TLS encryption without validation is like sealing a letter but never checking who handed it to you. IBM MQ certificate validation is the set of checks that run during the TLS handshake and channel bind: Is this certificate signed by a CA I trust? Is it still within its notBefore and notAfter dates? Has it been revoked? Does the distinguished name match my CHLAUTH SSLPEER rule? Operations teams feel validation as sudden all-channel outages on the morning a corporate root CA rotates, or as one partner stuck in BINDING while others run—often a missing intermediate certificate in the partner chain file. This tutorial explains trust stores, chain building, personal versus CA certificates, SSLPEER pattern pitfalls, revocation with AUTHINFO, hostname alignment with CONNAME, and a renewal playbook that keeps production traffic running through cert changes.
A personal (server or client) certificate proves identity; CA certificates in the same repository say which issuers you trust. When a partner connects, MQ builds a chain from their leaf certificate, through any intermediates they send, to a CA certificate that is already in SSLKEYR. If the partner sends only the leaf and the intermediate is not in your store, chain building fails even though the root is trusted, and the symptom is an unknown-CA handshake alert rather than anything that names the missing intermediate. Ask partners for a .p7b or full-chain export during onboarding, and import every CA in that chain as a trusted (not personal) certificate. After importing, list labels with runmqakm -cert -list and check issuer and expiry with runmqakm -cert -details rather than waiting for channel errors.
| Check | Typical symptom | Remedy direction |
|---|---|---|
| Trusted CA present | Unknown CA / handshake alert | Import signer CA to SSLKEYR |
| Date validity | Certificate expired | Renew and redistribute before expiry |
| Key size / cipher policy | Policy rejection in log | Reissue with approved key length |
| Revocation (CRL/OCSP) | Revoked cert error | Issue new cert; fix AUTHINFO URL |
| SSLPEER / CHLAUTH | CHLAUTH block after TLS | Update SSLPEER pattern or DN |
Each queue manager needs a personal certificate issued by a CA that its partners trust. IBM MQ selects certificates by label in the key repository. The default label convention differs by platform (on distributed platforms it is ibmwebspheremq followed by the queue manager name in lower case); ALTER QMGR CERTLABL overrides that default for all channels, and the channel CERTLABL attribute selects a different personal certificate for one channel, so several personal certificates can coexist for different partners or domains. The key repository is read at start-up, so after adding or replacing certificates issue REFRESH SECURITY TYPE(SSL) for channels to see them. When renewing, create the new certificate under a new label and keep the old one for rollback, test it on a parallel channel name in lab, switch the production channel's CERTLABL to the new label, and delete the old certificate only after partners have updated their trust stores.
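The renewal sequence above as runmqsc commands, written as an added example for this page (not taken from IBM documentation or the original text). The queue manager QM1, the channel name, the labels qm1-2025 and qm1-2026, and the repository path are assumptions; the runmqakm steps, which run outside runmqsc, appear as MQSC comment lines.

```mqsc
* Added example, hypothetical names. Run inside: runmqsc QM1
*
* Before starting, the renewed certificate was loaded under a NEW label so
* the old one stays available for rollback, e.g. (outside runmqsc):
*   runmqakm -cert -receive -db /var/mqm/qmgrs/QM1/ssl/key.kdb -stashed -file qm1-2026.arm
*   runmqakm -cert -details -db /var/mqm/qmgrs/QM1/ssl/key.kdb -stashed -label qm1-2026
* Confirm the issuer, validity dates and subject DN in that output first.

* 1. Record the current repository path and default personal cert label.
DISPLAY QMGR SSLKEYR CERTLABL

* 2. Canary: move one channel to the renewed certificate, leave the rest
*    on the queue manager default.
ALTER CHANNEL('PARTNER.SVRCONN') CHLTYPE(SVRCONN) CERTLABL('qm1-2026')

* 3. Reload the key repository. On distributed platforms this restarts
*    running TLS channels, so do it in an agreed window.
REFRESH SECURITY TYPE(SSL)

* 4. After the partner reconnects, confirm the handshake succeeded and
*    which peer/issuer DNs arrived.
DISPLAY CHSTATUS('PARTNER.SVRCONN') STATUS SSLPEER SSLCERTI

* 5. Once every partner trusts the new issuer, make the new label the
*    default for all channels and reload again.
ALTER QMGR CERTLABL('qm1-2026')
REFRESH SECURITY TYPE(SSL)
DISPLAY QMGR CERTLABL

* 6. Only after that, retire the old certificate (outside runmqsc):
*   runmqakm -cert -delete -db /var/mqm/qmgrs/QM1/ssl/key.kdb -stashed -label qm1-2025
```

Per-channel CERTLABL on an inbound channel (SVRCONN, receiver) depends on the connecting side sending the channel name in SNI, which IBM MQ 8.0 and later clients do; an older client gets the queue manager default label, so the canary step should use a partner on a current client before you rely on it.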
After cryptographic validation, CHLAUTH can require the peer DN to match SSLPEER('CN=partner,O=Corp,C=US') or a wildcard form supported by your release. Corporate CAs often change spacing, attribute order or add an attribute when they reissue certificates, and patterns that matched for years then break overnight. Capture the exact DN as MQ sees it, from DISPLAY CHSTATUS with the SSLPEER attribute on a working connection or from the error log, before writing rules, rather than retyping it from a CA portal. An SSLPEERMAP record combines the match with USERSRC(MAP) MCAUSER('svc') so validated partners run under a service ID; add SSLCERTI to pin the issuer DN as well, because otherwise any CA in your trust store that issues the same subject DN would also match.
```mqsc
* CHLAUTH records are created with SET CHLAUTH; USERSRC(MAP) does the
* identity mapping and ACTION(ADD) adds the record.
SET CHLAUTH('PARTNER.*') TYPE(SSLPEERMAP) +
    SSLPEER('CN=mqclient,OU=Integration,O=Partner Corp,L=London,C=GB') +
    ADDRESS('*') USERSRC(MAP) MCAUSER('partmq') ACTION(ADD)
DISPLAY CHLAUTH('PARTNER.*') ALL
* After cert renewal, DISPLAY again and compare SSLPEER to the new cert DN
```
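What the "compare after renewal" step turns into when the partner's reissued certificate carries a new OU: an added example for this page, not part of the original text or of IBM's documentation, showing how to swap the mapped DN while CHLAUTH stays enabled throughout. The channel name PARTNER.SVRCONN, both DNs, the issuer DN, the MCAUSER partmq and the test address 203.0.113.10 are assumptions.

```mqsc
* Added example, hypothetical names and DNs. Run inside: runmqsc QM1

* 1. Add a record for the NEW DN next to the existing one. Pinning the
*    issuer with SSLCERTI stops a same-subject cert from another trusted
*    CA matching this rule.
SET CHLAUTH('PARTNER.SVRCONN') TYPE(SSLPEERMAP) +
    SSLPEER('CN=mqclient,OU=Integration Services,O=Partner Corp,L=London,C=GB') +
    SSLCERTI('CN=Partner Issuing CA,O=Partner Corp,C=GB') +
    ADDRESS('*') USERSRC(MAP) MCAUSER('partmq') ACTION(ADD)

* 2. Dry-run the rule set against the new DN from an address the partner
*    really connects from. RUNCHECK needs a specific (non-generic) channel
*    name and a specific IP address, and reports the record that would win.
DISPLAY CHLAUTH('PARTNER.SVRCONN') MATCH(RUNCHECK) +
    ADDRESS('203.0.113.10') +
    SSLPEER('CN=mqclient,OU=Integration Services,O=Partner Corp,L=London,C=GB') +
    SSLCERTI('CN=Partner Issuing CA,O=Partner Corp,C=GB')

* 3. Partner cuts over. Confirm on a live connection which DNs arrived and
*    that the channel is running under the service ID.
DISPLAY CHSTATUS('PARTNER.SVRCONN') STATUS MCAUSER SSLPEER SSLCERTI

* 4. Only now remove the old record, naming it by the key fields it was
*    created with (channel, TYPE, SSLPEER, ADDRESS).
SET CHLAUTH('PARTNER.SVRCONN') TYPE(SSLPEERMAP) +
    SSLPEER('CN=mqclient,OU=Integration,O=Partner Corp,L=London,C=GB') +
    ADDRESS('*') ACTION(REMOVE)

DISPLAY CHLAUTH('PARTNER.SVRCONN') ALL
```

The RUNCHECK display in step 2 is the check worth keeping in the runbook: it answers "which record will this DN hit" without waiting for the partner to connect, so a typo in the new DN shows up as a NOACCESS or no-match result before cutover instead of as a blocked channel afterwards.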
Compromised certificates must be revoked at the CA, and the queue manager must then be told where to look. AUTHINFO objects with AUTHTYPE(CRLLDAP) (an LDAP CRL distribution point in CONNAME) or AUTHTYPE(OCSP) (an OCSPURL) describe the sources, but they take effect only when collected in a NAMELIST that the queue manager's SSLCRLNL attribute points to, followed by REFRESH SECURITY TYPE(SSL). From then on a network block to the LDAP or OCSP endpoint causes false failures, so treat revocation infrastructure as a production dependency and decide deliberately, through OCSPAuthentication in the qm.ini SSL stanza (REQUIRED, OPTIONAL or WARN), what happens when a responder cannot be reached. Not every estate enables revocation checking; if it is disabled, document the risk acceptance.
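The full wiring for revocation checking, added here as an example and not copied from the original page or IBM's documentation. The object names CORP.OCSP, CORP.CRL and CORP.REVOCATION, the OCSP URL and the LDAP host are assumptions; the LDAP bind credentials are left out because whether they are needed depends on the directory.

```mqsc
* Added example, hypothetical names and endpoints. Run inside: runmqsc QM1

* An OCSP responder to query for each presented certificate.
DEFINE AUTHINFO('CORP.OCSP') AUTHTYPE(OCSP) +
    OCSPURL('http://ocsp.corp.example/') REPLACE

* An LDAP server holding the CA's CRLs. Add LDAPUSER/LDAPPWD here only if
* the directory refuses anonymous bind.
DEFINE AUTHINFO('CORP.CRL') AUTHTYPE(CRLLDAP) +
    CONNAME('ldap.corp.example(389)') REPLACE

* AUTHINFO objects on their own do nothing; the namelist is what the
* queue manager consults.
DEFINE NAMELIST('CORP.REVOCATION') NAMES('CORP.OCSP','CORP.CRL') REPLACE

* Activate checking by pointing the queue manager at the namelist.
ALTER QMGR SSLCRLNL('CORP.REVOCATION')

* New handshakes pick this up after a reload (running TLS channels restart).
REFRESH SECURITY TYPE(SSL)

* Verify what is now in force.
DISPLAY QMGR SSLCRLNL
DISPLAY AUTHINFO('CORP.*') AUTHTYPE CONNAME OCSPURL
```

Before switching this on in production, confirm from the queue manager host that both endpoints are reachable through the firewall; with the default OCSPAuthentication=REQUIRED an unreachable responder is treated the same as a revoked certificate and every TLS channel stops.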
Clients and senders connect to hostnames in CONNAME or connection strings, and server certificates should carry matching Subject Alternative Name (SAN) DNS entries. Connecting by IP while the certificate lists only a hostname fails wherever the client stack enforces hostname verification. IBM MQ itself binds identity through SSLPEER and CHLAUTH rather than through the SAN, so keep those rules in place regardless, and standardize on DNS names in the CCDT and firewall rules rather than raw IPs unless the certificates include IP SANs.
The personal certificate is the passport. CA certificates in your trust store are the list of issuing authorities whose passports you accept. Validation is border control reading the passport, checking expiry, checking the issuer's seal is genuine, and optionally checking a list of revoked passports (CRL/OCSP). SSLPEER is the guest list saying only certain passport names may enter the VIP room.
Use openssl s_client -connect host:port -showcerts from a jump host to see the chain the server actually presents; anything missing there is missing from the server's key repository, not from your trust store. Compare with the queue manager's own view: runmqakm -cert -list -db key.kdb -stashed lists the labels, and runmqakm -cert -details -db key.kdb -stashed -label <label> shows issuer, subject, validity dates and SANs for one of them. The queue manager error log (AMQERR01.LOG) usually pairs the AMQ9xxx message with a GSKit return code; search IBM support for that code rather than the message text. On the client, enable TLS trace per the client documentation sparingly and only in lab, since it is verbose and slows the handshake it is observing.
Certificate validation is checking that a friend's hall pass is real, not expired, not on the principal's revoked list, and that the name on the pass matches the name they told you.
Partner renewed cert with new OU in DN—write steps to update SSLPEERMAP without disabling CHLAUTH.
List what you import to SSLKEYR when given only a leaf .crt file.
Document monitoring alerts for cert expiry 30/14/7 days before channel impact.
1. Trusted CAs are stored in:
2. Expired cert causes:
3. SSLPEERMAP maps cert DN to:
4. Revocation checking uses: