External Integrations to IBM MQ

IBM® MQ-based integration is supported by IBM to integrate Sterling Order Management System with any external third-party system.

About this task

Important: If you are using the containerized developer toolkit, this process is fully automated. You can use the Java™ Client tool to test the IBM Sterling Order Management System MQ queues over SSL. For more information, see Using Java Client tool to test MQ queues over SSL.

Access to the MQ server within the Sterling Order Management System environment is configured to use mutual authentication. The MQ server presents a DigiCert-signed CA certificate and requires client authentication: the client must present its own certificate during the TLS handshake, and each side validates the other's certificate before any MQ traffic flows. A client that only trusts the server certificate, but has no client certificate of its own, is rejected at the handshake.

To connect to the MQ server with any client for an external integration, you must configure the client with an SSL/TLS client certificate that is generated through Self Service, and the client must trust the DigiCert root that signed the server certificate.

Note: Use MQ client version 9.2.1 (CD) or later, or a 9.0.x (LTS) version. MQ client versions 9.1.x and 9.2.0 have SSL handshake issues with SNI and must not be used.


Procedure

  1. Download the DigiCert High Assurance EV Root CA certificate in PEM format from DigiCert Trusted Root Authority Certificates. Open the link by using the Google Chrome or Internet Explorer browser.
  2. Add the downloaded PEM certificate to the truststore of the application that connects to the MQ server. The truststore is created if it does not exist:
    keytool -import -noprompt -trustcacerts -alias ibmwebspheremq_om_qmgr -file <path to the pem certificate>
    -keystore <path to truststore>\truststore.jks -storepass <password of your choice>
  3. Obtain the client certificate for MQ from Self Service. For more information, see Generating inbound certificates.
  4. Install this certificate into the personal certificate store of the MQ client. Import the PKCS#12 bundle (certificate and private key) into a Java keystore by using the following command; keytool prompts for the source and destination store passwords:
    keytool -importkeystore -srckeystore cert-bundle-binary.p12 -srcstoretype pkcs12
    -destkeystore <path to the keystore>\keystore.jks -deststoretype jks
  5. Add both the truststore and the keystore to the application that connects to MQ. For Java-based clients this is typically done through the javax.net.ssl.trustStore and javax.net.ssl.keyStore system properties (with their password properties), or by building an SSLSocketFactory from the two stores in code.

What to do next

Use the following information to complete the connection:
  • Cipher: MQ server runs with ANY_TLS1.2_OR_HIGHER. The ciphers that are included in ANY_TLS1.2_OR_HIGHER are:
    • ECDHE_RSA_AES_128_GCM_SHA256
    • ECDHE_RSA_AES_256_GCM_SHA384
    • TLS_RSA_WITH_AES_256_GCM_SHA384
    • ECDHE_ECDSA_AES_128_GCM_SHA256
    • ECDHE_ECDSA_AES_256_GCM_SHA384
    • TLS_AES_128_GCM_SHA256
    • TLS_AES_256_GCM_SHA384
    • TLS_CHACHA20_POLY1305_SHA256
    • TLS_AES_128_CCM_SHA256

    You can use any cipher from this list to connect to MQ. For the cipher chosen, find the equivalent cipher suite for your Java from TLS CipherSpecs and CipherSuites in IBM MQ classes for JMS. Prefer an ECDHE or TLS 1.3 suite: TLS_RSA_WITH_AES_256_GCM_SHA384 uses static RSA key exchange and provides no forward secrecy, and the TLS 1.3 suites (TLS_AES_*, TLS_CHACHA20_POLY1305_SHA256) can only be negotiated by a JRE and MQ client level that support TLS 1.3.

    For example, if the client software supports ECDHE_RSA_AES_128_GCM_SHA256, the compatible cipher suite name for the IBM JRE is SSL_ECDHE_RSA_WITH_AES_128_GCM_SHA256 and for the Oracle JRE it is TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256.

  • Queue Manager name: OM_QMGR
  • CHANNEL: SYSTEM.TLS.SVRCONN
  • Hostname: <tenant_code>-<env>-<envno>-mq.oms.supply-chain.ibm.com. For example, if the tenant code is betap, the development environment host is betap-dev-1-mq.oms.supply-chain.ibm.com. The server certificate is issued for this host name, so the client must connect by name (not by IP address) and send it as the SNI value.
  • Port: 15443

    Additional arguments

    With MQ client version 9.2.1 (CD) and later, use the following JVM argument for Java-based clients or tools so that the client sends the host name as the TLS SNI value:
    -Dcom.ibm.mq.cfg.SSL.outboundSNI=HOSTNAME
    If the third-party client or tool is C or .NET (unmanaged), set OutboundSNI=HOSTNAME in the SSL stanza of the mqclient.ini file. This attribute is read by C, unmanaged .NET, IBM MQ classes for Java, and IBM MQ classes for JMS clients only.
    Note: If you are using the Oracle JDK (or another non-IBM JRE), also pass the following JVM argument so that the Oracle-style cipher suite names are accepted:
    -Dcom.ibm.mq.cfg.useIBMCipherMappings=false
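The following Java program ties the procedure above together: it loads the truststore and keystore built in steps 2 and 4, builds a TLS 1.2 SSLSocketFactory from them, applies the two JVM settings from "Additional arguments", and opens a JMS connection to the queue manager with the host, port, channel and queue manager name listed under "What to do next". It is an added example, not code from the original page or from IBM; the host name uses the betap tenant from the page, the store file names and passwords are passed on the command line, and the queue name SOME.TEST.QUEUE used for the round-trip smoke test is an assumed placeholder that must be replaced with a real queue on OM_QMGR.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import javax.jms.JMSContext;
import javax.jms.Message;
import javax.jms.Queue;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManagerFactory;
import com.ibm.mq.jms.MQConnectionFactory;
import com.ibm.msg.client.wmq.WMQConstants;

/** Mutual-TLS smoke test against the Sterling OMS queue manager (added example). */
public final class OmsMqTlsClient {
    // Values from "What to do next"; the tenant/env/envno part of the host is the page's betap example.
    static final String HOST = "betap-dev-1-mq.oms.supply-chain.ibm.com";
    static final int PORT = 15443;
    static final String QMGR = "OM_QMGR";
    static final String CHANNEL = "SYSTEM.TLS.SVRCONN";
    // MQ CipherSpec ECDHE_RSA_AES_128_GCM_SHA256 expressed as the Oracle/OpenJDK suite name.
    // With useIBMCipherMappings=false this name is used on any JRE.
    static final String CIPHER_SUITE = "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256";

    /** Builds a socket factory that presents the client certificate and trusts only the imported DigiCert root. */
    static SSLSocketFactory buildSocketFactory(String keystorePath, char[] keystorePass,
                                               String truststorePath, char[] truststorePass) throws Exception {
        // keystore.jks: the PKCS#12 bundle from Self Service, imported in step 4.
        KeyStore ks = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(keystorePath)) { ks.load(in, keystorePass); }
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(ks, keystorePass);

        // truststore.jks: the DigiCert High Assurance EV Root CA imported in step 2.
        KeyStore ts = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(truststorePath)) { ts.load(in, truststorePass); }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ts);

        // The queue manager runs ANY_TLS1.2_OR_HIGHER, so TLS 1.2 is the floor for the client as well.
        SSLContext ctx = SSLContext.getInstance("TLSv1.2");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx.getSocketFactory();
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 2) {
            System.err.println("usage: OmsMqTlsClient <keystore password> <truststore password>");
            System.exit(2);
        }
        // Same effect as the -D JVM arguments under "Additional arguments". They are set here, before
        // any MQ class is touched, so that the example runs without extra command-line flags.
        System.setProperty("com.ibm.mq.cfg.SSL.outboundSNI", "HOSTNAME");
        System.setProperty("com.ibm.mq.cfg.useIBMCipherMappings", "false");

        SSLSocketFactory socketFactory = buildSocketFactory(
                "keystore.jks", args[0].toCharArray(), "truststore.jks", args[1].toCharArray());

        MQConnectionFactory cf = new MQConnectionFactory();
        cf.setTransportType(WMQConstants.WMQ_CM_CLIENT);
        cf.setHostName(HOST);
        cf.setPort(PORT);
        cf.setQueueManager(QMGR);
        cf.setChannel(CHANNEL);
        cf.setSSLCipherSuite(CIPHER_SUITE);
        cf.setSSLSocketFactory(socketFactory);

        // createContext() performs the TLS handshake and the MQ channel start; a wrong truststore,
        // a missing client certificate or a mismatched cipher suite fails here with a JMSException.
        try (JMSContext jms = cf.createContext()) {
            System.out.println("Connected to " + QMGR + " on " + HOST + ":" + PORT + " using " + CIPHER_SUITE);
            Queue q = jms.createQueue("queue:///SOME.TEST.QUEUE"); // assumed placeholder queue name
            jms.createProducer().send(q, "mutual TLS smoke test");
            Message m = jms.createConsumer(q).receive(5000);
            System.out.println("Round trip: " + (m == null ? "no message within 5 s" : m.getBody(String.class)));
        }
    }
}
```

Compile and run with the IBM MQ classes for JMS (com.ibm.mq.allclient) and a JMS 2.0 API jar on the classpath, for example `java -cp com.ibm.mq.allclient.jar:javax.jms-api-2.0.1.jar:. OmsMqTlsClient <keystore password> <truststore password>`. Passing the two `-D` flags on the command line instead of calling `System.setProperty` is equivalent and is the safer choice in larger applications where MQ classes may already be loaded. If the handshake fails, the usual suspects are, in order: the client connecting by IP address instead of the host name (SNI and certificate name check fail), the DigiCert root missing from the truststore, the PKCS#12 import having produced a keystore without a private key entry, and a cipher suite name that does not match the JRE in use.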