MQ Connectivity security

You must authorize Eclipse Amlen to connect to IBM® MQ queue managers before a connection can be made. You can secure connections between Eclipse Amlen and IBM MQ with SSL.

When Eclipse Amlen connects to IBM MQ, Eclipse Amlen must have the appropriate authorities to do so. Granting this authority requires creating a user ID on the system the IBM MQ queue managers are running on. This user ID is the authority under which Eclipse Amlen runs on the queue manager system. The user ID must be authorized to access the following IBM MQ components:
  • The queue managers that are used by Eclipse Amlen
  • The topics and queues that are used by Eclipse Amlen
As this user ID has unrestricted access to these components, for extra security you might consider having a different user ID for each queue manager connection. A different user ID for each queue manager connection ensures that all the IBM MQ components can be accessed only by the appropriate queue manager connection.

For step by step instructions on how to grant this authority, see Configuring the IBM MQ server connection channel.

You can secure the connection between Eclipse Amlen and IBM MQ by using SSL. Securing the connection requires the creation of two key repositories in IBM MQ. One key repository is used by the IBM MQ queue manager that Eclipse Amlen connects to. The other key repository is uploaded to Eclipse Amlen and is used by the queue manager connection. The necessary client and server certificates are stored in the repository and are used when Eclipse Amlen connects to IBM MQ.

This method of securing the connection is the same method as for securing a connection between a IBM MQ server and client. IBM MQ is the server, and Eclipse Amlen is the client.

For step by step instructions on setting up an SSL connection between Eclipse Amlen and IBM MQ, see Configuring the IBM MQ server connection channel.

MQ Connectivity security planning

Before you implement an MQ Connectivity solution you must address a number of security considerations:
  • You must consider whether you want to secure your connection with server certificates. The server certificates are used by IBM MQ to authenticate IBM MQ to Eclipse Amlen.
  • You must consider whether you want to use client certificates. The client certificates are used to authenticate Eclipse Amlen to IBM MQ.
  • You must consider whether you want to use self-signed server certificates or CA server certificates. Self-signed certificates are useful to get started quickly in a test environment. CA certificates are more secure for a production environment. The type of certificate that you choose determines how you set up your connection between IBM MQ and Eclipse Amlen.

For step by step instructions on setting up an SSL connection between Eclipse Amlen and IBM MQ, see Configuring the IBM MQ server connection channel.