Using the IBM WebSphere MQ Explorer to connect to a remote queue manager using SSL-enabled MQI channels

The IBM® WebSphere® MQ Explorer connects to remote queue managers using an MQI channel. If you want to secure the MQI channel using SSL security, you must establish the channel using a client channel definition table.

For information about how to establish an MQI channel using a client channel definition table, see Overview of IBM WebSphere MQ MQI clients.

When you have established the channel using a client channel definition table, you can use the IBM WebSphere MQ Explorer to connect to a remote queue manager using an SSL-enabled MQI channel, as described in Tasks on the system that hosts the remote queue manager and Tasks on the system that hosts the IBM WebSphere MQ Explorer.

Tasks on the system that hosts the remote queue manager

On the system hosting the remote queue manager, perform the following tasks:
  1. Define a server connection and client connection pair of channels, and specify the appropriate value for the SSLCIPH variable on the server connection on both channels. For more information about the SSLCIPH variable, see Protecting channels with SSL.
  2. Send the channel definition table AMQCLCHL.TAB, which is found in the queue manager's @ipcc directory, to the system hosting the IBM WebSphere MQ Explorer.
  3. Start a TCP/IP listener on a designated port.
  4. Place both the CA and personal SSL certificates into the SSL directory of the queue manager:
    • /var/mqm/qmgrs/+QMNAME+/SSL for UNIX and Linux® systems
    • C:\Program Files\WebSphere MQ\qmgrs\+QMNAME+\SSL for Windows systems

      Where +QMNAME+ is a token representing the name of the queue manager.

  5. Create a key database file of type CMS named key.kdb. Stash the password in a file either by checking the option in the iKeyman GUI, or by using the -stash option with the runmqckm commands.
  6. Add the CA certificates to the key database created in the previous step.
  7. Import the personal certificate for the queue manager into the key database.
For more detailed information about working with the Secure Sockets Layer on Windows systems, see Working with SSL or TLS on UNIX, Linux and Windows systems.
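The following shell function is an added example, not IBM code: it checks that the files produced by steps 2 and 5 above exist and that the key database and its password stash are not accessible to other users. The function names are hypothetical, the caller supplies the queue manager's SSL and @ipcc directories, and the stash file is assumed to be key.sth, the name the -stash option gives it for a database called key.kdb.

```shell
#!/bin/sh
# Added example (not IBM code): verify the files the queue-manager-side
# steps should leave behind. Both directory arguments are supplied by the
# caller: the SSL directory and the @ipcc directory of the queue manager.

# Succeeds if "other" users can read or write the file.
world_accessible() {
    [ -n "$(find "$1" -prune \( -perm -004 -o -perm -002 \) -print 2>/dev/null)" ]
}

# Prints one line per problem and returns the number of problems (0 = OK).
check_qmgr_ssl() {
    ssl_dir=$1
    ipcc_dir=$2
    problems=0

    # Step 5: CMS key database key.kdb plus its stash file. The -stash option
    # writes the stash next to the database with a .sth extension.
    for f in "$ssl_dir/key.kdb" "$ssl_dir/key.sth"; do
        if [ ! -s "$f" ]; then
            echo "MISSING  $f"
            problems=$((problems + 1))
        elif world_accessible "$f"; then
            # Anyone who can read the stash file can open the key database.
            echo "EXPOSED  $f (readable or writable by other users)"
            problems=$((problems + 1))
        fi
    done

    # Step 2: the channel table that is sent to the MQ Explorer host.
    if [ ! -s "$ipcc_dir/AMQCLCHL.TAB" ]; then
        echo "MISSING  $ipcc_dir/AMQCLCHL.TAB"
        problems=$((problems + 1))
    fi

    return "$problems"
}
```

Call it as `check_qmgr_ssl <ssl_dir> <ipcc_dir>`; a non-zero exit status is the number of problems reported.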

Tasks on the system that hosts the IBM WebSphere MQ Explorer

On the system hosting the IBM WebSphere MQ Explorer, perform the following tasks:
  1. Create a key database file of type JKS named key.jks. Set a password for this key database file.

    The IBM WebSphere MQ Explorer uses Java keystore files (JKS) for SSL security, and so the keystore file being created for configuring SSL for the IBM WebSphere MQ Explorer must match this.

  2. Add the CA certificates to the key database created in the previous step.
  3. Import the personal certificate for the queue manager into the key database.
  4. On Windows and Linux systems, start MQ Explorer by using the system menu, the MQExplorer executable file, or the strmqcfg command.
  5. From the IBM WebSphere MQ Explorer toolbar, click Window -> Preferences, then expand WebSphere MQ Explorer and click SSL Client Certificate Stores. Enter the name of, and password for, the JKS file created in step 1 of Tasks on the system that hosts the IBM WebSphere MQ Explorer, in both the Trusted Certificate Store and the Personal Certificate Store, then click OK.
  6. Close the Preferences window, and right-click Queue Managers. Click Show/Hide Queue Managers, and then click Add on the Show/Hide Queue Managers screen.
  7. Type the name of the queue manager, and select the Connect directly option. Click Next.
  8. Select Use client channel definition table (CCDT) and specify the location of the channel table file that you transferred from the remote queue manager in step 2 of Tasks on the system that hosts the remote queue manager.
  9. Click Finish. You can now access the remote queue manager from the IBM WebSphere MQ Explorer.