Configuring SSL channels

About this task

To configure channels in IBM® WebSphere® MQ Explorer:

Procedure

  1. Open IBM WebSphere MQ Explorer.
  2. In the Navigator view, expand the Queue Managers folder, then click the Channels folder.
  3. In the Content view, right-click the channel, then click Properties.
  4. In the Properties dialog, open the SSL page.

Results

Use the SSL page of the Channel properties dialog for the following tasks.

Setting message security

SSL-enabled messaging offers two methods of ensuring message security:

  • Encryption ensures that if the message is intercepted, it is unreadable.
  • Hash functions ensure that if the message is altered, this is detected.

The combination of these methods is called the cipher specification, or CipherSpec. The same CipherSpec must be set at both ends of a channel; otherwise SSL-enabled messaging fails. For more information, see Security in the IBM WebSphere MQ product documentation online.

On the SSL page of the Properties dialog, do one of the following:

  • From the Standard cipher field, select a standard cipher.
  • If you are an advanced user and you are administering a queue manager on a z/OS® or IBM i platform that includes new CipherSpecs that are not in the IBM WebSphere MQ predefined list, enter a platform-specific value for a CipherSpec in the Custom ciphers field.

Filtering certificates on their owner's name

Certificates contain the distinguished name of the owner of the certificate. You can optionally configure the channel to accept only certificates with attributes in the distinguished name of the owner that match given values. To do this, select the Accept only certificates with Distinguished Names matching these values check box.

The attribute names that IBM WebSphere MQ can filter are listed in the following table:

Attribute names    Meaning
CN                 common name
T                  title
OU                 organizational unit name
O                  organization name
L                  locality
S, ST, or SP       state or province name
C                  country

In the Accept only certificates with Distinguished Names matching these values field, you can use the wildcard character (*) at the beginning or the end of the attribute value in place of any number of characters. For example, to accept only certificates from any person with a name ending with Smith working for IBM in GB, type:

CN=*Smith, O=IBM, C=GB
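The following Python script is an added illustration of how a filter such as CN=*Smith, O=IBM, C=GB is applied to the distinguished name in a peer certificate. It is not IBM WebSphere MQ code and makes simplifying assumptions: attribute values are compared exactly (case-sensitively), commas inside values are not handled, and S and SP are treated as synonyms for ST as the table above suggests. The product's exact matching rules are in the IBM WebSphere MQ documentation the page refers to.

```python
# Added example: simplified DN filter matching with leading/trailing '*' wildcards.
# Not IBM WebSphere MQ's implementation; see the lead-in for assumptions.

# S and SP are treated as aliases of ST (state or province name).
ATTRIBUTE_ALIASES = {"S": "ST", "SP": "ST"}


def parse_dn(dn: str) -> dict:
    """Parse 'CN=John Smith, O=IBM, C=GB' into {'CN': 'John Smith', 'O': 'IBM', 'C': 'GB'}.

    Assumption: attributes are separated by commas and values contain no commas.
    """
    attrs = {}
    for part in dn.split(","):
        part = part.strip()
        if not part:
            continue
        name, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"malformed attribute: {part!r}")
        name = name.strip().upper()
        name = ATTRIBUTE_ALIASES.get(name, name)
        attrs[name] = value.strip()
    return attrs


def value_matches(pattern: str, value: str) -> bool:
    """A '*' at the beginning or end of the pattern stands for any run of characters."""
    if len(pattern) > 1 and pattern.startswith("*") and pattern.endswith("*"):
        return pattern[1:-1] in value
    if pattern.startswith("*"):
        return value.endswith(pattern[1:])
    if pattern.endswith("*"):
        return value.startswith(pattern[:-1])
    return value == pattern


def dn_matches(filter_dn: str, cert_dn: str) -> bool:
    """True if every attribute in the filter is present in the certificate DN and matches.

    Attributes in the certificate that the filter does not mention are ignored,
    so a filter of 'O=IBM, C=GB' accepts any CN in that organization and country.
    """
    wanted = parse_dn(filter_dn)
    actual = parse_dn(cert_dn)
    for name, pattern in wanted.items():
        if name not in actual or not value_matches(pattern, actual[name]):
            return False
    return True


if __name__ == "__main__":
    # Constructed sample certificate subjects for demonstration only.
    filt = "CN=*Smith, O=IBM, C=GB"
    for subject in ("CN=John Smith, O=IBM, C=GB",
                    "CN=Jane Smith, O=IBM, C=US",
                    "CN=John Smithson, O=IBM, C=GB"):
        print(f"{subject!r:40} -> {'accepted' if dn_matches(filt, subject) else 'rejected'}")
```

Running the script shows that only the first constructed subject is accepted: the second fails on C, and the third fails because *Smith requires the common name to end with Smith rather than merely contain it.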

Authenticating parties initiating connections to a queue manager

When another party initiates an SSL-enabled connection to a queue manager, the queue manager must send its personal certificate to the initiating party as proof of identity. You can also optionally configure the queue manager channel so that the queue manager refuses the connection if the initiating party does not send its own personal certificate. To do this, on the SSL page of the Channel properties dialog, select Required from the Authentication of parties initiating connections list.