I'm trying to configure an MQ client connection (using amqsgetc for the moment).
I need to use SSL to get access using channel authentication records.
It works perfectly when using a CHLTAB, but I can't find a way to do the same using mqclient.ini file.
I think I have looked all over the documentation, but do not see an option to specify the cipher spec I need, neither in the ini file itself, nor in an environment variable.
AMQERR01.log keeps telling me my client did not specify the cipher spec.
Below is the mqclient.ini I use. (the file works fine when I'm using a non-SSL channel)
CHANNELS:
DefRecon=YES
ServerConnectionParms=LAURENT_PC450_SSL/TCP/localhost(1414)
SSL:
SSLKeyRepository=C:\ProgramData\IBM\MQ\qmgrs\LAURENT_PC450\ssl\clientkey
CertificateLabel=ibmwebspheremqlaurent
SSLCipherSpec=ssl_rsa_with_3des_ede_cbc_sha
The mqclient.ini can specify the equivalent of the MQSERVER environment variable or the MQCHLLIB/MQCHLTAB environment variables.
When providing the client connection details via MQSERVER environment variable or mqclient.ini equivalent you can not specify encryption details.
To specify encryption details you can use one of the follow:
Specify this programmatically using MQCONNX in the MQCD provided by ClientConnOffset and ClientConnPtr in MQCNO.
A pre-connect exit can also override or provide the details above by modifying the MQCD if present or providing a MQCD.
If a MQCD is not found then a MQ Channel Table pointed to by the MQCHLLIB/MQCHLTAB environment variables or the mqclient.ini equivalent of this.
Related
Following instructions provided in https://developer.ibm.com/tutorials/mq-jms-application-development-with-spring-boot/, I developed a sample Spring boot web application in order to be able to send and receive messages over IBM MQ using JMS template.
In case of a MQ server not on local host, I updated the application.properties file with:
ibm.mq.conn-name=<my-server-host-name>(<my-server-port>)
Unfortunately this is not the appropriate property as the application is searching for a queue manager on localhost.
I did not find in the documentation anything about the property to use for that. And yes, I gave a try to ibm.mq.host and ibm.mq.port.
For IBM config you need to provide the following properties:
Yml extension:
ibm:
mq:
queueManager: {queueManagerName}
channel: {channelName}
connName: localhost(1415)
user: {UserName}
property extension:
ibm.mq.queueManager={queueManagerName}
ibm.mq.channel={channelName}
ibm.mq.connName=localhost(1415)
ibm.mq.user={userName}
connName you can find in the Listener directory:
In my case IP address is equal: localhost
Port is equal: 1415
channelName you can find in Channels directory.
As per https://github.com/ibm-messaging/mq-jms-spring the default connection properties for mq-jms-spring-boot-starter are
The default attributes are
ibm.mq.queueManager=QM1
ibm.mq.channel=DEV.ADMIN.SVRCONN
ibm.mq.connName=localhost(1414)
ibm.mq.user=admin
ibm.mq.password=passw0rd
You will most likely need to set connName, user and password. The default port is 1414, but if you are running MQ in the cloud then you will need to look up in you cloud what port to use. You will get the port from the same place you look up the server url.
You may also need to supply TLS parameters - https://github.com/ibm-messaging/mq-jms-spring#tls-related-options
You can find sample code here - https://github.com/ibm-messaging/mq-dev-patterns/tree/master/Spring-JMS The 101 sample ( https://github.com/ibm-messaging/mq-dev-patterns/tree/master/Spring-JMS/src/main/java/com/ibm/mq/samples/jms/spring/level101 ) has very little code, so a good test of whether the connection parameters are right.
I'm using winhttp in order to establish https connection on port 443 with my remote. However, the server running this service also contains more services on the same https port (443), so it uses SNI in order to resolve the requested session.
However, the server doesn't expect to get the hostname as SNI, since it uses single URL for all services. instead, the SNI address is chosen not according to the URL but according to some other string notation (i.e. service_api or service_web_if ...)
In my client connection flow, I set the URL in method WinHttpConnect which also set the SNI accordingly, and the actual SSL/TLS handshake is made when calling WinHttpSentRequest.
I wonder how can I change the SNI value from the default URL value after calling WinHttpConnect.
So far, while investigating possible solutions, I've learned about HTTP_SERVICE_CONFIG_SSL_SNI_KEY structure which is set by method HttpSetServiceConfiguration along with the matching certificate for this SNI, but this seems to be related to the server side configuration. Besides that, I haven't found any references for such action unfortunately.
