IBM Support

MS81: IBM MQ Internet Pass-Thru

Download


Abstract

IBM MQ Internet Pass-Thru is an IBM MQ base product extension that can be used to implement messaging solutions between remote sites across the internet.

Download Description

Please note:
IBM MQ Internet Pass-Thru (MQIPT) is now an optional component of IBM MQ.  The latest versions of MQIPT can be found on  FixCentral. The MQIPT SupportPac (MS81) reached end of support on 30th September 2020.  New fix packs and JRE updates for the MQIPT SupportPac are available only to customers with an IBM MQ 8.0 extended support agreement on Solaris.

IBM MQ Internet Pass-Thru (MQIPT) makes the passage of IBM MQ channel protocols into and out of a firewall simpler and more manageable, by tunnelling the protocols inside HTTP or by acting as a proxy.

MQIPT runs on the platforms indicated in the hardware and software requirements below. It uses the Java runtime Environment (JRE) supplied.


Possible Uses
Used as a proxy, MQIPT is placed in the De-Militarized Zone (DMZ) on an Internet firewall and relays IBM MQ protocol flows from an IBM MQ client or queue manager on the external Internet, to a destination queue manager inside the firewall. This enables inbound IBM MQ communication through the firewall from an address that is in the secure DMZ. This is likely to be more acceptable to firewall administrators than an arbitrary external Internet address.

Placing a pair of MQIPT servers in the path of an IBM MQ channel connection enables HTTP wrappers to be added to the protocol flow. This enables the IBM MQ connection to pass inbound through an HTTP application firewall, or outbound through an HTTP proxy. A pair of MQIPT servers can also be used to encrypt all data flows, using SSL or TLS.

MQIPT can also act as a concentrator of IBM MQ connections, which simplifies firewall configuration when multiple IBM MQ clients or queue managers require access through an Internet firewall.

MQIPT can be configured to act as a SOCKS client or SOCKS server, for making outbound connections.

These modes of operation of MQIPT give greater flexibility to the connection of IBM MQ channels through a variety of firewall and network topologies and facilitate many application models - particularly in the B2B environment.

MQIPT does not require any changes to IBM MQ application code, and only a minor modification to the hostname/port setting in MQ channel definitions.

Skill Level Required
This SupportPac should be installed by an IBM MQ system administrator or network administrator. Configuration and implementation of this SupportPac requires a basic understanding of TCP/IP networking and a knowledge of Internet firewall administration.

New in this Release

  • Security fixes and JRE update to Java 8.0.7.20 for Solaris.

For information about new features and changes in MQIPT 9.1.4 and higher, see What's new and changed in the IBM MQ Documentation.

Security Notice
Anon and NULL algorithms are no longer enabled by default from version 9.1.4 and in the latest JRE update for MQIPT 2.1. This affects the following CipherSuites in MQIPT:
SSL_ECDH_anon_WITH_AES_128_CBC_SHA
SSL_ECDH_anon_WITH_AES_256_CBC_SHA
SSL_ECDH_anon_WITH_NULL_SHA
SSL_ECDH_ECDSA_WITH_NULL_SHA
SSL_ECDH_RSA_WITH_NULL_SHA
SSL_ECDHE_ECDSA_WITH_NULL_SHA
SSL_ECDHE_RSA_WITH_NULL_SHA
SSL_RSA_WITH_NULL_MD5
SSL_RSA_WITH_NULL_SHA
SSL_RSA_WITH_NULL_SHA256

3DES ciphers are no longer considered secure and are disabled by default from MQIPT 2.1.0.4.

To improve security, DES40_CBC ciphers are no longer enabled by default in the JRE update to 7.0.10.35, and any later JRE updates. This affects the following CipherSuites in MQIPT:
  SSL_RSA_EXPORT_WITH_DES40_CBC_SHA
  SSL_KRB5_EXPORT_WITH_DES_CBC_40_MD5
  SSL_KRB5_EXPORT_WITH_DES_CBC_40_SHA

If you are aware of the potential hazards but still have a need to use one of these CipherSuites, you can add support for it by removing the corresponding algorithm from the list of disabled algorithms (jdk.tls.disabledAlgorithms) in the java.security file, found in mqipt_path/java/jre/lib/security/, where mqipt_path is the location where MQIPT is installed.

Details
Owner: Gwydion Tudur, IBM MQ Development, IBM United Kingdom Laboratories
Category: 3
Original Release: 11th Jul 2000
MS81 SupportPac Last Updated: 8th Nov 2022
Current MS81 SupportPac Version: 2.1.0.6
MQIPT JRE Last Updated: 16th Jan 2023
To obtain the installation files for MS81 MQIPT 2.1.0.6 for Solaris, and the latest JRE update for MQIPT 2.1.0.6 under an extended support agreement, contact IBM support.

Latest MQIPT fix list can be found here.
»Note that the version number shown in the right pane is the version of the IBM MQ product that this SupportPac applies to.  The date is the last web page refresh.

To view the complete portfolio of IBM MQ SupportPacs, visit SupportPacs for IBM MQ and other project areas.

Prerequisites

Please see full hardware and software prerequisites for the MQIPT SupportPac in the ms81.txt file below.

From version 9.1.4, MQIPT is available on the Linux, AIX and Windows platforms that IBM MQ supports, as described in System Requirements for IBM MQ 9.1.

[{"PRLabel":"MS81 System Requirements (prior to MQ 9.1.4)","PRLang":"US English","PRSize":"2468 B","PRPlat":{"label":"Other","code":"PF059"},"PRURL":"https://public.dhe.ibm.com/ibmdl/export/pub/software/integration/support/supportpacs/ms81_2.1_system_requirements.txt"},{"PRLabel":"MQ 9.3.x System Requirements (IPT integrated at 9.1.4)","PRLang":"English","PRSize":"0 B","PRPlat":{"label":"Other","code":"PF059"},"PRURL":"https://www.ibm.com/support/pages/system-requirements-ibm-mq-93"}]

Installation Instructions

For installation instructions for MQIPT 9.3.x, see Installing and uninstalling IBM MQ Internet Pass-Thru in IBM Documentation for IBM MQ 9.3.

For installation instructions for MQIPT Supportpac 2.1, see Installing, uninstalling, and migrating MQIPT in IBM Documentation for IBM MQ 9.0.

To install the MQIPT 2.1 SupportPac on a Windows platform, follow these steps:
• Download file ms81_x86_nt_4.zip to a temporary directory (for example C:\temp).
• Create a new directory where you want MQIPT to be installed (for example C:\MQIPT).
• Move the downloaded ms81_x86_nt_4.zip to the new MQIPT installation directory.
• Decompress using InfoZip Unzip. If you use other unzip programs, ensure you specify the option to re-create stored directories.
• It is recommended to make the MQIPT installation directory read-only by revoking write permissions from all users.
• To create MQIPT icons on the Start menu, run the following command from an Administrator command prompt:
C:\MQIPT\bin\mqiptIcons -install installation_name

To install the MQIPT 2.1 SupportPac on a UNIX or Linux platform you must log on as the root user, then perform the following steps:
• Download the tar file to a temporary directory (for example /tmp).
• Create a new directory where you want MQIPT to be installed (for example /opt/mqipt).
• Move the downloaded tar file to the new MQIPT installation directory, for example:
mv /tmp/ms81_x86_linux_2.tar /opt/mqipt
• Unpack the tar file, for example:
cd /opt/mqipt
tar xf ms81_x86_linux_2.tar
• To increase security, set the file permissions for your installed files so that they are read-only. For example:
chmod -R /opt/mqipt/* a-w
Note: If you do not run the tar command as root, you are likely to get "permission denied" errors.

For more information about installation and migration from the previous release, refer to the Readme file that is provided with MQIPT and documentation.

JRE update installation instructions:
To provide the latest Java security fixes, IBM periodically releases an updated JRE for use with MQIPT. Updated JREs for the MQIPT 2.1 SupportPac may be downloaded through the Download package link, in the Security Update JRE for MS81 section. To install a new JRE for MQIPT, follow the instructions here. The MQIPT version number is not affected by installing a new MQIPT JRE. To determine which MQIPT JRE is currently installed, use the mqiptVersion -v command. To obtain the MS81 SupportPac installation files and the latest JRE update for MQIPT 2.1.0.6 for Solaris, contact IBM support.

Download Package

Note that the installation method has changed from the previous release. Refer to the Installation Instructions section for more information. Please note that you should run as the root user to install MQIPT on UNIX and Linux platforms.
To obtain the installation files for MQIPT 2.1.0.6, and the latest JRE update for MQIPT 2.1.0.6, contact IBM support.

Off
[{"DNLabel":"MQ Internet Pass-Thru 9.3.x (supersedes MS81)","DNDate":"23 Jun 2022","DNLang":"English","DNSize":"207 MB","DNPlat":{"label":"Platform Independent","code":"PF025"},"DNURL":"https://ibm.biz/mq93ipt","DNURL_FTP":"","DDURL":null}]

Technical Support

Category 3 IBM WebSphere MQ (MQSeries) SupportPacs are supplied under the standard terms and conditions provided by the International Program License Agreement (IPLA) and thus carry program defect service.

Please read the licence files that accompany the SupportPac to ensure you understand the conditions under which the SupportPac is provided.

If you encounter what you believe to be a defect with the SupportPac you can request Program Services by reporting the problem through the same defect reporting channel you employ for the IBM WebSphere MQ or MQSeries server product(s) on which you are using the SupportPac.

End of Support for this MS81 SupportPac is 30th September 2020.

[{"Type":"MASTER","Line of Business":{"code":"LOB45","label":"Automation"},"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSYHRD","label":"IBM MQ"},"ARM Category":[{"code":"a8m0z00000008RLAAY","label":"Retired-\u003EComponents and Features-\u003ESupportPacs"}],"ARM Case Number":"","Platform":[{"code":"PF027","label":"Solaris"}],"Version":"8.0.0"}]

Document Information

Modified date:
28 September 2023

UID

swg24006386