SlideShare uma empresa Scribd logo

Mq ssl channels_on_windows

K
karthickmsit
TecnologiaEducação
1 de 20
Baixar para ler offline
Connecting Version 6 MQ Queue Managers using SSL 1 Connecting two Windows Queue Managers using SSL © IBM Corporation, 2005. All rights reserved. 1.1 Abstract This article presents a step-by-step guide to configuring two WebSphere MQ Version 61 queue managers on Windows for communication using SSL channels. I assume that you are familiar with SSL in general and know how to set up non-SSL sender/receiver channels between two queue managers. For more information about SSL with MQ, refer to the WebSphere MQ V6 Security manual, SC34-6588. You can download the PDF from: http://www.ibm.com/software/integration/wmq/library/ 1.2 Basic Configuration We need two queue managers with a working connection (sender/receiver channel pairs in both directions). I will use the following names and attributes; you can create queue managers with the same names, or adjust the instructions below to match your configuration: Queue Manager name QM1 QM2 IP address 192.168.1.65 192.168.1.64 Listener port 11111 22222 Transmit queue QM2 QM1 Sender channel QM1.QM2 QM2.QM1 Receiver channel QM2.QM1 QM1.QM2 Local queue (for testing) Q1 Q2 Remote queue definition QM2.Q2 QM1.Q1 (for testing) MQ Installation directory C:MQV6 C:MQV6 (throughout this document, <MQdir>) 1 Referred to as “MQ” from now on. Page 1 of 20
Connecting Version 6 MQ Queue Managers using SSL If you choose to create two queue managers as above, the only thing you’ll need to change is the IP address. You can create the two queue managers on the same, or on separate, Windows systems. Skip to Checking the channel, below, if you already have two interconnected queue managers. Creating the Queue Managers You can use the Version 6 MQ Explorer to create the queue managers, or use a command script. The following example creates a queue manager called QM1 with a listener on port 11111: @echo Create queue manager crtmqm -u QM1.DLQ QM1 @echo Start queue manager and associated services amqmdain qmgr start QM1 @echo Create and start listener @echo def listener('LISTENER.TCP') trptype(tcp) port(11111) control(qmgr) | runmqsc QM1 @echo START LISTENER('LISTENER.TCP') | runmqsc QM1 @echo Create dead letter queue @echo def ql(QM1.DLQ) replace | runmqsc QM1 The example above shows how to create QM1; you can adapt it to create QM2. Setting up the channels The following commands, when run from a command prompt on the machine where QM1 is running, create the necessary MQ objects for QM1 to communicate with QM2: echo def ql(QM2) replace usage(xmitq) trigger trigdata(QM1.QM2) initq(SYSTEM.CHANNEL.INITQ) | runmqsc QM1 echo def chl(QM1.QM2) chltype(sdr) replace xmitq(QM2) conname('192.168.1.64(22222)') | runmqsc QM1 echo def chl(QM2.QM1) chltype(rcvr) replace | runmqsc QM1 Page 2 of 20
Connecting Version 6 MQ Queue Managers using SSL @rem Create queues for test echo def ql(Q1) replace | runmqsc QM1 echo def qr(QM2.Q2) replace rname(Q2) rqmname(QM2) | runmqsc QM1 Similarly, these commands (from a command prompt on the machine where QM2 is running) create the objects that QM2 needs to communicate with QM1: echo def ql(QM1) replace usage(xmitq) trigger trigdata(QM2.QM1) initq(SYSTEM.CHANNEL.INITQ) | runmqsc QM2 echo def chl(QM2.QM1) chltype(sdr) replace xmitq(QM1) conname('192.168.1.65(11111)') | runmqsc QM2 echo def chl(QM1.QM2) chltype(rcvr) replace | runmqsc QM2 @rem Create queues for test echo def ql(Q2) replace | runmqsc QM2 echo def qr(QM1.Q1) replace rname(Q1) rqmname(QM1) | runmqsc QM2 1.3 Checking the channels Before proceeding, open a command prompt and check that the channels you intend to use with SSL (in our example configuration QM1.QM2 and QM2.QM1) run correctly. The example below assumes that the channels are already running, or the transmission queue is triggered: Page 3 of 20
Connecting Version 6 MQ Queue Managers using SSL Test Machine Run QM1 to QM2 Same as QM1 C:>amqsput QM2.Q2 QM1 Sample AMQSPUT0 start target queue is QM2.Q2 test msg 1 Sample AMQSPUT0 end C:> Same as QM2 C:>amqsget Q2 QM2 Sample AMQSGET0 start message <test msg 1> no more messages Sample AMQSGET0 end C:> QM2 to QM1 Same as QM2 C:>amqsput QM1.Q1 QM2 Sample AMQSPUT0 start target queue is QM1.Q1 test msg 2 Sample AMQSPUT0 end C:> Same as QM1 C:>amqsget Q1 QM1 Sample AMQSGET0 start message <test msg 2> no more messages Sample AMQSGET0 end C:> Page 4 of 20
Connecting Version 6 MQ Queue Managers using SSL With both queue managers and their channels up and running, we are ready to set up an SSL connection. 1.4 SSL: the very basics In the SSL protocol, the party that starts a conversation (in this case, the MQ sender channel) is the SSL client. The other party (MQ receiver channel) is the SSL server. The SSL client (sender channel) authenticates the server by requesting the server's certificate. This is sometimes called one-way authentication. Optionally, the server (receiver channel) may require client authentication (this is mutual, or two-way, authentication). In MQ, most customers using SSL channels will probably set them up to request mutual authentication. In this example we will set up one-way authentication first, and then mutual authentication. Incidentally, one-way authentication is what happens when you shop online: your browser, an SSL client, receives a certificate from the online shop, so you know it is safe to give them your credit card, but the shop does not request a certificate from you. When we start a sender channel (say, QM2.QM1), this is what happens (this is called SSL handshake): QM2 starts the connection and requests a certificate. QM1 sends its certificate. This is encrypted (“signed”) using the Certification Authority certificate—more about this below) . QM2 verifies QM1's digital signature in the certificate. QM2 now knows QM1 is who it claims to be. If mutual authentication is required, QM2 sends its certificate to QM1. The handshake continues with the selection of a secret key that both parties can use to sign and/or encrypt messages. From the list above, it follows that: 1. The party being authenticated must have a certificate. This is called a “Personal Certificate”. 2. The authenticating party must be able to decipher the certificate's signature: it must have the Certification Authority’s certificate used to sign the other party’s Personal certificate. 1.5 Process Overview We will follow this process to establish an SSL connection between QM1 and QM2: 1. Create a key repository for each queue manager. 2. Obtain a certificate for each queue manager. 3. Install the certificates in the key repositories. 4. Set up the channels for SSL authentication and test. Page 5 of 20
Connecting Version 6 MQ Queue Managers using SSL 1.6 Step-by-step instructions Create a key repository for each queue manager The instructions below show how to create a key repository for queue manager QM1; you need to repeat these steps for QM2. Open a Windows Command prompt and enter strmqikm. This starts the IBM Key Management (iKeyMan) GUI. Create a key repository for the queue manager: Select Key Database File  New and create a repository as follows: • Key Database Type: CMS • File name: key.kdb • Location: <MQdir>QmgrsQM1ssl. In this example: C:MQV6QmgrsQM1ssl You should see this: Click OK. Then enter a password (and remember it; you will need it!) and tick Stash the password to a file? Page 6 of 20
Connecting Version 6 MQ Queue Managers using SSL Click OK. You will see this dialog: Click OK. You have created a key repository for queue manager QM1. After creating the key repository, the GUI shows the installed Certification Authority certificates provided with iKeyMan. Use the pull-down (top right) to switch to viewing Personal Certificates: Page 7 of 20
Connecting Version 6 MQ Queue Managers using SSL Keep the iKeyMan GUI open; we will come back to it shortly. At the machine where queue manager QM2 runs, repeat the steps above for QM2. Obtain a certificate for each queue manager The instructions below show how to obtain a certificate for queue manager QM1; you need to repeat these steps for QM2. There are a number of ways to obtain a certificate for your queue manager: • You can create self-signed certificates. • You can have an in-house Certification Authority. • You can request a certificate from a Certification Authority. The instructions below are for obtaining a demo (valid for 30 days) personal certificate from globalsign.com. There are other sites for requesting certificates (for example Thawte, or VeriSign); GlobalSign is convenient because it does not require registration. Note that certificates for purposes other than a demo will cost money (dispensing certificates is what Certification Authorities do for a living). To obtain a certificate: Open Internet Explorer and go to http://www.globalsign.com. Page 8 of 20
