Pymqi - Connecting to IBM mq with SSL

I am able to connect to IBM mq through Pymqi using installed MQ client v9 on my Linux machine. There is requirement of connecting through SSL. How should I create key repository for two way TLS(mTLS)?

I have configured mutual tls between a python application using PyMQI backed with the IBM MQ toolkit for MacOS (9.1.5.0) and a queue manager running on a Raspberry Pi (9.2.0.0).

I have used self-signed certificates to make it easier to illustrate an end-to-end example of a TLS configuration with MQ. This would not normally be used in a production environment; your MQ administrator will typically provide any certificates that you might need to use which are often issued by a certificate authority. Where this is the case you can skip the certificate creation steps below.

Here are the steps I took:

Initial server and Python code setup

• Setup an IBM MQ server following this tutorial which provides the default developer configuration.

• Pulled in the the python sample code from this tutorial and put a message to DEV.QUEUE.1 without TLS configured.

General Config

• Created some working directories on my Mac client.

  mkdir tlsTest
  cd tlsTest
  mkdir client
  mkdir server
  

Queue Manager config

• Create the server keystore.

  cd server
  

  runmqakm -keydb -create -db key.kdb -pw <password> -stash
  

  ls
  

  Check to see key.crl key.kdb key.rdb key.sth.

• Check that the store is empty.

  runmqakm -cert -list -db key.kdb -stashed
  

  No certificates were found.
  

• Create the server certificate and put it in the new keystore key.kdb

  runmqakm -cert -create -db key.kdb -stashed -dn "cn=qm,o=ibm,c=uk" -label ibmwebspheremq<QMName_lowerCase> -type cms
  

• Check the certificate.

  runmqakm -cert -list -db key.kdb -stashed
  

  Certificates found
  * default, - personal, ! trusted, # secret key
  -    ibmwebspheremqqm1
  

  The '-' denotes the client's private key and personal certificate in this keystore.

• Extract the queue manager's public key.

  runmqakm -cert -extract -label ibmwebspheremq<QMName_lowerCase> -db key.kdb -stashed -file QM.cert
  

• Check to see the certificate file.

  ls
  

  QM.cert key.crl key.kdb key.rdb key.sth
  

• Inspect the certificate.

  runmqakm -cert -details -file QM.cert -stashed
  

Client Config

• Change to the client directory.

  cd ../client
  

• Create the client keystore.

  runmqakm -keydb -create -db client.kdb -pw <password> -stash
  

• Create the client certificate and put it in the new keystore client.kdb.

  runmqakm -cert -create -db client.kdb -stashed -dn "cn=pymqi,o=test,c=uk" -label ibmwebspheremq<userName_lowercase> -type cms
  

• Extract the client's public key.

  runmqakm -cert -extract -label ibmwebspheremq<userName_lowercase> -db client.kdb -stashed -file Client.cert
  

• Optionally inspect the certificate by modifying previous runmqakm -cert -list commands from the earlier server steps.

Exchange public keys

• Populate the client's keystore with the queue manager's public key.

  runmqakm -cert -add -label ibmwebspheremq<QMName_lowerCase> -db client.kdb -stashed -file ../server/QM.cert
  

• Check the certificate.

  runmqakm -cert -list -db client.kdb -stashed
  

  Certificates found
  * default, - personal, ! trusted, # secret key
  !    ibmwebspheremqqm1
  -    ibmwebspheremqapp
  

  The '!' shows that the queue manager's public key is trusted.

• Populate the queue manager's keystore with the client's public key.

  Change to the server directory.

  cd ../server
  

  runmqakm -cert -add -label ibmwebspheremq<userName_lowercase> -db key.kdb -stashed -file ../client/Client.cert
  

• Check the certificates.

  runmqakm -cert -list -db key.kdb -stashed
  

  Certificates found
  * default, - personal, ! trusted, # secret key
  !    ibmwebspheremqapp
  -    ibmwebspheremqqm1
  

Configure TLS on the Queue Manager

• Move the key.kdb and key.sth files from the tlsTest/server directory to /var/mqm/qmgrs/ssl/QM1 directory on the queue manager's file system.

• Modify the DEV.APP.SVRCONN channel to accept TLS 1.2 cipher suites.

  runmqsc QM1
  

  ALTER CHANNEL(DEV.APP.SVRCONN) CHLTYPE(SVRCONN) SSLCIPH(ANY_TLS12)
  

• Refresh the queue manager's security subsystem.

  REFRESH SECURITY(*) TYPE(SSL)
  

TLS enabled the MQ PyMQI application

• Add cipher spec and label into the Python app and include the sco options.

  cd.SSLCipherSpec = b'ANY_TLS12'
  sco = pymqi.SCO()
  #include file name but not file extension
  sco.KeyRepository = b'tlsTest/client/client'
  sco.CertificateLabel =b'ibmwebspheremqapp'
  

• Change the qmgr.connect line to add sco options.

  qmgr.connect_with_options(queue_manager, user=b'app', password=b'<your_password>', cd=cd, sco=sco)
  

• Test Python app.

Alternate configuration to use environment variables to reference label and keystore

• Change the python app to remove label and keystore.

  #sco = pymqi.SCO()
  #sco.KeyRepository = b'tlsTest/client/client'
  #sco.CertificateLabel =b'ibmwebspheremqapp'
  #qmgr.connect_with_options(queue_manager, user=b'app', password=b'<your_password>', cd=cd, sco=sco)
  qmgr.connect_with_options(queue_manager, user=b'app', password=b'<your_password>', cd=cd)
  

• Set environment variables.

  export MQSSLKEYR=tlsTest/client/client
  export MQCERTLABL=ibmwebspheremqapp
  

• Test Python app.