| Author |
Message
|
| srvm |
 Posted: Wed Oct 19, 2005 10:52 am Post subject: MQIPT Configuration Question |
 |
|
Apprentice
Joined: 18 Aug 2004
Posts: 43
|
Please suggest if this is a valid/possible MQIPT configuration -
MQClient ----(no ssl) ----MQIPT -------(ssl)------QMgr
1. MQClient connects to MQIPT (local machine) w/o ssl in SSLClient Mode
2. MQIPT to QMgr is SSL Enabled (QMGR is expecting ONLY SSL connections).
QMGR is on a remote machine.
I have seen extensive examples in the MQIPT documentation, but no mention of this particular senarion. Is this a valid configuration or NOT?
If someone has sample cfg, it will be appreciated.
Thank you.
R |
|
| Back to top |
|
 |
| Tibor |
| Posted: Wed Oct 19, 2005 12:24 pm Post subject: |
|
|
Grand Master
Joined: 20 May 2001
Posts: 1033
Location: Hungary
|
In earlier I looked for, too, but didn't find this scenario in the manual. However there is a workaround when you works with Java clients. In this case you don't need tunneling just a JRE (with JSSE).
Our Tru64 boxes connecting with SSL this way just like other v5.3 (or v6.0) MQ clients.
HTH,
Tibor |
|
| Back to top |
|
|
| EddieA |
| Posted: Wed Oct 19, 2005 1:06 pm Post subject: |
|
|
Jedi
Joined: 28 Jun 2001
Posts: 2453
Location: Los Angeles
|
Lo and Behold. Using the "Search" button came up with this. Which is not an exact match, but close enough.
Cheers,
_________________
Eddie Atherton
IBM Certified Solution Developer - WebSphere Message Broker V6.1
IBM Certified Solution Developer - WebSphere Message Broker V7.0 |
|
| Back to top |
|
|
| srvm |
| Posted: Wed Oct 19, 2005 1:25 pm Post subject: |
|
|
Apprentice
Joined: 18 Aug 2004
Posts: 43
|
Tibor, Thank you. I do not know what you mean by need Jre but not tunneling. Let me repeat If I was NOT clear in the first posting. The communication between clients (local clients to MQIPT) to MQIPT is NOT encrypted. However, the MQIPT to Remote QMgr is encrypted.
I see a whole bunch of examples in manual depicting 2 MQIPT, but not a single one depicting the case I am looking for.
R |
|
| Back to top |
|
|
| Tibor |
| Posted: Wed Oct 19, 2005 6:46 pm Post subject: |
|
|
Grand Master
Joined: 20 May 2001
Posts: 1033
Location: Hungary
|
| srvm wrote: |
Tibor, Thank you. I do not know what you mean by need Jre but not tunneling. Let me repeat If I was NOT clear in the first posting. The communication between clients (local clients to MQIPT) to MQIPT is NOT encrypted. However, the MQIPT to Remote QMgr is encrypted.
I see a whole bunch of examples in manual depicting 2 MQIPT, but not a single one depicting the case I am looking for.
R |
Meaning my post was next: when your mq client connection belongs to a java application, you can "upgrade" the java mq classes to v5.3 and set SSL specific properties.
Of course you have to modify the client application, too. If you can't do it, stay on MQIPT side with SSLProxyMode configuration, recommended by Eddie.
Tibor |
|
| Back to top |
|
|
| srvm |
| Posted: Thu Oct 20, 2005 9:16 am Post subject: |
|
|
Apprentice
Joined: 18 Aug 2004
Posts: 43
|
Whole idea is NOT to touch the client (3rd party app written in C/C++). So, we let it run as-is to connect to MQIPT in non-encrypted data locally. However, MQIPT connects to Qmgr over encrypted channels. So, u r correct we want to use it as SSLProxy.
Eddie's suggestion for the specific case is to use to MQIPT.
Thank you.
R |
|
| Back to top |
|
|
| PhilBlake |
| Posted: Tue Oct 25, 2005 3:07 am Post subject: |
|
|
Acolyte
Joined: 25 Oct 2005
Posts: 64
|
Yes, this is a valid configuration 
I wrote an article for the MQ Update magazine (published sept 2003) which explained how to use MQIPT to help migrate to the new SSL support in WebSphere MQ 5.3, using this same configuration.
HTH
Phil |
|
| Back to top |
|
|
| wschutz |
| Posted: Tue Oct 25, 2005 3:11 am Post subject: |
|
|
Jedi Knight
Joined: 02 Jun 2005
Posts: 3316
Location: IBM (retired)
|
If the client application uses/can use the client channel table, then you can set SSL parameters without having to change the application itself.
_________________
-wayne |
|
| Back to top |
|
|
|
|
