
Running MQIPT in TLS proxy mode

You can run MQIPT in TLS proxy mode, so that it accepts a TLS connection request from an IBM MQ TLS client and tunnels it to an IBM MQ TLS server.


Before starting

Before you start to use this scenario, make sure that you have completed the prerequisite tasks listed in Getting started with IBM MQ Internet Pass-Thru.


About this task

Figure 1. SSL/TLS proxy mode network diagram

This diagram shows the connection flow from the IBM MQ client (client1.company1.com on port 1415) through MQIPT to the IBM MQ server (server1.company2.com on port 1414).

For further information on configuring TLS for IBM MQ, refer to Work with SSL/TLS.


Procedure

To run MQIPT in TLS proxy mode, complete the following steps:

  1. Configure the IBM MQ client and server to use a TLS connection.
    1. Create a key repository for the queue manager. For more information, see Set up a key repository on UNIX, Linux, and Windows.
    2. Create a key repository for the client in the C:\ProgramData\IBM\MQ directory. Call it clientkey.kdb.
    3. Create a personal certificate for the queue manager, in the queue manager key repository that you created in step 1.a. For more information, see Create a self-signed personal certificate on UNIX, Linux, and Windows.
    4. Create a personal certificate for the client, in the client key repository that you created in step 1.b.
    5. Extract the personal certificate from the server key repository and add it to the client repository. For more information, see Extracting the public part of a self-signed certificate from a key repository on UNIX, Linux, and Windows, and Adding a CA certificate (or the public part of a self-signed certificate) into a key repository, on UNIX, Linux or Windows systems.
    6. Extract the personal certificate from the client key repository and add it to the server key repository.
    7. Alter the MQIPT.CONN.CHANNEL server connection channel to use TLS by using the MQSC command:
      ALTER CHANNEL(MQIPT.CONN.CHANNEL) CHLTYPE(SVRCONN) TRPTYPE(TCP) 
      SSLCIPH(TLS_RSA_WITH_AES_128_CBC_SHA256)

  2. To run MQIPT in TLS proxy mode, complete the following steps:
    1. Edit mqipt.conf and add the following route definition:
      [route]
      ListenerPort=1415
      Destination=server1.company2.com
      DestinationPort=1414
      SSLProxyMode=true
    2. Start MQIPT. Open a command prompt and enter the following command:
      C:\mqipt\bin\mqipt C:\mqiptHome -n ipt1
      where C:\mqiptHome indicates the location of the MQIPT configuration file, mqipt.conf, and ipt1 is the name to be given to the instance of MQIPT. The following messages indicate that MQIPT has started successfully:
      5724-H72 (C) Copyright IBM Corp. 2000, 2020 All Rights Reserved
      MQCPI001 IBM MQ Internet Pass-Thru V9.2.0.0 starting
      MQCPI004 Reading configuration information from mqipt.conf
      MQCPI152 MQIPT name is ipt1
      MQCPI021 Password checking has been enabled on the command port
      MQCPI011 The path C:\mqiptHome\logs will be used to store the log files
      MQCPI006 Route 1415 has started and will forward messages to :
      MQCPI034 ....server1.company2.com(1414)
      MQCPI035 ....using SSLProxyMode protocol
      MQCPI078 Route 1415 ready for connection requests

  3. At a command prompt on the IBM MQ client system, enter the following command to run the TLS sample program:
    AMQSSSLC -m MQIPT.QM1 -c MQIPT.CONN.CHANNEL -x 10.9.1.2(1415)
             -k "C:\ProgramData\IBM\MQ\clientkey" -l cert_label -s TLS_RSA_WITH_AES_128_CBC_SHA256
    where cert_label is the label of the client certificate that you created in step 1.d.
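To confirm that a route really is defined and running in TLS proxy mode, the following added example (not IBM's code) parses the [route] definition from mqipt.conf and the MQCPI startup messages shown above, and flags a route that lacks SSLProxyMode=true or a startup log that is missing the MQCPI035 line. The configuration and log text are constructed here from the values used in this procedure.

```python
import re
# Constructed mqipt.conf mirroring the route definition in this procedure.
MQIPT_CONF = """\
[route]
ListenerPort=1415
Destination=server1.company2.com
DestinationPort=1414
SSLProxyMode=true
"""
# Constructed startup output in the MQCPI message format shown above.
STARTUP_LOG = """\
MQCPI006 Route 1415 has started and will forward messages to :
MQCPI034 ....server1.company2.com(1414)
MQCPI035 ....using SSLProxyMode protocol
MQCPI078 Route 1415 ready for connection requests
"""
def parse_routes(text):
    """Return one dict per [route] section; mqipt.conf may define several."""
    routes, current = [], None
    for line in (l.strip() for l in text.splitlines()):
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = {} if line[1:-1].lower() == "route" else None
            if current is not None:
                routes.append(current)
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            current[key.strip()] = value.strip()
    return routes

def check_route(route):
    """Findings for a route that is meant to tunnel TLS end to end."""
    findings = [f"missing {k}" for k in ("ListenerPort", "Destination", "DestinationPort") if k not in route]
    for k in ("ListenerPort", "DestinationPort"):
        v = route.get(k, "")
        if v and not (v.isdigit() and 0 < int(v) < 65536):
            findings.append(f"{k} out of range")
    if route.get("SSLProxyMode", "false").lower() != "true":
        findings.append("SSLProxyMode is not true: MQIPT would not TLS-tunnel")
    return findings

def check_startup_log(log, route):
    """Confirm the MQCPI messages show this route up and in SSLProxyMode."""
    port, target = route["ListenerPort"], f"{route['Destination']}({route['DestinationPort']})"
    m = re.search(rf"MQCPI006 Route {port} .*?(?=MQCPI006|\Z)", log, re.S)
    block = m.group(0) if m else ""
    return {"ready": f"MQCPI078 Route {port} ready" in block,
            "destination_ok": f"MQCPI034 ....{target}" in block,
            "ssl_proxy_mode": "MQCPI035 ....using SSLProxyMode protocol" in block}
```

Point `parse_routes` at the real mqipt.conf and `check_startup_log` at the MQIPT log file in the path reported by MQCPI011; a route whose `ssl_proxy_mode` flag is False is being forwarded without the end-to-end TLS tunnel this scenario relies on.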

Last updated: 2020-10-04