Scenario: running MQIPT in SSL/TLS proxy mode with a security manager
You can run MQIPT in SSL/TLS proxy mode, so that it accepts an SSL/TLS connection request from an IBM MQ SSL/TLS client and tunnels it to an IBM MQ SSL/TLS server. By running MQIPT under a Java security manager with a policy file, you can restrict the network addresses that MQIPT accepts connections from and forwards messages to, and the directories that it can read and write. In this scenario the policy allows the MQIPT listener to accept connections only from the IBM MQ client host.
Before you begin
- Before you start to use this scenario, make sure that you have completed the prerequisite tasks listed in Scenarios: Getting started with MQIPT.
- Set up the IBM MQ client and queue manager to use an SSL/TLS channel.
- Configure the IBM MQ client and server to use an SSL/TLS connection.
About this task
This diagram shows the connection flow for the scenario: the IBM MQ client (client1.company1.com) connects to the MQIPT listener (10.9.1.2, port 1415), and MQIPT forwards the connection to the IBM MQ server (server1.company2.com, port 1414).
For further information on setting up SSL/TLS for IBM MQ, refer to the Security section of the IBM MQ product documentation.
Procedure
To run MQIPT in SSL/TLS proxy mode with a security manager, complete the following steps:
- On the MQIPT computer (see the diagram), copy the sample Java Security Manager policy to the MQIPT home directory by entering the following command at a command prompt:
    copy C:\mqipt\ssl\mqiptSample.policy C:\mqiptHome\mqipt.policy
- Edit the policy so that it refers to your MQIPT installation and home directories and grants network access only to the IBM MQ client host. Open the policy tool by entering the following command:
    C:\mqipt\java\jre\bin\policytool
  In the policy tool:
  - Click File > Open and open C:\mqiptHome\mqipt.policy.
  - Select the policy entry with the CodeBase file:/C:/Program Files/IBM/IBM MQ Internet Pass-Thru/lib/com.ibm.mq.ipt.jar, then click Edit Policy Entry.
  - Change the CodeBase from file:/C:/Program Files/IBM/IBM MQ Internet Pass-Thru/lib/com.ibm.mq.ipt.jar to file:/C:/mqipt/lib/com.ibm.mq.ipt.jar. The CodeBase binds the permissions to the MQIPT jar file; if it does not match the installed path, the permissions are not applied to MQIPT and the security manager denies every protected operation.
  - Change the file permissions for the "IBM MQ Internet Pass-Thru", errors and logs directories from C:\Program Files\IBM\IBM MQ Internet Pass-Thru to C:\mqiptHome.
  - Change the other file permissions from C:\Program Files\IBM\IBM MQ Internet Pass-Thru to C:\mqipt.
  - Click Add Permission and complete the fields as follows:
      Permission: SocketPermission
      Target: client1.company1.com:1024-
      Actions: accept, listen, resolve
    This entry allows MQIPT to accept connections on its listener only from client1.company1.com, from any source port of 1024 or above (the client's ephemeral port range). When a connection arrives from any other address, the JVM raises a SecurityException as MQIPT accepts it and the connection is closed.
  - Click File > Save to save the changes to the policy file.
  The policy tool (policytool) was removed from Java 11 and later; if your JRE does not include it, make the same changes to C:\mqiptHome\mqipt.policy with a text editor.
- Edit mqipt.conf: add the following properties to the [global] section and add a new route definition:
    [global]
    SecurityManager=true
    SecurityManagerPolicy=C:\mqiptHome\mqipt.policy

    [route]
    ListenerPort=1415
    Destination=server1.company2.com
    DestinationPort=1414
    SSLProxyMode=true
  With SSLProxyMode=true, MQIPT does not take part in the SSL/TLS handshake: the SSL/TLS session is established end to end between the IBM MQ client and the queue manager, so no key ring is needed on this route, and MQIPT cannot inspect the channel traffic it forwards.
- Start MQIPT. Open a command prompt and enter the following command, where C:\mqiptHome is the location of the MQIPT configuration file, mqipt.conf:
    C:\mqipt\bin\mqipt C:\mqiptHome
  The following messages indicate successful completion. The MQCPI055 and MQCPI053 messages confirm that MQIPT picked up the policy file and started the Java Security Manager; if they are missing, check that SecurityManager=true and SecurityManagerPolicy are in the [global] section.
    5639-L92 (C) Copyright IBM Corp. 2000, 2017 All Rights Reserved
    MQCPI001 IBM MQ Internet Pass-Thru Version 2.1.0.3 starting
    MQCPI004 Reading configuration information from C:\mqiptHome\mqipt\mqipt.conf
    MQCPI055 Setting the java.security.policy to C:\mqiptHome\mqipt.policy
    MQCPI053 Starting the Java Security Manager
    MQCPI011 The path C:\mqiptHome\mqipt\logs will be used to store the log files
    MQCPI006 Route 1415 has started and will forward messages to :
    MQCPI034 ....server1.company2.com(1414)
    MQCPI035 ....using SSLProxyMode
    MQCPI078 Route 1415 ready for connection requests
- At a command prompt on the IBM MQ client, enter the following commands:
  - Set the MQSERVER environment variable so that the client connects to the MQIPT listener (10.9.1.2, port 1415) rather than directly to the queue manager:
      SET MQSERVER=MQIPT.CONN.CHANNEL/tcp/10.9.1.2(1415)
  - Put a message:
      amqsputc MQIPT.LOCAL.QUEUE MQIPT.QM1
      Hello world
    Press Enter twice after typing the message string.
  - Get the message:
      amqsgetc MQIPT.LOCAL.QUEUE MQIPT.QM1
    The message "Hello world" is returned.
  To confirm that the policy is being enforced, repeat these client commands from a host that is not named in the SocketPermission target; that connection should be refused.
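The policy file that the editing steps above produce, reconstructed as an added example together with a small least-privilege check over it. This is not MQIPT code and not the shipped mqiptSample.policy, whose full contents this page does not reproduce: the codeBase, the C:\mqiptHome and C:\mqipt directories and the accept-only SocketPermission for client1.company1.com come from the steps above, while the FilePermission actions and the outbound connect entry for server1.company2.com are assumptions. The check flags the things that would silently widen the policy: a codeBase that no longer matches the installed jar, accept from a host other than the IBM MQ client, connect to a wildcard host, and file access outside the MQIPT directories. A deliberately loose variant is included for comparison.

```python
"""Audit an MQIPT Java Security Manager policy file for least privilege.

Added example for the MQIPT security-manager scenario; not part of MQIPT.
STRICT_POLICY is a constructed reconstruction of C:\\mqiptHome\\mqipt.policy
after the edits in the procedure (FilePermission actions and the outbound
connect entry for server1.company2.com are assumptions).  LOOSE_POLICY is a
constructed weak variant for comparison.
"""
import re

EXPECTED_CODEBASE = "file:/C:/mqipt/lib/com.ibm.mq.ipt.jar"
ALLOWED_ACCEPT_HOSTS = {"client1.company1.com"}
ALLOWED_ROOTS = ("C:\\mqiptHome", "C:\\mqipt")

STRICT_POLICY = r'''
grant codeBase "file:/C:/mqipt/lib/com.ibm.mq.ipt.jar" {
  // MQIPT home directory: mqipt.conf plus the errors and logs directories
  permission java.io.FilePermission "C:\\mqiptHome", "read";
  permission java.io.FilePermission "C:\\mqiptHome\\-", "read,write,delete";
  // MQIPT installation directory (read only)
  permission java.io.FilePermission "C:\\mqipt\\-", "read";
  // Accept listener connections only from the IBM MQ client host
  permission java.net.SocketPermission "client1.company1.com:1024-", "accept,listen,resolve";
  // Outbound tunnel to the destination queue manager (assumed entry)
  permission java.net.SocketPermission "server1.company2.com:1414", "connect,resolve";
};
'''

LOOSE_POLICY = r'''
grant codeBase "file:/C:/mqipt/lib/com.ibm.mq.ipt.jar" {
  permission java.io.FilePermission "<<ALL FILES>>", "read,write,delete,execute";
  permission java.net.SocketPermission "*:1024-", "accept,listen,resolve";
  permission java.net.SocketPermission "*", "connect,resolve";
};
'''

# One grant block: codeBase string and the permission lines between the braces.
GRANT_RE = re.compile(r'grant\s+codeBase\s+"([^"]+)"\s*\{(.*?)\}\s*;', re.S | re.I)
# One permission line: class name, target string and optional actions string.
PERM_RE = re.compile(r'permission\s+([\w.]+)\s+"([^"]*)"(?:\s*,\s*"([^"]*)")?\s*;')


def audit_policy(policy_text, expected_codebase=EXPECTED_CODEBASE,
                 allowed_accept_hosts=ALLOWED_ACCEPT_HOSTS, allowed_roots=ALLOWED_ROOTS):
    """Return a list of findings; an empty list means the policy grants only what the scenario needs."""
    findings = []
    grants = GRANT_RE.findall(policy_text)
    if not grants:
        return ["no 'grant codeBase' block found"]
    for codebase, body in grants:
        if codebase != expected_codebase:
            # A stale codeBase means the grants do not apply to the installed jar at all.
            findings.append(f"codeBase {codebase!r} does not match the installed com.ibm.mq.ipt.jar")
        for cls, target, actions in PERM_RE.findall(body):
            acts = {a.strip() for a in actions.split(",") if a.strip()}
            if cls.endswith("AllPermission"):
                findings.append("AllPermission granted: the security manager restricts nothing")
            elif cls == "java.net.SocketPermission":
                host = target.partition(":")[0]          # "host:port-range" -> host
                if "accept" in acts and host not in allowed_accept_hosts:
                    findings.append(f"accept allowed from {target!r}; expected only {sorted(allowed_accept_hosts)}")
                if "connect" in acts and "*" in host:
                    findings.append(f"connect allowed to wildcard host {target!r}")
            elif cls == "java.io.FilePermission":
                path = target.replace("\\\\", "\\")      # policy files double the backslashes
                inside = any(path.lower().startswith(root.lower()) for root in allowed_roots)
                if target == "<<ALL FILES>>" or not inside:
                    findings.append(f"file access outside the MQIPT directories: {target!r} ({actions})")
    return findings


if __name__ == "__main__":
    for name, text in (("strict", STRICT_POLICY), ("loose", LOOSE_POLICY)):
        findings = audit_policy(text)
        print(f"{name} policy: {'OK' if not findings else f'{len(findings)} finding(s)'}")
        for finding in findings:
            print("  -", finding)
```

Run the script against the policy file you saved (`audit_policy(open(r"C:\mqiptHome\mqipt.policy").read())`) before starting MQIPT; with the scenario's settings it should report no findings, while the loose variant reports the wildcard accept, the wildcard connect and the unrestricted file access.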