Integration


This is an IBM Automation portal for Integration products. To view all of your ideas submitted to IBM, create and manage groups of Ideas, or create an idea explicitly set to be either visible by all (public) or visible only to you and IBM (private), use the IBM Unified Ideas Portal (https://ideas.ibm.com).


Status Submitted
Created by Guest
Created on Mar 5, 2026

Support OpenSSL

Problem Statement

Currently, GSKit is the only supported way of setting up TLS and cryptography in MQ. Because only IBM products rely on GSKit (as far as I know) it poses a higher barrier to entry when starting with Db2. While GSKit supports standards like PKCS#12 keystores it adds a proprietary layer for stash files - resulting in PKCS#12 files being incompatible with e.g., OpenSSL.

GSKit doesn't have a way of creating a truststore without a private key and thus a password/stash file. For creating trust this is pointless because only the root and intermediate certificates are important. No private keys are used. This makes distributing truststores more difficult than it should be.

GSKit doesn't have a mechanism of an "OS truststore" - something where the OS stores all the certificates it (and utilities running on it) can trust. We maintain these truststores with customer root certificates, which helps with setting up TLS for many applications. For GSKit-required applications this doesn't work and a new truststore must be created and managed.

During a case we also identified a problem where two different versions were loaded inside one process because both MQ and Db2 were used. This caused a low-level memory exception. The result was that GSKit cannot be safely loaded twice in the same process. OpenSSL doesn't pose such a restriction.

GSKit isn't supported by tools like Ansible. A lot of custom code is required to produce the necessary files. An Ansible role was created internally that allows management of truststores and keystores.

Current Workaround

Learning GSKit can be done and the fair amount of documentation and examples help in doing so. Because it is the only option for MQ, there is simply no way around it right now. Sometimes I was asked to implement external TLS implementations (e.g., through HAProxy) for incoming and outgoing connections. This, however, adds another layer of complexity.

For the problem of running both MQ and Db2 in the same process, we are making sure that the MQ GSKit supplied libraries are loaded first via LD_PRELOAD. This is flaky and, as per my understanding, prone to fail in case Db2's version of GSKit is higher than the one MQ is shipped with.

Benefit / Goals

  1. Reduce the barrier of entry for people starting out with MQ

  2. OpenSSL exists for a wide variety of distributions. It is also distributed by them. In case of security fixes these can be easily identified and patched (in many cases, automatically). OpenSSL shouldn't be bundled with MQ.

  3. Make TLS and cryptography much easier to set up for MQ, increasing the use of TLS.

  4. Allow the use of an OS truststore for TLS verification.

  5. Enhance the MQ configuration experience because support is included for other products: Instantly use certificates provided through external key vaults (e.g., Azure KeyVault). Support provisioning with Ansible (it offers a module to create the required files).

  6. OpenSSL isn't just used for TLS but also ships a cryptography library which likely can be used to support the AMS part of MQ.

  7. Easier tracing/debugging of problems because the AMQ.SSL.TRC is only binary and can only be formatted/read by IBM.

The goals could also be implemented as features of GSKit. Because OpenSSL exists, is widely accepted and already ships that functionality, my suggestion is to reuse something that exists and has proven to work.

Idea priority Medium
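The workaround section above relies on LD_PRELOAD to make sure only MQ's copy of GSKit ends up in a process that also uses Db2. The following script is an added example, not part of the idea or IBM code: it reads /proc/<pid>/maps on Linux and groups every mapped libgsk8*.so by the directory it was loaded from, so you can verify whether a running process really has a single GSKit build or the conflicting pair the idea describes. The library file names and the MQ and Db2 install paths in the constructed sample are assumptions for illustration.

```python
"""Detect more than one copy of GSKit mapped into a Linux process.

Added example, not part of the idea above and not IBM code. The GSKit
library names (libgsk8ssl_64.so, libgsk8iccs_64.so) and the install
directories used in the constructed sample are assumptions.
"""
import re
import sys
from collections import defaultdict

# /proc/<pid>/maps lines end with the mapped file's path. Capture the
# directory and the file name for GSKit 8 shared objects only.
_GSK_RE = re.compile(r"(\S*/)(libgsk8\w*\.so(?:\.\d+)*)$")


def gskit_libraries(maps_text):
    """Return {directory: set(library names)} for every GSKit library in maps_text."""
    found = defaultdict(set)
    for line in maps_text.splitlines():
        m = _GSK_RE.search(line.rstrip())
        if m:
            found[m.group(1)].add(m.group(2))
    return dict(found)


def gskit_conflict(maps_text):
    """Return the sorted GSKit directories if more than one is mapped, else []."""
    dirs = sorted(gskit_libraries(maps_text))
    return dirs if len(dirs) > 1 else []


def check_pid(pid):
    """Read /proc/<pid>/maps of a live process and report conflicting GSKit directories."""
    with open(f"/proc/{pid}/maps") as f:
        return gskit_conflict(f.read())


# Constructed sample (assumed paths): a process that loaded MQ's GSKit and
# then Db2's own copy, which is the situation the LD_PRELOAD workaround
# is meant to avoid.
SAMPLE_MAPS = """\
7f1a00000000-7f1a00021000 r-xp 00000000 fd:01 1234 /usr/lib64/libc.so.6
7f1a10000000-7f1a10400000 r-xp 00000000 fd:01 5678 /opt/mqm/gskit8/lib64/libgsk8ssl_64.so
7f1a10400000-7f1a10800000 r-xp 00000000 fd:01 5679 /opt/mqm/gskit8/lib64/libgsk8iccs_64.so
7f1a20000000-7f1a20400000 r-xp 00000000 fd:01 9012 /home/db2inst1/sqllib/lib64/gskit/libgsk8ssl_64.so
7f1a20400000-7f1a20800000 r-xp 00000000 fd:01 9013 /home/db2inst1/sqllib/lib64/gskit/libgsk8iccs_64.so
"""


if __name__ == "__main__":
    # With a PID argument inspect a live process; without one, run on the sample.
    dirs = check_pid(sys.argv[1]) if len(sys.argv) > 1 else gskit_conflict(SAMPLE_MAPS)
    if dirs:
        print("GSKit mapped from more than one directory:")
        for d in dirs:
            print("  ", d)
    else:
        print("single GSKit copy (or none) mapped")
```

Run it as `python3 gskcheck.py <pid>` against the application process after it has opened both its MQ and Db2 connections; if two directories are reported, the LD_PRELOAD workaround did not take effect for that process and the dual-load crash described above is still possible.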