WebSphere MQ Connection Shared Resource

Copyright © Cloud Software Group, Inc. All Rights Reserved

Chapter 3 WebSphere MQ Palette : WebSphere MQ Connection Shared Resource

WebSphere MQ Connection Shared Resource

The connection resource contains all the parameters necessary to connect to a queue manager. It supports these modes:

•

Local  A local connection uses the C language libraries and JNI to locate and connect to queue managers on the local machine.

−

Local connections are not eligible for XA transactions.

−

Local connections require a WebSphere MQ server installation on the local machine.

−

Local connections use the credentials for the logged on user.

•

Remote  A remote connection uses TCP/IP to connect to the listening port on any queue manager on the network or the local machine.

−

Remote connections support XA transactions.

−

Remote connections support the use of specific user credentials.

−

Remote connections support secure transports (TLS/SSL).

•

Client Connection Table  This type of connection uses a Client Channel Definition Table (CCDT) exported by the queue manager upon saving a client channel definition. This is the only supported method to connect to a multi-instance queue manager.

−

Client connection table connections support XA transactions. However, note that transactions are not guaranteed to survive reconnections to the backup server in a failover situation.

−

Client connection table connections support the use of specific user credentials.

−

Client connection table connections support secure transports (TLS/SSL).

See the IBM documentation for a description of CCDTs and how they are to be used.

Configuration Tab

Table 3 lists and describes the fields in the Configuration tab.

Table 3 Fields in the Configuration Tab: WMQ Connection Resource

Field

Global Variable

Description

Name

N

The name of the Region Resource.

Default: WebSphere MQ Connection

Description

N

Description of the resource.

Binding

N

Local, Remote, or Client Connection Table. See WebSphere MQ Connection Shared Resource for more information.

Client Connection Table URL

Y

When using a Client Connection Table, enter the URL of the CCDT file that was exported by the server to which you are trying to connect.

This file must be located in the queue manager home directory in the @ipcc/AMQCLCHL.TAB file. You can either reference this file from this location, or copy it to a location where it is accessible to the running BusinessWorks instance.

This URL supports the HTTP, FTP and FILE protocols.

Hostname

Y

For remote connections, provide the name of the machine hosting the queue manager.

Default: localhost

This field is only available for remote bindings.

Port

Y

For remote connections, provide the TCP port number on which the queue manager is listening.

Default: 1414

Range: 1-65535

This field is only available for remote bindings.

User Name

Y

For secure remote connections, the user name which will be used to create the connection. If a user name is not provided, the credentials of the current security context is used.

Password

Y

For remote connections, the password associated with the specified user name.

Queue Manager Name

Y

For Local and CCT connections, the name of the queue manager to connect to. If not specified, the default queue manager is selected.

Server Channel Name

Y

For remote connections, the server channel to connect to. Queue managers can use multiple server channels if required, for example to support TLS and plain connections.

TLS Enabled

Y

When selected, the TLS tab is enabled. This option enables the use of Transport Layer Security for the connection resource. Relevant parameters are configured in the TLS Tab. This option is only enabled for remote connections.

Header Compression

N

Select the check box to use RLE header compression. For compression features to work the server connection channel to which the plug-in connects must be configured to support compression.

Note: This feature is not relevant and not used for locally bound connections.

Message Compression

N

Select the level of message body compression desired.

See the IBM WebSphere MQ documentation for more information about the compression algorithms used. For compression features to work the server connection channel to which the plug-in connects must be configured to support compression.

Note: That this feature is not relevant and not used for locally bound connections.

Pooling Tab

Table 4 lists and describes the fields in the Pooling tab.

Table 4 Fields in the Pooling Tab: WMQ Connection Resource

Field

Global Variable

Description

Pooling Enabled

N

When this check box is selected, pooling is active for this connection.

When sizing the pool, note that if an activity attempts to acquire a connection and the pool is full, that is, all connections are in use and the pool cannot make any more connections, the activity fails. So it is better to allocate a few more connections than your application requires.

Note that as of version 7.6 of this plug-in, the pool no longer uses the WebSphere MQ MqSimpleConnectionManager. The pool now uses its own pool of hot standby connections. This improves latency for normally low latency activities, such as the Put activity.

If pooling is not active, a new non-pooled connection is acquired and released for each activity.

Max Connections

Y

Determines the maximum number of connections allowed in the pool. When this limit is reached, subsequent started activities will fail with a max connection error code, unless some connections are available before starting.

Maximum Unused

Y

Determines the maximum number of idle connections allowed in the pool. When the number of unused connections reaches this number, the idle connections are disconnected and closed, freeing resources on the server. Amounts over the Max Connections value are ignored.

Timeout

Y

The length of time an inactive connection is kept in the pool. A connection that has remained unused for this number of milliseconds are closed and removed from the pool, freeing resources on the server.

TLS Tab

The TLS tab contains the parameters required to make a secure connection to the queue manager using the Transport Layer Security protocol. Before TLS can be used, the queue manager and server channel used by clients must be configured. For more information, see Creating Secure Connections to the Queue Manager.

Note that the TLS tab is enabled only if the Binding type is Remote or Client Connection Table, and the TLS Enabled check box is selected in the Configuration tab.

