Connecting to a secured IBM MQ queue manager
You can configure a connection to a secured local or remote IBM® MQ queue manager by setting properties on an MQ node or in an MQEndpoint policy.
Before you begin
- Read the topic Configuring connections to IBM MQ.
- Ensure that the required queue manager has been created on the IBM MQ server.
- Ensure that the user ID that is running the integration node has the necessary permissions to access the queue manager.
About this task
When you configure an MQ connection from an MQ node to an IBM MQ queue manager, you can optionally configure the connection to use a security identity for authentication, SSL for confidentiality, or both. The security identity, which passes user name and password security credentials to the queue manager, can be used on connections to local or remote queue managers. For connections to remote queue managers, you can choose whether to use the SSL protocol to provide confidentiality on the client connection. IBM App Connect Enterprise supports a subset of the SSL functionality that is supported by IBM MQ.
You can use the Security identity property on the MQ node or MQEndpoint policy to pass a user name and password to the queue manager, by specifying a security identity that contains those credentials. The identity is defined using the mqsisetdbparms command.
You can specify that the SSL protocol is to be used when a client connection is made to a remote queue manager, by selecting the Use SSL property on the MQ node or MQEndpoint policy. You can use SSL for client connections that are configured using either the MQ client connection properties or a client channel definition table (CCDT). If you specify SSL on the client connection, you must also specify the location of the SSL key repository. The SSL key repository is created by using the IBM MQ GSKit, and it holds the required private and public certificates appropriate to the chosen certificate policy for the queue manager. The SSL key repository password stash file (key repository file name.sth), which is created using IBM MQ GSKit, must be located in the same folder as the key repository.
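The key repository layout described above can be verified before a flow is deployed. The following preflight check is an added example, not IBM's code; the function name check_mq_keyrepo, the assumption that the repository is a .kdb file, and the world-readable check are choices made for this example and are not stated on this page.

```shell
#!/bin/sh
# Preflight check for an MQ client SSL key repository (added example).
# Usage: check_mq_keyrepo /path/to/key.kdb
# Returns 0 when every check passes, 1 otherwise.
check_mq_keyrepo() {
    kdb=$1
    rc=0
    case $kdb in
        *.kdb) ;;
        *) echo "FAIL: expected a path ending in .kdb: $kdb" >&2
           return 1 ;;
    esac
    # The stash file must share the repository's folder and base name.
    sth="${kdb%.kdb}.sth"
    for f in "$kdb" "$sth"; do
        if [ ! -f "$f" ]; then
            echo "FAIL: missing $f" >&2
            rc=1
        elif [ ! -r "$f" ]; then
            # The user ID running the integration node must be able to read both.
            echo "FAIL: $f is not readable by $(id -un)" >&2
            rc=1
        elif [ -n "$(find "$f" -prune -perm -004)" ]; then
            # Assumption of this example (hardening, not from the page):
            # the stash file lets any reader of both files open the
            # repository, so neither file should be world-readable.
            echo "FAIL: $f is world-readable" >&2
            rc=1
        fi
    done
    [ "$rc" -eq 0 ] && echo "OK: $kdb and $sth are in place"
    return "$rc"
}
```

Run it as the user ID that runs the integration node, so that the readability check reflects the permissions the node will actually have.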
You can use the SSL certificate label property in the MQEndpoint policy to specify the label of the certificate to be used when establishing the SSL client connection to the queue manager. If no value is supplied, the certificate with the MQ default label of ibmwebspheremquser_id is used, where user_id is the user identifier of the integration server. When multiple MQ SSL certificates are used by the same integration server, the MQ SVRCONN channel must be configured with a SHARECNV value of either 0 or 1, to ensure that the correct certificate is used for the channel.
- MQInput
- MQOutput
- MQGet
- MQReply
Procedure
Follow these steps to complete the configuration of the integration server:
Follow these steps to complete the required connection configuration in the MQ node or MQEndpoint policy:
What to do next
The MQInput node attempts to connect to the queue manager when the flow is deployed and started. The MQOutput, MQGet, and MQReply nodes attempt to connect when the first message is sent or received. If any connection problems occur, see the IBM MQ product documentation for information about any mqrc return code values that are reported in the IBM App Connect Enterprise BIP messages.
If you later decide that you want to control connection properties by using an MQEndpoint policy, you can attach a policy to the message flow node. Property values that are set on the MQ Connection tab are ignored when a policy is attached to the message flow node.