Security for IBM MQ internet pass-thru

Internet pass-thru can simplify communication through a firewall, but this has security implications.

IBM® MQ internet pass-thru is an IBM MQ base product extension that is supplied in SupportPac MS81.

IBM MQ internet pass-thru enables two queue managers to exchange messages, or an IBM MQ client application to connect to a queue manager, over the Internet without requiring a direct TCP/IP connection. This is useful if a firewall prohibits a direct TCP/IP connection between two systems. It makes the passage of IBM MQ channel protocol flows into and out of a firewall simpler and more manageable by tunnelling the flows inside HTTP or by acting as a proxy. Using Transport Layer Security (TLS), it can also be used to encrypt and decrypt messages that are sent over the Internet.

When your IBM MQ system communicates with IBM MQ internet pass-thru (IPT), unless you are using SSLProxyMode in IPT, ensure that the CipherSpec used by IBM MQ matches the CipherSuite used by IPT:
  • When IPT is acting as the TLS server and IBM MQ is connecting as the TLS client, the CipherSpec used by IBM MQ must correspond to a CipherSuite that is enabled in the relevant IPT key ring.
  • When IPT is acting as the TLS client and is connecting to an IBM MQ TLS server, the IPT CipherSuite must match the CipherSpec defined on the receiving IBM MQ channel.
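
The following Python example is added here to illustrate the matching rule above; it is not IBM code. It assumes the route properties SSLServer, SSLClient, SSLServerCipherSuites and SSLClientCipherSuites in mqipt.conf, uses a small illustrative CipherSpec-to-CipherSuite name mapping that must be confirmed against IBM's published table, and runs on a constructed sample configuration.

```python
# Added example: check mqipt.conf routes against the CipherSpec on the MQ channel.
# Illustrative subset of the name mapping (assumption: confirm against IBM's table).
SPEC_TO_SUITE = {
    "TLS_RSA_WITH_AES_128_CBC_SHA256": "SSL_RSA_WITH_AES_128_CBC_SHA256",
    "TLS_RSA_WITH_AES_256_CBC_SHA256": "SSL_RSA_WITH_AES_256_CBC_SHA256",
}

# Constructed sample configuration, trimmed to the properties this check reads.
SAMPLE_CONF = """\
[global]
Trace=0
[route]
ListenerPort=1414
SSLServer=true
SSLServerCipherSuites=SSL_RSA_WITH_AES_256_CBC_SHA256
[route]
ListenerPort=1415
SSLClient=true
SSLClientCipherSuites=SSL_RSA_WITH_AES_128_CBC_SHA256
[route]
ListenerPort=1416
SSLProxyMode=true
"""

def parse_routes(text):
    """Return one property dict per [route] section, ignoring [global]."""
    routes, current = [], None
    for line in (raw.strip() for raw in text.splitlines()):
        if line.lower() == "[route]":
            current = {}
            routes.append(current)
        elif line.startswith("["):
            current = None
        elif current is not None and "=" in line and not line.startswith("#"):
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return routes

def check_route(route, cipherspec):
    """Map each TLS role IPT plays on the route to match, mismatch or unpinned.
    unpinned = no explicit list in the file, so the config alone cannot decide."""
    if route.get("SSLProxyMode", "").lower() == "true":
        return {}  # SSLProxyMode routes are exempt from the matching rule
    wanted, result = SPEC_TO_SUITE.get(cipherspec), {}
    for role in ("SSLServer", "SSLClient"):
        if route.get(role, "").lower() == "true":
            listed = route.get(role + "CipherSuites", "").split(",")
            enabled = {s.strip() for s in listed if s.strip()}
            result[role] = ("unpinned" if not enabled
                            else "match" if wanted in enabled else "mismatch")
    return result
```

A CipherSpec that is missing from the mapping is reported as a mismatch, so extend the table before relying on the result.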

If you migrate from IPT to the integrated IBM MQ TLS support, transfer the digital certificates from IPT using either mqiptKeyman or mqiptKeycmd.

For more information, see IBM MQ Internet Pass-Thru (SupportPac MS81).