
Scenario: retrieving CRLs by using an LDAP server

We can configure MQIPT to use an LDAP server to retrieve certificate revocation lists (CRLs).


About this task

In this scenario, the IBM MQ client connects to a queue manager (QM) through two MQIPT instances and puts an IBM MQ message on the target queue. MQIPT1, the SSL/TLS client on the route, retrieves the CRL of the CA that issued the personal certificate of MQIPT2 from an LDAP server. An MQIPT trace on MQIPT1 shows the LDAP server being contacted.

To demonstrate that the CRL is checked, have the trusted CA revoke the personal certificate used by MQIPT2 and publish the updated CRL on the LDAP server. MQIPT1 then rejects the certificate of MQIPT2 during the SSL/TLS handshake, the connection from MQIPT1 to MQIPT2 fails, and the IBM MQ client cannot connect to the QM.

It is not the intention of this scenario to explain how to install and set up an LDAP server, nor how to create a key-ring file containing personal or trusted certificates. It assumes that an LDAP server publishing the CRL of a known and trusted CA is available. A backup LDAP server is not used, but one could be added by setting the appropriate Route properties.

Figure 1. LDAP server network diagram

This diagram shows the connection from the IBM MQ client (client1.company1.com on port 1415) through two instances of MQIPT to the IBM MQ server (server1.company2.com on port 1414). The first MQIPT has a connection to an LDAP server (crl.ca_company.com on port 389).


Procedure

To retrieve CRLs by using an LDAP server, complete the following steps:

  1. On MQIPT1:
    1. Edit mqipt.conf and add a route definition:
      [route]
      ListenerPort=1415
      Destination=10.100.6.7
      DestinationPort=1416
      SSLClient=true
      SSLClientCAKeyRing=C:\mqipt\ssl\caCerts.pfx
      SSLClientCAKeyRingPW=C:\mqipt\ssl\caCerts.pwd
      LDAP=true
      LDAPServer1=crl.ca_company.com
      LDAPServer1Timeout=4
    2. Open a command prompt and start MQIPT:
      C:\mqipt\bin\mqipt C:\mqiptHome
      where C:\mqiptHome indicates the location of the MQIPT configuration file, mqipt.conf. The following messages indicate successful completion:
      5639-L92 (C) Copyright IBM Corp. 2000, 2017 All Rights Reserved
      MQCPI001 IBM MQ Internet Pass-Thru Version 2.1.0.3 starting
      MQCPI004 Reading configuration information from C:\mqiptHome\mqipt.conf
      MQCPI011 The path C:\mqiptHome\logs will be used to store the log files
      MQCPI006 Route 1415 has started and will forward messages to :
      MQCPI034 ....10.100.6.7(1416)
      MQCPI035 ....using MQ protocols
      MQCPI036 ....SSL Client side enabled with properties :
      MQCPI031 ......CipherSuites <NULL>
      MQCPI032 ......keyring file <NULL>
      MQCPI047 ......CA keyring file C:\mqipt\ssl\caCerts.pfx
      MQCPI071 ......site certificate uses UID=*,CN=*,T=*,OU=*,DC=*,O=*,STREET=*,L=*,ST=*,PC=*,C=*,DNQ=*
      MQCPI038 ......peer certificate uses UID=*,CN=*,T=*,OU=*,DC=*,O=*,STREET=*,L=*,ST=*,PC=*,C=*,DNQ=*
      MQCPI075 ....LDAP main server at crl.ca_company.com(389)
      MQCPI086 ......timeout of 4 second(s)
      MQCPI084 ....CRL cache expiry timeout is 1 hour(s)
      MQCPI085 ....CRLs will be saved in the key-ring file(s)
      MQCPI078 Route 1415 ready for connection requests
  2. On MQIPT2:
    1. Edit mqipt.conf and add a route definition:
      [route]
      ListenerPort=1416
      Destination=server1.company2.com
      DestinationPort=1414
      SSLServer=true
      SSLServerKeyRing=C:\mqipt\ssl\myCert.pfx
      SSLServerKeyRingPW=C:\mqipt\ssl\myCert.pwd
    2. Open a command prompt and start MQIPT:
      C:
      cd \mqipt\bin
      mqipt ..
      where .. indicates that the MQIPT configuration file, mqipt.conf, is in the parent directory. The following messages indicate successful completion:
      5639-L92 (C) Copyright IBM Corp. 2000, 2017 All Rights Reserved
      MQCPI001 IBM MQ Internet Pass-Thru Version 2.1.0.3 starting
      MQCPI004 Reading configuration information from C:\mqipt\mqipt.conf
      MQCPI011 The path C:\mqipt\logs will be used to store the log files
      MQCPI006 Route 1416 is starting and will forward messages to :
      MQCPI034 ....server1.company2.com(1414)
      MQCPI035 ....using MQ protocols
      MQCPI037 ....SSL Server side enabled with properties :
      MQCPI031 ......CipherSuites <NULL>
      MQCPI032 ......keyring file C:\mqipt\ssl\myCert.pfx
      MQCPI047 ......CA keyring file <NULL>
      MQCPI071 ......site certificate uses UID=*,CN=*,T=*,OU=*,DC=*,O=*,STREET=*,L=*,ST=*,PC=*,C=*,DNQ=*
      MQCPI038 ......peer certificate uses UID=*,CN=*,T=*,OU=*,DC=*,O=*,STREET=*,L=*,ST=*,PC=*,C=*,DNQ=*
      MQCPI033 ......client authentication set to false
      MQCPI078 Route 1416 ready for connection requests
  3. At a command prompt on the IBM MQ client, enter the following commands:
    1. Set the MQSERVER environment variable:
      SET MQSERVER=MQIPT.CONN.CHANNEL/tcp/10.9.1.2(1415)
    2. Put a message:
      amqsputc MQIPT.LOCAL.QUEUE MQIPT.QM1
      Hello world
      Press Enter twice after typing the message string.
    3. Get the message:
      amqsgetc MQIPT.LOCAL.QUEUE MQIPT.QM1
      The message "Hello world" is returned.
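The revocation check that this scenario depends on can be rehearsed offline before the LDAP server and the two MQIPT instances are involved. The following script is an added example and is not part of the IBM MQ documentation or of MQIPT itself; it assumes only the openssl command-line tool. It builds a throwaway CA, issues a certificate that stands in for the personal certificate of MQIPT2, checks the certificate against an empty CRL, then has the CA revoke it, regenerates the CRL and repeats the check, which is the same chain-plus-CRL validation that MQIPT1 applies once it has fetched the CRL from the LDAP server. The CRL is also written in DER form, which is the encoding a directory serves in the certificateRevocationList attribute (RFC 4523). All names (Demo Trusted CA, mqipt2) and paths are constructed for the example.

```shell
#!/bin/sh
# Added example, not MQIPT code. Requires only the openssl CLI.
# Names and directories below are constructed for this demonstration.

# make_demo_pki DIR: create a CA and an end-entity certificate standing in
# for the personal certificate of MQIPT2, plus the database 'openssl ca' needs.
make_demo_pki() {
    dir=$1
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
        -subj "/O=ca_company/CN=Demo Trusted CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.pem" >/dev/null 2>&1
    openssl req -newkey rsa:2048 -nodes -sha256 \
        -subj "/O=company2/CN=mqipt2" \
        -keyout "$dir/mqipt2.key" -out "$dir/mqipt2.csr" >/dev/null 2>&1
    openssl x509 -req -sha256 -days 30 -in "$dir/mqipt2.csr" \
        -CA "$dir/ca.pem" -CAkey "$dir/ca.key" -CAcreateserial \
        -out "$dir/mqipt2.pem" >/dev/null 2>&1
    : > "$dir/index.txt"          # empty CA database: nothing revoked yet
    echo 01 > "$dir/crlnumber"    # CRL number, incremented on each CRL
    cat > "$dir/ca.cnf" <<EOF
[ ca ]
default_ca = demo_ca
[ demo_ca ]
database = $dir/index.txt
crlnumber = $dir/crlnumber
certificate = $dir/ca.pem
private_key = $dir/ca.key
default_md = sha256
default_crl_days = 7
EOF
}

# gen_crl DIR: publish the CA's current CRL as PEM and as DER (the form an
# LDAP directory stores in certificateRevocationList;binary).
gen_crl() {
    openssl ca -config "$1/ca.cnf" -gencrl -out "$1/crl.pem" >/dev/null 2>&1
    openssl crl -in "$1/crl.pem" -outform DER -out "$1/crl.der" >/dev/null 2>&1
}

# revoke_cert DIR CERT: the CA marks CERT as revoked in its database.
revoke_cert() {
    openssl ca -config "$1/ca.cnf" -revoke "$2" >/dev/null 2>&1
}

# cert_status DIR CERT: prints valid, revoked or invalid. Chain validation
# with the CRL applied is what MQIPT1 does to the certificate of MQIPT2.
cert_status() {
    dir=$1 cert=$2
    if openssl verify -crl_check -CAfile "$dir/ca.pem" \
            -CRLfile "$dir/crl.pem" "$cert" >/dev/null 2>&1; then
        echo valid
    elif openssl verify -CAfile "$dir/ca.pem" "$cert" >/dev/null 2>&1; then
        echo revoked    # chain is trusted; only the CRL check rejects it
    else
        echo invalid    # chain itself does not verify
    fi
}

# revoked_serials DIR: serial numbers listed in the CRL, i.e. what to look
# for in the CRL retrieved from the LDAP server.
revoked_serials() {
    openssl crl -in "$1/crl.pem" -noout -text | sed -n 's/^ *Serial Number: *//p'
}

# Run the scenario end to end: accepted first, rejected once the CA revokes it.
work=$(mktemp -d)
make_demo_pki "$work"
gen_crl "$work"
echo "before revocation: $(cert_status "$work" "$work/mqipt2.pem")"
revoke_cert "$work" "$work/mqipt2.pem"
gen_crl "$work"
echo "after revocation:  $(cert_status "$work" "$work/mqipt2.pem")"
echo "serials in CRL:    $(revoked_serials "$work")"
rm -rf "$work"
```

Two caveats follow from the MQIPT1 start-up messages above. MQCPI084 shows that the retrieved CRL is cached for one hour, so a certificate revoked after MQIPT1 has fetched the CRL keeps being accepted until the cache expires and the LDAP server serves the updated CRL; when testing the scenario, revoke the certificate and publish the new CRL before starting MQIPT1, or wait for the cache to expire. MQCPI033 on MQIPT2 shows client authentication set to false, so only the certificate of MQIPT2 is validated on this route; MQIPT2 does not check a certificate from MQIPT1 at all, and a CRL check in the other direction would need a client key ring on MQIPT1 and client authentication enabled on MQIPT2.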