Resetting SSL and TLS secret keys
IBM® WebSphere® MQ supports the resetting of secret keys on queue managers and clients.
Secret keys are reset when a specified number of encrypted bytes of data have flowed across the channel, or after the channel has been idle for a period.
The key reset value is always set by the initiating side of the MQ channel.
Queue manager
For a queue manager, use the command ALTER QMGR with the parameter SSLRKEYC to set the values used during key renegotiation.
MQI client
For an MQI client, set the key reset count in one of the following ways:
- By using the KeyResetCount field in the MQSCO structure on an MQCONNX call
- By using the environment variable MQSSLRESET
- By setting the SSLKeyResetCount attribute in the MQI client configuration file
If a value greater than zero is specified and channel heartbeats are enabled for the channel, the secret key is also renegotiated before message data is sent or received following a channel heartbeat.
The count of bytes until the next secret key renegotiation is reset after each successful renegotiation.
For full details of the MQSCO structure, see KeyResetCount (MQLONG). For full details of MQSSLRESET, see MQSSLRESET. For more information about the use of SSL or TLS in the client configuration file, see SSL stanza of the client configuration file.
Java
For the WebSphere MQ classes for Java, set the key reset count in one of the following ways:
- By setting the sslResetCount field in the MQEnvironment class.
- By setting the environment property MQC.SSL_RESET_COUNT_PROPERTY in a Hashtable object. The application then assigns the hashtable to the properties field in the MQEnvironment class, or passes the hashtable to an MQQueueManager object on its constructor.
The value of the sslResetCount field or environment property MQC.SSL_RESET_COUNT_PROPERTY represents the total number of bytes sent and received by the WebSphere MQ classes for Java client code before the secret key is renegotiated. The number of bytes sent is the number before encryption, and the number of bytes received is the number after decryption. The number of bytes also includes control information sent and received by the WebSphere MQ classes for Java client.
If the reset count is zero, which is the default value, the secret key is never renegotiated. The reset count is ignored if no CipherSuite is specified.
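The following is an added example, not code from the IBM documentation, showing the Hashtable approach described above: the reset count and a CipherSuite are set together, because the reset count is ignored without one. The host name, port, channel name, cipher suite and queue manager name are assumed values.

```java
import java.util.Hashtable;
import com.ibm.mq.MQC;
import com.ibm.mq.MQException;
import com.ibm.mq.MQQueueManager;

/** Connects a WebSphere MQ classes for Java client with secret-key renegotiation enabled. */
public class SslResetExample {

    /** Builds the connection properties; host, port, channel and cipher suite are assumed values. */
    static Hashtable<String, Object> buildProperties(String host, int port, String channel,
                                                     String cipherSuite, int resetCountBytes) {
        Hashtable<String, Object> props = new Hashtable<>();
        props.put(MQC.TRANSPORT_PROPERTY, MQC.TRANSPORT_MQSERIES_CLIENT);
        props.put(MQC.HOST_NAME_PROPERTY, host);
        props.put(MQC.PORT_PROPERTY, Integer.valueOf(port));
        props.put(MQC.CHANNEL_PROPERTY, channel);
        // The reset count is ignored unless a CipherSuite is specified, so always set both.
        props.put(MQC.SSL_CIPHER_SUITE_PROPERTY, cipherSuite);
        // Total bytes (plaintext sent + decrypted received, including MQ control data)
        // exchanged before the secret key is renegotiated; zero (the default) means never.
        props.put(MQC.SSL_RESET_COUNT_PROPERTY, Integer.valueOf(resetCountBytes));
        return props;
    }

    public static void main(String[] args) {
        // 4194304 bytes (4 MB) matches the value used in the JMS example on this page.
        Hashtable<String, Object> props = buildProperties("mqhost.example.com", 1414,
                "SYSTEM.SSL.SVRCONN", "TLS_RSA_WITH_AES_128_CBC_SHA256", 4194304);
        // Alternative to the property: the static fields on MQEnvironment apply to every
        // connection made afterwards, e.g. MQEnvironment.sslResetCount = 4194304;
        try {
            MQQueueManager qmgr = new MQQueueManager("QM1", props);
            System.out.println("Connected; secret key renegotiates every "
                    + props.get(MQC.SSL_RESET_COUNT_PROPERTY) + " bytes");
            qmgr.disconnect();
        } catch (MQException e) {
            System.err.println("Connect failed: CC=" + e.completionCode + " RC=" + e.reasonCode);
        }
    }
}
```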
JMS
For JMS, set the SSLRESETCOUNT property on the connection factory, for example:
ALTER CF(my.cf) SSLRESETCOUNT(4194304)
If the value of SSLRESETCOUNT is zero, which is the default value, the secret key is never renegotiated. The SSLRESETCOUNT property is ignored if SSLCIPHERSUITE is not set.
.NET
For .NET unmanaged clients, the integer property SSLKeyResetCount indicates the number of unencrypted bytes sent and received within an SSL or TLS conversation before the secret key is renegotiated.
For information about the use of object properties in IBM WebSphere MQ classes for .NET, see Getting and setting attribute values.
XMS .NET
For XMS .NET unmanaged clients, see Secure connections to an IBM WebSphere MQ queue manager.