Connecting Version 6 MQ Queue Managers using SSL Select “Buy Certificates”; this opens a list. From the list, select “Personal Certificates”. This should open: http://www.globalsign.com/digital_certificate/personalsign/index.cfm Select PersonalSign Demo (click on the “Get Yours Now!” button). This takes you to a screen showing an 8-step process for obtaining your certificate: Step Comments Step 1. CHECK ROOT This should already be installed. First, you need to install GlobalSign´s Root Certificate. Step 2. SUBMIT YOUR E- This asks your internet e-mail address and a MAIL ADDRESS password that you will need in step 4. After you press "go to step 3" GlobalSign will send you an e-mail. Submit your e-mail address and provide a password. Step 3. CHECK YOUR You will receive and e-mail from "ca@globalsign.net" MAILBOX within one minute. The e-mail contains a hyperlink -- click on it (make sure that clicking on the You will receive an e-mail hyperlink invokes the same browser you were from GlobalSign in your using before). mailbox. You have to check your mailbox and click on the hyperlink. Step 4. ENTER YOUR Enter the password you gave in step 2. PASSWORD Enter the password you provided in step 2. Step 5. PROVIDE PERSONAL Click on "Go to step 6" without making any changes. DATA In particular, leave “Protect private key” set to “No”. Enter some personal information. Step 6. ACCEPT Click on "Agree (Go to step 7)" AGREEMENT Read the subscriber agreement. Step 7. CHECK YOUR You will receive another e-mail within 5 minutes. It MAILBOX contains a hyperlink that downloads your certificate and opens a browser page with an "Install" button. You will receive an e-mail Make sure it is the same browser as before. from GlobalSign containing a hyperlink. Check your mailbox! Page 9 of 20
Connecting Version 6 MQ Queue Managers using SSL Step 8. INSTALL Click on "Install". CERTIFICATE Click “OK” to any browser warnings. You should receive a message confirming that your When receiving our mail, certificate is installed. Click OK. click on the hyperlink in order to install your certificate. How do you know the certificate is installed? The following is extracted from the final confirmation screen: Note for Microsoft Internet Explorer Users: After having installed your certificate, you can now verify that you OWN a Globalsign Certificate. Go to the "Tools" menu, select "Internet options", click on the "Content" tab and finally click on "Certificates". By doing so, you will have opened the certificate manager and you will see a GlobalSign Certificate "issued to" your e-mail address. Repeat these steps for queue manager QM2 (on the machine where QM2 runs). Install the certificates in the key repositories The instructions below show how to install the certificate you just obtained for queue manager QM1; you need to repeat these steps for QM2. The certificate you have just obtained is accessible from Internet Explorer. To install it for QM1, you need to: • Export the certificate from Internet Explorer. • Import the certificate into QM1’s key repository. Export the certificate from Internet Explorer Open Internet Explorer and select: Tools  Internet Options …  Content  Certificates … You will see the certificate you just obtained and installed: Page 10 of 20
Connecting Version 6 MQ Queue Managers using SSL Select (click on) the certificate; then select Export … This opens the Export Certificate Wizard: At the Welcome screen, click Next. At the Export Private Key dialog, select Yes. Page 11 of 20
Connecting Version 6 MQ Queue Managers using SSL At the Export File Format dialog, select Include all certificates … Click Next. At the Password dialog, enter a password to protect the exported certificate (you will need it when importing). At the File to Export dialog, Enter (or navigate to): <MQdir>QmgrsQM1sslQM1.pfx. (In this example: C:MQV6QmgrsQM1sslQM1.pfx.) Click Next. Page 12 of 20
Connecting Version 6 MQ Queue Managers using SSL At the completion dialog, verify the settings: The settings must be: File Name: C:MQV6QmgrsQM1sslQM1.pfx Export Keys: Yes Include all …: Yes File Format: Personal Information Exchange (*.pfx) Click Finish. You should see the message “The export was successful”. The next step is to import the certificate into QM1’s key repository. Import the certificate Switch to the iKeyMan GUI, which you left open at the end of step (Create a key repository for each queue manager). If iKeyMan is closed: • Enter strmqikm from a command prompt • Key Database File  Open  <MQdir>QmgrsQM1sslkey.kdb Page 13 of 20
Connecting Version 6 MQ Queue Managers using SSL • Enter the password • From pull-down, select Personal Certificates The Personal Certificates pane is empty. Click on the Import … button: This opens the Import Key dialog. Select PKCS12 from the Key file type pull- down: Click on the Browse … button • Navigate to <MQdir>QmgrsQM1ssl • Select All files from the pull-down (see picture, below) • Select QM1.pfx (the certificate exported from Internet Explorer) Page 14 of 20
Connecting Version 6 MQ Queue Managers using SSL Click Open. This returns to the Import Key dialog. Click OK. Enter the password you gave when exporting the certificate from Internet Explorer. The Change labels dialog asks “Would you like to change any of these labels…?” and shows four certificates2: three are for the Certification Authority (they all have “globalsign” somewhere in the label) and one is the personal certificate (the label is a hexadecimal string). Click on the personal certificate (this enables the new label field, at the bottom). 2 If you see only one certificate, it is because you did not select Include all certificates when exporting the certificate from Internet Explorer. The import may work, but if it doesn’t, repeat the export process, this time including all certificates. Page 15 of 20
Connecting Version 6 MQ Queue Managers using SSL Enter the label. This must be ibmwebspheremq followed by queue manager name, all in lowercase: ibmwebspheremqqm1. Click on Apply. Click OK. You will see the certificate listed under Personal Certificates, and the Certification Authority certificates listed under Signer Certificates: Page 16 of 20
Connecting Version 6 MQ Queue Managers using SSL Close the repository: Close the iKeyMan GUI. Repeat these steps for queue manager QM2 (on the machine where QM2 runs). Set up the channels for SSL authentication and test Open MQ Explorer and start the queue managers. Set up channels on QM1 Select Channels (under Advanced). Right-click on QM1.QM2  Properties  SSL Page 17 of 20
Connecting Version 6 MQ Queue Managers using SSL Set the SSL Cipherspec to NULL_MD5 (any other cipherspec will do, as long as it matches that of the receiver channel in QM2): Click Apply. Click OK. Right-click on QM2.QM1  Properties  SSL Set the SSL Cipherspec to NULL_MD5 (again, any cipherspec will do, as long as it matches that of the sender channel in QM2). Leave Authentication of partner (…) as Required: Click Apply. Click OK. Page 18 of 20
Connecting Version 6 MQ Queue Managers using SSL Set up channels on QM2 Select Channels (under Advanced). Right-click on QM2.QM1  Properties  SSL Set the SSL Cipherspec to NULL_MD5. Click Apply. Click OK. Right-click on QM1.QM2  Properties  SSL Set the SSL Cipherspec to NULL_MD5. Leave Authentication of partner (…) as Required. Click Apply. Click OK. Verify the key repository location From MQ Explorer: right-click on queue manager QM1  Properties  SSL. Check that the key repository matches the location and name of the key repository you created. In our example, this is <MQdir>qmgrsQM1sslkey (note that the key repository file extension, .kdb, is omitted): Page 19 of 20
Connecting Version 6 MQ Queue Managers using SSL Repeat the check for queue manager QM2. Start the channels Start the sender channel QM1.QM2. You should see the channel status change to Running. Switch to the QM2 machine, and start the sender channel QM2.QM1. This concludes the SSL setup for two Windows queue managers using an external Certification Authority. Page 20 of 20

Recomendados

Monitoring and problem determination of your mq distributed systems
Monitoring and problem determination of your mq distributed systemsMonitoring and problem determination of your mq distributed systems
Monitoring and problem determination of your mq distributed systems
matthew1001
 
Interconnect 2017: 6893 Keep out the bad guys by securing your MQ messaging e...
Interconnect 2017: 6893 Keep out the bad guys by securing your MQ messaging e...Interconnect 2017: 6893 Keep out the bad guys by securing your MQ messaging e...
Interconnect 2017: 6893 Keep out the bad guys by securing your MQ messaging e...
Robert Parker
 
HHM 6887 Managing Your Scalable Applications in an MQ Hybrid Cloud World
HHM 6887 Managing Your Scalable Applications in an MQ Hybrid Cloud WorldHHM 6887 Managing Your Scalable Applications in an MQ Hybrid Cloud World
HHM 6887 Managing Your Scalable Applications in an MQ Hybrid Cloud World
matthew1001
 
New Tools and Interfaces for Managing IBM MQ
New Tools and Interfaces for Managing IBM MQNew Tools and Interfaces for Managing IBM MQ
New Tools and Interfaces for Managing IBM MQ
Matt Leming
 
IBM MQ: Managing Workloads, Scaling and Availability with MQ Clusters
IBM MQ: Managing Workloads, Scaling and Availability with MQ ClustersIBM MQ: Managing Workloads, Scaling and Availability with MQ Clusters
IBM MQ: Managing Workloads, Scaling and Availability with MQ Clusters
David Ware
 
HHM-2833: Where is My Message?: Using IBM MQ Tools to Work Out What Applicati...
HHM-2833: Where is My Message?: Using IBM MQ Tools to Work Out What Applicati...HHM-2833: Where is My Message?: Using IBM MQ Tools to Work Out What Applicati...
HHM-2833: Where is My Message?: Using IBM MQ Tools to Work Out What Applicati...
Matt Leming
 
HHM-3481: IBM MQ for z/OS: Enhancing Application and Messaging Connectivity ...
HHM-3481: IBM MQ for z/OS: Enhancing Application and Messaging Connectivity ... HHM-3481: IBM MQ for z/OS: Enhancing Application and Messaging Connectivity ...
HHM-3481: IBM MQ for z/OS: Enhancing Application and Messaging Connectivity ...
Matt Leming
 
IBM MQ - Monitoring and Managing Hybrid Messaging Environments
IBM MQ - Monitoring and Managing Hybrid Messaging EnvironmentsIBM MQ - Monitoring and Managing Hybrid Messaging Environments
IBM MQ - Monitoring and Managing Hybrid Messaging Environments
MarkTaylorIBM
 

Recomendados

Monitoring and problem determination of your mq distributed systems
Monitoring and problem determination of your mq distributed systemsMonitoring and problem determination of your mq distributed systems
Monitoring and problem determination of your mq distributed systems
matthew1001
 
Interconnect 2017: 6893 Keep out the bad guys by securing your MQ messaging e...
Interconnect 2017: 6893 Keep out the bad guys by securing your MQ messaging e...Interconnect 2017: 6893 Keep out the bad guys by securing your MQ messaging e...
Interconnect 2017: 6893 Keep out the bad guys by securing your MQ messaging e...
Robert Parker
 
HHM 6887 Managing Your Scalable Applications in an MQ Hybrid Cloud World
HHM 6887 Managing Your Scalable Applications in an MQ Hybrid Cloud WorldHHM 6887 Managing Your Scalable Applications in an MQ Hybrid Cloud World
HHM 6887 Managing Your Scalable Applications in an MQ Hybrid Cloud World
matthew1001
 
New Tools and Interfaces for Managing IBM MQ
New Tools and Interfaces for Managing IBM MQNew Tools and Interfaces for Managing IBM MQ
New Tools and Interfaces for Managing IBM MQ
Matt Leming
 
IBM MQ: Managing Workloads, Scaling and Availability with MQ Clusters
IBM MQ: Managing Workloads, Scaling and Availability with MQ ClustersIBM MQ: Managing Workloads, Scaling and Availability with MQ Clusters
IBM MQ: Managing Workloads, Scaling and Availability with MQ Clusters
David Ware
 
HHM-2833: Where is My Message?: Using IBM MQ Tools to Work Out What Applicati...
HHM-2833: Where is My Message?: Using IBM MQ Tools to Work Out What Applicati...HHM-2833: Where is My Message?: Using IBM MQ Tools to Work Out What Applicati...
HHM-2833: Where is My Message?: Using IBM MQ Tools to Work Out What Applicati...
Matt Leming
 
HHM-3481: IBM MQ for z/OS: Enhancing Application and Messaging Connectivity ...
HHM-3481: IBM MQ for z/OS: Enhancing Application and Messaging Connectivity ... HHM-3481: IBM MQ for z/OS: Enhancing Application and Messaging Connectivity ...
HHM-3481: IBM MQ for z/OS: Enhancing Application and Messaging Connectivity ...
Matt Leming
 
IBM MQ - Monitoring and Managing Hybrid Messaging Environments
IBM MQ - Monitoring and Managing Hybrid Messaging EnvironmentsIBM MQ - Monitoring and Managing Hybrid Messaging Environments
IBM MQ - Monitoring and Managing Hybrid Messaging Environments
MarkTaylorIBM
 
IBM MQ CONNAUTH/CHLAUTH Doesn't Work Like You Think it Does (and if you aren'...
IBM MQ CONNAUTH/CHLAUTH Doesn't Work Like You Think it Does (and if you aren'...IBM MQ CONNAUTH/CHLAUTH Doesn't Work Like You Think it Does (and if you aren'...
IBM MQ CONNAUTH/CHLAUTH Doesn't Work Like You Think it Does (and if you aren'...
T.Rob Wyatt
 
IBM MQ for z/OS The Latest and Greatest Enhancements
IBM MQ for z/OS The Latest and Greatest EnhancementsIBM MQ for z/OS The Latest and Greatest Enhancements
IBM MQ for z/OS The Latest and Greatest Enhancements
Pete Siddall
 
3429 How to transform your messaging environment to a secure messaging envi...
3429 How to transform your messaging environment to a secure messaging envi...3429 How to transform your messaging environment to a secure messaging envi...
3429 How to transform your messaging environment to a secure messaging envi...
Robert Parker
 
IBM MQ - better application performance
IBM MQ - better application performanceIBM MQ - better application performance
IBM MQ - better application performance
MarkTaylorIBM
 
Secure Messages with IBM WebSphere MQ Advanced Message Security
Secure Messages with IBM WebSphere MQ Advanced Message SecuritySecure Messages with IBM WebSphere MQ Advanced Message Security
Secure Messages with IBM WebSphere MQ Advanced Message Security
Morag Hughson
 
IBM MQ High Availabillity and Disaster Recovery (2017 version)
IBM MQ High Availabillity and Disaster Recovery (2017 version)IBM MQ High Availabillity and Disaster Recovery (2017 version)
IBM MQ High Availabillity and Disaster Recovery (2017 version)
MarkTaylorIBM
 
IBM MQ - High Availability and Disaster Recovery
IBM MQ - High Availability and Disaster RecoveryIBM MQ - High Availability and Disaster Recovery
IBM MQ - High Availability and Disaster Recovery
MarkTaylorIBM
 
HHM-3540: The IBM MQ Light API: From Developer Laptop to Enterprise Data Cen...
HHM-3540: The IBM MQ Light API: From Developer Laptop to Enterprise Data Cen... HHM-3540: The IBM MQ Light API: From Developer Laptop to Enterprise Data Cen...
HHM-3540: The IBM MQ Light API: From Developer Laptop to Enterprise Data Cen...
Matt Leming
 
IBM MQ: Using Publish/Subscribe in an MQ Network
IBM MQ: Using Publish/Subscribe in an MQ NetworkIBM MQ: Using Publish/Subscribe in an MQ Network
IBM MQ: Using Publish/Subscribe in an MQ Network
David Ware
 
Hhm 3479 mq clustering and shared queues for high availability
Hhm 3479 mq clustering and shared queues for high availabilityHhm 3479 mq clustering and shared queues for high availability
Hhm 3479 mq clustering and shared queues for high availability
Pete Siddall
 
IBM MQ V8 Security
IBM MQ V8 SecurityIBM MQ V8 Security
IBM MQ V8 Security
Morag Hughson
 
Building an Active-Active IBM MQ System
Building an Active-Active IBM MQ SystemBuilding an Active-Active IBM MQ System
Building an Active-Active IBM MQ System
matthew1001
 
IBM MQ Clustering (2017 version)
IBM MQ Clustering (2017 version)IBM MQ Clustering (2017 version)
IBM MQ Clustering (2017 version)
MarkTaylorIBM
 
MQ Security Overview
MQ Security OverviewMQ Security Overview
MQ Security Overview
MarkTaylorIBM
 
3452 - Managing your applications
3452 - Managing your applications3452 - Managing your applications
3452 - Managing your applications
Timothy McCormick
 
Websphere MQ (MQSeries) fundamentals
Websphere MQ (MQSeries) fundamentalsWebsphere MQ (MQSeries) fundamentals
Websphere MQ (MQSeries) fundamentals
Biju Nair
 
InterConnect 2016: What's new in IBM MQ
InterConnect 2016: What's new in IBM MQInterConnect 2016: What's new in IBM MQ
InterConnect 2016: What's new in IBM MQ
David Ware
 
What's new in IBM MQ Messaging
What's new in IBM MQ MessagingWhat's new in IBM MQ Messaging
What's new in IBM MQ Messaging
MarkTaylorIBM
 
MQ V8004 Summary
MQ V8004 SummaryMQ V8004 Summary
MQ V8004 Summary
MarkTaylorIBM
 
Running IBM MQ in Containers
Running IBM MQ in ContainersRunning IBM MQ in Containers
Running IBM MQ in Containers
Robert Parker
 
MQTC 2016: Monitoring and Tracking MQ and Applications
MQTC 2016: Monitoring and Tracking MQ and ApplicationsMQTC 2016: Monitoring and Tracking MQ and Applications
MQTC 2016: Monitoring and Tracking MQ and Applications
Robert Parker
 
MQTC 2016: IBM MQ Security deep dive including AMS
MQTC 2016: IBM MQ Security deep dive including AMSMQTC 2016: IBM MQ Security deep dive including AMS
MQTC 2016: IBM MQ Security deep dive including AMS
Robert Parker
 

Mais conteúdo relacionado

Mais procurados

Secure Messages with IBM WebSphere MQ Advanced Message Security
Secure Messages with IBM WebSphere MQ Advanced Message SecuritySecure Messages with IBM WebSphere MQ Advanced Message Security
Secure Messages with IBM WebSphere MQ Advanced Message Security
Morag Hughson
 
HHM-3540: The IBM MQ Light API: From Developer Laptop to Enterprise Data Cen...
HHM-3540: The IBM MQ Light API: From Developer Laptop to Enterprise Data Cen... HHM-3540: The IBM MQ Light API: From Developer Laptop to Enterprise Data Cen...
HHM-3540: The IBM MQ Light API: From Developer Laptop to Enterprise Data Cen...
Matt Leming
 
InterConnect 2016: What's new in IBM MQ
InterConnect 2016: What's new in IBM MQInterConnect 2016: What's new in IBM MQ
InterConnect 2016: What's new in IBM MQ
David Ware
 

Mais procurados (20)

IBM MQ CONNAUTH/CHLAUTH Doesn't Work Like You Think it Does (and if you aren'...
IBM MQ CONNAUTH/CHLAUTH Doesn't Work Like You Think it Does (and if you aren'...IBM MQ CONNAUTH/CHLAUTH Doesn't Work Like You Think it Does (and if you aren'...
IBM MQ CONNAUTH/CHLAUTH Doesn't Work Like You Think it Does (and if you aren'...
 
IBM MQ for z/OS The Latest and Greatest Enhancements
IBM MQ for z/OS The Latest and Greatest EnhancementsIBM MQ for z/OS The Latest and Greatest Enhancements
IBM MQ for z/OS The Latest and Greatest Enhancements
 
3429 How to transform your messaging environment to a secure messaging envi...
3429 How to transform your messaging environment to a secure messaging envi...3429 How to transform your messaging environment to a secure messaging envi...
3429 How to transform your messaging environment to a secure messaging envi...
 
