
Why I need to provide both key store and trust store for an SSL connection to IBM MQ

I've created a light application that is connecting to IBM MQ using SSL.

If I set up both javax.net.ssl.trustStore and javax.net.ssl.keyStore, everything works as expected.

The keystore (jks) contains two entries:

  1. TrustedCertEntry

  2. PrivateKeyEntry

I had the feeling that, given that I am the client for this connection and MQ is the server, only the trustStore should be needed, but this is not the case, since the application does not work if I set up only the trustStore.

Can anyone explain to me why both are required?

As per the "SSL configuration of the WebSphere MQ Java/JMS client" guide, point 2, "Create keyStore", you are most likely using certificates for client authentication. This authentication setup requires a keyStore:

Complete this section only if you wish to have client authentication when a connection is made to a Queue Manager. If client authentication has not been specified on the channel, you do not need to complete this section.

The keyStore is essentially the same as a trustStore, except that it holds the client's personal certificate, and the JSSE requires a password for access. You can in fact add your personal certificate to the trustStore created earlier and it will act as both trustStore and keyStore, but the password that was not required before will now need to be passed to the JSSE in order for it to access your personal certificate.

You can verify this on the server, as shown in the "Using self-signed certificates for mutual authentication of a client and queue manager" guide, by running:

DISPLAY CHSTATUS(<your channel name>) SSLPEER SSLCERTI
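As an added illustration (not code from the question, the answer or IBM), the Java below builds a JSSE SSLContext from a single JKS that serves as both trustStore and keyStore, the setup the answer describes: the TrustManager only needs the public TrustedCertEntry certificates, while the KeyManager must unlock the PrivateKeyEntry, which is why the extra password is required. The file path and passwords are placeholders.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.util.Enumeration;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

public class MqJsseContext {

    /** Opens a JKS file; the store password is needed just to read it. */
    static KeyStore load(String path, char[] storePass) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, storePass);
        }
        return ks;
    }

    /** True only if the store holds a PrivateKeyEntry, i.e. can present a client certificate. */
    static boolean canAuthenticateClient(KeyStore ks) throws Exception {
        Enumeration<String> aliases = ks.aliases();
        while (aliases.hasMoreElements()) {
            if (ks.isKeyEntry(aliases.nextElement())) return true;   // PrivateKeyEntry
        }
        return false;   // only TrustedCertEntry entries: a valid trustStore, but no client identity
    }

    /** One JKS as both trustStore and keyStore; keyPass unlocks the private key for the KeyManager. */
    static SSLContext build(String jksPath, char[] storePass, char[] keyPass) throws Exception {
        KeyStore ks = load(jksPath, storePass);
        if (!canAuthenticateClient(ks)) {
            throw new IllegalStateException(
                "no PrivateKeyEntry: a channel that requires client authentication will reject this client");
        }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);                        // trust anchors for verifying the queue manager's certificate
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(ks, keyPass);               // client identity; fails without the key password
        SSLContext ctx = SSLContext.getInstance("TLSv1.2");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        // Placeholder path and passwords; substitute the client's own JKS.
        SSLContext ctx = build("client.jks", "changeit".toCharArray(), "changeit".toCharArray());
        System.out.println("TLS context built with client identity: " + ctx.getProtocol());
    }
}
```

Setting only javax.net.ssl.trustStore gives the JSSE a TrustManager but no KeyManager, so when the channel demands client authentication the client has no certificate to present and the handshake fails, which matches the behaviour the question describes.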
