Example: Configuring a Native HA queue manager
This example shows how you deploy a queue manager using the native high availability feature into the Red Hat® OpenShift® Container Platform (OCP) using the IBM® MQ Operator.
Before you begin
To complete this example, you must first have completed the following prerequisites:
- Install the IBM MQ client, and add the installed
samp/bin and bin directories to your
PATH. The client provides the runmqakm,
amqsputc and amqsgetc applications required by this example.
Install the IBM MQ client as follows:
- For Windows and Linux®: Install the IBM MQ redistributable client for your operating system from https://ibm.biz/mq92redistclients
- For Mac: Download and set up the IBM MQ MacOS Toolkit. See https://ibm.biz/mqdevmacclient.
- Install the OpenSSL tool for your operating system. You need this to generate a self-signed certificate for the queue manager, if you do not already have a private key and certificate.
- Create a Red Hat OpenShift Container Platform (OCP) project/namespace for this example and follow the steps in the task Preparing your Red Hat OpenShift project for IBM MQ
- On the command line, log in to the OCP cluster, and switch to the namespace that you just created.
- Ensure the IBM MQ Operator is installed and available in the namespace.
- Configure a default storage class in the OCP, to be used by your queue manager. If you want to complete this tutorial without setting a default storage class, see Note 2: Using a non-default storage class.
About this task
Native HA queue managers involve an active and two replica Kubernetes Pods. These run as part of a Kubernetes Stateful Set with exactly three replicas and a set of Kubernetes Persistent Volumes. For more information about native HA queue managers, see High availability for IBM MQ in containers.
The example provides a custom resource YAML that defines a native HA queue manager that uses persistent storage and is configured with TLS. After deploying the queue manager into the OCP, you simulate failure of the active queue manager pod. You see automatic recovery occur, and prove that it has succeeded by putting and getting messages after the failure.
Example
- Create a TLS private key and certificates for MQ server
- You can create a self-signed certificate for the queue manager, and add the certificate to a key database to act as the truststore for the client. If you already have a private key and certificate, you can use those instead. Note that you should only use self-signed certificates for development purposes.
- Create a TLS private key and certificates for internal use by Native HA
- The three pods in a Native HA queue manager replicate data over the network. You can create a self-signed certificate for use when replicating internally. Note that you should only use self-signed certificates for development purposes.
- Add the queue manager public key to a client key database
- A client key database is used as the truststore for the client application.
- Create a secret containing TLS certificates for queue manager deployment
- So that your queue manager can reference and apply the key and certificate, create a Kubernetes TLS secret, referencing the files created above. When
you do this, ensure you are in the namespace you created before you began this
task.
oc create secret tls example-ha-secret --key="tls.key" --cert="tls.crt"
- Create a secret containing the internal native HA TLS certificate and key
- So that your queue manager can reference and apply the key and certificate, create a Kubernetes TLS secret, referencing the files created
above. When you do this, ensure you are in the namespace you created before you began
this
task.
oc create secret tls example-ha-secret-internal --key="nativeha.key" --cert="nativeha.crt"
- Create a config map containing MQSC commands
- Create a Kubernetes config map containing the MQSC
commands to create a new queue and a SVRCONN Channel, and to add a channel authentication record
that allows access to the channel by blocking only those users called
nobody.
Note that this approach should be used only for development purposes.
- Configure routing
- If you are using an IBM MQ client or toolkit at IBM MQ 9.2.1 or later, you can configure routing to the queue manager by using a queue manager configuration file (an INI file). Within the file, you set the OutboundSNI variable to route based on hostname rather than channel name.
- Deploy the queue manager
- Important: In this example we use the MQSNOAUT variable to disable
authorization on the queue manager, which allows us to focus on the steps required to connect a
client using TLS. This is not recommended in a production deployment of IBM MQ, because it causes any applications connecting to have
full administrative powers, with no mechanism to lower the permissions for individual
applications.
Validation
In this section we validate that the queue manager behaves as expected.
- Confirm that the queue manager is running
- The queue manager is now being deployed. Confirm it is in
Running
state before proceeding. For example:oc get qmgr nativeha-example
- Test the connection to the queue manager
- To confirm the queue manager is configured for one-way TLS communication, use the
amqsputc and amqsgetc sample applications:
- Find the queue manager hostname
- To find the queue manager hostname for route
nativeha-example-ibm-mq-qm
, run the following command. The hostname is returned in theHOST
field.oc get routes nativeha-example-ibm-mq-qm
- Specify the queue manager details
- Create a file CCDT.JSON that specifies the queue manager details. Replace
the host value with the hostname returned by the previous
step.
{ "channel": [ { "name": "HAQMCHL", "clientConnection": { "connection": [ { "host": "<host from previous step>", "port": 443 } ], "queueManager": "HAEXAMPLE" }, "transmissionSecurity": { "cipherSpecification": "ECDHE_RSA_AES_128_CBC_SHA256" }, "type": "clientConnection" } ] }
- Export environment variables
- Export the following environment variables, in the manner appropriate for your operating system. These variables will be read by amqsputc and amqsgetc.
- Put messages to the queue
- Run the following command:
amqsputc EXAMPLE.QUEUE HAEXAMPLE
- Retrieve the messages from the queue
- Run the following command:
amqsgetc EXAMPLE.QUEUE HAEXAMPLE
- Force the active pod to fail
- To validate the automatic recovery of the queue manager, simulate a pod failure:
- View the active and standby pods
- Run the following
command:
Note that, in the READY field, the active pod returns the valueoc get pods --selector app.kubernetes.io/instance=nativeha-example
1/1
, whereas the replica pods return the value0/1
. - Delete the active pod
- Run the following command, specifying the full name of the active
pod:
oc delete pod nativeha-example-ibm-mq-<value>
- View the pod status again
- Run the following
command:
oc get pods --selector app.kubernetes.io/instance=nativeha-example
- View the queue manager status
- Run the following command, specifying the full name of one of the other
pods:
oc exec -t Pod -- dspmq -o nativeha -x -m HAEXAMPLE
- Put and get messages again
- After the standby pod becomes the active pod (that is, after the
READY
field value becomes1/1
), use the following commands again, as previously described, to put messages to the queue manager then retrieve messages from the queue manager:amqsputc EXAMPLE.QUEUE HAEXAMPLE
amqsgetc EXAMPLE.QUEUE HAEXAMPLE
Congratulations, you have successfully deployed a native HA queue manager, and shown that it can automatically recover from a pod failure.
Additional information
- Note 1: Creating a route
- If you are using an IBM MQ client or toolkit earlier than IBM MQ 9.2.1, you need to create an Route.
- Note 2: Using a non-default storage class
- This example expects a default storage class to have been configured in Red Hat OpenShift Container Platform, therefore no
storage information is required in the queue manager
custom resource YAML. If you do not have a storage class configured as default, or you want
to use a different storage class, add
defaultClass: <storage_class_name>
underspec.queueManager.storage
.