IBM MQ - better application performance
IBM MQ - better application performanceIBM MQ - better application performance
IBM MQ - better application performance
 
Secure Messages with IBM WebSphere MQ Advanced Message Security
Secure Messages with IBM WebSphere MQ Advanced Message SecuritySecure Messages with IBM WebSphere MQ Advanced Message Security
Secure Messages with IBM WebSphere MQ Advanced Message Security
 
IBM MQ High Availabillity and Disaster Recovery (2017 version)
IBM MQ High Availabillity and Disaster Recovery (2017 version)IBM MQ High Availabillity and Disaster Recovery (2017 version)
IBM MQ High Availabillity and Disaster Recovery (2017 version)
 
IBM MQ - High Availability and Disaster Recovery
IBM MQ - High Availability and Disaster RecoveryIBM MQ - High Availability and Disaster Recovery
IBM MQ - High Availability and Disaster Recovery
 
HHM-3540: The IBM MQ Light API: From Developer Laptop to Enterprise Data Cen...
HHM-3540: The IBM MQ Light API: From Developer Laptop to Enterprise Data Cen... HHM-3540: The IBM MQ Light API: From Developer Laptop to Enterprise Data Cen...
HHM-3540: The IBM MQ Light API: From Developer Laptop to Enterprise Data Cen...
 
IBM MQ: Using Publish/Subscribe in an MQ Network
IBM MQ: Using Publish/Subscribe in an MQ NetworkIBM MQ: Using Publish/Subscribe in an MQ Network
IBM MQ: Using Publish/Subscribe in an MQ Network
 
Hhm 3479 mq clustering and shared queues for high availability
Hhm 3479 mq clustering and shared queues for high availabilityHhm 3479 mq clustering and shared queues for high availability
Hhm 3479 mq clustering and shared queues for high availability
 
IBM MQ V8 Security
IBM MQ V8 SecurityIBM MQ V8 Security
IBM MQ V8 Security
 
Building an Active-Active IBM MQ System
Building an Active-Active IBM MQ SystemBuilding an Active-Active IBM MQ System
Building an Active-Active IBM MQ System
 
IBM MQ Clustering (2017 version)
IBM MQ Clustering (2017 version)IBM MQ Clustering (2017 version)
IBM MQ Clustering (2017 version)
 
MQ Security Overview
MQ Security OverviewMQ Security Overview
MQ Security Overview
 
3452 - Managing your applications
3452 - Managing your applications3452 - Managing your applications
3452 - Managing your applications
 
Websphere MQ (MQSeries) fundamentals
Websphere MQ (MQSeries) fundamentalsWebsphere MQ (MQSeries) fundamentals
Websphere MQ (MQSeries) fundamentals
 
InterConnect 2016: What's new in IBM MQ
InterConnect 2016: What's new in IBM MQInterConnect 2016: What's new in IBM MQ
InterConnect 2016: What's new in IBM MQ
 
What's new in IBM MQ Messaging
What's new in IBM MQ MessagingWhat's new in IBM MQ Messaging
What's new in IBM MQ Messaging
 
MQ V8004 Summary
MQ V8004 SummaryMQ V8004 Summary
MQ V8004 Summary
 
Running IBM MQ in Containers
Running IBM MQ in ContainersRunning IBM MQ in Containers
Running IBM MQ in Containers
 

Destaque

Interconnect 2017: 6885 Deploying IBM MQ in the cloud
Interconnect 2017: 6885 Deploying IBM MQ in the cloudInterconnect 2017: 6885 Deploying IBM MQ in the cloud
Interconnect 2017: 6885 Deploying IBM MQ in the cloud
Robert Parker
 

Destaque (20)

MQTC 2016: Monitoring and Tracking MQ and Applications
MQTC 2016: Monitoring and Tracking MQ and ApplicationsMQTC 2016: Monitoring and Tracking MQ and Applications
MQTC 2016: Monitoring and Tracking MQ and Applications
 
MQTC 2016: IBM MQ Security deep dive including AMS
MQTC 2016: IBM MQ Security deep dive including AMSMQTC 2016: IBM MQ Security deep dive including AMS
MQTC 2016: IBM MQ Security deep dive including AMS
 
Interconnect 2017: 6885 Deploying IBM MQ in the cloud
Interconnect 2017: 6885 Deploying IBM MQ in the cloudInterconnect 2017: 6885 Deploying IBM MQ in the cloud
Interconnect 2017: 6885 Deploying IBM MQ in the cloud
 
IBM MQ: An Introduction to Using and Developing with MQ Publish/Subscribe
IBM MQ: An Introduction to Using and Developing with MQ Publish/SubscribeIBM MQ: An Introduction to Using and Developing with MQ Publish/Subscribe
IBM MQ: An Introduction to Using and Developing with MQ Publish/Subscribe
 
Where is My Message
Where is My MessageWhere is My Message
Where is My Message
 
Effective administration of IBM Integration Bus - Sanjay Nagchowdhury
Effective administration of IBM Integration Bus - Sanjay NagchowdhuryEffective administration of IBM Integration Bus - Sanjay Nagchowdhury
Effective administration of IBM Integration Bus - Sanjay Nagchowdhury
 
CTU 2017 - I168 IBM MQ in the cloud
CTU 2017 - I168 IBM MQ in the cloudCTU 2017 - I168 IBM MQ in the cloud
CTU 2017 - I168 IBM MQ in the cloud
 
Whats New in IBM Integration Bus Interconnect 2017
Whats New in IBM Integration Bus Interconnect 2017Whats New in IBM Integration Bus Interconnect 2017
Whats New in IBM Integration Bus Interconnect 2017
 
Ssl2
Ssl2Ssl2
Ssl2
 
Whats new in IBM MQ; V9 LTS, V9.0.1 CD and V9.0.2 CD
Whats new in IBM MQ; V9 LTS, V9.0.1 CD and V9.0.2 CDWhats new in IBM MQ; V9 LTS, V9.0.1 CD and V9.0.2 CD
Whats new in IBM MQ; V9 LTS, V9.0.1 CD and V9.0.2 CD
 
IBM Design Thinking + Agile + DevOps Interconnect 2017
IBM Design Thinking + Agile + DevOps Interconnect 2017IBM Design Thinking + Agile + DevOps Interconnect 2017
IBM Design Thinking + Agile + DevOps Interconnect 2017
 
CTU 2017 I173 - how to transform your messaging environment to a secure messa...
CTU 2017 I173 - how to transform your messaging environment to a secure messa...CTU 2017 I173 - how to transform your messaging environment to a secure messa...
CTU 2017 I173 - how to transform your messaging environment to a secure messa...
 
The bits bytes and business benefits of securing your mq environment and mess...
The bits bytes and business benefits of securing your mq environment and mess...The bits bytes and business benefits of securing your mq environment and mess...
The bits bytes and business benefits of securing your mq environment and mess...
 
IBM MQ - Comparing Distributed and z/OS platforms
IBM MQ - Comparing Distributed and z/OS platformsIBM MQ - Comparing Distributed and z/OS platforms
IBM MQ - Comparing Distributed and z/OS platforms
 
IBM Managed File Transfer Portfolio - IBMImpact 2014
IBM Managed File Transfer Portfolio - IBMImpact 2014IBM Managed File Transfer Portfolio - IBMImpact 2014
IBM Managed File Transfer Portfolio - IBMImpact 2014
 
Understanding mq deployment choices and use cases
Understanding mq deployment choices and use casesUnderstanding mq deployment choices and use cases
Understanding mq deployment choices and use cases
 
Using ibm mq in managed file transfer environments final
Using ibm mq in managed file transfer environments finalUsing ibm mq in managed file transfer environments final
Using ibm mq in managed file transfer environments final
 
IBM MQ Advanced - IBM InterConnect 2016
IBM MQ Advanced - IBM InterConnect 2016IBM MQ Advanced - IBM InterConnect 2016
IBM MQ Advanced - IBM InterConnect 2016
 
Expanding your options with the IBM MQ Appliance - IBM InterConnect 2016
Expanding your options with the IBM MQ Appliance - IBM InterConnect 2016Expanding your options with the IBM MQ Appliance - IBM InterConnect 2016
Expanding your options with the IBM MQ Appliance - IBM InterConnect 2016
 
IBM Messaging Security - Why securing your environment is important : IBM Int...
IBM Messaging Security - Why securing your environment is important : IBM Int...IBM Messaging Security - Why securing your environment is important : IBM Int...
IBM Messaging Security - Why securing your environment is important : IBM Int...
 

