During my multiple training sessions on MQ / IIB, I have been asked by my candidates how to enable remote connection to a queue manager. Hence this blog, detailing the steps for remote QM connection.
Please note that this blog entry focuses on the steps to enable remote connection to a queue manager in non-production environments (esp. development / test) and is not suitable for production or secured environments, because the security aspects / details required are not covered in this blog.
MQ v7.1 introduced the Channel Authentication Record feature, which can be used to allow / block inbound connections from clients / remote queue managers on specific MQI channels. This feature can also provide identity mapping for connections from applications / remote queue managers, using techniques such as Asserted User Identity, Originating IP Address, Certificate DN and Remote QMGR Name. The resulting identity is set as the MCAUSER for the connection, which the queue manager then uses for authorization.
Control is provided at the QMGR level to specify whether this Channel Authentication Record functionality is used. For this purpose the CHLAUTH property has been added to the QMGR: CHLAUTH (ENABLED / DISABLED).
To enable remote connections, we can either disable this feature or use it. For simplicity, this blog focuses on connecting to a remote queue manager with this feature disabled, as illustrated below.
To disable the channel authentication feature on a Queue Manager, say QM1, execute the following command in the script window of QM1. To get to the script mode of a queue manager, use the command runmqsc, e.g. runmqsc QM1
Note: This step is applicable to Queue Managers from v7.1 onwards only. For a QM on an earlier version, this step can be omitted.
ALTER QMGR CHLAUTH(DISABLED)
Once this has been disabled, you need to create the following objects in QM1 for remote connectivity (applies to a QM on any version):
- Listener Object, to specify the port on which the Queue Manager will listen for connections
- Server Connection Channel, through which an application can connect to the Queue Manager
You can use the following steps to create the objects in the script window of the Queue Manager:
1. To create a TCP Listener in QM1 that listens on port 1616 and to start it, use the commands below
DEFINE LISTENER(<LISTENER NAME>) TRPTYPE(TCP) PORT(<PORT>) CONTROL(QMGR)
DEFINE LISTENER(TCP.LISTENER) TRPTYPE(TCP) PORT(1616) CONTROL(QMGR)
START LISTENER(TCP.LISTENER)
2. Creating the Server Connection Channel
DEFINE CHANNEL(<CHL NAME>) CHLTYPE(SVRCONN) TRPTYPE(TCP) MCAUSER('<USER ID>')
DEFINE CHANNEL(APP.SVRCONN) CHLTYPE(SVRCONN) TRPTYPE(TCP) MCAUSER('mqm')
In the above command, the MCAUSER attribute of the channel specifies the user id that the queue manager uses to authorize the application connecting through this channel. For illustration purposes and to avoid authorization issues, the user id 'mqm' is set in this attribute. Note the following:
- Since mqm is the MQ administrative user, normally one should not specify this or any other administrative user id as the value of this attribute. If a value is specified, it should be a non-administrative user id.
- The user id specified must exist in the OS where the queue manager is running and have the requisite access to perform the activities it is supposed to do. This access can be granted using the setmqaut command when a non-administrative user id has been specified in the MCAUSER attribute.
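Because both shortcuts above (CHLAUTH disabled and an administrative MCAUSER) are meant for development / test only, the following added example, which is not part of the original post, parses runmqsc output and flags queue managers and SVRCONN channels where they are still in place. The sample output is constructed, and DEV.SVRCONN, appuser and the ADMIN_IDS set are assumptions.

```python
import re

# Constructed runmqsc output (not captured from a real system) for:
#   DISPLAY QMGR CHLAUTH
#   DISPLAY CHANNEL(*) CHLTYPE(SVRCONN) MCAUSER
# DEV.SVRCONN and appuser are hypothetical names.
SAMPLE_OUTPUT = """\
     1 : DISPLAY QMGR CHLAUTH
AMQ8408I: Display Queue Manager details.
   QMNAME(QM1)                             CHLAUTH(DISABLED)
     2 : DISPLAY CHANNEL(*) CHLTYPE(SVRCONN) MCAUSER
AMQ8414I: Display Channel details.
   CHANNEL(APP.SVRCONN)                    CHLTYPE(SVRCONN)
   MCAUSER(mqm)
AMQ8414I: Display Channel details.
   CHANNEL(DEV.SVRCONN)                    CHLTYPE(SVRCONN)
   MCAUSER(appuser)
"""

ADMIN_IDS = {"mqm"}  # assumption: add other administrative ids used locally
ATTR = re.compile(r"([A-Z]+)\(([^)]*)\)")  # KEYWORD(value) pairs in a response
ECHO = re.compile(r"^\s*\d+ : ")  # runmqsc echoes each command as "n : command"

def parse_records(text):
    """Return one attribute dict per AMQ response block."""
    records = []
    for line in text.splitlines():
        if line.startswith("AMQ"):
            records.append({})
        elif records and not ECHO.match(line):
            records[-1].update((k, v.strip()) for k, v in ATTR.findall(line))
    return records

def audit(text):
    """Flag CHLAUTH(DISABLED) and administrative MCAUSER values on SVRCONN channels."""
    findings = []
    for rec in parse_records(text):
        if rec.get("CHLAUTH") == "DISABLED":
            findings.append(f"{rec.get('QMNAME', '?')}: CHLAUTH(DISABLED)")
        user = rec.get("MCAUSER", "")
        if rec.get("CHLTYPE") == "SVRCONN" and user.lower() in ADMIN_IDS:
            findings.append(f"{rec.get('CHANNEL', '?')}: MCAUSER({user}) is an administrative id")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_OUTPUT):
        print(finding)
```

To run it against a real queue manager, replace SAMPLE_OUTPUT with the text produced by piping the two DISPLAY commands into runmqsc QM1.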
Now that the queue manager has been enabled for remote connections, you can use MQ Explorer from a remote machine to connect to it by specifying this channel name and the connection details. The steps are illustrated below:
- From MQ Explorer, right click on the Queue Managers folder and select the "Add Remote Queue Manager" option
- Specify the name of the Queue Manager, select the option "Connect Directly" and click Next
- Specify the connection details of the remote queue manager, using the port and the channel name we created earlier, and click Finish
Stay tuned for Part-2 of this blog, which will cover enabling remote connection using Channel Authentication Records and connecting using a non-administrative user id.