Telemetry channel configuration for MQTT client authentication using SSL

The IBM® WebSphere® MQ administrator configures telemetry channels at the server. Each channel is configured to accept TCP/IP connections on a different port number. SSL channels are configured with passphrase-protected access to key files. If an SSL channel is defined without a passphrase or key file, the channel does not accept SSL connections.

Set the property com.ibm.mq.MQTT.ClientAuth of an SSL telemetry channel to REQUIRED to force every client connecting on that channel to prove that it holds a verifiable digital certificate. Client certificates are authenticated through certificates from certificate authorities, leading to a trusted root certificate. If the client certificate is self-signed, or is signed by a certificate from a certificate authority, the public certificate of the client, or of the certificate authority, must be stored securely at the server.

Place the public client certificate, or the certificate of the certificate authority, in the telemetry channel keystore. At the server, trusted public certificates are stored in the same key file as the server's own private keys and certificates, rather than in a separate truststore.

The server verifies the signature of any client certificate it is sent, using all the public certificates and cipher suites it has, and it verifies the whole certificate chain. The queue manager can be configured to check the certificate against a certificate revocation list; the queue manager property that names the revocation namelist is SSLCRLNL.

If any of the certificates a client sends is verified by a certificate in the server keystore, then the client is authenticated.

The WebSphere MQ administrator can configure the same telemetry channel to use JAAS as well, checking the UserName or ClientIdentifier of the client together with the client Password.

You can use the same keystore for multiple telemetry channels.

Verification of at least one digital certificate from the password-protected client keystore on the device authenticates the client to the server. WebSphere MQ uses the digital certificate only for authentication. It is not used to verify the TCP/IP address of the client, or to set the identity of the client for authorization or accounting. The identity that the server adopts for the client is either the UserName or ClientIdentifier of the client, or an identity created by the WebSphere MQ administrator.
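The server-side policy described above (a client certificate is required, its chain is verified, revocation can be checked, and the session identity comes from the client's UserName or ClientIdentifier or from an administrator-assigned identity rather than from the certificate) is shown here as an added example using Python's standard ssl module. It is not WebSphere MQ code or configuration: the MQ property com.ibm.mq.MQTT.ClientAuth=REQUIRED corresponds to CERT_REQUIRED in the context below, and the SSLCRLNL namelist corresponds to CRL files loaded into the context. The file paths, the precedence used in choose_identity and the cipher policy string are the example's own assumptions.

```python
import ssl

# Cipher-string policy for the server side of the channel (an assumption for
# this example). The exclusions are OpenSSL aliases: aNULL is anonymous key
# exchange (nobody is authenticated, so client authentication is impossible),
# eNULL is no encryption, then MD5 MACs, RC4 and 3DES.
SERVER_CIPHER_POLICY = "HIGH:!aNULL:!eNULL:!MD5:!RC4:!3DES"

# Fragments of OpenSSL suite names that must not be negotiable on the channel.
FORBIDDEN_NAME_FRAGMENTS = ("NULL", "ADH", "AECDH", "RC4", "MD5", "DES-CBC3")


def make_client_auth_server_context(certfile=None, keyfile=None, cafile=None, crlfile=None):
    """Build a server-side TLS context that behaves like an SSL telemetry
    channel with client authentication REQUIRED and CRL checking enabled.

    All file paths are hypothetical. When they are omitted the context is
    still built so its policy can be inspected, but no handshake could succeed.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    # REQUIRED: a client that presents no certificate, or one that does not
    # chain to a certificate in the trust store, is rejected in the handshake.
    ctx.verify_mode = ssl.CERT_REQUIRED
    # Check every certificate in the presented chain against the loaded CRLs.
    ctx.verify_flags |= ssl.VERIFY_CRL_CHECK_CHAIN
    ctx.set_ciphers(SERVER_CIPHER_POLICY)
    if certfile:
        ctx.load_cert_chain(certfile, keyfile)  # the server's own identity
    if cafile:
        # Trusted CA certificates, or self-signed client certificates.
        ctx.load_verify_locations(cafile=cafile)
    if crlfile:
        # PEM-encoded CRLs are loaded through the same call.
        ctx.load_verify_locations(cafile=crlfile)
    return ctx


def negotiable_suites(ctx):
    """OpenSSL names of every suite the context would accept."""
    return [c["name"] for c in ctx.get_ciphers()]


def requires_client_certificate(ctx):
    return ctx.verify_mode == ssl.CERT_REQUIRED


def policy_violations(ctx):
    """Problems found with the context's policy; an empty list means it passes."""
    problems = []
    if not requires_client_certificate(ctx):
        problems.append("client certificate not required")
    if not ctx.verify_flags & ssl.VERIFY_CRL_CHECK_CHAIN:
        problems.append("CRL checking disabled")
    for name in negotiable_suites(ctx):
        if any(frag in name for frag in FORBIDDEN_NAME_FRAGMENTS):
            problems.append("weak suite negotiable: " + name)
    return problems


def choose_identity(username, client_identifier, administrator_identity=None):
    """Pick the identity the server adopts for the session.

    The precedence (administrator-assigned identity, then UserName, then
    ClientIdentifier) is an assumption of this example. The verified client
    certificate is deliberately not an input: it proves possession of a
    trusted key but is not used for authorization or accounting.
    """
    if administrator_identity:
        return administrator_identity
    if username:
        return username
    return client_identifier


if __name__ == "__main__":
    ctx = make_client_auth_server_context()
    print("policy violations:", policy_violations(ctx))
    print("session identity:", choose_identity("sensor42", "device-0001"))
```

One caveat worth knowing before copying the CRL setting: with VERIFY_CRL_CHECK_CHAIN set, OpenSSL fails verification of any chain for which it has no CRL, so a current CRL must be loaded for every issuer that appears in client chains, not only for the root. The policy check also matters because a keystore full of good certificates proves nothing if an anonymous suite (the SSL_DH_anon entries in the list that follows) can still be negotiated, since those suites authenticate neither side.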

You can also use SSL cipher suites for client authentication. Here is an alphabetical list of the SSL cipher suites that are currently supported:
  • SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA
  • SSL_DH_anon_EXPORT_WITH_RC4_40_MD5
  • SSL_DH_anon_WITH_3DES_EDE_CBC_SHA
  • SSL_DH_anon_WITH_AES_128_CBC_SHA
  • SSL_DH_anon_WITH_DES_CBC_SHA
  • SSL_DH_anon_WITH_RC4_128_MD5
  • SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA
  • SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA
  • SSL_DHE_DSS_WITH_AES_128_CBC_SHA
  • SSL_DHE_DSS_WITH_DES_CBC_SHA
  • SSL_DHE_DSS_WITH_RC4_128_SHA
  • SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
  • SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA
  • SSL_DHE_RSA_WITH_AES_128_CBC_SHA
  • SSL_DHE_RSA_WITH_DES_CBC_SHA
  • SSL_KRB5_EXPORT_WITH_DES_CBC_40_MD5
  • SSL_KRB5_EXPORT_WITH_DES_CBC_40_SHA
  • SSL_KRB5_EXPORT_WITH_RC4_40_MD5
  • SSL_KRB5_EXPORT_WITH_RC4_40_SHA
  • SSL_KRB5_WITH_3DES_EDE_CBC_MD5
  • SSL_KRB5_WITH_3DES_EDE_CBC_SHA
  • SSL_KRB5_WITH_DES_CBC_MD5
  • SSL_KRB5_WITH_DES_CBC_SHA
  • SSL_KRB5_WITH_RC4_128_MD5
  • SSL_KRB5_WITH_RC4_128_SHA
  • SSL_RSA_EXPORT_WITH_DES40_CBC_SHA
  • SSL_RSA_EXPORT_WITH_RC4_40_MD5
  • SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA
  • SSL_RSA_FIPS_WITH_AES_128_CBC_SHA256 (from V7.5.0.2, Jul 2013)
  • SSL_RSA_FIPS_WITH_AES_256_CBC_SHA256 (from V7.5.0.2, Jul 2013)
  • SSL_RSA_FIPS_WITH_DES_CBC_SHA
  • SSL_RSA_WITH_3DES_EDE_CBC_SHA
  • SSL_RSA_WITH_AES_128_CBC_SHA
  • SSL_RSA_WITH_AES_128_CBC_SHA256 (from V7.5.0.2, Jul 2013)
  • SSL_RSA_WITH_AES_256_CBC_SHA256 (from V7.5.0.2, Jul 2013)
  • SSL_RSA_WITH_DES_CBC_SHA
  • SSL_RSA_WITH_NULL_MD5
  • SSL_RSA_WITH_NULL_SHA
  • SSL_RSA_WITH_NULL_SHA256 (from V7.5.0.2, Jul 2013)
  • SSL_RSA_WITH_RC4_128_MD5
  • SSL_RSA_WITH_RC4_128_SHA
From V7.5.0.2 (Jul 2013): if you plan to use SHA-2 cipher suites, see System requirements for using SHA-2 cipher suites with MQTT channels.
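To make explicit what the suite names in the list above encode, here is an added example (not from this page or from the product) that parses each name into its key exchange and authentication part, bulk cipher and MAC, and flags the classes a practitioner would keep off a channel that is meant to authenticate clients by certificate: anonymous, export-grade, NULL, DES and 3DES, RC4, and MD5. The classification rules are the example's own assumptions rather than a product policy; the list of names is copied from the list above.

```python
# Suite names copied from the list above (IANA-style SSL_ names).
PAGE_CIPHER_SUITES = """
SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA SSL_DH_anon_EXPORT_WITH_RC4_40_MD5
SSL_DH_anon_WITH_3DES_EDE_CBC_SHA SSL_DH_anon_WITH_AES_128_CBC_SHA
SSL_DH_anon_WITH_DES_CBC_SHA SSL_DH_anon_WITH_RC4_128_MD5
SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA
SSL_DHE_DSS_WITH_AES_128_CBC_SHA SSL_DHE_DSS_WITH_DES_CBC_SHA
SSL_DHE_DSS_WITH_RC4_128_SHA SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA SSL_DHE_RSA_WITH_AES_128_CBC_SHA
SSL_DHE_RSA_WITH_DES_CBC_SHA SSL_KRB5_EXPORT_WITH_DES_CBC_40_MD5
SSL_KRB5_EXPORT_WITH_DES_CBC_40_SHA SSL_KRB5_EXPORT_WITH_RC4_40_MD5
SSL_KRB5_EXPORT_WITH_RC4_40_SHA SSL_KRB5_WITH_3DES_EDE_CBC_MD5
SSL_KRB5_WITH_3DES_EDE_CBC_SHA SSL_KRB5_WITH_DES_CBC_MD5
SSL_KRB5_WITH_DES_CBC_SHA SSL_KRB5_WITH_RC4_128_MD5 SSL_KRB5_WITH_RC4_128_SHA
SSL_RSA_EXPORT_WITH_DES40_CBC_SHA SSL_RSA_EXPORT_WITH_RC4_40_MD5
SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA SSL_RSA_FIPS_WITH_AES_128_CBC_SHA256
SSL_RSA_FIPS_WITH_AES_256_CBC_SHA256 SSL_RSA_FIPS_WITH_DES_CBC_SHA
SSL_RSA_WITH_3DES_EDE_CBC_SHA SSL_RSA_WITH_AES_128_CBC_SHA
SSL_RSA_WITH_AES_128_CBC_SHA256 SSL_RSA_WITH_AES_256_CBC_SHA256
SSL_RSA_WITH_DES_CBC_SHA SSL_RSA_WITH_NULL_MD5 SSL_RSA_WITH_NULL_SHA
SSL_RSA_WITH_NULL_SHA256 SSL_RSA_WITH_RC4_128_MD5 SSL_RSA_WITH_RC4_128_SHA
""".split()


def classify(name):
    """Parse SSL_<kx/auth>_WITH_<cipher>_<mac> and report the suite's weaknesses.

    The weakness rules below are this example's assumptions, not a product policy.
    """
    if not name.startswith("SSL_") or "_WITH_" not in name:
        raise ValueError("not an SSL cipher suite name: " + name)
    kx_auth, bulk = name[len("SSL_"):].split("_WITH_", 1)
    parts = bulk.split("_")
    mac, cipher_parts = parts[-1], parts[:-1]
    weaknesses = []
    if "anon" in kx_auth:
        weaknesses.append("anonymous key exchange: neither peer is authenticated")
    if "EXPORT" in kx_auth or any(p in ("40", "DES40") for p in cipher_parts):
        weaknesses.append("export-grade key length")
    if cipher_parts[0] == "NULL":
        weaknesses.append("NULL cipher: traffic is not encrypted")
    if "RC4" in cipher_parts:
        weaknesses.append("RC4 stream cipher")
    if "3DES" in cipher_parts:
        weaknesses.append("3DES: 64-bit block cipher")
    elif any(p.startswith("DES") for p in cipher_parts):
        weaknesses.append("single DES: 56-bit key")
    if mac == "MD5":
        weaknesses.append("MD5 MAC")
    return {
        "name": name,
        "key_exchange": kx_auth,
        "cipher": "_".join(cipher_parts),
        "mac": mac,
        # Certificate-based client authentication needs a suite that
        # authenticates peers with X.509 certificates: anon suites authenticate
        # nobody, and KRB5 suites authenticate with Kerberos tickets (RFC 2712).
        "certificate_based": "anon" not in kx_auth and not kx_auth.startswith("KRB5"),
        "weaknesses": weaknesses,
    }


def acceptable_suites(names):
    """Suites that are certificate-based and carry no flagged weakness."""
    accepted = []
    for name in names:
        info = classify(name)
        if info["certificate_based"] and not info["weaknesses"]:
            accepted.append(name)
    return accepted


def report(names):
    """One line per suite: verdict, name, and the reasons for rejection."""
    lines = []
    for name in names:
        info = classify(name)
        reasons = list(info["weaknesses"])
        if not info["certificate_based"]:
            reasons.append("no certificate-based peer authentication")
        verdict = "OK   " if not reasons else "AVOID"
        lines.append("%s %-42s %s" % (verdict, name, "; ".join(reasons)))
    return lines


if __name__ == "__main__":
    print("\n".join(report(PAGE_CIPHER_SUITES)))
    print("\nacceptable:", len(acceptable_suites(PAGE_CIPHER_SUITES)), "of", len(PAGE_CIPHER_SUITES))
```

Under these rules only the AES suites with RSA, DHE_RSA or DHE_DSS authentication survive. The two classes that matter most for the subject of this page are the SSL_DH_anon suites, which authenticate neither side (an anonymous server cannot even request a client certificate), and the SSL_RSA_WITH_NULL suites, which authenticate the peers but send everything, including the MQTT Password, in clear text.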