
Scenario: Using a certificate exit to authenticate an SSL/TLS server

In this scenario, an SSL/TLS server is authenticated by using a certificate exit that runs on the SSL/TLS client side of the connection.


Before you begin


About this task

This scenario performs the same function as the Authenticating an SSL/TLS server scenario, with the addition of a certificate exit.

By changing the value of the SSLExitData property, the SSL/TLS connection between the two MQIPT servers can be allowed or rejected.

Figure 1. SSL/TLS server network diagram

This diagram shows the connection from the IBM MQ client (called client1.company1.com on port 1415) through two instances of MQIPT to the IBM MQ server (called server1.company2.com on port 1414).


Procedure

To use a certificate exit to authenticate an SSL/TLS server, complete the following steps:

  1. On MQIPT1:
    1. Open a command prompt and enter the following commands:
      C:
      cd \mqipt\exits
      javac -classpath C:\mqipt\lib\com.ibm.mq.ipt.jar;. SampleCertificateExit.java
    2. Edit mqipt.conf and add a route definition:
      [route]
      ListenerPort=1415
      Destination=9.100.6.7
      DestinationPort=1416
      SSLClient=true
      SSLClientKeyRing=C:\mqipt\ssl\sslSample.pfx
      SSLClientKeyRingPW=C:\mqipt\ssl\sslSample.pwd
      SSLClientExit=true
      SSLExitName=SampleCertificateExit
      SSLExitPath=C:\mqipt\exits
      SSLExitData=allow
    3. Open a command prompt and start MQIPT:
      C:\mqipt\bin\mqipt C:\mqiptHome
      where C:\mqiptHome indicates the location of the MQIPT configuration file, mqipt.conf. The following message indicates successful completion:
      5639-L92 (C) Copyright IBM Corp. 2000, 2017 All Rights Reserved
      MQCPI001 IBM MQ Internet Pass-Thru Version 2.1.0.3 starting
      MQCPI011 The path C:\mqiptHome\logs will be used to store the log files
      MQCPI006 Route 1415 has started and will forward messages to :
      MQCPI034 ....9.100.6.7(1416)
      MQCPI035 ....using MQ protocols
      MQCPI036 ....SSL Client side enabled with properties :
      MQCPI031 ......CipherSuites <null>
      MQCPI032 ......keyring file C:\ssl\mqipt\sslSample.pfx
      MQCPI047 ......CA keyring file <null>
      MQCPI038 ......peer certificate uses UID=*,CN=*,T=*,OU=*,DC=*,O=*,
                                           STREET=*,L=*,ST=*,PC=*,C=*,DNQ=*
      MQCPI129 ......using certificate exit C:\mqipt\exits\SampleCertificateExit
      MQCPI131 ......and certificate exit data 'allow'
      MQCPI078 Route 1415 ready for connection requests
  2. On MQIPT2:
    1. Edit mqipt.conf and add a route definition:
      [route]
      ListenerPort=1416
      Destination=Server1.company2.com
      DestinationPort=1414
      SSLServer=true
      SSLServerKeyRing=C:\mqipt\ssl\sslSample.pfx
      SSLServerKeyRingPW=C:\mqipt\ssl\sslSample.pwd
    2. Open a command prompt and start MQIPT:
      C:
      cd \mqipt\bin
      mqipt ..
      (.. indicates that the MQIPT configuration file, mqipt.conf, is in the parent directory.) The following message indicates successful completion:
      5639-L92 (C) Copyright IBM Corp. 2000, 2017 All Rights Reserved
      MQCPI001 IBM MQ Internet Pass-Thru Version 2.1.0.3 starting
      MQCPI011 The path C:\mqiptHome\logs will be used to store the log files
      MQCPI006 Route 1416 has started and will forward messages to :
      MQCPI034 ....server1.company2.com(1414)
      MQCPI035 ....using MQ protocols
      MQCPI037 ....SSL Server side enabled with properties :
      MQCPI031 ......CipherSuites <null>
      MQCPI032 ......keyring file C:\mqipt\ssl\sslSample.pfx
      MQCPI047 ......CA keyring file <null>
      MQCPI038 ......peer certificate uses UID=*,CN=*,T=*,OU=*,DC=*,O=*,
                                           STREET=*,L=*,ST=*,PC=*,C=*,DNQ=*
      MQCPI033 ......client authentication set to false
      MQCPI078 Route 1416 ready for connection requests
  3. At a command prompt on the IBM MQ client, enter the following commands:
    1. Set the MQSERVER environment variable:
      SET MQSERVER=MQIPT.CONN.CHANNEL/tcp/10.9.1.2(1415)
    2. Put a message:
      amqsputc MQIPT.LOCAL.QUEUE MQIPT.QM1
      Hello world
      Press Enter twice after typing the message string.
    3. Get the message:
      amqsgetc MQIPT.LOCAL.QUEUE MQIPT.QM1
      The message "Hello world" is returned.
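The route definition in step 1 is where the certificate exit is wired in, and a mismatched stanza (exit enabled but SSLClient not set, SSLExitName or SSLExitPath missing, exit data changed from allow) is a common reason the connection is rejected. The following added example, which is not part of the IBM MQ IPT product or this scenario, parses [route] stanzas from an mqipt.conf and reports such inconsistencies before MQIPT is started. The sample configuration is the MQIPT1 route from this scenario; it assumes, as the scenario does, that only the exit data value allow lets the sample exit accept the peer.

```python
# Constructed sample: the MQIPT1 route definition from this scenario.
SAMPLE_CONF = r"""
[route]
ListenerPort=1415
Destination=9.100.6.7
DestinationPort=1416
SSLClient=true
SSLClientKeyRing=C:\mqipt\ssl\sslSample.pfx
SSLClientKeyRingPW=C:\mqipt\ssl\sslSample.pwd
SSLClientExit=true
SSLExitName=SampleCertificateExit
SSLExitPath=C:\mqipt\exits
SSLExitData=allow
"""


def parse_routes(text):
    """Return one {property: value} dict per [route] stanza in an mqipt.conf."""
    routes = []
    current = None                      # stanza being read; None outside a [route]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = {} if line.lower() == "[route]" else None
            if current is not None:
                routes.append(current)
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            current[key.strip()] = value.strip()
    return routes


def check_cert_exit(route):
    """Findings about a route's certificate-exit settings (empty list means consistent)."""
    on = lambda key: route.get(key, "false").lower() == "true"
    findings = []
    if not on("SSLClientExit"):
        return findings                 # no certificate exit configured on this route
    if not on("SSLClient"):
        findings.append("SSLClientExit=true but SSLClient is not true, so the exit never runs")
    for key in ("SSLExitName", "SSLExitPath"):
        if not route.get(key):
            findings.append(f"SSLClientExit=true but {key} is not set")
    data = route.get("SSLExitData", "")
    # Assumption (as in this scenario): only exit data 'allow' makes the sample exit accept the peer.
    if data != "allow":
        findings.append(f"SSLExitData={data!r}: the sample exit will reject the SSL/TLS connection")
    return findings
```

Run `check_cert_exit(route)` for each route returned by `parse_routes(open(path).read())` to list the findings for a configuration file; an empty list means the exit settings of that route are consistent with this scenario.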