Wednesday, 23 January 2013

SSL in MQ


Secure Sockets Layer (SSL) concepts
SSL is a protocol that provides privacy and integrity between two communicating applications using TCP/IP.
The data going back and forth between client and server is encrypted using a symmetric algorithm such as DES or RC4. A public-key algorithm—usually RSA—is used for the exchange of the encryption keys and for digital signatures. The algorithm uses the public key in the server’s digital certificate. With the server’s digital certificate, the client can also verify the server’s identity. Versions 1 and 2 of the SSL protocol provide only server authentication. Version 3 adds client authentication, using both client and server digital certificates.

Secure Sockets Layer (SSL) protocol enables two parties to communicate with privacy and data integrity. The Secure Sockets Layer (SSL) provides an industry standard protocol for transmitting data in a secure manner over an insecure network. SSL defines methods for authentication, data encryption, and message integrity for a reliable transport protocol, usually TCP/IP. SSL uses both asymmetric and symmetric cryptography techniques. Refer to the following web site for a complete description of the SSL protocol: http://wp.netscape.com/eng/ssl3/. An SSL connection is initiated by the caller application, which becomes the SSL client. The responder application becomes the SSL server. Every new SSL session begins with an SSL handshake, as defined by the SSL protocol.
MQ v7 Security, page 19 [29/175].
In any SSL communication path, we must make sure that each side of the communication channel:
  • has a personal certificate, and
  • possesses the signing certificate that corresponds to its peer's personal certificate.
A digital certificate serves two purposes: it establishes the owner’s identity, and it makes the owner’s public key available. A digital certificate is issued by a trusted authority—a certificate authority (CA), and it is issued only for a limited time. When its expiration date passes, the digital certificate must be replaced.

Encryption is only one tool that can be used in security, and usually it’s not the encryption that’s the weak point. There’s not much point in encrypting traffic when there’s no authentication of the client or server.
SSL handshake
SSL handshake
CipherSpec, SSLCIPH and TRIPLE_DES_SHA_US
The CipherSpec identifies the combination of encryption algorithm and hash function used by an SSL or TLS connection.
CipherSpec name = TRIPLE_DES_SHA_US ; Hash Algorithm = SHA ; Encryption Algorithm = 3DES ; Encryption bits = 168 ;
Glossary
  • CA = certificate authority
  • CRL = certificate revocation list
  • Cryptographic strength : messages and certificates make use of cryptographic hashes to verify integrity. The two hash types currently in use are MD5 and SHA1 algorithm.
  • Keyring = the set of files that hold the certificates and keys used for SSL. The QMgr uses a CMS key database. Things that are based on Java use a Java KeyStore or JKS keyring. The type used by a particular client app depends on the platform the app was written in. The good news is that you can use GSKit to convert one to the other as needed.
  • SSL = Secure Socket Layer
The SSL key repository
We use the general term key repository to describe the store for digital certificates and their associated private keys.
The location of the key repository depends on the platform you are using.
On Windows and UNIX systems the key repository is a key database file. The name of the key database file must have a file extension of .kdb. For example, on UNIX, the default key database file for queue manager QM1 is /var/mqm/qmgrs/QM1/ssl/key.kdb. If MQ is installed in the default location, the equivalent path on Windows is C:\Program Files\IBM\WebSphere MQ\Qmgrs\QM1\ssl\key.kdb.
On Windows and UNIX systems each key database file has an associated password stash file. This file holds encrypted passwords that allow programs to access the key database. The password stash file must be in the same directory and have the same file stem as the key database, and must end with the suffix .sth, for example /var/mqm/qmgrs/QM1/ssl/key.sth

Amunt! Top Amunt!
MQ Clients and SSL
Specifying that an MQI channel uses SSL
For an MQI channel to use SSL, the value of the SSLCipherSpec attribute of the client-connection channel must be the name of a CipherSpec that is supported by WebSphere MQ on the client platform.
You can define a client-connection channel with a value for this attribute in the following ways :
  • When a WebSphere MQ client application issues an MQCONNX call.
  • Using a client channel definition table.
    One or more entries in a client channel definition table can specify the name of a CipherSpec. For example, if you create an entry by using the DEFINE CHANNEL MQSC command, you can use the SSLCIPH parameter on the command to specify the name of a CipherSpec.

