MQ SSL settings

After you create a transport for WebSphere® MQ, you must configure SSL settings for it.

To configure SSL transport settings, you must click the SSL tab.

The following settings apply when you enable SSL, by selecting the Use MQ SSL check box.

Field Description
Peer Name The Distinguished Name (DN) of the queue manager to be used by SSL. The queue manager identifies itself by using an SSL certificate, which contains a DN. Rational® Integration Tester can use this DN to ensure that it is communicating with the correct queue manager.

In WebSphere® MQ, a DN pattern is specified by using the sslPeerName variable of MQEnvironment. Connections succeed only if the Peer Name matches the pattern that is specified.

Cipher Suite For encrypting the transport communication, select one of the cipher suites from the list or enter the name if it is not listed. For more information, see WebSphere® MQ Knowledge Center.
Notes:
  • The application has set the com.ibm.mq.cfg.useIBMCipherMappings system property to false, therefore, enter the Oracle CipherSuite name as the cipher suite name. For example TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384.
  • Some newer cipher suites might require a specific version of the Transport Layer Security (TLS) such as TLSv1.2. You can set the appropriate TLS version in Override default protocols.
  • You cannot select this option if you are connecting to WebSphere® MQ by using a Client Channel Definition Table (CCDT).
Fips Required Specifies whether the requested cipher suite must use FIPS-certified cryptography in WebSphere® MQ.
KeyResetCount The total number of non-encrypted bytes that can be sent and received within an SSL conversation before the secret key is renegotiated. If left blank or set to zero (default), the secret key is never renegotiated. This value is ignored if no cipher suite is specified. Valid values are integers 0 - 999,999,999.
Note: KeyResetCount is not supported in WebSphere® MQ V5.3.x but is supported in WebSphere® MQ V6.0 or later.
Trust Store To enable server authentication, select the server identity store that was configured in the Physical View of Rational® Integration Tester.
Key Store To enable client authentication, select the client identity store that was configured in the Physical View of Rational® Integration Tester.
Override default protocols If you are required to use a specific version of the secure sockets protocol, such as SSLv2 or TLSv1.2, enter that algorithm name. For a complete list of algorithms, see Standard Algorithm Name Documentation.