Telemetry channel configuration for MQTT client authentication using SSL
The IBM® WebSphere® MQ administrator configures telemetry channels at the server. Each channel is configured to accept a TCP/IP connection on a different port number. SSL channels are configured with passphrase protected access to key files. If an SSL channel is defined with no passphrase or key file, the channel does not accept SSL connections.
Set the property com.ibm.mq.MQTT.ClientAuth of an SSL telemetry channel to REQUIRED to force every client connecting on that channel to present a digital certificate that the server can verify. A client certificate is authenticated by following its chain of issuing certificates up to a trusted root certificate. Whether the client certificate is self-signed or signed by a certificate authority, the public certificate that anchors that chain (the client's own certificate in the first case, the certificate authority's certificate in the second) must be stored securely at the server.
Place the publicly signed client certificate or the certificate from the certificate authority in the telemetry channel keystore. At the server, publicly signed certificates are stored in the same key file as privately signed certificates, rather than in a separate truststore.
The server verifies the signature of any client certificate it is sent using the public certificates it holds, following the certificate chain from the client certificate to a trusted root. The queue manager can also be configured to check the certificate against a certificate revocation list; the queue manager attribute that names the revocation list is SSLCRLNL.
If any of the certificates a client sends is verified by a certificate in the server keystore, the client is authenticated.
The WebSphere MQ administrator can configure the same telemetry channel to use JAAS to check the UserName or ClientIdentifier of the client against the client Password.
You can use the same keystore for multiple telemetry channels.
Verification of at least one digital certificate from the password-protected client keystore on the device authenticates the client to the server. WebSphere MQ uses the digital certificate only for authentication: it is not used to verify the TCP/IP address of the client, nor to set the identity of the client for authorization or accounting. The identity of the client adopted by the server is either the UserName or ClientIdentifier of the client, or an identity assigned by the WebSphere MQ administrator.
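The trust decision described above, as an added example that is not part of the IBM page or product: the real telemetry channel keystore is a Java keystore managed with keytool, and here a PEM bundle (keystore.pem) stands in for it, but the rule is the same one the text states. The certificate that anchors the client's chain, a certificate authority certificate or the client's own self-signed certificate, has to be in the store, and a chain that ends anywhere else is rejected. The CRL step models what the channel does when the queue manager is configured with a revocation list. It assumes the openssl command-line tool; all names (Telemetry CA, Rogue CA, sensor-01, sensor-02, intruder) are constructed for the example.

```shell
#!/bin/sh
# Added example, not IBM's code: models the telemetry channel's trust decision
# with the OpenSSL CLI. keystore.pem stands in for the channel's Java keystore.
# Names (Telemetry CA, sensor-01, ...) are constructed for the example.
set -eu

WORK=$(mktemp -d)

# Issue a client certificate signed by the named CA.
issue_client() {  # issue_client <client-name> <ca-basename>
    cd "$WORK"
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$1" \
        -keyout "$1.key" -out "$1.csr" 2>/dev/null
    openssl x509 -req -in "$1.csr" -CA "$2.crt" -CAkey "$2.key" -CAcreateserial \
        -days 365 -out "$1.crt" 2>/dev/null
}

# Sample PKI: the in-house CA, a client it signed, a self-signed client, and a
# client signed by an unrelated CA whose certificate the server never stored.
build_pki() {
    cd "$WORK"
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=Telemetry CA" \
        -keyout ca.key -out ca.crt 2>/dev/null
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=Rogue CA" \
        -keyout rogue-ca.key -out rogue-ca.crt 2>/dev/null
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=sensor-02" \
        -keyout sensor-02.key -out sensor-02.crt 2>/dev/null
    issue_client sensor-01 ca
    issue_client intruder rogue-ca
    # The channel keystore: the CA certificate and the self-signed client
    # certificate together in one file, as the text says (no separate truststore).
    cat ca.crt sensor-02.crt > keystore.pem
}

# The server-side check: accept only if the chain ends at something in keystore.pem.
# With a CRL given, also refuse certificates the CA has revoked (the SSLCRLNL case).
server_accepts() {  # server_accepts <cert> [crl]
    cd "$WORK"
    if [ -n "${2:-}" ]; then
        openssl verify -no-CApath -CAfile keystore.pem -crl_check -CRLfile "$2" "$1" \
            >/dev/null 2>&1
    else
        openssl verify -no-CApath -CAfile keystore.pem "$1" >/dev/null 2>&1
    fi
}

# Revoke one client certificate and publish the CA's CRL. openssl ca needs a
# minimal configuration and an index file; both are created here.
revoke_client() {  # revoke_client <client-name>
    cd "$WORK"
    cat > ca.cnf <<'EOF'
[ ca ]
default_ca = telemetry_ca
[ telemetry_ca ]
database = index.txt
crlnumber = crlnumber
certificate = ca.crt
private_key = ca.key
default_md = sha256
default_crl_days = 30
EOF
    [ -f index.txt ] || : > index.txt
    [ -f crlnumber ] || echo 1000 > crlnumber
    openssl ca -config ca.cnf -revoke "$1.crt" 2>/dev/null
    openssl ca -config ca.cnf -gencrl -out ca.crl 2>/dev/null
}

build_pki
for cert in sensor-01.crt sensor-02.crt intruder.crt; do
    if server_accepts "$cert"; then echo "$cert: accepted"; else echo "$cert: rejected"; fi
done
revoke_client sensor-01
if server_accepts sensor-01.crt ca.crl; then
    echo "sensor-01.crt after revocation, CRL checked: accepted"
else
    echo "sensor-01.crt after revocation, CRL checked: rejected"
fi
```

sensor-01 (signed by the stored CA) and sensor-02 (its self-signed certificate is itself in the store) are accepted; intruder is rejected even though it carries a perfectly valid CA signature, because that CA is not in the store. After revocation, sensor-01 is still accepted unless the CRL is actually consulted, which is why a channel that relies on revocation needs the queue manager's SSLCRLNL configured rather than just a CRL published somewhere.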
SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA
SSL_DH_anon_EXPORT_WITH_RC4_40_MD5
SSL_DH_anon_WITH_3DES_EDE_CBC_SHA
SSL_DH_anon_WITH_AES_128_CBC_SHA
SSL_DH_anon_WITH_DES_CBC_SHA
SSL_DH_anon_WITH_RC4_128_MD5
SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA
SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA
SSL_DHE_DSS_WITH_AES_128_CBC_SHA
SSL_DHE_DSS_WITH_DES_CBC_SHA
SSL_DHE_DSS_WITH_RC4_128_SHA
SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA
SSL_DHE_RSA_WITH_AES_128_CBC_SHA
SSL_DHE_RSA_WITH_DES_CBC_SHA
SSL_KRB5_EXPORT_WITH_DES_CBC_40_MD5
SSL_KRB5_EXPORT_WITH_DES_CBC_40_SHA
SSL_KRB5_EXPORT_WITH_RC4_40_MD5
SSL_KRB5_EXPORT_WITH_RC4_40_SHA
SSL_KRB5_WITH_3DES_EDE_CBC_MD5
SSL_KRB5_WITH_3DES_EDE_CBC_SHA
SSL_KRB5_WITH_DES_CBC_MD5
SSL_KRB5_WITH_DES_CBC_SHA
SSL_KRB5_WITH_RC4_128_MD5
SSL_KRB5_WITH_RC4_128_SHA
SSL_RSA_EXPORT_WITH_DES40_CBC_SHA
SSL_RSA_EXPORT_WITH_RC4_40_MD5
SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA
SSL_RSA_FIPS_WITH_AES_128_CBC_SHA256
SSL_RSA_FIPS_WITH_AES_256_CBC_SHA256
SSL_RSA_FIPS_WITH_DES_CBC_SHA
SSL_RSA_WITH_3DES_EDE_CBC_SHA
SSL_RSA_WITH_AES_128_CBC_SHA
SSL_RSA_WITH_AES_128_CBC_SHA256
SSL_RSA_WITH_AES_256_CBC_SHA256
SSL_RSA_WITH_DES_CBC_SHA
SSL_RSA_WITH_NULL_MD5
SSL_RSA_WITH_NULL_SHA
SSL_RSA_WITH_NULL_SHA256
SSL_RSA_WITH_RC4_128_MD5
SSL_RSA_WITH_RC4_128_SHA
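The list above contains many suites that should never be configured on a channel that is supposed to authenticate clients and protect telemetry: anonymous Diffie-Hellman suites authenticate nobody, NULL suites do not encrypt, EXPORT, DES and RC4 suites are breakable, and the Kerberos (KRB5) suites do not use X.509 client certificates at all, so they cannot satisfy a REQUIRED client-authentication setting. The script below is an added example, not part of the IBM page: it applies a rejection policy to suite names and reports why each one fails, and flags survivors that lack forward secrecy or use older signature and MAC algorithms. The rules, the warning categories and the sample list are this example's own assumptions, written against well-known weaknesses of the algorithms named in the suites, not IBM's guidance.

```python
"""Added example (not IBM's code): triage SSL/TLS cipher-suite names for a
telemetry channel that must authenticate clients and encrypt the session."""
import re

# Rejection rules (constructed for this example): any match disqualifies the
# suite. Each entry is (pattern matched against the suite name, reason).
REJECT_RULES = (
    (re.compile(r"_anon_"), "anonymous DH: neither side is authenticated"),
    (re.compile(r"_KRB5_"), "Kerberos key exchange: no X.509 client certificate, "
                            "cannot satisfy ClientAuth=REQUIRED"),
    (re.compile(r"_EXPORT_"), "export-grade key sizes"),
    (re.compile(r"_WITH_NULL_"), "NULL cipher: no confidentiality"),
    (re.compile(r"_DES(40)?_"), "single DES (56-bit or 40-bit key)"),
    (re.compile(r"_RC4_"), "RC4 stream cipher"),
    (re.compile(r"_MD5$"), "MD5-based MAC"),
    (re.compile(r"_3DES_"), "3DES: 64-bit block (Sweet32)"),
)

# Warning rules: the suite is allowed, but these matter when picking between survivors.
WARN_RULES = (
    (re.compile(r"^SSL_RSA_"), "static RSA key exchange: no forward secrecy"),
    (re.compile(r"_DSS_"), "DSA signatures (typically 1024-bit keys)"),
    (re.compile(r"_CBC_SHA$"), "HMAC-SHA1 MAC"),
)


def classify(suite):
    """Return ("reject", reasons) or ("allow", warnings) for one suite name."""
    reasons = [why for rx, why in REJECT_RULES if rx.search(suite)]
    if reasons:
        return "reject", reasons
    return "allow", [why for rx, why in WARN_RULES if rx.search(suite)]


def triage(suites):
    """Split suite names into allowed (with warnings) and rejected (with reasons)."""
    allowed, rejected = {}, {}
    for suite in suites:
        verdict, notes = classify(suite)
        (allowed if verdict == "allow" else rejected)[suite] = notes
    return allowed, rejected


# Constructed sample: a handful of names taken from the list above.
SAMPLE = [
    "SSL_DH_anon_WITH_AES_128_CBC_SHA",
    "SSL_DHE_RSA_WITH_AES_128_CBC_SHA",
    "SSL_KRB5_WITH_3DES_EDE_CBC_SHA",
    "SSL_RSA_EXPORT_WITH_RC4_40_MD5",
    "SSL_RSA_WITH_AES_256_CBC_SHA256",
    "SSL_RSA_WITH_NULL_SHA256",
    "SSL_DHE_DSS_WITH_AES_128_CBC_SHA",
]

if __name__ == "__main__":
    allowed, rejected = triage(SAMPLE)
    for name, notes in rejected.items():
        print(f"REJECT {name}: {'; '.join(notes)}")
    for name, notes in allowed.items():
        print(f"allow  {name}: {'; '.join(notes) or 'no warnings'}")
```

Run over the whole list above, the policy leaves only the AES suites with SHA-1 or SHA-256 MACs; among those, the DHE suites give forward secrecy but only AES-128 with HMAC-SHA1, while the static-RSA suites offer AES-256 and SHA-256 but no forward secrecy. Which trade-off to take is a decision for the administrator, and the warnings are there to make it a visible one.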