Perhaps anybody ever used non-default SNI using winhttp API and can tell me how to do so ? is the only option to do so is doing the SSL handshake using some lower level API such as schannel, and than switching back to winhttp ?
if it's not possible, perhaps there's an option to use extended hostname with directory tree in order to get multiple sni on a single url...
I have a spring app, and I've received information to connect to ibm mq. I've got everything except user and password. When I was using docker image I had a user and password (specified using MQ_APP_PASSWORD env. variable). It's obvious that I can connect to ibmmq queue with just a username, but the question is, if I can connect without both ? does ibmmq allow for something like this ?
The MQ Advanced for Developers container images come with a default configuration which enables security. In this configuration, applications connect using the DEV.APP.SVRCONN channel. I think that you should take a look at the CHCKCLNT attribute in CONNAUTH. In the default configuration, the CHCKCLNT attribute on the channel (CHLAUTH) is set to REQUIRED if you've set a password on the container (by setting the MQ_APP_PASSWORD environment variable), or set to ASQMGR otherwise. The queue manager setting which this will fall back to, is set using CONNAUTH, on the AUTHINFO object, which is set to REQDADM by default. So, not sending a user ID and password should already work. However, if not, try adjusting the AUTHINFO object's CHCKCLNT setting. Note that this could also have a knock-on effect on the DEV.ADMIN.SVRCONN channel, which also uses this default.
You can change the MQ configuration used in a Docker image by adding an MQSC as described here. You will need to refresh security at the end of your MQSC.
PostgreSQL supports using unix sockets rather than TCP sockets. How do I configure the following block to use unix sockets.
# Configure your database
config :my_app, Sample.Repo,
adapter: Ecto.Adapters.Postgres,
database: "ecto_simple",
username: "postgres",
password: "postgres"
As of March 2018, Postgrex now supports connecting via sockets.
This can be done by supplying a socket or socket_dir option. Here's the changelog from where I picked this up and the source code where you can see an exhaustive list of all options.
From the source code:
:socket_dir - Connect to Postgres via UNIX sockets in the given directory;
The socket name is derived based on the part. This is the preferred method
for configuring sockets and it takes precedence over the hostname. If you are
connecting to a socket outside of the Postgres convention, use :socket instead;
:socket - Connect to Postgres via UNIX sockets in the given path.
This is especially useful (I suppose) if you're on AppEngine which requires you to connect through an SQL proxy through localhost (127.0.01) which works only through a proxy connection.
PostgreSQL prefers unix sockets to TCP sockets on the grounds of performance and privacy. If not already available: TCP can be enabled on the server if you follow simple documentation and have access to do so.
The avenue of client connection is set via environment variables, in particular: PGHOST. From experience drivers such as libpq expect to work that way - it would be shocking if Postgrex did not.
See: https://hexdocs.pm/postgrex/Postgrex.html
The value to supply in PGHOST varies according to the configuration of the server as seen in the file: "postgresql.conf".
It is possible that you may need to create a directory for sockets and set permissions. The following should help: http://iamvery.com/2013/06/17/postgresapp-with-unix-socket.html
To get a more precise answer you will need to mention your operating system and version; also your version of PostgreSQL.
I'm using Charles to debug HTTP requests, but it seems that Go's network stack ignores the system proxy settings (on OSX) and the requests are not logged.
How do I tell Go that the requests should use the proxy?
I just had this exact issue, and the accepted solution did NOT solve it for me. That's because my $HTTP_PROXY environment variable was not set!
I was able to solve it by setting up my environment variables as per indicated here: http://www.bonusbits.com/wiki/HowTo:Setup_Charles_Proxy_on_Mac Then once the variable was set correctly, I didn't even need to apply a custom Transport to my client. It worked with the default transport.
Perhaps because I'm using a custom shell (zsh) this didn't happen automatically. However what's interesting is that python would correct appear in Charles Proxy in the same shell while Go would not. Updating my .zshrc (or whatever shell or profile you are using's config) to export the appropriate variables worked.
You can get proxy info using ProxyFromEnvironment function. Then you create http client using transport (represented by RoundTripper interface) that has info about your proxy settings:
var PTransport http.RoundTripper = &http.Transport{Proxy: http.ProxyFromEnvironment}
client := http.Client{Transport: PTransport}
Then you just do http request using the info transport gets from passed function to Proxy struct field. Proxy info will be taken from $HTTP_PROXY environment variable.