MQ

Expand all | Collapse all

SNI and MQIPT

  • 1.  SNI and MQIPT

    Posted 9 days ago

    Hello !
    Trying to get MQIPT to talk out to Z/OS over TLS. The z/os channel is set to use a named cert and not the QM default. MQIPT is acting as a TLS break between my internal QM and the Z/OS system i.e. not proxying the connections. 

    It looks like I've come across something new to me which is that MQIPT doesn't, apparently, set the server_name extension with the channel name. Therefore, the Z/OS side defaults to the default QM cert and not the specified channel cert. I can see how the mqipt docs tell me that this is the behaviour and that the workaround is that I just let MQIPT  proxy the connection and not act as a TLS breakpoint. I have multiple connections going out from this QM to other customers and they all work because the customer is using the default QM cert.

    How extremely annoying !  Proxying this one connection would make it entirely different from all the other connections I have going through MQIPT and would require me to add the clients certs into my QM db as well. All, very non-standard for our setup and requiring a whole load of new config and monitoring in the future.

    Anyone got any other workarounds here ?? I've tried to see if there's a way of setting the SNI name as a java property but I can't see such a thing - anyone ever heard of one?

    This is all particularly galling as MQIPT clearly knows what channel is being used and could set it if it wanted to !?

    many thanks for any help!
    John.



    ------------------------------
    John Hawkins
    TallJHawkins consulting Ltd
    ------------------------------


  • 2.  RE: SNI and MQIPT

    Posted 9 days ago
    Hi John,

    Please vote on this RFE:

    RFE 127800: MQIPT (MS81) TLS Server Name Indication (SNI) Pass-through Support

    This is to request IBM add SNI passthrough support.

    ------------------------------
    Josh McIver
    ------------------------------



  • 3.  RE: SNI and MQIPT

    Posted 7 days ago
    Thanks Josh - have done.
    Shame they haven't done it themselves already - seems like a big thing to miss out on IMO and probably not that hard to fix.

    ah well.

    cheers,
    john.

    ------------------------------
    John Hawkins
    TallJHawkins Consulting Ltd
    ------------------------------