SSL and TLS on the IBM MQ MQI client

IBM® MQ supports SSL and TLS on clients. You can tailor the use of SSL or TLS in various ways.

IBM MQ provides SSL and TLS support for IBM MQ MQI clients on Windows, UNIX and Linux® systems. If you are using IBM MQ classes for Java, see Using IBM MQ classes for Java; if you are using IBM MQ classes for JMS, see Using IBM MQ classes for JMS. The rest of this section does not apply to the Java or JMS environments.

You can specify the key repository for an IBM MQ MQI client either with the MQSSLKEYR value in your IBM MQ client configuration file, or when your application makes an MQCONNX call. You have three options for specifying that a channel uses SSL:
  • Using a channel definition table
  • Using the SSL configuration options structure, MQSCO, on an MQCONNX call
  • Using the Active Directory (on Windows systems)
You cannot use the MQSERVER environment variable to specify that a channel uses SSL.

You can continue to run your existing IBM MQ MQI client applications without SSL, as long as SSL is not specified at the other end of the channel.

If you change the contents of the SSL Key Repository, the location of the SSL Key Repository, the Authentication Information, or the Cryptographic hardware parameters on a client machine, you must end all the SSL connections so that the changes are reflected in the client-connection channels that the application uses to connect to the queue manager. After all the connections have ended, restart the SSL channels; they then use all the new SSL settings. These settings are analogous to those refreshed by the REFRESH SECURITY TYPE(SSL) command on queue manager systems.

When your IBM MQ MQI client runs on a Windows, UNIX or Linux system with cryptographic hardware, you configure that hardware with the MQSSLCRYP environment variable. This variable is equivalent to the SSLCRYP parameter on the ALTER QMGR MQSC command. Refer to ALTER QMGR for a description of the SSLCRYP parameter. If you use the GSK_PKCS11 version of the SSLCRYP parameter, the PKCS #11 token label must be specified entirely in lower-case.
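The lower-case rule for the PKCS #11 token label can be checked before the client starts. The following is an added example, not IBM code: the function name and return codes are hypothetical, and the four-field layout of the GSK_PKCS11 value is an assumption taken from the SSLCRYP parameter description.

```shell
#!/bin/sh
# Added example, not IBM code. Pre-flight check of an MQSSLCRYP value.
# Assumed layout (per the SSLCRYP parameter description):
#   GSK_PKCS11=<driver path>;<token label>;<token password>;<cipher setting>;
# Return codes are this script's own convention:
#   0 = acceptable, 1 = token label not lower-case, 2 = malformed value

check_mqsslcryp() {
    case $1 in
        GSK_PKCS11=*) params=${1#GSK_PKCS11=} ;;
        *) echo "not a GSK_PKCS11 value, nothing to check"; return 0 ;;
    esac

    # Split on ';' inside the shell (no external process sees the password).
    old_ifs=$IFS
    IFS=';'
    set -f                      # no filename expansion while splitting
    set -- $params
    set +f
    IFS=$old_ifs

    if [ "$#" -ne 4 ]; then
        echo "malformed: expected 4 ';'-separated fields, found $#" >&2
        return 2
    fi

    case $2 in
        '')
            echo "malformed: empty PKCS #11 token label" >&2
            return 2 ;;
        *[[:upper:]]*)
            echo "token label '$2' contains upper-case characters" >&2
            return 1 ;;
    esac

    # Report what will be used, never echoing the token password ($3).
    echo "ok: driver=$1 label=$2 password=<redacted> cipher=$4"
}

# Check the live environment when the variable is set.
if [ -n "${MQSSLCRYP:-}" ]; then
    check_mqsslcryp "$MQSSLCRYP" || echo "fix MQSSLCRYP before connecting" >&2
fi
```

Because the value carries the token password, the check keeps it out of its own output; apply the same care to any log or wrapper script that records the client environment.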

SSL secret key reset and FIPS are supported on IBM MQ MQI clients. For more information, see Resetting SSL and TLS secret keys and Federal Information Processing Standards (FIPS) for UNIX, Linux, and Windows.

See Setting up IBM MQ MQI client security for more information about the SSL support for IBM MQ MQI clients.