The connection is made between an IBM MQ client and an IBM MQ server through two instances of MQIPT. The connection between MQIPT 1 and MQIPT 2 uses TLS, with MQIPT 1 acting as the TLS client, and MQIPT 2 acting as the TLS server.
During the TLS handshake, the server sends its test certificate to the client. The client uses
its copy of the certificate, with the trust-as-peer flag, to authenticate the server. The client
then sends its test certificate to the server. The server uses its copy of the certificate, with the
trust-as-peer flag, to authenticate the client. The CipherSuite SSL_RSA_WITH_AES_256_CBC_SHA256 is
used. The mqipt.conf configuration file in this scenario is based on the
configuration file created in the Verifying that MQIPT is working correctly scenario.
This diagram shows the connection from the IBM MQ client (called client1.company1.com on port 1415) through two instances of MQIPT to the IBM MQ server (called server1.company2.com on port 1414).
Procedure
To authenticate a TLS client, complete the following steps:
On the MQIPT 1 system:
Edit mqipt.conf and add the following route definition:
where C:\mqiptHome indicates the location of the MQIPT configuration file, mqipt.conf, and ipt1 is the name to be given to the instance of MQIPT.
The following messages indicate that MQIPT has started successfully:
5724-H72 (C) Copyright IBM Corp. 2000, 2024. All Rights Reserved
MQCPI001 IBM MQ Internet Pass-Thru V9.2.0.0 starting
MQCPI004 Reading configuration information from mqipt.conf
MQCPI152 MQIPT name is ipt1
MQCPI021 Password checking has been enabled on the command port
MQCPI011 The path C:\mqiptHome\logs will be used to store the log files
MQCPI006 Route 1415 is starting and will forward messages to :
MQCPI034 ....10.100.6.7(1416)
MQCPI035 ....using MQ protocol
MQCPI036 ....SSL Client side enabled with properties :
MQCPI139 ......secure socket protocols <NULL>
MQCPI031 ......cipher suites SSL_RSA_WITH_AES_256_CBC_SHA256
MQCPI032 ......key ring file C:\\mqipt\\samples\\ssl\\sslSample.pfx
MQCPI047 ......CA key ring file <NULL>
MQCPI071 ......site certificate uses UID=*,CN=*,T=*,OU=*,DC=*,O=*,STREET=*,L=*,ST=*,PC=*,C=*,DNQ=*
MQCPI038 ......peer certificate uses UID=*,CN=*,T=*,OU=*,DC=*,O=*,STREET=*,L=*,ST=*,PC=*,C=*,DNQ=*
MQCPI078 Route 1415 ready for connection requests
On the MQIPT 2 system:
Edit mqipt.conf and add the following route definition:
where .. indicates that the MQIPT configuration file, mqipt.conf, is in the parent directory, and ipt2 is the name to be given to the instance of MQIPT.
The following messages indicate that MQIPT has started successfully:
5724-H72 (C) Copyright IBM Corp. 2000, 2024. All Rights Reserved
MQCPI001 IBM MQ Internet Pass-Thru V9.2.0.0 starting
MQCPI004 Reading configuration information from mqipt.conf
MQCPI152 MQIPT name is ipt2
MQCPI021 Password checking has been enabled on the command port
MQCPI011 The path C:\mqipt\logs will be used to store the log files
MQCPI006 Route 1416 is starting and will forward messages to :
MQCPI034 ....Server1.company2.com(1414)
MQCPI035 ....using MQ protocol
MQCPI037 ....SSL Server side enabled with properties :
MQCPI139 ......secure socket protocols <NULL>
MQCPI031 ......cipher suites SSL_RSA_WITH_AES_256_CBC_SHA256
MQCPI032 ......key ring file C:\\mqipt\\samples\\ssl\\sslSample.pfx
MQCPI047 ......CA key ring file <NULL>
MQCPI071 ......site certificate uses UID=*,CN=*,T=*,OU=*,DC=*,O=*,STREET=*,L=*,ST=*,PC=*,C=*,DNQ=*
MQCPI038 ......peer certificate uses UID=*,CN=*,T=*,OU=*,DC=*,O=*,STREET=*,L=*,ST=*,PC=*,C=*,DNQ=*
MQCPI033 ......client authentication set to true
MQCPI078 Route 1416 ready for connection requests
At a command prompt on the IBM MQ client system, enter the following commands:
Set the MQSERVER environment variable:
SET MQSERVER=MQIPT.CONN.CHANNEL/tcp/10.9.1.2(1415)
Put a message:
amqsputc MQIPT.LOCAL.QUEUE MQIPT.QM1
Hello world
Press Enter twice after typing the message string.
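The startup messages shown for MQIPT 1 and MQIPT 2 can be checked automatically before a route is put into service. The following Python is an added example, not IBM's code: it groups MQCPI messages by route and flags a TLS server route that does not report MQCPI033 client authentication, a peer certificate filter that is all wildcards, and a key ring under the samples directory. The finding names and the sample log (including the second key ring path and CN filter) are constructed for illustration.

```python
import re

# Constructed sample in the console format shown above (DN lists shortened).
# Route 1416 mimics the MQIPT 2 route with the MQCPI033 line missing.
SAMPLE = r"""
MQCPI006 Route 1415 is starting and will forward messages to :
MQCPI034 ....10.100.6.7(1416)
MQCPI036 ....SSL Client side enabled with properties :
MQCPI032 ......key ring file C:\\mqipt\\samples\\ssl\\sslSample.pfx
MQCPI038 ......peer certificate uses UID=*,CN=*,O=*,C=*
MQCPI078 Route 1415 ready for connection requests
MQCPI006 Route 1416 is starting and will forward messages to :
MQCPI037 ....SSL Server side enabled with properties :
MQCPI032 ......key ring file C:\\mqipt\\prod\\ipt2.pfx
MQCPI038 ......peer certificate uses UID=*,CN=client1.company1.com,O=*,C=*
MQCPI078 Route 1416 ready for connection requests
"""

LINE = re.compile(r"^(MQCPI\d{3})\s+\.*(.*)$")

def parse_routes(text):
    """Group startup messages by route: {port: {message_id: message_text}}."""
    routes, current = {}, None
    for raw in text.splitlines():
        if not (m := LINE.match(raw.strip())):
            continue
        msg_id, body = m.groups()
        if msg_id == "MQCPI006":        # "Route <port> is starting ..."
            current = routes.setdefault(body.split()[1], {})
        elif msg_id == "MQCPI078":      # "Route <port> ready for connection requests"
            current = None
        elif current is not None:
            current[msg_id] = body.strip()
    return routes

def audit(text):
    """Return (port, finding) pairs; client auth is checked on TLS server routes only."""
    findings = []
    for port, msgs in parse_routes(text).items():
        if "MQCPI037" in msgs and "set to true" not in msgs.get("MQCPI033", ""):
            findings.append((port, "no-client-auth"))
        filters = re.findall(r"=([^,]*)", msgs.get("MQCPI038", ""))
        if filters and all(v == "*" for v in filters):
            findings.append((port, "wildcard-peer-dn"))
        if "samples" in msgs.get("MQCPI032", "").lower():
            findings.append((port, "sample-key-ring"))
    return findings

print(audit(SAMPLE))
```

Run against the messages from this scenario, both routes report the wildcard filter and the sample key ring, which is expected for a test setup that trusts a copy of the test certificate as a peer.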