Connect on-premise IBM MQ MFT Agent to a queue manager in OpenShift Cluster

By Shashikanth Rao Thambrahalli posted Mon May 02, 2022 12:15 AM

  

This document describes the steps required to connect an IBM MQ Managed File Transfer (MFT) agent running on premises to a queue manager running in an OpenShift cluster, using TLS over an OpenShift passthrough route.



Assumptions


This document assumes that:



    • The IBM MQ Managed File Transfer Redistributable Package v9.2.4 has been unpacked on a Red Hat Enterprise Linux 8.5 x86-64 system.

    • The IBM MQ Operator is installed in an OpenShift cluster.

    • The OpenShift command-line client, oc, is installed on the Linux machine.

    • An API token for the user has been retrieved from the OpenShift web console (the "Copy login command" menu item).

    • An OpenShift project, ibmmqft, has been created in the OpenShift cluster.

    • You are logged in to the Linux machine as an ordinary user, say student. This document uses /student as that user's home directory; adjust the paths below if yours differs.


 


Phase 1: Create a certificate and keystore for secure connection


Agents running on premises reach the queue manager in the OpenShift cluster through an OpenShift Route with TLS passthrough. The router uses the Server Name Indication (SNI) value sent by the MQ client to select the route, so the connection must use TLS 1.2 or higher; non-TLS connections cannot pass through the route at all.


1) Create a self-signed certificate and private key with openssl. The private key and certificate go to the queue manager, which presents the certificate during the TLS handshake; the MFT agent only needs the certificate, which it stores as a trusted certificate. The subject (CN=localhost) is only a placeholder in this lab, because the agent will trust exactly this certificate rather than a CA; for production use a certificate issued by your CA.
 
openssl req -newkey rsa:2048 -nodes -keyout tls.key -subj "/CN=localhost" -x509 -days 365 -out tls.crt

2) Create a PKCS#12 truststore for the agent and import the certificate into it. The truststore is created in the logged-in user's home directory. When prompted, enter a new keystore password, say passw0rd, and answer yes when keytool asks whether to trust the certificate.

keytool -importcert -trustcacerts -keystore /student/agenttls.p12 -storetype pkcs12 -alias root -file tls.crt

3) Change the permissions on the truststore so that only its owner can read and write it.

chmod 600 /student/agenttls.p12

4) Create a credentials file, MQMFTCredentials.xml, in the user's home directory with the following content. It gives the agent the password of the truststore. The password is stored in clear text; the fteObfuscate command can obfuscate it, but that is encoding rather than encryption, so the file permissions set in the next step are the real protection.

<?xml version="1.0" encoding="UTF-8"?>
<tns:mqmftCredentials  xmlns:tns="http://wmqfte.ibm.com/MQMFTCredentials"
   xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
   xsi:schemaLocation="http://wmqfte.ibm.com/MQMFTCredentials MQMFTCredentials.xsd">   
<tns:file  path="/student/agenttls.p12"  password="passw0rd"/>
</tns:mqmftCredentials>

5) Change the permissions on the credentials file in the same way.

chmod 600 /student/MQMFTCredentials.xml
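A small audit script for the files created in this phase, added here as an example and not part of the original article. It assumes the article's paths (/student/agenttls.p12 and /student/MQMFTCredentials.xml) unless overridden through the KEYSTORE and CREDS environment variables, and uses only POSIX shell, find and grep, so it can run on the agent host before the agent is started.

```shell
#!/bin/sh
# Added example, not part of the original article: sanity checks for the
# Phase 1 files on the on-premises host. The default paths are the ones the
# article uses and are assumptions; override them via the environment.
KEYSTORE="${KEYSTORE:-/student/agenttls.p12}"
CREDS="${CREDS:-/student/MQMFTCredentials.xml}"

# check_private_file FILE
# Succeeds only if FILE is a regular file, owned by the calling user, with
# mode exactly 0600. The credentials file holds the truststore password in
# clear text, so this is the control that actually protects it.
check_private_file() {
    f="$1"
    if [ ! -f "$f" ]; then
        echo "missing or not a regular file: $f" >&2
        return 1
    fi
    # find prints the path only when both the owner (numeric uid) and the
    # exact permission bits match; an empty result means one of them is wrong.
    if [ -z "$(find "$f" -user "$(id -u)" -perm 600 -print 2>/dev/null)" ]; then
        echo "wrong owner or mode (want uid $(id -u), mode 0600): $f" >&2
        return 1
    fi
    return 0
}

# check_credentials_file CREDS KEYSTORE
# Succeeds only if CREDS is private (see above) and contains a <tns:file>
# entry for KEYSTORE, so the agent can open the truststore at startup.
check_credentials_file() {
    creds="$1"
    ks="$2"
    check_private_file "$creds" || return 1
    if ! grep -F -q "path=\"$ks\"" "$creds"; then
        echo "no credentials entry for $ks in $creds" >&2
        return 1
    fi
    # Non-fatal warning: the article's example password is not a secret.
    if grep -F -q 'password="passw0rd"' "$creds"; then
        echo "warning: $creds still uses the example password" >&2
    fi
    return 0
}

# check_phase1 [KEYSTORE [CREDS]]
# Runs both checks and reports the first failure.
check_phase1() {
    ks="${1:-$KEYSTORE}"
    creds="${2:-$CREDS}"
    check_private_file "$ks" && check_credentials_file "$creds" "$ks"
}

# Run the checks only when invoked as: sh check_phase1.sh check
case "${1-}" in
    check) check_phase1 && echo "Phase 1 files look good" ;;
esac
```

Run it as `sh check_phase1.sh check` as the student user; it exits non-zero and names the offending file if either file is world- or group-readable, owned by someone else, or if the credentials file does not reference the truststore path.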

 


Phase 2: Create OpenShift resources


1) Log in to the OpenShift cluster with the token retrieved earlier, and make sure the ibmmqft project is your current project so that the resources below are created there.

oc login --token=<security token> --server=<OpenShift cluster URL>

2) Create a TLS secret from the private key and certificate created in Phase 1. The private key now lives in the ibmmqft project; anyone who can read secrets in that project can read it, so keep the project's RBAC tight.

oc create secret tls secure-tls-secret --key="tls.key" --cert="tls.crt"

3) Create a YAML file, configmap.yaml, with the following content. It is a ConfigMap holding MQSC definitions that the MQ Operator runs when the queue manager starts: the TLS-enabled server-connection channel, the pub/sub objects a coordination queue manager needs, and the queues of the agent SRCAGENT (the same definitions that fteCreateAgent prints in Phase 3). Two settings are deliberately permissive for this lab: SSLCAUTH(OPTIONAL) means the queue manager does not require a client certificate from the agent, and the CHLAUTH rule that blocks only 'nobody' is the most specific BLOCKUSER rule for this channel, so it overrides the default rule that blocks privileged user IDs.

apiVersion: v1
kind: ConfigMap
metadata:
  name: secureqm-tls-configmap
data:
  mqexpl.mqsc: |
    DEFINE CHANNEL(SECUREQMCHL) CHLTYPE(SVRCONN) TRPTYPE(TCP) SSLCAUTH(OPTIONAL) SSLCIPH('ANY_TLS12_OR_HIGHER')
    SET CHLAUTH(SECUREQMCHL) TYPE(BLOCKUSER) USERLIST('nobody') ACTION(ADD)
    DEFINE TOPIC('SYSTEM.FTE') TOPICSTR('SYSTEM.FTE') REPLACE
    ALTER TOPIC('SYSTEM.FTE') NPMSGDLV(ALLAVAIL) PMSGDLV(ALLAVAIL)
    DEFINE QLOCAL(SYSTEM.FTE) LIKE(SYSTEM.BROKER.DEFAULT.STREAM) REPLACE
    ALTER QLOCAL(SYSTEM.FTE) DESCR('Stream for MQMFT Pub/Sub interface')
    DISPLAY NAMELIST(SYSTEM.QPUBSUB.QUEUE.NAMELIST)
    ALTER NAMELIST(SYSTEM.QPUBSUB.QUEUE.NAMELIST) +
      NAMES(SYSTEM.BROKER.DEFAULT.STREAM,SYSTEM.BROKER.ADMIN.STREAM,SYSTEM.FTE)
    DISPLAY QMGR PSMODE
    ALTER QMGR PSMODE(ENABLED)
    DEFINE QLOCAL(SYSTEM.FTE.COMMAND.SRCAGENT) +
      DEFPRTY(0) +
      DEFSOPT(SHARED) +
      GET(ENABLED) +
      MAXDEPTH(5000) +
      MAXMSGL(4194304) +
      MSGDLVSQ(PRIORITY) +
      PUT(ENABLED) +
      RETINTVL(999999999) +
      SHARE +
      NOTRIGGER +
      USAGE(NORMAL) +
      REPLACE
    DEFINE QLOCAL(SYSTEM.FTE.DATA.SRCAGENT) +
      DEFPRTY(0) +
      DEFSOPT(SHARED) +
      GET(ENABLED) +
      MAXDEPTH(5000) +
      MAXMSGL(4194304) +
      MSGDLVSQ(PRIORITY) +
      PUT(ENABLED) +
      RETINTVL(999999999) +
      SHARE +
      NOTRIGGER +
      USAGE(NORMAL) +
      REPLACE
    DEFINE QLOCAL(SYSTEM.FTE.REPLY.SRCAGENT) +
      DEFPRTY(0) +
      DEFSOPT(SHARED) +
      GET(ENABLED) +
      MAXDEPTH(5000) +
      MAXMSGL(4194304) +
      MSGDLVSQ(PRIORITY) +
      PUT(ENABLED) +
      RETINTVL(999999999) +
      SHARE +
      NOTRIGGER +
      USAGE(NORMAL) +
      REPLACE
    DEFINE QLOCAL(SYSTEM.FTE.STATE.SRCAGENT) +
      DEFPRTY(0) +
      DEFSOPT(SHARED) +
      GET(ENABLED) +
      MAXDEPTH(5000) +
      MAXMSGL(4194304) +
      MSGDLVSQ(PRIORITY) +
      PUT(ENABLED) +
      RETINTVL(999999999) +
      SHARE +
      NOTRIGGER +
      USAGE(NORMAL) +
      REPLACE
    DEFINE QLOCAL(SYSTEM.FTE.EVENT.SRCAGENT) +
      DEFPRTY(0) +
      DEFSOPT(SHARED) +
      GET(ENABLED) +
      MAXDEPTH(5000) +
      MAXMSGL(4194304) +
      MSGDLVSQ(PRIORITY) +
      PUT(ENABLED) +
      RETINTVL(999999999) +
      SHARE +
      NOTRIGGER +
      USAGE(NORMAL) +
      REPLACE
    DEFINE QLOCAL(SYSTEM.FTE.AUTHAGT1.SRCAGENT) +
      DEFPRTY(0) +
      DEFSOPT(SHARED) +
      GET(ENABLED) +
      MAXDEPTH(0) +
      MAXMSGL(0) +
      MSGDLVSQ(PRIORITY) +
      PUT(ENABLED) +
      RETINTVL(999999999) +
      SHARE +
      NOTRIGGER +
      USAGE(NORMAL) +
      REPLACE
    DEFINE QLOCAL(SYSTEM.FTE.AUTHTRN1.SRCAGENT) +
      DEFPRTY(0) +
      DEFSOPT(SHARED) +
      GET(ENABLED) +
      MAXDEPTH(0) +
      MAXMSGL(0) +
      MSGDLVSQ(PRIORITY) +
      PUT(ENABLED) +
      RETINTVL(999999999) +
      SHARE +
      NOTRIGGER +
      USAGE(NORMAL) +
      REPLACE
    DEFINE QLOCAL(SYSTEM.FTE.AUTHOPS1.SRCAGENT) +
      DEFPRTY(0) +
      DEFSOPT(SHARED) +
      GET(ENABLED) +
      MAXDEPTH(0) +
      MAXMSGL(0) +
      MSGDLVSQ(PRIORITY) +
      PUT(ENABLED) +
      RETINTVL(999999999) +
      SHARE +
      NOTRIGGER +
      USAGE(NORMAL) +
      REPLACE
    DEFINE QLOCAL(SYSTEM.FTE.AUTHSCH1.SRCAGENT) +
      DEFPRTY(0) +
      DEFSOPT(SHARED) +
      GET(ENABLED) +
      MAXDEPTH(0) +
      MAXMSGL(0) +
      MSGDLVSQ(PRIORITY) +
      PUT(ENABLED) +
      RETINTVL(999999999) +
      SHARE +
      NOTRIGGER +
      USAGE(NORMAL) +
      REPLACE
    DEFINE QLOCAL(SYSTEM.FTE.AUTHMON1.SRCAGENT) +
      DEFPRTY(0) +
      DEFSOPT(SHARED) +
      GET(ENABLED) +
      MAXDEPTH(0) +
      MAXMSGL(0) +
      MSGDLVSQ(PRIORITY) +
      PUT(ENABLED) +
      RETINTVL(999999999) +
      SHARE +
      NOTRIGGER +
      USAGE(NORMAL) +
      REPLACE
    DEFINE QLOCAL(SYSTEM.FTE.AUTHADM1.SRCAGENT) +
      DEFPRTY(0) +
      DEFSOPT(SHARED) +
      GET(ENABLED) +
      MAXDEPTH(0) +
      MAXMSGL(0) +
      MSGDLVSQ(PRIORITY) +
      PUT(ENABLED) +
      RETINTVL(999999999) +
      SHARE +
      NOTRIGGER +
      USAGE(NORMAL) +
      REPLACE
    DEFINE QLOCAL(SYSTEM.FTE.HA.SRCAGENT) +
      DEFPRTY(0) +
      DEFSOPT(SHARED) +
      GET(ENABLED) +
      MAXDEPTH(0) +
      MAXMSGL(0) +
      MSGDLVSQ(PRIORITY) +
      PUT(ENABLED) +
      RETINTVL(999999999) +
      SHARE +
      NOTRIGGER +
      USAGE(NORMAL) +
      REPLACE


4) Run the following command to create the configmap in your OpenShift cluster

oc apply -f configmap.yaml


5) Create a YAML file, route.yaml, with the following content. It defines a TLS passthrough route whose host is the SNI name the MQ client sends for channel SECUREQMCHL: the channel name in lower case followed by .chl.mq.ibm.com. The route targets the service secureqm-ibm-mq, which the MQ Operator creates for the queue manager named secureqm in step 7; the service does not have to exist yet.

apiVersion: route.openshift.io/v1
kind: Route
metadata:
  name: secureqm-tls-route
spec:
  host: secureqmchl.chl.mq.ibm.com
  to:
    kind: Service
    name: secureqm-ibm-mq
  port:
    targetPort: 1414
  tls:
    termination: passthrough


6) Run the following command to create the route in your OpenShift cluster.

oc apply -f route.yaml


7) Create a YAML file, qm.yaml, with the following content. It defines the queue manager, references the ConfigMap and the TLS secret, and sets the environment variable MQSNOAUT=yes on the queue manager container, which disables the object authority manager so that no authorization checks are made. That keeps this walkthrough short, but it leaves the queue manager open to any client that can complete the TLS handshake; do not use it outside a lab.

apiVersion: mq.ibm.com/v1beta1
kind: QueueManager
metadata:
  name: secureqm
spec:
  license:
    accept: true
    license: L-RJON-BUVMQX
    use: Production
  queueManager:
    name: SECUREQM
    mqsc:
    - configMap:
        name: secureqm-tls-configmap
        items:
        - mqexpl.mqsc
    storage:
      queueManager:
        type: ephemeral
  template:
    pod:
      containers:
        - env:
            - name: MQSNOAUT
              value: 'yes'
          name: qmgr
  version: 9.2.4.0-r1
  web:
    enabled: false
  pki:
    keys:
      - name: example
        secret:
          secretName: secure-tls-secret
          items:
          - tls.key
          - tls.crt

8) Run the following command to create a queue manager

oc apply -f qm.yaml

9) Run the following command to view the status of the queue manager.

oc get QueueManager

10) Once the queue manager is running, the output looks like this:

NAME       PHASE
secureqm   Running


11) Run the following command to list the routes created.

oc get routes


12) Note down the host name shown for the route named secureqm-ibm-mq-qm, which the MQ Operator created automatically. This host name resolves to the OpenShift router and is the address the agent connects to on port 443; the SNI name in the agent's TLS handshake then selects the route created in step 5. The host name looks like
secureqm-ibm-mq-qm-ibmmqft.xxx.xxx.xxx
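Before configuring the agent it is worth proving, from the on-premises host, that the passthrough route really hands the client the queue manager's certificate and nothing else. The script below is an added example and not part of the original article; it assumes oc and openssl are available on the Linux machine, that the operator-created route is named secureqm-ibm-mq-qm as in step 12, and that tls.crt from Phase 1 is in the current directory. It derives the SNI name from the channel name the way the MQ client does, which is also why the custom route's host is secureqmchl.chl.mq.ibm.com.

```shell
#!/bin/sh
# Added example, not part of the original article: verify from the
# on-premises host that the TLS passthrough route delivers the queue
# manager's certificate. Route name, channel name and certificate path
# follow the article and are assumptions; override them via the environment.
ROUTE="${ROUTE:-secureqm-ibm-mq-qm}"
CHANNEL="${CHANNEL:-SECUREQMCHL}"
CERT="${CERT:-tls.crt}"

# sni_host_for_channel CHANNEL
# The hostname an MQ client sends in the TLS SNI extension for CHANNEL:
# the channel name in lower case with ".chl.mq.ibm.com" appended.
# Assumes an upper-case alphanumeric channel name; MQ hex-encodes other
# characters, which this helper does not implement.
sni_host_for_channel() {
    printf '%s.chl.mq.ibm.com\n' "$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')"
}

# cert_fingerprint_file CRT: SHA-256 fingerprint of a PEM certificate file.
cert_fingerprint_file() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# cert_fingerprint_remote HOST PORT SNI
# Fingerprint of the leaf certificate presented by HOST:PORT when the
# client asks for SNI. With a passthrough route this is the queue
# manager's own certificate, not one belonging to the OpenShift router.
cert_fingerprint_remote() {
    openssl s_client -connect "$1:$2" -servername "$3" </dev/null 2>/dev/null \
        | openssl x509 -noout -fingerprint -sha256 | cut -d= -f2
}

# verify_route ROUTEHOST CHANNEL CRT
# Compares what the router presents for CHANNEL's SNI name with the
# certificate in the agent's truststore. A mismatch means the agent would
# either fail the handshake or be talking to something other than SECUREQM.
verify_route() {
    sni="$(sni_host_for_channel "$2")"
    want="$(cert_fingerprint_file "$3")"
    got="$(cert_fingerprint_remote "$1" 443 "$sni")"
    if [ -z "$got" ]; then
        echo "no certificate received from $1:443 (SNI $sni)" >&2
        return 1
    fi
    if [ "$want" != "$got" ]; then
        echo "fingerprint mismatch: truststore $want, route presented $got" >&2
        return 1
    fi
    echo "route $1 presents the expected certificate for channel $2 ($got)"
}

# Run only when invoked as: sh verify_route.sh check
case "${1-}" in
    check)
        host="$(oc get route "$ROUTE" -o jsonpath='{.spec.host}')"
        verify_route "$host" "$CHANNEL" "$CERT"
        ;;
esac
```

Run it as `sh verify_route.sh check` while logged in to the cluster. If it reports no certificate at all, the router did not find a route for the SNI name (check the host in route.yaml); if the fingerprints differ, something other than the queue manager is terminating TLS on that name.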


This completes the configuration on OpenShift. Now it is time to configure the agent on premises.


 


Phase 3: Configure an agent


1) Navigate to the bin directory where IBM MQ Managed File Transfer Redistributable package has been unpacked.


2) Create a data directory for use with Managed File Transfer, for example:

mkdir /student/mftdata


3) Source the following script from the bin directory to set up the environment for configuring the Managed File Transfer agent. It points the MFT commands at the data directory just created.


source ./fteCreateEnvironment -d /student/mftdata


4) Run the following command to set up the coordination queue manager configuration. The host is the one noted in Phase 2 step 12, and the port is 443 because the connection goes through the OpenShift router.


fteSetupCoordination -coordinationQMgr SECUREQM -coordinationQMgrHost <host name of the secureqm-ibm-mq-qm route> -coordinationQMgrPort 443 -coordinationQMgrChannel SECUREQMCHL

 


5) Update the coordination.properties file (under /student/mftdata/mqft/config/SECUREQM) with the following properties.

coordinationSslCipherSpec=ECDHE_RSA_AES_256_CBC_SHA384
coordinationSslTrustStore=/student/agenttls.p12
coordinationSslTrustStoreType=pkcs12
coordinationSslTrustStoreCredentialsFile=/student/MQMFTCredentials.xml
coordinationSslKeyStoreCredentialsFile=/student/MQMFTCredentials.xml
coordinationSslKeyStore=/student/agenttls.p12
coordinationSslKeyStoreType=pkcs12


6) Run the following command to set up the command queue manager configuration. The -p option selects the configuration set named after the coordination queue manager created in step 4.

fteSetupCommands -connectionQMgr SECUREQM -connectionQMgrHost <host name of the secureqm-ibm-mq-qm route> -connectionQMgrPort 443 -connectionQMgrChannel SECUREQMCHL -p SECUREQM

 


7) Update the command.properties file (in the same directory as coordination.properties) with the following properties.

connectionSslCipherSpec=ECDHE_RSA_AES_256_CBC_SHA384
connectionSslTrustStore=/student/agenttls.p12
connectionSslTrustStoreType=pkcs12
connectionSslTrustStoreCredentialsFile=/student/MQMFTCredentials.xml
connectionSslKeyStoreCredentialsFile=/student/MQMFTCredentials.xml
connectionSslKeyStore=/student/agenttls.p12
connectionSslKeyStoreType=pkcs12


8) Create the agent with the following command. It prints MQSC commands for defining the agent's queues; those definitions are already in the ConfigMap applied in Phase 2, so they do not need to be run again.

fteCreateAgent -agentName SRCAGENT -agentQMgr SECUREQM -agentQMgrHost <host name of the secureqm-ibm-mq-qm route> -agentQMgrPort 443 -agentQMgrChannel SECUREQMCHL -p SECUREQM

 


9) Update the agent.properties file (under /student/mftdata/mqft/config/SECUREQM/agents/SRCAGENT) with the following properties.

agentSslCipherSpec=ECDHE_RSA_AES_256_CBC_SHA384
agentSslTrustStore=/student/agenttls.p12
agentSslTrustStoreType=pkcs12
agentSslTrustStoreCredentialsFile=/student/MQMFTCredentials.xml
agentSslKeyStoreCredentialsFile=/student/MQMFTCredentials.xml
agentSslKeyStore=/student/agenttls.p12
agentSslKeyStoreType=pkcs12


10) Start the agent with the following command.

fteStartAgent SRCAGENT

11) Verify that the agent has started with the following commands. ftePingAgent and fteShowAgentDetails can also be used to view the status of an agent.

fteListAgents
ftePingAgent SRCAGENT
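If the agent fails to start or ftePingAgent times out, the first thing to check is that all three properties files carry the complete set of TLS properties and that the files they reference exist. The following script is an added example, not part of the original article or of IBM MQ; it assumes the article's data directory /student/mftdata with the standard mqft/config/<coordination queue manager> layout and the names SECUREQM and SRCAGENT, all overridable through environment variables.

```shell
#!/bin/sh
# Added example, not part of the original article: check that the three MFT
# properties files carry a complete TLS configuration and that every file
# they point at exists. Paths assume the article's data directory
# (/student/mftdata) and the standard mqft/config layout.
MFT_DATA="${MFT_DATA:-/student/mftdata}"
COORD_QM="${COORD_QM:-SECUREQM}"
AGENT="${AGENT:-SRCAGENT}"

# prop_value FILE KEY: value of KEY in a Java properties file (first match).
prop_value() {
    sed -n "s/^$2=//p" "$1" | head -n 1
}

# check_ssl_props FILE PREFIX
# PREFIX is coordination, connection or agent, matching the property names
# the article sets. Fails if any *Ssl* property is missing, a store type is
# not jks or pkcs12, or a referenced store/credentials file is unreadable.
check_ssl_props() {
    file="$1"
    prefix="$2"
    rc=0
    for key in SslCipherSpec SslTrustStore SslTrustStoreType \
               SslTrustStoreCredentialsFile SslKeyStore SslKeyStoreType \
               SslKeyStoreCredentialsFile; do
        val="$(prop_value "$file" "$prefix$key")"
        if [ -z "$val" ]; then
            echo "$file: $prefix$key is not set" >&2
            rc=1
            continue
        fi
        case "$key" in
            *StoreType)
                case "$val" in
                    jks|pkcs12) ;;
                    *) echo "$file: $prefix$key=$val is not jks or pkcs12" >&2; rc=1 ;;
                esac
                ;;
            SslTrustStore|SslKeyStore|*CredentialsFile)
                if [ ! -r "$val" ]; then
                    echo "$file: $prefix$key points at unreadable file $val" >&2
                    rc=1
                fi
                ;;
        esac
    done
    return $rc
}

# check_all_props: the three files the article edits, in the order the
# agent uses them (coordination, command, agent).
check_all_props() {
    cfg="$MFT_DATA/mqft/config/$COORD_QM"
    check_ssl_props "$cfg/coordination.properties" coordination &&
    check_ssl_props "$cfg/command.properties" connection &&
    check_ssl_props "$cfg/agents/$AGENT/agent.properties" agent
}

# Run only when invoked as: sh check_props.sh check
case "${1-}" in
    check) check_all_props && echo "TLS properties complete" ;;
esac
```

Run it as `sh check_props.sh check` as the student user, so that the readability checks reflect the permissions the agent process will actually have.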



This completes the configuration for connecting an on-premises MFT agent to a queue manager running in an OpenShift cluster. You can now create another agent with the steps described above and run transfers between the two.

If transfers go into recovery, the cause may be a slow connection between the agents and the queue manager. Try tuning the acknowledgement timeouts by adding the following properties to the agent.properties file of both the source and the destination agent.

transferAckTimeout=120000
transferAckTimeoutRetries=10
recoverableTransferRetryInterval=120000





