IBM Support

IBM WebSphere MQ: How does MQ provide multiple certificates (CERTLABL) capability

Question & Answer


How does MQ provide the multiple certificates capability - channel CERTLABL for TLS secured channels?


Server Name Indication (SNI) is an extension to the TLS protocol that allows a client to indicate what service it requires. In MQ terminology this equates to a channel.

The SNI extension is used by MQ to allow multiple certificates to be specified across different channels using the CERTLABL parameter on the channel definition.

The SNI address used by MQ is based upon the channel name that is being requested, followed by a suffix of "".

MQ channel names are mapped to be valid SNI names as follows:

  • Upper case letters A-Z are folded to lower case
  • Digits 0 through 9 are left unchanged
  • All other characters including lower-case letters a-z are converted into their 2-digit hexadecimal ASCII character code followed by a hyphen.
  • lower case letters a through z map to "61-" through "7a-" respectively
  • percent (%) maps to "25-"
  • hyphen (-) maps to "2d-"
  • dot (.) maps to "2e-"
  • forward slash (/) maps to "2f-"
  • underscore (_) maps to "5f-"

On EBCDIC platforms, the channel name is converted to ASCII before this mapping is applied.

As an example, channel name "TO.QMGR1" maps to an SNI address of "".

By contrast, the lower case channel name "to.qmgr1" maps onto SNI address of "".

[{"Product":{"code":"SSFKSJ","label":"WebSphere MQ"},"Business Unit":{"code":"BU053","label":"Cloud & Data Platform"},"Component":"SSL","Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"8.0","Edition":"All Editions","Line of Business":{"code":"LOB45","label":"Automation"}}]

Document Information

Modified date:
15 June 2018