![[MQ 10 2026]](../ng10.gif)
Secure replication for a high availability queue manager
You can specify that replication links in your HA configuration are secured with TLS.
When you create a high availability (HA) queue manager, you can specify that the links used to replicate data between the queue manager instances are secured with TLS.
- Configure the required certificates.
- Start the TLS Replication Handshake daemon (tlshd).
- Specify the
-reoption when creating a new queue manager using crtmqm.
Configuring certificates
If any queue manager that runs on an appliance might ever be part of a DR/HA configuration, then the certificates that are used by the replication links must contain a Subject Alternative Name (SAN) that contains the HA group name. The createcert and createcertrequest commands set the SAN to the HA group name when the certificate, or certificate request, is created. Ensure that the SAN is copied to the signed certificate when the certificate request is signed by the certificate authority.
The HA group name of HA pairs connected with DR can be the same for both HA groups, or unique to
each HA group. In both cases, the name of the remote HA group must be specified by using the
-san parameter of the crtdrprimary command. The
crtdrprimary and dspdrsecondary commands will generate the
crtdrsecondary command with the required value for the -san
parameter.
mqpubcert: URI for downloading and sending for signing. The signed certificate and
CA certificates are uploaded to the mqpubcert: URI, from which the certificate
management commands add them to the key store. mq_replication, to use a different certificate label add the -l
parameter to the createcertrequest, receivecert, and
setrepcert commands.To use secure replication links in an HA configuration you need two certificates, one certificate per appliance in the HA group.
- Use the following command to generate a private key and a certificate signing
request
(CSR):
mqa(mqcli)# createcertrequest -replication -dn CN=MainSiteAppliance1.example.com,O=JOJO;C=UK;OU=Hillesden - The CSR is created in mqpubcert:. Copy the CSR from the appliance and send it for signing by the CA. On return, copy the signed certificate to mqpubcert:, along with the full chain of CA certificates.
- Add the CA certificates and receive the signed
certificate:
mqa(mqcli)# addcert -replication -file mqpubcert://TheCA.crt -label CA mqa(mqcli)# receivecert -replication -file mqpubcert:///mq_replication.signed - Repeat these steps on all other appliances within the HA configuration.
TLS Replication Handshake daemon
The implementation of encryption on replication links relies on the TLS Replication Handshake daemon (tlshd) to handle the TLS replication handshake. This daemon needs to be configured and started before any TLS handshakes can be completed. A single tlshd certificate configuration is used for all encrypted replication for any given appliance.
The key and certificates, and underlying files are managed by the certificate management commands (see Configuring certificates).
You use the setrepcert -e command to enable the TLS replication handshake
daemon. This command starts the daemon, after which it is monitored to ensure it is running, and
restarted as required (including during appliance restart). If the key and certificate configuration
are incomplete or invalid, the setrepcert -e command fails.
You can disable the TLS replication handshake daemon by using the setrepcert -d
command. This command fails if any HA or DR queue managers exist with replication encryption
enabled.
If the key or certificates are changed, for example, to replace expiring certificates, the TLS
replication handshake daemon continues to use the existing configuration until it is next restarted.
To trigger an immediate restart use the setrepcert -r command.
dsprepcert command to see the current state of the daemon. The following
states can be reported:Not configured- No keys and certificates have been configured and the TLS replication handshake daemon has not been enabled.Disabled- A valid set of keys and certificates have been configured, the TLS replication handshake daemon has not been enabled.Enabled- The TLS replication handshake daemon has been enabled but is not running.Running- The TLS replication handshake daemon has been enabled is running.
dsprepcert command also displays the label of the private key and
certificate, and the time at which the TLS Handshake daemon was last started.Creating the HA Queue Manager
-re option, for
example:mqa(mqcli)# crtmqm -sx -re HAqmmqa(mqcli)# sethagrp -i -re MyQMgrFor more information about creating an HA, see Configuring high availability queue managers.