Configuring IBM Control Center and Websphere MQ to monitor Sterling Secure Proxy

Body

IBM Control Center (ICC) 6.0 introduced the ability to monitor Sterling Secure Proxy (SSP), however unlike the monitoring of Connect:Direct and Sterling integrator, there is no direct connection between ICC and the monitored server. Instead WebSphere MQ is used is used as intermediary message broker to facilitate the passing of events between SSP and ICC.



This article will guide you through the installation and configuration of the various components required for ICC, to successfully monitor SSP.



Firstly, an instance of WebSphere MQ must be installed and configured with a Queue Manager and Topic. This will allow SSP as the Producer to publish message events to the WebSphere MQ queue and SCC as the consumer to Subscribe and retrieve these event messages.



Download a copy of WebSphere MQ (Windows or Linux) and start the installer by selecting "WebSphere MQ" and "Launch IBM WebSphere MQ Installer".

After accepting the license terms, select a "Typical" set-up type:

Proceed with the installation, depending on the machine this may take several minutes to complete.

After the installation completes, the WebSphere MQ Configuration Wizard will automatically start:

If prompted about domain controllers, select "No" to prevent any interaction with any Windows Domain controllers that may be within range or "Yes" if your WebSphere MQ is to use a Domain Controller for user authentication.

After the Configuration Wizard completes, select "Launch WebSphere MQ Explorer" to continue with configuring the required Queue and Topic:

Once the WebSphere MQ Explorer has started, select "Queue Managers" and right click to create a New Queue Manager:

Give the Queue Manager a meaningful name. WebSphere MQ can potentially manager a large number of Queue Managers and using easily identifiable names will make life easier when troubleshooting any problems.



Leave all other values to default and click next:

Click next:

Ensure that the Queue manager is set to start automatically when WebSphere MQ is started.

Click Finish.

WebSphere MQ 8.0 introduced secure client connections by default, for test environments this is not really necessary so may be disabled.



Select the Queue Manager, right click and select "Properties":

Select "Communication" and set "Channel Authentication records" to "Disabled".

Click apply and OK.:

Now that you have a Queue Manager, you can create a Topic to which both SSP and ICC can subscribe.



From the Queue Manager drop down, select "Topics", right click and "New" "Topic":

Again, a single WebSphere MQ Queue Manager may be managing multiple Topics so give it a meaningful name.

The only required parameter is "Topic String" and this can be the same as the Topic name".

Click Finish to continue creating the Topic:

Ensure that it is created successfully:

Finally, check that the Topic is visible in the "Topics" display:

Make a note of the port that this Queue Manger is listening on, by selecting "Listeners" and check that the Listener is active. By default port 1414 is chosen and the LISTENER.TCP is active when the green arrow is pointing upwards. If the LISTENER.TCP is not active, a red arrow pointing downwards is displayed, this usually occurs when another Queue Manager is running and using this port. If this happens, edit your Queue Manager configuration and select another unused port.

Now that WebSphere MQ is configured and running successfully, SSP can be configured to subscribe and publish messages to the Queue Manager Topic.



Start the SSP CM Dashboard and select the "JMS Configuration" from the "System" tab.



You have the choice to create a new JMS Configuration or "Edit" the existing "AuditLogJmsConfig".

Enter the configuration details to enable SSP to connect to the WebSphere MQ Queue Manager and save when complete.



Userid: & Password: The Windows Administrator credentials or the Linux user credentials that the WebSphere MQ instance was installed under.

Host: IP Address or Host name where WebSphere MQ is installed.

Port: WebSphere MQ Queue Manager Listening Port.

Topic: WebSphere MQ Queue Manager Topic that SSP will publish messages to.

Provider Type: WebSphere MQ or ActiveMQ server where the Queue Manger is running; While SSP supports ActiveMQ, SCC currently only supports WebSphere MQ at this time.

Queue Manager: WebSphere MQ Queue Manager name.

Channel Name: WebSphere MQ Channel name used by SSP to connect to the Queue Manager, "SYSTEM.DEF.SVRCONN" is the default channel name if Secure Channel Authentication is enabled in a production environment the WebSphere MQ Administrator will supply the name to be used.

Once the SSP JMS Configuration is complete, select the "Globals" option and check "Enable JMS queuing for CM" so as to start SSP publishing event messages to the WebSphere MQ Queue Manager Topic. If you created a new JMS configuration, select the name from the "JMS connection info" drop down list. then click save.

Restart the SSP Configuration Manager to start SSP publishing event messages to WebSphere MQ.



The final step is to configure ICC to monitor the SSP Server by adding a new monitored server.

Enter the SSP Server name and click next:

Select "Sterling Secure Proxy" as the Server Type, click next and enter the "Connection" details.



Userid: & Password: The Windows Administrator credentials or the Linux user credentials that the WebSphere MQ instance was installed under.

Host: IP Address or Host name where WebSphere MQ is installed.

Port: WebSphere MQ Queue Manager Listening Port.

Topic: WebSphere MQ Queue Manager Topic that SSP will publish messages to.

Subscriber Name: A name that will uniquely identify this ICC instance to WebSphere MQ

Channel Name: WebSphere MQ Channel name used by SSP to connect to the Queue Manager, "SYSTEM.DEF.SVRCONN" is the default channel name if Secure Channel Authentication is enabled in a production environment the WebSphere MQ Administrator will supply the name to be used.

Queue Manager: WebSphere MQ Queue Manager name.
 

Click "Test Connection", if successful continue adding the monitored server to ICC by clicking next on each panel:

After a short while the status should change from "unknown" showing a question mark character(?):

And show as being monitored:

The IBM ICC Web Console will display statistic on SSP Monitored Servers, Engines and Adapters:

This includes the state of any adapters not running:

In this article, you learned how to quickly install and configure the various components needed for ICC and Websphere MQ to successfully monitor SSP.