    SSLCIPH(string) CipherSpec used on the channel. The maximum length is 32 characters. This parameter is valid on all channel types. The SSLCIPH values must specify the same CipherSpec on both ends of the channel. Accepted values : NULL_MD5, NULL_SHA, RC4_MD5_EXPORT, RC4_MD5_US, RC4_SHA_US, RC2_MD5_EXPORT, DES_SHA_EXPORT, RC4_56_SHA_EXPORT1024, DES_SHA_EXPORT1024, TRIPLE_DES_SHA_US, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA, AES_SHA_US, TLS_RSA_WITH_DES_CBC_SHA, TLS_RSA_WITH_3DES_EDE_CBC_SHA, FIPS_WITH_DES_CBC_SHA, FIPS_WITH_3DES_EDE_CBC_SHA.
  • Using Active Directory on Windows.
MQ v7 Clients, page 96 [106/159]; MQ v7 MQSC, page 203 [213/629].
Renegotiating the secret key
During an SSL handshake a ’secret key’ is generated to encrypt data between the SSL client and SSL server. The key can be renegotiated periodically to minimize the amount of encrypted data that can be decrypted if the secret key is discovered. By default, clients do not renegotiate the SSL secret key. You can make a client renegotiate the key by using the KeyResetCount field in the MQSCO structure on an MQCONNX call or by using the environment variable MQSSLRESET. Both these variables can be set to an integer in the range 0 through 999 999 999, representing the number of unencrypted bytes sent and received within an SSL conversation before the SSL secret key is renegotiated. Specifying a value of 0 for MQSSLRESET or for KeyResetCount indicates that SSL secret keys are never renegotiated.

Amunt! Top Amunt!
SSL setup how-to
What do we need to setup a SSL-secured client connection to a queue manager ?
T. Rob's checklist(s)
Implementing SSL with self-signed certificates requires the administrator to:
  • Create a key database for the client and generate the corresponding certificate.
  • Create a key database for the server and generate the corresponding certificate.
  • Extract public keys from each of the certificates.
  • Import the public key of the client into the server's key database.
  • Import the public key of the server into the client's key database.
  • Enable SSLCIPH and set SSLCAUTH(REQUIRED) on the channels between the client and server.
The setup tasks to implement SSL using CA issued certificates are:
  • Create a key database for the client and generate a certificate signing request (CSR).
  • Create a key database for the server and generate a CSR.
  • Submit the CSRs to the CA for authentication and obtain the signed results.
  • Import the CA root certificate, if it does not already exist in the trust store of the client or the server.
  • Receive the client certificate into the client's key database.
  • Receive the server certificate into the server's key database.
  • Enable SSLCIPH and set SSLCAUTH(REQUIRED) on the channels between the client and server.
  • Set SSLPEER on the server to a string that matches the client certificate.
  • Remove all other CA signers from the trust store.
Notice that the server does not need to have the client's key in its trust store (and vice versa) because the CA is trusted. The use of SSLPEER is what determines whether a given certificate is accepted or rejected.
Sam's steps
From 4140 RedPaper chapter 2.
  • I. On the client machine in a selected directory do this:
    • 1. Create keydb.
    • 2. Create the certificate request and send it to CA to sign
    • 3. Receive the signed certificate
    • 4. Add the CA certificate (assumed you have CA cert)
  • II. On the QMgr machine(Server) do this (on Unix directory: "/var/mqm/qmgrs/QMgrName/ssl):
    • 1. Create keydb.
    • 2. Create the certificate request and send it to CA to sign
    • 3. Receive the signed certificate
    • 4. Add the CA certificate (assumed you have CA cert)
  • III. Alter qmgr on Qmgrserver for key repository
    alter qmgr SSLKEYR('/var/mqm/qmgrs/QMgrName/ssl/keydb')
  • IV. Create the SVRCONN/ CLNTCONN channels and export the CHLTAB onto the Client Machine. For SSL to implement, the client should use CHLTAB to connect to QMgr and not the SVRCONN channel. Need to install the gskit also.
  • V. On both SVRCONN/CLNTCONN, you need to select same Cipherspec.
Keep in mind that the GSK utility allows you to create self-signed certs - a great place to start testing, OR to manage SSL on your intra-net.
This is, the iKeyMan toold or "IBM Key Management" icon inside the Websphere MQ folder.

Or use OpenSSL to create a full Root CA and Intermediate CA chain.
Details
The steps we shall follow are :
  1. Set up a non-SSL WebSphere MQ client.
  2. Verify the non-SSL client connectivity.
  3. Set up a one-way SSL channel connection.
    One-way means that only the queue manager (in SSL terms, the server) presents a certificate, which the client authenticates.
  4. Convert the SSL connection to two-way, that is, mutual authentication between the client and queue manager.
Let's go ahead :
  1. Setting up a non-SSL WebSphere MQ client
    SET GESTOR=SSLQM @echo Create queue manager (%GESTOR%). crtmqm -u SSLQM.DLQ %GESTOR% @echo Start queue manager amqmdain qmgr start %GESTOR% @echo Create listener @echo DEFINE LISTENER('LISTENER.TCP') TRPTYPE(TCP) PORT(33333) CONTROL(QMGR) | runmqsc %GESTOR% @echo def ql(SSLQM.DLQ) | runmqsc %GESTOR% @echo def ql(Q1) | runmqsc %GESTOR% @echo def chl(SSL.CLIENTS) chltype(SVRCONN) | runmqsc %GESTOR% @echo START LISTENER('LISTENER.TCP') | runmqsc %GESTOR%

  2. Verify the non-SSL client connectivity
    • 2.1.- Using WebSphere MQ server
      set MQSERVER=SSL.CLIENTS/TCP/192.168.1.64(33333) amqsputc Q1 SSLQM amqsgetc Q1 SSLQM
    • 2.2.- Using channel tables
      • a. Create a client connection channel on the queue manager machine (this creates the channel table).
      • b. Transfer the channel table file to the client machine.
      • c. Set up the appropriate environment variables on the client machine.
      • d. Test the WebSphere MQ client with channel tables.
      The sequence is :
      1. (a) enter set mqchl to verify we do not have the channel table environment variables set
      2. (a) def chl(SSL.CLIENTS) chltype(CLNTCONN) conname('192.168.1.64(33333)') replace | runmqsc SSLQM
      3. (a) as a result, you see a file called AMQCLCHL.TAB in your queue manager's @ipcc directory
      4. (b) copy FTP binary the AMQCLCHL.TAB file to the client machine, let's say the directory C:\MQCLIENT\
      5. (c) set up the environment variables :
        • set mqchllib=C:\MQCLIENT
        • set mqchltab=AMQCLCHL.TAB
        • set mqserver=
      6. (d) amqsputc Q1 SSLQM
      7. (d) amqsgetc Q1 SSLQM

  3. Set up a one-way SSL channel connection - SSL server authentication With SSL server authentication, the queue manager must have a certificate, which it presents to the client, so that the client knows it is connecting to the right server. This is what happens when you shop online and your URL starts with https:. The browser asks for a certificate, so you know you are giving your credit card details to the right company, but the server (the online shop) does not ask for a certificate from you.
    There are a number of ways to obtain a certificate for your queue manager:
    • You can create self-signed certificates.
    • You can have an in-house certification authority.
    • You can request a certificate from a certification authority.
    In this example, we create self-signed certificates. The steps to implement SSL server authentication are:
    • a. Create a key repository for the queue manager.
    • b. Create a self-signed certificate for the queue manager.
    • c. Add the certification authority certificate to the client. (The client needs this to decode the queue manager's certificate.)
    • d. Test the SSL server authentication.
    The sequence is :
    1. (a) On the queue manager machine, open a Windows command prompt and enter strmqikm. This starts the IBM Key Management (iKeyman) GUI.
    2. (a) Create a key repository for the queue manager :
      Select Key Database File -> New.
      Select "Key database type" := "CMS" ; "File Name" := "key.kdb" ; "Location" := "<MQdir>\Qmgrs\SSLQM\ssl" ;
      Select a password for this key repository.
      The password is encrypted and saved into file key.sth.
    3. (b) click "New Self-Signed Certificate" (bottom-right corner)
    4. (b) fill in the certificate attributes (Key Label must be ibmwebspheremq followed by the queue manager name in lowercase) Now the queue manager has a certificate. The queue manager presents this certificate to the WebSphere MQ client when the client connects. To validate the queue manager's certificate, the client needs the certification authority (CA) certificate.
    5. (c) to extract the CA certificate, click Extract Certificate (bottom-right corner), and enter filename (sslqm.arm) and directory. This creates a file called sslqm.arm in C:\<MQDir>\Qmgrs\SSLQM\ssl\. You now must transfer the CA Certificate file to the client's key repository.
    6. (c) Create c:\MQCLIENT\ if it does not exist, and copy (or FTP ASCII) the CA certificate file (sslqm.arm).
    7. (c) on the client machine, run strmqikm
    8. (c) create a key repository for the client :
      select Key Database File -> New
      Select "Key database type" := "CMS" ; "File Name" := "key.kdb" ; "Location" := "C:\MQCLIENT" ;
      Select a password for this key repository.
      Click Add (top-right corner)
      Select "Certificate file name" := "sslqm.arm" ; "Location" := "C:\MQCLIENT\" ;
      We created a certificate store for the MQ client in C:\MQCLIENT, but we have not told the client where to find it. To do this, set the MQSSLKEYR environment variable
      set mqsslkeyr=C:\MQCLIENT\key
    9. (d) Change the client connection and server connection channel definitions for SSL :
      echo alter chl(SSL.CLIENTS) chltype(svrconn) sslciph(triple_des_sha_us) sslcauth(optional) | runmqsc SSLQM

