Sun Java System Message Queue 4.3 Developer's Guide for C Clients

Procedure: To Establish a Secure Connection

  1. Set the MQ_CONNECTION_TYPE_PROPERTY to SSL.

  2. If you want the runtime to check the broker’s certificate, set the MQ_SSL_BROKER_IS_TRUSTED property to false. Otherwise, you can leave it at its default value (true), in which case the runtime does not check the broker’s certificate.

  3. Generate the NSS files certN.db, keyN.db, and secmod.db using the certificate database tool certutil. You can find this tool at the following locations:

  4. Note the path name of the directory that contains the NSS files you generated in Configuring the Client for Secure Communication.

  5. If you have set the MQ_SSL_BROKER_IS_TRUSTED property to false, use the certutil tool to import the root certificate of the authority certifying the broker into the database files you generated in Configuring the Client for Secure Communication.

    Make sure that the MQ_BROKER_HOST_PROPERTY value is set to the same value as the common name (CN) in the broker’s certificate.

  6. If you have set the MQ_SSL_BROKER_IS_TRUSTED property to false, you have the option of enabling broker fingerprint-based verification in case authorization fails. For details, see Verification Using Fingerprints.

  7. Call the function MQInitializeSSL once (and only once) before creating the connection, and pass the name of the directory that contains the NSS files you generated in Configuring the Client for Secure Communication. If the broker is trusted, these files can be empty.

    You must call this function before you create any connection to the broker, including connections that do not use SSL.
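
A pre-flight check that a client could run on the settings from the steps above before it calls MQInitializeSSL, given here as an added example that is not part of the guide or of the Message Queue C API. The function name `mq_ssl_preflight`, the `PF_*` result bits and the exact-match comparison of host and CN are assumptions; the caller supplies the CN it expects in the broker's certificate.

```c
/* Added example, not MQ API: all names below are hypothetical. */
#include <ctype.h>
#include <dirent.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
enum {
    PF_NO_DIR     = 1 << 0,  /* NSS directory missing or unreadable */
    PF_NO_CERT_DB = 1 << 1,  /* no certN.db */
    PF_NO_KEY_DB  = 1 << 2,  /* no keyN.db */
    PF_NO_SECMOD  = 1 << 3,  /* no secmod.db */
    PF_EMPTY_CERT = 1 << 4,  /* certN.db empty although the broker is checked */
    PF_HOST_NE_CN = 1 << 5   /* broker host value differs from certificate CN */
};

/* True for "<prefix><digits>.db", e.g. cert8.db or key3.db. */
static int is_numbered_db(const char *name, const char *prefix) {
    size_t n = strlen(prefix);
    if (strncmp(name, prefix, n) != 0 || !isdigit((unsigned char)name[n]))
        return 0;
    while (isdigit((unsigned char)name[n])) n++;
    return strcmp(name + n, ".db") == 0;
}

/* Returns 0 if the settings are consistent, else a mask of PF_* bits. */
int mq_ssl_preflight(const char *nss_dir, int broker_is_trusted,
                     const char *broker_host, const char *expected_cn) {
    int found = 0, problems;
    long cert_size = -1;
    char path[4096]; struct stat st;
    DIR *d = opendir(nss_dir);
    if (!d) return PF_NO_DIR;
    for (struct dirent *e; (e = readdir(d)) != NULL; ) {
        if (is_numbered_db(e->d_name, "cert")) {
            found |= PF_NO_CERT_DB;
            snprintf(path, sizeof path, "%s/%s", nss_dir, e->d_name);
            if (stat(path, &st) == 0) cert_size = (long)st.st_size;
        } else if (is_numbered_db(e->d_name, "key")) found |= PF_NO_KEY_DB;
        else if (strcmp(e->d_name, "secmod.db") == 0) found |= PF_NO_SECMOD;
    }
    closedir(d);
    problems = (PF_NO_CERT_DB | PF_NO_KEY_DB | PF_NO_SECMOD) & ~found;
    if (!broker_is_trusted) {  /* MQ_SSL_BROKER_IS_TRUSTED set to false */
        if (cert_size == 0) problems |= PF_EMPTY_CERT;  /* no root cert imported */
        if (!broker_host || !expected_cn || strcmp(broker_host, expected_cn))
            problems |= PF_HOST_NE_CN;  /* exact match is an assumption */
    }
    return problems;
}
```

A zero result only means the files and the host value are consistent with the procedure; the certificate check itself is still done by the runtime when MQ_SSL_BROKER_IS_TRUSTED is false.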