Retrieving CRLs by using an LDAP server

You can configure MQIPT to use an LDAP server to retrieve certificate revocation lists (CRLs).

Before you begin

  • Before you start to use this scenario, make sure that you have completed the prerequisite tasks listed in Getting started with IBM MQ Internet Pass-Thru.
  • Ensure that MQIPT 2 has a personal certificate, issued by the trusted Certificate Authority (CA), stored in a key ring file called myCert.pfx.
  • Ensure that MQIPT 1 has a copy of the trusted CA certificate that will be used to authenticate the certificate sent by MQIPT 2. This certificate is stored in a key ring file called caCerts.pfx.
  • The passwords to access the key rings have been encrypted using the mqiptPW command.

About this task

In this scenario, you can connect the IBM MQ client to a queue manager (QM) and place an IBM MQ message on the target queue. Running an MQIPT trace on MQIPT 1 will show the LDAP server being used.

To demonstrate how CRLs work, make sure that the personal certificate used by MQIPT 2 is revoked by the trusted CA. Then the IBM MQ client is not allowed to connect to the QM, as the connection from MQIPT 1 to MQIPT 2 is rejected.

It is not the intention of this scenario to explain how to install and set up an LDAP server nor how to create a key ring file containing personal or trusted certificates. It assumes that the LDAP server is available from a known and trusted CA. A backup LDAP server is not used, but could be implemented by adding the appropriate Route properties.

Figure 1. LDAP server network diagram
See text.

This diagram shows the connection from the IBM MQ client (client1.company1.com on port 1415) through two instances of MQIPT to the IBM MQ server (server1.company2.com on port 1414). The first MQIPT has a connection to an LDAP server (crl.ca_company.com on port 389).

Procedure

To retrieve CRLs by using an LDAP server, complete the following steps:

  1. On the MQIPT 1 system:
    1. Edit mqipt.conf and add the following route definition: 
      [route]
ListenerPort=1415
Destination=10.100.6.7
DestinationPort=1416
SSLClient=true
SSLClientCAKeyRing=C:\mqiptHome\ssl\caCerts.pfx
SSLClientCAKeyRingPW=encrypted_key_ring_password
LDAP=true
LDAPServer1=crl.ca_company.com
LDAPServer1Timeout=4
      where encrypted_key_ring_password is the password for the caCerts.pfx key ring, encrypted using the mqiptPW command.
    2. Open a command prompt and start MQIPT: 
      C:\mqipt\bin\mqipt C:\mqiptHome -n ipt1
      where C:\mqiptHome indicates the location of the MQIPT configuration file, mqipt.conf, and ipt1 is the name to be given to the instance of MQIPT.
      The following messages indicate that MQIPT has started successfully:
      5724-H72 (C) Copyright IBM Corp. 2000, 2026. All Rights Reserved
MQCPI001 IBM MQ Internet Pass-Thru V9.2.0.0 starting
MQCPI004 Reading configuration information from mqipt.conf
MQCPI152 MQIPT name is ipt1
MQCPI021 Password checking has been enabled on the command port
MQCPI011 The path C:\mqiptHome\logs will be used to store the log files
MQCPI006 Route 1415 has started and will forward messages to :
MQCPI034 ....10.100.6.7(1416)
MQCPI035 ....using MQ protocol
MQCPI036 ....SSL Client side enabled with properties :
MQCPI031 ......CipherSuites <NULL>
MQCPI032 ......key ring file <NULL>
MQCPI047 ......CA key ring file C:\mqiptHome\ssl\caCerts.pfx
MQCPI071 ......site certificate uses UID=*,CN=*,T=*,OU=*,DC=*,O=*,
	                                           STREET=*,L=*,ST=*,PC=*,C=*,DNQ=*
MQCPI038 ......peer certificate uses UID=*,CN=*,T=*,OU=*,DC=*,O=*,
	                                           STREET=*,L=*,ST=*,PC=*,C=*,DNQ=*
MQCPI075 ....LDAP main server at crl.ca_company.com(389)
MQCPI086 ......timeout of 4 second(s)
MQCPI084 ....CRL cache expiry timeout is 1 hour(s)
MQCPI085 ....CRLs will be saved in the key-ring file(s)
MQCPI078 Route 1415 ready for connection requests
  2. On the MQIPT 2 system:
    1. Edit mqipt.conf and add the following route definition: 
      [route]
ListenerPort=1416
Destination=server1.company2.com
DestinationPort=1414
SSLServer=true
SSLServerKeyRing=C:\mqipt\ssl\myCert.pfx
SSLServerKeyRingPW=encrypted_key_ring_password
      where encrypted_key_ring_password is the password for the myCert.pfx key ring, encrypted using the mqiptPW command.
    2. Open a command prompt and start MQIPT: 
      C:
cd \mqipt\bin
mqipt .. -n ipt2
      where .. indicates that the MQIPT configuration file, mqipt.conf, is in the parent directory, and ipt2 is the name to be given to the instance of MQIPT.
      The following message indicates successful completion: 
      5724-H72 (C) Copyright IBM Corp. 2000, 2026. All Rights Reserved
MQCPI001 IBM MQ Internet Pass-Thru V9.2.0.0 starting
MQCPI004 Reading configuration information from mqipt.conf
MQCPI152 MQIPT name is ipt2
MQCPI021 Password checking has been enabled on the command port
MQCPI011 The path C:\mqipt\logs will be used to store the log files
MQCPI006 Route 1416 is starting and will forward messages to :
MQCPI034 ....server1.company2.com(1414)
MQCPI035 ....using MQ protocol
MQCPI037 ....SSL Server side enabled with properties :
MQCPI031 ......CipherSuites <NULL>
MQCPI032 ......key ring file C:\mqipt\ssl\myCert.pfx
MQCPI047 ......CA key ring file <NULL>
MQCPI071 ......site certificate uses UID=*,CN=*,T=*,OU=*,DC=*,O=*,
	                                           STREET=*,L=*,ST=*,PC=*,C=*,DNQ=*
MQCPI038 ......peer certificate uses UID=*,CN=*,T=*,OU=*,DC=*,O=*,
	                                           STREET=*,L=*,ST=*,PC=*,C=*,DNQ=*
MQCPI033 ......client authentication set to false
MQCPI078 Route 1416 ready for connection requests
  3. At a command prompt on the IBM MQ client system, enter the following commands:
    1. Set the MQSERVER environment variable: 
      SET MQSERVER=MQIPT.CONN.CHANNEL/tcp/10.9.1.2(1415)
    2. Put a message: 
      amqsputc MQIPT.LOCAL.QUEUE MQIPT.QM1
Hello world
      Press Enter twice after typing the message string.
    3. Get the message: 
      amqsgetc MQIPT.LOCAL.QUEUE MQIPT.QM1
      The message, "Hello world" is returned.