Authenticating a TLS client

In this scenario, you can test a TLS connection by using the sample test certificate to perform server and client authentication.

Before you begin

Before you start to use this scenario, make sure that you have completed the prerequisite tasks listed in Getting started with IBM MQ Internet Pass-Thru, and have read the topic SSL/TLS support in MQIPT.

About this task

The connection is made between an IBM MQ client and a IBM MQ server through two instances of MQIPT. The connection between MQIPT 1 and MQIPT 2 uses TLS, with MQIPT 1 acting as the TLS client, and MQIPT 2 acting as the TLS server.

During the TLS handshake, the server sends its test certificate to the client. The client uses its copy of the certificate, with the trust-as-peer flag, to authenticate the server. The client then sends its test certificate to the server. The server uses its copy of the certificate, with the trust-as-peer flag, to authenticate the client. The CipherSuite SSL_RSA_WITH_AES_256_CBC_SHA256 is used. The mqipt.conf configuration file in this scenario is based on the configuration file created in the Verifying that MQIPT is working correctly scenario.

Figure 1. SSL/TLS client network diagram
See text.

This diagram shows the connection from the IBM MQ client (called client1.company1.com on port 1415) through two instances of MQIPT to the IBM MQ server (called server1.company2.com on port 1414).

Procedure

To authenticating a TLS client, complete the following steps:

  1. On the MQIPT 1 system:
    1. Edit mqipt.conf and add the following route definition:
      [route]
      ListenerPort=1415
      Destination=10.100.6.7
      DestinationPort=1416
      SSLClient=true
      SSLClientKeyRing=C:\\mqipt\\samples\\ssl\\sslSample.pfx
      SSLClientKeyRingPW=<mqiptPW>1!PCaB1HWrFMOp43ngjwgArg==!6N/vsbqru7iqMhFN+wozxQ==
      SSLClientCipherSuites=SSL_RSA_WITH_AES_256_CBC_SHA256
    2. Open a command prompt and start MQIPT:
      C:\mqipt\bin\mqipt C:\mqiptHome -n ipt1
      where C:\mqiptHome indicates the location of the MQIPT configuration file, mqipt.conf, and ipt1 is the name to be given to the instance of MQIPT.
      The following messages indicate that MQIPT has started successfully:
      5724-H72 (C) Copyright IBM Corp. 2000, 2024. All Rights Reserved
      MQCPI001 IBM MQ Internet Pass-Thru V9.2.0.0 starting
      MQCPI004 Reading configuration information from mqipt.conf
      MQCPI152 MQIPT name is ipt1
      MQCPI021 Password checking has been enabled on the command port
      MQCPI011 The path C:\mqiptHome\logs will be used to store the log files
      MQCPI006 Route 1415 is starting and will forward messages to :
      MQCPI034 ....10.100.6.7(1416)
      MQCPI035 ....using MQ protocol
      MQCPI036 ....SSL Client side enabled with properties :
      MQCPI139 ......secure socket protocols <NULL>
      MQCPI031 ......cipher suites SSL_RSA_WITH_AES_256_CBC_SHA256
      MQCPI032 ......key ring file C:\\mqipt\\samples\\ssl\\sslSample.pfx
      MQCPI047 ......CA key ring file <NULL>
      MQCPI071 ......site certificate uses UID=*,CN=*,T=*,OU=*,DC=*,O=*,STREET=*,L=*,ST=*,PC=*,C=*,DNQ=*
      MQCPI038 ......peer certificate uses UID=*,CN=*,T=*,OU=*,DC=*,O=*,STREET=*,L=*,ST=*,PC=*,C=*,DNQ=*
      MQCPI078 Route 1415 ready for connection requests
  2. On the MQIPT 2 system:
    1. Edit mqipt.conf and add the following route definition:
      [route]
      ListenerPort=1416
      Destination=Server1.company2.com
      DestinationPort=1414
      SSLServer=true
      SSLServerAskClientAuth=true
      SSLServerKeyRing=C:\\mqipt\\samples\\ssl\\sslSample.pfx
      SSLServerKeyRingPW=<mqiptPW>1!PCaB1HWrFMOp43ngjwgArg==!6N/vsbqru7iqMhFN+wozxQ==
      SSLServerCipherSuites=SSL_RSA_WITH_AES_256_CBC_SHA256
    2. Open a command prompt and start MQIPT:
      C:
      cd \mqipt\bin
      mqipt .. -n ipt2
      where .. indicates that the MQIPT configuration file, mqipt.conf, is in the parent directory, and ipt2 is the name to be given to the instance of MQIPT.
      The following messages indicate that MQIPT has started successfully:
      5724-H72 (C) Copyright IBM Corp. 2000, 2024. All Rights Reserved
      MQCPI001 IBM MQ Internet Pass-Thru V9.2.0.0 starting
      MQCPI004 Reading configuration information from mqipt.conf
      MQCPI152 MQIPT name is ipt2
      MQCPI021 Password checking has been enabled on the command port
      MQCPI011 The path C:\mqipt\logs will be used to store the log files
      MQCPI006 Route 1416 is starting and will forward messages to :
      MQCPI034 ....Server1.company2.com(1414)
      MQCPI035 ....using MQ protocol
      MQCPI037 ....SSL Server side enabled with properties :
      MQCPI139 ......secure socket protocols <NULL>
      MQCPI031 ......cipher suites SSL_RSA_WITH_AES_256_CBC_SHA256
      MQCPI032 ......key ring file C:\\mqipt\\samples\\ssl\\sslSample.pfx
      MQCPI047 ......CA key ring file <NULL>
      MQCPI071 ......site certificate uses UID=*,CN=*,T=*,OU=*,DC=*,O=*,STREET=*,L=*,ST=*,PC=*,C=*,DNQ=*
      MQCPI038 ......peer certificate uses UID=*,CN=*,T=*,OU=*,DC=*,O=*,STREET=*,L=*,ST=*,PC=*,C=*,DNQ=*
      MQCPI033 ......client authentication set to true
      MQCPI078 Route 1416 ready for connection requests
  3. At a command prompt on the IBM MQ client system, enter the following commands:
    1. Set the MQSERVER environment variable:
      SET MQSERVER=MQIPT.CONN.CHANNEL/tcp/10.9.1.2(1415)
    2. Put a message:
      amqsputc MQIPT.LOCAL.QUEUE MQIPT.QM1
      Hello world
      Press Enter twice after typing the message string.
    3. Get the message:
      amqsgetc MQIPT.LOCAL.QUEUE MQIPT.QM1
      The message, "Hello world" is returned.