@kumar-de
Last active July 20, 2023 14:55
Setting up IBM MQ with SSL/TLS enabled #IBMMQ #SSL #TLS

Dockerized IBM MQ with TLS enabled

Setting up the Server-keyStore and certificate

Run a container from the latest IBM MQ image

docker volume create qmdata
docker pull ibmcom/mq:latest
docker run -ti --entrypoint=/bin/bash --volume qmdata:/mnt/mqm ibmcom/mq:latest

Change to the directory that is mounted on the volume to create digital certificates for the server

cd /mnt/mqm
mkdir -p MQServer/certs
cd MQServer/certs

Create a key database (also called the keyStore or certificate store) and stash its password. The -stash option writes key.sth, which holds an obfuscated copy of the password, so anyone who can read that file can open the keyStore: keep both files readable only by the mqm user

runmqakm -keydb -create -db key.p12 -pw k3ypassw0rd -type pkcs12 -expire 1000 -stash

Check what you've created so far

ls
> key.p12  key.sth

Check the contents of the keyStore

runmqakm -cert -list all -db key.p12 -stashed

> No certificates were found.

Create a self-signed certificate

runmqakm -cert -create -db key.p12 -label ibmwebspheremqqm1 -dn "cn=qm,o=ibm,c=uk" -size 2048 -default_cert yes -stashed

Check the contents of the keyStore

runmqakm -cert -list all -db key.p12 -stashed

> Certificates found
* default, - personal, ! trusted, # secret key
-       ibmwebspheremqqm1

Extract the public certificate so that clients can authenticate the Queue Manager

runmqakm -cert -extract -db key.p12 -stashed -label ibmwebspheremqqm1 -target QM1.cert

Check your creations

ls

> QM1.cert key.p12  key.sth

Exit the container and remove it; the certificate data remains in the volume

exit
docker rm <container-ID>

MQ queue-manager in docker

Create a docker network that can be shared between client and server containers (if your client is also containerized)

docker network create mq-demo-network

Start a new container; the queue manager starts and picks up the certificate from the Docker volume. The options attach the volume, join the network, and give the location of the keyStore and its password.

docker run --env LICENSE=accept --env MQ_QMGR_NAME=QM1 --volume qmdata:/mnt/mqm --publish 1414:1414 --publish 9443:9443 \
    --network mq-demo-network --network-alias qmgr --detach --env MQ_APP_PASSWORD=passw0rd --env \
    MQ_TLS_KEYSTORE=/mnt/mqm/MQServer/certs/key.p12 --env MQ_TLS_PASSPHRASE=k3ypassw0rd ibmcom/mq:latest

Alternatively, to start the queue manager with password authentication disabled (no MQ_APP_PASSWORD set)

docker run --env LICENSE=accept --env MQ_QMGR_NAME=QM1 --volume qmdata:/mnt/mqm --publish 1414:1414 \
    --publish 9443:9443 --network mq-demo-network --network-alias qmgr --detach \
    --env MQ_TLS_KEYSTORE=/mnt/mqm/MQServer/certs/key.p12 --env MQ_TLS_PASSPHRASE=k3ypassw0rd \
    --name mqdemo ibmcom/mq:latest

Enter the newly created container

docker exec -ti <container-ID> /bin/bash

Once inside the container, start the MQSC interface for the queue manager

runmqsc QM1

> Starting MQSC for queue manager QM1

Issue the command to show the channel configuration for the channel the application will use

DISPLAY CHANNEL(DEV.APP.SVRCONN)

> AMQ8414I: Display Channel details.
   CHANNEL(DEV.APP.SVRCONN)                CHLTYPE(SVRCONN)
   ALTDATE(2018-04-20)                     ALTTIME(17.01.22)
   CERTLABL( )                             COMPHDR(NONE)
   COMPMSG(NONE)                           DESCR( )
   DISCINT(0)                              HBINT(300)
   KAINT(AUTO)                             MAXINST(999999999)
   MAXINSTC(999999999)                     MAXMSGL(4194304)
   MCAUSER(app)                            MONCHL(QMGR)
   RCVDATA( )                              RCVEXIT( )
   SCYDATA( )                              SCYEXIT( )
   SENDDATA( )                             SENDEXIT( )
   SHARECNV(10)                            SSLCAUTH(OPTIONAL)
   SSLCIPH(TLS_RSA_WITH_AES_128_CBC_SHA256)
   SSLPEER( )                              TRPTYPE(TCP)

The DEV.APP.SVRCONN channel is configured to use the TLS_RSA_WITH_AES_128_CBC_SHA256 CipherSpec. Setting SSLCIPH turns on TLS for every connection that uses this channel, and the client must specify the same CipherSpec for the TLS handshake to succeed.

The other property to note is SSLCAUTH, which is set to OPTIONAL here. This allows both 1-way and 2-way TLS authentication. Authentication of the server by the client is always mandatory, so the server always needs a certificate; that is 1-way authentication. If the client also has a certificate, 2-way authentication can take place: a client that presents a certificate is authenticated with it, while a client that does not is still allowed to connect, just without client authentication at the TLS layer. This tutorial uses 1-way authentication, as only the server has a certificate, so the TLS configuration provides encryption and server authentication only. Client authentication is carried out separately using the application name and password.

End the MQSC interface

END

Exit the Queue Manager container

exit

Setting up the client's truststore

New container for the client

docker run -ti --entrypoint=/bin/bash  --volume qmdata:/mnt/mqm --network mq-demo-network ibmcom/mq:latest

Change to the mounted directory and create a directory for digital certificates

cd /mnt/mqm
mkdir -p MQClient/certs
cd MQClient/certs

Use runmqakm to create a client trustStore

runmqakm -keydb -create -db client_key.p12 -pw tru5tpassw0rd -type pkcs12 -expire 1000

Check your creations

ls

> client_key.p12

Inspect the trustStore (it will be empty at this point)

runmqakm -cert -list all -db client_key.p12 -pw tru5tpassw0rd

From the /mnt/mqm/MQClient/certs folder, run the command to add the public key certificate to the client’s trustStore

runmqakm -cert -add -label QM1.cert -db client_key.p12 -type pkcs12 -pw tru5tpassw0rd -trust enable -file ../../MQServer/certs/QM1.cert

Inspect the contents of the trustStore

runmqakm -cert -list all -db client_key.p12 -pw tru5tpassw0rd

> Certificates found
* default, - personal, ! trusted, # secret key
!       QM1.cert
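
A check added here (not part of the gist) that parses the two runmqakm listings shown above, the server keyStore's and the client trustStore's, and confirms the 1-way setup: the personal certificate ibmwebspheremqqm1 is in key.p12, QM1.cert is held as trusted in client_key.p12, and no private key has ended up in the trustStore (which would happen if key.p12 were added instead of QM1.cert). The function names and the sample listings are constructed for the example; the labels and paths are the page's.

```shell
#!/bin/sh
# Check runmqakm "-cert -list all" output for the entries the page expects.
# Marker column of each entry: "-" personal (private key), "!" trusted,
# "*" default; lines 1-2 are "Certificates found" and the legend.

# store_has LISTING MARKER [LABEL]
# Succeeds when an entry's marker column contains MARKER and (if given)
# its label equals LABEL. An empty LABEL matches any entry.
store_has() {
  printf '%s\n' "$1" | awk -v want_mark="$2" -v want_label="${3:-}" '
    NR <= 2 { next }                 # skip "Certificates found" and the legend
    NF >= 2 && index($1, want_mark) && (want_label == "" || $2 == want_label) { found = 1 }
    END { exit found ? 0 : 1 }'
}

# check_tls_stores SERVER_LISTING CLIENT_LISTING SERVER_LABEL CLIENT_LABEL
# Verifies the 1-way TLS setup from the page: the server keyStore holds the
# personal certificate, the client trustStore holds the extracted public
# certificate as trusted, and the client trustStore carries no private key
# (which would mean key.p12 was added instead of QM1.cert).
check_tls_stores() {
  store_has "$1" '-' "$3" || { echo "server keystore lacks personal cert $3" >&2; return 1; }
  store_has "$2" '!' "$4" || { echo "client truststore lacks trusted cert $4" >&2; return 1; }
  if store_has "$2" '-'; then
    echo "client truststore contains a private key; rebuild it from QM1.cert only" >&2
    return 1
  fi
  return 0
}

# Constructed sample listings, copied from the outputs shown on this page.
SERVER_LISTING='Certificates found
* default, - personal, ! trusted, # secret key
-       ibmwebspheremqqm1'
CLIENT_LISTING='Certificates found
* default, - personal, ! trusted, # secret key
!       QM1.cert'

check_tls_stores "$SERVER_LISTING" "$CLIENT_LISTING" ibmwebspheremqqm1 QM1.cert \
  && echo "sample listings: keystore and truststore look right"

# Against the real stores from the page (skipped when runmqakm is not installed).
if command -v runmqakm >/dev/null 2>&1; then
  check_tls_stores \
    "$(runmqakm -cert -list all -db /mnt/mqm/MQServer/certs/key.p12 -stashed)" \
    "$(runmqakm -cert -list all -db /mnt/mqm/MQClient/certs/client_key.p12 -pw tru5tpassw0rd)" \
    ibmwebspheremqqm1 QM1.cert && echo "live stores: keystore and truststore look right"
fi
```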

Alternatively, QM1.cert can be imported directly into a Java trustStore (truststore.jks) with keytool:

keytool -importcert -file QM1.cert -keystore truststore.jks -alias <alias>
@djangofan

The instructions here don't match your instructions. https://github.com/ibm-messaging/mq-container/blob/master/docs/usage.md Have things changed since you made this document?