MQ

  • 1.  SNI and MQIPT

    Posted Fri November 20, 2020 01:24 PM

    Hello!
    Trying to get MQIPT to talk out to z/OS over TLS. The z/OS channel is set to use a named cert and not the QM default. MQIPT is acting as a TLS break between my internal QM and the z/OS system, i.e. not proxying the connections.

    It looks like I've come across something new to me, which is that MQIPT doesn't, apparently, set the server_name extension with the channel name. Therefore, the z/OS side defaults to the default QM cert and not the specified channel cert. I can see how the MQIPT docs tell me that this is the behaviour and that the workaround is that I just let MQIPT proxy the connection and not act as a TLS breakpoint. I have multiple connections going out from this QM to other customers and they all work because the customer is using the default QM cert.

    How extremely annoying! Proxying this one connection would make it entirely different from all the other connections I have going through MQIPT and would require me to add the clients' certs into my QM db as well. All very non-standard for our setup and requiring a whole load of new config and monitoring in the future.

    Anyone got any other workarounds here? I've tried to see if there's a way of setting the SNI name as a Java property but I can't see such a thing - anyone ever heard of one?

    This is all particularly galling as MQIPT clearly knows what channel is being used and could set it if it wanted to!?

    Many thanks for any help!
    John.



    ------------------------------
    John Hawkins
    TallJHawkins consulting Ltd
    ------------------------------


  • 2.  RE: SNI and MQIPT

    Posted Fri November 20, 2020 09:27 PM
    Hi John,

    Please vote on this RFE:

    RFE 127800: MQIPT (MS81) TLS Server Name Indication (SNI) Pass-through Support

    This is to request IBM add SNI passthrough support.

    ------------------------------
    Josh McIver
    ------------------------------



  • 3.  RE: SNI and MQIPT

    Posted Mon November 23, 2020 07:51 AM
    Thanks Josh - have done.
    Shame they haven't done it themselves already - seems like a big thing to miss out on IMO and probably not that hard to fix.

    ah well.

    cheers,
    john.

    ------------------------------
    John Hawkins
    TallJHawkins Consulting Ltd
    ------------------------------



  • 4.  RE: SNI and MQIPT

    Posted Fri December 11, 2020 12:20 PM
    Hello IBM - I note that this request is hanging off the old MQIPT SupportPac - can IBM please confirm that this request is being carried forward to MQ base as MQIPT is now supported?
    I also note that you are doing some SNI work in the latest beta releases - perhaps you could add this in?

    Thank you,
    John.

    ------------------------------
    John Hawkins
    Integration Consultant
    ------------------------------



  • 5.  RE: SNI and MQIPT

    Posted Mon December 14, 2020 05:07 AM
    Hello John,

    The change in MQIPT's status from a SupportPac to a more integrated part of MQ hasn't affected the way that RFEs are considered, so this request is being considered as a future enhancement to MQIPT. It's now an uncommitted candidate for a future version of MQIPT.

    Regards

    Gwydion

    ------------------------------
    Gwydion Tudur
    ------------------------------



  • 6.  RE: SNI and MQIPT

    Posted Mon December 14, 2020 05:49 AM
    Thanks Gwydion, I figured as much given the status change. FYI: a customer who's requested this didn't see it that way though.

    ------------------------------
    John Hawkins
    Integration Consultant
    ------------------------------