SSL/TLS on the IBM MQ MQI client
IBM® MQ supports TLS on clients. You can tailor the use of TLS in various ways.
IBM MQ provides TLS support for IBM MQ MQI clients on AIX®, Linux®, and Windows systems. If you are using IBM MQ classes for Java, see Using IBM MQ classes for Java; if you are using IBM MQ classes for JMS, see Using IBM MQ classes for JMS. The rest of this section does not apply to the Java or JMS environments.
- Using a channel definition table
- Using the SSL configuration options structure, MQSCO, on an MQCONNX call
- Using the Active Directory (on Windows systems)
You can continue to run your existing IBM MQ MQI client applications without TLS, as long as TLS is not specified at the other end of the channel.
If changes are made on a client machine to the contents of the TLS Key Repository, the location of the TLS Key Repository, the Authentication Information, or the Cryptographic hardware parameters, you must end all the TLS connections so that the changes are reflected in the client-connection channels that the application uses to connect to the queue manager. After all the connections have ended, restart the TLS channels; the new TLS settings are then used. These settings are analogous to those refreshed by the REFRESH SECURITY TYPE(SSL) command on queue manager systems.
When your IBM MQ MQI client runs on an AIX, Linux, or Windows system with cryptographic hardware, you configure that hardware with the MQSSLCRYP environment variable. This variable is equivalent to the SSLCRYP parameter on the ALTER QMGR MQSC command. Refer to ALTER QMGR for a description of the SSLCRYP parameter. If you use the GSK_PKCS11 version of the SSLCRYP parameter, the PKCS #11 token label must be specified entirely in lowercase.
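The lowercase requirement on the token label can be checked before the client is started. The following is an added example, not IBM's code: the function name `check_mqsslcryp` is hypothetical, and the value layout and the two symmetric cipher keywords it validates are taken from IBM's SSLCRYP description rather than from this page.

```shell
#!/bin/sh
# Added example: pre-flight check of an MQSSLCRYP value on AIX or Linux.
# Assumed layout (from IBM's SSLCRYP description, not stated on this page):
#   GSK_PKCS11=<driver path>/<token label>/<token password>/<symmetric cipher setting>;
# Returns 0 = ok, 1 = token label not lowercase, 2 = malformed value.
check_mqsslcryp() {
    value=$1
    case $value in
        GSK_PKCS11=*) ;;
        *) echo "not a GSK_PKCS11 setting"; return 2 ;;
    esac
    body=${value#GSK_PKCS11=}
    body=${body%;}                      # drop the trailing semicolon if present
    # The driver path itself contains slashes, so peel fields off the right.
    cipher=${body##*/}; rest=${body%/*}
    rest=${rest%/*}                     # discard the token password; never echo it
    label=${rest##*/}; driver=${rest%/*}
    if [ -z "$label" ] || [ "$driver" = "$rest" ]; then
        echo "malformed: expected driver/label/password/cipher"; return 2
    fi
    case $cipher in
        SYMMETRIC_CIPHER_ON|SYMMETRIC_CIPHER_OFF) ;;
        *) echo "malformed: unexpected cipher setting '$cipher'"; return 2 ;;
    esac
    lowered=$(printf '%s' "$label" | tr '[:upper:]' '[:lower:]')
    if [ "$label" != "$lowered" ]; then
        echo "token label '$label' must be entirely lowercase"; return 1
    fi
    echo "ok: driver=$driver label=$label cipher=$cipher"
    return 0
}

# Check the live environment when the variable is set.
if [ -n "${MQSSLCRYP:-}" ]; then
    check_mqsslcryp "$MQSSLCRYP"
fi
```

Run it in the same shell or service wrapper that exports MQSSLCRYP, so the value checked is the one the client will actually read.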
TLS secret key reset and FIPS are supported on IBM MQ MQI clients. For more information, see Resetting SSL and TLS secret keys and Federal Information Processing Standards (FIPS) for AIX, Linux, and Windows.
See Setting up IBM MQ MQI client security for more information about the TLS support for IBM MQ MQI clients.