
IIB Tutorial

This blog post provides an overview of integration node administrative security in IBM Integration Bus (IIB) versions 9 and 10. In IIB v9, most security was implemented using MQ. In IIB v10, security can use either MQ or file-based authorization. The post explains how to enable each type of authorization and how access levels are controlled for system users. Shared libraries are also introduced in IIB v10, allowing reusable resources to be updated without redeploying applications.

Uploaded by Ardhyan Noor
Copyright: © All Rights Reserved

Yuvaraj's Blog on IBM ESB | Technical Blog to share or discuss on W... https://blogonibmesb.wordpress.com/

Yuvaraj's Blog on IBM ESB

Technical Blog to share or discuss on WebSphere Message Broker, IBM Integration Bus or WebSphere MQ and other ESB

Integration Node Administration Security – V9 vs V10

I am writing this blog to provide an overview of how the Integration Node's Administrative Security works in v9 & v10. This blog does not cover detailed steps for implementing administrative security for an integration node.

Integration Node's Administrative Security in IIB v9

As MQ was a required component of the IIB run-time in IIB v9, most of the security was implemented using MQ, as I have tried to illustrate in the figure below.

To enable / disable administrative security for an Integration Node in IIB v9, the command to be used is

mqsichangebroker <Integration Node> -s active / inactive

Integration Node's Administrative Security in IIB v10

IBM Integration Bus v10 introduced flexibility in security by providing the option of using either File or MQ to implement Integration Node security. Accordingly, it also introduced the new commands mqsichangeauthmode / mqsireportauthmode, and mqsichangefileauth / mqsireportfileauth for file-based authorization.

Administrative Security using MQ-Based Authorization

I have tried to illustrate both MQ-based and File-based authorization in IIB v10. The figure below illustrates MQ-based authorization, which applies if the Integration Node is associated with a queue manager.

To enable MQ-based administrative security for the Integration Node in IIB v10, the command to be used is

mqsichangeauthmode <Integration Node> -s active -m mq

For MQ-based authorization, the access level is controlled using the authorization queues: 1 for the Integration Node (SYSTEM.BROKER.AUTH) & 1 for each Integration Server (SYSTEM.BROKER.AUTH.<IntegrationServer>). Access is granted / revoked for system-level users / groups using the MQ command setmqaut.

Administrative Security using File-Based Authorization

The figure below illustrates file-based authorization in IIB v10, which can be used irrespective of whether the Integration Node is associated with a queue manager or not.

To enable File-based administrative security for the Integration Node in IIB v10, the command to be used is

mqsichangeauthmode <Integration Node> -s active -m file

For file-based security, the access level is maintained using the file Permissions, located in the path

<MQSI_WORKPATH>/registry/<IntNode>/CurrentVersion/Security/node/<IntNode>/

The image below provides a snapshot of the Permissions file to indicate how file-based authorization is maintained by the Integration Node.

Access is granted / revoked for system-level users, who are specified as Roles, using the command mqsichangefileauth

mqsichangefileauth <IntegrationNode> -r <role> -p <permissions>

Kindly refer to the article on IBM developerWorks for more information on file-based authorization:

http://www.ibm.com/developerworks/websphere/library/techarticles/1603_gedupuri-trs/1603_gedupuri.html

For any corrections / suggestions / queries, please do drop a note to [email protected] (or) [email protected]

MARCH 25, 2016 YUVARAJ

Using Shared Libraries in IIB v10

IBM Integration Bus v10 has introduced many new features. One of the important features, from my point of view, is the introduction of the Shared Library concept.

We all know that WebSphere Message Broker v8 provided new ways of organizing resources in the toolkit by introducing

- Application container, which as per the info-center is a container for all the resources that are required to create a solution.
  - Provides run-time isolation –> resources inside the application are not visible to other resources
  - Used when updates to one group of deployed resources should not affect another group of deployed resources
- Library container, for organizing resources for re-usability. Can be referenced by applications or services or integration projects.
  - WMB v8 introduced Static library

The behavior of the library container introduced in WMB 8 and used in IIB v9, as per the info-center, is provided below

Drawback of Library used in WMB 8 / IIB 9: Owing to the run-time isolation behavior of Applications / Services, we solution developers faced major challenges in deciding whether to organize our solution using Applications / Services or using Integration Projects. When solutions were organized using Applications / Services and the reusable artifact(s), like a Common Error Handling framework / logging framework, were organized using libraries, each application / service carried a copy of the library within itself. As a result, any change made to these reusable artifacts always resulted in the need to re-deploy all applications / services.

In that regard, organizing the resources as Integration Projects was better and very much appealing.

But IIB v10 has addressed this concern / problem by introducing Shared Libraries. Now the Applications / Services do not take a copy of the Shared Library within themselves, as the Shared Libraries are deployed directly at the Integration Server level.

Advantages of Shared Libraries

1. Shared Libraries can be added to the BAR file independently of referencing Applications / Services
2. Deployment of an updated Shared Library results in the changes being immediately picked up by all referencing applications / services at run-time. Hence there is no need to redeploy all referencing applications / services
3. Enables using / referencing multiple XML or DFDL schema files that declare the same elements and types, by having them stored in separate Shared Libraries

Reference: http://www.ibm.com/support/knowledgecenter/SSMKHH_10.0.0/com.ibm.etools.mft.doc/bc23067_.htm?lang=en

Shared Library vs Static Library from Toolkit to Run-time

In the New Library window, specify the name for the library, select the library type as "Shared Library" and click Finish

The images below show the Shared and Static libraries in the toolkit

Referencing a Shared Library / Static Library from an Application is shown below

When adding to the BAR file, Shared Libraries are displayed in the BAR Editor separately and have to be selected explicitly for adding to the BAR file. This is not the case with Static Libraries, as they are added automatically when the application referencing them is added to the BAR file.

After deployment, you can notice the difference between the Shared & Static library. The Static library copy will be present within the application container, whereas the Shared Library is outside the application container and directly under the Integration Server.

Hope this blog provides insight into the Shared Library feature of IIB 10.

For any corrections / suggestions / queries, please do drop a note to [email protected] (or) [email protected].

MARCH 17, 2016 YUVARAJ IBM INTEGRATION BUS, IIB, IIB 10, IIB V10 3 COMMENTS

Authentication Feature of MQ 8 – Part 1

IBM MQ v8 has introduced the feature of Authentication for the first time. So far, in all the earlier versions, MQ was only providing Authorization using the underlying OS. In this blog, I will try to cover how MQ provides the Authentication feature.

The authentication mechanism is provided for Local Connections as well as Client Connections. That is, as an administrator we now have the option of authenticating applications connecting in Binding as well as Client mode. We also have the option of implementing this authentication using the underlying OS account or LDAP.

This blog is divided into 2 parts – the first part will focus on implementing Authentication using the OS, while the second part will focus on using LDAP.

To provide authentication, the changes introduced in MQ comprise the following

- 2 new types of MQ AUTHINFO objects introduced –> IDPWOS and IDPWLDAP
- 2 system objects, 1 each for OS and LDAP authentication, are created as part of the Queue Manager
- Queue Manager is by default configured to use OS-based Authentication: CONNAUTH(SYSTEM.DEFAULT.AUTHINFO.IDPWOS)
- New property "Connection Authentication (CONNAUTH)" added to the Queue Manager properties
- Feature introduced in Channel Authentication Records to override the authentication behavior that is specified at Queue Manager level using the AUTHINFO object

But before proceeding to cover the authentication mechanism introduced in MQ v8, let's take a step back to understand how MQ handled authorization prior to MQ 8. Remember, there was no authentication in MQ prior to v8.

For Binding mode

1. Application running under user account "User1" makes an API call to the queue manager
2. To check the access level for the user "User1", the queue manager's OAM retrieves user properties from the OS
3. Based on the properties of the user, the queue manager's OAM verifies the authority with the ACL

For Client Mode

1. Application running under user account "User1" on the MQ Client machine makes an API call to the remote queue manager on the MQ Server machine
2. The Channel Authentication records on the Queue Manager allow / block the remote access based on the rules configured for the server connection channel used by the application. When access is allowed, the Channel Authentication record applied also dynamically sets the MCAUSER (user account) to be used by the queue manager for authorization
3. To check the access level for the MCAUSER value, the queue manager's OAM retrieves user properties from the OS
4. Based on the properties of the user, the queue manager's OAM verifies the authority with the ACL

Now, let's look at the authentication & authorization mechanism in MQ v8. To enable connection authentication for the QM in MQ 8, a new attribute CONNAUTH (Connection Authentication) has been added to the queue manager. This attribute points to the name of an AUTHINFO object of type IDPWOS or IDPWLDAP that specifies the authentication requirements.

How the ADOPTCTX property of AUTHINFO influences the Queue Manager OAM authorization is illustrated in the below table –

Remember, Authorization is an existing functionality that is performed by the QM's OAM. With the introduction of the Authentication layer before Authorization, the ADOPTCTX attribute of authentication determines the user id that is to be passed on to the Authorization layer, as indicated by the above table.

From the authorization perspective, the change introduced in MQ v8 comprises user-based authorization in Linux / Unix environments. In the earlier versions, authorization was controlled at the group level only in Linux / Unix environments. To enable user-based authorization on Linux / Unix platforms, an additional attribute "-oa group | user" has been added to the crtmqm command. The default value for the -oa attribute is group.

crtmqm -oa user NEBULAQM

Note: In case you do not want to use the Authentication feature of MQ 8 and want to disable it, run the following script commands (empty space between single quotes)

ALTER QMGR CONNAUTH(' ')

REFRESH SECURITY

Authentication using OS

1. (Client Mode Connection) Application App1, running on the Client machine under the User2 account, makes a connection request to the remote queue manager on the MQ Server machine (in client mode) by passing the user id User1 and its password.
2. (Binding Mode Connection) Application App2, running under the User3 account, makes a connection request to the queue manager in binding mode by passing the user id User1 and its password.
3. (Only for Client connection) The Channel Authentication records on the Queue Manager allow / block the remote access based on the rules configured for the server connection channel used by the application. When access is allowed, the Channel Authentication record applied also dynamically sets the MCAUSER to User3 for use by the queue manager for authorization. We also have the option of overriding the Connection Authentication properties of the queue manager
4. The Queue Manager authenticates the application connection request by checking User1 & its password against the corresponding OS account. Once authenticated successfully, it retrieves the User3 account properties from the OS for authorization by the OAM [Assumption: ADOPTCTX is set to NO in the AUTHINFO object]
5. Based on the properties of the user, the queue manager's OAM verifies the authority with the ACL

Setting up Queue Manager NEBULAQM for OS based Authentication

Note: Ensure the User1 & User3 accounts are set up on the MQ Server machine. Provide the User1 credential details to the applications to be used for connecting to the queue manager

Create the NEBULAQM queue manager and start it. In the script window (runmqsc NEBULAQM) of the queue manager, execute the following scripts

DEFINE AUTHINFO(USER.IDPWOS) AUTHTYPE(IDPWOS) CHCKLOCL(OPTIONAL) CHCKCLNT(REQUIRED) ADOPTCTX(NO)

ALTER QMGR CONNAUTH(USER.IDPWOS)

REFRESH SECURITY

SET CHLAUTH('*') TYPE(USERMAP) CLNTUSER('User2') USERSRC(MAP) MCAUSER('User3') CHCKCLNT(REQUIRED) ACTION(ADD)
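The five steps above, with the AUTHINFO and CHLAUTH values from this script, can be traced in a small Python model that returns the user id handed to the OAM. It is an added example, not code from the blog or from IBM MQ: it is a simplified model that assumes the USERMAP rule is applied before the credential check, leaves out REQDADM and the default CHLAUTH rules, and uses constructed passwords and names (authorize_as, AuthInfo, UserMap, Connect).

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class AuthInfo:
    """AUTHINFO attributes set on this page (the REQDADM value is not modelled)."""
    chckclnt: str = "REQUIRED"   # NONE | OPTIONAL | REQUIRED
    chcklocl: str = "OPTIONAL"   # NONE | OPTIONAL | REQUIRED
    adoptctx: str = "NO"         # YES | NO


@dataclass
class UserMap:
    """One SET CHLAUTH ... TYPE(USERMAP) rule."""
    clntuser: str
    mcauser: str
    chckclnt: str = "ASQMGR"     # ASQMGR | REQUIRED


@dataclass
class Connect:
    """One connection request."""
    mode: str                            # "client" or "bindings"
    os_user: str                         # account the application runs under
    csp_user: Optional[str] = None       # user id passed on the connect call
    csp_password: Optional[str] = None


def authorize_as(conn, authinfo, usermaps, os_passwords):
    """Return (True, user id handed to the OAM) or (False, reason)."""
    identity = conn.os_user
    check = authinfo.chcklocl
    if conn.mode == "client":
        check = authinfo.chckclnt
        # Step 3 of the post: a matching USERMAP rule sets MCAUSER and may
        # raise the credential requirement for this channel.
        for rule in usermaps:
            if rule.clntuser == conn.os_user:
                identity = rule.mcauser
                if rule.chckclnt != "ASQMGR":
                    check = rule.chckclnt
                break

    supplied = conn.csp_user is not None
    if check == "REQUIRED" and not supplied:
        return False, "user id and password required"
    if check != "NONE" and supplied:
        # Step 4: validate the supplied credentials against the OS account.
        if os_passwords.get(conn.csp_user, object()) != conn.csp_password:
            return False, "authentication failed"
        # ADOPTCTX(YES): the authenticated id replaces the running / mapped id.
        if authinfo.adoptctx == "YES":
            identity = conn.csp_user
    return True, identity


# Constructed sample data matching the post's scenario.
OS_PASSWORDS = {"User1": "constructed-secret"}
PAGE_RULES = [UserMap("User2", "User3", "REQUIRED")]
APP1 = Connect("client", "User2", "User1", "constructed-secret")
APP2 = Connect("bindings", "User3", "User1", "constructed-secret")

if __name__ == "__main__":
    for adopt in ("NO", "YES"):
        info = AuthInfo(adoptctx=adopt)
        for name, app in (("App1", APP1), ("App2", APP2)):
            print(adopt, name, authorize_as(app, info, PAGE_RULES, OS_PASSWORDS))
```

With the page's CHCKLOCL(OPTIONAL), a bindings application that passes no credentials is still accepted and authorized as its own OS account.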

Hope this blog provides insight into the authentication mechanism. I will be following this up with LDAP based authentication shortly.

For any corrections / suggestions / queries, please do drop a note to [email protected] (or) [email protected].

MARCH 12, 2016 YUVARAJ

Pub/Sub in IBM Integration Bus v10 – Using built-in MQTT Server

As I had stated in my previous post, from IBM Integration Bus v10 MQ has been made optional. Those who have worked with earlier versions of IIB / WMB might wonder

"What about the pub/sub feature of Integration Node / Broker?"

That's because, till the previous version, i.e. IBM Integration Bus v9, the Integration Node was using MQ's publish/subscribe engine for all its pub/sub activities, like Event Monitoring etc.

Now with the change in the architecture from v10, the Integration Node comes with a built-in MQTT broker, thus allowing use of the MQTT lightweight publish/subscribe messaging protocol. You could also choose to configure the Integration Node to use either an external MQTT server or MQ's queue manager as the pub/sub broker, as an alternative to the default built-in MQTT server.

The built-in MQTT server is enabled by default for the Integration Node, with the default port as 11883. The MQTTServer gets started automatically along with the Integration Node and can also be shared / used across multiple Integration Nodes.

To view the status of the MQTT server of an Integration Node you could use the following command

mqsireportproperties <Integration Node> -b pubsub -o MQTTServer -n enabled

To view the port of the MQTT server of an Integration Node you could use the following command

mqsireportproperties <Integration Node> -b pubsub -o MQTTServer -n port

I am going to focus on Event Monitoring, esp. Business Events, in this blog to illustrate using the built-in MQTT server in the IIB v10 integration node SNABRK10.

The IIB Events can be broadly classified as shown below

(https://blogonibmesb.files.wordpress.com/2015/10/iibevents.jpg)
IBM Integration Bus Events Classification

Of the above 3 classifications, if MQ is not installed, the Integration Node will publish both Operational & Admin events to the built-in MQTT broker by default. Business Events publication to the built-in MQTT server is not enabled by default and hence has to be enabled using the following command

mqsichangeproperties SNABRK10 -b pubsub -o BusinessEvents/MQTT -n enabled -v true

To illustrate how to change the port of the built-in MQTT server, we will configure the Integration Node SNABRK10 to use the port 12885. To change the port use the following command

mqsichangeproperties SNABRK10 -b pubsub -o MQTTServer -n port -v 12885

Please note, the message flow should be configured for emitting monitoring events (business events), which is not in the scope of this blog.

Assuming that the solution / message flow with monitoring enabled is deployed and activated, the message flow will now publish the business events to the built-in MQTT Server on port 12885 on the topic specified below

IBM/IntegrationBus/<IntNode>/Monitoring/<IntServer>/<MsgFlowName>/

To subscribe to these business events, we could then develop a message flow using the built-in MQTT node MQTTSubscribe, the configuration of which is shown below

(https://blogonibmesb.files.wordpress.com/2015/10/mqttsubscribe.jpg)
IBM Integration Bus v10 – Using MQTTSubscribe

Hope this provides an overview of using the built-in MQTT server of the Integration Node in IIB v10. Please let me know your comments or any queries that will help me in refining my blogs and focusing on areas of your concern.

Looking forward to your feedback!

OCTOBER 14, 2015 YUVARAJ IBM INTEGRATION BUS, IIB, MESSAGE BROKER

Installing IBM Integration Bus v10 on Linux

From IIB v10, IBM has removed the dependency of the Integration Node / Broker on WebSphere MQ by making it an optional product. Considering the operational dependency that the Integration Node / Broker had on MQ in all its earlier versions, I would say this is a major architectural change for IIB. The result is a reduction in the number of components required to be installed.

In IIB v9, the components that were to be installed comprised

- IBM WebSphere MQ
- IBM Integration Toolkit
- IBM Integration Bus (Runtime Component)
- IBM Integration Explorer
- IE02 – ODBC Extender (not required for Windows though)

With IIB v10, the number of components to be installed has reduced to only 2, thus simplifying the entire process of installation

- IBM Integration Toolkit
- IBM Integration Bus (Runtime Component)

Now the installation package of IIB v10 comprises a single exe on Windows. And on Linux, there is no more installation to be performed, only extraction of the installation package. As part of the installation, IE02 (ODBC Extender) also gets installed.

Also on Linux, we now have the option of a Single User Installation (to be used only by one user) or a Shared Installation. An option has also been provided to convert the Single User installation to the Shared Installation at a later stage, if need be.

In this blog, I will be illustrating the steps for performing a shared installation on Linux. I have used CentOS v7 for this illustration

Step 1: Login to the Linux server as root. Create a new directory IBM in the /opt folder.

(https://blogonibmesb.files.wordpress.com/2015/10/image11.jpg)
IBM Integration Bus v10 Linux Installation – Creating IBM folder in /opt

Place the IIB v10 Linux installation archive into the /opt/IBM folder as shown

(https://blogonibmesb.files.wordpress.com/2015/10/image2.jpg)
IIB v10 Linux Installation – Place installation file in /opt/IBM directory

Extract the installation package using the tar command. Use the --exclude option to omit the IBM Toolkit installation, i.e. to install only the IBM Integration Bus runtime component

tar -xzf 10.0.0.0-IIB-LINUX64-DEVELOPER.tar.gz --exclude iib-10.0.0.0/tools

(https://blogonibmesb.files.wordpress.com/2015/10/image3.jpg)
IBM Integration Bus v10 Linux Installation – Extract the package using tar command into /opt/IBM

For a shared installation, the group mqbrkrs and the /var/mqsi folder need to be created. Run the following command to accept the license as well as create the requisite folders and groups

./iib make registry global accept license silently

(https://blogonibmesb.files.wordpress.com/2015/10/image4.jpg)
IBM Integration Bus v10 Linux Installation – Creating shared Installation

The above step creates the group mqbrkrs, if not existing, and the /var/mqsi folder. Verify the same as shown below

(https://blogonibmesb.files.wordpress.com/2015/10/image5.jpg)
IBM Integration Bus v10 Linux Installation – Verifying group mqbrkrs & /var/mqsi creation

(https://blogonibmesb.files.wordpress.com/2015/10/image6.jpg)
IBM Integration Bus v10 Linux Installation – Verifying /var/mqsi creation

To verify the installation, navigate to /opt/IBM/iib-10.n.n.n and run the following command

(https://blogonibmesb.files.wordpress.com/2015/10/image8.jpg)
IBM Integration Bus v10 Linux Installation – Verifying Installation – Part 1

(https://blogonibmesb.files.wordpress.com/2015/10/image9.jpg)
IBM Integration Bus v10 Linux Installation – Verifying Installation – Part 2

This completes the installation of IIB v10 on Linux. The next steps would be to create the IIB user account and configure the user profile for running IIB commands. This can be done by editing the .bash_profile file of the user and adding the following statement to it.

. /opt/IBM/iib-10.0.0.0/server/bin/mqsiprofile

OCTOBER 10, 2015 YUVARAJ IBM INTEGRATION BUS, IIB 1 COMMENT

IBM Integration Bus: Enabling ODBC Connectivity for Integration Node on Linux – Illustrated for Oracle Database

This blog covers the steps required for configuring ODBC connectivity to a remote database for an Integration Node running on a Linux server, in IBM Integration Bus v9. The steps are illustrated using Oracle XE Database.

Pre-requisites (Out-of-scope of this blog)

1. IBM Integration Bus Runtime Component installed on the Linux machine
2. Integration Node to be used is created
3. Database installed and configured on remote machine

Step 1: Configuring odbc.ini File For ODBC Connectivity in IBM Integration Bus Runtime Server (Linux)

1. Create a new directory, say /odbc, to hold the ODBC-related ini files and configure them to our requirement.

(https://blogonibmesb.files.wordpress.com/2015/07/image1.jpg)
User Defined ODBC directory

Copy the odbc.ini & odbcinst.ini sample files supplied with the IIB Runtime component, located in the <IIB_Install_dir>/ODBC/unixodbc/ directory, to the /odbc directory we had created for the purpose. Each broker service user ID on the system can therefore use its own DSN definitions.

(https://blogonibmesb.files.wordpress.com/2015/07/image2.jpg)
Sample ODBC Files provided with IIB

(https://blogonibmesb.files.wordpress.com/2015/07/image3.jpg)
Copying Sample ODBC files provided with IIB to the user defined /odbc directory

Change the ownership of the /odbc/odbc.ini file to the mqbrkrs group and also its permissions to 664

(https://blogonibmesb.files.wordpress.com/2015/07/image4.jpg)
Changing the ownership of /odbc/odbc.ini file to mqbrkrs group and setting permission level to 664

Change the ownership of the /odbc/odbcinst.ini file to the mqm user and mqbrkrs group and retain its permissions as per the sample file provided with IIB.

(https://blogonibmesb.files.wordpress.com/2015/07/image5.jpg)
Changing the ownership of /odbc/odbcinst.ini file to mqm user & mqbrkrs group

Login to the IIB Admin user account, say iibadmin, and configure the user's profile file to set the ODBC related environment variables – ODBCINI & ODBCSYSINI

export ODBCINI=<path>/odbc.ini

export ODBCSYSINI=<path of odbcinst.ini file>

(https://blogonibmesb.files.wordpress.com/2015/07/image7.jpg)
Setting the ODBC environment variables in the IIB administrator profile file .profile (or) .bash_profile in the user's home directory

Edit the odbc.ini file in the /odbc folder, changing its last stanza to specify the required driver details and adding the required DSN entry for the Oracle XE database

(https://blogonibmesb.files.wordpress.com/2015/07/image9.jpg)
Adding ODBC DSN entry for Oracle database in the ODBC.ini

Create a new DSN entry NEBULADB in the /odbc/odbc.ini file for the Oracle XE database, specifying the connection details as shown

(https://blogonibmesb.files.wordpress.com/2015/07/image10.jpg)
DSN entry added to /odbc/odbc.ini specifying Oracle database connection details

Step 2: Configuring Integration Node for ODBC Connectivity

Login to the IIB Server using the IIB administrator user id, say iibadmin, and start the Integration Node, if not running already.

Associate the ODBC DSN to the Integration Node using the mqsisetdbparms command as shown below and enter the db2 password when prompted.

mqsisetdbparms <Integration Node> -n <DSN Name> -u <DB user>

e.g: To associate our DSN IIBDB_ODBC to the TRNGBRK Integration Node using the user id db2admin, use the following command. Enter the password for the db2admin user when prompted

mqsisetdbparms TRNGBRK -n NEBULADB -u nebula

(https://blogonibmesb.files.wordpress.com/2015/07/image11.jpg)
Associating ODBC DSN to Integration Node

To verify the Integration Node connectivity to the DB2 database using the associated DSN, use the command mqsicvp as shown below

mqsicvp <Integration Node Name> -n <DSN Name>

e.g: To test connectivity to DB2 database using NEBULADB DSN from the TRNGBRK integration node, use the following command

mqsicvp TRNGBRK -n NEBULADB

(https://blogonibmesb.files.wordpress.com/2015/07/image12.jpg)
Verifying Integration Node's connectivity to database using specified DSN

JULY 26, 2015 YUVARAJ IBM INTEGRATION BUS, INTEGRATION NODE, MESSAGE BROKER, ODBC CONNECTIVITY 1 COMMENT

Enabling Remote Connection to Queue Manager on v7.5 – Part 1

During my multiple training sessions on MQ / IIB, I have been asked by my candidates how to enable remote connection to a queue manager. Hence this blog detailing the steps for remote QM connection.

Please note this blog entry will focus on steps to enable remote connection to a queue manager in non-production environments (esp. development / test) and is not suitable for production or secured environments. This is due to the fact that the security aspects / details required are not covered in this blog.

In MQ v7.1, the Channel Authentication record feature was introduced, which can be used to allow / block inbound connections from clients / remote queue managers on specific MQI channels. This feature can be used to provide identity mapping for the connections from applications / remote queue managers using various techniques like Asserted User Identity, Origination IP Address, Certificate's DN, Remote QMGR Name. The resulting identity is set as the MCAUser for the connection, which is then used by the queue manager for authorization purposes.

Control has been provided at the QMGR level to specify whether to use this Channel Authentication Record functionality or not. For this purpose the CHLAUTH property has been added to the QMGR – CHLAUTH (ENABLED / DISABLED)

To enable remote connections, we could either disable this function or use this feature. For simplicity, this blog focuses on connecting to a remote queue manager with this feature disabled, as illustrated below

To disable the channel authentication feature on a Queue Manager, say QM1, execute the following command in the script window of QM1. To get to the script mode of a queue manager, use the command runmqsc, e.g. runmqsc QM1

Note: This step is applicable for Queue Managers from v7.1 onwards only. For a QM on an earlier version, this step can be omitted.

ALTER QMGR CHLAUTH(DISABLED)

(https://blogonibmesb.files.wordpress.com/2015/06/qmgralter_chlauth.jpg)
Altering CHLAUTH attribute of Queue Manager

Once this has been disabled, you need to create the following objects in QM1 for remote connectivity (applies to a QM on any version)

- Listener object, to specify the port at which the Queue Manager will be listening for connections
- Server Connection Channel, using which an application can connect to the Queue Manager

You can use the following steps to create the objects in the script window of the Queue Manager

1. For creating a TCP Listener in QM1 to listen on port 1616 and starting it, use the below commands

Command Syntax:

DEFINE LISTENER() TRPTYPE(TCP) PORT() CONTROL(QMGR)

DEFINE LISTENER(TCP.LISTENER) TRPTYPE(TCP) PORT(1616) CONTROL(QMGR)

START LISTENER(TCP.LISTENER)

(https://blogonibmesb.files.wordpress.com/2015/06/qmgrlistener.jpg)
Creation of Listener object for queue manager and starting it

2. Creating Server Connection Channel

Command Syntax:

DEFINE CHANNEL(<CHL NAME>) CHLTYPE(SVRCONN) TRPTYPE(TCP) MCAUSER()

DEFINE CHANNEL(APP.SVRCONN) CHLTYPE(SVRCONN) TRPTYPE(TCP) MCAUSER('mqm')

In the above command, the MCAUSER attribute of the channel specifies the user id that is to be used by the queue manager for authorizing the application connecting using this channel. For illustration purposes and to avoid authorization issues, the user id 'mqm' is set in this attribute

(https://blogonibmesb.files.wordpress.com/2015/06/qmgrsvrconn.jpg)
Creating Server Connection Channel on Queue Manager in MQ

Note:

- Since mqm is the MQ administrative user, normally one should not specify this or any other administrative user id as the value of this attribute. If specified, it should be a non-administrative user id.
- The user id specified must exist in the OS where the queue manager is running and have the requisite access to perform the activities it is supposed to do. This can be granted using the setmqaut command, in case a non-administrative user id has been specified in the MCAUSER attribute
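The development-only settings used in this post (CHLAUTH(DISABLED), an administrative MCAUSER on a SVRCONN channel) and the blank CONNAUTH from the MQ 8 post can be caught by auditing an MQSC script before it is run against a shared queue manager. The following Python audit is an added example, not code from the blog or from IBM; ADMIN_IDS, the finding codes and both sample scripts are constructed for illustration.

```python
import re

# Assumed list of administrative OS accounts for this example; extend per platform.
ADMIN_IDS = {"mqm", "root"}

# KEYWORD(value) pairs; the value is either a quoted string or a bare token.
ATTR = re.compile(r"([A-Za-z]+)\(\s*('[^']*'|[^)]*?)\s*\)")

WHY = {
    "CHLAUTH_DISABLED": "channel authentication records are not evaluated",
    "CONNAUTH_BLANK": "connection authentication (user id / password check) is off",
    "ADMIN_MCAUSER": "every client on this channel is authorized as an MQ administrator",
}


def parse_mqsc(script):
    """Yield (verb, object_type, attrs) for each command in an MQSC script.

    Handles '*' comment lines and '+' line continuation. Bare values are
    folded to upper case; quoted values keep their case.
    """
    pending = ""
    for raw in script.splitlines():
        line = raw.strip()
        if not line or line.startswith("*"):
            continue
        if line.endswith("+"):
            pending += line[:-1].rstrip() + " "
            continue
        text, pending = pending + line, ""
        verb, _, rest = text.partition(" ")
        match = re.match(r"\s*([A-Za-z]+)", rest)
        obj = match.group(1).upper() if match else ""
        attrs = {}
        for key, value in ATTR.findall(rest):
            if value.startswith("'"):
                value = value[1:-1].strip()
            else:
                value = value.upper()
            attrs[key.upper()] = value
        yield verb.upper(), obj, attrs


def audit(script):
    """Return sorted (object, finding_code) pairs for the state the script leaves."""
    qmgr, channels = {}, {}
    for verb, obj, attrs in parse_mqsc(script):
        if verb == "ALTER" and obj == "QMGR":
            qmgr.update(attrs)          # later ALTERs override earlier ones
        elif verb in ("DEFINE", "ALTER") and obj == "CHANNEL":
            name = attrs.get("CHANNEL")
            if name:
                channels.setdefault(name, {}).update(attrs)

    findings = []
    if qmgr.get("CHLAUTH") == "DISABLED":
        findings.append(("QMGR", "CHLAUTH_DISABLED"))
    if qmgr.get("CONNAUTH") == "":
        findings.append(("QMGR", "CONNAUTH_BLANK"))
    for name, ch in channels.items():
        is_svrconn = ch.get("CHLTYPE") == "SVRCONN"
        if is_svrconn and ch.get("MCAUSER", "").lower() in ADMIN_IDS:
            findings.append((name, "ADMIN_MCAUSER"))
    return sorted(findings)


# Constructed sample: the development-only commands shown on this page, as one script.
PAGE_SCRIPT = """\
* remote access set-up from the post (non-production)
ALTER QMGR CHLAUTH(DISABLED)
ALTER QMGR CONNAUTH(' ')
REFRESH SECURITY
DEFINE LISTENER(TCP.LISTENER) TRPTYPE(TCP) PORT(1616) +
       CONTROL(QMGR)
DEFINE CHANNEL(APP.SVRCONN) CHLTYPE(SVRCONN) +
       TRPTYPE(TCP) MCAUSER('mqm')
"""

# Constructed sample: both features on and a non-administrative MCAUSER.
REVIEWED_SCRIPT = """\
ALTER QMGR CHLAUTH(ENABLED) CONNAUTH(USER.IDPWOS)
DEFINE CHANNEL(APP.SVRCONN) CHLTYPE(SVRCONN) TRPTYPE(TCP) MCAUSER('User3')
"""

if __name__ == "__main__":
    for obj, code in audit(PAGE_SCRIPT):
        print(f"{obj}: {code} - {WHY[code]}")
```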

Now that the queue manager has been enabled, you can use MQ Explorer from a remote machine to connect to this queue manager, specifying this channel name and the connection details. The steps are illustrated below

From the MQ Explorer, right click on the Queue Managers folder and select the "Add Remote Queue Manager" option

(https://blogonibmesb.files.wordpress.com/2015/06/mq-addingremoteqm.jpg)
MQ – Adding Remote QM from Explorer

Specify the name of the Queue Manager, select the option "Connect Directly" and click Next

(https://blogonibmesb.files.wordpress.com/2015/06/mq-addingqm.jpg)
MQ – Adding Remote QM from Explorer Step 2

Specify the connection details of the remote queue manager, using the port and the channel name we had created earlier, and click on Finish

(https://blogonibmesb.files.wordpress.com/2015/06/mq-qmconnectiondtls.jpg)
MQ- Remote QM Connection Details from Explorer

(https://blogonibmesb.files.wordpress.com/2015/06/mq-qmadded.jpg)
MQ – Remote QM Added in Explorer

Stay tuned for Part-2 of this blog, which will cover enabling remote connection using Channel Authentication Records and connecting using a non-administrative user id.

JUNE 26, 2015 YUVARAJ MQ