The SSL/TLS sample program

AMQSSLC is a sample C program that demonstrates how to use the MQCNO and MQSCO structures to supply SSL/TLS client connection information on the MQCONNX call. This enables a client MQI application to provide the definition of its client connection channel and SSL/TLS settings at run time without a client channel definition table (CCDT).

If a connection name is supplied, the program constructs a client connection channel definition in an MQCD structure.

If the stem name of the key repository file is supplied, the program constructs an MQSCO structure; if an OCSP responder URL is also supplied, the program constructs an authentication information record MQAIR structure.

The program then connects to the queue manager using MQCONNX. It inquires and prints out the name of the queue manager to which it connected.

This program is intended to be linked as an MQI client application. However, it can also be linked as a regular MQI application, in which case it simply connects to a local queue manager and ignores the client connection information.

AMQSSLC accepts the following parameters, all of which are optional:
-m QmgrName
Name of the queue manager to connect to
-c ChannelName
Name of the channel to use
-x ConnName
Server connection name
SSL/TLS parameters:
-k KeyReposStem
The stem name of the key repository file. This is the full path to the file without the .kdb suffix. For example:

/home/user/client
C:\User\client
-s CipherSpec
The SSL/TLS channel CipherSpec string corresponding to the SSLCIPH on the SVRCONN channel definition on the queue manager.
-f
Specifies that only FIPS 140-2 certified algorithms must be used.
-b VALUE1[,VALUE2...]
Specifies that only Suite B compliant algorithms must be used. This parameter is a comma-separated list of one or more of the following values: NONE,128_BIT,192_BIT. These values have the same meaning as those for the MQSUITEB environment variable, and the equivalent EncryptionPolicySuiteB setting in the client configuration file SSL stanza.
-p Policy
Specifies the certificate validation policy to be used. This can be one of the following values:
ANY
Apply each of the certificate validation policies supported by the secure sockets library and accept the certificate chain if any of the policies considers the certificate chain valid. This setting can be used for maximum backwards compatibility with older digital certificates which do not comply with the modern certificate standards.
RFC5280
Apply only the RFC 5280 compliant certificate validation policy. This setting provides stricter validation than the ANY setting, but rejects some older digital certificates.
The default value is ANY.
OCSP certificate revocation parameter:
-o URL
The OCSP Responder URL
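
The option rules above can be checked before the sample is run. The following wrapper is an added example, not part of AMQSSLC or the IBM samples; the function name run_amqsslc and the AMQSSLC environment variable are hypothetical, and requesting RFC5280 when -k is given without -p is this wrapper's own choice.

```shell
#!/bin/sh
# Added example: pre-flight checks for the AMQSSLC options documented above.
# AMQSSLC (environment variable) is a hypothetical override for the path of
# the sample binary; it defaults to "amqsslc" found on PATH.
run_amqsslc() {
    OPTIND=1
    stem='' policy='' ocsp=''
    while getopts "m:c:x:k:s:fb:p:o:" opt; do
        case $opt in
            k) stem=$OPTARG
               case $stem in
                   *.kdb) echo "-k takes the stem, without .kdb" >&2; return 2 ;;
               esac
               [ -r "$stem.kdb" ] || { echo "cannot read $stem.kdb" >&2; return 2; } ;;
            p) policy=$OPTARG
               case $policy in
                   ANY|RFC5280) ;;
                   *) echo "-p must be ANY or RFC5280" >&2; return 2 ;;
               esac ;;
            b) # every comma-separated value must be one the page lists
               rest=$OPTARG,
               while [ -n "$rest" ]; do
                   v=${rest%%,*}; rest=${rest#*,}
                   case $v in
                       NONE|128_BIT|192_BIT) ;;
                       *) echo "bad Suite B value: '$v'" >&2; return 2 ;;
                   esac
               done ;;
            o) ocsp=$OPTARG ;;
            m|c|x|s|f) ;;              # passed through unchanged
            *) return 2 ;;             # getopts has already printed the error
        esac
    done
    # As the page describes it, the MQAIR record is built when -o accompanies -k.
    if [ -n "$ocsp" ] && [ -z "$stem" ]; then
        echo "-o requires -k" >&2; return 2
    fi
    # Wrapper policy (an assumption, not AMQSSLC behaviour): with a key
    # repository and no -p, request RFC5280 instead of the default ANY.
    if [ -n "$stem" ] && [ -z "$policy" ]; then
        set -- "$@" -p RFC5280
    fi
    "${AMQSSLC:-amqsslc}" "$@"
}
```

Pass -p ANY explicitly when older certificates that fail RFC 5280 validation must still be accepted.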