IBM MQ server: Transport chain security

System security for a connection between service integration and an IBM MQ network is provided by the Transport Layer Security (TLS) protocol and its predecessor, SSL.

When WebSphere Application Server uses SSL, the administrator must create an SSL repertoire, a channel and a transport chain. The transport chain must be referenced by the IBM MQ server through its server transport chain attribute, and must also be a trusted (permitted) transport for the service integration bus to which the IBM MQ server belongs. By default, a service integration bus trusts only transport chains that are protected by SSL.

Two default transport chains are created on each IBM MQ server: OutboundBasicWMQClient and OutboundSecureWMQClient. The OutboundSecureWMQClient transport chain uses SSL and is configured to use the server default SSL repertoire. To create our own transport chain, we must define it on every IBM MQ server that is a service integration bus member. Here is an example of how we might define our own transport chain using wsadmin Jython (save it to a file and run it with wsadmin -lang jython -f):

# Locate the transport channel service that owns the channels and chains.
# splitlines()[0] takes the first service listed; in a cell with several
# servers, pick the service belonging to the server that hosts the bus member.
tcs = AdminConfig.list("TransportChannelService").splitlines()[0]

# Define the three outbound channels, lowest layer first.
tcp = AdminConfig.create("TCPOutboundChannel", tcs, [["name", "MyWMQChain.TCP"]])
ssl = AdminConfig.create("SSLOutboundChannel", tcs,
    [["name", "MyWMQChain.SSL"], ["sslConfigAlias", "MyRepertoire"]])
rmq = AdminConfig.create("RMQOutboundChannel", tcs, [["name", "MyWMQChain.RMQ"]])

# Assemble the chain; the channel list runs from the IBM MQ protocol layer down to TCP.
AdminConfig.create("Chain", tcs,
    [["name", "MyWMQChain"], ["enable", "true"], ["transportChannels", [rmq, ssl, tcp]]])

# Persist the new channels and chain to the configuration repository.
AdminConfig.save()

This example creates a transport chain suitable for connecting an IBM MQ server to IBM MQ using SSL. The chain is called MyWMQChain, and uses an SSL repertoire called MyRepertoire, which must already exist.

An IBM MQ channel accepts only a single cipher suite for securing connections to its queue manager, whereas a WAS SSL repertoire allows us to specify several. Each cipher suite in the repertoire is tried in turn until a connection is established, or until all the cipher suites have been tried. The most recent cipher suite that allowed a successful connection is cached per IBM MQ server bus member, and is tried first on subsequent connection attempts.
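
The selection behaviour described above, as an added model in plain Python that is not part of the product or of this page: the QueueManager stand-in, the bus member names and the cipher suite names are constructed for the example, and the model leaves the cache untouched when every suite is rejected, a case the text does not describe. What it demonstrates is the attempt order that results from the per-bus-member cache, including the extra failed attempt that a changed queue manager CipherSpec costs before the search falls back to the repertoire order.

```python
"""Model of cipher suite selection for an IBM MQ server bus member (constructed example)."""


class QueueManager:
    """Constructed stand-in: an MQ channel negotiates only its one configured CipherSpec."""

    def __init__(self, accepted_suite):
        self.accepted_suite = accepted_suite

    def handshake(self, suite):
        # Any offer other than the channel's CipherSpec fails the handshake.
        return suite == self.accepted_suite


class CipherSuiteNegotiator:
    """Tries the repertoire's suites in order and caches the winner per bus member."""

    def __init__(self, repertoire_suites):
        self.repertoire_suites = list(repertoire_suites)
        self._cache = {}  # bus member name -> last suite that connected

    def candidate_order(self, bus_member):
        """Cached suite first (if any), then the rest in repertoire order."""
        cached = self._cache.get(bus_member)
        if cached is None:
            return list(self.repertoire_suites)
        return [cached] + [s for s in self.repertoire_suites if s != cached]

    def connect(self, bus_member, queue_manager):
        """Return (suite that connected or None, list of suites attempted in order)."""
        attempts = []
        for suite in self.candidate_order(bus_member):
            attempts.append(suite)
            if queue_manager.handshake(suite):
                self._cache[bus_member] = suite
                return suite, attempts
        # Every suite rejected: no connection. The cache is left as it was
        # (assumption for this model; the text does not cover this case).
        return None, attempts


# Constructed sample data: a three-suite repertoire and two queue managers.
REPERTOIRE = [
    "TLS_RSA_WITH_AES_256_CBC_SHA256",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "SSL_RSA_WITH_3DES_EDE_CBC_SHA",
]


def walkthrough():
    """Run the sequence a practitioner would want to see; returns the attempt lists."""
    negotiator = CipherSuiteNegotiator(REPERTOIRE)
    qm = QueueManager("TLS_RSA_WITH_AES_128_CBC_SHA")

    _, first = negotiator.connect("WMQServer1", qm)      # walks the list, stops at 2nd
    _, second = negotiator.connect("WMQServer1", qm)     # cache hit: one attempt
    _, other = negotiator.connect("WMQServer2", qm)      # separate bus member, own cache

    # The queue manager's channel CipherSpec is changed: the cached suite fails
    # once, then the search falls back to repertoire order minus the cached one.
    qm_changed = QueueManager("SSL_RSA_WITH_3DES_EDE_CBC_SHA")
    _, after_change = negotiator.connect("WMQServer1", qm_changed)

    return first, second, other, after_change


if __name__ == "__main__":
    for label, attempts in zip(("first", "second", "other member", "after change"), walkthrough()):
        print("%-13s %s" % (label, " -> ".join(attempts)))
```

Because only one suite can ever match the queue manager's channel, the practical lesson is that the order of suites in the repertoire decides how many rejected handshakes precede each first connection, and the cache only removes that cost while the queue manager's CipherSpec stays the same.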

When transport security is enabled, the transport chain used for connections to IBM MQ must be one of the bus's permitted (trusted) chains; otherwise it is not possible to establish a connection to IBM MQ.

  • Create an IBM MQ server definition
  • createSIBWMQServer command