      The change to the client connection channel updates the channel table (file AMQCLCHL.TAB) in your queue manager's @ipcc directory. Copy the channel table (or FTP binary) to the client directory (C:\MQCLIENT) in the client machine.
    10. (d) Verify connection works :
      set mq mqchllib=C:\MQCLIENT mqchltab=AMQCLCHL.TAB mqsslkeyr=C:\MQCLIENT\key amqsputc Q1 SSLQM amqsgetc Q1 SSLQM
      If the programs run successfully, it means that the client channel works with SSL.

  4. Convert the SSL connection to two-way SSL client authentication means that the client has a certificate assigned, which it presents to the server when the channel starts. To set up client authentication, we need to perform the following steps:
    • a. Create a self-signed certificate for the client.
    • b. Add the certification authority certificate to the queue manager.
    • c. Change the server connection channel to request client authentication.
    • d. Re-test.
    The sequence is :
    1. (a) to create a self-signed certificate for the client, on the client machine, run strmqikm
      This is the same as creating a self-signed certificate for the queue manager. The only difference is that we run it from the client machine.
    2. (a) click the Open icon (or select Key Database File -> Open).
    3. (a) provide the following values : "Key database type" := "CMS" ; "File Name" := "key.kdb" ; "Location" := "C:\MQCLIENT" ; enter the password.
    4. (a) viewing Personal Certificates, click New Self-Signed Certificate (bottom-right corner).
    5. (a) fill in the certificate attributes, as "Key Label" := "ibmwebspheremq" followed by the lowercase user ID.
      In our case: ibmwebspheremqemir
      Now the MQ client has a certificate, which it presents to the queue manager when the client connects. To validate the client's certificate, the queue manager needs the certification authority (CA) certificate.
    6. (b) click Extract Certificate (bottom-right corner).
      Provide "File Name" := <user ID>.arm, in our case: emir.arm; "Location" := "C:\MQCLIENT\" ;
      Now, you must transfer the CA Certificate file to the queue manager's key repository.
    7. (b) copy (or FTP ASCII) the CA certificate file (.arm) from the client's C:\MQCLIENT directory to the queue manager's ssl directory. This is <MQdir>\Qmgrs\SSLQM\ssl.
    8. (b) on the queue manager machine, run strmqikm
    9. (b) click the Open icon (or select Key Database File -> Open).
      Open the key.kdb file in <MQdir>\Qmgrs\SSLQM\ssl. Switch to viewing Signer Certificates. Click Add (top-right corner).
      Select "Certificate file name" := <user ID>.arm; "Location" := <MQdir>\Qmgrs\SSLQM\ssl\ ;
      Enter a label for the certificate, as the client's user ID ("emir").
    10. (c) to enable client authentication, the server connection channel must specify SSLCAUTH(REQUIRED).
      echo alter chl(SSL.CLIENTS) chltype(svrconn) sslcauth(required) | runmqsc SSLQM
    11. (d) run
      set mq mqchllib=C:\MQCLIENT mqchltab=AMQCLCHL.TAB mqsslkeyr=C:\MQCLIENT\key amqsputc Q1 SSLQM amqsgetc Q1 SSLQM
      If amqsputc fails with MQCONN ended with reason code 2393 or MQCONN ended with reason code 2059, stop and start the queue manager.

