Default security preferences
A security exit can be defined for all client connections in the same IBM® MQ Explorer. This is known as a default security exit and the preferences for the security exit are described here.
- Click . The Preferences dialog opens.
- Expand MQ Explorer.
- Expand Client Connections. The default security settings dialogs are now accessible.
Security Exit
Select Enable default security exit to set the default security exit for all client connections in the same IBM MQ Explorer. The security exit for all the client-connected queue managers in a set can be changed. The security exit can be overridden if you define a new security exit when you add a new remote queue manager.
The Security Exit for all client-connected queue managers in a set can be changed. The TLS options can be overridden when you add a new remote queue manager.
| Item | Description |
|---|---|
| Exit name | Specifies the name of the exit program to be
run by the security exit. Exit name can be up
to 1024 characters long and is case sensitive. Exit name can
be a fully qualified java class name found in the directory or jar
file. Exit name can be a C exit, of the format: dll_name(function_name).
The default path for exits is always used to locate C exits, you cannot
specify the location of the exit library in this entry field unless
no default path is set. |
| in directory | Specifies the directory for the security exit (Java exits only). |
| in jar | Specifies the jar file for the security exit (Java exits only). |
| Exit data | Exit data can be up to 32 characters long. If no value has been defined for that attribute, this field is all blanks. |
SSL/TLS Options
Select Enable default SSL options to enable the default SSL/TLS options for all client connections in the same IBM MQ Explorer. The SSL/TLS options for all client-connected queue managers in a set can be changed. The SSL/TLS options can be overridden when you add a new remote queue manager.
| Item | Description |
|---|---|
| SSL CipherSpec | The CipherSpec identifies the combination of encryption algorithm and hash
function used by an SSL/TLS connection. A CipherSpec forms part of a CipherSuite, which identifies
the key exchange and authentication mechanism as well as the encryption and hash function
algorithms. The size of the key used during the handshake can depend on the digital certificate you use, but some of the CipherSpecs supported by IBM MQ include a specification of the handshake key size. Note that larger handshake key sizes provide stronger authentication. With smaller key sizes, the handshake is faster. For more information, see CipherSpecs and CipherSuites in the IBM MQ online product documentation. |
| SSL FIPS required | Select Yes to use only FIPS-certified cipher suites. If you select Yes, then all TLS connections must use FIPS-certified cipher suites. Select No to use any available cipher suites. The default setting is No. If you change this setting from Yes to No, or from No to Yes a dialog will be opened asking if you want to restart MQ Explorer. Any changes to this setting will not be applied until the MQ Explorer has been restarted. |
| SSL reset count | Type the number of bytes, from 0 to 999 999 999, that are sent and received within a TLS conversation before the secret key is renegotiated. A value of 0 means that the secret key is never renegotiated. The number of bytes includes control information that is sent by the message channel agent (MCA). If the value of this attribute is greater than 0 and the value of the Heartbeat interval attribute in the Channel properties is greater than 0, the secret key is also renegotiated before message data is sent or received following a channel heartbeat. |
| Peer name | The Distinguished Name (DN) of the queue manager to be used by TLS. The peer name is set to indicate that connections will only be allowed where the server is successfully authenticated as a specific DN. |
SSL/TLS Stores
Select Enable default SSL stores to work with the Trusted Certificate Store and the Personal Certificate Store.
To configure IBM MQ Explorer with the location and password of the SSL/TLS certificate store, refer to: Specifying the default location and default password of TLS certificates.
By enabling the default SSL/TLS stores, IBM MQ Explorer can use the certificates in the TrustStore and KeyStore to connect to remote queue managers with a TLS-enabled connection.
The SSL/TLS Stores for all client-connected queue managers in a set can be changed. The SSL/TLS Stores can be overridden when you add a new remote queue manager.