Create an MQ queue manager
First, we create a queue manager (Qmgr) on Cloud Pak for Integration v2020.2.1 with PKI enabled. Although v2020.3.1 is the latest GA release available, the instructions should remain the same.
Login to OCP
oc login <OpenShift API Hostname> -u <username> -p <password>
Create Cert & Key
openssl req -newkey rsa:2048 -nodes -keyout <keyname>.key -x509 -days 365 -out <certname>.crt -subj "Subject name"
Example:
openssl req -newkey rsa:2048 -nodes -keyout flagstaff.qmgr.key -x509 -days 365 -out flagstaff.qmgr.crt \
-subj "/C=IN/ST=Karnataka/L=Bengaluru/O=IBM/OU=ISL/CN=flagstaff"
“flagstaff” is the name of my queue manager here.
Create OCP secret for Qmgr
oc create secret tls <secret-name> --key="<key filename>" --cert="<cert filename>" -n <namespace>
Example:
oc create secret tls flagstaff-mq-secret --key="flagstaff.qmgr.key" --cert="flagstaff.qmgr.crt" -n cp4i
Create p12 keystore from cert and key
openssl pkcs12 -export -in <cert filename> -inkey <key filename> -out <p12 keystore name>
Example:
openssl pkcs12 -export -in flagstaff.qmgr.crt -inkey flagstaff.qmgr.key -out flagstaff.p12
Use keytool to convert p12 keystore to JKS keystore
keytool -importkeystore -srckeystore <p12 keystore filename> \
-srcstoretype PKCS12 \
-destkeystore <jks keystore filename> \
-deststoretype JKS
Example:
keytool -importkeystore -srckeystore flagstaff.p12 \
-srcstoretype PKCS12 \
-destkeystore flagstaff.jks \
-deststoretype JKS
Create the config map, Qmgr and route for MQ channel
I have used the following YAML to do all tasks in one command. I have chosen to disable CHLAUTH security for this demo.
To customize the config map, the SNI address for MQ channels and the CHLAUTH security options, refer to the following Knowledge Center links for more information.
ConfigMap:
https://www.ibm.com/support/knowledgecenter/SSFKSJ_9.2.0/com.ibm.mq.ctr.doc/ctr_supply_mqsc_ini.htm
Creating CHLAUTH
https://www.ibm.com/support/knowledgecenter/SSFKSJ_9.2.0/com.ibm.mq.sec.doc/q132580_.htm
SNI Address for MQ channels:
https://www.ibm.com/support/pages/ibm-websphere-mq-how-does-mq-provide-multiple-certificates-certlabl-capability
kind: ConfigMap
apiVersion: v1
metadata:
  name: configmqsc
  namespace: cp4i
data:
  createchl.mqsc: |-
    define ql(SNOWBOWL)
    DEFINE CHANNEL(FLAGSTAFF) CHLTYPE(SVRCONN) TRPTYPE(TCP) SSLCAUTH(OPTIONAL) SSLCIPH('ANY_TLS12')
    set chlauth(FLAGSTAFF) TYPE(BLOCKUSER) USERLIST(NOBODY)
    REFRESH SECURITY TYPE(CONNAUTH)
---
apiVersion: mq.ibm.com/v1beta1
kind: QueueManager
metadata:
  name: flagstaff
spec:
  version: 9.2.0.0-r1
  license:
    accept: true
    license: L-RJON-BN7PN3
    use: "NonProduction"
  pki:
    keys:
      - name: default
        secret:
          secretName: flagstaff-mq-secret
          items:
            - tls.key
            - tls.crt
  web:
    enabled: true
  queueManager:
    availability:
      type: SingleInstance
    storage:
      queueManager:
        type: ephemeral
    mqsc:
      - configMap:
          name: configmqsc
          items:
            - createchl.mqsc
  template:
    pod:
      containers:
        - env:
            - name: MQSNOAUT
              value: 'yes'
          name: qmgr
---
kind: Route
apiVersion: route.openshift.io/v1
metadata:
  name: flagstaff-qmgr-ibm-mq-qm
  namespace: cp4i
spec:
  host: flagstaff.chl.mq.ibm.com
  to:
    kind: Service
    name: flagstaff-ibm-mq
  port:
    targetPort: 1414
  tls:
    termination: passthrough
  wildcardPolicy: None
Apply the YAML:
oc apply -f flagstaff.yaml
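The YAML above deliberately relaxes several controls for the demo: SSLCAUTH(OPTIONAL) on the SVRCONN channel, the CHLAUTH BLOCKUSER USERLIST(NOBODY) override, and MQSNOAUT=yes on the container. Below is an added example, not part of the original post or any IBM tool, of a small Python check that parses the MQSC from the ConfigMap plus the container env and lists those demo-only settings so they are caught before the same manifest is reused outside a demo. The parser, the finding codes and the sample input are my own assumptions.

```python
import re

# Constructed input: the MQSC from the page's ConfigMap and the env set on the qmgr container.
SAMPLE_MQSC = """\
define ql(SNOWBOWL)
DEFINE CHANNEL(FLAGSTAFF) CHLTYPE(SVRCONN) TRPTYPE(TCP) SSLCAUTH(OPTIONAL) SSLCIPH('ANY_TLS12')
set chlauth(FLAGSTAFF) TYPE(BLOCKUSER) USERLIST(NOBODY)
REFRESH SECURITY TYPE(CONNAUTH)
"""
SAMPLE_ENV = {"MQSNOAUT": "yes"}

# verb, object type, optional (name), then the remaining ATTR(value) pairs
STMT = re.compile(r"(\w+)\s+(\w+)(?:\(([^)]*)\))?\s*(.*)", re.I)
ATTR = re.compile(r"(\w+)\(([^)]*)\)")

def parse_mqsc(text):
    """Yield (verb, type, name, attrs); everything upper-cased, quotes stripped."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("*"):  # '*' in column 1 begins an MQSC comment
            continue
        m = STMT.match(line)
        if not m:
            continue
        verb, kind, name, rest = m.groups()
        attrs = {k.upper(): v.strip("'\" ").upper() for k, v in ATTR.findall(rest)}
        yield verb.upper(), kind.upper(), (name or "").strip("'\" ").upper(), attrs

def lint(mqsc_text, env):
    """Return (code, message) findings for settings that weaken the channel."""
    findings = []
    for verb, kind, name, a in parse_mqsc(mqsc_text):
        if verb == "DEFINE" and kind == "CHANNEL" and a.get("CHLTYPE") == "SVRCONN":
            if not a.get("SSLCIPH"):  # missing or blank SSLCIPH means no TLS on the channel
                findings.append(("NO_TLS", f"{name}: no SSLCIPH, channel is plaintext"))
            if a.get("SSLCAUTH") == "OPTIONAL":  # clients need not present a certificate
                findings.append(("CLIENT_CERT_OPTIONAL",
                                 f"{name}: SSLCAUTH(OPTIONAL), client certificate not required"))
        if (verb == "SET" and kind == "CHLAUTH" and a.get("TYPE") == "BLOCKUSER"
                and a.get("USERLIST") == "NOBODY"):  # lifts the default *MQADMIN block
            findings.append(("ADMIN_BLOCK_REMOVED",
                             f"{name}: BLOCKUSER USERLIST(NOBODY) lifts the default *MQADMIN block"))
    if env.get("MQSNOAUT", "").lower() == "yes":  # container switch that disables CONNAUTH
        findings.append(("CONNAUTH_DISABLED", "MQSNOAUT=yes turns off connection authentication"))
    return findings

if __name__ == "__main__":
    for code, msg in lint(SAMPLE_MQSC, SAMPLE_ENV):
        print(f"[{code}] {msg}")
```

Run against the page's manifest it reports three findings; a channel defined with SSLCIPH set and SSLCAUTH(REQUIRED), and no MQSNOAUT, reports none.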
Verify the installation:
Note the qmgr route for use in the next steps.
Set up iKeyman, create the CMS keystore and the password stash file
Use iKeyman to convert the JKS keystore to CMS format
- Install the MQ client for Windows from IBM Fix Central. You can find iKeyman installed at the following location.
- iKeyman location – “C:\Program Files\IBM\MQ\java\jre\bin\ikeyman.exe”
- Open the JKS file created in the previous step and save it as a CMS file.
Open JKS file: [ Menu > File > Open ]
Navigate to the JKS file location and change the key database type to “JKS”.
Save as CMS key database type: [Menu > File > Save As ]
Click OK to continue.
On the next screen, check the “Stash password to a file” option. Click OK.
Here are all the files created.
Configure RFHUTIL
Configure MQSERVER environment variable
Open a new Windows command line window and set the MQSERVER variable.
SET MQSERVER=<CHANNEL-NAME>/TCP/<ROUTE-HOSTNAME>(443)
Example:
SET ROUTE=flagstaff-ibm-mq-qm-cp4i.tmforum-7ec5d722a0ab3f463fdc90eeb94dbc70-0000.che01.containers.appdomain.cloud
SET MQSERVER=FLAGSTAFF/TCP/%ROUTE%(443)
Launch RFHUTIL from the command line.
Configure SSL on RFHUTIL
- On the main window, you should see the Qmgr name already populated, since we set the MQSERVER environment variable.
- Find and click the “Set Conn Id” button on the main window.
- Enter the certificate store location: the absolute path of the key database file, without the “.kdb” extension.
- Check “SSL” box.
- Select the SSL Cipher Algorithm. In this case it is “ANY_TLS12”. Click “OK” to proceed.
- Back on the main window, navigate the menu bar to MENU > MQ > MQCONN
- You should see a message “Connected to Qmgr”
- Next, key in the queue name we created as part of the configmap and hit the “Read Q” button.
- You should see a message “2033 No messages in queue”.
Troubleshooting
Refer to the Application logs in Event Viewer for troubleshooting any errors.
References
IBM Knowledge Center
https://www.ibm.com/support/knowledgecenter/SSFKSJ_9.2.0/com.ibm.mq.ctr.doc/ctr_supply_mqsc_ini.htm
https://www.ibm.com/support/knowledgecenter/SSFKSJ_9.2.0/com.ibm.mq.sec.doc/q132580_.htm
https://www.ibm.com/support/knowledgecenter/SSFKSJ_9.1.0/com.ibm.mq.ctr.doc/cc_conn_qm_openshift.htm
Connecting to a queue manager deployed in an OpenShift cluster
https://www.ibm.com/support/knowledgecenter/SSFKSJ_9.2.0/com.ibm.mq.ctr.doc/cc_conn_qm_openshift.htm