Configuring a Route to connect to a queue manager from outside a Red Hat OpenShift cluster
You need a Red Hat® OpenShift® Route to connect an application to an IBM® MQ queue manager from outside a Red Hat OpenShift cluster. You must enable TLS on your IBM MQ queue manager and client application, because SNI is only available in the TLS protocol when a TLS 1.2 or higher protocol is used. The Red Hat OpenShift Container Platform Router uses SNI for routing requests to the IBM MQ queue manager.
About this task
The required configuration of the Red Hat OpenShift Route depends on the Server Name Indication (SNI) behavior of your client application. IBM MQ supports two different SNI header settings, depending on configuration and client type: the SNI header is set either to the hostname of the client's destination or to the IBM MQ channel name. For information on how IBM MQ maps a channel name to a hostname, see How IBM MQ provides multiple certificates capability.
Whether an SNI header is set to an IBM MQ channel name or a hostname is controlled using the OutboundSNI attribute. Possible values are OutboundSNI=CHANNEL (the default value) or OutboundSNI=HOSTNAME. For more information, see SSL stanza of the client configuration file. Note that CHANNEL and HOSTNAME are the exact values that you use; they are not variable names that you replace with an actual channel name or host name.
Client behaviors with different OutboundSNI settings
If OutboundSNI is set to HOSTNAME, the following clients set a hostname SNI as long as a hostname is provided in the connection name:
- C Clients
- .NET Clients in unmanaged mode
- Java/JMS Clients
OutboundSNI, multiple certificates, and Red Hat OpenShift routes
IBM MQ uses the SNI header to provide multiple certificates functionality. If an application is connecting to an IBM MQ channel that is configured to use a different certificate through the CERTLABL field, then the application must connect with an OutboundSNI setting of CHANNEL.
Example
Client applications that set the SNI to the MQ channel require a new Red Hat OpenShift Route to be created for each channel you wish to connect to. You also have to use unique channel names across your Red Hat OpenShift Container Platform cluster, to allow routing to the correct queue manager.
It is important that MQ channel names do not end in a lower-case letter due to the way IBM MQ maps channel names to SNI headers.
To determine the required host name for each of your new Red Hat OpenShift Routes, you need to map each channel name to an SNI address. See How IBM MQ provides multiple certificates capability for more information.
Create each Route by applying the following YAML in your cluster:
apiVersion: route.openshift.io/v1
kind: Route
metadata:
  name: <provide a unique name for the Route>
  namespace: <the namespace of your MQ deployment>
spec:
  host: <SNI address mapping for the channel>
  to:
    kind: Service
    name: <the name of the Kubernetes Service for your MQ deployment (for example "<Queue Manager Name>-ibm-mq")>
  port:
    targetPort: 1414
  tls:
    termination: passthrough
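The channel-to-SNI mapping and the per-channel Route can be generated together. The following Python sketch is an added example, not IBM's code; it assumes the mapping rules from the referenced topic (A-Z folded to lower case, digits unchanged, every other character replaced by its two-digit hex ASCII code plus a hyphen, then .chl.mq.ibm.com appended). The function names, the Route naming scheme and the sample channel names are hypothetical.

```python
import string

SNI_SUFFIX = ".chl.mq.ibm.com"  # domain appended to every mapped channel name (assumed rule)

def channel_to_sni(channel):
    """Return the SNI address a client with OutboundSNI=CHANNEL sends for `channel`."""
    if not channel or not channel.isascii():
        raise ValueError(f"not a usable channel name: {channel!r}")
    label = "".join(
        c.lower() if c in string.ascii_uppercase  # A-Z fold to lower case
        else c if c in string.digits              # 0-9 pass through unchanged
        else f"{ord(c):02x}-"                     # anything else: hex code plus '-'
        for c in channel
    )
    if label.endswith("-"):
        # e.g. a trailing lower-case letter leaves the host label ending in '-'
        raise ValueError(f"{channel!r} maps to {label!r}, which ends in '-'")
    return label + SNI_SUFFIX

ROUTE_TEMPLATE = """\
apiVersion: route.openshift.io/v1
kind: Route
metadata:
  name: {name}
  namespace: {namespace}
spec:
  host: {host}
  to:
    kind: Service
    name: {service}
  port:
    targetPort: 1414
  tls:
    termination: passthrough
"""

def routes_for(channels, namespace):
    """channels: iterable of (channel name, Service name). Returns {host: manifest}."""
    routes = {}
    for channel, service in channels:
        host = channel_to_sni(channel)
        if host in routes:
            # the Router can deliver one SNI host to only one queue manager
            raise ValueError(f"channel {channel!r} is used more than once in the cluster")
        name = f"{service}-{host.split('.')[0]}"  # hypothetical Route naming scheme
        routes[host] = ROUTE_TEMPLATE.format(name=name, namespace=namespace, host=host, service=service)
    return routes
```

Each manifest in the returned dictionary can be written to a file and applied with oc apply -f.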
Configuring your client application connection details
oc get route <Name of hostname based Route (for example "<Queue Manager Name>-ibm-mq-qm")> -n <namespace of your MQ deployment> -o jsonpath="{.spec.host}"
The port for your client connection should be set to the port used by the Red Hat OpenShift Container Platform Router - normally 443.