SSL connection factory parameters in the WebSphere MQ Web services URI

Add SSL options to the list of connection factory options in the IBM® WebSphere® MQ Web services URI.

Purpose

You can use a secure connection between an IBM WebSphere MQ Web services client and the queue manager hosting the web service. The SSL options control how SSL is configured on the IBM WebSphere MQ MQI client-server channel connection.

Syntax diagram

SSL (Java)
sslCipherSuite(CipherSuite) sslKeyStore(KeyStoreName) sslKeyStorePassword(KeyStorePassword) sslTrustStore(TrustStoreName) sslTrustStorePassword(TrustStorePassword) [SSL (Common)]
SSL (.NET)
sslCipherSpec(CipherSpec) sslKeyRepository(KeyRepository) [CryptoHardware] [SSL (Common)]
SSL (Common)
sslPeerName(PeerName) sslKeyResetCount(bytecount) sslFipsRequired(NO | YES) sslLDAPCRLServers(ldap://hostname[:port])
In the diagram, bytecount defaults to 0, sslFipsRequired defaults to NO, and the LDAP port defaults to 389. The fragments in square brackets are optional and are expanded in the other diagrams.
CryptoHardware
sslCryptoHardware(PKCS #11 path and file name;PKCS #11 token label;PKCS #11 token password;symmetric cipher setting;)

Required SSL parameters (Common)

sslPeerName(peerName)
peerName specifies the sslPeerName used on the channel: a distinguished name (DN) pattern that the subject of the certificate presented by the queue manager must match. If the subject does not match the pattern, the connection is rejected even though the certificate is otherwise trusted.

Required SSL parameters (Java)

sslCipherSuite(CipherSuite)
CipherSuite specifies the sslCipherSuite used on the channel. The CipherSuite specified by the client must correspond to the CipherSpec (SSLCIPH) set on the server connection channel; if the two do not correspond, the channel does not start.
sslKeyStore(KeyStoreName)
KeyStoreName specifies the sslKeyStore used on the channel. The keystore holds the private key and certificate of the client, used to authenticate the client to the server. The keystore is optional if the server connection channel is configured to accept anonymous client connections, that is, if it does not require client authentication.
sslKeyStorePassword(KeyStorePassword)
KeyStorePassword specifies the sslKeyStorePassword used on the channel. Because the password is carried in the URI, protect anything that stores, displays, or logs the URI.
sslTrustStore(TrustStoreName)
TrustStoreName specifies the sslTrustStore used on the channel. The trust store holds the public certificate of the server, or the certificate chain that issued it, so that the client can authenticate the server. The trust store is optional if the server certificate chains to a certificate authority root that is already present in the JRE certificate store, cacerts.
sslTrustStorePassword(TrustStorePassword)
TrustStorePassword specifies the sslTrustStorePassword used on the channel.

Required SSL parameters (.NET)

sslCipherSpec(CipherSpec)
CipherSpec specifies the sslCipherSpec used on the channel. If the option is specified then SSL is used on the client channel.
sslKeyRepository(KeyRepository)
KeyRepository specifies the sslKeyRepository used on the channel, that is, where the SSL keys and certificates are stored. KeyRepository is specified in stem format: a full path with file name but with the file extension omitted, so /var/mqm/ssl/key refers to key.kdb and its stash file key.sth in that directory. The effect of setting sslKeyRepository is the same as setting the KeyRepository field in the MQSCO structure on an MQCONNX call.

Optional SSL parameters (.NET)

sslCryptoHardware(CryptoHardware)
CryptoHardware specifies the sslCryptoHardware used on the channel. The possible values for this field, and the effect of setting it, are the same as for the CryptoHardware field of the MQSCO structure on an MQCONNX.

Optional SSL parameters (Common)

sslKeyResetCount(bytecount)
bytecount specifies the number of bytes passed across an SSL channel before the SSL secret key must be renegotiated. To disable the renegotiation of SSL keys, omit the field or set it to zero. Zero is the only value supported in some environments; see Renegotiating the secret key in WebSphere MQ classes for Java. The effect of setting sslKeyResetCount is the same as setting the KeyResetCount field in the MQSCO structure on an MQCONNX call.
sslFipsRequired(fipsCertified)
fipsCertified specifies whether the CipherSpec or CipherSuite used on the channel must be one that is FIPS-certified in IBM WebSphere MQ. The effect of setting fipsCertified is the same as setting the FipsRequired field of the MQSCO structure on an MQCONNX call.
sslLDAPCRLServers(LDAPServerList)
LDAPServerList specifies a list of LDAP servers to be used for Certificate Revocation List (CRL) checking.

For SSL-enabled client connections, the certificate presented by the queue manager is checked against the CRLs held on one of the listed LDAP servers; if the certificate appears on a CRL, the connection fails. Each LDAP server is tried in turn until connectivity is established to one of them. If none of the servers can be reached, the certificate is rejected. Once a connection has been established to one of them, the certificate is accepted or rejected according to the CRLs present on that LDAP server.

If LDAPServerList is blank, the certificate belonging to the queue manager is not checked against a Certificate Revocation List, so a revoked queue manager certificate is still accepted if it is otherwise valid. An error message is displayed if the supplied list of LDAP URIs is not valid. The effect of setting this field is the same as that of including MQAIR records and accessing them from an MQSCO structure on an MQCONNX call.
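The constraints above are easy to get wrong in a long option string: a Java option pasted into a .NET URI, a key repository given with its .kdb extension, a CRL server given without the ldap:// scheme, or a misspelt option name that silently disables a check. The following linter is an added example and is not IBM code. It parses the name(value)name(value)... option string and reports the errors and warnings that the parameter descriptions on this page imply, without opening a connection. The non-SSL options in the samples (connectQueueManager, clientConnection, clientChannel), the host names, paths, passwords and cipher names are constructed placeholders, and the comma used to separate entries in sslLDAPCRLServers is an assumption, since this page does not state the list separator.

```python
import re

# Option names grouped as the syntax diagrams on this page group them.
JAVA_ONLY = {"sslCipherSuite", "sslKeyStore", "sslKeyStorePassword",
             "sslTrustStore", "sslTrustStorePassword"}
DOTNET_ONLY = {"sslCipherSpec", "sslKeyRepository", "sslCryptoHardware"}
COMMON = {"sslPeerName", "sslKeyResetCount", "sslFipsRequired", "sslLDAPCRLServers"}
KNOWN = JAVA_ONLY | DOTNET_ONLY | COMMON

# ldap://hostname or ldap://hostname:port, as drawn in the SSL (Common) diagram.
LDAP_URI = re.compile(r"^ldap://[A-Za-z0-9.\-]+(:\d{1,5})?$")
# A key repository is given as a stem; these suffixes mean a file name was pasted in instead.
REPO_FILE_SUFFIX = re.compile(r"\.(kdb|sth|rdb|crl)$", re.IGNORECASE)


def parse_options(text):
    """Split 'name(value)name(value)...' into (name, value) pairs.

    Values may contain balanced parentheses, e.g. clientConnection(host(1414)),
    so the closing parenthesis is found by depth counting, not by a regex.
    """
    text, pairs, i = text.strip(), [], 0
    while i < len(text):
        j = text.find("(", i)
        if j < 0 or not text[i:j].strip():
            raise ValueError("expected name( at %r" % text[i:i + 20])
        name, depth, k = text[i:j].strip(), 0, j
        while k < len(text):
            depth += {"(": 1, ")": -1}.get(text[k], 0)
            if depth == 0:
                break
            k += 1
        else:
            raise ValueError("unbalanced parentheses in %s(" % name)
        pairs.append((name, text[j + 1:k].strip()))
        i = k + 1
    return pairs


def check_ssl_options(text, platform):
    """Return (errors, warnings) for the ssl* options of one connection factory.

    platform is "java" or "dotnet". Non-SSL options are parsed but not judged.
    """
    errors, warnings, opts = [], [], {}
    for name, value in parse_options(text):
        if name.startswith("ssl"):
            if name in opts:
                errors.append("duplicate option %s" % name)
            opts[name] = value
    if not opts:
        return errors, ["no ssl* options: the client channel is not SSL-protected"]

    foreign = DOTNET_ONLY if platform == "java" else JAVA_ONLY
    for name in opts:
        if name not in KNOWN:      # catches typos such as sslCipherPeerName
            errors.append("unknown option %s" % name)
        elif name in foreign:
            errors.append("%s is not a %s option" % (name, platform))

    if platform == "java":
        if "sslCipherSuite" not in opts:
            errors.append("sslCipherSuite is required to enable SSL on a Java client channel")
        for store in ("sslKeyStore", "sslTrustStore"):
            if (store in opts) != (store + "Password" in opts):
                errors.append("%s and %sPassword must be given together" % (store, store))
        if "sslKeyStore" not in opts:
            warnings.append("no sslKeyStore: connection works only if the server accepts anonymous clients")
        if "sslTrustStore" not in opts:
            warnings.append("no sslTrustStore: the server certificate must chain to a CA root in the JRE cacerts")
    else:
        if "sslCipherSpec" not in opts:
            errors.append("sslCipherSpec is required to enable SSL on a .NET client channel")
        repo = opts.get("sslKeyRepository")
        if repo is None:
            errors.append("sslKeyRepository is required")
        elif REPO_FILE_SUFFIX.search(repo):
            errors.append("sslKeyRepository must be in stem format, without file extension: %s" % repo)

    if "sslKeyResetCount" in opts and not opts["sslKeyResetCount"].isdigit():
        errors.append("sslKeyResetCount must be a non-negative integer (0 disables renegotiation)")
    if "sslFipsRequired" in opts and opts["sslFipsRequired"].upper() not in ("YES", "NO"):
        errors.append("sslFipsRequired must be YES or NO")
    if "sslPeerName" not in opts:
        warnings.append("no sslPeerName: any certificate the client trusts is accepted for the queue manager")

    crl = opts.get("sslLDAPCRLServers", "")
    if not crl.strip():
        warnings.append("no sslLDAPCRLServers: the queue manager certificate is never checked against a CRL")
    for uri in (u.strip() for u in crl.split(",") if u.strip()):   # ASSUMPTION: comma-separated list
        if not LDAP_URI.match(uri):
            errors.append("invalid LDAP URI in sslLDAPCRLServers: %r" % uri)
    return errors, warnings


# Constructed sample option strings; host names, paths, passwords and cipher names are placeholders.
JAVA_SAMPLE = ("connectQueueManager(QM1)clientConnection(mqhost.example.com(1414))"
               "clientChannel(CLIENT.SVRCONN)sslCipherSuite(SSL_RSA_WITH_AES_128_CBC_SHA)"
               "sslKeyStore(/etc/mq/client.jks)sslKeyStorePassword(keypass)"
               "sslTrustStore(/etc/mq/trust.jks)sslTrustStorePassword(trustpass)"
               "sslPeerName(CN=QM1,O=Example)sslKeyResetCount(0)sslFipsRequired(NO)"
               "sslLDAPCRLServers(ldap://crl.example.com:389)")
# .NET sample with three mistakes: a misspelt option, a file name instead of a stem, a bare host name.
DOTNET_SAMPLE = (r"sslCipherSpec(TLS_RSA_WITH_AES_128_CBC_SHA)sslKeyRepository(C:\mq\ssl\key.kdb)"
                 "sslCipherPeerName(CN=QM1,O=Example)sslLDAPCRLServers(crl.example.com)")

if __name__ == "__main__":
    for platform, sample in (("java", JAVA_SAMPLE), ("dotnet", DOTNET_SAMPLE)):
        errors, warnings = check_ssl_options(sample, platform)
        print(platform, "errors:", errors, "warnings:", warnings)
```

Run against the Java sample the linter returns no errors and no warnings; against the .NET sample it reports the unknown option sslCipherPeerName, the .kdb suffix on sslKeyRepository, and the LDAP entry without an ldap:// scheme, and warns that no sslPeerName constrains the queue manager's certificate. The warnings are the ones worth reviewing before deployment: a missing sslLDAPCRLServers means a revoked queue manager certificate is still accepted, and a missing sslPeerName means any certificate the trust store accepts will do.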