Ensure that MQIPT2 has a personal certificate, issued by the trusted
Certificate Authority (CA), stored in a key-ring file called myCert.pfx and
the encrypted password used to open the key-ring file is stored in
the file myCert.pwd.
Ensure that MQIPT1 has a copy of the trusted CA certificate that
will be used to authenticate the certificate sent by MQIPT2. This certificate
is stored in a key-ring file called caCerts.pfx and
the encrypted password used to open the key-ring file is stored in
the file caCerts.pwd.
The encrypted password files have been created by using the mqiptPW script.
About this task
In this scenario, the IBM MQ client connects to a queue manager (QM)
and puts an IBM MQ message on the
target queue. Running an MQIPT trace
on MQIPT1 shows the LDAP server being used to retrieve the CRL.
To demonstrate
how CRLs work, have the trusted CA revoke the personal certificate used by MQIPT2.
The IBM MQ client is then unable to connect to the QM,
because MQIPT1 rejects the TLS connection to MQIPT2 when it finds
the certificate on the retrieved CRL.
It is not the intention of this scenario
to explain how to install and set up an LDAP server nor how to create
a key-ring file containing personal or trusted certificates. It assumes
that the LDAP server is available from a known and trusted CA. A backup
LDAP server is not used, but could be implemented by adding the appropriate
Route properties.
Figure 1. LDAP server network diagram
This diagram shows the connection from the IBM MQ client (client1.company1.com on
port 1415) through two instances of MQIPT to
the IBM MQ server (server1.company2.com
on port 1414). The first MQIPT has
a connection to an LDAP server (crl.ca_company.com on port 389).
Procedure
To retrieve CRLs by using an LDAP server, complete the
following steps:
where C:\mqiptHome
indicates the location of the MQIPT configuration file,
mqipt.conf. The following message indicates successful completion:
5639-L92 (C) Copyright IBM Corp. 2000, 2017 All Rights Reserved
MQCPI001 IBM MQ Internet Pass-Thru Version 2.1.0.3 starting
MQCPI004 Reading configuration information from C:\mqiptHome\mqipt.conf
MQCPI011 The path C:\mqiptHome\logs will be used to store the log files
MQCPI006 Route 1415 has started and will forward messages to :
MQCPI034 ....10.100.6.7(1416)
MQCPI035 ....using MQ protocols
MQCPI036 ....SSL Client side enabled with properties :
MQCPI031 ......CipherSuites <NULL>
MQCPI032 ......keyring file <NULL>
MQCPI047 ......CA keyring file C:\mqipt\ssl\caCerts.pfx
MQCPI071 ......site certificate uses UID=*,CN=*,T=*,OU=*,DC=*,O=*,
STREET=*,L=*,ST=*,PC=*,C=*,DNQ=*
MQCPI038 ......peer certificate uses UID=*,CN=*,T=*,OU=*,DC=*,O=*,
STREET=*,L=*,ST=*,PC=*,C=*,DNQ=*
MQCPI075 ....LDAP main server at crl.ca_company.com(389)
MQCPI086 ......timeout of 4 second(s)
MQCPI084 ....CRL cache expiry timeout is 1 hour(s)
MQCPI085 ....CRLs will be saved in the key-ring file(s)
MQCPI078 Route 1415 ready for connection requests
where .. indicates that the MQIPT configuration file, mqipt.conf,
is in the parent directory. The following message indicates successful completion:
5639-L92 (C) Copyright IBM Corp. 2000, 2017 All Rights Reserved
MQCPI001 IBM IBM MQ Internet Pass-Thru Version 2.1.0.3 starting
MQCPI004 Reading configuration information from C:\mqipt\mqipt.conf
MQCPI011 The path C:\mqipt\logs will be used to store the log files
MQCPI006 Route 1416 is starting and will forward messages to :
MQCPI034 ....server1.company2.com(1414)
MQCPI035 ....using MQ protocols
MQCPI037 ....SSL Server side enabled with properties :
MQCPI031 ......CipherSuites <NULL>
MQCPI032 ......keyring file C:\mqipt\ssl\myCert.pfx
MQCPI047 ......CA keyring file <NULL>
MQCPI071 ......site certificate uses UID=*,CN=*,T=*,OU=*,DC=*,O=*,
STREET=*,L=*,ST=*,PC=*,C=*,DNQ=*
MQCPI038 ......peer certificate uses UID=*,CN=*,T=*,OU=*,DC=*,O=*,
STREET=*,L=*,ST=*,PC=*,C=*,DNQ=*
MQCPI033 ......client authentication set to false
MQCPI078 Route 1416 ready for connection requests
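The two startup transcripts above are the quickest way to confirm that a route is actually set up to check revocation: the SSL client-side route on MQIPT1 must report a CA key-ring (MQCPI047) and an LDAP server (MQCPI075), otherwise no CRL is ever fetched. The following script is an added example, not part of this IBM documentation or of MQIPT itself; it parses the MQCPI message lines (the sample transcripts embedded below are constructed from the output shown in this scenario, abbreviated) into per-route settings and then audits each route, reporting an SSL client route that lacks a CA key-ring or LDAP server, a long CRL cache expiry, and an SSL server route with client authentication off (MQIPT2 in this scenario, which therefore does not authenticate MQIPT1). The 24-hour cache threshold and the severity labels are the example's own choices, not MQIPT settings.

```python
"""Audit MQIPT startup messages for TLS/CRL posture (added example, not IBM code)."""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed samples: abbreviated from the MQIPT1 and MQIPT2 transcripts in this scenario.
MQIPT1_STARTUP = r"""
MQCPI001 IBM MQ Internet Pass-Thru Version 2.1.0.3 starting
MQCPI006 Route 1415 has started and will forward messages to :
MQCPI034 ....10.100.6.7(1416)
MQCPI036 ....SSL Client side enabled with properties :
MQCPI031 ......CipherSuites <NULL>
MQCPI032 ......keyring file <NULL>
MQCPI047 ......CA keyring file C:\mqipt\ssl\caCerts.pfx
MQCPI075 ....LDAP main server at crl.ca_company.com(389)
MQCPI086 ......timeout of 4 second(s)
MQCPI084 ....CRL cache expiry timeout is 1 hour(s)
MQCPI085 ....CRLs will be saved in the key-ring file(s)
MQCPI078 Route 1415 ready for connection requests
"""

MQIPT2_STARTUP = r"""
MQCPI006 Route 1416 is starting and will forward messages to :
MQCPI034 ....server1.company2.com(1414)
MQCPI037 ....SSL Server side enabled with properties :
MQCPI032 ......keyring file C:\mqipt\ssl\myCert.pfx
MQCPI047 ......CA keyring file <NULL>
MQCPI033 ......client authentication set to false
MQCPI078 Route 1416 ready for connection requests
"""

# Message id, then the dotted indentation, then the message body.
MSG = re.compile(r"^(MQCPI\d{3}) \.*(.*)$")


@dataclass
class Route:
    listener: str
    destination: str = ""
    ssl_client: bool = False
    ssl_server: bool = False
    keyring: str = ""
    ca_keyring: str = ""
    ldap_servers: List[str] = field(default_factory=list)
    client_auth: Optional[bool] = None
    crl_cache_hours: Optional[int] = None


def _path(body: str) -> str:
    """'keyring file <NULL>' -> '', 'CA keyring file C:\\x.pfx' -> 'C:\\x.pfx'."""
    value = body.split("file", 1)[1].strip()
    return "" if value == "<NULL>" else value


def parse_startup(text: str) -> List[Route]:
    """Group MQCPI messages into Route records; continuation lines without an id are skipped."""
    routes: List[Route] = []
    cur: Optional[Route] = None
    for raw in text.splitlines():
        m = MSG.match(raw.strip())
        if not m:
            continue
        code, body = m.groups()
        if code == "MQCPI006":                      # "Route 1415 has started ..."
            cur = Route(listener=body.split()[1])
            routes.append(cur)
        elif cur is None:
            continue
        elif code == "MQCPI034":
            cur.destination = body
        elif code == "MQCPI036":
            cur.ssl_client = True
        elif code == "MQCPI037":
            cur.ssl_server = True
        elif code == "MQCPI032":
            cur.keyring = _path(body)
        elif code == "MQCPI047":
            cur.ca_keyring = _path(body)
        elif code == "MQCPI075":                    # "LDAP main server at host(port)"
            cur.ldap_servers.append(body.split(" at ", 1)[1])
        elif code == "MQCPI033":
            cur.client_auth = body.strip().endswith("true")
        elif code == "MQCPI084":
            hours = re.search(r"(\d+) hour", body)
            cur.crl_cache_hours = int(hours.group(1)) if hours else None
    return routes


def audit(routes: List[Route], max_cache_hours: int = 24) -> List[Tuple[str, str, str]]:
    """Return (listener, severity, message) findings; thresholds are this example's choices."""
    findings = []
    for r in routes:
        if r.ssl_client:
            if not r.ca_keyring:
                findings.append((r.listener, "HIGH", "SSL client side has no CA key-ring; the peer certificate cannot be validated"))
            if not r.ldap_servers:
                findings.append((r.listener, "HIGH", "no LDAP server configured; CRLs are not retrieved from the CA"))
            if r.crl_cache_hours is not None and r.crl_cache_hours > max_cache_hours:
                findings.append((r.listener, "MEDIUM", f"CRL cache expiry of {r.crl_cache_hours}h exceeds {max_cache_hours}h"))
        if r.ssl_server and r.client_auth is False:
            findings.append((r.listener, "INFO", "client authentication is off; the route does not authenticate the connecting peer"))
    return findings


if __name__ == "__main__":
    for transcript in (MQIPT1_STARTUP, MQIPT2_STARTUP):
        for listener, severity, msg in audit(parse_startup(transcript)):
            print(f"route {listener}: {severity}: {msg}")
```

Run against the scenario's own output, MQIPT1's route 1415 produces no findings, while MQIPT2's route 1416 reports only the informational note that client authentication is off. Deleting the MQCPI075 line from a captured transcript (for instance after a configuration change) turns the route 1415 result into a HIGH finding, which is the condition a defender most wants to catch: the TLS connection still succeeds, but a revoked MQIPT2 certificate would no longer be rejected.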
At a command prompt on the IBM MQ client,
enter the following commands:
Set the MQSERVER environment variable:
SET MQSERVER=MQIPT.CONN.CHANNEL/tcp/10.9.1.2(1415)
Put a message:
amqsputc MQIPT.LOCAL.QUEUE MQIPT.QM1
Hello world
Press Enter twice after
typing the message string.