A more detailed list could be :

Mine (untested) :
  • MQ Server machine with MQ Server installed and a queue manager
  • MQ Client machine with MQ Client installed
  • SVRCONN channel definition
  • CLNTCONN channel definition => MQCHLTBL moved from MQ Server machine to MQ Client machine
  • create a key repository (or key database) on MQ Server machine : runmqckm
  • create and distribute the CA certificate
  • create the queue manager certificate
  • set SSLKEYR on queue manager
  • get client certificates and store them into the keystore
  • client keystore : /tmp/pkiuser.kdb
  • environment variables setup on MQ Client machine :
    • MQSSLKEYR - this variable specifies the location of the key repository that holds the user’s digital certificate, in stem format.
    aix-client# export MQCHLTAB=AMQCLCHL.TAB aix-client# export MQCHLLIB=/tmp aix-client# export MQSSLKEYR=/tmp/pkiuser

Amunt! Top Amunt!
{bestp}
Emir's "gotchas" : impresionant ! MQ SSL common mistakes and how to avoid them
  • CSQX630E Channel requires SSL
  • CSQX642E No SSL certificate for channel
  • Certificate not signed
  • CSQX686E SSL private key error
  • CSQX632I SSL certificate has no associated user ID
  • Certificate corrupted after FTP to z/OS
  • No need to restart the CHINIT
  • Key repository not found
  • Wrong type of key repository
  • CSQX631E/AMQ9631 CipherSpecs do not match
  • Corrupted certificates
  • Expired certificates
  • Duplicate certificate serial numbers
  • GSKit GUI and command line differences
  • Add or receive?
  • AMQ9660 or AMQ9657
  • Problems using makecert
  • gsk6cmd, gsk7cmd or runmqckm?
  • Problems migrating from V5.3 to V6.0 on Windows
  • Password not stashed
url.

Amunt! Top Amunt!
SSL @ T400

Amunt! Top Amunt!
Advice
  • delete all the default certificate authorities when you create a new keyring
    These cause your client or server to trust any certificate ever issued by Verisign, RSA or Thawte.
    \\MQ\Seguridad\T-Rob\SSL\Define_Keyring_and_Delete_Default_CAs.cmd

  • test DEFINITELY the reverse cases
    • adequate people can connect
    • the rest of the people can NOT connect

Amunt! Top Amunt!
MO04 - SSL wizard
java –jar wmqsslwizard.jar
Converting between gsk7cmd and gsk7capicmd is pretty easy. You just make sure that the gsk7capi command folder and library folder are both in your PATH and replace all gsk7cmd with the string gsk7capicmd in your scripts. You can then make minor changes to the command line options to include the signing algorithm or enable FIPS mode. Get the manual here.
Maybe we need to convert the commands from MO04 from gsk7cmd to gskcapicmd and specify the signature algorithm as a command line option.

Amunt! Top Amunt!
Flecos
Port sniffer to demo the encryption aspects of MQ. From SSL tutorial. T42:\\MQ\Eines\SSL_and_Sniffer, T42:\\MQ\Presentacions, T42:\\MQ\Seguridad
  • setmqaut
  • dspmqaut
  • dmpmqaut
Security, SC34-6079-01

Amunt! Top Amunt!
Points to clarify
  • are you using self-signed certificates or CA-signed certs ?
    Make sure to use one CA or self-signed certs. Discourage mixing these methods or trusting multiple CA's.
  • if one CA is chosen ...
    • carefully consider the certificate distinguished names.
    • be prepared to implement CRL functionality. Using a CA without a CRL is strongly NOT advised.
  • to sign the certificates, shall we use MD5 algorithm or SHA-1 ?
    Strongly steer to SHA-1 and away from MD-5.
  • what kind of testing are we gonna run ?