Semelhante a Mq ssl channels_on_windows

quickguide-einnovator-3-rabbitmq
quickguide-einnovator-3-rabbitmqquickguide-einnovator-3-rabbitmq
quickguide-einnovator-3-rabbitmq
jorgesimao71
 
Ibm websphere mq
Ibm websphere mqIbm websphere mq
Ibm websphere mq
Rakeshtoodi
 
MQTC V2.0.1.3 - WMQ & TCP Buffers – Size DOES Matter! (pps)
MQTC V2.0.1.3 - WMQ & TCP Buffers – Size DOES Matter! (pps)MQTC V2.0.1.3 - WMQ & TCP Buffers – Size DOES Matter! (pps)
MQTC V2.0.1.3 - WMQ & TCP Buffers – Size DOES Matter! (pps)
Art Schanz
 

Semelhante a Mq ssl channels_on_windows (20)

Implementing ssl self sign demo
Implementing ssl self sign demoImplementing ssl self sign demo
Implementing ssl self sign demo
 
Ibm mq c luster overlap demo script
Ibm mq c luster overlap demo scriptIbm mq c luster overlap demo script
Ibm mq c luster overlap demo script
 
WMQ Toolbox: 20 Scripts, One-liners, & Utilities for UNIX & Windows
WMQ Toolbox: 20 Scripts, One-liners, & Utilities for UNIX & Windows WMQ Toolbox: 20 Scripts, One-liners, & Utilities for UNIX & Windows
WMQ Toolbox: 20 Scripts, One-liners, & Utilities for UNIX & Windows
 
Ibm mq dqm setups
Ibm mq dqm setupsIbm mq dqm setups
Ibm mq dqm setups
 
quickguide-einnovator-3-rabbitmq
quickguide-einnovator-3-rabbitmqquickguide-einnovator-3-rabbitmq
quickguide-einnovator-3-rabbitmq
 
IBM IMPACT 2014 - AMC-1883 - Where's My Message - Analyze IBM WebSphere MQ Re...
IBM IMPACT 2014 - AMC-1883 - Where's My Message - Analyze IBM WebSphere MQ Re...IBM IMPACT 2014 - AMC-1883 - Where's My Message - Analyze IBM WebSphere MQ Re...
IBM IMPACT 2014 - AMC-1883 - Where's My Message - Analyze IBM WebSphere MQ Re...
 
Creating qmgr and allowing remote authorization
Creating qmgr and allowing remote authorizationCreating qmgr and allowing remote authorization
Creating qmgr and allowing remote authorization
 
IBM_Q-Rep-Tutorial
IBM_Q-Rep-TutorialIBM_Q-Rep-Tutorial
IBM_Q-Rep-Tutorial
 
WebSphere MQ introduction
WebSphere MQ introductionWebSphere MQ introduction
WebSphere MQ introduction
 
Ruby и TestComplete
Ruby и TestCompleteRuby и TestComplete
Ruby и TestComplete
 
Azure Quantum with IBM Qiskit and IonQ QPU
Azure Quantum with IBM Qiskit and IonQ QPUAzure Quantum with IBM Qiskit and IonQ QPU
Azure Quantum with IBM Qiskit and IonQ QPU
 
Where is my MQ message on z/OS?
Where is my MQ message on z/OS?Where is my MQ message on z/OS?
Where is my MQ message on z/OS?
 
Ibm websphere mq
Ibm websphere mqIbm websphere mq
Ibm websphere mq
 
New Features in QP5
New Features in QP5New Features in QP5
New Features in QP5
 
Half a year with contrail at production
Half a year with contrail at productionHalf a year with contrail at production
Half a year with contrail at production
 
weblogic perfomence tuning
weblogic perfomence tuningweblogic perfomence tuning
weblogic perfomence tuning
 
Hybrid Messaging with MQ Light, MQ's Beta Support for AMQP, and IBM Bluemix
Hybrid Messaging with MQ Light, MQ's Beta Support for AMQP, and IBM BluemixHybrid Messaging with MQ Light, MQ's Beta Support for AMQP, and IBM Bluemix
Hybrid Messaging with MQ Light, MQ's Beta Support for AMQP, and IBM Bluemix
 
MQTC V2.0.1.3 - WMQ & TCP Buffers – Size DOES Matter! (pps)
MQTC V2.0.1.3 - WMQ & TCP Buffers – Size DOES Matter! (pps)MQTC V2.0.1.3 - WMQ & TCP Buffers – Size DOES Matter! (pps)
MQTC V2.0.1.3 - WMQ & TCP Buffers – Size DOES Matter! (pps)
 
CCDT(client connection)MQ.docx
CCDT(client connection)MQ.docxCCDT(client connection)MQ.docx
CCDT(client connection)MQ.docx
 
Ruby и TestComplete
Ruby и TestCompleteRuby и TestComplete
Ruby и TestComplete
 

Último

Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
sammart93
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
giselly40
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
Enterprise Knowledge
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
Safe Software
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Miguel Araújo
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
Delhi Call girls
 

Último (20)

ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
Tech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdfTech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdf
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdf
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 

