Running the TLS sample program

To run the TLS sample program you must first set up your TLS environment. You then run the sample from the command line, supplying a number of parameters.

About this task

The following instructions run the sample program using personal certificates. By varying the command you can, for example, use CA certificates and check their status using an OCSP responder. See the instructions within the sample.

Procedure

  1. Create a queue manager with the name QM1. For more information, see crtmqm.
  2. Create a key repository for the queue manager. For more information, see Setting up a key repository on AIX®, Linux®, and Windows.
  3. Create a key repository for the client. Call it clientkey.kdb.
  4. Create a personal certificate for the queue manager. For more information, see Creating a self-signed personal certificate on AIX, Linux, and Windows.
  5. Create a personal certificate for the client.
  6. Extract the personal certificate from the server key repository and add it to the client repository. For more information, see Extracting the public part of a self-signed certificate from a key repository on AIX, Linux, and Windows, and Adding a CA certificate (or the public part of a self-signed certificate) into a key repository, on AIX, Linux, and Windows systems.
  7. Extract the personal certificate from the client key repository and add it to the server key repository.
  8. Create a server connection channel using the MQSC command:
    
    DEFINE CHANNEL(QM1SVRCONN) CHLTYPE(SVRCONN) TRPTYPE(TCP) SSLCIPH(TLS_RSA_WITH_AES_128_CBC_SHA256)
    
    For more information, see Server-connection channel.
  9. Define and start a channel listener on the queue manager. For more information, see DEFINE LISTENER and START LISTENER.
  10. Run the sample program using the following command, entered as a single line:
    
    AMQSSSLC -m QM1 -c QM1SVRCONN -x localhost
    -k "C:\Program Files\IBM\MQ\clientkey" -s TLS_RSA_WITH_AES_128_CBC_SHA256 
    -o http://dummy.OCSP.responder
    

Results

The sample program performs the following actions:
  1. Connects to any specified queue manager, or to the default queue manager, using any options specified.
  2. Opens the queue manager and inquires on its name.
  3. Closes the queue manager.
  4. Disconnects from the queue manager.

If the sample program runs successfully, it displays output similar to the following example:

Sample AMQSSSLC start
Connecting to queue manager QM1
Using the server connection channel QM1SVRCONN
on connection name localhost.
Using TLS CipherSpec TLS_RSA_WITH_AES_128_CBC_SHA256
Using TLS key repository stem C:\Program Files\IBM\MQ\clientkey
Using OCSP responder URL http://dummy.OCSP.responder
Connection established to queue manager QM1

Sample AMQSSSLC end

If the sample program encounters a problem, it displays an appropriate error message. For example, if you specify an invalid OCSP responder URL, you receive the following message:

MQCONNX ended with reason code 2553

For a list of reason codes, see API completion and reason codes.
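
When the sample is used as a TLS smoke test, its output can be checked mechanically against the settings you intended. The following Python is an added example, not part of the IBM sample or product; it parses the output format shown above and compares it with the channel and CipherSpec used in this procedure. The function and field names are hypothetical, and the inputs are constructed from the output on this page.

```python
import re

# Constructed sample input: the successful output shown on this page.
SUCCESS_OUTPUT = """Sample AMQSSSLC start
Connecting to queue manager QM1
Using the server connection channel QM1SVRCONN
on connection name localhost.
Using TLS CipherSpec TLS_RSA_WITH_AES_128_CBC_SHA256
Using TLS key repository stem C:\\Program Files\\IBM\\MQ\\clientkey
Using OCSP responder URL http://dummy.OCSP.responder
Connection established to queue manager QM1

Sample AMQSSSLC end
"""
# Constructed failure input: same run, ending with the page's error message.
FAILURE_OUTPUT = SUCCESS_OUTPUT.replace(
    "Connection established to queue manager QM1",
    "MQCONNX ended with reason code 2553")

# One pattern per line of the sample's output (field names are hypothetical).
FIELDS = {
    "channel": r"Using the server connection channel (\S+)",
    "conname": r"on connection name (\S+?)\.?$",
    "cipherspec": r"Using TLS CipherSpec (\S+)",
    "keyrepo": r"Using TLS key repository stem (.+)$",
    "ocsp_url": r"Using OCSP responder URL (\S+)",
    "connected_qmgr": r"Connection established to queue manager (\S+)",
    "reason_code": r"MQCONNX ended with reason code (\d+)",
}
# Values taken from the DEFINE CHANNEL and AMQSSSLC commands on this page.
EXPECTED = {"channel": "QM1SVRCONN", "connected_qmgr": "QM1",
            "cipherspec": "TLS_RSA_WITH_AES_128_CBC_SHA256"}

def parse_output(text):
    """Extract the reported connection settings; missing fields are None."""
    found = {k: re.search(p, text, re.MULTILINE) for k, p in FIELDS.items()}
    return {k: m.group(1).strip() if m else None for k, m in found.items()}

def check_run(text, expected=EXPECTED):
    """Return a list of problems; an empty list means the run matched."""
    got, problems = parse_output(text), []
    if got["reason_code"]:
        problems.append(f"MQCONNX failed with reason code {got['reason_code']}")
    elif got["connected_qmgr"] is None:
        problems.append("no 'Connection established' line found")
    for key, want in expected.items():
        if got[key] != want:
            problems.append(f"{key}: expected {want!r}, got {got[key]!r}")
    return problems
```

Pass the captured standard output of the sample to `check_run`; any returned entry means the connection failed or used settings other than the ones expected.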