Scenario: Using a certificate exit to authenticate an SSL/TLS server
In this scenario, we can authenticate an SSL/TLS connection by using a certificate exit.
Before you begin
- Before you start to use this scenario, make sure that you have completed the prerequisite tasks listed in Scenarios: Getting started with MQIPT.
- Install Java 8.0 JDK.
- Add the Java bin subdirectory to the PATH environment variable.
About this task
This scenario performs the same function as the Authenticating an SSL/TLS server scenario, with the addition of a certificate exit.
By changing the value of the SSLExitData property, the SSL/TLS connection between the two MQIPT servers can be allowed or rejected.
This diagram shows the connection from the IBM MQ client (called client1.company1.com on port 1415) through two instances of MQIPT to the IBM MQ server (called server1.company2.com on port 1414).
Procedure
To use a certificate exit to authenticate an SSL/TLS server, complete the following steps:
- On MQIPT1:
  - Open a command prompt and enter the following commands:
    C:
    cd \mqipt\exits
    javac -classpath C:\mqipt\lib\com.ibm.mq.ipt.jar;. SampleCertificateExit.java
  - Edit mqipt.conf and add a route definition:
    [route]
    ListenerPort=1415
    Destination=9.100.6.7
    DestinationPort=1416
    SSLClient=true
    SSLClientKeyRing=C:\mqipt\ssl\sslSample.pfx
    SSLClientKeyRingPW=C:\mqipt\ssl\sslSample.pwd
    SSLClientExit=true
    SSLExitName=SampleCertificateExit
    SSLExitPath=C:\mqipt\exits
    SSLExitData=allow
  - Open a command prompt and start MQIPT:
    C:\mqipt\bin\mqipt C:\mqiptHome
    where C:\mqiptHome indicates the location of the MQIPT configuration file, mqipt.conf.
    The following message indicates successful completion:
    5639-L92 (C) Copyright IBM Corp. 2000, 2017 All Rights Reserved
    MQCPI001 IBM MQ Internet Pass-Thru Version 2.1.0.3 starting
    MQCPI011 The path C:\mqiptHome\logs will be used to store the log files
    MQCPI006 Route 1415 has started and will forward messages to :
    MQCPI034 ....9.100.6.7(1416)
    MQCPI035 ....using MQ protocols
    MQCPI036 ....SSL Client side enabled with properties :
    MQCPI031 ......CipherSuites <null>
    MQCPI032 ......keyring file C:\ssl\mqipt\sslSample.pfx
    MQCPI047 ......CA keyring file <null>
    MQCPI038 ......peer certificate uses UID=*,CN=*,T=*,OU=*,DC=*,O=*, STREET=*,L=*,ST=*,PC=*,C=*,DNQ=*
    MQCPI129 ......using certificate exit C:\mqipt\exits\SampleCertificateExit
    MQCPI131 ......and certificate exit data 'allow'
    MQCPI078 Route 1415 ready for connection requests
- On MQIPT2:
  - Edit mqipt.conf and add a route definition:
    [route]
    ListenerPort=1416
    Destination=Server1.company2.com
    DestinationPort=1414
    SSLServer=true
    SSLServerKeyRing=C:\mqipt\ssl\sslSample.pfx
    SSLServerKeyRingPW=C:\mqipt\ssl\sslSample.pwd
  - Open a command prompt and start MQIPT:
    C:
    cd \mqipt\bin
    mqipt ..
    (.. indicates that the MQIPT configuration file, mqipt.conf, is in the parent directory.)
    The following message indicates successful completion:
    5639-L92 (C) Copyright IBM Corp. 2000, 2017 All Rights Reserved
    MQCPI001 IBM MQ Internet Pass-Thru Version 2.1.0.3 starting
    MQCPI011 The path C:\mqiptHome\logs will be used to store the log files
    MQCPI006 Route 1416 has started and will forward messages to :
    MQCPI034 ....server1.company2.com(1414)
    MQCPI035 ....using MQ protocols
    MQCPI037 ....SSL Server side enabled with properties :
    MQCPI031 ......CipherSuites <null>
    MQCPI032 ......keyring file C:\mqipt\ssl\sslSample.pfx
    MQCPI047 ......CA keyring file <null>
    MQCPI038 ......peer certificate uses UID=*,CN=*,T=*,OU=*,DC=*,O=*, STREET=*,L=*,ST=*,PC=*,C=*,DNQ=*
    MQCPI033 ......client authentication set to false
    MQCPI078 Route 1416 ready for connection requests
- At a command prompt on the IBM MQ client, enter the following commands:
  - Set the MQSERVER environment variable:
    SET MQSERVER=MQIPT.CONN.CHANNEL/tcp/10.9.1.2(1415)
  - Put a message:
    amqsputc MQIPT.LOCAL.QUEUE MQIPT.QM1
    Hello world
    Press Enter twice after typing the message string.
  - Get the message:
    amqsgetc MQIPT.LOCAL.QUEUE MQIPT.QM1
    The message "Hello world" is returned.
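As an added operational check written for this page (not MQIPT's code nor IBM's SampleCertificateExit), the Python script below parses the MQCPI startup messages shown above for MQIPT1 and confirms that route 1415 came up on the SSL client side with the certificate exit loaded and the intended SSLExitData value. The embedded sample is the page's own startup output, abridged, and the message layouts are assumed from those lines rather than from an MQIPT specification.

```python
import re

# Constructed input: MQIPT1 startup messages from this scenario, abridged to the lines the check reads.
MQIPT1_STARTUP = r"""
MQCPI001 IBM MQ Internet Pass-Thru Version 2.1.0.3 starting
MQCPI006 Route 1415 has started and will forward messages to :
MQCPI036 ....SSL Client side enabled with properties :
MQCPI129 ......using certificate exit C:\mqipt\exits\SampleCertificateExit
MQCPI131 ......and certificate exit data 'allow'
MQCPI078 Route 1415 ready for connection requests
"""

# Message layouts are assumed from the lines shown on this page, not from an MQIPT spec.
ROUTE_START = re.compile(r"^MQCPI006 Route (\d+) has started")
ROUTE_READY = re.compile(r"^MQCPI078 Route (\d+) ready")
SSL_SIDE = re.compile(r"^MQCPI03[67] \.+SSL (Client|Server) side enabled")
EXIT_NAME = re.compile(r"^MQCPI129 \.+using certificate exit (\S+)")
EXIT_DATA = re.compile(r"^MQCPI131 \.+and certificate exit data '([^']*)'")

def parse_routes(startup_text):
    """Group MQCPI messages by listener port; record TLS side, exit, exit data, ready."""
    routes, cur = {}, None
    for line in startup_text.splitlines():
        if m := ROUTE_START.match(line):
            cur = routes.setdefault(m.group(1), {"ssl": None, "exit": None, "exit_data": None, "ready": False})
        elif cur is None:
            continue  # banner lines printed before the first route
        elif m := SSL_SIDE.match(line):
            cur["ssl"] = m.group(1).lower()
        elif m := EXIT_NAME.match(line):
            cur["exit"] = m.group(1)
        elif m := EXIT_DATA.match(line):
            cur["exit_data"] = m.group(1)
        elif (m := ROUTE_READY.match(line)) and m.group(1) in routes:
            routes[m.group(1)]["ready"] = True
    return routes

def check_exit_route(startup_text, port, expected_exit, expected_data):
    """Findings for an SSLClient route; an empty list means it started as configured."""
    route = parse_routes(startup_text).get(port)
    if route is None:
        return [f"route {port} did not start"]
    checks = [
        (route["ssl"] == "client", "SSLClient is not enabled on this route"),
        ((route["exit"] or "").endswith(expected_exit), f"certificate exit is {route['exit']!r}, expected {expected_exit}"),
        (route["exit_data"] == expected_data, f"SSLExitData is {route['exit_data']!r}, expected {expected_data!r}"),
        (route["ready"], "route is not ready for connection requests"),
    ]
    return [msg for ok, msg in checks if not ok]
```

Run it against the console output captured when MQIPT1 starts; any non-empty list of findings means the route is not using the certificate exit the way the route definition intends.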