[UNIX, Linux, Windows, IBM i]

SSL stanza of the qm.ini file

The SSL stanza is used to configure the TLS channels on a queue manager.

Online Certificate Status Protocol (OCSP)

A certificate can contain an AuthorityInfoAccess extension. This extension specifies a server to be contacted through Online Certificate Status Protocol (OCSP). To allow SSL or TLS channels on your queue manager to use AuthorityInfoAccess extensions, ensure that the OCSP server named in them is available, is correctly configured, and is accessible over the network. For more information, see Working with revoked certificates.

CrlDistributionPoint (CDP)

A certificate can contain a CrlDistributionPoint extension. This extension contains a URL which identifies both the protocol used to download a certificate revocation list (CRL) and also the server to be contacted.

If you want to allow SSL or TLS channels on your queue manager to use CrlDistributionPoint extensions, ensure that the CDP server named in them is available, correctly configured, and accessible over the network.

The SSL Stanza

Use the SSL stanza in the qm.ini file to configure how TLS channels on your queue manager attempts to use the following facilities, and how they react if problems occur when using them.

In each of the following cases, if the value supplied is not one of the valid values listed, then the default value is taken. No error messages are written mentioning that an invalid value is specified.

CDPCheckExtensions=YES|NO (default)

Specifies whether TLS channels on this queue manager try to check CDP servers that are named in CrlDistributionPoint certificate extensions.

  • YES: TLS channels try to check CDP servers to determine whether a digital certificate is revoked.
  • NO (default): TLS channels do not try to check CDP servers. This value is the default.
OCSPAuthentication=REQUIRED (default) |WARN|OPTIONAL

Specifies the action to be taken when a revocation status cannot be determined from an OCSP server.

If OCSP checking is enabled, a TLS channel program attempts to contact an OCSP server.

If the channel program is unable to contact any OCSP servers, or if no server can provide the revocation status of the certificate, then the value of the OCSPAuthentication parameter is used.

  • REQUIRED (default): Failure to determine the revocation status causes the connection to be closed with an error. This value is the default.
  • WARN: Failure to determine the revocation status causes a warning message to be written in the queue manager error log, but the connection is allowed to proceed.
  • OPTIONAL: Failure to determine the revocation status allows the connection to proceed silently. No warnings or errors are given.
OCSPCheckExtensions= YES (default) |NO

Specifies whether TLS channels on this queue manager try to check OCSP servers that are named in AuthorityInfoAccess certificate extensions.

  • YES (default) : TLS channels try to check OCSP servers to determine whether a digital certificate is revoked. This value is the default.
  • NO: TLS channels do not try to check OCSP servers.
SSLHTTPProxyName= string
The string is either the host name or network address of the HTTP Proxy server that is to be used by GSKit for OCSP checks. This address can be followed by an optional port number, enclosed in parentheses. If you do not specify the port number, the default HTTP port, 80, is used.
[AIX][Solaris][HP-UX]For 32-bit clients on AIX®, and on Solaris SPARC platforms and HP-UX PA-RISC platforms, the network address can only be an IPv4 address.
On other platforms, the network address can be an IPv4 or IPv6 address.

This attribute might be necessary if, for example, a firewall prevents access to the URL of the OCSP responder.

Example stanza


SSL:
       CDPCheckExtensions=NO1
        OCSPAuthentication=REQUIRED
        OCSPTimeout=30
Notes:
  1. The values for CDPCheckExtensions can be only Yes or No.