IBM Cloud Docs
Securing remote administration using IBM MQ Explorer

This document covers enabling TLS for remote administration of the MQ SaaS queue manager using IBM MQ Explorer.

Prerequisites

  1. If your queue manager is version 9.2.1 revision 1 or older, first set up TLS encryption on the MQ channel. Refer to Enabling TLS security for MQ channels in MQ SaaS. If you have a newer queue manager, TLS will already be enabled with the ANY_TLS12_OR_HIGHER cipher.
  2. Download the public certificates.
  3. Create a JKS keystore using Windows or Linux, or using Mac OSX.
  4. You need access to the MQ client tools for your operating system (for example, runmqakm). These are included as part of an MQ server installation on Linux and Windows, or can be installed separately as part of the MQ client for Linux or Windows, available from the MQ Downloads page, or the MacOS toolkit for Developers.
  5. You will need IBM MQ Explorer installed in an Eclipse environment on Windows or Linux. Full installation instructions can be found at IBM MQ Explorer Installation.

Tasks to perform on the system that hosts the IBM MQ Explorer

  1. Start MQ Explorer by running the strmqcfg command from a command line interface, or by clicking the icon.
  2. From the MQ Explorer - Navigator, right-click Queue Managers and select the Add Remote Queue Manager option.
  3. In the Queue manager name field, enter the name of the MQ SaaS queue manager you want to connect to.
  4. Ensure that Connect directly is selected. Click Next.
  5. On the Specify new connection details page:
    1. In the Host name or IP address: field, enter the Hostname of your MQ SaaS queue manager (gathered from MQ SaaS queue manager CCDT or text details downloaded earlier).
    2. In the Port number: field, enter the port number of your MQ SaaS queue manager (gathered from MQ SaaS queue manager details).
    3. In the Server-connection channel field, enter the value as CLOUD.ADMIN.SVRCONN.
    4. Click Next.
  6. On the Specify security exit details page, click Next.
  7. On the Specify user identification details page:
    1. Select the Enable user identification checkbox.
    2. Ensure User identification compatibility mode is NOT selected.
    3. In the Userid: field, type the MQ username gathered from User permissions of the MQ SaaS Service.
    4. In the Password field, select the Prompt for password radio button.
    5. Click Next.
  8. On the Specify SSL certificate key repository details page:
    1. Select the Enable SSL key repositories checkbox.
    2. Browse and select the key repository created in the prerequisite steps for both Trusted Certificate Store and Personal Certificate Store.
    3. Click Next.
  9. On the Specify SSL option details page:
    1. Select the Enable SSL options checkbox.
    2. In the CipherSpec field, select the value you want, for example ANY_TLS12_OR_HIGHER from the dropdown list.
    3. Click Finish.
    4. When prompted, enter the password.
  10. MQ Explorer should now connect to your queue manager for remote administration. All the operations on this queue manager will now run on a secured channel.
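
A pre-flight check that mirrors the trust settings from steps 8 and 9, added here as an example and not part of the IBM documentation: it trusts only the downloaded public certificates and refuses anything below TLS 1.2, so a failure points at the trust store or the endpoint rather than at MQ Explorer. It assumes the certificates were downloaded as a PEM file and that the queue manager listener starts the TLS handshake directly after the TCP connection, with the host name sent as SNI; the function names and script name are hypothetical.

```python
import socket
import ssl
import sys


def build_context(ca_file=None):
    """Client context that trusts only ca_file and refuses anything below TLS 1.2."""
    # PROTOCOL_TLS_CLIENT enables CERT_REQUIRED and host name checking,
    # and does not load the system CA bundle.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # floor implied by ANY_TLS12_OR_HIGHER
    if ca_file:
        ctx.load_verify_locations(cafile=ca_file)  # assumed: downloaded certs in PEM
    return ctx


def check_endpoint(host, port, ca_file=None, timeout=5.0):
    """Handshake with host:port and report what was negotiated, or why it failed."""
    result = {"ok": False, "protocol": None, "cipher": None,
              "subject": None, "error": None}
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            ctx = build_context(ca_file)
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                result.update(ok=True,
                              protocol=tls.version(),
                              cipher=tls.cipher()[0],
                              subject=tls.getpeercert().get("subject"))
    except ssl.SSLCertVerificationError as exc:
        # Chain does not lead to the downloaded certificates, or host name mismatch.
        result["error"] = f"certificate not trusted: {exc.verify_message}"
    except ssl.SSLError as exc:
        # For example: the endpoint only offers a protocol below TLS 1.2.
        result["error"] = f"TLS handshake failed: {exc}"
    except OSError as exc:
        # Wrong host or port, firewall, or timeout.
        result["error"] = f"connection failed: {exc}"
    return result


if __name__ == "__main__":
    if len(sys.argv) != 4:
        sys.exit("usage: check_qmgr_tls.py HOST PORT CA_PEM")
    outcome = check_endpoint(sys.argv[1], int(sys.argv[2]), sys.argv[3])
    print(outcome)
    sys.exit(0 if outcome["ok"] else 1)
```

Use the host name and port from the queue manager connection details gathered for step 5; a "certificate not trusted" result means the same certificates would also fail when imported into the key repository selected in step 8.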