Amunt! Top Amunt!
Tools
nssl - netcat-like program with transparent SSL support.
stunnel : allows you to encrypt arbitrary TCP connections inside SSL. Use it for tunnelling any traffic through SSL.
ssldump : SSLv3/TLS network protocol analyzer. Use it for sniffing and decrypting SSL traffic.
OpenSSL : command-line utility, a swiss army knife for encryption protocols. Use it for far more than just generating keys and connecting to SSL servers. Can also act as an ad hoc SSL client :
openssl s_client -connect www.example.com:443
The above lets you connect via SSL to a web server and manually type HTTP commands just like you can with non-SSL web servers using plain old netcat and telnet.
nmap : scanner able to identify SSL services (via the “–sV” scan option)
Nessus : scanner that has the capability of checking SSL services on arbitrary ports, and report weak ciphers

Amunt! Top Amunt!
Testing
An unexpected user does connect using an encrypted channel. How to know what failed ?

Amunt! Top Amunt!
Dubtes
  • Authentication information objects contain authentication information for LDAP servers that hold Certificate Revocation Lists (CRLs). When transporting SSL-encrypted data, the queue manager accesses the CRLs to authenticate certificates that it receives.
  • With that many remote sites, I expect you will use CA-signed certificates. Be sure to e a certificate revocation list in that case.
  • RACF - security exit at channel, user by queue/resource

The MCAUSER helps with authorization only. The SSL will provide authentication. Combine these and you have meaningful security.

Amunt! Top Amunt!
Links

Sunday, 6 January 2013

Setting up WebSphere MQ


In this module, you will create all of the WebSphere® MQ objects for replication between a source and target. You start by creating the queue managers, which manage communication on the WebSphere MQ messaging system.
In this tutorial, unidirectional replication uses two queue managers. One queue manager will manage queues and messages for the source database, and the other will manage queues and messages for the target database.The following figure shows the SRC_QM queue manager at the source and TGT_QM queue manager at the target. The two queue managers interact with the Q Capture and Q Apply programs, queues, and channels to rapidly move data in the form of messages. The figure shows two paths for messages: one for replicated data and communication from the source, and one that the Q Apply program uses to communicate with the Q Capture program. The source-to-target channel is depicted as larger because it carries replicated transactions, which are the bulk of the messaging traffic.
Figure 1. WebSphere MQ queue managers, queues, and channels.

Learning objectives

Each of the lessons in this module show the appropriate sections of this figure to identify the queues and channels that you are creating at each phase of the setup.After you complete the lessons in this module, you will be able to:
  • Create the source and target queue managers.
  • Start the queue managers.
  • Create the source queues.
  • Create the target queues.
  • Create the WebSphere MQ channels.
  • Start the WebSphere MQ channels and listeners.

Creating the source and target queue managers

In this lesson, you will create and start the queue managers for the source and target systems.
Queue managers manage the queues and messages. Both the source and target systems require queue managers.To create and start the queue managers, type (or copy and paste) the following commands into an operating system command window:
  1. Create the source queue manager:
    crtmqm SRC_QM
  2. Create the target queue manager:
    crtmqm TGT_QM
  3. Start the source queue manager:
    strmqm SRC_QM
  4. Start the target queue manager:
    strmqm TGT_QM 
Now that you created and started the two queue managers, you can use them to create the queues and channels.

Creating the target queues

In this lesson, you define four queues at the source system.
queue is a data structure that is used to store messages. Each queue is owned by a queue manager.
You will use the SRC_QM queue manager to define four queues:
Send queue
This queue is a remote queue definition that the Q Capture program uses to direct messages that contain replicated data to the receive queue at the target.
Transmission queue
This queue holds messages before they cross the channel.
Administration queue
This queue is used by the Q Capture program to receive communications from the Q Apply program at the target.
Restart queue
This queue stores restart information for the Q Capture program.
Message queues at the source
To create the source queues:
  1. Start an interactive session with the SRC_QM queue manager:
    runmqsc SRC_QM
    Your command window changes from an operating system prompt to a runmqsc session, as the following figure shows.
    Figure 2. runmqsc prompt at the beginning of interactive session
    runmqsc session window
  2. Create the administration queue:
    DEFINE QLOCAL ('ADMINQ') DEFPSIST(YES)
    DEFPSIST(YES) means messages that use this queue are persistent; that is, they will be logged for recovery in case of a system failure or shutdown.
  3. Create the restart queue:
    DEFINE QLOCAL ('RESTARTQ') DEFPSIST(YES)
  4. Create the transmission queue:
    DEFINE QLOCAL('TGT_QM') USAGE(XMITQ) DEFPSIST(YES)
    In this step, you name the transmission queue after the remote queue manager (TGT_QM). This practice is optional, but can help you remember the destination for messages.
  5. Create the remote queue definition that points to the receive queue at the target:
    DEFINE QREMOTE('SENDQ') RNAME('RECVQ') RQMNAME('TGT_QM') XMITQ('TGT_QM') DEFPSIST(YES)
    A remote queue definition names the destination queue (RNAME), the destination queue manager (RQMNAME) and the transmission queue that will be used (XMITQ).
Next, you will create the queues at the target.

