Recipe: Connect to MQ on CP4I with RFHUtil

By Keshav Anand posted Mon September 27, 2021 04:07 PM

  
Overview

Skill Level: Any Skill Level

Basic knowledge of MQ and Cloud Pak for Integration is required

A quick recipe for connecting to an MQ queue manager deployed as a container on Cloud Pak for Integration, using the MQ RFHUtil tool.

RFHUtil is a nifty tool that helps developers create, edit and replay messages when testing MQ and IIB/ACE applications.

Ingredients

  1. CP4I installation with MQ
  2. OC command line
  3. MQClient installation on a Windows workstation (admin access required)
  4. RFHUtil tool

Step-by-step

  1. Create a MQ queue manager

    First, we create a Qmgr on Cloud Pak for Integration v2020.2.1 with PKI enabled. Although v2020.3.1 is the latest GA release available, the instructions should remain the same.

    Login to OCP

    oc login <OpenShift API Hostname> -u <username> -p <password>

     

    Create Cert & Key

     

    openssl req -newkey rsa:2048 -nodes -keyout <keyname>.key -x509 -days 365 -out <certname>.crt -subj "Subject name"

    Example:
    openssl req -newkey rsa:2048 -nodes -keyout flagstaff.qmgr.key -x509 -days 365 -out flagstaff.qmgr.crt \
    -subj "/C=IN/ST=Karnataka/L=Bengaluru/O=IBM/OU=ISL/CN=flagstaff"

    “flagstaff” is the name of my queue manager here.

     

    Create OCP secret for Qmgr

    oc create secret tls <secret-name> --key="key file name" --cert="cert filename" -n <namespace>

    Example:
    oc create secret tls flagstaff-mq-secret --key="flagstaff.qmgr.key" --cert="flagstaff.qmgr.crt" -n cp4i

     

    Create p12 keystore from cert and key

    openssl pkcs12 -export -in <cert filename> -inkey <key filename> -out <p12 keystore name>

    Example:
    openssl pkcs12 -export -in flagstaff.qmgr.crt -inkey flagstaff.qmgr.key -out flagstaff.p12

     

    Use keytool to convert p12 keystore to JKS keystore

    keytool -importkeystore -srckeystore  <p12 keystore filename> \
    -srcstoretype PKCS12 \
    -destkeystore <jks keystore filename> \
    -deststoretype JKS


    Example:
    keytool -importkeystore -srckeystore flagstaff.p12 \
    -srcstoretype PKCS12 \
    -destkeystore flagstaff.jks \
    -deststoretype JKS

     

    Create the config map, Qmgr and route for MQ channel

    I have used the following yaml to do all tasks in one command. I have chosen to disable chlauth security for this demo.

    To customize the config map, the SNI address for MQ channels and the CHLAUTH security options, refer to the following Knowledge Center links.

    ConfigMap:

    https://www.ibm.com/support/knowledgecenter/SSFKSJ_9.2.0/com.ibm.mq.ctr.doc/ctr_supply_mqsc_ini.htm

     

    Creating CHLAUTH

    https://www.ibm.com/support/knowledgecenter/SSFKSJ_9.2.0/com.ibm.mq.sec.doc/q132580_.htm

     

    SNI Address for MQ channels:

    https://www.ibm.com/support/pages/ibm-websphere-mq-how-does-mq-provide-multiple-certificates-certlabl-capability
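
The Route host used in this recipe's manifest (flagstaff.chl.mq.ibm.com) is the SNI name that an MQ client derives from the channel name FLAGSTAFF. The following added example (not part of the original post) applies IBM's documented channel-name-to-SNI mapping so the Route host can be worked out for any channel, reading the channel from an MQSERVER value; the function names and the sample host are assumptions.

```python
import re

SNI_SUFFIX = ".chl.mq.ibm.com"
# Characters MQ permits in a channel name (1 to 20 of them).
CHANNEL_RE = re.compile(r"[A-Za-z0-9._/%]{1,20}")
# MQSERVER layout used in this recipe: <CHANNEL>/TCP/<host>(<port>)
MQSERVER_RE = re.compile(r"([^/]+)/TCP/([^()\s]+)\((\d+)\)", re.IGNORECASE)


def channel_to_sni_host(channel):
    """Return the SNI host name an MQ client sends for this channel."""
    if not CHANNEL_RE.fullmatch(channel):
        raise ValueError(f"not a valid MQ channel name: {channel!r}")
    parts = []
    for ch in channel:
        if "A" <= ch <= "Z":
            parts.append(ch.lower())         # upper case folds to lower case
        elif "0" <= ch <= "9":
            parts.append(ch)                 # digits are unchanged
        else:
            parts.append(f"{ord(ch):02x}-")  # anything else: hex code plus hyphen
    return "".join(parts) + SNI_SUFFIX


def parse_mqserver(value):
    """Split an MQSERVER value into (channel, host, port)."""
    m = MQSERVER_RE.fullmatch(value.strip())
    if m is None:
        raise ValueError(f"unexpected MQSERVER format: {value!r}")
    return m.group(1), m.group(2), int(m.group(3))


def route_host_for(mqserver):
    """Route host that must exist for the channel named in MQSERVER."""
    channel, _host, _port = parse_mqserver(mqserver)
    return channel_to_sni_host(channel)


if __name__ == "__main__":
    # Constructed MQSERVER value; only the channel name comes from the recipe.
    print(route_host_for("FLAGSTAFF/TCP/mq-route.example.invalid(443)"))
```

A lower-case or punctuated channel name produces a very different host, so compute it rather than guessing when the Route is defined.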

     

    kind: ConfigMap
    apiVersion: v1
    metadata:
      name: configmqsc
      namespace: cp4i
    data:
      createchl.mqsc: |-
        define ql(SNOWBOWL)
        DEFINE CHANNEL(FLAGSTAFF) CHLTYPE(SVRCONN) TRPTYPE(TCP) SSLCAUTH(OPTIONAL) SSLCIPH('ANY_TLS12')
        set chlauth(FLAGSTAFF) TYPE(BLOCKUSER) USERLIST(NOBODY)
        REFRESH SECURITY TYPE(CONNAUTH)
    ---
    apiVersion: mq.ibm.com/v1beta1
    kind: QueueManager
    metadata:
      name: flagstaff
    spec:
      version: 9.2.0.0-r1
      license:
        accept: true
        license: L-RJON-BN7PN3
        use: "NonProduction"
      pki:
        keys:
          - name: default
            secret:
              secretName: flagstaff-mq-secret
              items:
                - tls.key
                - tls.crt
      web:
        enabled: true
      queueManager:
        availability:
          type: SingleInstance
        storage:
          queueManager:
            type: ephemeral
        mqsc:
          - configMap:
              name: configmqsc
              items:
                - createchl.mqsc
      template:
        pod:
          containers:
            - env:
                - name: MQSNOAUT
                  value: 'yes'
              name: qmgr
    ---
    kind: Route
    apiVersion: route.openshift.io/v1
    metadata:
      name: flagstaff-qmgr-ibm-mq-qm
      namespace: cp4i
    spec:
      host: flagstaff.chl.mq.ibm.com
      to:
        kind: Service
        name: flagstaff-ibm-mq
      port:
        targetPort: 1414
      tls:
        termination: passthrough
      wildcardPolicy: None
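
The manifest above relaxes security in three places for the demo: MQSNOAUT, SSLCAUTH(OPTIONAL) and the BLOCKUSER(NOBODY) channel rule. The following added example (not part of the original post) is a pre-apply check that reports those settings with line numbers, so a copy of this YAML is not promoted beyond a demo unnoticed; the check names and the sample text are constructed for illustration.

```python
import re

# (check id, pattern, why it matters) for the relaxations used in this recipe.
CHECKS = [
    ("SSLCAUTH_OPTIONAL",
     re.compile(r"SSLCAUTH\(\s*OPTIONAL\s*\)", re.I),
     "clients are not required to present a certificate (one-way TLS)"),
    ("CHLAUTH_BLOCKUSER_NOBODY",
     re.compile(r"CHLAUTH\([^)]*\)\s*TYPE\(\s*BLOCKUSER\s*\)\s*"
                r"USERLIST\(\s*'?NOBODY'?\s*\)", re.I),
     "overrides the default rule that blocks privileged users on the channel"),
    ("MQSNOAUT",
     re.compile(r"name:\s*MQSNOAUT\b"),
     "any value disables the object authority manager at queue manager creation"),
]

# Constructed excerpt of the recipe's manifest, used as sample input.
SAMPLE = """\
data:
  createchl.mqsc: |-
    DEFINE CHANNEL(FLAGSTAFF) CHLTYPE(SVRCONN) TRPTYPE(TCP) SSLCAUTH(OPTIONAL) SSLCIPH('ANY_TLS12')
    set chlauth(FLAGSTAFF) TYPE(BLOCKUSER) USERLIST(NOBODY)
---
spec:
  template:
    pod:
      containers:
        - env:
            - name: MQSNOAUT
              value: 'yes'
          name: qmgr
"""


def scan_manifest(text):
    """Return sorted (line_number, check_id, reason) tuples for each match."""
    findings = []
    for check_id, pattern, reason in CHECKS:
        for m in pattern.finditer(text):
            line_no = text.count("\n", 0, m.start()) + 1
            findings.append((line_no, check_id, reason))
    return sorted(findings)


if __name__ == "__main__":
    for line_no, check_id, reason in scan_manifest(SAMPLE):
        print(f"line {line_no}: {check_id}: {reason}")
```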

     

    Apply the yaml:

    oc apply -f flagstaff.yaml

     

    Verify the installation:

    [Screenshot: Qmgr_created-1]

     

    Note the qmgr route for use in the next steps.

  2. Set up iKeyman, create CMS keystore and password stash file

    Use iKeyman to convert the JKS keystore to CMS format

    1. Install MQClient for Windows from IBM Fix Central. iKeyman is installed with it at “C:\Program Files\IBM\MQ\java\jre\bin\ikeyman.exe”.
    2. Open the JKS file created in the previous step and save it as a CMS file.

     

    Open JKS file: [ Menu > File > Open ]

    Navigate to the jks file location and change the key database type to “JKS”

    [Screenshot: OpenJKS]

     

     

    Save as CMS key database type: [Menu > File > Save As ]

    [Screenshot: SaveAsCMS]

     

    Click OK to continue.

     

    On the next screen, check the “Stash password to a file” option. Click OK.

     

    [Screenshot: CreatePassSTH]

     

     

    Here are all the files created.

    [Screenshot: files]

     

  3. Configure RFHUTIL

    Configure MQSERVER environment variable

    Open a new Windows command-line window and set the MQSERVER parameter.

    SET MQSERVER=<CHANNEL-NAME>/TCP/<ROUTE-HOSTNAME>(443)

    Example:
    SET ROUTE=flagstaff-ibm-mq-qm-cp4i.tmforum-7ec5d722a0ab3f463fdc90eeb94dbc70-0000.che01.containers.appdomain.cloud
    SET MQSERVER=FLAGSTAFF/TCP/%ROUTE%(443)

    Launch RFHUTIL from the command line.

     

    Configure SSL on RFHUTIL

    • On the main window, you should see the Qmgr name already populated since we set the MQSERVER env variable.
    • Find and click the “Set Conn Id” button on the main window
    • Enter the certificate store location: provide the absolute path to the file, without the “.kdb” extension.
    • Check the “SSL” box.
    • Select the SSL Cipher Algorithm. In this case it is “ANY_TLS12”. Click “OK” to proceed.
    [Screenshot: RFHUTIL_SSL]

     

     

    • Back on the main window, navigate the menu bar to MENU > MQ > MQCONN
    • You should see a message “Connected to Qmgr”
    • Next, key in the queue name we created as part of the configmap and hit the “Read Q” button.
    • You should see a message “2033 No messages in queue”.
    [Screenshot: RFHUTIL_success]

     

  4. Troubleshooting

    Refer to the Application logs in Event Viewer for troubleshooting any errors.

  5. References

    IBM Knowledge center

    https://www.ibm.com/support/knowledgecenter/SSFKSJ_9.2.0/com.ibm.mq.ctr.doc/ctr_supply_mqsc_ini.htm

    https://www.ibm.com/support/knowledgecenter/SSFKSJ_9.2.0/com.ibm.mq.sec.doc/q132580_.htm

    https://www.ibm.com/support/knowledgecenter/SSFKSJ_9.1.0/com.ibm.mq.ctr.doc/cc_conn_qm_openshift.htm

     

    Connecting to a queue manager deployed in an OpenShift cluster

    https://www.ibm.com/support/knowledgecenter/SSFKSJ_9.2.0/com.ibm.mq.ctr.doc/cc_conn_qm_openshift.htm

     




Comments

Fri April 28, 2023 03:14 AM

Have you tested this by enabling mTLS (setting SSLCAUTH to REQUIRED)? What changes are needed to make it work?