Configure Java app to use IBM MQ Cloud with TLS

How to configure a Java environment to use IBM MQ Cloud with TLS.

IBM MQ Cloud is IBM's message queue implementation, available as a service in the cloud. This page covers its configuration and its integration with TLS, from the client's perspective.

The main goal here is to cover the configuration of IBM Cloud MQ and the certificate burden, so that Java clients can connect and use it for dev purposes. This article does not cover the Java client’s implementation.

IBM MQ and Java Developer Perspective

IBM MQ is IBM's message queue implementation. It is widely adopted in Brazilian companies, and very often it is required in order to transfer messages between different types of applications.

From the Java developer's point of view, an IBM MQ environment is required to run tests before going to production. However, depending on the company you work for, you may have to create this test environment yourself.

One alternative is to download and install IBM MQ locally. In this case, however, you must have admin privileges (there is no such thing as a ‘portable MQ’).

The other alternative is to use IBM MQ as a service, in the cloud. This is a simpler approach in terms of prerequisites, and it is the one we’ll cover on this page.

IBM offers 10,000 messages per month free of charge, which is ideal for development purposes.

Create an IBM Cloud account

Go to http://cloud.ibm.com/ and proceed with the account creation. You’ll get an IBMid, required for authentication.

Creating a MQ Service

  • In the hamburger menu, select ‘Dashboard’ and then click on ‘Create Resource’
  • Search for ‘MQ’ in the search bar. Click on the ‘MQ’ option that is returned (not RabbitMQ or ActiveMQ, just “MQ”)
  • In the service configuration screen:
    • Keep the plan as ‘Lite’ (to not be charged and for dev purposes)
    • Change the service name to a more descriptive one (like ‘MQ-TEST’)
    • Click ‘Create’ in order to create your MQ service

Create Admin user for MQ Service

  • In the hamburger menu, click on ‘Resource List’
  • In the ‘Services and Software’ section, click on the MQ-TEST service created previously. You are now in the MQ Service screen
  • Select the tab ‘User Credentials’
  • Click ‘Add’ and create an admin user

Create a Queue Manager in the MQ Service

  • In the MQ Service screen, click the ‘Create’ button
  • Enter the settings as required and click ‘Create’ again to create your Queue Manager

Get Queue Manager details

In the Queue Service screen, click on the queue manager name in the datagrid, and then click on the ‘Administration’ tab. You can now see the Queue Manager data required for an external connection, for instance:

Hostname - qmanager-123e.qm.us-south.mq.appdomain.cloud
Port - 32354
Queue Channel - CLOUD.ADMIN.SVRCONN
Activate User Identification - Yes
Compatibility Mode for user identification - No (important)

The next step is to get an API Key.

Get Queue Manager API Key

  • In the queue manager screen, go to the ‘Administration’ tab
  • Select ‘MQ Explorer’
  • Click on ‘Reconfigure IBM Cloud API Key’
  • Copy and save this key for later. It will be used, along with the admin username, to perform authentication

And that’s it. The next step is to create a TLS certificate.

Create a Certificate for secure auth

IBM Cloud requires a certificate to accept requests.

The idea is to create a local certificate and upload it to the IBM Cloud environment. This certificate will later be used by the Java client app to perform authentication.

Create a local keystore file and convert it to a PEM file

keytool -genkey -keyalg RSA -v -keystore mykeystore.jks -alias mykeystore

keytool -importkeystore -srckeystore mykeystore.jks \
   -destkeystore mykeystore.p12 \
   -srcstoretype jks \
   -deststoretype pkcs12

openssl pkcs12 -nodes -in mykeystore.p12 -out mykeystore.pem

(based on: Converting a Java Keystore Into PEM Format)

Create truststore file (based on the keystore)

keytool -export -alias mykeystore -keystore mykeystore.jks -rfc -file myTrustStore.cert

keytool -import -file myTrustStore.cert -alias myTrustStore -keystore myTrustStore.jks

keytool -importkeystore -srckeystore myTrustStore.jks \
   -destkeystore myTrustStore.p12 \
   -srcstoretype jks \
   -deststoretype pkcs12

openssl pkcs12 -nodes -in myTrustStore.p12 -out myTrustStore.pem
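
The mykeystore.pem file written above with `openssl pkcs12 -nodes` holds the private key unencrypted next to the certificate. The following is an added example, not part of the original article: a POSIX shell helper that counts the certificates and private keys in a PEM file and can write a certificate-only copy, so you can see exactly what a file contains before it leaves your machine. The function names and the sample PEM body are assumptions made for illustration.

```shell
# Added example: inspect a PEM file before sharing it. The sample PEM body
# is constructed (placeholder base64, not real key material).

# Print "certs=N plain_keys=N enc_keys=N" by counting PEM block headers.
pem_inventory() {
    awk '
        /^-----BEGIN CERTIFICATE-----/           { certs++ }
        /^-----BEGIN ENCRYPTED PRIVATE KEY-----/ { enc++ }
        /^-----BEGIN ([A-Z]+ )?PRIVATE KEY-----/ && !/ENCRYPTED/ { plain++ }
        /^Proc-Type: 4,ENCRYPTED/                { plain--; enc++ }  # legacy encrypted key
        END { printf "certs=%d plain_keys=%d enc_keys=%d\n", certs, plain, enc }
    ' "$1"
}

# Print only the CERTIFICATE blocks, dropping keys and "Bag Attributes" text.
pem_certs_only() {
    awk '
        /^-----BEGIN CERTIFICATE-----/ { inside = 1 }
        inside                         { print }
        /^-----END CERTIFICATE-----/   { inside = 0 }
    ' "$1"
}

# Succeed only if the file holds at least one certificate and no private key.
pem_is_public_only() {
    case "$(pem_inventory "$1")" in
        "certs=0 "*)                 return 1 ;;
        *" plain_keys=0 enc_keys=0") return 0 ;;
        *)                           return 1 ;;
    esac
}

# Write a constructed file shaped like `openssl pkcs12 -nodes` output.
make_sample_pem() {
    cat > "$1" <<'EOF'
Bag Attributes
    friendlyName: mykeystore
-----BEGIN PRIVATE KEY-----
Q09OU1RSVUNURUQgU0FNUExFIEtFWQ==
-----END PRIVATE KEY-----
Bag Attributes
-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQgU0FNUExFIENFUlQ=
-----END CERTIFICATE-----
EOF
}

# When given a file argument, print its inventory.
if [ -n "${1:-}" ]; then pem_inventory "$1"; fi
```

Source the file and run `pem_inventory` on mykeystore.pem and myTrustStore.pem; `pem_certs_only mykeystore.pem > mycert.pem` produces a copy without the key.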

Upload the keystore file into IBM Cloud Queue Manager

  • Go to the Queue Manager screen
  • Go to the ‘Keystore’ tab
  • Click ‘Import Certificate’
  • Select your previously created PEM keystore file

Configure your app to connect to IBM MQ

  • Use the MQ libraries to create your client. Important information to collect:
    • MQ: [inform]
    • queue manager: [inform]
    • host: [inform]
    • port: [inform]
    • channel name: CLOUD.ADMIN.SVRCONN
    • queue: [inform]
    • admin username/API key: [inform]
  • Add the following JVM parameters to use the created certificates:
-Djavax.net.ssl.keyStore=/path/to/mykeystore.jks
-Djavax.net.ssl.keyStorePassword=mykeystore
-Djavax.net.ssl.trustStore=/path/to/myTrustStore.jks
-Djavax.net.ssl.trustStorePassword=mykeystore

References