Configuring for cryptographic hardware on AIX, Linux, and Windows

You can configure cryptographic hardware for a queue manager or client in a number of ways.

You can configure cryptographic hardware for a queue manager on AIX®, Linux®, and Windows using either of the following methods:
  • Use the ALTER QMGR MQSC command with the SSLCRYP parameter, as described in ALTER QMGR.
  • Use IBM® MQ Explorer to configure the cryptographic hardware on your AIX, Linux, and Windows system. For more information, refer to the online help.
You can configure cryptographic hardware for an IBM MQ client on AIX, Linux, and Windows using one of the following methods:
  • Set the MQSSLCRYP environment variable. The permitted values for MQSSLCRYP are the same as for the SSLCRYP parameter, as described in ALTER QMGR.

    If you use the GSK_PKCS11 version of the SSLCRYP parameter, the PKCS #11 token label must match the label you configured your hardware with.

  • Set the SSLCryptoHardware attribute in the SSL stanza of the IBM MQ client configuration file. The permitted values are the same as for the SSLCRYP parameter, as described in ALTER QMGR.

    If you use the GSK_PKCS11 version of the SSLCRYP parameter, the PKCS #11 token label must match the label you configured your hardware with.

  • Set the CryptoHardware field of the SSL configuration options structure, MQSCO, on an MQCONNX call. For more information, see Overview for MQSCO.

[MQ 9.2.3 Jul 2021] Attention: When you supply the cryptographic hardware configuration through the MQSSLCRYP environment variable or the SSLCryptoHardware attribute, you should protect the password before you store it. See IBM MQ clients using cryptographic hardware for more information.

If you have configured cryptographic hardware which uses the PKCS #11 interface using any of these methods, you must store the personal certificate for use on your channels in the key database file for the cryptographic token you have configured. This is described in Managing certificates on PKCS #11 hardware.
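
The following check is an added example, not IBM code: it parses a GSK_PKCS11 value before it is placed in SSLCRYP, MQSSLCRYP, or SSLCryptoHardware, confirms that the token label matches the label the hardware was configured with, and produces a password-masked copy for logs. It assumes the field layout given for SSLCRYP in ALTER QMGR (driver path; token label; token password; symmetric cipher setting), which this page references but does not reproduce. The sample path, label, and password are constructed placeholders.

```python
from dataclasses import dataclass

PREFIX = "GSK_PKCS11="
CIPHER_SETTINGS = ("SYMMETRIC_CIPHER_OFF", "SYMMETRIC_CIPHER_ON")
# Constructed sample value: path, label and password are placeholders.
SAMPLE = ("GSK_PKCS11=/opt/example/lib/libpkcs11.so;MQ_TOKEN;"
          "placeholder-pw;SYMMETRIC_CIPHER_OFF;")


@dataclass
class Pkcs11Config:
    driver_path: str
    token_label: str
    token_password: str
    cipher_setting: str

    def redacted(self) -> str:
        """Rebuild the string with the password masked, for logs and tickets."""
        return (f"{PREFIX}{self.driver_path};{self.token_label};"
                f"********;{self.cipher_setting};")


def parse_sslcryp(value: str) -> Pkcs11Config:
    """Split a GSK_PKCS11 value into fields (layout is an assumption, see above)."""
    if not value.startswith(PREFIX):
        raise ValueError("not a GSK_PKCS11 value")
    fields = value[len(PREFIX):].rstrip(";").split(";")
    if len(fields) == 3:  # cipher setting omitted: treated here as OFF
        fields.append(CIPHER_SETTINGS[0])
    if len(fields) != 4 or not fields[0] or not fields[1]:
        raise ValueError("expected driver;label;password;cipher setting")
    if fields[3] not in CIPHER_SETTINGS:
        raise ValueError(f"unknown symmetric cipher setting: {fields[3]!r}")
    return Pkcs11Config(*fields)


def check_token_label(value: str, hardware_label: str) -> list[str]:
    """Return the label problems found; an empty list means the labels match."""
    cfg = parse_sslcryp(value)
    if cfg.token_label == hardware_label:
        return []
    if cfg.token_label.strip().lower() == hardware_label.strip().lower():
        return ["token label differs only in case or whitespace"]
    return [f"token label {cfg.token_label!r} != {hardware_label!r}"]


if __name__ == "__main__":
    print(parse_sslcryp(SAMPLE).redacted())      # password never printed
    print(check_token_label(SAMPLE, "mq_token"))  # near-miss label is reported
```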