Route properties
The mqipt.conf configuration file can contain properties for individual routes.
The [route] section of the mqipt.conf configuration file can contain the following properties:
- Active
- The route accepts incoming connections only if the value of Active is set to true. This means that we can temporarily shut off access to the destination, by setting this value to false, without having to delete the [route] section from the configuration file. If you change this property to false, the route is stopped when a refresh command is issued. All connections to the route are stopped.
- ClientAccess
- The route allows incoming client channel connections only if the value of ClientAccess is set to true. Note that potentially we can configure MQIPT to accept client requests only, queue manager requests only, or both types of request. Use this property in conjunction with the QMgrAccess property. If you change this property to false, the route is stopped, and restarted when a refresh command is issued. All connections to the route are stopped.
- Destination
- The host name (or dotted decimal IP address) of the queue manager, or subsequent MQIPT instance, to which this route is to connect. Each [route] section must contain an explicit Destination value, but several [route] sections can refer to the same destination. If a change to this property affects a route, the route is stopped, and restarted when a refresh command is issued. All connections to the route are stopped. When using the SocksProxyHost property the Destination property must use the dotted decimal format.
- DestinationPort
- The port on the destination host to which this route is to connect. Each [route] section must contain an explicit DestinationPort value, but several routes can refer to the same combination of Destination and DestinationPort values. If a change to this property affects a route, the route is stopped, and restarted when a refresh command is issued. All connections to the route are stopped.
- HTTP
- Set HTTP to true for routes responsible for making outbound HTTP tunneling requests. The Destination property for the route must be the host name of another MQIPT when HTTP is set to true. Set HTTP to false for routes connected to IBM MQ queue managers. If you change this property, the route is stopped. At least one of the HTTPProxy or HTTPServer properties must also be specified when HTTP is set to true. This property cannot be used in conjunction with the SocksClient property.
- HTTPProxy
- The host name (or dotted decimal IP address) of the HTTP proxy used by all connections for this route. A CONNECT request is issued to the HTTP proxy, instead of the POST request that is normally used when no HTTP proxy is configured. If you change this property (and HTTP is set to true), the route is stopped, and restarted when a refresh command is issued. All connections to the route are stopped.
- HTTPProxyPort
- The port address to use on the HTTP proxy. The default value is 8080. If you change this property (and HTTP is set to true), the route is stopped, and restarted when a refresh command is issued. All connections to the route are stopped.
- HTTPServer
- The host name (or dotted decimal IP address) of the HTTP server used by all connections for this route. This is usually the host name of another MQIPT.
- HTTPS
- Set HTTPS to true to make HTTPS requests. The HTTP and SSLClient properties must also be enabled, and the SSLClientKeyRing and SSLClientKeyRingPW properties set as for SSL/TLS operation. If you change the HTTPS property (and HTTP is set to true), the route is stopped, and restarted when a refresh command is issued. All connections to the route are stopped.
- HTTPServerPort
- The port address to use on the HTTP server. The default value is 8080, unless HTTPProxy is specified, in which case the default value is the route DestinationPort.
- IdleTimeout
- The time, in minutes, after which an idle connection is closed. Note that queue manager to queue manager channels also have the DISCINT property. If you set the IdleTimeout parameter, take note of DISCINT. If IdleTimeout is set to 0, there is no idle timeout. Changes to this property take effect only when the route is restarted.
- IgnoreExpiredCRLs
- Set IgnoreExpiredCRLs to true to ignore an expired CRL. The default value is false. Note that if you set IgnoreExpiredCRLs to true, a revoked certificate could be used to make an SSL/TLS connection.
- LDAP
- Set LDAP to true to enable use of an LDAP server when using SSL/TLS connections. MQIPT will use the LDAP server to retrieve CRLs and ARLs. The SSLClient property or SSLServer property must also be set to true for this property to take effect.
- LDAPCacheTimeout
- The expiry time, in hours, of the temporary cache in which a CRL retrieved from an LDAP server is stored. After this time, the entire CRL cache is emptied. For example, specifying a value of 1 hour means that the cache is emptied once per hour. The default value is 24. If you specify a timeout value of 0, entries in the cache will not expire until the route is restarted. If you change this property (and LDAP is set to true), the route is stopped, and restarted when a refresh command is issued. All connections to the route are stopped.
- LDAPIgnoreErrors
- Set LDAPIgnoreErrors to true to ignore any connection or timeout errors when performing an LDAP search. If MQIPT cannot perform a successful search, it will not allow the client connection to complete, unless this property has been enabled. A successful search means that a CRL has been retrieved or there are no CRLs available for the specified CA. If you change this property (and LDAP is set to true), the route is stopped, and restarted when a refresh command is issued. All connections to the route are stopped. Note: If you enable this property, a revoked certificate could be used to make an SSL/TLS connection.
- LDAPSaveCRLs
- LDAPSaveCRLs is deprecated in version 2.1 of MQIPT. The parameter is included for compatibility with earlier versions, but has no effect. LDAP CRLs are therefore no longer cached on disk in the key-ring file, but are retrieved after each restart.
- LDAPServer1
- The host name or IP address of the main LDAP server. This property must be set if LDAP has been set to true. If you change this property (and LDAP is set to true), the route is stopped, and restarted when a refresh command is issued. All connections to the route are stopped.
- LDAPServer1Port
- The listening port number of the main LDAP server. The default value is 389. If you change this property (and LDAP is set to true), the route is stopped, and restarted when a refresh command is issued. All connections to the route are stopped.
- LDAPServer1Userid
- The user ID needed to access the main LDAP server. This property must be set if authorization to access the main LDAP server is required. If you change this property (and LDAP is set to true), the route is stopped, and restarted when a refresh command is issued. All connections to the route are stopped.
- LDAPServer1Password
- The password needed to access the main LDAP server. This property must be set if LDAPServer1Userid has been set to true. If you change this property (and LDAP is set to true), the route is stopped, and restarted when a refresh command is issued. All connections to the route are stopped.
- LDAPServer1Timeout
- The time, in seconds, that MQIPT waits for a response from the main LDAP server. The default value is 0, which means the connection will not time out. If you change this property (and LDAP is set to true), the route is stopped, and restarted when a refresh command is issued. All connections to the route are stopped.
- LDAPServer2
- The host name or IP address of the backup LDAP server. This property is optional. If you change this property (and LDAP is set to true), the route is stopped, and restarted when a refresh command is issued. All connections to the route are stopped.
- LDAPServer2Port
- The listening port number of the backup LDAP server. The default value is 389. If you change this property (and LDAP is set to true), the route is stopped, and restarted when a refresh command is issued. All connections to the route are stopped.
- LDAPServer2Userid
- The userid needed to access the backup LDAP server. This property must be set if authorization to access the backup LDAP server is required. If you change this property (and LDAP is set to true), the route is stopped, and restarted when a refresh command is issued. All connections to the route are stopped.
- LDAPServer2Password
- The password needed to access the backup LDAP server. This property must be set if LDAPServer2 has been set to true. If you change this property (and LDAP is set to true), the route is stopped, and restarted when a refresh command is issued. All connections to this route are stopped.
- LDAPServer2Timeout
- The time, in seconds, that MQIPT will wait for a response from the backup LDAP server. The default value is 0, which means the connection will not time out. If you change this property (and LDAP is set to true), the route is stopped, and restarted when a refresh command is issued. All connections to the route are stopped.
- ListenerAddress
- Use this property if the MQIPT system has multiple IP addresses and you need to bind the route listener port to a specific address. This is useful for restricting inbound connections to those from a particular network interface. The value of this property should be an IP address belonging to one of the network interfaces on the system where MQIPT is running. The default is to accept connections from all network interfaces.
- ListenerPort
- The port number on which the route should listen for incoming requests. Each [route] section must contain an explicit ListenerPort value. The ListenerPort values set in each section must be distinct. Any valid port number can be used, including ports 80 and 443, provided that the ports chosen are not already in use by any other TCP/IP listener running on the same host.
- LocalAddress
- The IP address to bind all connections to for this route on this computer. The chosen address must be an IP address that is associated with one of the network interfaces on the computer on which MQIPT is running. If you change this property, the route is stopped, and restarted when a refresh command is issued. All connections to the route are stopped.
- MaxConnectionThreads
- The maximum number of connection threads, and thus the maximum number of concurrent connections, that can be handled by this route. If this limit is reached, the MaxConnectionThreads value also indicates the number of connections that are queued when all the threads are in use. Beyond that number, subsequent connection requests are refused. The minimum allowed value is the greater of 1 and the value of MinConnectionThreads. If a change to this property affects a route, the new value is used when the refresh command is issued. All connections use the new value immediately. The route is not stopped.
- MinConnectionThreads
- The number of connection threads allocated to handle incoming connections on a route when the route is started. The number of threads allocated does not drop below this value during the time the route is active. The minimum allowed value is the lesser of 0 and the value of MaxConnectionThreads. Changes to this property take effect only when the route is restarted.
- Name
- A name to help identify the route. This property is optional. The value is shown in console messages and tracing information. Changes to this property take effect only when the route is restarted.
- NDAdvisor
- Set NDAdvisor to true for routes managed by the Network Dispatcher to allow the route to respond to requests from the custom advisor. If you change this property to false, the route is stopped when a refresh command is issued. All connections to the route are stopped. To use the NDAdvisorReplaceMode property, set NDAdvisor to true.
- NDAdvisorReplaceMode
- Set NDAdvisorReplaceMode to true to use the replace mode of the Network Dispatcher custom advisor. You must have started the mqipt_replace custom advisor for the port number specified in ListenerPort. Set this property to false to use normal mode. You must set the NDAdvisor property to true to use this property.
- OutgoingPort
- The starting port number used by outgoing connections. The range of port numbers matches the MaxConnectionThreads value for this route. The default value of 0 uses a system-defined port number. If you change this property, the route is stopped and restarted when a refresh command is issued. All connections to this route are stopped. When HTTP is used, each channel connection requires two outgoing ports. See Port number control.
- QMgrAccess
- Set QMgrAccess to true to allow incoming queue manager channel connections (for example sender channels). If you change this property to false, the route is stopped when a refresh command is issued. All connections to this route are stopped.
- RouteRestart
- Set RouteRestart to false to stop the route from restarting when other route properties have been changed and a refresh command has been issued. The default value for this property is true.
- SecurityExit
- Set SecurityExit to true to enable a user-defined security exit. The default value for this property is false.
- SecurityExitName
- The class name of the user-defined security exit. This property must be set if SecurityExit has been set to true. If you change this property (and SecurityExit is set to true), the route is stopped, and restarted when a refresh command is issued. All connections to this route are stopped.
- SecurityExitPath
- The fully-qualified path name containing the user-defined security exit. If this property has not been set, then it will default to the exits subdirectory. This property can also define the name of a Java archive (JAR) file containing the user-defined security exit. If you change this property (and SecurityExit is set to true), the route is stopped and restarted when a refresh command is issued. All connections to this route are stopped.
- SecurityExitTimeout
- The timeout value (in seconds) used by MQIPT to determine how long to wait for a response when validating a connection request. The default value is 30. If you change this property (and SecurityExit is set to true), the route is stopped, and restarted when a refresh command is issued. All connections to the route are stopped.
- SocksClient
- Set SocksClient to true to make the route act as a SOCKS client and define all connections through the SOCKS proxy with the SocksProxyHost and SocksProxyPort properties. If you change this property, the route is stopped, and restarted when a refresh command is issued. All connections to the route are stopped. This property cannot be used with:
  - HTTP
  - SocksServer
  - SSLClient
  - SSLProxyMode
- SocksProxyHost
- The host name (or dotted decimal IP address) of the SOCKS proxy that all connections for this route use. If you change this property (and SocksClient is set to true), the route is stopped, and restarted when a refresh command is issued. All connections to this route are stopped. When using the SocksProxyHost property the Destination property must use the dotted decimal format.
- SocksProxyPort
- The port number to use on a SOCKS proxy. The default value is 1080. If you change this property (and SocksClient is set to true), the route is stopped, and restarted when a refresh command is issued. All connections to the route are stopped.
- SocksServer
- Set SocksServer to true to make the route act as a SOCKS proxy and accept SOCKS client connections. If you change this property, the route is stopped, and restarted when a refresh command is issued. All connections to the route are stopped. This property cannot be used with the following properties:
  - SocksClient
  - SSLProxyMode
  - SSLServer
- SSLClient
- Set SSLClient to true to make the route act as an SSL/TLS client and make outgoing SSL/TLS connections. Setting SSLClient to true implies that the destination is either another instance of MQIPT acting as an SSL/TLS server, or an HTTP proxy/server. You must specify the name of a key-ring file either with the SSLClientKeyRing property or the SSLClientCAKeyRing property. If you change SSLClient, the route is stopped, and restarted when a refresh command is issued. All connections to this route are stopped. This property cannot be used in conjunction with the following property:
  - SSLProxyMode
- SSLClientCAKeyRing
- The fully-qualified file name of the key-ring file containing CA certificates, used to authenticate certificates from the SSL/TLS server. On Windows platforms, you must use a double backslash (\\) as the file separator. If you change this property (and SSLClient is set to true), the route is stopped, and restarted when a refresh command is issued. All connections to the route are stopped.
- SSLClientCAKeyRingPW
- The fully-qualified file name of the file containing the password to open the client CA key-ring file. On Windows platforms, you must use a double backslash (\\) as the file separator. If you change this property (and SSLClient is set to true), the route is stopped, and restarted when a refresh command is issued. All connections to this route are stopped.
- SSLClientCipherSuites
- The name of the SSL/TLS CipherSuite to use on the SSL/TLS client side. This can be one or more of the supported CipherSuites. If you leave this property blank, the SSL/TLS client uses the supported CipherSuites from the SSLClientKeyRing. If you change this property (and SSLClient is set to true), the route is stopped, and restarted when a refresh command is issued. All connections to this route are stopped.
- SSLClientConnectTimeout
- The time (in seconds) that an SSL/TLS client waits for an SSL/TLS connection to be accepted. If you change this property (and SSLClient is set to true), the route is stopped, and restarted when a refresh command is issued. All connections to the route are stopped.
- SSLClientDN_C
- Use this property to accept certificates received from the SSL/TLS server that match this country name. The name can be prefixed or suffixed with an asterisk (*) to extend its scope. Certificate matching is not case sensitive. If we do not specify this property, all country names are accepted. If you change this property (and SSLClient is set to true), the route is stopped, and restarted when a refresh command is issued. All connections to the route are stopped.
- SSLClientDN_CN
- Use this property to accept certificates received from the SSL/TLS server that match this common name. The name can be prefixed or suffixed with an asterisk (*) to extend its scope. Certificate matching is not case sensitive. If we do not specify this property, all common names are accepted. If you change this property (and SSLClient is set to true), the route is stopped, and restarted when a refresh command is issued. All connections to the route are stopped.
- SSLClientDN_DC
- Use this property to accept certificates received from the SSL/TLS server that match this domain component. The name can be prefixed or suffixed with an asterisk (*) to extend its scope. Certificate matching is not case sensitive. We can specify multiple DCs by separating them with commas. Each DC represents an element in a domain name, for example the domain name example.ibm.com is represented as example,ibm,com using commas to separate the multiple values. If we do not specify this property, all domain components are accepted. If you change this property (and SSLClient is set to true), the route is stopped, and restarted when a refresh command is issued. All connections to the route are stopped.
- SSLClientDN_DNQ
- Use this property to accept certificates received from the SSL/TLS server that match this domain qualifier. The name can be prefixed or suffixed with an asterisk (*) to extend its scope. Certificate matching is not case sensitive. If we do not specify this property, all domain qualifiers are accepted. If you change this property (and SSLClient is set to true), the route is stopped, and restarted when a refresh command is issued. All connections to the route are stopped.
- SSLClientDN_L
- Use this property to accept certificates received from the SSL/TLS server that match this location. The name can be prefixed or suffixed with an asterisk (*) to extend its scope. Certificate matching is not case sensitive. If you do not specify this property, all locations are accepted. If you change this property (and SSLClient is set to true), the route is stopped, and restarted when a refresh command is issued. All connections to the route are stopped.
- SSLClientDN_O
- Use this property to accept certificates received from the SSL/TLS server that match this organization. The name can be prefixed or suffixed with an asterisk (*) to extend its scope. Certificate matching is not case sensitive. If we do not specify this property, certificates are accepted from all organizations. If you change this property (and SSLClient is set to true), the route is stopped, and restarted when a refresh command is issued. All connections to the route are stopped.
- SSLClientDN_OU
- Use this property to accept certificates received from the SSL/TLS server that match this Organizational Unit (OU). The name can be prefixed or suffixed with an asterisk (*) to extend its scope. We can specify multiple OUs by separating them with commas. (Match a literal comma by prefixing it with a backslash (\) character.) Certificate matching is not case sensitive. If we do not specify this property, certificates are accepted with any OU name. If you change this property (and SSLClient is set to true), the route is stopped and restarted when a refresh command is issued. All connections to this route are stopped.
- SSLClientDN_PC
- Use this property to accept certificates received from the SSL/TLS server that match this postal code. The name can be prefixed or suffixed with an asterisk (*) to extend its scope. Certificate matching is not case sensitive. If we do not specify this property, all postal codes are accepted. If you change this property (and SSLClient is set to true), the route is stopped, and restarted when a refresh command is issued. All connections to the route are stopped.
- SSLClientDN_ST
- Use this property to accept certificates received from the SSL/TLS server that match this state. The name can be prefixed or suffixed with an asterisk (*) to extend its scope. Certificate matching is not case sensitive. If we do not specify this property, certificates are accepted from servers in all states. If you change this property (and SSLClient is set to true), the route is stopped, and restarted when a refresh command is issued. All connections to the route are stopped.
- SSLClientDN_Street
- Use this property to accept certificates received from the SSL/TLS server that match this street name. The name can be prefixed or suffixed with an asterisk (*) to extend its scope. Certificate matching is not case sensitive. If we do not specify this property, all street names are accepted. If you change this property (and SSLClient is set to true), the route is stopped, and restarted when a refresh command is issued. All connections to the route are stopped.
- SSLClientDN_T
- Use this property to accept certificates received from the SSL/TLS server that match this title. The name can be prefixed or suffixed with an asterisk (*) to extend its scope. Certificate matching is not case sensitive. If we do not specify this property, all titles are accepted. If you change this property (and SSLClient is set to true), the route is stopped, and restarted when a refresh command is issued. All connections to the route are stopped.
- SSLClientDN_UID
- Use this property to accept certificates received from the SSL/TLS server that match this user ID. The name can be prefixed or suffixed with an asterisk (*) to extend its scope. Certificate matching is not case sensitive. If we do not specify this property, all user IDs are accepted. If you change this property (and SSLClient is set to true), the route is stopped, and restarted when a refresh command is issued. All connections to the route are stopped.
- SSLClientExit
- Use this property to enable or disable the use of an exit when the route is acting as an SSL/TLS client. This allows you to define exit details in the configuration file without them actually being used.
- SSLClientKeyRing
- The fully-qualified file name of the key-ring file containing the client certificate; on Windows platforms, you must use a double backslash (\\) as the file separator. You must specify SSLClientKeyRing if you set SSLClient to true. If you change SSLClientKeyRing (and SSLClient is set to true), the route is stopped, and restarted when a refresh command is issued. All connections to the route are stopped.
- SSLClientKeyRingPW
- The fully-qualified file name containing the password to open the client key-ring file; on Windows platforms, you must use a double backslash (\\) as the file separator. You must specify SSLClientKeyRingPW if you set SSLClient to true. If you change SSLClientKeyRingPW (and SSLClient is set to true), the route is stopped, and restarted when a refresh command is issued. All connections to the route are stopped.
- SSLClientProtocols
- Used to restrict the set of enabled secure socket protocols that are used to make outbound connections to the destination for a route when SSLClient is set to true. We can specify multiple values by separating them with commas. If we do not specify this property, all supported JSSE protocols are enabled by default with the exception of SSL 3.0. From version 2.1.0.2 of MQIPT, you must explicitly set SSLv3 on this property for SSL 3.0 to be enabled.
Use the entry listed in the Value column in the route property. The corresponding entry in the Protocol column is for information only.
Table 1. Permitted values for SSL/TLS protocols

| Value | Protocol |
| --- | --- |
| SSLv3 | SSL 3.0 |
| TLSv1 | TLS 1.0 |
| TLSv1.1 | TLS 1.1 |
| TLSv1.2 | TLS 1.2 |

- SSLClientSiteDN_C
- Use this property to specify a country name to select a certificate to send to the SSL/TLS server. Certificate matching is not case sensitive. If we do not specify this property, certificates are accepted with any country name. If you change this property (and SSLClient is set to true), the route is stopped, and restarted when a refresh command is issued. All connections to the route are stopped.
- SSLClientSiteDN_CN
- Use this property to specify a common name to select a certificate to send to the SSL/TLS server. Certificate matching is not case sensitive. If we do not specify this property, certificates are accepted with any common name. If you change this property (and SSLClient is set to true), the route is stopped, and restarted when a refresh command is issued. All connections to the route are stopped.
- SSLClientSiteDN_DC
- Use this property to specify a domain component name to select a certificate to send to the SSL/TLS server. Certificate matching is not case sensitive. We can specify multiple DCs by separating them with commas. Each DC represents an element in a domain name, for example the domain name example.ibm.com is represented as example,ibm,com using commas to separate the multiple values. If we do not specify this property, certificates are accepted with any domain component name. If you change this property (and SSLClient is set to true), the route is stopped, and restarted when a refresh command is issued. All connections to the route are stopped.
- SSLClientSiteDN_DNQ
- Use this property to specify a domain qualifier to select a certificate to send to the SSL/TLS server. Certificate matching is not case sensitive. If we do not specify this property, certificates are accepted with any domain qualifier. If you change this property (and SSLClient is set to true), the route is stopped, and restarted when a refresh command is issued. All connections to the route are stopped.
- SSLClientSiteDN_L
- Use this property to specify a Location name to select a certificate to send to the SSL/TLS server. Certificate matching is not case sensitive. If we do not specify this property, certificates are accepted with any location name. If you change this property (and SSLClient is set to true), the route is stopped, and restarted when a refresh command is issued. All connections to the route are stopped.
- SSLClientSiteDN_O
- Use this property to specify an Organization name to select a certificate to send to the SSL/TLS server. Certificate matching is not case sensitive. If we do not specify this property, certificates are accepted with any organization name. If you change this property (and SSLClient is set to true), the route is stopped, and restarted when a refresh command is issued. All connections to the route are stopped.
- SSLClientSiteDN_OU
- Use this property to specify an Organizational Unit (OU) name to select a certificate to send to the SSL/TLS server. We can specify multiple OUs by separating them with commas. (Match a literal comma by prefixing it with a backslash (\) character.) Certificate matching is not case sensitive. If we do not specify this property, certificates are accepted with any OU name. If you change this property (and SSLClient is set to true), the route is stopped and restarted when a refresh command is issued. All connections to this route are stopped.
- SSLClientSiteDN_PC
- Use this property to specify a postal code to select a certificate to send to the SSL/TLS server. Certificate matching is not case sensitive. If we do not specify this property, certificates are accepted with any postal code. If you change this property (and SSLClient is set to true), the route is stopped, and restarted when a refresh command is issued. All connections to the route are stopped.
- SSLClientSiteDN_ST
- Use this property to specify a State name to select a certificate to send to the SSL/TLS server. Certificate matching is not case sensitive. If we do not specify this property, certificates are accepted with any state name. If you change this property (and SSLClient is set to true), the route is stopped, and restarted when a refresh command is issued. All connections to the route are stopped.
- SSLClientSiteDN_Street
- Use this property to specify a street name to select a certificate to send to the SSL/TLS server. Certificate matching is not case sensitive. If we do not specify this property, certificates are accepted with any street name. If you change this property (and SSLClient is set to true), the route is stopped, and restarted when a refresh command is issued. All connections to the route are stopped.
- SSLClientSiteDN_T
- Use this property to specify a title to select a certificate to send to the SSL/TLS server. Certificate matching is not case sensitive. If we do not specify this property, certificates are accepted with any title. If you change this property (and SSLClient is set to true), the route is stopped, and restarted when a refresh command is issued. All connections to the route are stopped.
- SSLClientSiteDN_UID
- Use this property to specify a user ID to select a certificate to send to the SSL/TLS server. Certificate matching is not case sensitive. If we do not specify this property, certificates are accepted with any user ID. If you change this property (and SSLClient is set to true), the route is stopped, and restarted when a refresh command is issued. All connections to the route are stopped.
- SSLClientSiteLabel
- Use this property to specify a label name to select a certificate to send to the SSL/TLS server. If we do not specify this property, certificates are accepted with any label name. If you change this property (and SSLClient is set to true), the route is stopped, and restarted when a refresh command is issued. All connections to the route are stopped.
- SSLExitData
- Use this property to provide a user-defined string to be passed to the exit.
- SSLExitName
- Use this property to define the class name for the exit that will be called when the route is acting as an SSL/TLS client or an SSL/TLS server. The name must include any package name; for example, com.ibm.mq.ipt.exit.TestExit.
- SSLExitPath
- Use this property to define the location of the exit to be used to load a copy of the exit. The name must be a fully qualified name to be used to locate the class file or the name of a .jar file that contains the class file; for example, C:\mqipt\exits or C:\mqipt\exits\exits.jar.
- SSLExitTimeout
- Use this property to define how long MQIPT waits for the exit to complete before terminating the connection request. A value of 0 means that MQIPT waits indefinitely.
- SSLPlainConnections
- Use this property to specify whether SSL/TLS is mandatory for connections to the MQIPT listener port of a route configured to accept inbound SSL/TLS connections. This property is applicable to routes that have either the SSLServer or SSLProxyMode property set to true. If enabled, this property allows unencrypted connections to connect to the route listener port, which means that MQIPT can forward all IBM MQ connections to the queue manager's listener port regardless of whether the connection is encrypted. If we do not set this parameter, or set it to false, only inbound SSL/TLS connections are allowed. If you change this property, the route is stopped, and restarted when a refresh command is issued. All connections to the route are stopped.
- SSLProxyMode
- Set this property to true to make the route accept only SSL/TLS client connection requests and to tunnel the request directly to the destination. If you change this property, the route is stopped and restarted when a refresh command is issued. All connections to this route are stopped. This property cannot be used in conjunction with the following properties:
  - SocksClient
  - SocksServer
  - SSLClient
  - SSLServer
- SSLServer
- Set this property to true to make the route act as an SSL/TLS server and accept incoming SSL/TLS connections. Setting SSLServer to true implies that the caller is another MQIPT acting as an SSL/TLS client, or is an IBM MQ client or queue manager with SSL/TLS enabled. If you change this property, the route is stopped, and restarted when a refresh command is issued. All connections to the route are stopped. This property cannot be used in conjunction with the following properties:
  - SocksServer
  - SSLProxyMode
- SSLServerCAKeyRing
- The fully-qualified file name of the key-ring file containing CA certificates, used to authenticate certificates from the SSL/TLS client. On Windows platforms, you must use a double backslash (\\) as the file separator. If you change this property (and SSLServer is set to true), the route is stopped, and restarted when a refresh command is issued. All connections to this route are stopped.
- SSLServerCAKeyRingPW
- The fully-qualified file name containing the password to open the server CA key-ring file. On Windows platforms, you must use a double backslash (\\) as the file separator. If you change this property (and SSLServer is set to true), the route is stopped, and restarted when a refresh command is issued. All connections to this route are stopped.
- SSLServerAskClientAuth
- Use this property to request SSL/TLS client authentication by the SSL/TLS server. The SSL/TLS client must have its own certificate to send to the SSL/TLS server. The certificate is retrieved from the key-ring file. If you change this property (and SSLServer is set to true), the route is stopped, and restarted when a refresh command is issued. All connections to this route are stopped.
- SSLServerCipherSuites
- The name of the SSL/TLS CipherSuite to use on the SSL/TLS server side. This can be one or more of the supported CipherSuites. If you leave this blank, the SSL/TLS server uses the supported CipherSuites from the SSLServerKeyRing property. If you change this property (and SSLServer is set to true), the route is stopped, and restarted when a refresh command is issued. All connections to this route are stopped.
- SSLServerDN_C
- Use this property to accept certificates received from the SSL/TLS client of this country name. The name can be prefixed or suffixed with an asterisk (*) to extend its scope. Certificate matching is not case sensitive. If we do not specify this property, certificates are accepted with any country name. If you change this property (and SSLServer is set to true), the route is stopped, and restarted when a refresh command is issued. All connections to the route are stopped.
- SSLServerDN_CN
- Use this property to accept certificates received from the SSL/TLS client of this common name. The name can be prefixed or suffixed with an asterisk (*) to extend its scope. Certificate matching is not case sensitive. If we do not specify this property, certificates are accepted with any common name. If you change this property (and SSLServer is set to true), the route is stopped, and restarted when a refresh command is issued. All connections to the route are stopped.
- SSLServerDN_DC
- Use this property to accept certificates received from the SSL/TLS client of this domain component name. The name can be prefixed or suffixed with an asterisk (*) to extend its scope. Certificate matching is not case sensitive. We can specify multiple DCs by separating them with commas. Each DC represents an element in a domain name, for example the domain name example.ibm.com is represented as example,ibm,com using commas to separate the multiple values. If we do not specify this property, certificates are accepted with any domain component name. If you change this property (and SSLServer is set to true), the route is stopped, and restarted when a refresh command is issued. All connections to the route are stopped.
- SSLServerDN_DNQ
- Use this property to accept certificates received from the SSL/TLS client of this domain qualifier. The name can be prefixed or suffixed with an asterisk (*) to extend its scope. Certificate matching is not case sensitive. If we do not specify this property, certificates are accepted with any domain qualifier. If you change this property (and SSLServer is set to true), the route is stopped, and restarted when a refresh command is issued. All connections to the route are stopped.
- SSLServerDN_L
- Use this property to accept certificates received from the SSL/TLS client of this location. The name can be prefixed or suffixed with an asterisk (*) to extend its scope. Certificate matching is not case sensitive. If we do not specify this property, certificates are accepted with any location. If you change this property (and SSLServer is set to true), the route is stopped, and restarted when a refresh command is issued. All connections to the route are stopped.
- SSLServerDN_O
- Use this property to accept certificates received from the SSL/TLS client of this organization. The name can be prefixed or suffixed with an asterisk (*) to extend its scope. Certificate matching is not case sensitive. If we do not specify this property, certificates are accepted with any organization. If you change this property (and SSLServer is set to true), the route is stopped, and restarted when a refresh command is issued. All connections to the route are stopped.
- SSLServerDN_OU
- Use this property to accept certificates received from the SSL/TLS client of this Organizational Unit (OU). The name can be prefixed or suffixed with an asterisk (*) to extend its scope. We can specify multiple OUs by separating them with commas. (Match a literal comma by prefixing it with a backslash (\) character.) Certificate matching is not case sensitive. If we do not specify this property, certificates are accepted with any OU name. If you change this property (and SSLServer is set to true), the route is stopped and restarted when a refresh command is issued. All connections to this route are stopped.
- SSLServerDN_PC
- Use this property to accept certificates received from the SSL/TLS client of this postal code. The name can be prefixed or suffixed with an asterisk (*) to extend its scope. Certificate matching is not case sensitive. If we do not specify this property, certificates are accepted with any postal code. If you change this property (and SSLServer is set to true), the route is stopped, and restarted when a refresh command is issued. All connections to the route are stopped.
- SSLServerDN_ST
- Use this property to accept certificates received from the SSL/TLS client of this state. The name can be prefixed or suffixed with an asterisk (*) to extend its scope. Certificate matching is not case sensitive. If we do not specify this property, certificates are accepted with any state. If you change this property (and SSLServer is set to true), the route is stopped, and restarted when a refresh command is issued. All connections to the route are stopped.
- SSLServerDN_Street
- Use this property to accept certificates received from the SSL/TLS client of this street name. The name can be prefixed or suffixed with an asterisk (*) to extend its scope. Certificate matching is not case sensitive. If we do not specify this property, certificates are accepted with any street name. If you change this property (and SSLServer is set to true), the route is stopped, and restarted when a refresh command is issued. All connections to the route are stopped.
- SSLServerDN_T
- Use this property to accept certificates received from the SSL/TLS client of this title. The name can be prefixed or suffixed with an asterisk (*) to extend its scope. Certificate matching is not case sensitive. If we do not specify this property, certificates are accepted with any title. If you change this property (and SSLServer is set to true), the route is stopped, and restarted when a refresh command is issued. All connections to the route are stopped.
- SSLServerDN_UID
- Use this property to accept certificates received from the SSL/TLS client of this user ID. The name can be prefixed or suffixed with an asterisk (*) to extend its scope. Certificate matching is not case sensitive. If we do not specify this property, certificates are accepted with any user ID. If you change this property (and SSLServer is set to true), the route is stopped, and restarted when a refresh command is issued. All connections to the route are stopped.
- SSLServerExit
- Use this property to enable or disable the use of an exit when the route is acting as an SSL/TLS server. This allows you to define exit details in the configuration file without them actually being used.
- SSLServerKeyRing
- The fully-qualified file name of the key-ring file containing the server certificate; on Windows platforms, you must use a double backslash (\\) as the file separator. You must specify SSLServerKeyRing if you set SSLServer to true. If you change this SSLServerKeyRing property (and SSLServer is set to true), the route is stopped, and restarted when a refresh command is issued. All connections to the route are stopped.
- SSLServerKeyRingPW
- The fully-qualified file name containing the password to open the server key-ring file; on Windows platforms, you must use a double backslash (\\) as the file separator. You must specify SSLServerKeyRingPW if you set SSLServer to true. If you change this SSLServerKeyRingPW property (and SSLServer is set to true), the route is stopped, and restarted when a refresh command is issued. All connections to the route are stopped.
- SSLServerProtocols
- Used to restrict the set of enabled secure socket protocols that are used to accept inbound connections to the route listener port for a route when SSLServer is set to true. We can specify multiple values by separating them with commas. If we do not specify this property, all supported JSSE protocols are enabled by default with the exception of SSL 3.0. From version 2.1.0.2 of MQIPT, you must explicitly set SSLv3 on this property for SSL 3.0 to be enabled.
Use the entry listed in the Value column in the route property. The corresponding entry in the Protocol column is for information only.
Table 2. Permitted values for SSL/TLS protocols

| Value | Protocol |
| --- | --- |
| SSLv3 | SSL 3.0 |
| TLSv1 | TLS 1.0 |
| TLSv1.1 | TLS 1.1 |
| TLSv1.2 | TLS 1.2 |

- SSLServerSiteDN_C
- Use this property to specify a country name to select a certificate to send to the SSL/TLS client. Certificate matching is not case sensitive. If we do not specify this property, certificates are accepted with any country name. If you change this property (and SSLServer is set to true), the route is stopped, and restarted when a refresh command is issued. All connections to the route are stopped.
- SSLServerSiteDN_CN
- Use this property to specify a Common Name to select a certificate to send to the SSL/TLS client. Certificate matching is not case sensitive. If we do not specify this property, certificates are accepted with any common name. If you change this property (and SSLServer is set to true), the route is stopped, and restarted when a refresh command is issued. All connections to the route are stopped.
- SSLServerSiteDN_DC
- Use this property to specify a domain component name to select a certificate to send to the SSL/TLS client. Certificate matching is not case sensitive. We can specify multiple DCs by separating them with commas. Each DC represents an element in a domain name, for example the domain name example.ibm.com is represented as example,ibm,com using commas to separate the multiple values. If we do not specify this property, certificates are accepted with any domain component name. If you change this property (and SSLServer is set to true), the route is stopped, and restarted when a refresh command is issued. All connections to the route are stopped.
- SSLServerSiteDN_DNQ
- Use this property to specify a domain qualifier to select a certificate to send to the SSL/TLS client. Certificate matching is not case sensitive. If we do not specify this property, certificates are accepted with any domain qualifier. If you change this property (and SSLServer is set to true), the route is stopped, and restarted when a refresh command is issued. All connections to the route are stopped.
- SSLServerSiteDN_L
- Use this property to specify a Location name to select a certificate to send to the SSL/TLS client. Certificate matching is not case sensitive. If we do not specify this property, certificates are accepted with any location name. If you change this property (and SSLServer is set to true), the route is stopped, and restarted when a refresh command is issued. All connections to the route are stopped.
- SSLServerSiteDN_O
- Use this property to specify an organization name to select a certificate to send to the SSL/TLS client. Certificate matching is not case sensitive. If we do not specify this property, certificates are accepted with any organization name. If you change this property (and SSLServer is set to true), the route is stopped, and restarted when a refresh command is issued. All connections to the route are stopped.
- SSLServerSiteDN_OU
- Use this property to specify an Organizational Unit (OU) name to select a certificate to send to the SSL/TLS client. We can specify multiple OUs by separating them with commas. (Match a literal comma by prefixing it with a backslash (\) character.) Certificate matching is not case sensitive. If we do not specify this property, certificates are accepted with any OU name. If you change this property (and SSLServer is set to true), the route is stopped and restarted when a refresh command is issued. All connections to this route are stopped.
- SSLServerSiteDN_PC
- Use this property to specify a postal code to select a certificate to send to the SSL/TLS client. Certificate matching is not case sensitive. If we do not specify this property, certificates are accepted with any postal code. If you change this property (and SSLServer is set to true), the route is stopped, and restarted when a refresh command is issued. All connections to the route are stopped.
- SSLServerSiteDN_ST
- Use this property to specify a State name to select a certificate to send to the SSL/TLS client. Certificate matching is not case sensitive. If we do not specify this property, certificates are accepted with any state name. If you change this property (and SSLServer is set to true), the route is stopped, and restarted when a refresh command is issued. All connections to the route are stopped.
- SSLServerSiteDN_Street
- Use this property to specify a street name to select a certificate to send to the SSL/TLS client. Certificate matching is not case sensitive. If we do not specify this property, certificates are accepted with any street name. If you change this property (and SSLServer is set to true), the route is stopped, and restarted when a refresh command is issued. All connections to the route are stopped.
- SSLServerSiteDN_T
- Use this property to specify a title to select a certificate to send to the SSL/TLS client. Certificate matching is not case sensitive. If we do not specify this property, certificates are accepted with any title. If you change this property (and SSLServer is set to true), the route is stopped, and restarted when a refresh command is issued. All connections to the route are stopped.
- SSLServerSiteDN_UID
- Use this property to specify a user ID to select a certificate to send to the SSL/TLS client. Certificate matching is not case sensitive. If we do not specify this property, certificates are accepted with any user ID. If you change this property (and SSLServer is set to true), the route is stopped, and restarted when a refresh command is issued. All connections to the route are stopped.
- SSLServerSiteLabel
- Use this property to specify a label name to select a certificate to send to the SSL/TLS client. If we do not specify this property, certificates are accepted with any label name. If you change this property (and SSLServer is set to true), the route is stopped, and restarted when a refresh command is issued. All connections to the route are stopped.
- TCPKeepAlive
- Set this property to true to enable the sending of TCP/IP keep-alive packets periodically to prevent the connections on this route becoming idle. This reduces the chances of the MQIPT connections being severed by a firewall or router. The sending of TCP/IP keep-alive packets is controlled by operating system tuning parameters; consult your operating system documentation for further details on how to tune keep-alive. If we do not set this parameter, or set it to false, keep-alive packets are not sent.
- Trace
- The level of tracing required for this route. Enabling trace for one route does not enable trace for any other routes. If you need to trace more than one route, you must add the Trace property to the [route] section of each route to be traced. This property should be an integer in the range 0 - 5, where 0 indicates that trace is disabled, and any other value indicates that trace is enabled. The default value is 0. If the [route] section does not include a Trace property, the Trace property from the [global] section is used. For information about tracing threads that are not associated with a route, see Trace in the [global] section. If a change to this property affects a route, the new value is used when the refresh command is issued. All connections use the new value immediately. The route is not stopped.
- UriName
- This property can be used to change the name of the Uniform Resource Identifier of the resource when using an HTTP proxy, although the default value will suffice for most configurations:
HTTP://destination:destination_port/mqipt
If you change this property (and HTTP is set to true), the route is stopped, and restarted when a refresh command is issued.
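The constraints stated above for SSLServer, SSLProxyMode, SSLPlainConnections and SSLServerProtocols can be checked mechanically before a refresh. The following Python audit is an added example, not IBM code; it assumes the `[route]` / `Name=value` layout with `#` comments, compares property names and true/false values case-insensitively, runs against a constructed sample configuration, and flags TLS 1.0/1.1 as a policy choice (RFC 8996) that the page itself does not state.

```python
import re

# Constructed sample in the mqipt.conf layout: repeated [route] sections of Name=value lines.
SAMPLE_CONF = """\
[route]
ListenerPort=1415
Destination=qm1.example.com
DestinationPort=1414
SSLServer=true
SSLServerKeyRing=/opt/mqipt/ssl/server.pfx
SSLServerKeyRingPW=/opt/mqipt/ssl/server.pwd
SSLServerProtocols=TLSv1.2

[route]
ListenerPort=1416
Destination=qm2.example.com
DestinationPort=1414
SSLServer=true
SSLProxyMode=true
SSLPlainConnections=true
SSLServerProtocols=SSLv3,TLSv1.2
"""

# Mutually exclusive pairs, as listed under SSLProxyMode and SSLServer.
CONFLICTS = [("SSLProxyMode", "SocksClient"), ("SSLProxyMode", "SocksServer"),
             ("SSLProxyMode", "SSLClient"), ("SSLProxyMode", "SSLServer"),
             ("SSLServer", "SocksServer")]

def parse_routes(text):
    """Return one dict per [route] section; section names repeat, so configparser is unsuitable."""
    routes, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            current = {} if header.group(1).lower() == "route" else None
            if current is not None:
                routes.append(current)
        elif current is not None and "=" in line:
            name, value = line.split("=", 1)
            current[name.strip().lower()] = value.strip()  # assumption: names are case-insensitive
    return routes

def enabled(route, name):
    return route.get(name.lower(), "false").lower() == "true"

def audit_route(route):
    """Return findings for one route, based on the rules in the property descriptions."""
    findings = [f"conflict:{a}+{b}" for a, b in CONFLICTS if enabled(route, a) and enabled(route, b)]
    if enabled(route, "SSLServer"):
        findings += [f"missing:{p}" for p in ("SSLServerKeyRing", "SSLServerKeyRingPW")
                     if not route.get(p.lower())]
        protocols = {p.strip() for p in route.get("sslserverprotocols", "").split(",") if p.strip()}
        if not protocols:
            findings.append("protocols:unset")  # all supported JSSE protocols except SSL 3.0 are on
        # SSLv3 must be set explicitly to be enabled; TLSv1/TLSv1.1 flagged per RFC 8996 (policy).
        findings += [f"protocols:{p}" for p in ("SSLv3", "TLSv1", "TLSv1.1") if p in protocols]
    tls_inbound = enabled(route, "SSLServer") or enabled(route, "SSLProxyMode")
    if tls_inbound and enabled(route, "SSLPlainConnections"):
        findings.append("plaintext:SSLPlainConnections")  # unencrypted connections are accepted
    return findings

def audit(text):
    """Map each route's ListenerPort to its list of findings."""
    return {r.get("listenerport", "?"): audit_route(r) for r in parse_routes(text)}
```

Calling `audit(SAMPLE_CONF)` returns an empty list for the route on port 1415 and five findings for the route on port 1416.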