Mq ssl channels_on_windows

  • 1. Connecting Version 6 MQ Queue Managers using SSL 1 Connecting two Windows Queue Managers using SSL © IBM Corporation, 2005. All rights reserved. 1.1 Abstract This article presents a step-by-step guide to configuring two WebSphere MQ Version 61 queue managers on Windows for communication using SSL channels. I assume that you are familiar with SSL in general and know how to set up non-SSL sender/receiver channels between two queue managers. For more information about SSL with MQ, refer to the WebSphere MQ V6 Security manual, SC34-6588. You can download the PDF from: http://www.ibm.com/software/integration/wmq/library/ 1.2 Basic Configuration We need two queue managers with a working connection (sender/receiver channel pairs in both directions). I will use the following names and attributes; you can create queue managers with the same names, or adjust the instructions below to match your configuration: Queue Manager name QM1 QM2 IP address 192.168.1.65 192.168.1.64 Listener port 11111 22222 Transmit queue QM2 QM1 Sender channel QM1.QM2 QM2.QM1 Receiver channel QM2.QM1 QM1.QM2 Local queue (for testing) Q1 Q2 Remote queue definition QM2.Q2 QM1.Q1 (for testing) MQ Installation directory C:MQV6 C:MQV6 (throughout this document, <MQdir>) 1 Referred to as “MQ” from now on. Page 1 of 20
  • 2. Connecting Version 6 MQ Queue Managers using SSL If you choose to create two queue managers as above, the only thing you’ll need to change is the IP address. You can create the two queue managers on the same, or on separate, Windows systems. Skip to Checking the channel, below, if you already have two interconnected queue managers. Creating the Queue Managers You can use the Version 6 MQ Explorer to create the queue managers, or use a command script. The following example creates a queue manager called QM1 with a listener on port 11111: @echo Create queue manager crtmqm -u QM1.DLQ QM1 @echo Start queue manager and associated services amqmdain qmgr start QM1 @echo Create and start listener @echo def listener('LISTENER.TCP') trptype(tcp) port(11111) control(qmgr) | runmqsc QM1 @echo START LISTENER('LISTENER.TCP') | runmqsc QM1 @echo Create dead letter queue @echo def ql(QM1.DLQ) replace | runmqsc QM1 The example above shows how to create QM1; you can adapt it to create QM2. Setting up the channels The following commands, when run from a command prompt on the machine where QM1 is running, create the necessary MQ objects for QM1 to communicate with QM2: echo def ql(QM2) replace usage(xmitq) trigger trigdata(QM1.QM2) initq(SYSTEM.CHANNEL.INITQ) | runmqsc QM1 echo def chl(QM1.QM2) chltype(sdr) replace xmitq(QM2) conname('192.168.1.64(22222)') | runmqsc QM1 echo def chl(QM2.QM1) chltype(rcvr) replace | runmqsc QM1 Page 2 of 20
  • 3. Connecting Version 6 MQ Queue Managers using SSL @rem Create queues for test echo def ql(Q1) replace | runmqsc QM1 echo def qr(QM2.Q2) replace rname(Q2) rqmname(QM2) | runmqsc QM1 Similarly, these commands (from a command prompt on the machine where QM2 is running) create the objects that QM2 needs to communicate with QM1: echo def ql(QM1) replace usage(xmitq) trigger trigdata(QM2.QM1) initq(SYSTEM.CHANNEL.INITQ) | runmqsc QM2 echo def chl(QM2.QM1) chltype(sdr) replace xmitq(QM1) conname('192.168.1.65(11111)') | runmqsc QM2 echo def chl(QM1.QM2) chltype(rcvr) replace | runmqsc QM2 @rem Create queues for test echo def ql(Q2) replace | runmqsc QM2 echo def qr(QM1.Q1) replace rname(Q1) rqmname(QM1) | runmqsc QM2 1.3 Checking the channels Before proceeding, open a command prompt and check that the channels you intend to use with SSL (in our example configuration QM1.QM2 and QM2.QM1) run correctly. The example below assumes that the channels are already running, or the transmission queue is triggered: Page 3 of 20
  • 4. Connecting Version 6 MQ Queue Managers using SSL Test Machine Run QM1 to QM2 Same as QM1 C:>amqsput QM2.Q2 QM1 Sample AMQSPUT0 start target queue is QM2.Q2 test msg 1 Sample AMQSPUT0 end C:> Same as QM2 C:>amqsget Q2 QM2 Sample AMQSGET0 start message <test msg 1> no more messages Sample AMQSGET0 end C:> QM2 to QM1 Same as QM2 C:>amqsput QM1.Q1 QM2 Sample AMQSPUT0 start target queue is QM1.Q1 test msg 2 Sample AMQSPUT0 end C:> Same as QM1 C:>amqsget Q1 QM1 Sample AMQSGET0 start message <test msg 2> no more messages Sample AMQSGET0 end C:> Page 4 of 20
  • 5. Connecting Version 6 MQ Queue Managers using SSL With both queue managers and their channels up and running, we are ready to set up an SSL connection. 1.4 SSL: the very basics In the SSL protocol, the party that starts a conversation (in this case, the MQ sender channel) is the SSL client. The other party (MQ receiver channel) is the SSL server. The SSL client (sender channel) authenticates the server by requesting the server's certificate. This is sometimes called one-way authentication. Optionally, the server (receiver channel) may require client authentication (this is mutual, or two-way, authentication). In MQ, most customers using SSL channels will probably set them up to request mutual authentication. In this example we will set up one-way authentication first, and then mutual authentication. Incidentally, one-way authentication is what happens when you shop online: your browser, an SSL client, receives a certificate from the online shop, so you know it is safe to give them your credit card, but the shop does not request a certificate from you. When we start a sender channel (say, QM2.QM1), this is what happens (this is called SSL handshake): QM2 starts the connection and requests a certificate. QM1 sends its certificate. This is encrypted (“signed”) using the Certification Authority certificate—more about this below) . QM2 verifies QM1's digital signature in the certificate. QM2 now knows QM1 is who it claims to be. If mutual authentication is required, QM2 sends its certificate to QM1. The handshake continues with the selection of a secret key that both parties can use to sign and/or encrypt messages. From the list above, it follows that: 1. The party being authenticated must have a certificate. This is called a “Personal Certificate”. 2. The authenticating party must be able to decipher the certificate's signature: it must have the Certification Authority’s certificate used to sign the other party’s Personal certificate. 1.5 Process Overview We will follow this process to establish an SSL connection between QM1 and QM2: 1. Create a key repository for each queue manager. 2. Obtain a certificate for each queue manager. 3. Install the certificates in the key repositories. 4. Set up the channels for SSL authentication and test. Page 5 of 20
  • 6. Connecting Version 6 MQ Queue Managers using SSL 1.6 Step-by-step instructions Create a key repository for each queue manager The instructions below show how to create a key repository for queue manager QM1; you need to repeat these steps for QM2. Open a Windows Command prompt and enter strmqikm. This starts the IBM Key Management (iKeyMan) GUI. Create a key repository for the queue manager: Select Key Database File  New and create a repository as follows: • Key Database Type: CMS • File name: key.kdb • Location: <MQdir>QmgrsQM1ssl. In this example: C:MQV6QmgrsQM1ssl You should see this: Click OK. Then enter a password (and remember it; you will need it!) and tick Stash the password to a file? Page 6 of 20
  • 7. Connecting Version 6 MQ Queue Managers using SSL Click OK. You will see this dialog: Click OK. You have created a key repository for queue manager QM1. After creating the key repository, the GUI shows the installed Certification Authority certificates provided with iKeyMan. Use the pull-down (top right) to switch to viewing Personal Certificates: Page 7 of 20
  • 8. Connecting Version 6 MQ Queue Managers using SSL Keep the iKeyMan GUI open; we will come back to it shortly. At the machine where queue manager QM2 runs, repeat the steps above for QM2. Obtain a certificate for each queue manager The instructions below show how to obtain a certificate for queue manager QM1; you need to repeat these steps for QM2. There are a number of ways to obtain a certificate for your queue manager: • You can create self-signed certificates. • You can have an in-house Certification Authority. • You can request a certificate from a Certification Authority. The instructions below are for obtaining a demo (valid for 30 days) personal certificate from globalsign.com. There are other sites for requesting certificates (for example Thawte, or VeriSign); GlobalSign is convenient because it does not require registration. Note that certificates for purposes other than a demo will cost money (dispensing certificates is what Certification Authorities do for a living). To obtain a certificate: Open Internet Explorer and go to http://www.globalsign.com. Page 8 of 20
