
WebSphere MQ firewall security port selection

Troubleshooting


Problem

You are configuring WebSphere MQ TCP/IP channels to go through a firewall and want to limit which ports you must open through your firewall.

Cause

Every TCP/IP connection has two ends, each with an IP address and a port number. These attributes, sometimes called a "4-tuple", uniquely identify the TCP/IP connection:

    Source IP Address:        192.0.2.4
    Source Port Number:       60474
    Destination IP Address:   203.0.113.7
    Destination Port Number:  1414

In most cases the source port is chosen automatically by the operating system, so many users are unaware it exists. This is known as an "ephemeral port" because the operating system picks a free port more or less at random and uses it only for the duration of that connection.

Most users only need to know the destination address and port, but when configuring access through a firewall it may be necessary to control the source values as well. WebSphere MQ allows administrators to control both the source and destination address and port values.

Resolving The Problem

The CONNAME attribute on WebSphere MQ channels controls the destination address and port number. By default MQ uses a port number of 1414, but you can give a different destination port after the destination hostname or IP address. In the runmqsc command-line interface you must use single quotes when a property value includes parentheses:


    DEFINE CHANNEL(SAMPLE.CHL) CHLTYPE(SDR) +
    TRPTYPE(TCP) XMITQ(SAMPLE.XQ) +
    CONNAME('mqhost.example.com(1422)')


WebSphere MQ requests an ephemeral source port when a channel establishes an outbound connection, but you can choose a specific port number or a range of port numbers instead. This may be necessary to limit the number of ports you must open through some firewalls. Simply add the port number or range to the LOCLADDR field of the channel definition. The LOCLADDR field is available on all channel types that can establish outbound connections:


    DEFINE CHANNEL(SAMPLE1.CHL) CHLTYPE(SDR) +
    TRPTYPE(TCP) XMITQ(SAMPLE1.XQ) +
    CONNAME('mqhost.example.com(1422)') +
    LOCLADDR('(1800)')

    DEFINE CHANNEL(SAMPLE2.CHL) CHLTYPE(SVR) +
    TRPTYPE(TCP) XMITQ(SAMPLE2.XQ) +
    CONNAME('mqhost.example.com(1422)') +
    LOCLADDR('(1800,1815)')


If your system has multiple network cards, you can also use the LOCLADDR attribute to direct MQ to use a specific one. For example, if one of your network cards has the IP address 192.168.1.101, you can use this in the LOCLADDR field with or without any port restrictions:


    DEFINE CHANNEL(SAMPLE3.CHL) CHLTYPE(SDR) +
    TRPTYPE(TCP) XMITQ(SAMPLE3.XQ) +
    CONNAME('mqhost.example.com(1422)') +
    LOCLADDR('192.168.1.101(1800,1815)')


There is one important TCP/IP restriction to bear in mind when controlling port numbers with LOCLADDR. When a TCP/IP connection ends, the operating system will not allow that specific connection to start again for approximately two minutes. During this TIME_WAIT period the operating system discards any delayed or retransmitted packets which show up for that connection.

Until the TIME_WAIT period expires, this exact connection (the "4-tuple" of source address, source port, destination address and destination port) cannot be restarted. Since the source address, destination address and destination port are fixed, the channel will be able to start again quickly only if it can use a different source port. If you use LOCLADDR to restrict the channel to one source port or to a very small range of ports, be aware the channel may not be able to restart right away.
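As an added illustration of the two points above (the CONNAME and LOCLADDR syntax shown in the examples, and the TIME_WAIT restriction on a fixed source port), here is a small Python script. It is not part of this technote or of WebSphere MQ itself. It parses address values in the form the examples use, derives the source/destination tuple a firewall administrator needs, and models TIME_WAIT as a hold on each 4-tuple of 120 seconds (an assumed figure; the real value is set by the operating system) so you can see how many quick restarts a given LOCLADDR port range permits.

```python
"""Parse MQSC CONNAME / LOCLADDR values and model the TIME_WAIT restriction.

Added example, not IBM code. Accepts the forms shown in the technote:
'host', 'host(1414)', '(1800)', '(1800,1815)', 'addr(1800,1815)'.
"""
import re
from dataclasses import dataclass

# host part, then optional "(port)" or "(low,high)". Bracketed IPv6 and
# comma-separated connection lists are deliberately out of scope here.
_ADDR_RE = re.compile(r"^\s*([^()\s]*)\s*(?:\((\d+)(?:\s*,\s*(\d+))?\))?\s*$")

# Assumed TIME_WAIT length; the OS decides the real value (roughly 2 minutes).
TIME_WAIT_SECONDS = 120


@dataclass(frozen=True)
class Endpoint:
    host: str   # hostname or IP; "" means "any local address" for LOCLADDR
    low: int    # first usable port (0 = ephemeral, OS chooses)
    high: int   # last usable port (equals low for a single port)


def parse_conname(value, default_port=1414):
    """CONNAME: destination host plus one optional port; MQ defaults to 1414."""
    m = _ADDR_RE.match(value)
    if not m or not m.group(1) or m.group(3):
        raise ValueError(f"invalid CONNAME: {value!r}")
    port = int(m.group(2)) if m.group(2) else default_port
    return Endpoint(m.group(1), port, port)


def parse_locladdr(value):
    """LOCLADDR: optional local address plus optional port or port range."""
    m = _ADDR_RE.match(value)
    if not m:
        raise ValueError(f"invalid LOCLADDR: {value!r}")
    host = m.group(1)
    if m.group(2) is None:
        return Endpoint(host, 0, 0)  # no port given: ephemeral source port
    low = int(m.group(2))
    high = int(m.group(3)) if m.group(3) else low
    if low > high:
        raise ValueError(f"port range reversed in LOCLADDR: {value!r}")
    return Endpoint(host, low, high)


def firewall_rule(locladdr, conname):
    """Return (src_host, src_ports, dst_host, dst_port) for a firewall rule."""
    src, dst = parse_locladdr(locladdr), parse_conname(conname)
    src_host = src.host or "any"
    if src.low == 0:
        src_ports = "ephemeral"
    elif src.low == src.high:
        src_ports = str(src.low)
    else:
        src_ports = f"{src.low}-{src.high}"
    return (src_host, src_ports, dst.host, dst.low)


class ConnectionTable:
    """Tracks which 4-tuples are still in TIME_WAIT for one channel."""

    def __init__(self, locladdr, conname, time_wait=TIME_WAIT_SECONDS):
        self.src = parse_locladdr(locladdr)
        self.dst = parse_conname(conname)
        self.time_wait = time_wait
        self.in_wait = {}  # 4-tuple -> time at which it becomes reusable

    def _tuple(self, port):
        return (self.src.host, port, self.dst.host, self.dst.low)

    def connect(self, now):
        """Pick a source port at time `now`; None if every allowed port is held."""
        for key, free_at in list(self.in_wait.items()):
            if free_at <= now:
                del self.in_wait[key]  # TIME_WAIT expired for this tuple
        if self.src.low == 0:
            return "ephemeral"  # OS has thousands of ports; never blocked here
        for port in range(self.src.low, self.src.high + 1):
            if self._tuple(port) not in self.in_wait:
                return port
        return None

    def disconnect(self, port, now):
        """Channel ends: its exact 4-tuple stays unusable for TIME_WAIT seconds."""
        if port != "ephemeral":
            self.in_wait[self._tuple(port)] = now + self.time_wait


def restart_ports(locladdr, conname, cycles):
    """cycles: (start_time, stop_time) pairs. Returns source port used per start."""
    table = ConnectionTable(locladdr, conname)
    used = []
    for start, stop in cycles:
        port = table.connect(start)
        used.append(port)
        if port is not None:
            table.disconnect(port, stop)
    return used


if __name__ == "__main__":
    print(firewall_rule("192.168.1.101(1800,1815)", "mqhost.example.com(1422)"))
    # Single fixed port: second restart 10 s after the stop is blocked.
    print(restart_ports("(1800)", "mqhost.example.com(1422)", [(0, 10), (20, 30), (140, 150)]))
```

Each extra port in the LOCLADDR range buys one more restart inside the TIME_WAIT window, so size the range to the number of restarts you expect within two minutes rather than to the bare minimum the firewall team would prefer.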

Older MQSeries versions provided an environment variable called MQTCPSDRPORT to choose the source port range. If your system uses the MQTCPSDRPORT environment variable you should remove this variable and set the LOCLADDR property instead.


Product Synonym

WMQ MQ

Document Information

Modified date:
15 June 2018

UID

swg21159801