How to configure an SSL connection between WebSphere MQ Server and TIBCO ActiveMatrix (R) Adapter for WebSphere MQ?


Article ID: KB0088202


Products: TIBCO ActiveMatrix Adapter for WebSphere MQ
Versions: Not Applicable

Description:
==========
Some secured environments require an SSL connection between the WebSphere MQ server and TIBCO ActiveMatrix Adapter for WebSphere MQ.

Environment:
==========
TIBCO ActiveMatrix(R) Adapter for WebSphere MQ 5.x, 6.x
Windows platform

Resolution:
=========
No special configuration is required in the adapter to support an SSL connection with the MQ server. The configuration is done at the MQSeries application level, between the MQ client and the MQ server. The MQ adapter in turn uses the secure connection between the MQ client and the MQ server to establish SSL connectivity with the MQ server.

Follow these steps to configure an SSL connection between an MQ client and an MQ server:

On the MQ server:

- Run the “IBM Key Management” program on the MQ server.

- Create a key database named “key.kdb”, set its type to “CMS” and save it under <WebSphereMQ install path>\Qmgrs\<queue manager name>\ssl.

- Enter and confirm the password. Note that you should check the option “save key to a file” and make sure the password meets the “Password Strength” requirement.

- Create a self-signed certificate. Make sure that the Key label has the following form:

“ibmwebspheremq###”, where ### stands for the queue manager name in lower case.
For example, “ibmwebspheremqqueuemanager”.

- Click the “extract certificate” button and save the self-signed certificate as “cert.arm”.

- Create a Server-connection channel and enable it for SSL by specifying a proper CipherSpec. Note that you should choose “optional” in the “Authentication of parties initiating connections” list.

- Create a Client-connection channel with the same name as the Server-connection channel. Make sure the “connection name” is the MQ server’s IP address and the listener’s port, such as 192.168.66.9(1414). Then enable it for SSL by specifying a proper CipherSpec, which should be the same as the Server-connection channel’s CipherSpec.

On the MQ Client side:

- Copy “cert.arm” to a temporary directory on the client machine.

- Copy the client channel table file AMQCLCHL.TAB (in WebSphere MQ\Qmgrs\<queue manager name>\SSL\@ipcc) to the client machine.

- Run the “IBM Key Management” program on the client side, such as the MQ Adapter machine.

- Create a key database named “key.kdb” and save it in a directory. This step is the same as in the configuration on the MQ server.

- Click the “Add” button and choose the “cert.arm” file that you copied from the MQ server machine. Then enter the Key label, which should be the same as on the server side.

- Set the MQCHLLIB and MQCHLTAB environment variables, for example “set MQCHLTAB=AMQCLCHL.TAB” and “set MQCHLLIB=<WebSphere MQ install path>\Qmgrs\<QManager name>\@ipcc”.

- Set MQSSLKEYR to point to the directory where the key database resides, for example “set MQSSLKEYR=C:\sslclient\key”. Note that the kdb file name is given without its extension.

- To test your configuration, you can run 'amqsputc <Qname> <Qmanager_name>' at the command prompt.
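
A preflight check for the client-side settings above, as an added PowerShell example (not TIBCO or IBM code). The function name Test-MqSslClientEnv is hypothetical, and the check for a .sth stash file assumes that is what the saved-password option in the key database step produces.

```powershell
# Added example: verify the MQ client SSL environment before testing with amqsputc.
# Test-MqSslClientEnv is a hypothetical helper name, not part of any product.
function Test-MqSslClientEnv {
    $problems = @()

    # All three variables from the client-side steps must be set.
    foreach ($name in 'MQCHLLIB', 'MQCHLTAB', 'MQSSLKEYR') {
        if (-not [Environment]::GetEnvironmentVariable($name)) {
            $problems += "$name is not set"
        }
    }
    if ($problems) { return $problems }

    # MQCHLLIB is the directory and MQCHLTAB the file name of the channel table.
    $tab = [IO.Path]::Combine($env:MQCHLLIB, $env:MQCHLTAB)
    if (-not (Test-Path -LiteralPath $tab -PathType Leaf)) {
        $problems += "Channel table not found: $tab"
    }

    # MQSSLKEYR names the key database without its .kdb extension.
    $keyr = $env:MQSSLKEYR
    if ($keyr -match '\.kdb$') {
        $problems += "MQSSLKEYR must not include the .kdb extension: $keyr"
        $keyr = $keyr -replace '\.kdb$', ''
    }
    if (-not (Test-Path -LiteralPath "$keyr.kdb" -PathType Leaf)) {
        $problems += "Key database not found: $keyr.kdb"
    }

    # Assumption: the saved password is a stash file (.sth) beside the .kdb.
    if (-not (Test-Path -LiteralPath "$keyr.sth" -PathType Leaf)) {
        $problems += "Password stash file not found: $keyr.sth"
    }
    return $problems
}

$result = @(Test-MqSslClientEnv)
if ($result.Count -eq 0) {
    Write-Output 'MQ client SSL environment looks consistent.'
} else {
    $result | ForEach-Object { Write-Warning $_ }
}
```

Run it from the same session in which the variables were set, because “set” only affects that command prompt and the processes started from it.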

References:
=========
Refer to the MQ documentation for more details on working with WebSphere MQ SSL support. The following steps show how to find the related information in the MQ documentation.

1). Open the MQ documentation, which you should have installed.

2). Enter SSL as a keyword in the Search box of the MQ documentation and click the "go" button.

3). In the list of search results, you can find "Working with WebSphere MQ SSL support". Click it to see more details about MQ SSL configuration.
