How IBM MQ provides multiple certificates capability
Server Name Indication (SNI) is an extension to the TLS protocol that allows a client to indicate what service it requires. In IBM® MQ terminology this equates to a channel.
The SNI extension is used by IBM MQ to allow multiple certificates to be specified across different channels using the CERTLABL parameter on the channel definition.
The SNI address used by IBM MQ is based upon the channel name that is being requested, followed by a suffix of .chl.mq.ibm.com. The channel name is mapped as follows:
- Upper case letters A to Z are folded to lower case
- Digits 0 to 9 are left unchanged
- All other characters, including lower case letters a to z, are converted into their two digit hexadecimal ASCII character code (in lower case), followed by a hyphen:
  - Lower case letters a to z map to hexadecimal 61- to 7a- respectively
  - percent (%) maps to hexadecimal 25-
  - hyphen (-) maps to hexadecimal 2d-
  - dot (.) maps to hexadecimal 2e-
  - forward slash (/) maps to hexadecimal 2f-
  - underscore (_) maps to hexadecimal 5f-
On EBCDIC platforms, the channel name is converted to ASCII before this mapping is applied.
As an example, channel name TO.QMGR1 maps to an SNI address of to2e-qmgr1.chl.mq.ibm.com. By contrast, the lower case channel name to.qmgr1 maps onto an SNI address of 74-6f-2e-71-6d-67-72-1.chl.mq.ibm.com.
The outboundSNI setting
The OutboundSNI property of the SSL stanza allows you to select whether the SNI should be set to the target IBM MQ channel name to the remote system when initiating a TLS connection, or to the hostname. For more information about the OutboundSNI property, see SSL stanza of the qm.ini file and SSL stanza of the client configuration file.
Multiple certificate support requires that the SNI is set to the IBM MQ channel name. If a hostname, a custom value, or no SNI at all is used to connect to an IBM MQ channel that has a certificate label configured, the connecting application is rejected with an MQRC_SSL_INITIALIZATION_ERROR, and an AMQ9673 message is written to the remote queue manager error logs.
If a channel connects to the destination queue manager through IBM MQ Internet Pass-Thru (MQIPT), MQIPT must be configured to either set the SNI to the channel name, or to pass through the SNI received on the inbound connection to the route, to allow multiple certificates to be used by the destination queue manager. For more information about multiple certificate support and MQIPT, see IBM MQ multiple certificate support with MQIPT.
For more information on how this property is used, see Connecting to a queue manager deployed in a Red Hat OpenShift cluster.
Key considerations for setting OutboundSNI
- HOSTNAME
- When OutboundSNI is set to hostname, the multiple certificates functionality does not work. Client applications connecting to a queue manager always receive the certificate set on the queue manager object. Additionally, if these clients connect to a channel that has a certificate set on it, the connection fails as IBM MQ verifies that the correct certificate was sent to the client.
- CHANNEL
- When using the channel name, the main disadvantage is having to calculate the SNI value if you plan to use it for routing. It is possible to use a channel name SNI header for routing, but any queue managers that a router could send to must have unique channel names. Additionally, channel names might have to be chosen carefully to ensure that the hostname produced is valid. For example, a channel name of chl becomes 63-68-6c-.chl.mq.ibm.com, which is not a valid hostname.
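The mapping rules above, the TO.QMGR1 / to.qmgr1 examples, and the routing caveat about channel names such as chl producing an invalid hostname, worked through in code. This is an added example, not IBM MQ code: it implements the documented channel-name-to-SNI mapping, its inverse (what an SNI-based router would need to recover the channel name), and an RFC 1123 style label check, and assumes the channel name is already ASCII (the EBCDIC conversion step is not modelled).

```python
import re

SNI_SUFFIX = ".chl.mq.ibm.com"


def channel_to_sni(channel_name: str) -> str:
    """Map an IBM MQ channel name to its SNI address (assumes ASCII input).

    Upper case A-Z fold to lower case, digits pass through unchanged, and every
    other character becomes its two-digit lower case hex ASCII code plus '-'.
    """
    out = []
    for ch in channel_name:
        if "A" <= ch <= "Z":
            out.append(ch.lower())
        elif "0" <= ch <= "9":
            out.append(ch)
        else:
            out.append(f"{ord(ch):02x}-")
    return "".join(out) + SNI_SUFFIX


def sni_to_channel(sni: str) -> str:
    """Invert the mapping, e.g. for a router deciding where to send a connection.

    A hyphen only ever terminates an encoded character, so the two characters in
    front of it are always that character's hex code. A bare letter can only have
    come from an upper case original, so it is folded back to upper case.
    """
    if not sni.endswith(SNI_SUFFIX):
        raise ValueError("not an IBM MQ channel SNI address")
    label = sni[: -len(SNI_SUFFIX)]
    out, i = [], 0
    while i < len(label):
        if i + 2 < len(label) and label[i + 2] == "-":
            out.append(chr(int(label[i : i + 2], 16)))
            i += 3
        else:
            out.append(label[i].upper() if label[i].isalpha() else label[i])
            i += 1
    return "".join(out)


# Hostname label: 1-63 chars of [a-z0-9-], not starting or ending with a hyphen.
_LABEL_RE = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")


def sni_label_is_valid_hostname_label(sni: str) -> bool:
    """True when the channel-derived label is a valid hostname label.

    A channel name whose last character is hex-encoded (e.g. 'chl') yields a
    label ending in '-', which fails this check, as the text warns.
    """
    return bool(_LABEL_RE.match(sni[: -len(SNI_SUFFIX)]))
```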