Enabling TLS support for the managed .NET client

The managed .NET client uses the Microsoft .NET Framework libraries to implement TLS secure socket protocols. The Microsoft System.Net.SecuritySslStream class operates as a stream over connected TCP sockets and sends and receives data over that socket connection.

About this task

The minimum required .NET Framework level is .NET Framework v3.5. The level of Cipher Algorithm support is based on the .NET Framework level that the application is using:

For applications that are based on .NET Framework levels 3.5 and 4.0, the available secure socket protocols are SSL 3.0 and TSL 1.0.
For applications that are based on .NET Framework level 4.5, the available secure socket protocols are SSL 3.0, TLS 1.1 and TLS 1.2.

You might need to move applications that expect higher TLS protocol support to a later version of the framework as defined for Microsoft Security support in the .NET Framework.

The main features of TLS support for the managed .NET client are as follows:

TLS protocol support: TLS support for the .NET managed client is defined through the .NET SSLStream class, and depends on the .NET Framework that the application is using. For more information see TLS protocol support for the managed .NET client.
CipherSpec support: The TLS settings for the .NET managed client are as for the Microsoft.NET TLS steams. For more information see CipherSpec support for the managed .NET client and CipherSpec mappings for the managed .NET client.
Key repositories: The key repository on the client side is a Windows keystore. The server side repository is a Cryptographic Message Syntax (CMS) type of repository. For more information see Key repositories for the managed .NET client.
Certificates: You can use self-signed TLS certificates to implement mutual authentication between a client and a queue manager. For more information see Using certificates for the managed .NET client.
SSLPEERNAME: In .NET, applications can use the optional SSLPEERNAME attribute to specify a Distinguished Name (DN) pattern. For more information see SSLPEERNAME.
FIPS compliance: Enabling FIPS programmatically is not supported by the Microsoft.NET Security library. FIPS enablement is controlled by the Windows Group Policy setting.
NSA Suite B compliance: IBM MQ implements RFC 6460. The Microsoft.NET implementation for NSA suite B is 5430. This is supported from .NET Framework 3.5 onwards.
Secret key reset or renegotiation: Although the SSLStream class does not support secret key resetting or renegotiation, for consistency with other IBM MQ clients, the .NET managed client allows applications to set SSLKeyResetCount. For more information see Secret key reset or renegotiation for the managed .NET client.
Revocation check: The SSLStream class supports certificate revocation checking, which is automatically done by the certificate chaining engine. For more information see Revocation check.
IBM MQ security exit support: The SSLStream class provides limited support for IBM MQ security exits. Querying local and remote certificates to get SSLPeerNamePtr(Subject DN) and SSLRemCertIssNamePtr (Issuer DN) is possible since this is supported in Microsoft.NET. However, there is no support for getting attributes like DNQ, UNSTRUCTUREDNAME and UNSTRUCTUREDADDRESS, so these values cannot be retrieved using the exits.
Cryptographic hardware support: Cryptographic hardware is not supported for the managed .NET client.