Connecting two queue managers using SSL or TLS

Secure communications that use the SSL or TLS cryptographic security protocols involve setting up the communication channels and managing the digital certificates that you will use for authentication.

To set up your SSL or TLS installation you must define your channels to use SSL or TLS. You must also obtain and manage your digital certificates. On a test system, you can use self-signed certificates or certificates issued by a local certificate authority (CA). On a production system, do not use self-signed certificates. For more information, see ..//zs14140_.html.

For full information about creating and managing certificates, see Working with SSL or TLS on UNIX, Linux, and Windows systems.

This collection of topics introduces the tasks involved in setting up SSL communications, and provides step-by-step guidance on completing those tasks.

You might also want to test SSL or TLS client authentication, which is an optional part of the protocols. During the SSL or TLS handshake, the SSL or TLS client always obtains and validates a digital certificate from the server. With the WebSphere MQ implementation, the SSL or TLS server always requests a certificate from the client.
Notes:
  1. In this context, an SSL client refers to the connection initiating the handshake.
  2. See the Glossary for further details.

On UNIX, Linux and Windows systems, the SSL or TLS client sends a certificate only if it has one labeled in the correct WebSphere MQ format, which is ibmwebspheremq followed by the name of your queue manager changed to lowercase. For example, for QM1, ibmwebspheremqqm1.

WebSphere MQ uses the ibmwebspheremq prefix on a label to avoid confusion with certificates for other products. Ensure that you specify the entire certificate label in lowercase.

The SSL or TLS server always validates the client certificate if one is sent. If the client does not send a certificate, authentication fails only if the end of the channel that is acting as the SSL or TLS server is defined with either the SSLCAUTH parameter set to REQUIRED or an SSLPEER parameter value set. For more information about connecting a queue manager anonymously, that is, when the SSL or TLS client does not send a certificate, see Connecting two queue managers using one-way authentication.
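The two rules above (the client only sends a certificate stored under the exact lowercase ibmwebspheremq label, and the server rejects an anonymous client only when SSLCAUTH is REQUIRED or SSLPEER is set) are easy to get wrong when checking a configuration. The following is an added model of those rules, not WebSphere MQ code; the `ServerChannel` class, the `handshake` function and the sample key-store labels are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Iterable, Optional

PREFIX = "ibmwebspheremq"  # fixed label prefix used by WebSphere MQ


def expected_label(queue_manager: str) -> str:
    """Label the client looks for on UNIX, Linux and Windows:
    the prefix followed by the queue manager name in lowercase."""
    return PREFIX + queue_manager.lower()


def client_certificate_sent(queue_manager: str, store_labels: Iterable[str]) -> bool:
    """The client sends a certificate only if the key store holds one
    under exactly the expected label (case matters)."""
    return expected_label(queue_manager) in set(store_labels)


@dataclass
class ServerChannel:
    """Hypothetical view of the SSL/TLS server end of a channel."""
    sslcauth: str = "REQUIRED"      # REQUIRED or OPTIONAL
    sslpeer: Optional[str] = None   # DN filter, or None when not set


def server_accepts(chan: ServerChannel, cert_sent: bool, cert_valid: bool) -> bool:
    """A sent certificate is always validated; a missing certificate fails
    only when SSLCAUTH(REQUIRED) or an SSLPEER value is in force."""
    if cert_sent:
        return cert_valid
    return chan.sslcauth.upper() != "REQUIRED" and chan.sslpeer is None


def handshake(queue_manager: str, store_labels: Iterable[str],
              chan: ServerChannel, cert_valid: bool = True) -> bool:
    """Combine both rules for one client connecting to a server channel."""
    return server_accepts(chan, client_certificate_sent(queue_manager, store_labels), cert_valid)


if __name__ == "__main__":
    # Constructed key store: the label was typed with the queue manager name
    # in its original case, so the client will not find it and sends nothing.
    store = ["ibmwebspheremqQM1"]
    print("expected label:", expected_label("QM1"))
    print("REQUIRED, wrong-case label:", handshake("QM1", store, ServerChannel()))
    print("OPTIONAL, no SSLPEER     :", handshake("QM1", store, ServerChannel(sslcauth="OPTIONAL")))
    print("REQUIRED, correct label  :", handshake("QM1", ["ibmwebspheremqqm1"], ServerChannel()))
```

Running the script shows the first connection failing and the second succeeding, which is the anonymous case covered in Connecting two queue managers using one-way authentication.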