Creating the target queues

In this lesson, you define four queues at the target system.
You will use the TGT_QM queue manager to define four queues:
Receive queue
This queue receives messages from the Q Capture program.
Transmission queue
This queue holds the administrative messages before they cross the channel.
Administration queue
This queue is used by the Q Apply program to receive communications from the Q Capture program at the source.
Spill queue
This queue is a model queue definition. Spill queues are created dynamically to hold any transactions that arrive at the source while the target table is being loaded.

Figure 1. Message queues at the target
Four target queues
To create the target queues:
  1. Start an interactive session with the TGT_QM queue manager:
    runmqsc TGT_QM
  2. Create the receive queue:
    DEFINE QLOCAL('RECVQ') DEFPSIST(YES)
    DEFPSIST(YES) means messages that use this queue are persistent; that is, they will be logged for recovery in case of a system failure or shutdown.
  3. Create the target transmission queue:
    DEFINE QLOCAL('SRC_QM') USAGE(XMITQ) DEFPSIST(YES)
    In this step, you name the transmission queue after the remote queue manager (SRC_QM). This practice is optional, but can help you remember the destination for messages.
  4. Create the remote queue definition that points to the source administration queue:
    DEFINE QREMOTE('ADMINQ') RNAME('ADMINQ') RQMNAME('SRC_QM') XMITQ('SRC_QM') DEFPSIST(YES)
  5. Create the model queue definition for spill queues:
    DEFINE QMODEL('IBMQREP.SPILL.MODELQ') DEFSOPT(SHARED) MSGDLVSQ(FIFO) DEFTYPE(PERMDYN)
The source and target queues are ready. Next, you will create the channels to connect them.

 Creating WebSphere MQ channels

WebSphere® MQ uses channels to transmit messages between queue managers. In this lesson, you define the channels between the source and target queue managers in both directions.
Each channel has two ends: A sender channel that is defined within the originating queue manager, and a receiver channel that is defined within the destination queue manager.
Figure 1. Message channels between the source and target
Message channels from source to target and target to source
Important: To differentiate the channels for this tutorial, you need to identify two unused ports on your computer because both the source and target queue managers are on a single computer with one IP address. The default WebSphere MQ port is 1414. This tutorial uses ports 1450 and 1451, which are typically free. You can check whether the ports are available:
  • On Windows®, open the C:\WINNT\system32\drivers\etc\services file. Search for ports 1450 and 1451. If the ports are not listed, they are available to use.
  • On Linux® or UNIX®, run the command: cat /etc/services | egrep "1450|1451"
If these ports are already assigned, choose different ports and verify that they are available.
To define the channels:
  1. Define the channel objects at the source:
    1. If your runmqsc session with the TGT_QM queue manager is still active, use the END command.
    2. Determine the IP address of your computer.
      Windows: Use the ipconfig command.
      Linux or UNIX: Use the ifconfig -a command.
      Note: You can use the host name of your computer instead of the IP address (for example, localhost).
    3. Start an interactive session with the SRC_QM queue manager.
      runmqsc SRC_QM
    4. Define the sender channel from the SRC_QM queue manager to the TGT_QM queue manager. Use the TCP/IP transmission protocol.
      Important: Replace IP_address with the IP address of your computer and replace port with 1450 or the alternate port that you determined earlier.
      DEFINE CHL ('SRC_QM.TO.TGT_QM') CHLTYPE(SDR) TRPTYPE(TCP) CONNAME ('IP_address(port)') XMITQ('TGT_QM') DISCINT(0)
    5. Define a receiver channel at the SRC_QM queue manager from the TGT_QM queue manager.
      DEFINE CHL ('TGT_QM.TO.SRC_QM') CHLTYPE(RCVR) TRPTYPE(TCP)
  2. Define the channel objects at the target. Within the target queue manager, you will define a sender channel for communicating with the Q Capture program, and a receiver channel for transaction messages from the Q Capture program.
    1. If your runmqsc session with the SRC_QM queue manager is still active, use the END command to end the session.
    2. Start an interactive session with the TGT_QM queue manager.
      runmqsc TGT_QM
    3. Define a sender channel from the TGT_QM queue manager to the SRC_QM queue manager.
      Important: Replace IP_address with the IP address or host name of your computer and replace port with 1451 or the alternate port that you determined earlier.
      DEFINE CHL ('TGT_QM.TO.SRC_QM') CHLTYPE(SDR) TRPTYPE(TCP) CONNAME('IP_address(port)') XMITQ('SRC_QM') DISCINT(0)
    4. Define a receiver channel at the TGT_QM queue manager from the SRC_QM queue manager.
      DEFINE CHL ('SRC_QM.TO.TGT_QM') CHLTYPE(RCVR) TRPTYPE(TCP)
    5. Use the END command to end your runmqsc session with the TGT_QM queue manager.
At this point you created the WebSphere MQ objects that you will need to connect the source and target databases. In the next lesson, you will start the channels and the listeners.

