MQ Internet pass-thru


MQ internet pass-through = MQIPT, MS81


MQIPT is a WebSphere MQ base product extension that can be used to implement messaging solutions between remote sites across the internet. It makes the passage of WebSphere MQ channel protocols into and out of a firewall simpler and more manageable, by tunnelling the protocols inside HTTP or by acting as a proxy. MQIPT has an Administration graphical user interface (GUI) for managing one or more MQIPT servers.

Used as a proxy, MQIPT is placed in the De-Militarized Zone (DMZ) on an Internet firewall and relays WebSphere MQ protocol flows from a WebSphere MQ client or Queue Manager on the external Internet, to a destination Queue Manager inside the firewall. This enables inbound WebSphere MQ communication through the firewall from an address which is in the secure DMZ, which is likely to be more acceptable to firewall administrators than an arbitrary external Internet address.

Placing a pair of MQIPT servers in the path of a WebSphere MQ channel connection enables HTTP wrappers to be added to the protocol flow - which enables the WebSphere MQ connection to pass inbound through an HTTP application firewall, or outbound through an HTTP proxy. A pair of MQIPT servers can also be used to encrypt all data flows, using SSL.

MQIPT can also act as a concentrator of WebSphere MQ connections, which simplifies firewall configuration when multiple WebSphere MQ clients or Queue Managers require access through an Internet firewall.

MQIPT can be configured to act as a SOCKS client or SOCKS server, for making outbound connections. The Administration GUI can also use a SOCKS proxy to connect to an MQIPT server.

MQIPT can be used with the IBM Network Dispatcher, to provide enhanced availability and load balancing across many servers.


Installation and configuration (AIX)

Software requirements: Java JRE v1.5

MQ clients <<- - ->> [ MQIPT ] <<- - ->> QM1 / QM2 / QM3

mqm@lope:/home/soft/mqipt> dir
-rw-r----- 1 mqm mqm 4833280 Jan 30 13:20 ms81_aix.tar

Log in as root, uncompress and unpack ms81_aix.tar into a temporary directory. Run the installp command, as in this example:

tar xvf ms81_aix.tar
-rw-r--r-- 1 root system 4824064 Jul 24 2008 mqipt
installp -d . -a mqipt

root@lope:/home/soft/mqipt> installp -d . -a mqipt
+-----------------------------------------------------------------------------+
                    Pre-installation Verification...
+-----------------------------------------------------------------------------+
Verifying selections...done
Verifying requisites...done
Results...

SUCCESSES
---------
  Filesets listed in this section passed pre-installation verification
  and will be installed.

  Selected Filesets
  -----------------
  mqipt 2.0.0.1                # WebSphere MQ internet pass-t...

  << End of Success Section >>

+-----------------------------------------------------------------------------+
                   BUILDDATE Verification ...
+-----------------------------------------------------------------------------+
Verifying build dates...done
FILESET STATISTICS
------------------
    1  Selected to be installed, of which:
        1  Passed pre-installation verification
  ----
    1  Total to be installed

+-----------------------------------------------------------------------------+
                         Installing Software...
+-----------------------------------------------------------------------------+

installp: APPLYING software for:
        mqipt 2.0.0.1

. . . . . << Copyright notice for mqipt >> . . . . . . .
 Licensed Materials - Property of IBM

 5639-L92
   (C) Copyright International Business Machines Corp. 2000, 2008.

 All rights reserved.
 US Government Users Restricted Rights - Use, duplication or disclosure
 restricted by GSA ADP Schedule Contract with IBM Corp.
. . . . . << End of copyright notice for mqipt >>. . . .

Finished processing all filesets. (Total time: 2 secs).

+-----------------------------------------------------------------------------+
                                Summaries:
+-----------------------------------------------------------------------------+

Installation Summary
--------------------
Name                        Level           Part        Event       Result
-------------------------------------------------------------------------------
mqipt                       2.0.0.1         USR         APPLY       SUCCESS
root@lope:/home/soft/mqipt>

Setting up internet pass-thru

Before starting MQIPT for the first time, copy the sample configuration file, mqiptSample.conf, to mqipt.conf, at /home/mqm/mqipt/

Starting internet pass-thru from the command line

By default, MQIPT is installed in the directory usr/opt/mqipt, with executable scripts in usr/opt/mqipt/bin. MQIPT also uses a home directory, which contains the configuration script file mqipt.conf and any files that are output by MQIPT when it is running. You can use usr/opt/mqipt as a home directory, but if you do, you must ensure that the userid under which MQIPT runs has write permissions for that directory.

To start MQIPT, enter the following command:

usr/opt/mqipt/bin/mqipt <home directory>

Running the mqipt script without any options uses the current directory as the home directory.

mqm@lope:/home/mqm/mqipt> ./engega_ipt.sh
Engegar el Internet Pass Through.
5639-L92 (C) Copyright IBM Corp. 2000, 2008 All Rights Reserved
MQCPI001 IBM WebSphere MQ internet pass-thru V2.0.0.1 starting
MQCPI004 Reading configuration information from mqipt.conf
MQCPI021 Password checking has been enabled on the command port
MQCPI008 Listening for control commands on port 1881
MQCPI011 The path /home/mqm/mqipt/logs will be used to store the log files
MQCPI006 Route 1417 is starting and will forward messages to :
MQCPI034 ....mqipt.company1.com(1415)
MQCPI035 ....using HTTP
MQCPI024 ....and HTTP proxy at proxy.company1.com(8081)
MQCPI078 Route 1417 ready for connection requests
MQCPI006 Route 1416 is starting and will forward messages to :
MQCPI034 ....mqserver.company1.com(1415)
MQCPI035 ....using MQ protocols
MQCPI037 ....SSL Server side enabled with properties :
MQCPI031 ......cipher suites SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5
MQCPI032 ......keyring file /opt/mqipt/ssl/sslSample.pfx
MQCPI047 ......CA keyring file <NULL>
MQCPI071 ......site certificate uses CN=* O=* OU=* L=* ST=* C=*
MQCPI038 ......peer certificate uses CN=*Blake O=IBM* OU=* L=* ST=* C=*
MQCPI033 ......client authentication set to true
MQCPI005 Listener port specified as not active - 1416 -> mqserver.company1.com(1415)
MQCPI006 Route 1415 is starting and will forward messages to :
MQCPI034 ....mqipt.company2.com(1414)
MQCPI035 ....using MQ protocols
MQCPI036 ....SSL Client side enabled with properties :
MQCPI031 ......cipher suites SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5
MQCPI032 ......keyring file c:\\mqipt\\ssl\\sslSample.pfx
MQCPI047 ......CA keyring file <NULL>
MQCPI071 ......site certificate uses CN=* O=* OU=* L=* ST=* C=*
MQCPI038 ......peer certificate uses CN=* O=IBM* OU=* L=* ST=* C=*
MQCPI006 Route 1414 is starting and will forward messages to :
MQCPI034 ....mqserver.company2.com(1416)
MQCPI035 ....using MQ protocols
MQCPI078 Route 1415 ready for connection requests
MQCPI078 Route 1414 ready for connection requests

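
The startup messages above state, route by route, whether SSL is enabled and which cipher suites are offered, so they can be checked mechanically before a route is exposed through the firewall. The following Python sketch is an added example, not part of the original page or of MQIPT; it assumes the message layout shown in the log above, and the WEAK_MARKERS substring list is a heuristic chosen here to spot export-grade or obsolete suites.

```python
import re

# Excerpt of the startup log above (routes 1416 and 1414), embedded as sample input.
SAMPLE_LOG = """\
MQCPI006 Route 1416 is starting and will forward messages to :
MQCPI034 ....mqserver.company1.com(1415)
MQCPI037 ....SSL Server side enabled with properties :
MQCPI031 ......cipher suites SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5
MQCPI006 Route 1414 is starting and will forward messages to :
MQCPI034 ....mqserver.company2.com(1416)
MQCPI035 ....using MQ protocols
MQCPI078 Route 1414 ready for connection requests
"""

# Assumed heuristic: substrings marking export-grade or obsolete suites.
WEAK_MARKERS = ("EXPORT", "_40_", "RC2", "RC4", "_DES_", "MD5", "NULL")

def parse_routes(log_text):
    """Group MQCPI detail lines under the preceding MQCPI006 route header."""
    routes, current = {}, None
    for line in log_text.splitlines():
        m = re.match(r"(MQCPI\d{3})\s+(.*)", line.strip())
        code, text = m.groups() if m else (None, "")
        if code == "MQCPI006":
            port = int(re.search(r"Route (\d+)", text).group(1))
            current = routes.setdefault(port, {"dest": None, "ssl": set(), "suites": []})
        elif current is None:
            continue  # detail line seen before any route header
        elif code == "MQCPI034":
            current["dest"] = text.lstrip(".")
        elif code in ("MQCPI036", "MQCPI037"):
            current["ssl"].add("client" if code == "MQCPI036" else "server")
        elif code == "MQCPI031":
            current["suites"] += text.split("cipher suites", 1)[1].split()
    return routes

def audit(routes):
    """Return (listener_port, finding) pairs for plaintext or weak-cipher routes."""
    findings = []
    for port, r in sorted(routes.items()):
        if not r["ssl"]:
            findings.append((port, f"no SSL towards {r['dest']}"))
        for suite in r["suites"]:
            if any(marker in suite for marker in WEAK_MARKERS):
                findings.append((port, f"weak cipher suite {suite}"))
    return findings

for port, finding in audit(parse_routes(SAMPLE_LOG)):
    print(f"route {port}: {finding}")
```

Run over the full log above, it reports all four routes: 1414 and 1417 carry no SSL, while 1415 and 1416 use the 40-bit export suite from the sample configuration.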
Problem determination

There are some common pitfalls to check first if you encounter a problem:

Tracing errors

MQIPT provides a detailed execution trace facility, which is controlled by the trace attribute. Trace files are written to the xxx\errors directory, where xxx is the directory containing mqipt.conf.


Links

Homepage

Support Pack

MQ Security [publib].


Updated on 21/02/2009.