
SSL Connection in Managed MQ .NET (MQ v8)

MQ v8 introduces managed .NET clients that allow establishing secure SSL connections to Queue Managers within the .NET CLR scope. This provides better utilization of .NET offerings like memory and exception management compared to previous unmanaged connections. The managed client supports SSLv3, TLSv1.0 and TLSv1.2. Configuring SSL on the server and client sides requires setting the key database, cipher spec, and importing certificates. Samples are provided to demonstrate creating secure connections between .NET clients and Queue Managers.

Sudhanshu Pant | Aug 26 2014 Updated

MQ v8 introduces a managed .NET client that can establish a secure SSL connection to the Queue Manager. Prior to MQ v8, MQ .NET supported SSL connections in unmanaged mode only, which is based on the MQI C client libraries (and GSKit). That is, the SSL operations were handled by the C client libraries, outside the scope of the .NET CLR, so the connection could not be called managed and the facilities that the .NET CLR provides, such as memory management and exception management, were not used. To make better use of what the .NET CLR offers, MQ v8 introduces SSL connections using the managed .NET client.

The MQ v8 managed .NET client supports all the major secure socket protocols, including SSLv3, TLSv1.0 and TLSv1.2. You can read more information about this here.

IBM MQ ships a number of samples that demonstrate creating SSL connections to a queue manager in .NET managed mode. To run a sample, follow the configuration steps below:

For Queue Manager (server) side:

1. Set the Key Database file in the SSLKEYR parameter of the Queue Manager:

    ALTER QMGR SSLKEYR('<key database>')

2. Set the CipherSpec name on the Queue Manager channel:

    ALTER CHANNEL(SYSTEM.DEF.SVRCONN) CHLTYPE(SVRCONN) SSLCIPH(TLS_RSA_WITH_AES_128_CBC_SHA) SSLCAUTH(REQUIRED)

3. Refresh the Queue Manager security settings:

    REFRESH SECURITY (*) TYPE(SSL)

For client (application) side:

1. Import the obtained client-side SSL certificate into the Windows Certificate Store (under the COMPUTER or USER account).

- To do that, go to Start->Run->mmc. This will open the Windows Memory Management Console.
- Click File->Add/Remove Snap-ins, or press Ctrl+M.
- Select "Certificates" from the left-hand side dialog box and click the "Add" button, which will open a new pop-up window to select the account you want to import your certificate into.
- You can choose either "My user account" or "Computer account". Click Next and then Finish. You should see "Certificates" under Selected snap-ins as follows:

- Click OK to open the Certificate Management Console.
- To add the client-side certificate (PKCS12 format), right-click on the Personal store->All Tasks->Import:

2. Currently, Microsoft .NET SSLStream does not allow the CipherSpec to be set in the application program. (To be consistent in design with other MQ clients, and with the future consideration that Microsoft might allow programmatic setting, the MQ .NET client still asks you to set the cipher name in "SSL_CIPHER_SPEC_PROPERTY".) For SSLStream, a CipherSpec or a preference list of them can be set only in Windows Local Group Policy, and SSLStream will use it during the handshake with the server. To do that, follow these steps:

- Go to Start->Run->gpedit.msc to open the Local Group Policy Editor.
- Expand "Computer Configuration -> Administrative Templates -> Network".
- Click on "SSL Configuration Settings". You can double-click on "SSL Cipher Suite Order" to set the desired cipher spec for the MQ channel.
- Select "Enabled" and give the name of the cipher spec you want to use in the "SSL Cipher Suites" box. Restart the system for the changes to take effect.

With this, your server and client side configuration is done.
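
A pre-flight check for the client-side steps above, as an added example that is not part of the original article or IBM's samples. Because the channel is set to SSLCAUTH(REQUIRED), the handshake fails unless the chosen store holds a certificate with its private key, and SSLStream only offers suites listed in the policy. The registry location is the one the "SSL Cipher Suite Order" policy writes to; the class and method names are hypothetical.

```csharp
using System;
using System.Linq;
using System.Security.Cryptography.X509Certificates;
using Microsoft.Win32;

// Added example (hypothetical names), not code from the article or from IBM.
static class MqTlsPreflight
{
    // Registry location written by the "SSL Cipher Suite Order" group policy.
    const string PolicyKey =
        @"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002";

    // keyRepository is the value passed as -k: "*SYSTEM" or "*USER".
    static bool HasUsableClientCert(string keyRepository)
    {
        var location = keyRepository == "*USER"
            ? StoreLocation.CurrentUser : StoreLocation.LocalMachine;
        var store = new X509Store(StoreName.My, location); // the "Personal" store
        store.Open(OpenFlags.ReadOnly);
        try
        {
            // A client certificate is only usable if its private key was imported
            // with it and the current time is inside its validity period.
            var now = DateTime.Now;
            return store.Certificates.Cast<X509Certificate2>().Any(c =>
                c.HasPrivateKey && now >= c.NotBefore && now <= c.NotAfter);
        }
        finally { store.Close(); }
    }

    // The policy stores the preference list as one comma-separated string.
    static bool PolicyOffers(string cipherSuite)
    {
        var value = Registry.GetValue(PolicyKey, "Functions", null) as string;
        return value != null && value.Split(',')
            .Any(s => s.Trim().Equals(cipherSuite, StringComparison.OrdinalIgnoreCase));
    }

    static int Main()
    {
        const string suite = "TLS_RSA_WITH_AES_128_CBC_SHA"; // SSLCIPH set on the channel
        bool cert = HasUsableClientCert("*SYSTEM");
        bool policy = PolicyOffers(suite);
        Console.WriteLine("Client certificate with private key in store: " + cert);
        Console.WriteLine("Cipher suite present in group policy order:   " + policy);
        return cert && policy ? 0 : 1;
    }
}
```

A non-zero exit code means one of the two client-side steps is incomplete; reading the computer account store may require running the check with sufficient privileges.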
To run a sample program, say SimplePut.cs (inside C:\Program Files\IBM\WebSphere MQ\Tools\dotnet\samples\cs\base\bin), pass the arguments as follows:

    "C:\Program Files\IBM\WebSphere MQ\Tools\dotnet\samples\cs\base\bin\SimplePut.exe" -q Q01 -k *SYSTEM -s TLS_RSA_WITH_AES_128_CBC_SHA -p 2000 -n 2

(If your Key Repository is under the User Account, you can give *USER for the '-k' parameter.) The output looks like below:
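
The connection such a sample makes, written against the IBM.WMQ managed client as an added example; it is not IBM's SimplePut source. The host name, port and queue manager name are placeholders, and the queue, channel and cipher spec are the ones used in the article.

```csharp
using System;
using System.Collections;
using IBM.WMQ;

// Added example, not IBM's sample code. Host, port and "QM1" are placeholders.
static class ManagedTlsPut
{
    static int Main()
    {
        var props = new Hashtable
        {
            // Managed transport keeps the handshake inside the CLR (SSLStream).
            { MQC.TRANSPORT_PROPERTY, MQC.TRANSPORT_MQSERIES_MANAGED },
            { MQC.HOST_NAME_PROPERTY, "mqhost.example.com" },   // placeholder
            { MQC.PORT_PROPERTY, 1414 },                        // placeholder
            { MQC.CHANNEL_PROPERTY, "SYSTEM.DEF.SVRCONN" },
            // Must match SSLCIPH on the channel. SSLStream still picks the suite
            // from the Windows "SSL Cipher Suite Order" policy, not from this value.
            { MQC.SSL_CIPHER_SPEC_PROPERTY, "TLS_RSA_WITH_AES_128_CBC_SHA" },
            // "*SYSTEM" = computer account store, "*USER" = user account store.
            { MQC.SSL_CERT_STORE_PROPERTY, "*SYSTEM" }
        };

        try
        {
            var qmgr = new MQQueueManager("QM1", props);        // placeholder name
            var queue = qmgr.AccessQueue("Q01",
                MQC.MQOO_OUTPUT | MQC.MQOO_FAIL_IF_QUIESCING);
            var message = new MQMessage();
            message.WriteString("test message over the secured channel");
            queue.Put(message, new MQPutMessageOptions());
            queue.Close();
            qmgr.Disconnect();
            return 0;
        }
        catch (MQException ex)
        {
            // Handshake problems (no client certificate, cipher mismatch) surface
            // here, for example as reason code 2393 (MQRC_SSL_INITIALIZATION_ERROR).
            Console.Error.WriteLine("MQ error: completion code {0}, reason code {1}",
                ex.CompletionCode, ex.ReasonCode);
            return 1;
        }
    }
}
```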
