Exploring the role of OutboundSNI Parameter in the Connection between IBM MQ Queue Manager on OCP & MQ Explorer

By Avinash Ganesh posted Fri June 23, 2023 08:09 AM

  

Introduction

In contemporary software ecosystems, the deployment of a queue manager on an OpenShift Container Platform (OCP) cluster through the mq-operator has become a prevalent technique. However, end-users frequently encounter a multitude of complications when attempting to establish a connection between the MQ Explorer client and said queue manager deployed on OCP. These issues often arise due to the inadvertent execution of incorrect procedural steps or the oversight of crucial configuration settings.

How is it usually done?

To establish this connectivity, follow the steps outlined in the self-help page provided by IBM Messaging on their GitHub repository - Configuring a Route to connect to a queue manager from outside of OCP. Although the page specifically talks about connecting an OCP queue manager to MQ Explorer's MFT plugin, it applies to MQ Explorer in general as well. (Note: it is advisable to keep the page open while reading through this blog.)

This page is both comprehensive and exhibits descriptive precision. It incorporates meticulously captured screenshots from MQ Explorer, which serve as a lucid visual aid for seamlessly helping an individual through the process of establishing the desired connectivity via SSL connection and OCP routes.

Recent ask

Recently, however, users have often had reservations about creating the explicit route described in Step 7 of the page, i.e., creating a route from the SVRCONN channel name and mapping it to the OCP queue manager deployment name. Step 7 asks us to create a route with a hostname in the format:

<SVRCONN_Channel_Name>.chl.mq.ibm.com

The limitation of this approach is that if another queue manager is created on the same OCP cluster, it cannot use the channel name that was previously used. In other words, the channel name must be unique for each queue manager created. This is because of the all-important parameter OutboundSNI, which by default is set to the value CHANNEL. To learn about this property in detail, specifically when using it in MQ clients, refer to this page - SSL Client Config

Solution

1) As given in Step 10, you can make use of the route below, which is created automatically by IBM MQ:

secureqm-ibm-mq-qm secureqm-ibm-mq-qm-xxx.xxx.xxx.com secureqm-ibm-mq 1414 passthrough None

(Please note the "xxx.xxx.xxx" shown above is just a wildcard and refers to the OCP cluster name.)


2) What can be done to avoid Step 7 and use the route automatically created by IBM MQ, as specified in Step 10?
Answer: an MQExplorer.ini setting. You will have to set the OutboundSNI property in MQExplorer.ini by adding the line below to it:

-Dcom.ibm.mq.cfg.SSL.outboundSNI=HOSTNAME


3) Afterwards, restart MQ Explorer so that the new property is picked up. The user can then continue as before from Step 11 onwards. As noted above, the hostname to be used in MQ Explorer is now secureqm-ibm-mq-qm-xxx.xxx.xxx.com


Important Note
Valid values for OutboundSNI are CHANNEL and HOSTNAME. Note that CHANNEL here means just the word CHANNEL, not an actual channel name like SYSTEM.DEF.SVRCONN. The same applies to HOSTNAME: it is just the word HOSTNAME, not the actual hostname of the OCP cluster on which the queue manager has been deployed.
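
The following is an added example, not code from the original post or from IBM: a simplified Python model of SNI-based routing on a passthrough Route. It shows why a shared channel name sends the connection to the wrong queue manager under CHANNEL, and why HOSTNAME lets the automatically created Route be used. The hosts, service names and channel name are constructed, and the channel-to-SNI character mapping goes beyond the `<SVRCONN_Channel_Name>.chl.mq.ibm.com` format shown above; it is assumed from IBM MQ documentation.

```python
# Added example: simplified model of SNI-based routing on a passthrough Route.
# Hosts, services and the channel name are constructed for illustration.
SUFFIX = ".chl.mq.ibm.com"

def channel_to_sni(channel: str) -> str:
    """Map a channel name to its SNI host. Assumed rule (IBM MQ docs):
    A-Z lowercased, 0-9 kept, any other character (a-z included) becomes
    its two-digit lowercase hex ASCII code followed by a hyphen."""
    out = []
    for ch in channel:
        if "A" <= ch <= "Z":
            out.append(ch.lower())
        elif "0" <= ch <= "9":
            out.append(ch)
        else:
            out.append(f"{ord(ch):02x}-")
    return "".join(out) + SUFFIX

def client_sni(outbound_sni: str, channel: str, conn_host: str) -> str:
    """SNI the client places in its TLS ClientHello for a given setting."""
    if outbound_sni == "CHANNEL":
        return channel_to_sni(channel)
    if outbound_sni == "HOSTNAME":
        return conn_host
    raise ValueError("OutboundSNI must be the word CHANNEL or HOSTNAME")

def backend_for(routes: dict, sni: str):
    """Router model: exact match of SNI against Route hosts, else None."""
    return routes.get(sni)

def demo() -> dict:
    chl = "EXPLORER.SVRCONN"
    qm1_host = "qm1-ibm-mq-qm-apps.example.test"
    qm2_host = "qm2-ibm-mq-qm-apps.example.test"
    routes = {
        qm1_host: "qm1-ibm-mq",             # automatic Route for QM1
        qm2_host: "qm2-ibm-mq",             # automatic Route for QM2
        channel_to_sni(chl): "qm1-ibm-mq",  # Step 7 style Route, owned by QM1
    }
    return {
        # Explorer targets QM2, but the SNI names the channel, so QM1 answers.
        "CHANNEL": backend_for(routes, client_sni("CHANNEL", chl, qm2_host)),
        # The SNI names QM2's own Route host, so QM2 answers.
        "HOSTNAME": backend_for(routes, client_sni("HOSTNAME", chl, qm2_host)),
    }

if __name__ == "__main__":
    print(channel_to_sni("EXPLORER.SVRCONN"), demo())
```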