Other security considerations
MQIPT has several additional functions that help a designer build a secure solution.
- If there are many clients in an internal network all trying to make outgoing connections, they can all go through an MQIPT located inside the firewall. The firewall administrator then has to grant external access only to the MQIPT computer.
- MQIPT can connect only to queue managers for which it has been explicitly configured in its configuration file, unless MQIPT is acting as a SOCKS proxy or is using a security exit.
- MQIPT verifies that the messages it receives and transmits are valid and conform to the IBM MQ protocol. This helps prevent MQIPT from being used for security attacks outside the IBM MQ protocol. If MQIPT is acting as an SSL/TLS proxy, all IBM MQ data and protocol flows are encrypted, so MQIPT can validate only the initial SSL/TLS handshake. In this situation, use the Java Security Manager.
- MQIPT allows channel exits to run their own end-to-end security protocols.
- We can restrict the total number of incoming connections by setting the MaxConnectionThreads property. This helps protect a vulnerable internal queue manager from denial of service attacks.
Configuration file
We must protect the MQIPT configuration file, mqipt.conf, from being read by unauthorized users because it might contain sensitive information, such as the AccessPW password that controls remote administrative access to MQIPT. Protect all passwords specified in the configuration file by following the procedure in Encrypting stored passwords. Also, ensure that mqipt.conf is protected against unauthorized modification. Set the operating system file permissions for mqipt.conf such that only the user account that runs MQIPT can read or update the file.
Command port
The MQIPT command ports accept administrative commands issued over the network to a remote instance of MQIPT by the mqiptAdmin command.
From Version 9.2.0, MQIPT can be configured with one command port that is unsecured and one command port that is secured with TLS. Connections to the unsecured command port are not encrypted.
Note: Data sent over the network to the unsecured command port, including the MQIPT access password, can be visible to other users on the network.
We must consider whether we need to enable a command port, and assess the risks of allowing remote administration of MQIPT, before enabling either the unsecured or TLS command port. From Version 9.2.0, the mqiptAdmin command can administer local instances of MQIPT that are running under the same user as the mqiptAdmin command without using a command port. Therefore you might not need to enable a command port to administer local instances of MQIPT.
If the unsecured or TLS command port is enabled, we must prevent unauthorized access to the command port. For example, we should consider these points when securing access to the command port:
- Use a firewall to restrict the set of computers that can connect to the MQIPT command port.
- Enable authentication on the command ports by using the AccessPW and RemoteCommandAuthentication properties. For more information about enabling command port authentication, see Command port authentication.
- Consider disabling remote shutdown with the RemoteShutdown property.
- Consider using the CommandPortListenerAddress and SSLCommandPortListenerAddress properties to configure the command ports to listen on a specific network interface.
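The following script is an added example, not part of the MQIPT documentation, that ties together the configuration-file guidance above and the command-port hardening points in this list. It writes a constructed mqipt.conf fragment using the property names from this page (`MaxConnectionThreads`, `AccessPW`, `RemoteCommandAuthentication`, `RemoteShutdown`, `SSLCommandPortListenerAddress`), then restricts the file to the account that runs MQIPT and verifies the result. The port number, the listener address, the `SSLCommandPort` property name and the value `required` for `RemoteCommandAuthentication` are assumptions to adapt to your environment; the password line is a placeholder, not a real encrypted value.

```shell
#!/bin/sh
# Added example (not MQIPT's own code): hardened mqipt.conf fragment plus
# file-permission lockdown and check. Values are constructed for illustration.

# Write a constructed mqipt.conf to the path given as $1.
# The unsecured command port is left disabled (no CommandPort line); only the
# TLS command port is configured, bound to a management interface (assumed).
write_hardened_conf() {
  cat > "$1" <<'EOF'
[global]
# Cap concurrent inbound connections to limit denial-of-service exposure
MaxConnectionThreads=100
# TLS command port only; listener address and port number are assumptions
SSLCommandPort=1883
SSLCommandPortListenerAddress=10.0.0.5
# Require the access password on every remote administrative command
# (value "required" is an assumption; check the RemoteCommandAuthentication docs)
RemoteCommandAuthentication=required
# Store the password in encrypted form (see Encrypting stored passwords);
# the line below is a placeholder, not a real value
AccessPW=<encrypted-password-placeholder>
# Do not allow MQIPT to be stopped over the network
RemoteShutdown=false
EOF
}

# Restrict the file so that only its owner (the MQIPT service account)
# can read or modify it.
restrict_conf() {
  chmod 600 "$1"
}

# Return 0 when the file is readable and writable by its owner only and is
# owned by the expected user ($2); otherwise print the offending attribute
# and return 1. Uses ls -l rather than stat, which differs across platforms.
check_conf() {
  f=$1
  expected_owner=$2
  mode=$(ls -ld "$f" | cut -c1-10)
  owner=$(ls -ld "$f" | awk '{print $3}')
  case "$mode" in
    -rw-------) ;;
    *) echo "mqipt.conf has mode $mode; expected -rw-------"; return 1 ;;
  esac
  if [ "$owner" != "$expected_owner" ]; then
    echo "mqipt.conf is owned by $owner; expected $expected_owner"
    return 1
  fi
  return 0
}

# Typical use, run as the account that will start MQIPT:
#   write_hardened_conf /opt/mqipt/mqipt.conf
#   restrict_conf /opt/mqipt/mqipt.conf
#   check_conf /opt/mqipt/mqipt.conf "$(id -un)"
```

The check function is the part worth keeping in a deployment script or a scheduled audit: a configuration file that later becomes group- or world-readable exposes the access password, and a file writable by another account lets that account change which queue managers MQIPT connects to.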
For more information on using the mqiptAdmin command to administer MQIPT, see Administer MQIPT by using the command line.