CODEWITHSUNDEEP
ibm-mqpymqi
Vishnu
Vishnu

Reputation: 33

Pymqi - Connecting to IBM mq with SSL

I am able to connect to IBM mq through Pymqi using installed MQ client v9 on my Linux machine. There is requirement of connecting through SSL. How should I create key repository for two way TLS(mTLS)?

Upvotes: 2

Views: 6545

Answers (1)

richc
richc

Reputation: 402

I have configured mutual tls between a python application using PyMQI backed with the IBM MQ toolkit for MacOS (9.1.5.0) and a queue manager running on a Raspberry Pi (9.2.0.0).

I have used self-signed certificates to make it easier to illustrate an end-to-end example of a TLS configuration with MQ. This would not normally be used in a production environment; your MQ administrator will typically provide any certificates that you might need to use which are often issued by a certificate authority. Where this is the case you can skip the certificate creation steps below.

Here are the steps I took:

Initial server and Python code setup

  • Setup an IBM MQ server following this tutorial which provides the default developer configuration.

  • Pulled in the the python sample code from this tutorial and put a message to DEV.QUEUE.1 without TLS configured.

General Config

  • Created some working directories on my Mac client. 
    mkdir tlsTest
cd tlsTest
mkdir client
mkdir server

Queue Manager config

  • Create the server keystore.

    cd server

    runmqakm -keydb -create -db key.kdb -pw <password> -stash

    ls

    Check to see key.crl key.kdb key.rdb key.sth.

  • Check that the store is empty.

    runmqakm -cert -list -db key.kdb -stashed

    No certificates were found.

  • Create the server certificate and put it in the new keystore key.kdb

    runmqakm -cert -create -db key.kdb -stashed -dn "cn=qm,o=ibm,c=uk" -label ibmwebspheremq<QMName_lowerCase> -type cms

  • Check the certificate.

    runmqakm -cert -list -db key.kdb -stashed

    Certificates found
* default, - personal, ! trusted, # secret key
-    ibmwebspheremqqm1

    The '-' denotes the client's private key and personal certificate in this keystore.

  • Extract the queue manager's public key.

    runmqakm -cert -extract -label ibmwebspheremq<QMName_lowerCase> -db key.kdb -stashed -file QM.cert

  • Check to see the certificate file.

    ls

    QM.cert key.crl key.kdb key.rdb key.sth

  • Inspect the certificate.

    runmqakm -cert -details -file QM.cert -stashed

Client Config

  • Change to the client directory. 
    cd ../client
  • Create the client keystore. 
    runmqakm -keydb -create -db client.kdb -pw <password> -stash
  • Create the client certificate and put it in the new keystore client.kdb. 
    runmqakm -cert -create -db client.kdb -stashed -dn "cn=pymqi,o=test,c=uk" -label ibmwebspheremq<userName_lowercase> -type cms
  • Extract the client's public key. 
    runmqakm -cert -extract -label ibmwebspheremq<userName_lowercase> -db client.kdb -stashed -file Client.cert
  • Optionally inspect the certificate by modifying previous runmqakm -cert -list commands from the earlier server steps.

Exchange public keys

  • Populate the client's keystore with the queue manager's public key.

    runmqakm -cert -add -label ibmwebspheremq<QMName_lowerCase> -db client.kdb -stashed -file ../server/QM.cert

  • Check the certificate.

    runmqakm -cert -list -db client.kdb -stashed

    Certificates found
* default, - personal, ! trusted, # secret key
!    ibmwebspheremqqm1
-    ibmwebspheremqapp

    The '!' shows that the queue manager's public key is trusted.

  • Populate the queue manager's keystore with the client's public key.

    Change to the server directory.

    cd ../server

    runmqakm -cert -add -label ibmwebspheremq<userName_lowercase> -db key.kdb -stashed -file ../client/Client.cert

  • Check the certificates.

    runmqakm -cert -list -db key.kdb -stashed

    Certificates found
* default, - personal, ! trusted, # secret key
!    ibmwebspheremqapp
-    ibmwebspheremqqm1

Configure TLS on the Queue Manager

  • Move the key.kdb and key.sth files from the tlsTest/server directory to /var/mqm/qmgrs/ssl/QM1 directory on the queue manager's file system.

  • Modify the DEV.APP.SVRCONN channel to accept TLS 1.2 cipher suites.

    runmqsc QM1

    ALTER CHANNEL(DEV.APP.SVRCONN) CHLTYPE(SVRCONN) SSLCIPH(ANY_TLS12)

  • Refresh the queue manager's security subsystem.

    REFRESH SECURITY(*) TYPE(SSL)

TLS enabled the MQ PyMQI application

  • Add cipher spec and label into the Python app and include the sco options.

    cd.SSLCipherSpec = b'ANY_TLS12'
sco = pymqi.SCO()
#include file name but not file extension
sco.KeyRepository = b'tlsTest/client/client'
sco.CertificateLabel =b'ibmwebspheremqapp'

  • Change the qmgr.connect line to add sco options.

    qmgr.connect_with_options(queue_manager, user=b'app', password=b'<your_password>', cd=cd, sco=sco)

  • Test Python app.

Alternate configuration to use environment variables to reference label and keystore

  • Change the python app to remove label and keystore.

    #sco = pymqi.SCO()
#sco.KeyRepository = b'tlsTest/client/client'
#sco.CertificateLabel =b'ibmwebspheremqapp'
#qmgr.connect_with_options(queue_manager, user=b'app', password=b'<your_password>', cd=cd, sco=sco)
qmgr.connect_with_options(queue_manager, user=b'app', password=b'<your_password>', cd=cd)

  • Set environment variables.

    export MQSSLKEYR=tlsTest/client/client
export MQCERTLABL=ibmwebspheremqapp

  • Test Python app.

Upvotes: 8

Related Questions