A couple of fixpacks ago I tested to connect to a remote queue manager sing a SSL configured server connection channel. Then things didn’t work out that well, but now a couple of refresh/fixpacks later everything wors much better.
To start with I must say that I don’t really fancy the way SSL is enabled from the WMQ Explorer point of view. The keystore parts of the configuration is ok but to connect to a queue manager using SSL you need to provide the WMQ Explorer with client channel definition table (CCDT).
For those of you not familiar with CCDT: it’s basically a binary format where an MQ server can store it’s client connections. Client connections in turn is data needed to connect to a queue manager in a client mode (includes parameters as connection, ssl etc). The CCDT file can be distributed to clients who can use it as the basis for their connection. As the CCDT file is binary there is no easy way to create it by hand. Running runmqsc on a WebSphere MQ server box will make it possible to create the CCDT but that is a bit heavy-weight in my opinion. The best aproach I’ve found so far is to use the MO72: MQSC Client for WebSphere MQ support pack by Paul Clarke.
MO72 has the follwing features (among others):
- Running mqsc on remote queue managers (inclusing WebSphere MQ security using SSL)
- Creating/altering/deleting client connections
- Can use the configuration file of the MO71 support pack
To create a CCDT from scratch using MO72 run the following command:
mqsc -n -t c:\AMQCLCHL.TAB
to add a client connection channel issue a define script:
DEFINE CHANNEL('CLIENTS.ADMIN') CHLTYPE(CLNTCONN) CONNAME('22.214.171.124(1414)') MAXMSGL(104857600) QMNAME('QM1') SSLCIPH('NULL_SHA') TRPTYPE(TCP) REPLACE
This CCDT assumes that there are a server connection channel named CLIENTS.ADMIN defined in the queue manager listening on port 1414 and host 126.96.36.199 with the rest of the properties in the client connection channel also defined in the server connection channel.
To gain access to the remote queue manager using SSL:
- The key and truststores need to be configured (Window -> Preferences -> WebSphere MQ Explorer -> SSL Client Certificate Stores)
- Add the queue manager
- Right-click on Queue Managers -> Select “Show Hide Queue Managers” -> Click Add
- Choose “Connect” and fill in the name of the queue manager, click Next
- Choose “Use client channel definition table, and browse for the CCDT file, click Finish
Mission accomplished, SSL now works as a charm.
But why was this implemented using CCDT’s? I can’t see any reason really. I would like to see something like a custom SSLSocketFactory implemented in WebSphere MQ Explorer making it possible to use multiple key and trust stores and easier configuration on top of that. An example of an custom SSLSocketFactory was published by Peter Broadhurst on the a Hursley view on WebSphere MQ blog a couple of months ago.
Perhaps I’ll send in a proposal/requirement to get this configuration more simple and understandable.