If the JRE running the BW application is the standard Oracle Java runtime, the number of cipher suites supported is quite limited. If none of the cipher suites available to the JRE can be used to connect to the queue manager, the configuration of the queue manager cannot be relaxed to accomodate the JRE. There are three options:

•

See IBM APAR IV66840 regarding improving cipher suite selection on non-IBM JREs. This is described in more detail in Creating Secure Connections to the Queue Manager.

•

Relocate the application to a platform where the standard JRE is the IBM JRE. Those platforms are, at the moment, AIX and zLinux.

•

Relocate the application to a Linux based or Intel x86 based machine, install the IBM JRE on that machine and configure the application to be run on the IBM JRE. The user must manage this configuration as there is no way to automatically select the JRE used in a particular deployment.

The IBM JSSE implementation supports a more extensive cipher suite set than does the standard JRE.

Table 5 lists and describes the fields in the TLS tab.

Table 5 Fields in the TLS Tab: WMQ Connection Resource

Field

Global Variable

Description

Repository Type

N

Specifies the mechanism used to store the identity and trust information for the connection. Options are:

•

Keystore  The TLS certificate and trusted signer certificates are expected to be in a Java keystore file.

•

Files  The TLS certificate is expected to be in a pkcs12 file and the trusted certificates are located in a directory by themselves.

Note that if client authorization is required on the channel to which this plug-in connects, the CA which signed the certificate of the plug-in must be imported into the keystore of the server. See the Creating Secure Connections to the Queue Manager section for more information.

Keystore File

Y

If the Repository Type is Keystore, this field contains the name of a Java keystore file containing the client certificate and its signer certificate(s). If client authentication is enabled on the server-connection channel, then the CA which signed the queue manager's certificate must be imported here to create a trust relationship.

Client Identity File

Y

If the Repository Type is Files, this field that contains the name of a pkcs12-formatted certificate with the private key included. This file is secured with a password.

pkcs12-formatted certificates can be suffixed pkcs12 or p12.

Trusted Cert Dir

Y

If the Repository Type is Files, this field contains the directory where all the certificates necessary to trust the server's certificate are located. These certificates can be PEM- or DER-encoded.

Password

Y

If the Repository Type is Keystore, this field contains the password used to secure the Java keystore.

If the Repository Type is Files, this field contains the password used to secure the identity file.

Cipher Suite

Y

Contains the cipher specification which matches the one selected in the queue manager's server-channel SSL parameters.

Note: If all of the other required fields in this connection resource are correct but the cipher specification is unknown, the Test button probes for an acceptable cipher specification and reports it in the pop-up as well as printing it in the log.

Note: If a client connection table is in use for this connection, the cipher suite is encoded in the table and this value is ignored.

Enable FIPS

N

When selected, Federal Information Processing Standards (FIPS) are enabled on platforms where the Java runtime environment supports it.

For a FIPS connection to be possible, both the queue manager and the Java runtime environment in which the Plug-in runs must be configured to be FIPS capable. Consult the FIPS documentation to determine which key lengths, algorithms and ciphers are appropriate for the requirements of your installation.

Embed TLS Parameters

N

When selected, the keystore represented by the parameters on this panel is stored in the application's configuration data.

This allows the configuration to be deployed to platforms where these files do not exist. The certificates chosen must be valid for all systems to which this application is deployed. If that is not the case, do not select this option and ensure that the files specified are present on all target environments. Global variables might be used to facilitate the necessary flexibility here.

Note: If the parameters here are of the Files type and the Embed TLS Parameters check box is selected, an internally represented Java keystore will be created from the files and stored within the project's configuration data.

Field	Global Variable	Description
Name	N	The name of the Region Resource. Default: WebSphere MQ Connection
Description	N	Description of the resource.
Binding	N	Local, Remote, or Client Connection Table. See WebSphere MQ Connection Shared Resource for more information.
Client Connection Table URL	Y	When using a Client Connection Table, enter the URL of the CCDT file that was exported by the server to which you are trying to connect. This file must be located in the queue manager home directory in the @ipcc/AMQCLCHL.TAB file. You can either reference this file from this location, or copy it to a location where it is accessible to the running BusinessWorks instance. This URL supports the HTTP, FTP and FILE protocols.
Hostname	Y	For remote connections, provide the name of the machine hosting the queue manager. Default: localhost This field is only available for remote bindings.
Port	Y	For remote connections, provide the TCP port number on which the queue manager is listening. Default: 1414 Range: 1-65535 This field is only available for remote bindings.
User Name	Y	For secure remote connections, the user name which will be used to create the connection. If a user name is not provided, the credentials of the current security context is used.
Password	Y	For remote connections, the password associated with the specified user name.
Queue Manager Name	Y	For Local and CCT connections, the name of the queue manager to connect to. If not specified, the default queue manager is selected.
Server Channel Name	Y	For remote connections, the server channel to connect to. Queue managers can use multiple server channels if required, for example to support TLS and plain connections.
TLS Enabled	Y	When selected, the TLS tab is enabled. This option enables the use of Transport Layer Security for the connection resource. Relevant parameters are configured in the TLS Tab. This option is only enabled for remote connections.
Header Compression	N	Select the check box to use RLE header compression. For compression features to work the server connection channel to which the plug-in connects must be configured to support compression. Note: This feature is not relevant and not used for locally bound connections.
Message Compression	N	Select the level of message body compression desired. See the IBM WebSphere MQ documentation for more information about the compression algorithms used. For compression features to work the server connection channel to which the plug-in connects must be configured to support compression. Note: That this feature is not relevant and not used for locally bound connections.