Stan's Corner

 View Only

Useful tips for ACE sensor configuration

By HOU FANG ZHAO posted Tue June 07, 2022 10:54 PM

  
[Authors: Hou Fang Zhao, Peng Deng]

Do you want to monitor IBM App Connect Enterprise software
by using IBM Observability by Instana?Read this blog for some useful tips about IBM App Connect Enterprise (ACE) sensor configuration. Ensure that you have explored the Instana documentation first. 

Note: The commands used in this blog are verified in the following environments:
  • Ubuntu 18.04
  • ACE 11.0.0.11
  • IBM MQ 9.2.0.0.

How to determine the REST API port

Run the command mqsilist, and then you can see the REST API port number in the administration URI for each broker.  


How to test the ACE credentials and whether credentials are required

To test the ACE credentials, run either of the following commands. After you input the password, you can see the payload listed.

curl -u <USERNAME> --header "Accept: application/json" "http://<ACE_HOST>:<INTEGTATION_NODE_API_PORT>/apiv2" # If you are using IIB10, replace the apiv2 with apiv1
curl -k -u <USERNAME> --header "Accept: application/json" "https://<ACE_HOST>:<INTEGTATION_NODE_API_PORT>/apiv2" # If you are using IIB10, replace the apiv2 with apiv1. Use this command when TLS is enabled.



You can also remove the username to test whether the credentials are not required, by running either of the following commands. If you can see the payload output correctly after running the command, then it means ACE credentials are not required. 

curl --header  "Accept: application/json"  "http://<ACE_HOST>:<INTEGTATION_NODE_API_PORT>/apiv2"   # If you are using IIB10, replace the apiv2 with apiv1
curl  -k  --header   "Accept: application/json"   "https://<ACE_HOST>:<INTEGTATION_NODE_API_PORT>/apiv2"  # If you are using IIB10, replace the apiv2 with apiv1. Use this command when TLS is enabled.


How to get TLS encryption information

If you don't know if your ACE is configured with TLS encryption, you can check the node.conf.yaml file of the broker.  

For example,
to check whether TLS is enabled for the broker BK2, run the command 
cat /var/mqsi/components/BK2/overrides/node.conf.yaml
You can see the result as follows. If TLS encryption is enabled, you can get the keystore path and password in the node.conf.yaml file. 

Note:
  • If you are using local monitoring, you need to copy the path and password to your Instana configuration.yaml properly.
  • If you are using remote monitoring, you need to copy the keystore file from the path defined with sslCertificate in node.conf.yamto the Instana agent host, and set the configuration.yaml file by using the new target directory.

How to determine whether MQ or MQTT is in use

If you don't know whether MQTT or MQ is used in ACE, run the command mqsilist, and then you can get the information for each broker. 
See the following snapshot.
B
roker BRK1 is running and configured with MQ, and the queue manager name is QM1.
Broker BK3
and BK4 are running and configured with MQTT.


How to determine the MQ
and MQTT port

For MQTT:
If you are using MQTT, the default port is 11883. But it might be different if you create many brokers. You can use the following ways to check the port number.

  • Get the port number from the node.conf.yaml file of the broker

         For example, check the MQTT port for the broker BK3 by running the command

cat /var/mqsi/components/BK3/overrides/node.conf.yaml


        Then, you can get the exact port number for BK3, such as the port number 11885 in the following screenshot.
   


 

  • Get the port number from the process information by running the command ps -ef | grep bipMQTT | grep BROKER_NAME.
    For example, run the command ps -ef | grep bipMQTT | grep BK3, and then you can see the following result, where the port number is 11885
    .

For MQ:
  • If you are using MQ, get the listener port by running the command ps -ef | grep runmqlsr | grep QueueManager_Name.
  • For example, run the command ps -ef | grep runmqlsr | grep QM1, and then you can see the following result, where the listener port is 1414
Listener port


How to determine whether channel authentication is enable
d

You can run the command MQSC to check whether the channel authentication or even the QMGR connection authentication is enabled. 

  1. Start the MQSC by running the command runmqsc Your_Queue_Manager.
  2. Check whether the channel authentication is enabled by running the following command:
    dis qmgr connauth #Check the QMGR connection authentication 
    dis qmgr chlauth # Check the channel authentication
    dis chlauth(Your_Channel_Name) # Check the authentication record for specified channel
    dis chanel(Your_Channel_Name) MCAUSER # Check whether a MCAUSER is set or not.


    • If the connauth is empty and chlauth is disabled, when there is no specific mechanism to modify the userid associated with a channel, then by default, the OS userid associated with the running application program will be used for the connection.
    • If the connauth is not empty, or chlauth is enabled, or some authentication records are defined, then confirm with your MQ admin to make sure the credentials you have are valid and have authority to access.

    Notes:

    ​​





    Permalink