Hello!
Trying to get MQIPT to talk out to z/OS over TLS. The z/OS channel is set to use a named cert and not the QM default. MQIPT is acting as a TLS break between my internal QM and the z/OS system, i.e. not proxying the connections.
It looks like I've come across something new to me, which is that MQIPT doesn't, apparently, set the server_name extension with the channel name. Therefore, the z/OS side defaults to the default QM cert and not the specified channel cert. I can see how the MQIPT docs tell me that this is the behaviour and that the workaround is that I just let MQIPT proxy the connection and not act as a TLS breakpoint. I have multiple connections going out from this QM to other customers and they all work because the customer is using the default QM cert.
How extremely annoying! Proxying this one connection would make it entirely different from all the other connections I have going through MQIPT and would require me to add the client's certs into my QM db as well. All very non-standard for our setup and requiring a whole load of new config and monitoring in the future.
Anyone got any other workarounds here? I've tried to see if there's a way of setting the SNI name as a Java property but I can't see such a thing - anyone ever heard of one?
This is all particularly galling as MQIPT clearly knows what channel is being used and could set it if it wanted to!?
Many thanks for any help!
John.
------------------------------
John Hawkins
TallJHawkins consulting Ltd
------------------------------
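
Added example (not part of the original post, and not IBM or MQIPT code): a Python check that derives the SNI host name a z/OS queue manager would expect for a given channel and tests whether a captured TLS ClientHello record carries it, which confirms from a packet capture whether the sender set server_name at all. The mapping follows IBM MQ's documented channel-name-to-SNI rules; the function names, the channel name `TO.QMGR1` and the constructed ClientHello bytes are assumptions of this example.

```python
import struct

def mq_channel_sni(channel):
    """Map an MQ channel name to the SNI host name IBM MQ documents for it."""
    out = []
    for ch in channel:
        if "A" <= ch <= "Z":
            out.append(ch.lower())          # A-Z fold to lower case
        elif ch in "0123456789":
            out.append(ch)                  # digits unchanged
        else:
            out.append("%02x-" % ord(ch))   # everything else: hex code + hyphen
    return "".join(out) + ".chl.mq.ibm.com"

def client_hello_sni(record):
    """Return the server_name host in a TLS ClientHello record, or None if absent."""
    if len(record) < 6 or record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a TLS ClientHello record")
    try:
        pos = 5 + 4 + 2 + 32                                  # headers, version, random
        pos += 1 + record[pos]                                # session_id
        pos += 2 + struct.unpack_from("!H", record, pos)[0]   # cipher_suites
        pos += 1 + record[pos]                                # compression_methods
        if pos + 2 > len(record):
            return None                                       # no extensions at all
        end = pos + 2 + struct.unpack_from("!H", record, pos)[0]
        pos += 2
        while pos + 4 <= end:
            ext_type, ext_len = struct.unpack_from("!HH", record, pos)
            pos += 4
            if ext_type == 0 and record[pos + 2] == 0:        # server_name / host_name
                n = struct.unpack_from("!H", record, pos + 3)[0]
                return record[pos + 5:pos + 5 + n].decode("ascii")
            pos += ext_len
    except (IndexError, struct.error):
        raise ValueError("truncated ClientHello") from None
    return None

def build_client_hello(sni=None):  # constructed minimal ClientHello, not a capture
    ext = struct.pack("!HH", 0x000A, 4) + b"\x00\x02\x00\x17"   # supported_groups
    if sni is not None:
        entry = b"\x00" + struct.pack("!H", len(sni)) + sni.encode("ascii")
        ext += struct.pack("!HHH", 0, len(entry) + 2, len(entry)) + entry
    body = b"\x03\x03" + bytes(32) + b"\x00" + b"\x00\x02\x13\x01" + b"\x01\x00"
    body += struct.pack("!H", len(ext)) + ext
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs

def sni_matches_channel(record, channel):
    return client_hello_sni(record) == mq_channel_sni(channel)
```

`sni_matches_channel(build_client_hello(), "TO.QMGR1")` is false, which is the case the post describes: with no server_name in the ClientHello, the receiving side has nothing to select a per-channel certificate with.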