Configure Java app to use IBM MQ Cloud with TLS
How to configure Java env to use IBM MQ Cloud and TLS.
IBM MQ Cloud is IBM’s implementation of a message queue mechanism, available as a service in the cloud. This page covers how to configure it and integrate it with TLS, from the client’s perspective.
- IBM MQ and Java Developer Perspective
- Create an IBM Cloud account
- Creating a MQ Service
- Create Admin user for MQ Service
- Create a Queue Manager in the MQ Service
- Get Queue Manager details
- Get Queue Manager API Key
- Create a Certificate for secure auth
- Configure your app to connect to IBM MQ
- References
The main goal here is to cover the configuration of IBM Cloud MQ and the certificate work it requires, so that Java clients can connect and use it for dev purposes. This article does not cover the Java client’s implementation.
IBM MQ and Java Developer Perspective
IBM MQ is IBM’s implementation of a message queue mechanism. It is widely adopted in Brazilian companies, and it is very often required in order to transfer messages between different types of applications.
From the Java developer’s point of view, an IBM MQ environment is required to run tests before going to production. However, depending on the company you work for, you may have to create this test environment yourself.
One alternative is to download and install IBM MQ locally. In this case, however, one must have admin privileges (there is no such thing as a ‘portable MQ’).
The other alternative is to use IBM MQ as a service, in the cloud. This is a simpler approach in terms of prerequisites, and it is the one we’ll cover on this page.
IBM offers 10.000 msg/mo free of charge - ideal for development purposes.
Create an IBM Cloud account
Go to http://cloud.ibm.com/ and proceed with the account creation. You’ll get an IBMid, required for authentication.
Creating a MQ Service
- In the hamburger menu, select ‘Dashboard’, then click on ‘Create Resource’
- Search for ‘MQ’ in the search bar. Click on the ‘MQ’ returned option (not RabbitMQ or ActiveMQ - just “MQ”)
- In the service configuration screen
- Keep the plan as ‘Lite’ (to not be charged and for dev purposes)
- Change the service name to a more descriptive one (like ‘MQ-TEST’)
- Click ‘Create’ in order to create your MQ service
Create Admin user for MQ Service
- In the hamburger menu, click on ‘Resource List’
- In the ‘Services and Software’ section, click on the MQ-TEST service created previously. You are now in the MQ Service screen
- Select the tab ‘User Credentials’
- Click ‘Add’ and create an admin user
Create a Queue Manager in the MQ Service
- In the MQ Service screen, click the ‘Create’ button
- Fill in the settings as required and click ‘Create’ again to create your Queue Manager
Get Queue Manager details
In the Queue Service screen, click on the queue manager name in the datagrid, and then click on the ‘Administration’ tab. There you can see the Queue Manager data required for external connections, for instance:
Hostname - qmanager-123e.qm.us-south.mq.appdomain.cloud
Port - 32354
Queue Channel - CLOUD.ADMIN.SVRCONN
Activate User Identification - Yes
Compatibility Mode for user identification - No (important)
The next step is to get an API Key.
Get Queue Manager API Key
- In the queue manager screen, go to the ‘Administration’ tab
- Select ‘MQ Explorer’
- Click on the ‘Rconfigure IBM Cloud API Key’.
- Copy and save this key for later. It will be used, along with admin username, to perform authentication
And that’s it. The next step is to create a TLS certificate.
Create a Certificate for secure auth
IBM Cloud requires a certificate to accept requests.
The idea is to create a local certificate and upload it into the IBM Cloud environment. This certificate will later be used by the Java client app to perform authentication.
Create a local keystore file and convert it into a PEM file
keytool -genkey -keyalg RSA -v -keystore mykeystore.jks -alias mykeystore
keytool -importkeystore -srckeystore mykeystore.jks \
-destkeystore mykeystore.p12 \
-srcstoretype jks \
-deststoretype pkcs12
openssl pkcs12 -nodes -in mykeystore.p12 -out mykeystore.pem
(based on: Converting a Java Keystore Into PEM Format)
Create truststore file (based on the keystore)
keytool -export -alias mykeystore -keystore mykeystore.jks -rfc -file myTrustStore.cert
keytool -import -file myTrustStore.cert -alias myTrustStore -keystore myTrustStore.jks
keytool -importkeystore -srckeystore myTrustStore.jks \
-destkeystore myTrustStore.p12 \
-srcstoretype jks \
-deststoretype pkcs12
openssl pkcs12 -nodes -in myTrustStore.p12 -out myTrustStore.pem
Upload the keystore file into IBM Cloud Queue Manager
- Go to the Queue Manager screen
- Go to the ‘Keystore’ tab
- Click ‘Import Certificate’
- Select your previously created PEM keystore file
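The `.pem` files produced above with `openssl pkcs12 -nodes` contain the private key unencrypted next to the certificate. The following added example (not part of the original article) shows a shell check for what a PEM file contains and a way to write a certificate-only copy; the function names and the sample file are constructed for illustration.

```shell
# Added example. make_sample_pem writes a CONSTRUCTED stand-in for the output of
# `openssl pkcs12 -nodes`; the base64 bodies are placeholders, not real key material.
make_sample_pem() {
    cat > "$1" <<'EOF'
Bag Attributes
    friendlyName: mykeystore
Key Attributes: <No Attributes>
-----BEGIN PRIVATE KEY-----
Q09OU1RSVUNURUQ=
-----END PRIVATE KEY-----
Bag Attributes
    friendlyName: mykeystore
subject=CN = constructed-example
issuer=CN = constructed-example
-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQ=
-----END CERTIFICATE-----
EOF
}

# Print the type of every PEM block in FILE, one per line.
pem_block_types() {
    sed -n 's/^-----BEGIN \(.*\)-----$/\1/p' "$1"
}

# Succeed if FILE holds any private-key block (plain, RSA, EC or encrypted).
pem_has_private_key() {
    grep -q -e '^-----BEGIN .*PRIVATE KEY-----$' "$1"
}

# Write only the CERTIFICATE blocks of IN to OUT, dropping keys and bag attributes.
pem_certs_only() {
    awk '/^-----BEGIN CERTIFICATE-----$/ { keep = 1 }
         keep { print }
         /^-----END CERTIFICATE-----$/ { keep = 0 }' "$1" > "$2"
}

# Demo on the constructed sample.
demo_dir=$(mktemp -d)
make_sample_pem "$demo_dir/mykeystore.pem"
if pem_has_private_key "$demo_dir/mykeystore.pem"; then
    pem_certs_only "$demo_dir/mykeystore.pem" "$demo_dir/mykeystore-cert.pem"
    echo "private key present; certificate-only copy written:"
    pem_block_types "$demo_dir/mykeystore-cert.pem"
fi
rm -rf "$demo_dir"
```

When the PKCS#12 file is still at hand, `openssl pkcs12 -nokeys` exports the certificates without the private key.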
Configure your app to connect to IBM MQ
- Use MQ libraries to create your client. Important information to collect:
- MQ: [inform]
- queue manager: [inform]
- host: [inform]
- port: [inform]
- channel name: CLOUD.ADMIN.SVRCONN
- queue: [inform]
- admin username/API key: [inform]
- Add the following JVM parameters to use the created certificates:
-Djavax.net.ssl.keyStore=/path/to/mykeystore.jks
-Djavax.net.ssl.keyStorePassword=mykeystore
-Djavax.net.ssl.trustStore=/path/to/myTrustStore.jks
-Djavax.net.ssl.trustStorePassword=mykeystore
References
- Converting a Java Keystore Into PEM Format
- TLS/SSL troubleshooting information
- TLS CipherSpecs and CipherSuites in IBM MQ classes for Java
- Enabling TLS in IBM MQ classes for Java
- Why is TLS connection to MQ failing with compcode ‘2’ (‘MQCC_FAILED’) reason ‘2400’ (‘MQRC_UNSUPPORTED_CIPHER_SUITE’)” exception?
- What TLS cipherspecs/ciphersuites are supported when connecting from Oracle Java (non-IBM JRE) to MQ queue manager?
- JMSCMQ0001: IBM MQ call failed with compcode ‘2’ (‘MQCC_FAILED’) reason ‘2400’ (‘MQRC_UNSUPPORTED_CIPHER_SUITE’)
- TLS CipherSpecs and CipherSuites in IBM MQ classes for JMS
- IBM MQ call failed with compcode ‘2’ (‘MQCC_FAILED’) reason ‘2035’ (‘MQRC_NOT_AUTHORIZED’)
- Spring Boot: Connecting to IBM MQ over JMS using non-IBM JRE
- IBM MQ queue properties
- IBM MQ get message with french symbols
- JMS message types and conversion
- The MQRFH2 header and JMS
- JMS TextMessage and RFH2
- Creating destinations in a JMS application
- Adding message headers
- Why RFH2 header is put before the message instead of in the header?
- WSO2: Remove MQRFH2 header from outgoing IBM MQ message
- How to remove header data from JMS Message from Visual Basic