Starting WebSphere MQ channels and listeners

In this lesson, you start your two WebSphere® MQ channels at the sender ends of each channel, and start a listener at the receiving ends of each channel to monitor for incoming messages.
Prerequisite: Make sure that the SRC_QM queue manager at the source and TGT_QM queue manager at the target are running by issuing these commands:
strmqm SRC_QM
strmqm TGT_QM
To start the WebSphere MQ channels and listeners:
  1. Start the listener at the source for the receiver end of the channel from the target, by using TCP/IP protocol for queue manager SRC_QM, port 1451 (if you used a port other than 1451 in lesson 1.4, substitute the appropriate port number in the command):
    runmqlsr -t tcp -m SRC_QM -p 1451
    Tip: On Windows®, you can also use the start runmqlsr command to open a new command window for the listener so that you can continue using your current command window. You can do the same thing on Linux® and UNIX® by adding a space and ampersand (&) to the end of the command.
  2. Start an interactive session with the SRC_QM queue manager.
    runmqsc SRC_QM
  3. Start the sender channel at the source.
    start channel (SRC_QM.TO.TGT_QM)
  4. Use the END command to stop the interactive session with the source queue manager.
    end
  5. Start the listener at the target for the receiver end of the channel from the source, by using TCP/IP protocol for queue manager TGT_QM, port 1450 (if you used a port other than 1450 in lesson 1.4, substitute the appropriate port number in the command):
    runmqlsr -t tcp -m TGT_QM -p 1450
  6. Start an interactive session with the TGT_QM queue manager.
    runmqsc TGT_QM
  7. Start the sender channel at the target.
    start channel (TGT_QM.TO.SRC_QM)
  8. Use the END command to stop the interactive session with the target queue manager.
    end
You set up and started the WebSphere MQ objects for unidirectional replication using two queue managers to simulate replication between two remote database. Next, you will set up the Q replication programs.

Session Management


Enable session failover in clusters

Sometimes its necessary to synchronize the whole session between two (or more) cluster members. Especially when some important attributes are stored in the session (search,...).
WebSphere offers an option called "Session Replication" to avoid the lost of a session because of a crashed Cluster Member.

First you need to setup a replication domain for the cluster
1.1. Go to Enviroment > Replication domains > New
1.2. Type in the name of the replication domain and click OK
1.3. Save & synchronize changes

Now its possible to setup the session replication
2.1. Go to Application servers > "ClusterMember1" > Web container > Session management > Distributed environment settings
2.2 Click Memory-to-memory replication
2.3 Select your newly created replication domain and "Both client and server" as replication mode
2.4 Click OK
2.5 Save & synchronize changes

Repeat this steps (2.1 -> 2.5) for every Cluster Member.

Note:In replication Mode there are 3 types
1:server only
2: clieny only
3:client and server

Replication types are 3 types
1: single replica
2:multiple replica
3:specify