Skip to content

IBM MQ Security

The IBM MQ integration supports plain username/password authentication and optional MQ-native TLS configuration.

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
import os

from faststream.security import SASLPlaintext

from faststream_mq import MQBroker

security = SASLPlaintext(username="app", password="password", use_ssl=False)

broker = MQBroker(
    queue_manager="QM1",
    conn_name=os.getenv("FASTSTREAM_MQ_CONN_NAME", "localhost(1414)"),
    security=security,
)

Plain Credentials

  • SASLPlaintext can be used to provide MQ credentials

TLS with PEM inputs

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
from faststream_mq import MQBroker, mq_tls_from_pem

broker = MQBroker(
    queue_manager="QM1",
    conn_name="localhost(1414)",
    tls=mq_tls_from_pem(
        cipher_spec="TLS_AES_256_GCM_SHA384",
        client_cert="docs/docs_src/mq/security/certs/client.crt",
        client_key="docs/docs_src/mq/security/certs/client.key",
        ca_cert="docs/docs_src/mq/security/certs/ca.crt",
    ),
)

Use this mode when you have:

  • client certificate PEM file
  • client private key PEM file
  • a CA PEM file

Use mq_tls_from_pem(...) for this mode. FastStream prepares a temporary PKCS12 keystore in Python and connects using MQ-native TLS settings.

If your deployment has multiple CA certificates, bundle them into a single PEM file before passing it as ca_cert.

If keystore_password is omitted, FastStream generates a strong random password for the process-local temporary keystore.

TLS with a prebuilt MQ key repository

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
from faststream_mq import MQBroker, mq_tls_from_keystore

broker = MQBroker(
    queue_manager="QM1",
    conn_name="localhost(1414)",
    tls=mq_tls_from_keystore(
        cipher_spec="TLS_AES_256_GCM_SHA384",
        keystore="docs/docs_src/mq/security/certs/client.p12",
        certificate_label="client-cert",
    ),
)

Use mq_tls_from_keystore(...) if your deployment already provides a PKCS12 keystore.

Notes

  • IBM MQ TLS is configured with tls=..., not with Python ssl_context
  • security.use_ssl=True alone is not enough for IBM MQ
  • tls=None keeps the current non-TLS behavior