The com.ibm.mq.ipt.exit.CertificateExit class
An abstract class that must be implemented by the class that is defined with the SSLExitName property.
The class contains default implementations for running the exit and some public methods that we can optionally override, according to our requirements. The complete list of supported methods is as follows:
Methods
- public int init(IPTTrace)
- The init method is called by MQIPT when it loads the exit, and can be implemented to perform any initialization of the exit; for example, loading of data that is used during the validation process. The default implementation does nothing.
- public int refresh(IPTTrace)
- The refresh method is implemented to perform a refresh of any data; for example, reloading from disk any data that is used during the validation process. This method is called when the MQIPT administrator has issued a refresh command. The default implementation does nothing.
- public void close(IPTTrace)
- The close method is implemented to perform any housekeeping when the route is about to be stopped or MQIPT is closing down. The default implementation does nothing.
- public CertificateExitResponse validate(IPTTrace)
- The validate method is called to perform validation of the peer certificate. The return object can be used to pass information back to MQIPT; for example, a return code and some text that can be added to the connection log. The default implementation returns a CertificateExitResponse with CertificateExitResponse.OK.
Supported methods for obtaining properties:
- public int getListenerPort()
- retrieves the route listener port - as defined by the ListenerPort property
- public String getDestination()
- retrieves the destination address - as defined by the Destination property
- public int getDestinationPort()
- retrieves the destination listener port address - as defined by the DestinationPort property
- public String getClientIPAddress()
- retrieves the IP address of the client making the connection request
- public int getClientPortAddress()
- retrieves the port address used by the client making the connection request
- public boolean isSSLClient()
- used to determine if the exit is being called as an SSL/TLS client or SSL/TLS server. If this returns true, the exit is on the client side of the connection, validating the certificate obtained from the server. If this returns false, the exit is on the server side of the connection, validating the certificate sent by the client. It is valid for a route to act as both an SSL/TLS server and an SSL/TLS client, decrypting and re-encrypting traffic. In this situation, although there is a single exit class, some instances of the class will be called as clients and some as servers. We can use isSSLClient to determine the situation for a given instance.
- public int getConnThreadID()
- used to retrieve the ID of the worker thread that is handling the connection request, which can be useful for debugging.
- public String getChannelName()
- retrieves the IBM MQ channel name that is used in the connection request. This is available only when the incoming request is not using SSL/TLS and MQIPT is acting as an SSL/TLS client.
- public String getQMName()
- retrieves the name of the IBM MQ queue manager used in the connection request. This is available only when the client request is not using SSL/TLS and MQIPT is acting as an SSL/TLS client.
- public boolean getTimedout()
- used by the exit to determine if the timeout has expired.
- public IPTCertificate getCertificate()
- retrieves the SSL/TLS certificate that needs to be validated.
- public String getExitData()
- retrieves the exit data, as defined by the SSLExitData property.
- public String getExitName()
- retrieves the exit name, as defined by the SSLExitName property.