Protecting channels with SSL
The Secure Sockets Layer (SSL) protocol provides out-of-the-box channel
security, with protection against eavesdropping, tampering, and impersonation. WebSphere MQ support
for SSL enables you to specify, on the channel definition, that a particular
channel uses SSL security. You can also specify details of the kind of security
you want, such as the encryption algorithm (CipherSpec) to use.
SSL support in WebSphere MQ uses the queue manager authentication information
object and various MQSC commands and queue manager and channel parameters
that define the SSL support required in detail.
The following MQSC commands support SSL:
- ALTER AUTHINFO: Modifies the attributes of an authentication information object.
- DEFINE AUTHINFO: Creates a new authentication information object.
- DELETE AUTHINFO: Deletes an authentication information object.
- DISPLAY AUTHINFO: Displays the attributes of a specific authentication information object.
The following queue manager parameters support SSL:
- SSLCRLNL: Allows access to a certificate revocation list. The SSLCRLNL attribute specifies a namelist. The namelist contains zero or more authentication information objects. Each authentication information object gives access to an LDAP server.
- SSLCRYP: On Windows and UNIX systems, sets the SSLCryptoHardware queue manager attribute. This attribute is the name of the parameter string that you can use to configure the cryptographic hardware you have on your system.
- SSLEV: Determines whether an SSL event message is reported if a channel using SSL fails to establish an SSL connection.
- SSLFIPS: Specifies whether only FIPS-certified algorithms are to be used if cryptography is carried out in WebSphere MQ. If cryptographic hardware is configured, the cryptographic modules used are those provided by the hardware product, and these may or may not be FIPS-certified to a particular level, depending on the hardware product in use.
- SSLKEYR: On Windows and UNIX systems, associates a key repository with a queue manager. The key database is held in a GSKit key database. (The IBM(R) Global Security Kit (GSKit) enables you to use SSL security on Windows and UNIX systems.)
- SSLRKEYC: The number of unencrypted bytes sent and received within an SSL conversation before the secret key is renegotiated. The number of bytes includes control information sent by the MCA.
The following channel parameters support SSL:
- SSLCAUTH: Defines whether WebSphere MQ requires and validates a certificate from the SSL client.
- SSLCIPH: Specifies the encryption strength and function (CipherSpec), for example NULL_MD5 or RC4_MD5_US. The CipherSpec must match at both ends of the channel.
- SSLPEER: Specifies the distinguished name (unique identifier) of allowed partners.
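As an added example (not from the original page or from IBM's documentation), the following MQSC script ties the objects and parameters described above together on one queue manager; the object names, LDAP host, key repository path, distinguished names and the availability of the chosen CipherSpec on your MQ level are all assumptions. It deliberately avoids the NULL_MD5 and RC4_MD5_US CipherSpecs named above, since NULL_MD5 gives no encryption at all and RC4_MD5_US relies on RC4 and MD5.

```mqsc
* Added example, not from the original page. All names and values
* (QM1, ldap.example.com, paths, DNs) are assumptions.

* 1. Authentication information object for CRL checking via LDAP,
*    wrapped in a namelist that the queue manager's SSLCRLNL refers to.
DEFINE AUTHINFO(CRL.LDAP1) AUTHTYPE(CRLLDAP) +
       CONNAME('ldap.example.com(389)') +
       DESCR('CRL lookup on assumed LDAP host')
DEFINE NAMELIST(SSL.CRL.NL) NAMES(CRL.LDAP1)

* 2. Queue manager settings: GSKit key repository (given without the
*    .kdb suffix on UNIX), CRL namelist, FIPS-only algorithms, SSL
*    event messages, and secret key renegotiation after 1 MB.
ALTER QMGR SSLKEYR('/var/mqm/qmgrs/QM1/ssl/key') +
           SSLCRLNL(SSL.CRL.NL) +
           SSLFIPS(YES) +
           SSLEV(ENABLED) +
           SSLRKEYC(1048576)

* 3. Sender channel: an encrypting CipherSpec (must match on the
*    partner's receiver channel) and SSLPEER restricting the partner
*    to one certificate distinguished name.
DEFINE CHANNEL(TO.QM2) CHLTYPE(SDR) TRPTYPE(TCP) +
       CONNAME('qm2.example.com(1414)') XMITQ(QM2) +
       SSLCIPH(TLS_RSA_WITH_AES_128_CBC_SHA) +
       SSLPEER('CN=QM2, O=Example Corp, C=GB')

* 4. Server-connection channel: additionally require and validate the
*    client's certificate (SSLCAUTH(REQUIRED) rather than OPTIONAL)
*    and accept only certificates from the assumed organisation.
DEFINE CHANNEL(APP.SVRCONN) CHLTYPE(SVRCONN) TRPTYPE(TCP) +
       SSLCIPH(TLS_RSA_WITH_AES_128_CBC_SHA) +
       SSLCAUTH(REQUIRED) +
       SSLPEER('O=Example Corp, C=GB')

* 5. Check what was set.
DISPLAY AUTHINFO(CRL.LDAP1)
DISPLAY QMGR SSLKEYR SSLCRLNL SSLFIPS SSLEV SSLRKEYC
DISPLAY CHANNEL(TO.QM2) SSLCIPH SSLPEER
DISPLAY CHANNEL(APP.SVRCONN) SSLCIPH SSLCAUTH SSLPEER
```

Feed the script to runmqsc for the queue manager (for example runmqsc QM1 < ssl.mqsc); an SSL handshake failure on either channel then shows up as an SSL event message because SSLEV is enabled.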
This book describes the setmqaut, dspmqaut, dmpmqaut, rcrmqobj, rcdmqimg, and dspmqfls commands
that support the authentication information object. It also describes the amqtcert command for migrating certificates on Windows systems, and
the IKEYCMD command for managing certificates on UNIX systems. See the following
sections:
- For an overview of channel security using SSL, see WebSphere MQ Security.
- For details of MQSC commands associated with SSL, see the WebSphere MQ Script (MQSC) Command Reference.
- For details of PCF commands associated with SSL, see WebSphere MQ Programmable Command Formats and Administration Interface.