How to Configure SSL for the MQSC Adapter - Middleware News
The following procedures are designed to help you with configuring a Windows MQSeries Client to run with Secure Sockets Layer (SSL)-enabled MQSeries Server channels. The procedures describe configuration for one-way (Server) authentication.
Configuration is performed in the following steps:
* Set up the Queue Manager/Client to work without SSL.
* Add SSL to the configuration.
* Configure the MQSeries Client-Based Adapter properties for SSL.
Note
For more information, refer to IBM WebSphere MQ documentation. If you already have MQSeries client/server SSL working, you can go directly to the procedure for configuring the SSL properties in the adapter.
The following procedures assume that you are setting up a new Queue Manager. However, you can also apply these steps to existing Queue Managers.
To set up the Queue Manager/Client to work without SSL
1. Create a Queue Manager named QM1, and define a listener on the required port.
2. Define a SVRCONN channel named TO.QM1.
3. Define a CLNTCONN channel named TO.QM1.
4. On the CLNTCONN channel, supply the name of the SVRCONN channel to which it will connect (TO.QM1), the transport type, the IP address/DNS name of the server, and the port number.
5. Define a local queue named TESTQUEUE on the target Queue Manager; it can be used for testing the client connections.
6. Copy the AMQCLCHL.TAB file from the server onto the client computer. (This file can be found in /var/mqm/qmgrs//@IPCC on most UNIX installations and /Program Files//qmgrs//@IPCC on most Windows installations.)
7. On the client computer, set the following environment variables:
   * MQCHLLIB=C:\sslclient\ssl\ (the path of the client channel table).
   * MQCHLTAB=AMQCLCHL.TAB (the name of the client channel table).
Note
There are defaults for these environment variables if you want to use them. See the WebSphere MQ Client manual for more information.
8. Test that the client connection works by running amqsputc.exe on your BizTalk Server computer: amqsputc.exe TESTQUEUE.
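Steps 1 to 5 above, written as a single runmqsc script, as an added example that is not from the original page or from IBM's documentation. It assumes the queue manager has already been created and started (crtmqm QM1, strmqm QM1), that the server is reachable as mqserver.example.com on port 1414, and that a low-privilege operating-system user named mqclient exists for the channel's MCAUSER; host, port and user are placeholders, and MCAUSER is an addition beyond the page's steps.

```mqsc
* qm1-setup.mqsc (constructed example)
* Run on the server after crtmqm QM1 and strmqm QM1:
*   runmqsc QM1 < qm1-setup.mqsc

* Step 1: listener on the required port (placeholder 1414), started with the queue manager
DEFINE LISTENER(QM1.LISTENER) TRPTYPE(TCP) PORT(1414) CONTROL(QMGR) REPLACE
START LISTENER(QM1.LISTENER)

* Step 2: server-connection channel. MCAUSER (assumed user 'mqclient') pins the
* identity the channel runs under instead of trusting the user ID the client asserts.
DEFINE CHANNEL(TO.QM1) CHLTYPE(SVRCONN) TRPTYPE(TCP) +
       MCAUSER('mqclient') +
       DESCR('Client channel for the BizTalk MQSC adapter') REPLACE

* Steps 3 and 4: client-connection channel naming the SVRCONN it connects to,
* the transport type, the server address and the port. Defining it here is what
* writes the AMQCLCHL.TAB that step 6 copies to the client.
DEFINE CHANNEL(TO.QM1) CHLTYPE(CLNTCONN) TRPTYPE(TCP) +
       CONNAME('mqserver.example.com(1414)') +
       QMNAME(QM1) REPLACE

* Step 5: local queue used only to test the client connection
DEFINE QLOCAL(TESTQUEUE) DESCR('Client connection test queue') REPLACE

* Read back what was defined before copying the channel table to the client
DISPLAY LISTENER(QM1.LISTENER) PORT CONTROL
DISPLAY CHANNEL(TO.QM1) CHLTYPE(SVRCONN) MCAUSER
DISPLAY CHANNEL(TO.QM1) CHLTYPE(CLNTCONN) CONNAME QMNAME
DISPLAY QLOCAL(TESTQUEUE) CURDEPTH
```

The DISPLAY commands at the end are the check to make before step 6: the CONNAME and QMNAME shown for the CLNTCONN definition are exactly what the client will read from the copied AMQCLCHL.TAB, so a typo is caught on the server rather than as a 2059 connection failure from amqsputc.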
To add SSL to the configuration
================================
1. Add the certificate to the Queue Manager's store (using Internet Explorer/the MQSeries user interface or amqmcert on Windows, or gsk6ikm or gsk6cmd on UNIX).
2. Alter the SVRCONN channel so that SSLCIPH is set (for example, to NULL_MD5), and set SSLCAUTH to OPTIONAL.
Note
SSLCAUTH(REQUIRED) is needed only for two-way (client and server) authentication.
3. Alter the CLNTCONN channel so that SSLCIPH is set to the same value as on the SVRCONN channel (for example, NULL_MD5).
4. Copy the new AMQCLCHL.TAB file from the server onto the client computer so that the client picks up the SSL changes.
5. On the Windows client computer, ensure that the CA certificates are in the system key store (you can check this from Internet Explorer); if they are not, import them into it (again, using Internet Explorer).
6. Set the following environment variable to specify the location and name of the client key store: set MQSSLKEYR=C:\sslclient\ssl\key
Note
The key store must have the file name extension .sto, and the environment variable must not include the extension.
7. When you have the required CA certificates in the system store, you can set up the client key store:
   1. List the certificates in the system CA store: amqmcert -l -k ca, and note the number(s) of the required CA certificate(s).
   2. Add the certificates to the client store: amqmcert -a (certificate_number), where (certificate_number) is the number of each required certificate.
8. Test that the SSL client connections work by using the amqsputc sample program and the test queue that you set up previously.
Note
You do not have to import the CA certificates into the Windows system store beforehand; for example, you can import the certificates into the client certificate store straight from a file. See the IBM MQSeries System Admin guide for information about amqmcert.
When the MQSeries Client-to-MQSeries Queue Manager SSL is working, the adapter can be configured on both receive locations and send ports to use SSL. The property values that were used in the test must be specified in the adapter configuration. The following adapter properties are relevant to both send port and receive locations:
SSL Cipher Specification defines a single CipherSpec for an SSL connection that will be used by the endpoint configured in the adapter. Both ends of a WebSphere MQ SSL channel definition must include the attribute, and the value specified here should match the name that was specified on the server end of the channel. The value is a string with a maximum length of 32 characters.
SSL Peer Name is used to check the distinguished name (also known as DN) of the certificate from the peer queue manager or client at the other end of a WebSphere MQ channel. If the distinguished name received from the peer does not match this value, the channel does not start.
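The server-side part of the SSL procedure (steps 2 and 3) together with the two channel attributes that the adapter's SSL Cipher Specification and SSL Peer Name properties have to match, as an added example that is not from the original page or from IBM's documentation. It keeps the page's NULL_MD5 so the values line up with the text; note that NULL_MD5 is a null-encryption CipherSpec, so it proves the handshake and certificate checks but encrypts nothing, and a production channel should use a CipherSpec that does. The peer name CN=QM1*,O=Example is a constructed placeholder for the subject DN of the queue manager's certificate, and SSLPEER on the CLNTCONN channel goes one step beyond the page's procedure. The client-side steps (MQSSLKEYR, amqmcert, copying AMQCLCHL.TAB) are Windows commands, not MQSC, and stay as the page gives them.

```mqsc
* qm1-ssl.mqsc (constructed example), run on the server after the
* certificate has been added to the queue manager's store (step 1):
*   runmqsc QM1 < qm1-ssl.mqsc

* Make the queue manager re-read its key store so the new certificate is used
REFRESH SECURITY TYPE(SSL)

* Step 2: SVRCONN gets the CipherSpec; OPTIONAL = one-way (server) authentication.
* Use SSLCAUTH(REQUIRED) only when the client must also present a certificate.
ALTER CHANNEL(TO.QM1) CHLTYPE(SVRCONN) +
      SSLCIPH(NULL_MD5) +
      SSLCAUTH(OPTIONAL)

* Step 3: CLNTCONN gets the same CipherSpec. SSLPEER (addition, placeholder DN)
* makes the client refuse a queue manager whose certificate DN does not match,
* which is what the adapter's SSL Peer Name property does for the adapter.
ALTER CHANNEL(TO.QM1) CHLTYPE(CLNTCONN) +
      SSLCIPH(NULL_MD5) +
      SSLPEER('CN=QM1*,O=Example')

* Verify both ends agree before the new AMQCLCHL.TAB is copied (step 4).
* The SSLCIPH shown here is the value for the adapter's SSL Cipher Specification
* (32 characters maximum) and SSLPEER the value for its SSL Peer Name.
DISPLAY CHANNEL(TO.QM1) CHLTYPE(SVRCONN)  SSLCIPH SSLCAUTH
DISPLAY CHANNEL(TO.QM1) CHLTYPE(CLNTCONN) SSLCIPH SSLPEER CONNAME
```

A mismatch between the two SSLCIPH values, or between the CLNTCONN SSLCIPH and the adapter's SSL Cipher Specification, shows up at the client as a failed MQCONN rather than a clear message, so comparing the two DISPLAY lines is the cheapest check available before running amqsputc against TESTQUEUE again.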