IBM Support

How to configure DataPower dynamic MQ URL to use MQ SSL channel

Technote (FAQ)

This document applies only to the following language version(s):



How to configure DataPower dynamic MQ URL to use MQ qmgr secure channel in mutual authentication mode?


The dynamic MQ URL does not have any configuration parameter to use MQ secure channel in mutual authentication mode. This has to be configured in a custom stylesheet using key database and its associated cipher specs.


In order to configure dynamic MQ URL (URL starting with mq://) with MQ secure channel in mutual authentication mode, the following steps are necessary:

(1) Configure DataPower's static MQ URL (URL starting with dpmq://) that uses "key" database and its associated password file with MQ secure channel in mutual authentication mode. See link for further details:

(2) The dynamic MQ URL uses "MQCD" and "MQSCO" headers to provide SSL MQ connection. Refer to the link on "MQCD" and "MQSCO" headers for details:

For MQSCO Headers, refer to :

For MQCD Headers, refer to:

The MQSCO structure in conjunction with the SSL fields in the MQCD structure allows an application running as a WebSphere® MQ client to specify configuration options that control the use of SSL for the client connection when the channel protocol is TCP/IP.

Version-8 channel definition structure.
The field has this value on WebSphere MQ Version 6.0 on all platforms.

Version-9 channel definition structure.
The field has this value on WebSphere MQ Version 7.0 on all platforms.

(3) Injecting MQCD structure with custom stylesheet:

<xsl:variable name="MQCDStr">
<xsl:variable name="mqcdStr">
<dp:serialize select="$MQCDStr" omit-xml-decl="yes"/>
<!-- for request rule -->
<dp:set-request-header name="'MQCD'" value="$mqcdStr"/>
<!-- for response rule -->
<!-- <dp:set-response-header name="'MQCD'" value="$mqcdStr"/> -->

(4) Injecting MQSCO structure with custom stylesheet:

<xsl:variable name="MQSCOStr">
<xsl:variable name="mqscoStr">
<dp:serialize select="$MQSCOStr" omit-xml-decl="yes"/>
<!-- for request rule -->
<dp:set-request-header name="'MQSCO'" value="$mqscoStr"/>
<!-- for response rule -->
<!-- <dp:set-response-header name="'MQSCO'" value="$mqscoStr"/> -->

(5) Set the DataPower Routing variable with the Dynamic URL for the request rule:
<dp:set-variable name="'var://service/routing-url'" value="<dynamic MQ URL>"/>
For the response rule, the MQCD and MQSCO headers should be injected using the transform action and the result action with dynamic MQ URL can be configured in the destination box to route the message to the client.

Here is the syntax of dynamic MQ URL:

Refer to the DataPower documentation for further details:

Note the "KeyRepository" header field as defined in step 4. It must contain the name of the "key" database along with the directory where the file is stored. The MQCD.SSLCipherSpec field defined in step 3 must match the cipher string that is being configured in the MQ queue manager channel.

Document information

More support for: WebSphere DataPower Integration Appliance XI50

Software version: 3.8, 3.8.1, 3.8.2, 4.0, 4.0.1, 4.0.2

Operating system(s): Firmware

Reference #: 1576361

Modified date: 29 December 2011