Connecting a client to a queue manager anonymously

Follow these sample instructions to modify a system with mutual authentication to allow a queue manager to connect anonymously to another.

About this task

Scenario:

Your queue manager and client (QM1 and C1) have been set up as in Using CA-signed certificates for mutual authentication of a client and queue manager.
You want to change C1 so that it connects anonymously to QM1.

The resulting configuration looks like this:

The client C1 is linked to queue manager QM1 by the channel C1.TO.QM1, which has the attribute SSLCAUTH(optional). The client and queue manager each have a key repository, described in the following text. — Figure 1. Client and queue manager allowing anonymous connection

Procedure

Remove the personal certificate from the key repository for C1, according to operating system:
- IBM® i systems.
- UNIX, Linux®, and Windows systems.
The certificate label is either ibmwebspheremq followed by your logon user ID in lowercase, or the value of the CERTLABL attribute. See Digital certificate labels.
Restart the client application, or cause the client application to close and reopen all SSL or TLS connections.
Allow anonymous connections on the queue manager, by issuing the following command:
```
ALTER CHANNEL(C1.TO.QM1) CHLTYPE(SVRCONN) SSLCAUTH(OPTIONAL)
```

Results

Key repositories and channels are changed as illustrated in Figure 1

What to do next

At the server end of the channel, the presence of the peer name parameter value on the channel status display indicates that a client certificate has flowed.

Verify that the task has been completed successfully by issuing some DISPLAY commands. If the task was successful, the resulting output is similar to that shown in the following example:

From queue manager QM1, enter the following command:


DISPLAY CHSTATUS(C1.TO.QM1) SSLPEER SSLCERTI

The resulting output will be similar to the following example:


DISPLAY CHSTATUS(C1.TO.QM1) SSLPEER SSLCERTI
     5 : DISPLAY CHSTATUS(C1.TO.QM1) SSLPEER SSLCERTI
AMQ8417: Display Channel Status details.
   CHANNEL(C1.TO.QM1)                      CHLTYPE(SVRCONN)
   CONNAME(9.20.35.92)                     CURRENT
   SSLCERTI( )                             SSLPEER( )
   STATUS(RUNNING)                         SUBSTATE(RECEIVE)

The SSLCERTI and SSLPEER fields are empty, showing that C1 did not send a certificate.