Configuring SSL for managed IBM MQ .NET

Configuring SSL for managed IBM® MQ .NET consists of creating the signer certificates, then configuring the server side, the client side, and the application program.

About this task

To configure SSL, you must first create the appropriate signer certificates. Signer certificates can be either self signed or certificates provided by a certificate authority. Although self-signed certificates can be used on a development, test or pre-production system, do not use them on a production system. On a production system, use certificates that you have obtained from a trusted external certificate authority (CA).

Procedure

  1. Create the signer certificates.
    1. To create self-signed certificates, use one of the tools provided with IBM MQ:
      Use either the iKeyman GUI, or iKeycmd or runmqakm from the command line. For more information on using these tools, see Using iKeyman, iKeycmd, runmqakm, and runmqckm.
    2. To obtain certificates for the queue manager and clients from a certificate authority (CA), follow the instructions in Obtaining personal certificates from a certificate authority.
  2. Configure the server side.
    1. Configure SSL on the queue manager, using GSKit, as described in Connecting a client to a queue manager securely.
    2. Set the SVRCONN channel SSL attributes:
      • Set SSLCAUTH to REQUIRED or OPTIONAL.
      • Set SSLCIPH to an appropriate CipherSpec.
      For more information, see Enabling SSL for the unmanaged .NET client.
  3. Configure the client side.
    1. Import the client certificates into the Windows certificate store (under the User/Computer account).
      IBM MQ .NET accesses client certificates from the Windows certificate store, therefore you must import your certificates into the Windows certificate store to establish a secure socket connection to IBM MQ. For more information about how to access the Windows key store and import the client side certificates, see Import or export certificates and private keys.
    2. Supply the CertificateLabel as described in Connecting a client to a queue manager securely.
    3. If needed, edit the Windows Group Policy to set the CipherSpec, then, for the Windows Group Policy updates to take effect, restart the computer.
  4. Configure the application program.
    1. Set the SSLCipherSpec value (on MQEnvironment or in the connection properties) to denote the connection as a secured connection.
      The value that you specify identifies the SSL protocol being used (SSL or TLS) and must match any preference that you have specified in the Windows Group Policy.
    2. Set the SSLKeyRepository property to either "*SYSTEM" or "*USER".
    3. Optional: Set SSLPEERNAME to the distinguished name (DN) of the server certificate.
    4. Supply the CertificateLabel as described in Connecting a client to a queue manager securely.
    5. Set any further optional parameters that you require such as KeyResetCount, CertificationRevocationCheck, and enable FIPS.

Examples of how to set the SSL protocol and SSL key repository

For Base .NET, you can set the SSL protocol and SSL key repository through the MQEnvironment class as shown in the following example:

MQEnvironment.SSLCipherSpec = "TLS_RSA_WITH_AES_128_CBC_SHA256";   // must match the SVRCONN channel's SSLCIPH
MQEnvironment.SSLKeyRepository = "*USER";                           // or "*SYSTEM" for the computer certificate store

// Equivalent: set the CipherSpec through the MQEnvironment properties hashtable
MQEnvironment.properties.Add(MQC.SSL_CIPHER_SPEC_PROPERTY, "TLS_RSA_WITH_AES_128_CBC_SHA256");

Alternatively, you can set the SSL protocol and SSL key repository by supplying a hashtable as part of the MQQueueManager constructor as shown in the following example.

Hashtable properties = new Hashtable();
string sslKeyRepository = "*USER";   // or "*SYSTEM"
properties.Add(MQC.SSL_CERT_STORE_PROPERTY, sslKeyRepository);
properties.Add(MQC.SSL_CIPHER_SPEC_PROPERTY, "TLS_RSA_WITH_AES_128_CBC_SHA256");
// Pass the hashtable to the MQQueueManager constructor (queue manager name is a placeholder)
MQQueueManager queueManager = new MQQueueManager("QMGR_NAME", properties);
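The following complete managed client is an added example, not code from the IBM MQ documentation: it carries procedure step 4 (CipherSpec, key repository, SSLPEERNAME, CertificateLabel, KeyResetCount) through the hashtable form of the MQQueueManager constructor and reports the MQ reason code when the TLS handshake fails. The host, port, channel, queue manager, queue, certificate label and distinguished name are placeholders, and the MQC property constants beyond SSL_CIPHER_SPEC_PROPERTY and SSL_CERT_STORE_PROPERTY are taken from the IBM MQ .NET API rather than from this page.

```csharp
using System;
using System.Collections;
using IBM.WMQ;

// Added example, not from the IBM MQ documentation: a managed .NET client that applies
// procedure step 4 through the MQQueueManager hashtable constructor. Host, port, channel,
// queue manager, queue, certificate label and DN are placeholders.
class ManagedTlsClient
{
    static int Main()
    {
        Hashtable props = new Hashtable();
        props.Add(MQC.TRANSPORT_PROPERTY, MQC.TRANSPORT_MQSERIES_MANAGED); // managed client
        props.Add(MQC.HOST_NAME_PROPERTY, "mq.example.internal");
        props.Add(MQC.PORT_PROPERTY, 1414);
        props.Add(MQC.CHANNEL_PROPERTY, "TLS.SVRCONN"); // SVRCONN whose SSLCIPH was set in step 2
        // Steps 4.1 and 4.2: CipherSpec must equal the channel's SSLCIPH; *USER reads the
        // current user's Windows certificate store, *SYSTEM the computer store (step 3.1).
        props.Add(MQC.SSL_CIPHER_SPEC_PROPERTY, "TLS_RSA_WITH_AES_128_CBC_SHA256");
        props.Add(MQC.SSL_CERT_STORE_PROPERTY, "*USER");
        // Step 4.3: pin the queue manager certificate's DN, so a certificate that chains to a
        // trusted CA but was issued to another system is rejected (MQRC_SSL_PEER_NAME_MISMATCH).
        props.Add(MQC.SSL_PEER_NAME_PROPERTY, "CN=QMGR_NAME,O=Example Corp,C=US");
        // Step 4.4: label of the client certificate in the store, required for SSLCAUTH(REQUIRED).
        props.Add(MQC.CERT_LABEL_PROPERTY, "mqclientcert");
        // Step 4.5: renegotiate the session key after this many bytes (KeyResetCount).
        props.Add(MQC.SSL_RESET_COUNT_PROPERTY, 1000000);
        MQQueueManager qmgr = null;
        try
        {
            qmgr = new MQQueueManager("QMGR_NAME", props); // TLS handshake happens here
            MQQueue queue = qmgr.AccessQueue("APP.REQUEST", MQC.MQOO_OUTPUT | MQC.MQOO_FAIL_IF_QUIESCING);
            MQMessage msg = new MQMessage();
            msg.WriteString("hello over TLS");
            queue.Put(msg);
            queue.Close();
            return 0;
        }
        catch (MQException ex)
        {
            // e.g. 2393 MQRC_SSL_INITIALIZATION_ERROR (store/label problem), 2398 MQRC_SSL_PEER_NAME_MISMATCH
            Console.Error.WriteLine("MQ connect failed: reason {0} ({1})", ex.ReasonCode, ex.Message);
            return 1;
        }
        finally
        {
            if (qmgr != null && qmgr.IsConnected) qmgr.Disconnect();
        }
    }
}
```

Run it against a queue manager whose SVRCONN channel has SSLCIPH set to the same CipherSpec; a mismatch between the pinned DN and the certificate the queue manager presents surfaces as the MQRC_SSL_PEER_NAME_MISMATCH reason code rather than a silent connection.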

What to do next

For more information about getting started with developing IBM MQ .NET managed SSL applications, see Writing a simple application.