Specifying that an MQI channel uses SSL/TLS
For an MQI channel to use TLS, the value of the SSLCipherSpec attribute of the client-connection channel must be the name of a CipherSpec that is supported by IBM® MQ on the client platform.
- When a PreConnect exit provides a channel definition structure to use.
A PreConnect exit can provide the name of a CipherSpec in the SSLCipherSpec field of a channel definition structure, MQCD. This structure is returned in the ppMQCDArrayPtr field of the MQNXP exit parameter structure used by the PreConnect exit.
- When an IBM MQ MQI client application issues an MQCONNX call.
The application can specify the name of a CipherSpec in the SSLCipherSpec field of a channel definition structure, MQCD. This structure is referenced by the connect options structure, MQCNO, which is a parameter on the MQCONNX call.
- Using a client channel definition table (CCDT).
One or more entries in a client channel definition table can specify the name of a CipherSpec. For example, if you create an entry by using the DEFINE CHANNEL MQSC command, you can use the SSLCIPH parameter on the command to specify the name of a CipherSpec.
- Using Active Directory on Windows.
On Windows systems, you can use the setmqscp control command to publish the client-connection channel definitions in Active Directory. One or more of these definitions can specify the name of a CipherSpec.
For example, if a client application provides a client-connection channel definition in an MQCD structure on an MQCONNX call, this definition is used in preference to any entries in a client channel definition table that can be accessed by the IBM MQ client.
You cannot use the MQSERVER environment variable to provide the channel definition at the client end of an MQI channel that uses TLS.
To check whether a client certificate has flowed, display the channel status at the server end of the channel and check for the presence of a peer name parameter value.
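The peer name check described above can be run across many channels at once. The following is an added example, not IBM's code: it parses saved `DISPLAY CHSTATUS(*) SSLPEER` output from runmqsc and lists channel instances whose SSLPEER value is empty. The sample output, channel names, addresses and DNs are constructed, and the parser assumes attribute values contain no parentheses.

```python
import re

# Constructed sample of `DISPLAY CHSTATUS(*) SSLPEER` output captured on the
# server queue manager; channel names, addresses and DNs are made up.
SAMPLE = """\
AMQ8417I: Display Channel Status details.
   CHANNEL(APP1.SVRCONN)                   CHLTYPE(SVRCONN)
   CONNAME(192.0.2.10)                     CURRENT
   SSLPEER(SERIALNUMBER=5A:1B,CN=app1,O=Example)
   STATUS(RUNNING)                         SUBSTATE(RECEIVE)
AMQ8417I: Display Channel Status details.
   CHANNEL(APP2.SVRCONN)                   CHLTYPE(SVRCONN)
   CONNAME(192.0.2.11)                     CURRENT
   SSLPEER( )                              STATUS(RUNNING)
   SUBSTATE(RECEIVE)
"""

# KEYWORD(value) pairs; assumes the value itself holds no ")" character.
ATTR = re.compile(r"([A-Z]+)\(([^)]*)\)")


def parse_chstatus(text):
    """Split runmqsc output into one dict of attributes per channel instance."""
    records, current = [], None
    for line in text.splitlines():
        if line.startswith("AMQ8417"):
            # Each status record starts with the AMQ8417 message line.
            current = {}
            records.append(current)
        elif current is not None:
            for key, value in ATTR.findall(line):
                current[key] = value.strip()
    return records


def channels_without_peer(text):
    """Return (channel, conname) for instances where no peer name is present."""
    return [(r.get("CHANNEL"), r.get("CONNAME"))
            for r in parse_chstatus(text)
            if not r.get("SSLPEER")]


if __name__ == "__main__":
    for channel, conname in channels_without_peer(SAMPLE):
        print(f"no client certificate flowed: {channel} from {conname}")
```

An empty peer name means only that no client certificate was presented on that instance; it does not by itself say whether the channel negotiated TLS.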