IBM MQ server: Transport chain security
System security for a connection between service integration and an IBM MQ network is provided by the Transport Layer Security (TLS) and Secure Sockets Layer (SSL) protocols.
When WebSphere® Application Server uses SSL, the administrator must create an SSL repertoire, a channel and a transport chain. The transport chain must be referenced by the IBM MQ server through the server transport chain attribute, and must also be a trusted transport for the service integration bus to which the IBM MQ server belongs. The default setting is for service integration buses to trust only the SSL transport.
# Locate the transport channel service that will own the new channels
wsadmin>tcs = AdminConfig.list("TransportChannelService").splitlines()[0]
# Create the outbound TCP channel and keep its configuration ID
wsadmin>tcp = AdminConfig.create("TCPOutboundChannel", tcs, [["name", "MyWMQChain.TCP"]])
# Create the outbound SSL channel, bound to the SSL repertoire MyRepertoire
wsadmin>ssl = AdminConfig.create("SSLOutboundChannel", tcs, [["name", "MyWMQChain.SSL"],
["sslConfigAlias", "MyRepertoire"]])
# Create the outbound RMQ channel
wsadmin>rmq = AdminConfig.create("RMQOutboundChannel", tcs, [["name", "MyWMQChain.RMQ"]])
# Assemble the three channels into the enabled chain MyWMQChain
wsadmin>AdminConfig.create("Chain", tcs, [["name", "MyWMQChain"], ["enable", "true"],
["transportChannels", [rmq, ssl, tcp]]])
This example creates a transport chain suitable for connecting an IBM MQ server to IBM MQ by using SSL. The chain is called MyWMQChain, and uses an SSL repertoire called MyRepertoire.
IBM MQ uses a single cipher suite only for securing connections to a queue manager, although WebSphere Application Server SSL repertoires allow you to specify multiple cipher suites. Each cipher suite is tried sequentially until a successful connection is established, or until all the cipher suites have been tried. The most recent cipher suite that allowed a successful connection is cached for each IBM MQ server bus member, and is tried first on subsequent connection attempts.
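The following Python model of the retry and caching behavior just described is an added illustration, not IBM code. It shows how many handshake attempts a queue manager sees before a connection succeeds. The function names, the bus member names and the sample repertoire are constructed, and it assumes that a cached suite is not offered twice in one attempt and that a failed attempt leaves the cache unchanged.

```python
# Added illustration: models the cipher suite retry order described above.
# All names here are hypothetical; none of this is a WebSphere or IBM MQ API.

# Constructed sample repertoire, in configured order.
REPERTOIRE = [
    "TLS_RSA_WITH_AES_256_CBC_SHA256",
    "TLS_RSA_WITH_AES_128_CBC_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
]


def attempt_order(repertoire, cached=None):
    """Return the order in which suites are offered: the cached suite first,
    then the repertoire in configured order (assumption: no duplicates)."""
    order = []
    if cached is not None and cached in repertoire:
        order.append(cached)
    order.extend(s for s in repertoire if s not in order)
    return order


def connect(bus_member, repertoire, qmgr_suite, cache):
    """Simulate one connection from a bus member to a queue manager that
    accepts exactly one suite. Returns (connected, suites_tried)."""
    tried = []
    for suite in attempt_order(repertoire, cache.get(bus_member)):
        tried.append(suite)
        if suite == qmgr_suite:
            cache[bus_member] = suite  # remembered per bus member
            return True, tried
    return False, tried  # every suite was tried; cache left unchanged


def failed_handshakes(tried, connected):
    """Number of rejected handshakes the queue manager would log."""
    return len(tried) - 1 if connected else len(tried)


if __name__ == "__main__":
    cache = {}
    for qmgr in (REPERTOIRE[2], REPERTOIRE[2], REPERTOIRE[0]):
        ok, tried = connect("member1", REPERTOIRE, qmgr, cache)
        print(qmgr, ok, failed_handshakes(tried, ok), tried)
```

Listing only the suite that the queue manager accepts in the repertoire avoids the rejected handshakes that the model counts.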
When transport security is enabled, the transport chain used for connections to IBM MQ must be a permitted chain; otherwise, it is not possible to establish a connection to IBM MQ.