MQIPT implementation of SSL/TLS

SSL 3.0, TLS 1.0, TLS 1.1, TLS 1.2 and TLS 1.3 are implemented with Public Key Cryptography Standards (PKCS) #12 tokens stored in key ring files (with file types of .p12 or .pfx), containing X.509 v3 certificates. MQIPT can also use cryptographic hardware key stores that support the PKCS #11 Cryptographic Token Interface standard.

MQIPT uses the IBM® Java Secure Socket Extension (JSSE) package.

MQIPT can act as an SSL/TLS client or an SSL/TLS server depending on which end initiates the connection. The client starts a connection and the server accepts the connection request. It is possible for an MQIPT route to act both as a client and a server. In this case, using the SSL/TLS Proxy Mode feature typically gives better performance.

When MQIPT is configured for SSL/TLS Proxy Mode, it only forwards SSL/TLS data between the two end-points; it does not participate in the SSL/TLS handshake and does not require any digital certificates. Because MQIPT is not a party to the handshake in this mode, certificate validation and any protocol or cipher suite restrictions are enforced only by the two end-points themselves, not by the MQIPT route.

In versions earlier than IBM MQ 9.3.0, MQIPT does not pass TLS Server Name Indication (SNI) data that is received on an inbound TLS connection through to an outbound TLS connection. This means that per-channel certificates, specified using the CERTLABL channel attribute, cannot be used for TLS connections between MQIPT and the destination queue manager. To use a per-channel certificate on the destination queue manager, for a TLS connection that passes through MQIPT at a version earlier than IBM MQ 9.3.0, the MQIPT route must use SSL/TLS Proxy Mode, which forwards all TLS control flows intact, including the SNI name.

From IBM MQ 9.3.0, MQIPT can be configured to either set the SNI for TLS connections to a specific value, or to pass through the SNI received on the inbound connection to the route. For more information about using multiple certificates on a queue manager with MQIPT, see IBM MQ multiple certificate support with MQIPT.

Each MQIPT route can be independently configured with its own set of SSL/TLS properties. See MQIPT route properties for more details.
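The following mqipt.conf fragment is an added example written for this page, not configuration taken from the IBM documentation or from an MQIPT installation. It contrasts the two ways a route can handle TLS described above: a route that terminates the inbound TLS connection as a server and re-originates it as a client (and therefore needs its own key rings), and a route in SSL/TLS Proxy Mode (which needs none). The route names, host name, ports and file paths are assumed values, and the property names and the comma-separated protocol list format are given as the editor understands them from MQIPT route properties; verify each against the MQIPT route properties reference for your version before use.

```ini
# Added example mqipt.conf; not from the IBM documentation page.
# Property names as understood from "MQIPT route properties" (assumption);
# host names, ports, paths and route names are made up for illustration.

[global]
# Global properties omitted; only the route sections are of interest here.

# Route 1: terminating route. MQIPT acts as the TLS server towards the
# inbound client and as a TLS client towards the queue manager, so it
# performs two handshakes and needs a certificate (key ring) for each side.
# Before IBM MQ 9.3.0 the inbound SNI is NOT carried to the outbound
# connection on a route like this, so a per-channel (CERTLABL) certificate
# on the queue manager cannot be selected through it.
[route]
Name=TerminatingRoute
Active=true
ListenerPort=1414
Destination=qmhost.example.com
DestinationPort=1415
SSLServer=true
SSLServerKeyRing=/var/mqipt/ssl/server.p12
SSLServerKeyRingPW=/var/mqipt/ssl/server.pwd
SSLServerProtocols=TLSv1.2,TLSv1.3
SSLClient=true
SSLClientKeyRing=/var/mqipt/ssl/client.p12
SSLClientKeyRingPW=/var/mqipt/ssl/client.pwd
SSLClientProtocols=TLSv1.2,TLSv1.3

# Route 2: SSL/TLS Proxy Mode. MQIPT relays the TLS records between the two
# end-points without taking part in the handshake, so no key ring or
# protocol settings are configured here. The client's ClientHello, including
# its SNI extension, reaches the queue manager unchanged, which is what makes
# per-channel certificates work through MQIPT versions earlier than 9.3.0.
[route]
Name=ProxyModeRoute
Active=true
ListenerPort=1416
Destination=qmhost.example.com
DestinationPort=1415
SSLProxyMode=true
```

With the terminating route, MQIPT is the TLS peer on both legs, so the key rings it references are what the client and the queue manager authenticate; with the proxy mode route, MQIPT sees only opaque TLS records, and the queue manager and the client must enforce their own certificate, protocol and cipher suite policies. Which of the two is appropriate depends on whether the route is required to inspect or re-authenticate the connection or only to relay it.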