Scenario: Authenticating an SSL/TLS server
In this scenario, we can test an SSL/TLS connection by using the sample test certificate (sslSample.pfx) key-ring file, provided with MQIPT in the ssl subdirectory.
Before you begin
- Before you start to use this scenario, make sure that we have completed the prerequisite tasks listed in Scenarios: Getting started with MQIPT.
About this task
The connection is made between a IBM MQ client and a IBM MQ server through two instances of MQIPT. During the SSL/TLS handshake, the server sends its test certificate to the client and the client uses its copy of the certificate with the trust-as-peer flag set to authenticate the server. The CipherSuite SSL_RSA_WITH_AES_256_CBC_SHA256 is used. (Based on mqipt.conf created from Scenario: Verifying that MQIPT is working correctly). For details on how to create a test certificate to use in this example, see Scenario: Creating test certificates.
This diagram shows the connection from the IBM MQ client (called client1.company1.com on port 1415) through two instances of MQIPT to the IBM MQ server (called server1.company2.com on port 1414).
Procedure
To authenticate an SSL/TLS server, complete the following steps:
- On MQIPT1:
- Edit mqipt.conf and add a route definition:
[route] ListenerPort=1415 Destination=10.100.6.7 DestinationPort=1416 SSLClient=true SSLClientKeyRing=C:\mqipt\ssl\sslSample.pfx SSLClientKeyRingPW=C:\mqipt\ssl\sslSample.pwd SSLClientCipherSuites=SSL_RSA_WITH_AES_256_CBC_SHA256- Open a command prompt and start MQIPT:
C:\mqipt\bin\mqipt C:\mqiptHomewhere C:\mqiptHome indicates the location of the MQIPT configuration file, mqipt.conf.The following message indicates successful completion:5639-L92 (C) Copyright IBM Corp. 2000, 2017 All Rights Reserved MQCPI001 IBM MQ Internet Pass-Thru Version 2.1.0.3 starting MQCPI004 Reading configuration information from mqipt.conf MQCPI021 Password checking has been enabled on the command port MQCPI008 Listening for control commands on port 1881 MQCPI011 The path C:\mqiptHome\logs will be used to store the log files MQCPI006 Route 1415 is starting and will forward messages to : MQCPI034 ....10.100.6.7(1416) MQCPI035 ....using MQ protocols MQCPI036 ....SSL Client side enabled with properties : MQCPI139 ......secure socket protocols <NULL> MQCPI031 ......cipher suites SSL_RSA_WITH_AES_256_CBC_SHA256 MQCPI032 ......keyring file C:\mqipt\ssl\sslSample.pfx MQCPI047 ......CA keyring file <NULL> MQCPI071 ......site certificate uses UID=*,CN=*,T=*,OU=*,DC=*,O=*,STREET=*,L=*,S T=*,PC=*,C=*,DNQ=* MQCPI038 ......peer certificate uses UID=*,CN=*,T=*,OU=*,DC=*,O=*,STREET=*,L=*,S T=*,PC=*,C=*,DNQ=* MQCPI078 Route 1415 ready for connection requests- On MQIPT2:
- Edit mqipt.conf and add a route definition:
[route] ListenerPort=1416 Destination=Server1.company2.com DestinationPort=1414 SSLServer=true SSLServerKeyRing=C:\mqipt\ssl\sslSample.pfx SSLServerKeyRingPW=C:\mqipt\ssl\sslSample.pwd SSLServerCipherSuites=SSL_RSA_WITH_AES_256_CBC_SHA256- Open a command prompt and start MQIPT:
C:\mqipt\bin\mqipt C:\mqiptHomewhere C:\mqiptHome indicates the location of the MQIPT configuration file, mqipt.conf.The following message indicates successful completion:5639-L92 (C) Copyright IBM Corp. 2000, 2017 All Rights Reserved MQCPI001 IBM MQ Internet Pass-Thru Version 2.1.0.3 starting MQCPI004 Reading configuration information from mqipt.conf MQCPI021 Password checking has been enabled on the command port MQCPI008 Listening for control commands on port 1882 MQCPI011 The path C:\mqiptHome\logs will be used to store the log files MQCPI006 Route 1416 is starting and will forward messages to : MQCPI034 ....Server1.company2.com(1414) MQCPI035 ....using MQ protocols MQCPI037 ....SSL Server side enabled with properties : MQCPI139 ......secure socket protocols <NULL> MQCPI031 ......cipher suites SSL_RSA_WITH_AES_256_CBC_SHA256 MQCPI032 ......keyring file C:\mqipt\ssl\sslSample.pfx MQCPI047 ......CA keyring file <NULL> MQCPI071 ......site certificate uses UID=*,CN=*,T=*,OU=*,DC=*,O=*,STREET=*,L=*,S T=*,PC=*,C=*,DNQ=* MQCPI038 ......peer certificate uses UID=*,CN=*,T=*,OU=*,DC=*,O=*,STREET=*,L=*,S T=*,PC=*,C=*,DNQ=* MQCPI033 ......client authentication set to false MQCPI078 Route 1416 ready for connection requests- At a command prompt on the IBM MQ client, enter the following commands:
- Set the MQSERVER environment variable:
SET MQSERVER=MQIPT.CONN.CHANNEL/tcp/10.9.1.2(1415)- Put a message:
amqsputc MQIPT.LOCAL.QUEUE MQIPT.QM1 Hello worldPress Enter twice after typing the message string.- Get the message:
amqsgetc MQIPT.LOCAL.QUEUE MQIPT.QM1The message, "Hello world" is returned.