Creating a TLS client profile by using the web UI

To secure the connection between the appliance and an LDAP server with TLS, you must configure a TLS client profile.

Before you begin

CAUTION:
Read the topic Important: avoiding user lock out when configuring role based management before you attempt to set up authentication with LDAP.

About this task

You can configure a TLS client profile by using the IBM® MQ Appliance web UI. You can do this by opening a dialog while you configure role based management (RBM), or as a separate operation before you configure RBM.

Procedure

  1. Open the TLS Client Profile window. You can do this in one of two ways:
    Before you configure RBM:
    1. Click the object icon.
    2. Select Crypto Configuration > TLS Client Profile.
    3. Click New to open the TLS Client Profile window.
    While you are configuring RBM:
    1. In the Authenticate tab (if you have selected the LDAP method) or the Credential Mapping tab (if you have selected Search LDAP for group name), select a TLS client type of Client profile.
    2. Click the plus icon next to the TLS client profile field to open the TLS Client Profile window.
  2. In the TLS Client Profile window, enter a name for your profile.
  3. Ensure that Administrative state is set to On, and optionally enter comments.
  4. Select which TLS protocols your profile supports. Enable only the newest protocol versions that the LDAP server accepts; TLS 1.0 and TLS 1.1 have known weaknesses and are deprecated (RFC 8996), so enable them only if the LDAP server cannot be updated.
  5. Specify which cipher suites your profile supports. Prefer suites with forward secrecy (ECDHE key exchange) and authenticated encryption (AES-GCM or ChaCha20-Poly1305), and remove any suite that the LDAP server does not need.
  6. Select from the following options:
    Use SNI

    Allows the client to send the Server Name Indication (SNI) extension in the ClientHello message to the server that the client attempts to connect to.

    Permit connections without renegotiation

    Allows connections to TLS servers that do not support secure renegotiation (RFC 5746). Leave this off unless the LDAP server cannot be updated: a server without RFC 5746 support remains exposed to the TLS renegotiation attack (CVE-2009-3555) that the RFC was written to close.

    Enable compression

    Enables TLS compression. Leave this off. Compression in HTTPS is dangerous because the connection becomes vulnerable to the CRIME (Compression Ratio Info-leak Made Easy) attack, in which an attacker who can place chosen data in the same compressed records as a secret recovers the secret from the record sizes.

  7. Optionally, specify that client connections pass a host name in the SNI extension of the ClientHello, and enter the host name to pass. Use the DNS name of the LDAP server, so that a server that hosts several names presents the certificate for the name you connect to.
  8. Specify the client credentials. There are two parts to this:
    • Identification credentials specify the key and certificate that the appliance uses to authenticate itself to a TLS server if the TLS server requests client authentication.
    • Validation credentials are required if you select Validate server certificate, and specify the certificates that the client trusts when it authenticates the TLS server. Keep Validate server certificate selected: without it the appliance accepts any certificate, so anyone who can redirect the connection can impersonate the LDAP server and capture the bind credentials and user passwords that are sent over it.
    You can create the credentials profiles before you create the TLS client profile, and select them in the Identification credentials and Validation credentials lists. Alternatively, you can click the plus icon to open dialogs to create the two credentials.
  9. Optionally, open the Session caching section. Caching is enabled by default, and you can specify how long sessions are cached for in seconds and the minimum size of the cache in number of entries.
  10. Optionally, open the Advanced section and add to the list of elliptic curves that the TLS client profile supports.
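The following script is an added example, not part of the IBM MQ Appliance documentation and not a feature of the appliance. Before you fill in steps 4 to 8, it lets you check from an administrator workstation what the LDAP server actually offers (protocol version, cipher suite, RFC 5746 secure renegotiation, compression, and whether its certificate chains to your CA) with openssl s_client, and reads the result against the profile options above. The host name, port and CA file path are assumptions; set LDAP_HOST, LDAP_PORT and CA_FILE for your server. The check_probe_output function also works on captured output, and the two sample outputs at the end are constructed for illustration, not captured from a real server.

```shell
#!/bin/sh
# Added example, not part of the IBM MQ Appliance documentation: probe an LDAP
# server with openssl s_client and compare what it offers with the TLS client
# profile options (protocols, secure renegotiation, compression, server
# certificate validation, SNI). Runs on an admin workstation, not on the appliance.

LDAP_HOST="${LDAP_HOST:-ldap.example.com}"   # assumed; also sent as the SNI host name
LDAP_PORT="${LDAP_PORT:-636}"                # assumed; LDAPS port
CA_FILE="${CA_FILE:-ldap-ca.pem}"            # assumed; CA the validation credentials will hold

# Connect once with the settings the profile should use: TLS 1.2 only, SNI set,
# no compression offered (s_client offers none unless -comp is given), and the
# server chain checked against CA_FILE, failing the handshake on a bad chain.
# For StartTLS on port 389 add "-starttls ldap" (OpenSSL 1.1.1 or later).
probe_ldap_server() {
    openssl s_client -connect "${LDAP_HOST}:${LDAP_PORT}" \
        -servername "${LDAP_HOST}" \
        -tls1_2 \
        -CAfile "${CA_FILE}" \
        -verify_return_error </dev/null 2>&1
}

# Print the cipher suite the server chose; it belongs in the profile's cipher list.
negotiated_cipher() {
    sed -n 's/^ *Cipher *: *//p' | head -n 1
}

# Read s_client output on stdin, print one line per profile option, and return
# 1 if the server would need an option that weakens the profile.
check_probe_output() {
    out=$(cat)
    rc=0
    if printf '%s\n' "$out" | grep -q 'Protocol *: TLSv1\.[23]'; then
        echo "ok: TLS 1.2 or 1.3 negotiated; leave TLS 1.0 and 1.1 disabled in the profile"
    else
        echo "fail: no TLS 1.2/1.3 handshake; fix the server rather than enabling older protocols"
        rc=1
    fi
    if printf '%s\n' "$out" | grep -q 'Secure Renegotiation IS supported'; then
        echo "ok: RFC 5746 supported; leave 'Permit connections without renegotiation' off"
    else
        echo "fail: no RFC 5746 support; the profile would need 'Permit connections without renegotiation'"
        rc=1
    fi
    if printf '%s\n' "$out" | grep -q '^Compression: NONE'; then
        echo "ok: no compression negotiated; leave 'Enable compression' off"
    else
        echo "fail: compression reported; keep 'Enable compression' off regardless (CRIME)"
        rc=1
    fi
    if printf '%s\n' "$out" | grep -q 'Verify return code: 0 (ok)'; then
        echo "ok: chain verifies against $CA_FILE; use that CA in the validation credentials"
    else
        echo "fail: chain does not verify against $CA_FILE; fix the validation credentials, keep 'Validate server certificate' on"
        rc=1
    fi
    return "$rc"
}

# Constructed sample outputs (abbreviated), not captured from a real server.
SAMPLE_GOOD='New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Verify return code: 0 (ok)'

SAMPLE_BAD='New, TLSv1, Cipher is AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: zlib compression
Expansion: zlib compression
SSL-Session:
    Protocol  : TLSv1
    Cipher    : AES256-SHA
    Verify return code: 21 (unable to verify the first certificate)'

# Run the live probe only when asked, so the file can also be sourced for its functions:
#   LDAP_HOST=ldap.corp.example CA_FILE=corp-ca.pem sh tls_probe.sh probe
if [ "${1:-}" = "probe" ]; then
    probe_ldap_server | check_probe_output
fi
```

A clean run (every line "ok") means the profile can be created with only TLS 1.2 or later, the negotiated cipher in its cipher list, both renegotiation and compression options off, and the CA from CA_FILE in the validation credentials. A "fail" line names the option you would otherwise be tempted to relax; relax it only after deciding that the LDAP server cannot be fixed.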