This post provides instructions for configuring the Forum Sentry XML Security Gateway to securely connect to an IBM MQ instance using SSL.
The procedures outlined below utilize Forum Sentry v7.3 and IBM MQ v7.0 (though the steps to configure MQ v6.0 should be similar). This guide also assumes the reader is familiar with IBM MQ administration.
Configuring IBM MQ 7 for SSL
==============================
- Use the IBM Key Management tool to create a self-signed keypair, or import an existing SSL server keypair, using the label "ibmwebspheremq" followed by the queue manager name in lowercase. For example, if your queue manager is "QM_TestMQ7_Server27" then your label would be "ibmwebspheremqqm_testmq7_server27". Note that the queue manager name portion must be lowercase.
- Import any root CA/intermediary certificates necessary for client certificate validation into the MQ keystore.
- Save the keystore file under the ssl directory for the QM (on Windows: C:\Program Files\IBM\WebSphere MQ\qmgrs\QM_TestMQ7_Server27\ssl\) as key.kdb in CMS format, and then stash the password (File menu -> Stash password).
- Within MQ Explorer, on your running Queue Manager, verify that the SSL key repository points to the key file (right-click the QM, select Properties, select SSL). Note that the .kdb extension is left off the path.
- Under the Advanced/Channels folder on the QM, create a new Server-connection channel (example name: S_TestMQ7_Server27).
- Edit the SSL section of the newly created server-connection channel's properties. Select the SSL CipherSpec you want to use; this must match the setting you use in Forum Sentry. The 'Authentication of parties initiating connection' setting is optional and can be set to 'Required' if you plan to present client authentication certificates from Forum Sentry.
- Apply the changes.
Note: It may be necessary to restart the QM, but only do this after you've configured Forum Sentry following the steps below and are still unable to connect or retrieve messages.
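The MQ-side steps above are shown through the IBM Key Management GUI and MQ Explorer. The following script is an added example, not part of the original post, that performs the same steps with the IBM MQ command-line tools: it derives the certificate label from the queue manager name, creates and stashes the CMS key database, and issues the MQSC commands that point the queue manager at the repository and define the SSL server-connection channel. It assumes runmqakm (runmqckm on older MQ 7.0 installs with GSKit 7) and runmqsc are on PATH, a Unix-style install path under /var/mqm (override SSL_DIR for Windows), a placeholder key database password, and the CipherSpec TLS_RSA_WITH_AES_128_CBC_SHA, which must be whatever CipherSpec your MQ level supports and Forum Sentry is configured with. The REFRESH SECURITY TYPE(SSL) command makes the queue manager re-read the key repository, which often avoids the restart mentioned in the note.

```shell
#!/bin/sh
# Added example (not from the original post): scripted equivalent of the
# "Configuring IBM MQ 7 for SSL" steps using runmqakm and runmqsc.
set -eu

QMGR="${QMGR:-QM_TestMQ7_Server27}"            # queue manager name from the post
CHANNEL="${CHANNEL:-S_TestMQ7_Server27}"       # server-connection channel from the post
SSL_DIR="${SSL_DIR:-/var/mqm/qmgrs/$QMGR/ssl}" # assumed Unix path; Windows differs
KDB_PASS="${KDB_PASS:-CHANGE_ME}"              # placeholder, supply a real password
CIPHER="${CIPHER:-TLS_RSA_WITH_AES_128_CBC_SHA}" # assumed; must match Forum Sentry
SSLCAUTH="${SSLCAUTH:-REQUIRED}"               # REQUIRED = demand Sentry's client cert

# MQ looks for the server certificate under the label
# "ibmwebspheremq" + queue manager name in lowercase.
mq_cert_label() {
    printf 'ibmwebspheremq%s\n' "$1" | tr '[:upper:]' '[:lower:]'
}

# SSLKEYR is the key database path without the .kdb extension.
mq_sslkeyr() {
    printf '%s\n' "${1%.kdb}"
}

# Create key.kdb in CMS format, stash the password, and generate a
# self-signed certificate under the expected label.
create_key_repository() {
    kdb="$SSL_DIR/key.kdb"
    runmqakm -keydb -create -db "$kdb" -pw "$KDB_PASS" -type cms -stash
    runmqakm -cert -create -db "$kdb" -pw "$KDB_PASS" \
        -label "$(mq_cert_label "$QMGR")" -dn "CN=$QMGR,O=Example" \
        -size 2048 -x509version 3 -expire 365
}

# Add a CA or intermediate certificate (PEM) so client certificates can be validated.
add_trusted_cert() {   # usage: add_trusted_cert label file.pem
    runmqakm -cert -add -db "$SSL_DIR/key.kdb" -pw "$KDB_PASS" -label "$1" -file "$2"
}

# MQSC that points the queue manager at the repository, defines the SSL
# server-connection channel, and reloads SSL configuration without a restart.
mqsc_script() {
    cat <<EOF
ALTER QMGR SSLKEYR('$(mq_sslkeyr "$SSL_DIR/key.kdb")')
DEFINE CHANNEL($CHANNEL) CHLTYPE(SVRCONN) TRPTYPE(TCP) +
       SSLCIPH($CIPHER) SSLCAUTH($SSLCAUTH) REPLACE
REFRESH SECURITY TYPE(SSL)
DISPLAY CHANNEL($CHANNEL) SSLCIPH SSLCAUTH
EOF
}

configure_channel() {
    mqsc_script | runmqsc "$QMGR"
}

# Only touch a live queue manager when explicitly asked:  ./mqssl.sh run
if [ "${1:-}" = "run" ]; then
    create_key_repository
    configure_channel
fi
```

Run it as `QMGR=QM_TestMQ7_Server27 KDB_PASS=... ./mqssl.sh run` on the MQ host; invoking `mqsc_script` alone prints the MQSC for review before anything is changed.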
Configuring Forum Sentry
==============================
- Import any root CA/intermediary certificates necessary to verify the certificate installed on the IBM MQ instance. Note: If using a self-signed certificate on MQ, export the certificate from the IBM Key Management tool and import it into Sentry as the root (CA) certificate.
- Create a Signer Group containing the root CA and intermediary certificates necessary to verify your MQ server's SSL certificate.
- Create an SSL Initiation policy that references the Signer Group created in the previous step. Note: Enable the "Ignore Server Hostname Verification" option if the certificate is not issued for the correct hostname of the MQ server.
- Create a new MQ Listener or Remote policy, enable SSL, and associate the SSL Initiation policy created in the previous step. Note: Use the same SSL CipherSpec that the MQ channel is using.
- Configure the remainder of the MQ Listener / Remote policy settings according to your environment.
The MQ Listener / Remote policy on Forum Sentry should now be able to communicate with the MQ instance using SSL. If there are problems, the first troubleshooting step should be to restart the QM.
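Before restarting the queue manager, it is worth confirming that the trust material the Sentry policy relies on actually validates the MQ endpoint. The following script is an added example, not part of the original post or of Forum Sentry, that performs a TLS handshake against the MQ listener with the same CA certificate that was imported into the Signer Group, reports OpenSSL's chain verification result, and compares the certificate's CN with the hostname Sentry will connect to, so you know in advance whether "Ignore Server Hostname Verification" is needed. It assumes openssl is installed, that the MQ listener accepts a TLS handshake on its port, and that the host, port and CA file are supplied on the command line; an MQ 7.0 queue manager may only offer older protocol versions, so a modern OpenSSL build may need additional options to negotiate with it.

```shell
#!/bin/sh
# Added example (not from the original post): check the CA chain and hostname
# that Forum Sentry's SSL Initiation policy will validate against the MQ server.
set -eu

# Extract the CN from an openssl "subject=" line. Handles both the old
# "subject=/C=US/CN=mqhost" and the newer "subject=C = US, CN = mqhost" layouts.
subject_cn() {
    printf '%s\n' "$1" | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p' | sed 's/ *$//'
}

# Does the certificate CN match the hostname Sentry connects to?
# Accepts an exact match or a single-label wildcard (*.example.test).
cn_matches_host() {
    cn="$1"; host="$2"
    if [ "$cn" = "$host" ]; then
        return 0
    fi
    case "$cn" in
        \*.*)
            # *.example.test matches mq.example.test but not example.test
            if [ "$host" != "${host#*.}" ] && [ "${host#*.}" = "${cn#\*.}" ]; then
                return 0
            fi
            ;;
    esac
    return 1
}

# Handshake with the MQ listener using the CA file imported into the Signer Group.
check_mq_tls() {   # usage: check_mq_tls host port ca.pem
    out=$(openssl s_client -connect "$1:$2" -CAfile "$3" </dev/null 2>/dev/null) || true
    # "Verify return code: 0 (ok)" means the chain validates with this CA file.
    printf '%s\n' "$out" | grep 'Verify return code' | head -n 1
    cn=$(subject_cn "$(printf '%s\n' "$out" | grep '^subject=' | head -n 1)")
    if cn_matches_host "$cn" "$1"; then
        echo "certificate CN '$cn' matches $1"
    else
        echo "certificate CN '$cn' does not match $1:" \
             "fix the certificate or enable Ignore Server Hostname Verification"
    fi
}

# Only contact the MQ host when asked:  ./mqtlscheck.sh check mqhost 1414 ca.pem
if [ "${1:-}" = "check" ]; then
    check_mq_tls "$2" "$3" "$4"
fi
```

A non-zero verify return code means the Signer Group is missing a CA or intermediate certificate (or, for a self-signed MQ certificate, the exported certificate itself); a CN mismatch is the case the "Ignore Server Hostname Verification" option exists for.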