Are you using MQ Internet Pass-Thru?
gwydiontudur |June 21 2017 Updated
MQ Internet Pass-Thru (MQIPT) is an IBM MQ product extension that helps you securely connect MQ queue managers or clients that are not on the same network. It’s free to download from the IBM MQ SupportPac website, and is fully supported when used with a supported version of IBM MQ.
As MQIPT fix pack 2.1.0.3 has just been released, I thought I’d take this opportunity to briefly highlight what this SupportPac offers.
What can MQIPT do?
MQIPT listens on one or more TCP ports and forwards MQ connections that it receives. These connections can be between two MQ queue managers, or an MQ client and a queue manager. The presence of MQIPT is completely transparent to the clients and queue managers.
It runs as a standalone service and doesn’t need to run on the same system as a queue manager or client. In a basic configuration MQIPT just forwards connections to a queue manager, as shown in this diagram.
Because MQIPT understands the MQ network protocol, it can perform various transformations on the connection, such as TLS encryption or decryption, and wrapping the connection in HTTP so that MQ connections can be tunnelled through the firewall using existing HTTP proxies.
For more flexibility, you can use a pair (or more if you need to!) of MQIPT instances. In this example a pair of MQIPT instances is used to secure a connection with TLS between the two instances. The queue managers are unaware that MQIPT or TLS is in use.
Note that you don’t have to use a pair of MQIPT instances to use TLS. MQIPT can also communicate directly with MQ using TLS.
Why would I use MQIPT?
There are two main benefits to using MQIPT: improved security and easier network administration. Let’s look at an example of how you could use MQIPT.
A common use of MQIPT is to place it in the DMZ, so that it acts as a single point of access to your MQ network from the internet. External queue managers or clients connect to MQIPT rather than directly to the queue manager, as shown in this diagram.
This has the benefit of pushing security checks out to the edge of your network, as MQIPT can apply rules to connections, such as checking the client TLS certificate, before the channel can connect to the queue manager.
If the MQ channels are using TLS, then MQIPT will also provide a break in the TLS session in the DMZ, which is something that many organizations require.
The other benefit of this configuration is that it reduces the number of firewall rules needed to allow connections to the queue manager, as all external connections to the queue manager will now come from the machine where MQIPT is running.
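As an added example (not from the original post or from IBM), the following Python sketch audits an mqipt.conf for routes that lack the edge checks described above: TLS terminated at MQIPT and a client certificate requested. The sample configuration, host names and paths are constructed; the property names are MQIPT route properties that do not appear in the post, and treating [global] values as defaults for every route is an assumption of this sketch.

```python
# Constructed sample mqipt.conf; hosts, paths and route names are illustrative.
SAMPLE_CONF = """\
[global]
ConnectionLog=true

[route]
Name=partner-tls
ListenerPort=1415
Destination=qm1.internal.example
DestinationPort=1414
SSLServer=true
SSLServerAskClientAuth=true
SSLServerKeyRing=/opt/mqipt/ssl/edge.pfx

[route]
Name=legacy-plain
ListenerPort=1416
Destination=qm2.internal.example
DestinationPort=1414
"""

def parse_routes(text):
    """Return one dict per [route], layered over any [global] defaults."""
    global_props, routes, current = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.lower() == "[global]":
            current = global_props
        elif line.lower() == "[route]":
            current = {}
            routes.append(current)
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            current[key.strip().lower()] = value.strip()
    return [{**global_props, **route} for route in routes]

def audit(text):
    """List (route, finding) pairs for routes missing the edge checks."""
    findings = []
    for route in parse_routes(text):
        label = route.get("name") or "port " + route.get("listenerport", "?")
        enabled = lambda key: route.get(key, "false").lower() == "true"
        if not enabled("sslserver"):
            findings.append((label, "inbound TLS is not terminated at MQIPT"))
        elif not enabled("sslserveraskclientauth"):
            findings.append((label, "client certificate is not requested"))
    return findings
```

A finding is a prompt for review rather than proof of a misconfiguration, since a route may be protected by other means.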
More information
There’s more information on MQIPT in the IBM MQ Knowledge Center.
If you think you could benefit from using MQIPT, then head over to the IBM MQ SupportPac website where you can download MQIPT.