Configuring certificate validation policies in IBM MQ

There are several different ways in which you can specify which TLS certificate validation policy is used to validate digital certificates received from remote partner systems.

About this task

The certificate validation policy determines how strictly the certificate chain validation conforms to industry security standards. The certificate validation policy depends upon the platform and environment. For more information about certificate validation policies, see Certificate validation policies in IBM MQ.

Procedure

  • To set the certificate validation policy on the queue manager, use the queue manager attribute CERTVPOL.
    For more information about setting this attribute, see ALTER QMGR (alter queue manager settings).
  • To set the certificate validation policy on the client, use one of the following methods.
    If more than one method is used to set the policy, the client uses the settings in the following priority order:
    1. Use the CertificateValPolicy field in the client MQSCO structure. Set the field to one of the following values:
      MQ_CERT_VAL_POLICY_ANY
      Apply each of the certificate validation policies supported by the secure sockets library. Accept the certificate chain if any of the policies considers the certificate chain valid.
      MQ_CERT_VAL_POLICY_RFC5280
      Apply only the RFC5280 compliant certificate validation policy. This setting provides stricter validation than the ANY setting, but rejects some older digital certificates.
      [MQ 9.4.0 Jul 2024]MQ_CERT_VAL_POLICY_NONE
      Apply no certificate validation policy. This setting is for client applications only and accepts the TLS server certificate without validating the trust chain. Because the chain is not checked, the client cannot tell a genuine queue manager from one presenting an untrusted or forged certificate, so use this value only where server authentication is not required, such as test environments.
      For more information about using this field, see MQSCO - SSL configuration options.
    2. Use the client environment variable MQCERTVPOL. To set this environment variable, use one of the following commands:
      • [AIX][Linux]For AIX® and Linux® systems:
        
        export MQCERTVPOL=value
        
      • [Windows]For Windows systems:
        
        SET MQCERTVPOL=value
        
      • [IBM i]For IBM® i systems:
        
        ADDENVVAR ENVVAR(MQCERTVPOL) VALUE(value)
        
    3. Use the CertificateValPolicy attribute of the SSL stanza in the client configuration file. Set this attribute to one of the following values:
      ANY
      Use any certificate validation policy supported by the underlying secure sockets library. This is the default.
      RFC5280
      Use only certificate validation which complies with the RFC 5280 standard.
      [MQ 9.4.0 Jul 2024]NONE
      Apply no certificate validation policy. This setting accepts the TLS server certificate without validating the trust chain, so the client cannot detect an impostor queue manager; restrict it to test environments.
      For more information about using this attribute, see SSL stanza of the client configuration file.
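The following shell script is an added example and is not part of the IBM MQ documentation or product. It writes the SSL stanza of a client configuration file with a chosen CertificateValPolicy, reads the attribute back, and resolves the policy the client would use according to the precedence described above: the MQCERTVPOL environment variable overrides the stanza, and a missing stanza attribute means ANY. The MQSCO field, which takes precedence over both, is set inside the application and is not modelled. It assumes that MQCERTVPOL accepts the same ANY, RFC5280 and NONE values as the stanza attribute, and the key repository path is a placeholder. The audit_policy function is a hypothetical check that flags a configuration whose effective policy is NONE.

```shell
#!/bin/sh
# Added example, not IBM MQ code: manage the CertificateValPolicy of a client
# configuration file and resolve the effective policy (MQCERTVPOL beats the
# SSL stanza; stanza default is ANY). The MQSCO field is not modelled.
# Assumptions: MQCERTVPOL takes ANY / RFC5280 / NONE; key repository path is
# a placeholder.
set -e

# Write an SSL stanza to the client configuration file given in $1 with the
# CertificateValPolicy in $2. Anything but the documented values is rejected.
write_ssl_stanza() {
    ini="$1"
    policy="$2"
    case "$policy" in
        ANY|RFC5280|NONE) ;;
        *)
            echo "unsupported CertificateValPolicy: $policy" >&2
            return 1
            ;;
    esac
    cat > "$ini" <<EOF
SSL:
   SSLKeyRepository=/var/mqm/ssl/client
   CertificateValPolicy=$policy
EOF
}

# Print the CertificateValPolicy attribute from the SSL stanza of $1, or
# nothing if the attribute is absent. Only the SSL stanza is consulted.
read_ini_policy() {
    awk '
        /^[A-Za-z]+:/ { in_ssl = ($0 ~ /^SSL:/) }
        in_ssl && /^[ \t]*CertificateValPolicy[ \t]*=/ {
            sub(/^[^=]*=[ \t]*/, "")
            sub(/[ \t\r]*$/, "")
            print
            exit
        }
    ' "$1"
}

# Resolve the policy the client would use for the configuration file in $1:
# the MQCERTVPOL environment variable wins over the stanza, and an absent
# stanza attribute means ANY.
effective_policy() {
    if [ -n "${MQCERTVPOL:-}" ]; then
        echo "$MQCERTVPOL"
    else
        p=$(read_ini_policy "$1")
        echo "${p:-ANY}"
    fi
}

# Hypothetical check: return 1 when the effective policy is NONE, that is,
# when the queue manager's certificate chain would not be validated at all.
audit_policy() {
    [ "$(effective_policy "$1")" != "NONE" ]
}

# Demo run on a throwaway file.
demo_ini=$(mktemp)
write_ssl_stanza "$demo_ini" RFC5280
echo "stanza policy:    $(read_ini_policy "$demo_ini")"
echo "effective policy: $(effective_policy "$demo_ini")"
audit_policy "$demo_ini" || echo "WARNING: certificate chain validation is disabled"
rm -f "$demo_ini"
```

Point the client at the generated file with the MQCLNTCF environment variable (or place it as mqclient.ini in a location the client searches), and run the audit before deployment so that a NONE left over from testing does not reach production.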