Use the IBM MQ Explorer to connect to a remote queue manager using TLS-enabled MQI channels

The IBM MQ Explorer connects to remote queue managers using an MQI channel. To secure the MQI channel with TLS, you must establish the channel using a client channel definition table.

For information about how to establish an MQI channel using a client channel definition table, see Overview of IBM MQ MQI clients.

When we have established the channel using a client channel definition table, we can use the IBM MQ Explorer to connect to a remote queue manager using a TLS-enabled MQI channel, as described in Tasks on the system that hosts the remote queue manager and Tasks on the system that hosts the IBM MQ Explorer.


Tasks on the system that hosts the remote queue manager

On the system hosting the remote queue manager, perform the following tasks:
  1. Define a server connection and client connection pair of channels, and specify the appropriate value for the SSLCIPH variable on both channels. For more information about the SSLCIPH variable, see Protecting channels with TLS.
  2. Send the channel definition table AMQCLCHL.TAB, which is found in the queue manager's @ipcc directory, to the system hosting the IBM MQ Explorer.
  3. Start a TCP/IP listener on a designated port.
  4. Place both the CA and personal TLS certificates into the SSL directory of the queue manager:

    • /var/mqm/qmgrs/+QMNAME+/SSL for UNIX and Linux systems
    • C:\Program Files\IBM\MQ\qmgrs\+QMNAME+\SSL for Windows systems

      Where +QMNAME+ is a token representing the name of the queue manager.

  5. Create a key database file of type CMS named key.kdb. Stash the password in a file either by checking the option in the iKeyman GUI, or by using the -stash option with the runmqckm commands.
  6. Add the CA certificates to the key database created in the previous step.
  7. Import the personal certificate for the queue manager into the key database.
For more detailed information about working with TLS on Windows systems, see Working with TLS on UNIX, Linux, and Windows.
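
The following sketch covers steps 1 and 3 and is an added example, not IBM's own script: it generates the MQSC for the channel pair from a single CipherSpec argument, then checks that the server and client definitions carry the same non-blank SSLCIPH. QM1, TLS.EXPLORER, qmhost.example, port 1414, TLS.LISTENER and the chosen CipherSpec are assumptions, as is the layout of the text the check reads.

```shell
#!/bin/sh
# Added example. QM1, TLS.EXPLORER, qmhost.example, 1414 and TLS.LISTENER are
# placeholder names; the CipherSpec is one possible choice, not the page's.

# Steps 1 and 3: emit MQSC for a SVRCONN/CLNTCONN pair that shares one channel
# name and one CipherSpec, plus a TCP listener.
# To apply on the queue manager host: gen_tls_mqsc ... | runmqsc QM1
gen_tls_mqsc() {  # args: QMGR CHANNEL HOST PORT CIPHERSPEC
    cat <<EOF
DEFINE CHANNEL($2) CHLTYPE(SVRCONN) TRPTYPE(TCP) SSLCIPH($5)
DEFINE CHANNEL($2) CHLTYPE(CLNTCONN) TRPTYPE(TCP) CONNAME('$3($4)') QMNAME($1) SSLCIPH($5)
DEFINE LISTENER(TLS.LISTENER) TRPTYPE(TCP) PORT($4) CONTROL(QMGR)
START LISTENER(TLS.LISTENER)
EOF
}

# Read MQSC text on stdin (DEFINE lines, or attribute lines in the
# CHANNEL(..) CHLTYPE(..) SSLCIPH(..) form) and fail unless both halves of
# the named pair have the same non-blank SSLCIPH. A blank SSLCIPH means the
# channel is not protected by TLS.
check_sslciph() {  # args: CHANNEL
    awk -v want="$1" -v q="'" '
        function val(line, name,   s) {   # value of NAME(...), or "-" if absent
            if (!match(line, "(^|[ \t])" name "\\([^)]*\\)")) return "-"
            s = substr(line, RSTART, RLENGTH)
            sub(/^[^(]*\(/, "", s); sub(/\)$/, "", s)
            gsub("[ \t" q "]", "", s)     # drop padding and quotes
            return s
        }
        {
            if ((v = val($0, "CHANNEL")) != "-") { chan = v; type = "" }
            if ((v = val($0, "CHLTYPE")) != "-") type = v
            if ((v = val($0, "SSLCIPH")) != "-" && chan == want) ciph[type] = v
        }
        END {
            s = ciph["SVRCONN"]; c = ciph["CLNTCONN"]
            if (s == "" || c == "") { print "FAIL: SSLCIPH blank or missing"; exit 1 }
            if (s != c) { print "FAIL: SSLCIPH mismatch: " s " vs " c; exit 1 }
            print "OK: " s
        }'
}

# Constructed demo: generate the definitions and check them before applying.
gen_tls_mqsc QM1 TLS.EXPLORER qmhost.example 1414 ECDHE_RSA_AES_128_GCM_SHA256 |
    check_sslciph TLS.EXPLORER
```
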


Tasks on the system that hosts the IBM MQ Explorer

On the system hosting the IBM MQ Explorer, perform the following tasks:
  1. Create a key database file of type JKS named key.jks. Set a password for this key database file.

    The IBM MQ Explorer uses Java keystore files (JKS) for TLS security, and so the keystore file being created for configuring TLS for the IBM MQ Explorer must match this.

  2. Add the CA certificates to the key database created in the previous step.
  3. Import the personal certificate for the queue manager into the key database.
  4. On Windows and Linux systems, start IBM MQ Explorer by using the system menu, the MQExplorer executable file, or the strmqcfg command.
  5. From the IBM MQ Explorer toolbar, click Window -> Preferences, then expand IBM MQ Explorer and click SSL Client Certificate Stores. Enter the name of, and password for, the JKS file created in step 1 of Tasks on the system that hosts the IBM MQ Explorer, in both the Trusted Certificate Store and the Personal Certificate Store, then click OK.
  6. Close the Preferences window, and right-click Queue Managers. Click Show/Hide Queue Managers, and then click Add on the Show/Hide Queue Managers screen.
  7. Type the name of the queue manager, and select the Connect directly option. Click Next.
  8. Select Use client channel definition table (CCDT) and specify the location of the channel table file that you transferred from the remote queue manager in step 2 of Tasks on the system that hosts the remote queue manager.
  9. Click Finish. We can now access the remote queue manager from the IBM MQ Explorer.