Securing remote administration using runmqsc
This topic describes enabling TLS for remote administration of an IBM® MQ as a Service queue manager using runmqsc commands.
Before you begin
- This topic describes using a JSON format CCDT to tell runmqsc how to connect
to the queue manager
- To use JSON format CCDT you must have a runmqsc installation from IBM MQ v9.1.2 or above. Runmqsc versions prior to this do not support JSON format CCDT
- You can also connect runmqsc to a queue manager using a binary CCDT if you wish, but the instructions provided here are specific to JSON CCDT
- To configure the client keystore file you need tools such as runmqakm.
- These tools are available in either a full installation of IBM MQ, or an installation of the IBM MQ client for your operating system
- Both full and client installations are available from the MQ Downloads page
- There is also a MacOS toolkit for Developers client that allows native use of runmqsc on macOS.
Configuring runmqsc to use standard ("one way") TLS connections
Download or create a JSON CCDT file that describes the queue manager you want to connect to
You can download a JSON CCDT from the queue manager details page by clicking on the Connection information button and then selecting the JSON CCDT format. Note that the downloaded JSON CCDT does not contain the cipher specification that you associated with the channel, so you have to include that manually by adding a transmissionSecurity definition for each channel as shown in the example below.
Alternatively you can simply copy the example template provided here and update the host, port, queueManager and channel values to match your queue manager.
{
"channel": [
{
"name": "CLOUD.ADMIN.SVRCONN",
"clientConnection": {
"connection": [
{
"host": "qm1-1234.qm.us-south.mq.appdomain.cloud",
"port": 31500
}
],
"queueManager": "QM1"
},
"transmissionSecurity": {
"cipherSpecification": "ANY_TLS12_OR_HIGHER"
},
"type": "clientConnection"
}
]
}
Configure the necessary environment variables for the runmqsc environment
You configure environment variables to instruct the runmqsc client to use the JSON CCDT to obtain the queue manager connection details, which includes the name of the channel cipher spec that we defined in the previous step.
- Open a command prompt window and navigate to the IBM MQ
bindirectory of your installation. The location of this will depend on your operating system, for example:Operating System File location Linux® full IBM MQ installation /var/mqm/binWindows C:\Program Files\IBM\MQ\binLinux/macOS, using the client installation ~/mytoolkit/IBM-MQ-Toolkit-Mac-x64-9.1.2.0/bin - Set the
MQCCDTURLenvironment variable to instruct the runmqsc client to read the JSON CCDT, theMQCCDTURLvariable is a URL pointing to the JSON CCDT file.- MQCCCDTURL is the full file path from the system root to the ccdt
file.
# Linux/MacOS export MQCCDTURL=file:///Users/myuser/connection_info_ccdt.json unset MQSERVER # Windows set MQCCDTURL=file:///c:/temp/connection_info_ccdt.json set MQSERVER=Note: You MUST NOT have the MQSERVER variable set, otherwise that will take precedence over the settings from the JSON CCDT - There are two different ways of specifying your CCDT file location - if MQCCDTURL does not work
for you, try setting MQCHLTAB and MQCHLLIB as described below.
MQCHLLIB is the full path from the system root to the directory which holds the ccdt file.
export MQCHLLIB=/path/to/ccdt set MQCHLLIB=c:\path\to\ccdtMQCHLTAB is the filename of the ccdt file.
export MQCHLTAB=connection_info_ccdt.json set MQCHLTAB=connection_info_ccdt.json
- MQCCCDTURL is the full file path from the system root to the ccdt
file.
-
Set the MQSSLKEYR environment variable to allow the runmqsc client to trust the TLS certificate presented by the queue manager
The MQSSLKEYR variable must be set to the full path from the system root to a keystore file that contains the TLS certificate presented by the queue manager.
Note that the
.kdbsuffix of the file must NOT be included in theMQSSLKEYRvalue. So, for a key store namedkey.kdb, specify justkey.# Linux/MacOS export MQSSLKEYR=/Users/myuser/key # Windows set MQSSLKEYR=c:\temp\key
Execute the runmqsc command to connect to the queue manager
Now that we have set up the necessary environment we can execute the runmqsc command to connect to the queue manager.
- IBM MQ Administrator username and API key, which you obtain from the service console as described in Gather required connection details in Administering a queue manager using IBM MQ Explorer and the runmqsc command line. Note that this must an Administrator username and API key, and not an Application username and API key
- Queue manager name, which must match what is specified in the JSON CCDT file - for example
'QM1'.
<Path to MQ/bin directory>/runmqsc -c -u mqusername QM1
Configuring runmqsc to use mutual ('two way') TLS connections
The following steps describe how to extend the instructions above to configure mutual TLS connectivity between the runmqsc client and the queue manager.
In mutual TLS scenarios the client (for example,. runmqsc) presents a client certificate to the queue manager, and the queue manager must be configured to trust that incoming client certificate.
- Generate a TLS client certificate that will identify the runmqsc client:
In some organizations TLS client certificates are generated for you by a central certificate authority (CA). For the purposes of this example we will generate our own self-signed client certificate.
# Generate a new private key and public certificate for the client # (fill in the segments of the certificate as you wish when prompted) openssl req -newkey rsa:2048 -nodes -keyout clientKey.pem -x509 -days 365 -out clientCert.pem -addext "extendedKeyUsage = clientAuth" # Combine the private key and public certificate into a single file cat clientKey.pem > clientCombined.pem cat clientCert.pem >> clientCombined.pem - Add the newly generated client certificate to the local keystore file:
Import the combined client key/cert into the keystore file, making a note of the label that you use.
$ runmqakm -cert -add -db key.kdb -file clientCombined.pem -label runmqsc -stashed -type pkcs12 -format ascii -
Configure the queue manager to trust the client certificate:
- Import the public part of the client certificate by navigating to the queue manager details page in the IBM MQ as a Service service console user interface, and selecting the Trust store tab
- Click the Import certificate button, and select the file containing the
public part of the client certificate, for example
clientCert.pem - Click Next and pick a label for the certificate (it does not have to be the same label as in the client keystore file), then click
- After the certificate has been uploaded you are requested to refresh the queue manager SSL security configuration which you can do using IBM MQ Console, SaveIBM MQ Explorer or runmqsc as described in Administering a queue manager using IBM MQ Explorer and the runmqsc command line.
-
Configure the queue manager channel to require mutual TLS:
- The TLS mode for a channel is controlled by the
SSL Authenticationattribute of the channel, which must be set toRequiredto enable mutual TLS. You can set the attribute using IBM MQ Console or IBM MQ Explorer via the UI, or if you are using runmqsc then you must set the attributeSSLCAUTHtoREQUIRED.
- The TLS mode for a channel is controlled by the
-
Configure runmqsc to present the client certificate when it connects to the queue manager:
- Set the
MQCERTLABLenvironment variable to the label of the client certificate in the local keystore file, and then you can execute the runmqsc command to connect to the queue manager, which this time will be configured using mutual TLS authentication.export MQCERTLABL=runmqsc runmqsc -c -u mqusername QM1
- Set the
Next steps
If you want to connect applications to a queue manager that has TLS enabled on the channels then you can follow the instructions in the following topic;