Running MQIPT in TLS proxy mode with a security manager

You can run MQIPT in TLS proxy mode, so that it accepts a TLS connection request from an IBM® MQ TLS client and tunnels it to an IBM MQ TLS server. By using a security manager with MQIPT, you can restrict the addresses to which messages can be sent.

Before you begin

Note: The use of the Java security manager with MQIPT is deprecated, because the Java security manager itself has been deprecated for removal in a future release of Java.

Before you start to use this scenario, make sure that you have completed the prerequisite tasks listed in Getting started with IBM MQ Internet Pass-Thru.

About this task

Figure 1. SSL/TLS proxy mode network diagram

This diagram shows the connection flow from the IBM MQ client (client1.company1.com on port 1415) through MQIPT to the IBM MQ server (server1.company2.com on port 1414).

For further information on configuring TLS for IBM MQ, refer to Working with SSL/TLS.

Procedure

To run MQIPT in TLS proxy mode with a security manager, complete the following steps:

  1. Configure the IBM MQ client and server to use a TLS connection.
    1. Create a key repository for the queue manager.
    2. Create a key repository for the client in the C:\ProgramData\IBM\MQ directory. Call it clientkey.kdb.
    3. Create a personal certificate for the queue manager, in the queue manager key repository that you created in step 1.a.
    4. Create a personal certificate for the client, in the client key repository that you created in step 1.b.
    5. Extract the personal certificate from the server key repository and add it to the client repository.
    6. Extract the personal certificate from the client key repository and add it to the server key repository.
    7. Alter the MQIPT.CONN.CHANNEL server connection channel to use TLS by using the MQSC command:
      ALTER CHANNEL(MQIPT.CONN.CHANNEL) CHLTYPE(SVRCONN) TRPTYPE(TCP) 
      SSLCIPH(TLS_RSA_WITH_AES_128_CBC_SHA256)
  2. On the MQIPT computer (see the diagram), copy the sample Java security manager policy to the MQIPT home directory, by entering the following command at a command prompt:
    copy C:\mqipt\samples\mqiptSample.policy C:\mqiptHome\mqipt.policy
  3. Start the Policy Tool utility by using the following command:
    C:\mqipt\java\jre\bin\policytool
    In the policy tool:
    1. Click File > Open, then select C:\mqiptHome\mqipt.policy.
    2. Select:
      file:/C:/Program Files/IBM/IBM MQ Internet Pass-Thru/lib/com.ibm.mq.ipt.jar
      then click Edit Policy Entry
    3. Change CodeBase from:
      file:/C:/Program Files/IBM/IBM MQ Internet Pass-Thru/lib/com.ibm.mq.ipt.jar
      to:
      file:/C:/mqipt/lib/com.ibm.mq.ipt.jar
    4. Change the file permissions for the IBM MQ Internet Pass-Thru, errors and logs directories from:
      C:\Program Files\IBM\IBM MQ Internet Pass-Thru
      to:
      C:\mqiptHome
    5. Change the other file permissions from:
      C:\Program Files\IBM\IBM MQ Internet Pass-Thru
      to:
      C:\mqipt
    6. Click Add Permission
      Complete the fields as follows:
      Permission: java.net.SocketPermission
      Target: client1.company1.com:1024-
      Actions: accept, listen, resolve
    7. Click File > Save to save the changes to the policy file.
  4. Edit mqipt.conf. Add the following properties to the [global] section and add the following route definition:
    [global]
    SecurityManager=true
    SecurityManagerPolicy=C:\mqiptHome\mqipt.policy
    
    [route]
    ListenerPort=1415
    Destination=server1.company2.com
    DestinationPort=1414
    SSLProxyMode=true
  5. Start MQIPT.
    Open a command prompt, and enter the following command:
    C:\mqipt\bin\mqipt C:\mqiptHome -n ipt1
    where C:\mqiptHome indicates the location of the MQIPT configuration file, mqipt.conf, and ipt1 is the name to be given to the instance of MQIPT.
    The following messages indicate that MQIPT has started successfully:
    5724-H72 (C) Copyright IBM Corp. 2000, 2024. All Rights Reserved
    MQCPI001 IBM MQ Internet Pass-Thru V9.4.0.0 starting
    MQCPI004 Reading configuration information from mqipt.conf
    MQCPI152 MQIPT name is ipt1
    MQCPI055 Setting the java.security.policy to C:\mqiptHome\mqipt.policy
    MQCPI053 Starting the Java Security Manager
    MQCPI021 Password checking has been enabled on the command port
    MQCPI011 The path C:\mqiptHome\mqipt\logs will be used to store the log files
    MQCPI006 Route 1415 has started and will forward messages to :
    MQCPI034 ....server1.company2.com(1414)
    MQCPI035 ....using SSLProxyMode protocol
    MQCPI078 Route 1415 ready for connection requests
  6. At a command prompt on the IBM MQ client system, enter the following command to run the TLS sample program:
    AMQSSSLC -m MQIPT.QM1 -c MQIPT.CONN.CHANNEL -x 10.9.1.2(1415)
             -k "C:\ProgramData\IBM\MQ\clientkey" -l cert_label -s TLS_RSA_WITH_AES_128_CBC_SHA256
    where cert_label is the label of the client certificate that you created in step 1.d.
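The point of the security manager in this scenario is that the policy file, not mqipt.conf, decides which addresses MQIPT may accept from and connect to. The following added example (not IBM code) checks a policy against the route definitions: it parses the [route] sections of mqipt.conf and the java.net.SocketPermission entries of the policy, reports any connect or accept permission a route needs but the policy lacks, and flags connect grants that no route uses. The inputs are constructed from this page: the route from step 4, the accept permission from step 3.f, plus an assumed connect permission for the route destination (the page does not show the contents of the sample policy); hostnames are matched exactly, so *.domain wildcards are not modelled.

```python
import re

# Constructed inputs mirroring this page; the connect permission is an assumption.
MQIPT_CONF = """[global]
SecurityManager=true
[route]
ListenerPort=1415
Destination=server1.company2.com
DestinationPort=1414
SSLProxyMode=true"""
POLICY = """grant codeBase "file:/C:/mqipt/lib/com.ibm.mq.ipt.jar" {
  permission java.net.SocketPermission "client1.company1.com:1024-", "accept, listen, resolve";
  permission java.net.SocketPermission "server1.company2.com:1414", "connect, resolve";
};"""
PERM_RE = re.compile(r'java\.net\.SocketPermission\s+"([^:"]+):([^"]+)"\s*,\s*"([^"]+)"')

def routes(conf):  # one dict per [route] section of mqipt.conf, keys as written in the file
    parts = re.split(r"^\[(\w+)\]\s*$", conf, flags=re.M)  # [pre, name, body, name, body, ...]
    return [dict(l.split("=", 1) for l in body.split() if "=" in l)
            for name, body in zip(parts[1::2], parts[2::2]) if name == "route"]

def socket_permissions(policy):  # (host, port_spec, {actions}) per SocketPermission entry
    return [(h, p, {a.strip() for a in acts.split(",")}) for h, p, acts in PERM_RE.findall(policy)]

def port_in_spec(spec, port):
    """Java SocketPermission port syntax: N, N-, -N or N-M (all bounds inclusive)."""
    lo, dash, hi = spec.partition("-")
    if not dash:
        return port == int(lo)
    return (not lo or int(lo) <= port) and (not hi or port <= int(hi))

def permits(perms, host, port, action):
    # Exact hostnames only; *.domain wildcards in real policies are not modelled here.
    return any(h == host and port_in_spec(p, port) and action in acts for h, p, acts in perms)

def check_policy(conf, policy, client_hosts, ephemeral_port=49152):
    """Return problems: permissions a route needs but lacks, and connect grants no route uses."""
    perms, problems, dests = socket_permissions(policy), [], set()
    for r in routes(conf):
        dest, dport, lport = r["Destination"], int(r["DestinationPort"]), r["ListenerPort"]
        dests.add(dest)
        if not permits(perms, dest, dport, "connect"):
            problems.append(f"route {lport}: no connect permission for {dest}:{dport}")
        for c in client_hosts:  # accept is checked against the remote client host and its port
            if not permits(perms, c, ephemeral_port, "accept"):
                problems.append(f"route {lport}: no accept permission for {c}")
    for h, p, acts in perms:
        if "connect" in acts and h not in dests:
            problems.append(f"policy allows connect to {h}:{p}, which no route uses")
    return problems
```

Run check_policy(MQIPT_CONF, POLICY, ["client1.company1.com"]) after editing either file; an empty list means the policy covers exactly the route's needs.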