
IBM MQ Internet Pass-Thru (SupportPac MS81)

IBM MQ Internet Pass-Thru (MQIPT) is an extension to the base IBM MQ product. To download the MQIPT support pack, see MS81: IBM MQ internet pass-thru.

IBM MQ Internet Pass-Thru runs as a stand-alone service that can receive and forward IBM MQ message flows, either between two IBM MQ queue managers or between an IBM MQ client and an IBM MQ queue manager.

MQIPT enables this connection when the client and server are not on the same physical network.

One or more instances of MQIPT can be placed in the communication path between two IBM MQ queue managers, or between an IBM MQ client and an IBM MQ queue manager. The instances of MQIPT allow the two IBM MQ systems to exchange messages without needing a direct TCP/IP connection between the two systems. This is useful if the firewall configuration prohibits a direct TCP/IP connection between the two systems.

MQIPT listens on one or more TCP/IP ports for incoming connections, which can carry normal IBM MQ messages, IBM MQ messages tunneled inside HTTP, or messages encrypted using Transport Layer Security (TLS) or Secure Sockets Layer (SSL). MQIPT can handle multiple concurrent connections.

The IBM MQ channel that makes the initial TCP/IP connection request is referred to as the caller, the channel to which it is attempting to connect as the responder, and the queue manager that it is ultimately trying to contact as the destination queue manager.

MQIPT holds data in memory as it forwards it from its source to its destination. No data is saved on disk (except for memory paged to disk by the operating system). The only time MQIPT accesses the disk explicitly is to read its configuration file and to write connection log and trace records.

The full range of IBM MQ channel types can be made through one or more instances of MQIPT. The presence of MQIPT in a communication path has no effect on the functional characteristics of the connected IBM MQ components, but there might be some effect on the performance of message transfer.

MQIPT can be used in conjunction with IBM MQ and IBM Integration Bus, as described in Possible configurations of MQIPT.

There are a number of potential uses for MQIPT:


MQIPT can be used as a channel concentrator

By using MQIPT in this way, channels to or from multiple separate hosts can appear to a firewall as if they are all to or from the MQIPT host. This makes it easier to define and manage firewall filtering rules.
Figure 1. Example of MQIPT as a channel concentrator


MQIPT can be placed in a DMZ to provide a single point of access

If MQIPT is placed within a DMZ firewall (a firewall configuration for securing local area networks), on a computer with a known and trusted internet protocol (IP) address, MQIPT can be used to listen for incoming IBM MQ channel connections which it can then forward to the trusted intranet; the inner firewall must allow this trusted computer to make inbound connections. In this configuration, MQIPT prevents external requests for access from receiving the true IP addresses of the computers in the trusted intranet. In this way, MQIPT provides a single point of access.
Figure 2. Example of MQIPT in a DMZ firewall


MQIPT can communicate by means of HTTP tunneling

If two instances of MQIPT are deployed in line, they can communicate by using HTTP. The HTTP tunneling feature enables requests to be transmitted through firewalls, by the use of existing HTTP proxies. The first MQIPT inserts the IBM MQ protocol into HTTP and the second extracts the IBM MQ protocol from its HTTP wrapper and forwards it to the destination queue manager.
Figure 3. Example of MQIPT and HTTP tunneling


MQIPT can encrypt messages

If MQIPT is configured as in the previous example, requests can be encrypted before transmission through firewalls. The first MQIPT encrypts the data and the second decrypts it using SSL/TLS before sending it to the destination queue manager.
Figure 4. Example of MQIPT and SSL/TLS