MQ Series Client on Windows 2000 with SSL
Steve Martin
Novice
Joined: 01 Aug 2003 Posts: 13
Posted: Mon Aug 04, 2003 8:06 am
Post subject: MQ Series Client on Windows 2000 with SSL

I need to develop a program (running on Windows 2000) that accepts an MQ message, loads data from a COM application and sends a reply message via MQ. All communication with the Queue Manager must be done via SSL.
I have identified the program "runmqtmc" that can launch my program when a message comes in. However, this is not a service. I have seen reference to MA7K which allows this to run as a service on 2000. The instructions say that this supports MQ 5.2 but SSL was not introduced until 5.3. Does this software work with SSL?
I am intending to write the handler program in VB 6 or VB.Net. It appears that I have 5 options:
- VB6 with DLL calls using includes
- VB6 with ActiveX component
- VB.Net with DLL calls using includes? (are there translations?)
- VB.Net with ActiveX component
- VB.Net with MA7P
How stable is MA7P? The reason I ask is that the doc does not seem to match the classes.
Which of these environments will allow me to establish the SSL connections?
Do any of these environments have significant problems?
Any sample code for connecting via SSL in Visual Basic? I am in the process of looking at the Java code in the SSL.Zip file.
Thanks
Steve Martin

Steve Martin
Novice
Joined: 01 Aug 2003 Posts: 13
Posted: Tue Aug 12, 2003 10:22 am
Post subject: Websphere MQ in Windows 2000 with SSL - update

To summarize my learnings
Working with MQ over SSL is relatively easy. No (or almost no) application code changes need to be done to use it.
0. Install the Websphere MQ Client version 5.3
1. Generate a client private key/public key pair. (.p12 extension and will be password protected)
2. Get a server public key file. (In our case it had a .arm extension.)
MQ stores its information in a keystore. These must have a .sto extension. This is pointed to by the MQSSLKEYR environment variable.
3. Set the
Code:
MQSSLKEYR=c:\MQ\keystore
(the real file will be called c:\MQ\keystore.sto. The file and folder can be changed to match your environment)
4. Create the certificate store file with default entries
5. Add the private key to the certificate store
Code:
amqmcert -a -p <private file> -z <password>
6. Add the public key to the certificate store
Code:
amqmcert -a -s <public key file>
The key repository has one key designated as the one that will be passed to the server for client authentication. This must be a private key and is probably the one loaded at step 5.
7. Find the ID of this loaded key
A list of keys will be displayed with assigned numbers. The private key should have a * next to it.
8. Designate it as the client's credentials
Code:
amqmcert -d <private key number>
It is critical that this keystore file be secured. Per my understanding, it is stored in an internal format but private key data is being stored. (It may even be possible to just copy the file to a new machine and have it work. I have not tried this out.) Per MQ docs the file location must be secured based on file system privileges.
At this point it is necessary to designate the channels to be used for communication with the server. These are binary files and must be created by tools on the/a server. (I have not done this part but the channels must be defined and their definitions loaded to a .tab file. The first time I received one of these files the Queue Manager name was not included in the channel definition. Just something to watch out for.)
The remainder assumes you have the channel table file.
9. Place the channel table file into the MQ folder (in this example this is C:\MQ)
Now tell MQ where to find the channel definition table. There are two environment variables MQCHLLIB and MQCHLTAB
- MQCHLLIB is the folder where the table is stored
- MQCHLTAB is the name of the file within the folder
In my case I named it C:\MQ\channels.tab
10. Set Channel table environment variables
-
-
Code:
MQCHLTAB=channels.tab
When connecting, just use the Queue Manager name as normal.
There are some additional capabilities for working with failover which I don't completely understand at this point.
By using the above procedure, I was able to code a test application in VB6 using the ActiveX component as well as VB.Net using the ActiveX component. But, since all of the configuration is external to the application it should be relatively simple to change an existing program to use SSL channels.
I still have a few questions from the initial post that I am still researching:
1. How best to prepare a service on Windows 2000 in SSL environment
- runmqtmc - Does this support Client 5.3 with SSL?
- Homegrown monitor in VB.Net (or other environment)
2. How viable is MA7P for doing development. Do we know yet when it will be included in a service release?
Thanks to everyone who posted articles in other areas. They were very helpful in figuring out these procedures.
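
Added example, not part of the original posts and not IBM code: a Python pre-flight check for the three client environment variables the post above sets (MQSSLKEYR, MQCHLLIB, MQCHLTAB). The function name, the optional queue manager check, and the assumption that names appear as plain ASCII text inside the binary channel table are assumptions of this example.

```python
"""Pre-flight check for the MQ client SSL settings described in the post."""
import os


def check_mq_ssl_client_env(env, qmgr_name=None):
    """Return a list of problems with MQSSLKEYR, MQCHLLIB and MQCHLTAB.

    env is a mapping such as os.environ; qmgr_name is optional.
    """
    problems = []

    # Per the post, MQSSLKEYR names the key store WITHOUT its .sto extension.
    keyr = env.get("MQSSLKEYR", "").strip()
    if not keyr:
        problems.append("MQSSLKEYR is not set")
    elif keyr.lower().endswith(".sto"):
        problems.append("MQSSLKEYR should omit the .sto extension")
    elif not os.path.isfile(keyr + ".sto"):
        problems.append("key store not found: " + keyr + ".sto")

    # MQCHLLIB is the folder, MQCHLTAB the file name inside that folder.
    lib = env.get("MQCHLLIB", "").strip()
    tab = env.get("MQCHLTAB", "").strip()
    bare_name = bool(tab) and "\\" not in tab and "/" not in tab
    if not lib:
        problems.append("MQCHLLIB is not set")
    if not tab:
        problems.append("MQCHLTAB is not set")
    elif not bare_name:
        problems.append("MQCHLTAB should be a bare file name")

    if lib and bare_name:
        table = os.path.join(lib, tab)
        if not os.path.isfile(table):
            problems.append("channel table not found: " + table)
        elif qmgr_name:
            # Heuristic (assumption): names are stored as plain ASCII text
            # in the binary table, so a byte search can spot a missing one.
            with open(table, "rb") as fh:
                if qmgr_name.encode("ascii") not in fh.read():
                    problems.append("queue manager name not seen in " + table)
    return problems


if __name__ == "__main__":
    for line in check_mq_ssl_client_env(os.environ) or ["no problems found"]:
        print(line)
```

The check covers naming and presence only; the file system permissions on the key store that the post calls critical still have to be reviewed separately.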

mrlinux
Grand Master
Joined: 14 Feb 2002 Posts: 1261 Location: Detroit,MI USA
Posted: Tue Aug 12, 2003 11:01 am
Post subject:

You can use the srvany.exe to convert runmqtmc to a service.
I would create a batch file which:
1) runmqtmc ---Whatever parms
2) sleep 10 minutes
3) goto step 1
_________________
Jeff
IBM Certified Developer MQSeries
IBM Certified Specialist MQSeries
IBM Certified Solutions Expert MQSeries