Security for IBM MQ Internet Pass-Thru

IBM MQ Internet Pass-Thru can simplify communication through a firewall, but this has security implications.

IBM MQ Internet Pass-Thru (MQIPT) is an optional component of IBM MQ that can be used to implement messaging solutions between remote sites across the internet.

MQIPT enables two queue managers to exchange messages, or an IBM MQ client application to connect to a queue manager, over the Internet without requiring a direct TCP/IP connection. This is useful if a firewall prohibits a direct TCP/IP connection between two systems. It makes the passage of IBM MQ channel protocol flows into and out of a firewall simpler and more manageable by tunnelling the flows inside HTTP or by acting as a proxy. Using Transport Layer Security (TLS), it can also be used to encrypt and decrypt messages that are sent over the Internet.

When the IBM MQ system communicates with MQIPT, ensure that the CipherSpec used by IBM MQ matches the CipherSuite used by MQIPT, unless MQIPT is running in SSL proxy mode:

  • When MQIPT is acting as the TLS server and IBM MQ is connecting as the TLS client, the CipherSpec used by IBM MQ must correspond to a CipherSuite that is enabled in the relevant MQIPT key ring.
  • When MQIPT is acting as the TLS client and is connecting to an IBM MQ TLS server, the MQIPT CipherSuite must match the CipherSpec defined on the receiving IBM MQ channel.
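As an added example (not code from the IBM documentation or the MQIPT product), a small Python check that applies the two rules above: it reads the channel's SSLCIPH value from DISPLAY CHANNEL output and the route's cipher suite list from mqipt.conf, choosing SSLServerCipherSuites or SSLClientCipherSuites according to which side MQIPT plays. The CipherSpec-to-CipherSuite table and the sample inputs are constructed for illustration and should be confirmed against the product documentation for your release.

```python
import re

# Illustrative subset of IBM MQ CipherSpec -> Java CipherSuite names.
# Assumed for this example; confirm each pair against the IBM MQ and MQIPT documentation.
CIPHERSPEC_TO_SUITE = {
    "TRIPLE_DES_SHA_US": "SSL_RSA_WITH_3DES_EDE_CBC_SHA",
    "TLS_RSA_WITH_AES_128_CBC_SHA256": "TLS_RSA_WITH_AES_128_CBC_SHA256",
    "ECDHE_RSA_AES_128_GCM_SHA256": "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "ECDHE_RSA_AES_256_GCM_SHA384": "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
}

# Constructed sample inputs: a runmqsc DISPLAY CHANNEL fragment and an mqipt.conf route.
DISPLAY_CHANNEL = "   CHANNEL(TO.REMOTE)  CHLTYPE(SDR)  SSLCIPH(ECDHE_RSA_AES_128_GCM_SHA256)"
MQIPT_CONF = """[route]
ListenerPort=1414
Destination=mq.example.internal
SSLServer=true
SSLServerCipherSuites=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_CBC_SHA256
"""

def parse_sslciph(text):
    """Extract the SSLCIPH(...) value from DISPLAY CHANNEL output ('' if absent)."""
    m = re.search(r"SSLCIPH\(([^)]*)\)", text)
    return m.group(1).strip() if m else ""

def parse_suites(conf, key):
    """Return the comma-separated list for a property such as SSLServerCipherSuites."""
    for line in conf.splitlines():
        if line.strip().startswith(key + "="):
            return [s.strip() for s in line.split("=", 1)[1].split(",") if s.strip()]
    return []

def check_match(cipherspec, suites):
    """Return (ok, reason): True/False, or None when manual review is needed."""
    if not cipherspec:
        return (None, "channel has no SSLCIPH; TLS is not enabled on the MQ side")
    if cipherspec.startswith("ANY_"):
        return (None, f"{cipherspec} is a protocol alias; confirm MQIPT enables a suite for that TLS level")
    suite = CIPHERSPEC_TO_SUITE.get(cipherspec, cipherspec)
    if suite in suites:
        return (True, f"{cipherspec} maps to {suite}, which MQIPT enables")
    return (False, f"{cipherspec} maps to {suite}, not in MQIPT list {suites}")

def check_route(mqipt_is_server, display_channel, conf):
    """Pick the MQIPT list for the direction (server vs client role), then compare."""
    key = "SSLServerCipherSuites" if mqipt_is_server else "SSLClientCipherSuites"
    return check_match(parse_sslciph(display_channel), parse_suites(conf, key))

if __name__ == "__main__":
    print(check_route(True, DISPLAY_CHANNEL, MQIPT_CONF))
```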

If you migrate from MQIPT to the integrated IBM MQ TLS support, transfer the digital certificates from the MQIPT key ring using either mqiptKeyman or mqiptKeycmd.

For more information, see IBM MQ Internet Pass-Thru.
