Running MQIPT in TLS proxy mode with a security manager
You can run MQIPT in TLS proxy mode, so
that it accepts a TLS connection request from an IBM® MQ
TLS client and tunnels it to an IBM MQ TLS server. By
using a security manager with MQIPT, you can restrict
the addresses to which messages can be sent.
Before you begin
Note: The use of the Java security manager with MQIPT is deprecated, because the Java security manager itself is deprecated for removal in a future
release of Java.
This diagram shows the connection flow from the IBM MQ client (client1.company1.com on
port 1415) through MQIPT to the IBM MQ server (server1.company2.com on
port 1414).
For further information on configuring TLS for IBM MQ, refer to Working with
SSL/TLS.
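The restriction described above is only as tight as the java.net.SocketPermission grants in the policy file. The following check is an added example, not part of the IBM procedure or samples: it compares the connect grants in a policy file with the route destinations in mqipt.conf and lists any grant that reaches further. The two sample files are constructed for the hosts in the diagram, the function names are hypothetical, and the check ignores codeBase scoping and treats every grant block alike.

```python
import re

# Constructed sample files for the hosts in the diagram; not IBM's shipped samples.
SAMPLE_CONF = """
[global]
SecurityManager=true
[route]
ListenerPort=1415
Destination=server1.company2.com
DestinationPort=1414
SSLProxyMode=true
"""
SAMPLE_POLICY = """
grant {
  permission java.net.SocketPermission "client1.company1.com:1024-", "accept, listen, resolve";
  permission java.net.SocketPermission "server1.company2.com:1414", "connect, resolve";
  // permission java.net.SocketPermission "old.company2.com:1414", "connect";
  permission java.net.SocketPermission "*:1024-", "connect, resolve";
};
"""
PERM_RE = re.compile(r'permission\s+java\.net\.SocketPermission\s+"([^"]+)"\s*,\s*"([^"]+)"\s*;')

def route_destinations(conf_text):
    """Return {(host, port)} for every [route] section in mqipt.conf text."""
    routes, cur = [], None
    for line in (l.strip() for l in conf_text.splitlines()):
        if line.startswith("["):
            cur = {} if line.lower() == "[route]" else None
            routes.append(cur)
        elif cur is not None and "=" in line and not line.startswith("#"):
            key, value = line.split("=", 1)
            cur[key.strip()] = value.strip()
    # DestinationPort defaults to 1414 when a route omits it.
    return {(r["Destination"].lower(), r.get("DestinationPort", "1414"))
            for r in routes if r and "Destination" in r}

def excess_connect_grants(policy_text, conf_text):
    """List connect grants that do not exactly match a configured route destination."""
    allowed = route_destinations(conf_text)
    text = re.sub(r"/\*.*?\*/", "", policy_text, flags=re.S)   # drop block comments
    text = re.sub(r"^\s*//.*$", "", text, flags=re.M)          # drop comment lines
    excess = []
    for target, actions in PERM_RE.findall(text):
        if "connect" not in {a.strip().lower() for a in actions.split(",")}:
            continue
        host, _, port = target.rpartition(":")
        if (host.lower(), port) not in allowed:
            excess.append(target)
    return excess
```

For the constructed samples, excess_connect_grants(SAMPLE_POLICY, SAMPLE_CONF) reports the wildcard grant "*:1024-", which would let MQIPT connect to any host on an unprivileged port.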
Procedure
To run MQIPT in TLS proxy mode with a
security manager, complete the following steps:
Configure the IBM MQ client and
server to use a TLS connection.
Extract the personal certificate from the client key repository and add it to the
server key repository.
Alter the MQIPT.CONN.CHANNEL server connection channel to use TLS by using the MQSC
command:
ALTER CHANNEL(MQIPT.CONN.CHANNEL) CHLTYPE(SVRCONN) TRPTYPE(TCP) SSLCIPH(TLS_RSA_WITH_AES_128_CBC_SHA256)
On the MQIPT computer (see the diagram), copy the
sample Java security manager policy to the MQIPT home directory, by entering the following command at a
command prompt:
Open a command prompt, and enter the following command:
C:\mqipt\bin\mqipt C:\mqiptHome -n ipt1
where C:\mqiptHome
indicates the location of the MQIPT configuration
file, mqipt.conf, and ipt1 is the name to be given to the
instance of MQIPT.
The following messages indicate that MQIPT has started successfully:
5724-H72 (C) Copyright IBM Corp. 2000, 2024. All Rights Reserved
MQCPI001 IBM MQ Internet Pass-Thru V9.4.0.0 starting
MQCPI004 Reading configuration information from mqipt.conf
MQCPI152 MQIPT name is ipt1
MQCPI055 Setting the java.security.policy to C:\mqiptHome\mqipt.policy
MQCPI053 Starting the Java Security Manager
MQCPI021 Password checking has been enabled on the command port
MQCPI011 The path C:\mqiptHome\mqipt\logs will be used to store the log files
MQCPI006 Route 1415 has started and will forward messages to :
MQCPI034 ....server1.company2.com(1414)
MQCPI035 ....using SSLProxyMode protocol
MQCPI078 Route 1415 ready for connection requests
At a command prompt on the IBM MQ client
system, enter the following command to run the TLS sample program: