Configuring certificate validation policies in IBM MQ

You can specify which TLS certificate validation policy is used to validate digital certificates received from remote partner systems in four ways: one on the queue manager and three on the client.

On the queue manager, the certificate validation policy can be set in the following ways:
  • Using the queue manager attribute CERTVPOL. For more information about setting this attribute, see ALTER QMGR.

On the client, there are several methods that can be used to set the certificate validation policy. If more than one method is used to set the policy, the client uses the settings in the following priority order:
  1. Using the CertificateValPolicy field in the client MQSCO structure. For more information about using this field, see MQSCO - SSL configuration options.
  2. Using the client environment variable, MQCERTVPOL. For more information about using this variable, see MQCERTVPOL.
  3. Using the client SSL stanza tuning parameter setting, CertificateValPolicy. For more information about using this setting, see SSL stanza of the client configuration file.
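
The client priority order above means a strict setting in the configuration file can be overridden by the environment or by application code. The following audit helper is an added example, not IBM code: it resolves which source wins for a given client. The value names ANY and RFC5280, the ANY fallback, the `#`/`;` comment syntax, and the function names are assumptions of this example.

```python
import re

VALID = {"ANY", "RFC5280"}  # assumed value names; not listed on this page
DEFAULT = "ANY"             # assumed fallback when no method sets a policy


def stanza_value(ini_text, stanza, key):
    """Return the value of `key` inside `stanza:` of a client config file, or None."""
    current, found = None, None
    for raw in ini_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # blank line or comment (assumed syntax)
            continue
        header = re.fullmatch(r"(\w+):", line)   # stanza header such as "SSL:"
        if header:
            current = header.group(1)
            continue
        name, sep, value = line.partition("=")
        if sep and current and current.lower() == stanza.lower() \
                and name.strip().lower() == key.lower():
            found = value.strip()                # last occurrence wins (assumed)
    return found


def effective_policy(mqsco_value=None, environ=None, ini_text=""):
    """Resolve the client policy using the priority order given on this page."""
    candidates = [
        ("MQSCO.CertificateValPolicy", mqsco_value),  # None = application left it unset
        ("MQCERTVPOL environment variable", (environ or {}).get("MQCERTVPOL")),
        ("SSL stanza CertificateValPolicy",
         stanza_value(ini_text, "SSL", "CertificateValPolicy")),
    ]
    for source, value in candidates:
        if value is None or value.strip() == "":
            continue                             # this method was not used
        policy = value.strip().upper()
        if policy not in VALID:
            raise ValueError(f"{source}: unrecognised policy {value!r}")
        return policy, source
    return DEFAULT, "default (nothing set)"


# Constructed sample: the stanza asks for RFC5280 but the environment overrides it.
SAMPLE_INI = """\
# constructed mqclient.ini fragment
SSL:
   CertificateValPolicy=RFC5280
"""

if __name__ == "__main__":
    print(effective_policy(environ={"MQCERTVPOL": "ANY"}, ini_text=SAMPLE_INI))
```

Running it against a host's real environment and client configuration file shows whether a higher-priority source is masking the policy the file requests.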

For more information about certificate validation policies, see Certificate validation policies in IBM MQ.