2.2 Configure Queue Manager and Channel for TLS
After the Queue Manager is deployed, configure the TLS settings at Queue Manager and Channel level.
When you are implementing the DevOps pipeline, these steps would be part of your MQSC script.
Click on Queue Manager Properties and go to the SSL tab:
Notice the name of ‘Cert label’. This is the ‘name’ for the pair of the Key and Cert that we supplied in the helm chart. If you have configured more than one Key pairs, provide the appropriate label name here. This ‘Cert label’ will be used when you are connecting from the clients as described in this section above under ‘CONDITION 2’ and the CERTLABL supplied at the Channel level will be ignored.
Note that by default CHLAUTH and CONNAUTH are enabled. You may keep them enabled or disable them if you do not require those. For this demonstration, to keep it simple, we have disabled those.
Under ‘Extended’ tab, delete the entry in the ‘Connection authentication’ field.
Under the ‘Communication’ tab, disable ‘CHLAUTH records’
Now go to the Server Connection channel under the SSL tab. Specify the ‘SSL cipher spec’ and appropriate ‘Cert label’ that was created as part of the helm deployment. Since we are not using mutual authentication, so ‘SSL authentication’ has been made ‘Optional’. Setting it to ‘Optional’ will disable the client authentication.
If your client application is using the clients as specified in this section above under ‘CONDITION 1’, the ‘Cert label’ specified at the channel will be used and the ‘Cert label’ specified at Queue Manager will be ignored.
If you intend to remotely administer the Queue Manager, you may specify MCA user as ‘mqm’, which will give complete authority on the Queue Manager to the clients connecting to it via this channel. It is recommended not to do this and configure the authentication appropriately.
Make sure that you ‘REFRESH SECURITY’ of the Queue Manager after making the security related changes. To refresh the security, go to the Queue Manager properties and refresh all three types of securities.
2.3 Import the certificate in Client’s TrustStore
The client that tries to connect to the Queue Manager over SSL, must accept the TLS certificate presented by the Queue Manager. This would require you to import the TLS certificate into the client’s truststore. If you are using a Java trust-store, you can use the Keytool command or the iKeyMan tool supplied with IBM MQ to import the certificate.
In this case, we created tls.key and tls.crt at step 2.1. Import tls.crt into the client’s truststore and give it any label name.
2.4 Connect from Client’s specified under CONDITION 2
If you are using MQ clients as specified in this section above under ‘CONDITION 2’, you can proceed with the connection now.
Let us connect to the Queue Manager from MQ Explorer 9.1.0.
Click on ‘Add Remote Queue Manager’ and enter the Queue Manager Name and click Next
Get the route name for the Queue Manager service.
oc get route -n <namespace>
Enter this route host name as Host name, port as 443 and the name of the channel.
Click on ‘Next’ thrice to reach the SSL configuration page. Click on ‘Enable SSL key repositories’ and enter the path of client truststore and password for truststore.
Click on Next. Enable SSL Options and select a Cipher spec. Here we have selected ANY_TLS12. Note that we specified ANY_TLS12 cipher spec at server connection channel also. Since at channel we have specified ANY_TLS12, we can select any cipher spec here that TLS12 supports.
Click on Finish. It will connect to the Queue Manager successfully.
2.5 Connect from Client’s specified under CONDITION 1
If you are connecting from client’s specified under CONDITION 1, the SNI will be set to the MQ channel. Client applications that set the SNI to the MQ channel require a new OpenShift Route to be created for each channel you wish to connect to. You also have to use unique channel names across your Red Hat OpenShift cluster, to allow routing to the correct queue manager.
To determine the required host name for each of your new OpenShift Routes, you need to map each channel name to an SNI address as documented here:
https://www.ibm.com/support/pages/ibm-websphere-mq-how-does-mq-provide-multiple-certificates-certlabl-capability
The SNI address used by MQ is based upon the channel name that is being requested, followed by a suffix of “.chl.mq.ibm.com”.
Since here we are using the channel ‘DEF.SVRCONN’, it will translate to the SNI address below:
def2e-svrconn.chl.mq.ibm.com
You must then create a new OpenShift Route (for each channel) by applying the following yaml in your cluster:
oc get svc -n mq
Create a yaml file with the content below, say ‘mqroute.yaml’
apiVersion: route.openshift.io/v1
kind: Route
metadata:
name: defsvrconnmqroute
namespace: mq
spec:
host: def2e-svrconn.chl.mq.ibm.com
to:
kind: Service
name: mq-tls-rel-ibm-mq
port:
targetPort: 1414
tls:
termination: passthrough
oc create -f <route yaml file>
Now let us connect to the Queue Manager from MQ Explorer 9.1.3.
Click on ‘Add Remote Queue Manager’ and enter Queue Manager name.
Click Next and Enter Route name as host name, port as 443 and Channel name
You can get the route host name using below command
oc get route -n <namespace>
Click on Next thrice to reach the SSL configuration page. Specify the client Truststore that has the public key for the CERLABL specified in the channel and enter password to open the Truststore.
Click on Next. Enable SSL options and specify the SSL CipherSpec. Since on channel we have specified ‘ANY_TLS12’, you can use any of the Cipher spec supported by TLS12.
Click on Finish and it would successfully connect to the Queue Manager.
Refer to the article below to connect to Queue Manager over TLS.
MQ with TLS