How IBM MQ provides multiple certificates capability
Server Name Indication (SNI) is an extension to the TLS protocol that allows a client to indicate what service it requires. In IBM® MQ terminology this equates to a channel.
The SNI extension is used by IBM MQ to allow multiple certificates to be specified across different channels using the CERTLABL parameter on the channel definition.
The SNI address used by IBM MQ is based upon the channel name that is being requested, followed by a suffix of .chl.mq.ibm.com. The channel name is mapped as follows:
- Upper case letters A to Z are folded to lower case
- Digits 0 to 9 are left unchanged
- All other characters, including lower case letters a to z, are converted into their two digit hexadecimal ASCII character code (in lower case), followed by a hyphen:
  - Lower case letters a to z map to hexadecimal 61- to 7a- respectively
  - percent (%) maps to hexadecimal 25-
  - hyphen (-) maps to hexadecimal 2d-
  - dot (.) maps to hexadecimal 2e-
  - forward slash (/) maps to hexadecimal 2f-
  - underscore (_) maps to hexadecimal 5f-
On EBCDIC platforms, the channel name is converted to ASCII before this mapping is applied.
As an example, channel name TO.QMGR1 maps to an SNI address of to2e-qmgr1.chl.mq.ibm.com.
By contrast, the lower case channel name to.qmgr1 maps onto an SNI address of 74-6f-2e-71-6d-67-72-1.chl.mq.ibm.com.
The additional OutboundSNI property of the SSL stanza allows you to select whether, when initiating a TLS connection to a remote system, the SNI is set to the target IBM MQ channel name or to the hostname. For more information about the OutboundSNI property, see SSL stanza of the qm.ini file and SSL stanza of the client configuration file.
Using multiple certificates requires that the SNI is set to the IBM MQ channel name. If a hostname, custom, or no SNI is used to connect to an IBM MQ channel with a certificate label configured, the connecting application is rejected with an MQRC_SSL_INITIALIZATION_ERROR, and an AMQ9673 message is printed in the remote queue manager error logs.
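The mapping above, and the check that follows from the rejection rule, as an added worked example (this is not IBM's code, and it assumes the channel name is already ASCII, since on EBCDIC platforms IBM MQ converts it first). `channel_name_to_sni` applies the documented rules; `sni_to_channel_name` is the inverse, which is handy when reading the SNI out of a ClientHello in a packet capture to see which channel a connection is asking for; `sni_matches_channel` is the condition a connection to a channel with a CERTLABL must satisfy, so it is the first thing to test when diagnosing an AMQ9673 rejection:

```python
"""IBM MQ channel name <-> SNI host name mapping (added example, not IBM code).

Assumes the channel name is already ASCII; on EBCDIC platforms IBM MQ converts
the name to ASCII before this mapping is applied.
"""

SNI_SUFFIX = ".chl.mq.ibm.com"


def channel_name_to_sni(channel_name: str) -> str:
    """Return the SNI host name IBM MQ uses for a channel name.

    Documented rules:
      * 'A'..'Z' are folded to lower case
      * '0'..'9' are left unchanged
      * everything else, including 'a'..'z', becomes its two-digit lower-case
        hexadecimal ASCII code followed by a hyphen (for example '.' -> '2e-')
    """
    parts = []
    for ch in channel_name:
        code = ord(ch)
        if code > 0x7F:
            # Names are ASCII by the time this mapping runs; reject anything else.
            raise ValueError(f"non-ASCII character {ch!r} in channel name")
        if "A" <= ch <= "Z":
            parts.append(ch.lower())
        elif "0" <= ch <= "9":
            parts.append(ch)
        else:
            parts.append(f"{code:02x}-")
    return "".join(parts) + SNI_SUFFIX


def sni_to_channel_name(sni: str) -> str:
    """Decode a .chl.mq.ibm.com SNI host name back to the channel name.

    A hyphen only ever terminates a two-character hex escape, so the encoding is
    unambiguous: if the character two positions ahead is '-', the current two
    characters are an escape; otherwise the current character is a plain
    letter or digit. Plain letters were folded from upper case, so they are
    returned in upper case (the conventional form for IBM MQ channel names);
    escaped characters, including lower-case letters, are recovered exactly.
    """
    sni = sni.lower()  # DNS names are case-insensitive
    if not sni.endswith(SNI_SUFFIX):
        raise ValueError(f"{sni!r} is not an IBM MQ channel SNI")
    body = sni[: -len(SNI_SUFFIX)]
    out = []
    i = 0
    while i < len(body):
        if i + 2 < len(body) and body[i + 2] == "-":
            hex_pair = body[i:i + 2]
            if not all(c in "0123456789abcdef" for c in hex_pair):
                raise ValueError(f"bad hex escape {hex_pair!r} in {sni!r}")
            out.append(chr(int(hex_pair, 16)))
            i += 3
        else:
            ch = body[i]
            if "a" <= ch <= "z":
                out.append(ch.upper())  # folded upper-case letter
            elif "0" <= ch <= "9":
                out.append(ch)
            else:
                raise ValueError(f"unexpected character {ch!r} in {sni!r}")
            i += 1
    return "".join(out)


def sni_matches_channel(sni: str, channel_name: str) -> bool:
    """True if a ClientHello's SNI is the one the named channel requires.

    A channel with a CERTLABL configured only accepts connections whose SNI is
    its channel name in this form; a hostname SNI, a custom SNI or no SNI is
    rejected with MQRC_SSL_INITIALIZATION_ERROR and logged as AMQ9673.
    """
    return sni.lower() == channel_name_to_sni(channel_name)


if __name__ == "__main__":
    # Constructed inputs: the two channel names used in the text above.
    for name in ("TO.QMGR1", "to.qmgr1"):
        sni = channel_name_to_sni(name)
        print(f"{name} -> {sni} -> {sni_to_channel_name(sni)}")
```

Running the block prints the two documented mappings and their round trips. The decoder deliberately raises on anything outside the documented alphabet rather than guessing, so an unexpected SNI shows up as an error instead of a silently wrong channel name.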
If a channel connects to the destination queue manager through IBM MQ Internet Pass-Thru (MQIPT), MQIPT must be configured to either set the SNI to the channel name, or to pass through the SNI received on the inbound connection to the route, to allow multiple certificates to be used by the destination queue manager. For more information about multiple certificate support and MQIPT, see IBM MQ multiple certificate support with MQIPT.
For more information on how this property is used, see Connecting to a queue manager deployed in a Red Hat OpenShift cluster.