Configuring SSL on WebSphere MQ MQI clients

About this task

To work with SSL on a WebSphere® MQ client, you must use the commands introduced here. For further explanations, see Security if you have installed the WebSphere MQ product documentation. If you have not installed the WebSphere MQ product documentation, see Security in the IBM® online IBM WebSphere MQ product documentation.

Managing the WebSphere MQ client's certificates

Use the IBM Key Management (iKeyman) GUI to manage your SSL certificates. For more information, see Starting the IBM Key Management GUI. For instructions about using the iKeyman GUI, see Security.

In the iKeyman GUI, ensure that the client key repository contains all the Certificate Authority (CA) certificates that might be required to validate certificates that are received from other queue managers.

To find out the location of the client's key repository, examine the MQSSLKEYR environment variable; on Windows, type the following command:

echo %MQSSLKEYR%

Also check your application because the key repository can be set on an MQCONNX call. If both values are set, the value set on the MQCONNX call overrides the value of MQSSLKEYR.
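The precedence rule described above, as an added shell check that is not part of the IBM documentation: it resolves the key repository the client will actually open (a value passed on MQCONNX wins over MQSSLKEYR) and then verifies that the repository files exist and that the stash file is not readable by other users. It assumes a UNIX client and a CMS repository created by iKeyman, where MQSSLKEYR names a path stem and the files on disk are the stem with .kdb appended plus a stash file with .sth appended. MQCONNX_KEYREPOS is a hypothetical variable standing in for the value an application would pass on MQCONNX.

```shell
#!/bin/sh
# Added example (not IBM's code). Resolves which key repository a WebSphere MQ
# MQI client will actually open and checks it on disk. Assumes a UNIX client
# with a CMS repository created by iKeyman: MQSSLKEYR (or the MQCONNX value)
# is a path stem, and the files are <stem>.kdb and the <stem>.sth stash file.

# Print the effective key repository stem. $1 is the value the application
# passes on MQCONNX (the MQSCO structure); it overrides MQSSLKEYR.
# Returns 1 when neither is set.
effective_key_repository() {
  if [ -n "${1:-}" ]; then
    printf '%s\n' "$1"
  elif [ -n "${MQSSLKEYR:-}" ]; then
    printf '%s\n' "$MQSSLKEYR"
  else
    return 1
  fi
}

# Check that the key database and its stash file exist and that the stash
# file (which unlocks the private key) is not readable by other users.
# $1 = repository stem. Returns 0 when all checks pass.
check_key_repository() {
  stem=$1
  for f in "$stem.kdb" "$stem.sth"; do
    [ -f "$f" ] || { echo "missing $f" >&2; return 1; }
  done
  # Columns 8-10 of "ls -l" are the permission bits for "other" users.
  others=$(ls -l "$stem.sth" | cut -c8-10)
  [ "$others" = "---" ] || { echo "$stem.sth is readable by other users ($others)" >&2; return 1; }
  return 0
}

# Stand-alone run: MQCONNX_KEYREPOS is a hypothetical variable standing in for
# the value the application passes on MQCONNX (leave it empty to test MQSSLKEYR).
if stem=$(effective_key_repository "${MQCONNX_KEYREPOS:-}"); then
  if check_key_repository "$stem"; then
    echo "key repository $stem OK"
  fi
else
  echo "no key repository configured: MQSSLKEYR is unset and nothing was passed on MQCONNX" >&2
fi
```

Run it on the client machine as the user the application runs as, because file readability is evaluated for that user. A stash file that other users can read lets them open the key database and use the client's private key, so the check treats that as a failure.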

Configuring the channels to use SSL

Set up the SSL channels as described in Configuring SSL channels.

For further information on setting up WebSphere MQ client security, see Setting up WebSphere MQ MQI client security if you have installed the WebSphere MQ product documentation. If you have not installed the WebSphere MQ product documentation, see Setting up WebSphere MQ MQI client security in the IBM online IBM WebSphere MQ product documentation.

Authenticating certificates using Certificate Revocation Lists

About this task

You can set up a WebSphere MQ MQI client to check certificates against CRLs on LDAP servers.

Procedure

  1. On the WebSphere MQ server, in WebSphere MQ Explorer, expand the queue manager.
  2. Create a new authentication information object of type CRL LDAP. For more information, see Creating and configuring queue managers and objects.
  3. Repeat Step 2 to create as many authentication information objects as you need.
  4. Create a new namelist and add to the namelist the names of the authentication information objects that you created in Steps 2 and 3. For more information, see Creating and configuring queue managers and objects.
  5. Right-click the queue manager, then click Properties.
  6. On the SSL page, in the CRL Namelist field, type the name of the namelist that you created in Step 4.
  7. Click OK. All the LDAP CRL information is now written to the client channel definition table.
  8. Make the client channel definition table available to the client, or, if you are using Windows Active Directory, write out the information from the client channel definition table to the Active Directory (see the setmqscp command in the System Administration Guide in the online IBM WebSphere MQ product documentation).

Results

For more information, see Clients if you have installed the WebSphere MQ product documentation. If you have not installed the WebSphere MQ product documentation, see Overview of WebSphere MQ MQI clients in the IBM online IBM WebSphere MQ product documentation.

You can add to the namelist up to 10 connections to alternative LDAP servers to ensure continuity of service if one or more LDAP servers are inaccessible. For more information, see Security if you have installed the WebSphere MQ product documentation. If you have not installed the WebSphere MQ product documentation, see Security in the IBM online IBM WebSphere MQ product documentation.

Authenticating certificates using OCSP authentication

About this task

You can set up a WebSphere MQ MQI client to check certificates against an OCSP responder. Some client environments do not support OCSP revocation checking, but all server platforms support defining OCSP configuration, which is written to the client channel definition table file.

Procedure

  1. On the WebSphere MQ server, in WebSphere MQ Explorer, expand the queue manager.
  2. Create a new authentication information object of type OCSP. For more information, see Creating and configuring queue managers and objects.
  3. Repeat Step 2 to create as many OCSP authentication information objects as you need.
  4. Create a new namelist and add to the namelist the names of the OCSP authentication information objects that you created in Steps 2 and 3. For more information, see Creating and configuring queue managers and objects.
  5. Right-click the queue manager, then click Properties.
  6. On the SSL page, in the Revocation namelist field, type the name of the namelist that you created in Step 4.
  7. Click OK.
  8. Make the client channel definition table available to the client.

Results

For more information, see Clients if you have installed the WebSphere MQ product documentation. If you have not installed the WebSphere MQ product documentation, see Overview of WebSphere MQ MQI clients in the IBM online IBM WebSphere MQ product documentation.

Only one OCSP object can be added to the namelist because the SSL socket library can only use one OCSP responder URL at a time. For more information, see Security if you have installed the WebSphere MQ product documentation. If you have not installed the WebSphere MQ product documentation, see Security in the IBM online IBM WebSphere MQ product documentation.
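The two Explorer procedures above (CRL LDAP and OCSP), as an added script that is not part of the IBM documentation: it generates the equivalent MQSC for runmqsc, defining one CRLLDAP authentication information object per LDAP server, at most one OCSP object, the namelist that holds them, and the queue manager's SSLCRLNL attribute (the attribute behind Explorer's CRL Namelist / Revocation namelist field). It enforces the two limits the text states: up to 10 LDAP servers and a single OCSP object. The object names, namelist name, server names and responder URL are constructed for the example.

```shell
#!/bin/sh
# Added example (not IBM's code): the MQSC equivalent of the Explorer steps,
# as runmqsc input. Object and namelist names are constructed.

# One CRL LDAP authentication information object.
# $1 = object name, $2 = LDAP server as host(port).
# Add LDAPUSER/LDAPPWD here if the LDAP server requires an authenticated bind.
mqsc_crlldap_authinfo() {
  printf "DEFINE AUTHINFO(%s) AUTHTYPE(CRLLDAP) CONNAME('%s') REPLACE\n" "$1" "$2"
}

# The OCSP authentication information object.
# $1 = object name, $2 = OCSP responder URL.
mqsc_ocsp_authinfo() {
  printf "DEFINE AUTHINFO(%s) AUTHTYPE(OCSP) OCSPURL('%s') REPLACE\n" "$1" "$2"
}

# Whole script for one queue manager.
# $1 = namelist name, $2 = OCSP responder URL (empty for none),
# remaining arguments = LDAP servers as host(port), up to 10 (the limit the
# documentation gives for alternative LDAP servers). Only one OCSP object is
# ever emitted because the SSL socket library uses one responder URL at a time.
build_revocation_mqsc() {
  nl=$1; ocsp=$2; shift 2
  [ $# -le 10 ] || { echo "at most 10 LDAP CRL servers can be listed" >&2; return 1; }
  names=; i=0
  for ldap in "$@"; do
    i=$((i + 1))
    mqsc_crlldap_authinfo "CRL.LDAP.$i" "$ldap"
    names="${names:+$names,}CRL.LDAP.$i"
  done
  if [ -n "$ocsp" ]; then
    mqsc_ocsp_authinfo "OCSP.RESPONDER" "$ocsp"
    names="${names:+$names,}OCSP.RESPONDER"
  fi
  [ -n "$names" ] || { echo "no CRL LDAP server or OCSP URL given" >&2; return 1; }
  printf "DEFINE NAMELIST(%s) NAMES(%s) REPLACE\n" "$nl" "$names"
  printf "ALTER QMGR SSLCRLNL(%s)\n" "$nl"
}

# Stand-alone run with constructed server names. On the queue manager host,
# pipe the output into runmqsc for the queue manager; the revocation
# information is then written to the client channel definition table, which
# you make available to the client (step 8 of the procedures above).
build_revocation_mqsc REVOCATION.NL "http://ocsp.example.test" \
  "ldap1.example.test(389)" "ldap2.example.test(389)"
```

Using one namelist for both kinds of object mirrors the Explorer procedures, which point the same queue manager field at the namelist in either case. Because the queue manager rejects a definition only when it is applied, generating the script first lets you review the object names and server addresses before anything changes on the server.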