Enabling Remote Connection to Queue Manager on v7.5 – Part 1

During my multiple training sessions on MQ / IIB, I have been asked by my candidates how to enable a remote connection to a queue manager. Hence this blog post detailing the steps for a remote QM connection.

Please note that this blog entry focuses on the steps to enable remote connection to a queue manager in non-production environments (esp. development / test) and is not suitable for production or secured environments, because the required security aspects / details are not covered in this blog.

In MQ v7.1, the Channel Authentication Record feature was introduced. It can be used to allow / block inbound connections from clients / remote queue managers on specific MQI channels. This feature can also be used to provide identity mapping for connections from applications / remote queue managers, using techniques such as Asserted User Identity, Originating IP Address, Certificate DN, and Remote QMGR Name. The resulting identity is set as the MCAUSER for the connection, which is then used by the queue manager for authorization.

Whether Channel Authentication Records are used is controlled at the QMGR level. For this purpose the CHLAUTH property has been added to the QMGR: CHLAUTH (ENABLED / DISABLED)

To enable remote connections, we could either disable this function or use this feature. For simplicity, this blog focuses on connecting to a remote queue manager with this feature disabled, as illustrated below.

To disable the channel authentication feature on a queue manager, say QM1, execute the following command in the script window of QM1. To get to the script mode of a queue manager, use the command runmqsc, e.g. runmqsc QM1

Note: This step is applicable to queue managers from v7.1 onwards only. For queue managers on earlier versions, this step can be omitted.


ALTER QMGR CHLAUTH(DISABLED)


[Screenshot: Altering CHLAUTH attribute of Queue Manager]

Once this has been disabled, you need to create the following objects in QM1 for remote connectivity (applies to queue managers on any version):

  • A listener object, to specify the port on which the queue manager will listen for connections
  • A server connection channel, through which an application can connect to the queue manager

You can use the following steps to create the objects in the script window of the queue manager.

1. To create a TCP listener in QM1 that listens on port 1616 and to start it, use the commands below

Command Syntax:

DEFINE LISTENER(<LISTENER NAME>) TRPTYPE(TCP) PORT(<PORT>) CONTROL(QMGR)


DEFINE LISTENER(TCP.LISTENER) TRPTYPE(TCP) PORT(1616) CONTROL(QMGR)

START LISTENER(TCP.LISTENER)


[Screenshot: Creation of Listener object for queue manager and starting it]

2. Creating Server Connection Channel

Command Syntax:

DEFINE CHANNEL(<CHL NAME>) CHLTYPE(SVRCONN) TRPTYPE(TCP) MCAUSER(<USER ID>)


DEFINE CHANNEL(APP.SVRCONN) CHLTYPE(SVRCONN) TRPTYPE(TCP) MCAUSER('mqm')


In the above command, the MCAUSER attribute of the channel specifies the user id that the queue manager uses to authorize the application connecting through this channel. For illustration purposes and to avoid authorization issues, the user id 'mqm' is set in this attribute.

[Screenshot: Creating Server Connection Channel on Queue Manager in MQ]

Note:

  • Since mqm is the MQ administrative user, normally one should not specify this or any other administrative user id as the value of this attribute. If a value is specified, it should be a non-administrative user id.
  • The user id specified must exist in the OS where the queue manager is running and must have the requisite access to perform the activities it is supposed to do. When a non-administrative user id has been specified in the MCAUSER attribute, this access can be granted using the setmqaut command.
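To find queue managers where these development-only settings were left in place, the following added example (not part of the original post) parses runmqsc output and flags a disabled CHLAUTH and SVRCONN channels whose MCAUSER is administrative or blank. The sample output is constructed, and the list of administrative user ids is an assumption to adapt locally.

```python
import re

# Constructed sample of runmqsc output for the two commands
# DISPLAY QMGR CHLAUTH and DISPLAY CHANNEL(*) MCAUSER.
SAMPLE = """\
     1 : DISPLAY QMGR CHLAUTH
AMQ8408: Display Queue Manager details.
   QMNAME(QM1)                             CHLAUTH(DISABLED)
     2 : DISPLAY CHANNEL(*) MCAUSER
AMQ8414: Display Channel details.
   CHANNEL(APP.SVRCONN)                    CHLTYPE(SVRCONN)
   MCAUSER(mqm)
AMQ8414: Display Channel details.
   CHANNEL(SYSTEM.DEF.SVRCONN)             CHLTYPE(SVRCONN)
   MCAUSER( )
AMQ8414: Display Channel details.
   CHANNEL(QM1.TO.QM2)                     CHLTYPE(SDR)
   MCAUSER( )
"""

ADMIN_USERS = {"mqm", "musr_mqadmin"}  # assumption: local administrative ids
ATTR = re.compile(r"([A-Z]+)\(([^)]*)\)")  # matches NAME(value) pairs

def parse_records(text):
    """Split runmqsc output into one attribute dict per AMQ response."""
    records = []
    for line in text.splitlines():
        if line.startswith("AMQ"):
            records.append({})
        elif records and not re.match(r"\s*\d+ : ", line):  # skip command echo
            records[-1].update((k, v.strip()) for k, v in ATTR.findall(line))
    return records

def audit(text):
    """Return findings for the dev-only settings applied in this post."""
    findings = []
    for rec in parse_records(text):
        if rec.get("CHLAUTH") == "DISABLED":
            findings.append(f"{rec['QMNAME']}: CHLAUTH is DISABLED")
        if rec.get("CHLTYPE") != "SVRCONN":
            continue  # only client-facing server connection channels
        user = rec.get("MCAUSER", "")
        if user.lower() in ADMIN_USERS:
            findings.append(f"{rec['CHANNEL']}: MCAUSER is administrative user '{user}'")
        elif not user:
            findings.append(f"{rec['CHANNEL']}: MCAUSER is blank, client-asserted id is used")
    return findings
```

Feed it the captured output of runmqsc for the target queue manager in place of SAMPLE; an empty result means none of the three conditions was found.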

Now that the queue manager has been enabled for remote connections, you can use MQ Explorer from a remote machine to connect to it by specifying this channel name and the connection details. The steps are illustrated below.

  • From MQ Explorer, right-click the Queue Managers folder and select the “Add Remote Queue Manager” option
[Screenshot: MQ – Adding Remote QM from Explorer]

  • Specify the name of the queue manager, select the option “Connect Directly”, and click Next
[Screenshot: MQ – Adding Remote QM from Explorer Step 2]

  • Specify the connection details of the remote queue manager, using the port and the channel name we created earlier, and click Finish
[Screenshot: MQ – Remote QM Connection Details from Explorer]

[Screenshot: MQ – Remote QM Added in Explorer]

Stay tuned for Part 2 of this blog, which will cover enabling remote connection using Channel Authentication Records and connecting using a non-administrative user id.
