Resetting SSL and TLS secret keys
IBM® MQ supports the resetting of secret keys on queue managers and clients.
Secret keys are reset when a specified number of encrypted bytes of data have flowed across the channel. If channel heartbeats are enabled, the secret key is reset before data is sent or received following a channel heartbeat.
The key reset value is always set by the initiating side of the IBM MQ channel.
Queue manager
For a queue manager, use the command ALTER QMGR with the parameter SSLRKEYC to set the values used during key renegotiation.
On IBM i, use CHGMQM with the SSLRSTCNT parameter.
MQI client
For an MQI client, set the key reset count in one of the following ways:
- By using the KeyResetCount field in the MQSCO structure on an MQCONNX call
- By using the environment variable MQSSLRESET
- By setting the SSLKeyResetCount attribute in the MQI client configuration file
If a value greater than zero is specified and channel heartbeats are enabled for the channel, the secret key is also renegotiated before message data is sent or received following a channel heartbeat.
The count of bytes until the next secret key renegotiation is reset after each successful renegotiation.
For full details of the MQSCO structure, see KeyResetCount (MQLONG). For full details of MQSSLRESET, see MQSSLRESET. For more information about the use of TLS in the client configuration file, see SSL stanza of the client configuration file.
Java
For IBM MQ classes for Java, set the key reset count in one of the following ways:
- By setting the sslResetCount field in the MQEnvironment class.
- By setting the environment property MQC.SSL_RESET_COUNT_PROPERTY in a Hashtable object. The application then assigns the hashtable to the properties field in the MQEnvironment class, or passes the hashtable to an MQQueueManager object on its constructor.
The value of the sslResetCount field or environment property MQC.SSL_RESET_COUNT_PROPERTY represents the total number of bytes sent and received by the IBM MQ classes for Java client code before the secret key is renegotiated. The number of bytes sent is the number before encryption, and the number of bytes received is the number after decryption. The number of bytes also includes control information sent and received by the IBM MQ classes for Java client.
If the reset count is zero, which is the default value, the secret key is never renegotiated. The reset count is ignored if no CipherSuite is specified.
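The two Java approaches above, as an added example that is not from the IBM documentation: host, port, channel, queue manager name, cipher suite and the 4 MiB reset count are assumed values, and the cipher suite is set explicitly because the reset count is ignored without one.

```java
import java.util.Hashtable;

import com.ibm.mq.MQC;
import com.ibm.mq.MQEnvironment;
import com.ibm.mq.MQException;
import com.ibm.mq.MQQueueManager;

public class SslResetCountExample {
    // Assumed value: renegotiate the secret key after 4 MiB of data (bytes before
    // encryption on send, after decryption on receive, control information included).
    private static final int RESET_COUNT = 4 * 1024 * 1024;
    // Assumed cipher suite; without a CipherSuite the reset count is ignored.
    private static final String CIPHER_SUITE = "TLS_RSA_WITH_AES_128_CBC_SHA256";

    // Approach 1: static fields on MQEnvironment apply to every later connection.
    public static MQQueueManager connectViaEnvironment(String qmName) throws MQException {
        MQEnvironment.hostname = "mqhost.example";   // assumed
        MQEnvironment.port = 1414;                   // assumed
        MQEnvironment.channel = "TLS.SVRCONN";       // assumed
        MQEnvironment.sslCipherSuite = CIPHER_SUITE;
        MQEnvironment.sslResetCount = RESET_COUNT;   // 0 (the default) means never renegotiate
        return new MQQueueManager(qmName);
    }

    // Approach 2: per-connection properties passed to the MQQueueManager constructor
    // (the same hashtable could instead be assigned to MQEnvironment.properties).
    public static Hashtable<String, Object> buildProperties() {
        Hashtable<String, Object> props = new Hashtable<>();
        props.put(MQC.TRANSPORT_PROPERTY, MQC.TRANSPORT_MQSERIES_CLIENT);
        props.put(MQC.HOST_NAME_PROPERTY, "mqhost.example");   // assumed
        props.put(MQC.PORT_PROPERTY, 1414);                    // assumed
        props.put(MQC.CHANNEL_PROPERTY, "TLS.SVRCONN");        // assumed
        props.put(MQC.SSL_CIPHER_SUITE_PROPERTY, CIPHER_SUITE);
        props.put(MQC.SSL_RESET_COUNT_PROPERTY, RESET_COUNT);
        return props;
    }

    public static MQQueueManager connectViaProperties(String qmName) throws MQException {
        return new MQQueueManager(qmName, buildProperties());
    }

    public static void main(String[] args) throws MQException {
        MQQueueManager qm = connectViaProperties("QM1"); // assumed queue manager name
        System.out.println("Connected; secret key reset every " + RESET_COUNT + " bytes");
        qm.disconnect();
    }
}
```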
JMS
For IBM MQ classes for JMS, set the SSLRESETCOUNT property of the connection factory, for example:
ALTER CF(my.cf) SSLRESETCOUNT(4194304)
If the value of SSLRESETCOUNT is zero, which is the default value, the secret key is never renegotiated. The SSLRESETCOUNT property is ignored if SSLCIPHERSUITE is not set.
.NET
For .NET unmanaged clients, the integer property SSLKeyResetCount indicates the number of unencrypted bytes sent and received within a TLS conversation before the secret key is renegotiated.
For information about the use of object properties in IBM MQ classes for .NET, see Getting and setting attribute values.
For .NET managed clients, the SSLStream class does not support secret key reset/renegotiation. However, to be consistent with other IBM MQ clients, the IBM MQ managed .NET client allows applications to set SSLKeyResetCount. For more information, see Secret key reset or renegotiation.
XMS .NET
For XMS .NET unmanaged clients, see Secure connections to an IBM MQ queue manager.