[Linux]

How IBM MQ provides multiple certificates capability

Server Name Indication (SNI) is an extension to the TLS protocol that allows a client to indicate what service it requires. In IBM® MQ terminology this equates to a channel.

The SNI extension is used by IBM MQ to allow multiple certificates to be specified across different channels using the CERTLABL parameter on the channel definition.

The SNI address used by IBM MQ is based upon the channel name that is being requested, followed by a suffix of .chl.mq.ibm.com.

IBM MQ channel names are mapped to be valid SNI names as follows:
  • Upper case letters A to Z are folded to lower case
  • Digits 0 to 9 are left unchanged
  • All other characters, including lower case letters a to z, are converted into their two-digit hexadecimal ASCII character code (in lower case), followed by a hyphen.
    • Lower case letters a to z map to hexadecimal 61- to 7a- respectively
    • percent (%) maps to hexadecimal 25-
    • hyphen (-) maps to hexadecimal 2d-
    • dot (.) maps to hexadecimal 2e-
    • forward slash (/) maps to hexadecimal 2f-
    • underscore (_) maps to hexadecimal 5f-

On EBCDIC platforms, the channel name is converted to ASCII before this mapping is applied.

As an example, channel name TO.QMGR1 maps to an SNI address of to2e-qmgr1.chl.mq.ibm.com.

By contrast, the lower case channel name to.qmgr1 maps onto an SNI address of 74-6f-2e-71-6d-67-72-1.chl.mq.ibm.com.

Note: In environments where the generated SNI URL must conform to URL formatting specifications, for example when a client is connecting to a queue manager running in Red Hat® OpenShift® across a Red Hat OpenShift Route, the channel name must not end with a lower case letter.
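The mapping rules above, the two worked examples, and the note about names ending in a lower case letter, carried through as an added example (not IBM MQ product code). It encodes a channel name to its SNI host name, decodes an observed SNI value back to the channel name (useful when reviewing a TLS ClientHello capture or a proxy log, since SNI is sent in clear text), and applies the standard hostname label rules to show why a trailing lower case letter produces a label that ends in a hyphen. The channel name is assumed to be ASCII already; on EBCDIC platforms IBM MQ performs that conversion before the mapping.

```python
"""IBM MQ channel name <-> SNI host name mapping.

Added example illustrating the documented rules; not IBM MQ's own code.
"""

SNI_SUFFIX = ".chl.mq.ibm.com"


def channel_name_to_sni(channel_name: str) -> str:
    """Map an IBM MQ channel name to the SNI value MQ sends in the TLS ClientHello.

    Rules: A-Z fold to lower case, 0-9 are kept, every other character becomes its
    two-digit lower-case hex ASCII code followed by a hyphen.
    Assumes the name is already ASCII (on EBCDIC platforms MQ converts first).
    """
    parts = []
    for ch in channel_name:
        code = ord(ch)
        if code > 0x7F:
            raise ValueError(f"non-ASCII character {ch!r} in channel name")
        if "A" <= ch <= "Z":
            parts.append(ch.lower())
        elif "0" <= ch <= "9":
            parts.append(ch)
        else:
            parts.append(f"{code:02x}-")
    return "".join(parts) + SNI_SUFFIX


def sni_to_channel_name(sni: str) -> str:
    """Inverse mapping: recover the requested channel name from an SNI value.

    A hyphen is only ever emitted as the terminator of a hex escape, so whenever
    label[i + 2] is '-' the two characters at i and i + 1 are a hex code; any
    other character is a folded upper-case letter or a digit.
    """
    if not sni.endswith(SNI_SUFFIX):
        raise ValueError("not an IBM MQ channel SNI name")
    label = sni[: -len(SNI_SUFFIX)]
    out, i = [], 0
    while i < len(label):
        if i + 2 < len(label) and label[i + 2] == "-":
            out.append(chr(int(label[i:i + 2], 16)))  # raises on malformed hex
            i += 3
        else:
            ch = label[i]
            out.append(ch.upper() if "a" <= ch <= "z" else ch)
            i += 1
    return "".join(out)


def sni_is_valid_hostname(sni: str) -> bool:
    """RFC 1123 style check: labels of 1-63 chars from [a-z0-9-], no leading or
    trailing hyphen, whole name at most 253 chars.

    A channel name ending in a lower-case letter yields a label ending in '-' and
    fails here, which is the case the OpenShift Route note warns about.
    """
    if len(sni) > 253:
        return False
    for lbl in sni.split("."):
        if not 1 <= len(lbl) <= 63:
            return False
        if lbl[0] == "-" or lbl[-1] == "-":
            return False
        if any(not ("a" <= c <= "z" or "0" <= c <= "9" or c == "-") for c in lbl):
            return False
    return True


if __name__ == "__main__":
    # Constructed sample names: the two from the documentation plus one that
    # ends in a lower-case letter.
    for name in ("TO.QMGR1", "to.qmgr1", "TO.QMGRa"):
        sni = channel_name_to_sni(name)
        print(f"{name:10} -> {sni:45} valid hostname: {sni_is_valid_hostname(sni)}")
        print(f"{'':10}    decoded back to {sni_to_channel_name(sni)!r}")
```

The decoder is the piece a defender most often wants: an SNI value such as `to2e-qmgr1.chl.mq.ibm.com` observed at a TLS-terminating proxy or in a packet capture identifies the MQ channel being requested before any certificate is exchanged.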

The additional OutboundSNI property of the SSL stanza allows you to select whether the SNI sent to the remote system when initiating a TLS connection is set to the target IBM MQ channel name or to the hostname. For more information about the OutboundSNI property, see SSL stanza of the qm.ini file and SSL stanza of the client configuration file.

Multiple certificate support requires that the SNI is set to the IBM MQ channel name. If a hostname, custom, or no SNI is used to connect to an IBM MQ channel with a certificate label configured, the connecting application is rejected with an MQRC_SSL_INITIALIZATION_ERROR, and an AMQ9673 message is printed in the remote queue manager error logs.

[MQ 9.2.5 Feb 2022] If a channel connects to the destination queue manager through IBM MQ Internet Pass-Thru (MQIPT), MQIPT must be configured to either set the SNI to the channel name, or to pass through the SNI received on the inbound connection to the route, to allow multiple certificates to be used by the destination queue manager. For more information about multiple certificate support and MQIPT, see IBM MQ multiple certificate support with MQIPT.

For more information on how the OutboundSNI property is used, see Connecting to a queue manager deployed in a Red Hat OpenShift cluster.