Configuring a highly available IBM MQ queue manager

Use a client channel definition table (CCDT) and mqccred security exit to connect IBM® App Connect on IBM Cloud to one of a list of IBM MQ queue managers.

About this task

You might want to ensure high availability access to an IBM MQ queue manager for IBM App Connect Enterprise flows in IBM App Connect on IBM Cloud. For example, if an IBM MQ on IBM Cloud instance is unavailable in one region due to maintenance, you can connect to an instance in a different region. You can achieve this high availability behavior by purchasing an IBM MQ on IBM Cloud instance in another region, then configuring access to a list of IBM MQ queue managers. The first queue manager that connects successfully is used for IBM MQ interactions.

IBM MQ uses the following mechanisms to provide access to a list of queue managers.
  • A client channel definition table (CCDT) lists the queue managers that you can connect to.
  • A security exit that is called mqccred allows different passwords to be used for each system.

To use these mechanisms for your flows in App Connect on IBM Cloud, you add a CCDT in JSON format to your MQ policy, and provide an mqccred.ini file as a new type of policy. You provide one mqccred.ini file for each integration server.

Procedure

To connect to a list of queue managers, complete the following steps.

  1. Create an MQCCDT.json file in the format of the following example. 
    {
  "channel":
  [
    {
      "name": "CLOUD.APP.SVRCONN",
      "type": "clientConnection",
      "general":
      {
        "description": "A SSL channel"
      },
      "clientConnection":
      {
        "queueManager": "*",
        "connection":
        [
          {
            "host": "test1-1bf5.qm2.eu-gb.mq.appdomain.cloud",
            "port": 32454
          },
          {
            "host": "barrysmqmgr-314e.qm.eu-gb.mq.appdomain.cloud",
            "port": 32468
          }
        ]
      },
      "transmissionSecurity":
      {
        "cipherSpecification": "TLS_RSA_WITH_AES_256_CBC_SHA256"
      },
      "exits":
      {
        "security":
        {
          "name": "mqccred(ChlExit)",
          "userData": "DEBUG"
        }
      }
    }
  ]
}
    • You can find values for the channel.clientConnection.connection.host and channel.clientConnection.connection.port parameters for each queue manager in the IBM MQ queue manager configuration.
    • The value for the channel.clientConnection.transmissionSecurity.cipherSpecification parameter must match the queue manager channel SSL cipher spec property from the IBM MQ Console.
    • If you set channel.exits.security.userData to DEBUG, logging is directed to the integration server. If you do not need to direct logging to the integration server, you can remove this parameter.
  2. In the Policies view of IBM App Connect on IBM Cloud, create an MQ policy and complete the following fields.
    (For more information about creating policies, see Configuring integration servers by using policies.)
    1. Enter a Policy name.
    2. The Host and Port fields are overridden by the values that are specified in the CCDT. Therefore, you can enter any values for these fields.
    3. Set the Queue manager field to * (asterisk).
    4. Set the Channel name field to the name of the SVRCONN channel that is used by the queue manager to receive messages (such as CLOUD.APP.SVRCONN).
    5. The Username and Password fields are overridden by the mqccred.ini file policy, which contains credentials for each queue manager. Therefore, you can enter any value for these fields.
    6. Select Connect to IBM MQ via the public internet.
    7. Select Use SSL.
    8. Set the SSL cipher spec field to an appropriate cipher specification (such as TLS_RSA_WITH_AES_256_CBC_SHA256).
    9. Select or drag the CCDT file that you created.
    10. Click Create.
  3. If different passwords are required for each queue manager, use an mqccred.ini file, as shown in the following example.
    This file overrides the values that are set in the MQ policy. Apply one mqccred.ini file to each integration server. If two files are applied to an integration server, only the latest file is used.
    QueueManager:
   OPW=<obfuscated API key>
   Name=TEST1
   User=app1
   Force=TRUE
​
QueueManager:
   OPW=<obfuscated API key>
   Name=MyMQMgr
   User=app1
   Force=TRUE

    To obfuscate the API key for each channel, use the runmqccred tool that is described in runmqccred (obfuscate passwords for mqccred exit) in the IBM MQ documentation.

  4. In the Policies view of IBM App Connect on IBM Cloud, create an MQCCRED INI file policy and complete the following fields.
    1. Enter a Policy name.
    2. Select or drag the mqccred.ini file that you created.
    3. Click Create.
  5. Apply the policies to your integration server.
    1. In the Policies view, open the Actions menu for the policy that you want to attach, then click Apply policy.
    2. Select the integration server that you want to attach the policy to, then click Apply.