TLS security protocols in IBM MQ

IBM® MQ supports the Transport Layer Security (TLS) protocol to provide link level security for message channels and MQI channels.

Message channels and MQI channels can use the TLS protocol to provide link level security. A caller MCA is a TLS client and a responder MCA is a TLS server.

[MQ 9.2.0 Jul 2020]IBM MQ supports Versions 1.2 and 1.3 of the TLS protocol. Earlier versions of TLS, as well as SSL, are not enabled by default, but can be if needed. You can specify the cryptographic algorithms that are used by the TLS protocol by supplying a CipherSpec as part of the channel definition.

[MQ 9.2.0 Jul 2020]See Enabling CipherSpecs for a list of the CipherSpecs supported by IBM MQ and Deprecated CipherSpecs for those that are deprecated.

You can use the SECPROT and SSLCIPH parameters to display the security protocol and CipherSpec in use on a channel.

At each end of a message channel, and at the server end of an MQI channel, the MCA acts on behalf of the queue manager to which it is connected. During the TLS handshake, the MCA sends the digital certificate of the queue manager to its partner MCA at the other end of the channel. The IBM MQ code at the client end of an MQI channel acts on behalf of the user of the IBM MQ client application. During the TLS handshake, the IBM MQ code sends the user's digital certificate to the MCA at the server end of the MQI channel.

Queue managers and IBM MQ client users are not required to have personal digital certificates associated with them when they are acting as TLS clients, unless SSLCAUTH(REQUIRED) is specified at the server side of the channel.

Digital certificates are stored in a key repository. The queue manager attribute SSLKeyRepository specifies the location of the key repository that holds the queue manager's digital certificate. On an IBM MQ client system, the MQSSLKEYR environment variable specifies the location of the key repository that holds the user's digital certificate. Alternatively, an IBM MQ client application can specify its location in the KeyRepository field of the TLS configuration options structure, MQSCO, on an MQCONNX call. See the related topics for more information about key repositories and how to specify where they are located.

Support for TLS

[MQ 9.2.0 Jul 2020] IBM MQ provides support for TLS 1.2 and TLS 1.3 on all platforms. For more information about the TLS protocol, refer to the information in the subtopics.
Java and JMS clients
These clients use the JVM to provide TLS support.
AIX®, Linux®, and Windows
TLS support is installed with IBM MQ.
IBM i
TLS support is integral to the IBM i operating system.
z/OS®
TLS support is integral to the z/OS operating system. The TLS support on z/OS is known as System SSL.
For information about any prerequisites for IBM MQ TLS support, see System Requirements for IBM MQ.