ASG
IBM
Zystems
Cressida
Icon
Netflexity
 
  MQSeries.net
Search  Search       Tech Exchange      Education      Certifications      Library      Info Center      SupportPacs      LinkedIn  Search  Search                                                                   FAQ  FAQ   Usergroups  Usergroups
 
Register  ::  Log in Log in to check your private messages
 
RSS Feed - WebSphere MQ Support RSS Feed - Message Broker Support

MQSeries.net Forum Index » General IBM MQ Support » TLS1.2 for C client applications on Linux

Post new topic  Reply to topic
 TLS1.2 for C client applications on Linux « View previous topic :: View next topic » 
Author Message
czaszek
PostPosted: Sun Mar 03, 2019 10:49 am    Post subject: TLS1.2 for C client applications on Linux Reply with quote

Apprentice

Joined: 30 May 2006
Posts: 36
Location: Poland

hi All

Due to Azure migration we are enforced (by our security department) to migrate our old C clients (running of Linux) to migrate to TLS1.2 secured MQ channels. Does anyone know whether there is any way we can make them to connect via TLS1.2?
We use MQI (MQCONN, MQCONNX) to connect to a queue manager, sample connection code sniplet:

Code:
MQCNO connOps = {MQCNO_DEFAULT};
               MQCD clientConn = {MQCD_CLIENT_CONN_DEFAULT};
               strcat(clientConn.ChannelName, getQueueManagerChannel().c_str());
               strcat(clientConn.ConnectionName, getQueueManagerHost().c_str());
               strcat(clientConn.ConnectionName, "(");
               strcat(clientConn.ConnectionName, StringUtils::toString(getQueueManagerPort()).c_str());
               strcat(clientConn.ConnectionName, ")");

               strncpy(connOps.StrucId, MQCNO_STRUC_ID, 4);
               connOps.Version = MQCNO_VERSION_4;
               connOps.Options = MQCNO_NONE;
               connOps.ClientConnPtr = &clientConn;
               strcpy((char*)connOps.ConnTag, (const char*)MQCT_NONE);

               log->debug("%s: using MQCONNX", METHOD_NAME);
               MQCONNX("", &connOps, &locConn, &reason, &reason);


Many thanks in advance for help
Best Regards
czaszek
Back to top
View user's profile Send private message
bruce2359
PostPosted: Sun Mar 03, 2019 12:29 pm    Post subject: Reply with quote

Poobah

Joined: 05 Jan 2008
Posts: 9394
Location: US: west coast, almost. Otherwise, enroute.

Have you tried testing this? What were the results?
_________________
I like deadlines. I like to wave as they pass by.
ב''ה
Lex Orandi, Lex Credendi, Lex Vivendi. As we Worship, So we Believe, So we Live.
Back to top
View user's profile Send private message
hughson
PostPosted: Sun Mar 03, 2019 2:10 pm    Post subject: Re: TLS1.2 for C client applications on Linux Reply with quote

Padawan

Joined: 09 May 2013
Posts: 1914
Location: Bay of Plenty, New Zealand

May I suggest that the easiest, and most expedient way to do this would be to use a CCDT. Now that you are in the realm of TLS, you will need to update your choice of cipherspec/suite from time to time. Creating a CCDT means that you can make that change administratively without having to rebuild your application.

So, on a machine that is running at least IBM MQ V8, set the environment variables MQCHLLIB and MQCHLTAB to point to a file location that is where you want to create your CCDT, e.g.

Code:
export MQCHLLIB=/usr/me/ccdt
export MQCHLTAB=AZURE.TAB


Then using this comand:-

Code:
runmqsc -n


to put the runmqsc tool into CCDT editting mode, create your CLNTCONN channel, e.g.:-

Code:
DEFINE CHANNEL(TO.AZURE) CHLTYPE(CLNTCONN) TRPTYPE(TCP) CONNAME('azure.machine.com(1515)') SSLCIPH(TLS_RSA_WITH_AES_256-CBC_SHA256) QMNAME(' ')


Then delete the part of your code that builds up the channel so that the MQ client code will instead look it up in the CCDT, e.g.:-

Code:
MQCNO connOps = {MQCNO_DEFAULT};

strncpy(connOps.StrucId, MQCNO_STRUC_ID, 4);
connOps.Version = MQCNO_VERSION_4;
connOps.Options = MQCNO_NONE;
strcpy((char*)connOps.ConnTag, (const char*)MQCT_NONE);

log->debug("%s: using MQCONNX", METHOD_NAME);
MQCONNX("", &connOps, &locConn, &reason, &reason);


I have left your code using MQCONNX because there is some suggestion that you need it since you are using a version 4 MQCNO and are working with ConnTag, so perhaps we're not seeing all the code here. If you literally are not using anything on the MQCNO, are were only using MQCONNX for the channel configuration, then you could go further to use MQCONN instead.

I chose to make your QMNAME in the CCDT blank because your MQCONNX call uses a blank QMName as the first parameter. This is following good practice, so no need to change it.

Cheers,
Morag
_________________
Morag Hughson @MoragHughson
IBM MQ Technical Education Specialist
Get your IBM MQ training here!
MQGem Software
Back to top
View user's profile Send private message Visit poster's website
czaszek
PostPosted: Sun Mar 03, 2019 10:22 pm    Post subject: Reply with quote

Apprentice

Joined: 30 May 2006
Posts: 36
Location: Poland

hi Morag

Thank your for your replay.
How to load ssl certificates necessary to establish communication?
(Especially if bidirectional (client authentication) is required)

Many thanks in advance
Best Regards
czaszek
Back to top
View user's profile Send private message
hughson
PostPosted: Mon Mar 04, 2019 1:37 am    Post subject: Reply with quote

Padawan

Joined: 09 May 2013
Posts: 1914
Location: Bay of Plenty, New Zealand

There are three scenarios linked from this page that are a good starting point for the instructions you need.

Connecting a client to a queue manager securely

Cheers,
Morag
_________________
Morag Hughson @MoragHughson
IBM MQ Technical Education Specialist
Get your IBM MQ training here!
MQGem Software
Back to top
View user's profile Send private message Visit poster's website
Display posts from previous:   
Post new topic  Reply to topic Page 1 of 1

MQSeries.net Forum Index » General IBM MQ Support » TLS1.2 for C client applications on Linux
Jump to:  



You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
Protected by Anti-Spam ACP
 
 


Theme by Dustin Baccetti
Powered by phpBB © 2001, 2002 phpBB Group

Copyright © MQSeries.net. All rights reserved.