  • 9. Connecting Version 6 MQ Queue Managers using SSL Select “Buy Certificates”; this opens a list. From the list, select “Personal Certificates”. This should open: http://www.globalsign.com/digital_certificate/personalsign/index.cfm Select PersonalSign Demo (click on the “Get Yours Now!” button). This takes you to a screen showing an 8-step process for obtaining your certificate: Step Comments Step 1. CHECK ROOT This should already be installed. First, you need to install GlobalSign´s Root Certificate. Step 2. SUBMIT YOUR E- This asks your internet e-mail address and a MAIL ADDRESS password that you will need in step 4. After you press "go to step 3" GlobalSign will send you an e-mail. Submit your e-mail address and provide a password. Step 3. CHECK YOUR You will receive and e-mail from "ca@globalsign.net" MAILBOX within one minute. The e-mail contains a hyperlink -- click on it (make sure that clicking on the You will receive an e-mail hyperlink invokes the same browser you were from GlobalSign in your using before). mailbox. You have to check your mailbox and click on the hyperlink. Step 4. ENTER YOUR Enter the password you gave in step 2. PASSWORD Enter the password you provided in step 2. Step 5. PROVIDE PERSONAL Click on "Go to step 6" without making any changes. DATA In particular, leave “Protect private key” set to “No”. Enter some personal information. Step 6. ACCEPT Click on "Agree (Go to step 7)" AGREEMENT Read the subscriber agreement. Step 7. CHECK YOUR You will receive another e-mail within 5 minutes. It MAILBOX contains a hyperlink that downloads your certificate and opens a browser page with an "Install" button. You will receive an e-mail Make sure it is the same browser as before. from GlobalSign containing a hyperlink. Check your mailbox! Page 9 of 20
  • 10. Connecting Version 6 MQ Queue Managers using SSL Step 8. INSTALL Click on "Install". CERTIFICATE Click “OK” to any browser warnings. You should receive a message confirming that your When receiving our mail, certificate is installed. Click OK. click on the hyperlink in order to install your certificate. How do you know the certificate is installed? The following is extracted from the final confirmation screen: Note for Microsoft Internet Explorer Users: After having installed your certificate, you can now verify that you OWN a Globalsign Certificate. Go to the "Tools" menu, select "Internet options", click on the "Content" tab and finally click on "Certificates". By doing so, you will have opened the certificate manager and you will see a GlobalSign Certificate "issued to" your e-mail address. Repeat these steps for queue manager QM2 (on the machine where QM2 runs). Install the certificates in the key repositories The instructions below show how to install the certificate you just obtained for queue manager QM1; you need to repeat these steps for QM2. The certificate you have just obtained is accessible from Internet Explorer. To install it for QM1, you need to: • Export the certificate from Internet Explorer. • Import the certificate into QM1’s key repository. Export the certificate from Internet Explorer Open Internet Explorer and select: Tools  Internet Options …  Content  Certificates … You will see the certificate you just obtained and installed: Page 10 of 20
  • 11. Connecting Version 6 MQ Queue Managers using SSL Select (click on) the certificate; then select Export … This opens the Export Certificate Wizard: At the Welcome screen, click Next. At the Export Private Key dialog, select Yes. Page 11 of 20
  • 12. Connecting Version 6 MQ Queue Managers using SSL At the Export File Format dialog, select Include all certificates … Click Next. At the Password dialog, enter a password to protect the exported certificate (you will need it when importing). At the File to Export dialog, Enter (or navigate to): <MQdir>QmgrsQM1sslQM1.pfx. (In this example: C:MQV6QmgrsQM1sslQM1.pfx.) Click Next. Page 12 of 20
  • 13. Connecting Version 6 MQ Queue Managers using SSL At the completion dialog, verify the settings: The settings must be: File Name: C:MQV6QmgrsQM1sslQM1.pfx Export Keys: Yes Include all …: Yes File Format: Personal Information Exchange (*.pfx) Click Finish. You should see the message “The export was successful”. The next step is to import the certificate into QM1’s key repository. Import the certificate Switch to the iKeyMan GUI, which you left open at the end of step (Create a key repository for each queue manager). If iKeyMan is closed: • Enter strmqikm from a command prompt • Key Database File  Open  <MQdir>QmgrsQM1sslkey.kdb Page 13 of 20
  • 14. Connecting Version 6 MQ Queue Managers using SSL • Enter the password • From pull-down, select Personal Certificates The Personal Certificates pane is empty. Click on the Import … button: This opens the Import Key dialog. Select PKCS12 from the Key file type pull- down: Click on the Browse … button • Navigate to <MQdir>QmgrsQM1ssl • Select All files from the pull-down (see picture, below) • Select QM1.pfx (the certificate exported from Internet Explorer) Page 14 of 20
  • 15. Connecting Version 6 MQ Queue Managers using SSL Click Open. This returns to the Import Key dialog. Click OK. Enter the password you gave when exporting the certificate from Internet Explorer. The Change labels dialog asks “Would you like to change any of these labels…?” and shows four certificates2: three are for the Certification Authority (they all have “globalsign” somewhere in the label) and one is the personal certificate (the label is a hexadecimal string). Click on the personal certificate (this enables the new label field, at the bottom). 2 If you see only one certificate, it is because you did not select Include all certificates when exporting the certificate from Internet Explorer. The import may work, but if it doesn’t, repeat the export process, this time including all certificates. Page 15 of 20
  • 16. Connecting Version 6 MQ Queue Managers using SSL Enter the label. This must be ibmwebspheremq followed by queue manager name, all in lowercase: ibmwebspheremqqm1. Click on Apply. Click OK. You will see the certificate listed under Personal Certificates, and the Certification Authority certificates listed under Signer Certificates: Page 16 of 20
  • 17. Connecting Version 6 MQ Queue Managers using SSL Close the repository: Close the iKeyMan GUI. Repeat these steps for queue manager QM2 (on the machine where QM2 runs). Set up the channels for SSL authentication and test Open MQ Explorer and start the queue managers. Set up channels on QM1 Select Channels (under Advanced). Right-click on QM1.QM2  Properties  SSL Page 17 of 20
  • 18. Connecting Version 6 MQ Queue Managers using SSL Set the SSL Cipherspec to NULL_MD5 (any other cipherspec will do, as long as it matches that of the receiver channel in QM2): Click Apply. Click OK. Right-click on QM2.QM1  Properties  SSL Set the SSL Cipherspec to NULL_MD5 (again, any cipherspec will do, as long as it matches that of the sender channel in QM2). Leave Authentication of partner (…) as Required: Click Apply. Click OK. Page 18 of 20
  • 19. Connecting Version 6 MQ Queue Managers using SSL Set up channels on QM2 Select Channels (under Advanced). Right-click on QM2.QM1  Properties  SSL Set the SSL Cipherspec to NULL_MD5. Click Apply. Click OK. Right-click on QM1.QM2  Properties  SSL Set the SSL Cipherspec to NULL_MD5. Leave Authentication of partner (…) as Required. Click Apply. Click OK. Verify the key repository location From MQ Explorer: right-click on queue manager QM1  Properties  SSL. Check that the key repository matches the location and name of the key repository you created. In our example, this is <MQdir>qmgrsQM1sslkey (note that the key repository file extension, .kdb, is omitted): Page 19 of 20
  • 20. Connecting Version 6 MQ Queue Managers using SSL Repeat the check for queue manager QM2. Start the channels Start the sender channel QM1.QM2. You should see the channel status change to Running. Switch to the QM2 machine, and start the sender channel QM2.QM1. This concludes the SSL setup for two Windows queue managers using an external Certification Authority. Page 20 of 20