TLS1.2 for C client applications on Linux
czaszek
Posted: Sun Mar 03, 2019 10:49 am    Post subject: TLS1.2 for C client applications on Linux
Apprentice
Joined: 30 May 2006  Posts: 36  Location: Poland
hi All
Due to an Azure migration we are being forced (by our security department) to migrate our old C clients (running on Linux) to TLS1.2-secured MQ channels. Does anyone know whether there is any way we can make them connect via TLS1.2?
We use MQI (MQCONN, MQCONNX) to connect to a queue manager; sample connection code snippet:
Code:
MQCNO connOps = {MQCNO_DEFAULT};              /* MQCNO_DEFAULT already sets StrucId and ConnTag */
MQCD clientConn = {MQCD_CLIENT_CONN_DEFAULT};
MQLONG compCode;                              /* completion code, kept separate from the reason code */

/* MQ character fields are fixed width, so bound every copy by the field length */
strncpy(clientConn.ChannelName, getQueueManagerChannel().c_str(), MQ_CHANNEL_NAME_LENGTH);
snprintf(clientConn.ConnectionName, MQ_CONN_NAME_LENGTH, "%s(%s)",   /* host(port) */
         getQueueManagerHost().c_str(),
         StringUtils::toString(getQueueManagerPort()).c_str());

connOps.Version = MQCNO_VERSION_4;            /* version 4 carries ConnTag and SSLConfigPtr */
connOps.Options = MQCNO_NONE;
connOps.ClientConnPtr = &clientConn;          /* channel definition supplied in code, not from a CCDT */
memcpy(connOps.ConnTag, MQCT_NONE, sizeof(connOps.ConnTag));   /* ConnTag is a binary field, not a C string */
log->debug("%s: using MQCONNX", METHOD_NAME);
/* MQCONNX(QMgrName, ConnectOpts, Hconn, CompCode, Reason): CompCode and Reason are distinct outputs */
MQCONNX("", &connOps, &locConn, &compCode, &reason);
Many thanks in advance for your help
Best Regards
czaszek
bruce2359
Posted: Sun Mar 03, 2019 12:29 pm    Post subject:
Poobah
Joined: 05 Jan 2008  Posts: 9469  Location: US: west coast, almost. Otherwise, enroute.
Have you tried testing this? What were the results?
_________________
I like deadlines. I like to wave as they pass by.
ב''ה
Lex Orandi, Lex Credendi, Lex Vivendi. As we Worship, So we Believe, So we Live.
hughson
Posted: Sun Mar 03, 2019 2:10 pm    Post subject: Re: TLS1.2 for C client applications on Linux
Padawan
Joined: 09 May 2013  Posts: 1959  Location: Bay of Plenty, New Zealand
May I suggest that the easiest, and most expedient way to do this would be to use a CCDT. Now that you are in the realm of TLS, you will need to update your choice of cipherspec/suite from time to time. Creating a CCDT means that you can make that change administratively without having to rebuild your application.
So, on a machine that is running at least IBM MQ V8, set the environment variables MQCHLLIB and MQCHLTAB to point to a file location that is where you want to create your CCDT, e.g.
Code:
export MQCHLLIB=/usr/me/ccdt
export MQCHLTAB=AZURE.TAB
Then using this command:-
to put the runmqsc tool into CCDT editing mode, create your CLNTCONN channel, e.g.:-
Code:
DEFINE CHANNEL(TO.AZURE) CHLTYPE(CLNTCONN) TRPTYPE(TCP) CONNAME('azure.machine.com(1515)') SSLCIPH(TLS_RSA_WITH_AES_256_CBC_SHA256) QMNAME(' ')
Then delete the part of your code that builds up the channel so that the MQ client code will instead look it up in the CCDT, e.g.:-
Code:
MQCNO connOps = {MQCNO_DEFAULT};     /* no MQCD at all: the client library looks the channel up in the CCDT */
MQLONG compCode;                     /* completion code, kept separate from the reason code */
connOps.Version = MQCNO_VERSION_4;
connOps.Options = MQCNO_NONE;
memcpy(connOps.ConnTag, MQCT_NONE, sizeof(connOps.ConnTag));   /* ConnTag is a binary field, not a C string */
log->debug("%s: using MQCONNX", METHOD_NAME);
MQCONNX("", &connOps, &locConn, &compCode, &reason);           /* CompCode and Reason are distinct outputs */
I have left your code using MQCONNX because there is some suggestion that you need it, since you are using a version 4 MQCNO and are working with ConnTag, so perhaps we're not seeing all the code here. If you literally are not using anything on the MQCNO, and were only using MQCONNX for the channel configuration, then you could go further and use MQCONN instead.
I chose to make your QMNAME in the CCDT blank because your MQCONNX call uses a blank QMName as the first parameter. This is following good practice, so no need to change it.
Cheers,
Morag
_________________
Morag Hughson @MoragHughson
IBM MQ Technical Education Specialist
Get your IBM MQ training here!
MQGem Software
czaszek
Posted: Sun Mar 03, 2019 10:22 pm    Post subject:
Apprentice
Joined: 30 May 2006  Posts: 36  Location: Poland
hi Morag
Thank you for your reply.
How do I load the SSL certificates necessary to establish communication?
(Especially if bidirectional (client authentication) is required.)
Many thanks in advance
Best Regards
czaszek
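A worked example, added here and not code from the thread or from IBM: a shell script that carries the CCDT procedure from Morag's post through end to end and also covers the follow-up question about certificates for a channel whose SVRCONN side has SSLCAUTH(REQUIRED). It checks the CipherSpec name against the TLS 1.2 names IBM MQ accepts before handing it to runmqsc -n (a near miss such as TLS_RSA_WITH_AES_256-CBC_SHA256, hyphen instead of underscore, is rejected up front rather than by runmqsc), writes the CLNTCONN entry into the table named by MQCHLLIB/MQCHLTAB, and builds the client key repository with runmqakm: a CMS .kdb plus stash file, the CA certificate, and a CSR for the client's personal certificate, which must carry the label the client will present (ibmwebspheremq followed by the lower-case user id by default, or the CertificateLabel configured on MQ V8 and later). The host, port, channel name, paths, password, label, CA label and DN are assumptions; the ECDHE GCM CipherSpec is chosen instead of the RSA/CBC one in the post because RSA key transport gives no forward secrecy.

```shell
#!/bin/sh
# Added example, not code from the thread or from IBM: client-side setup for a
# TLS 1.2 CLNTCONN channel on Linux. Host, port, channel name, paths, password,
# certificate label and DN are assumptions for illustration.

# IBM MQ CipherSpec names that negotiate TLS 1.2 (ANY_TLS12 needs MQ 9.1.1 or
# later). Prefer the ECDHE_* GCM entries: RSA key transport gives no forward
# secrecy, and CBC is the weaker choice where both ends support GCM.
TLS12_CIPHERSPECS="TLS_RSA_WITH_AES_128_CBC_SHA256 TLS_RSA_WITH_AES_256_CBC_SHA256
TLS_RSA_WITH_AES_128_GCM_SHA256 TLS_RSA_WITH_AES_256_GCM_SHA384
ECDHE_RSA_AES_128_CBC_SHA256 ECDHE_RSA_AES_256_CBC_SHA384
ECDHE_RSA_AES_128_GCM_SHA256 ECDHE_RSA_AES_256_GCM_SHA384
ECDHE_ECDSA_AES_128_GCM_SHA256 ECDHE_ECDSA_AES_256_GCM_SHA384 ANY_TLS12"

# Exact match only: a near miss such as TLS_RSA_WITH_AES_256-CBC_SHA256 (hyphen
# for underscore) is rejected here instead of failing inside runmqsc.
valid_tls12_cipherspec() {
    for spec in $TLS12_CIPHERSPECS; do
        [ "$1" = "$spec" ] && return 0
    done
    return 1
}

# MQSC for the CLNTCONN entry. Arguments: channel, host, port, CipherSpec.
# QMNAME is left blank to match an MQCONNX call whose first parameter is "".
ccdt_mqsc() {
    valid_tls12_cipherspec "$4" || { echo "rejected CipherSpec: $4" >&2; return 1; }
    printf "DEFINE CHANNEL(%s) CHLTYPE(CLNTCONN) TRPTYPE(TCP) CONNAME('%s(%s)') SSLCIPH(%s) QMNAME(' ') REPLACE\n" \
        "$1" "$2" "$3" "$4"
}

# Write the CCDT. runmqsc -n edits the table named by MQCHLLIB/MQCHLTAB and
# never connects to a queue manager. Arguments: dir, table, channel, host, port, CipherSpec.
build_ccdt() {
    export MQCHLLIB="$1" MQCHLTAB="$2"
    mkdir -p "$MQCHLLIB"
    ccdt_mqsc "$3" "$4" "$5" "$6" | runmqsc -n
}

# Client key repository: a CMS .kdb with a stash file, the CA that signed the
# queue manager's certificate, and a CSR for the client's own certificate. The
# label must be the one the client presents: ibmwebspheremq<lower-case user id>
# by default, or the CertificateLabel you configure on MQ V8 and later.
# Arguments: repository path without extension, password, label, CA cert (PEM).
create_key_repository() {
    runmqakm -keydb -create -db "$1.kdb" -pw "$2" -type cms -stash
    runmqakm -cert -add -db "$1.kdb" -pw "$2" -label mq-ca -file "$4" -format ascii
    runmqakm -certreq -create -db "$1.kdb" -pw "$2" -label "$3" \
        -dn "CN=$3,O=Example" -size 2048 -sig_alg SHA256WithRSA -file "$1.csr"
    chmod 600 "$1.kdb" "$1.sth"   # whoever can read the stash file can open the repository
}

# Once the CA returns the signed certificate, import it against the CSR above.
# Arguments: repository path without extension, password, signed cert (PEM).
receive_signed_cert() {
    runmqakm -cert -receive -db "$1.kdb" -pw "$2" -file "$3" -format ascii
}

main() {
    build_ccdt /var/mqm/ccdt AZURE.TAB TO.AZURE azure.machine.com 1515 ECDHE_RSA_AES_256_GCM_SHA384
    create_key_repository /var/mqm/ssl/client 'change-me' \
        "ibmwebspheremq$(id -un | tr 'A-Z' 'a-z')" /tmp/ca.pem
    # receive_signed_cert /var/mqm/ssl/client 'change-me' /tmp/client-signed.pem
    # The client process then needs, besides MQCHLLIB/MQCHLTAB, the repository
    # path without its .kdb extension:
    export MQSSLKEYR=/var/mqm/ssl/client
}

# Only touch the MQ tools when they are installed; the validation and MQSC
# generation above can be exercised on any machine.
if command -v runmqsc >/dev/null 2>&1 && command -v runmqakm >/dev/null 2>&1; then
    main
else
    echo "IBM MQ client tools not found; nothing was run" >&2
fi
```

MQSSLKEYR is one of three equivalent ways to name the repository; the others are SSLKeyRepository in the SSL stanza of mqclient.ini and MQSCO.KeyRepository passed through MQCNO.SSLConfigPtr (which is why the code in the thread needs MQCNO_VERSION_4 if it goes that route). The queue manager's SVRCONN must carry the same SSLCIPH, and SSLCAUTH(REQUIRED) on that channel is what makes the client certificate mandatory; with SSLCAUTH(OPTIONAL) the repository only needs the CA certificate.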
hughson
Posted: Mon Mar 04, 2019 1:37 am    Post subject:
Padawan
Joined: 09 May 2013  Posts: 1959  Location: Bay of Plenty, New Zealand