End-To-End Encryption with Universal File Mover (How To #4)

In the Universal File Mover (UFM) How To #2 blog posting, UFM ran in “client mode” when it connected to the queue managers. In this blog posting, I will show how to implement a simple file transfer using End-To-End encryption when connecting to the queue manager in “client mode”.

UFM’s MQSend Action uses Advanced Encryption Standard (AES) to encrypt the data. The MQReceive Action can decrypt the incoming data before it is written to the target file. UFM supports the use of 128, 192 and 256-bit AES encryption/decryption.

US export restrictions limit the AES support shipped with Java to 128-bit keys. If you wish to use AES 192 or 256-bit encryption, the “Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files 6” need to be downloaded (and installed) from Oracle’s Java web page: http://www.oracle.com/technetwork/java/javase/downloads/index.html


In this example, the following servers are used but they only have WebSphere MQ (WMQ) Client installed (no queue managers):
– aix002 is an AIX server with WMQ Client and UFM software installed
– linux002 is a Linux server with WMQ Client and UFM software installed

In this example, the following queue managers are used:
MQA1 is a queue manager residing on an AIX (aix001) server (sender)
MQL1 is a queue manager residing on a Linux (linux001) server (receiver)

TEST.LINUX.QL and TEST.LINUX.QL.BK are local queues defined in queue manager MQL1 (receiver)
TEST.LINUX.QR is a remote queue defined in queue manager MQA1 (sender)

If you do not know how to define/setup communication between 2 queue managers then follow the instructions in this blog posting:
https://www.capitalware.com/rl_blog/?p=509

Step #1: On the linux002 server, create a file in the mq directory called mql1.xml and copy the following into the file:

<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE UFM_MQ SYSTEM "UFM_MQ.dtd">
<UFM_MQ>
    <QMgrName>MQL1</QMgrName>
    <QueueName>TEST.LINUX.QL</QueueName>
    <Hostname>linux001</Hostname>
    <ChannelName>SYSTEM.DEF.SVRCONN</ChannelName>
    <Port>1414</Port>
    <UserID>tester</UserID>
</UFM_MQ>

The mql1.xml (UFM_MQ XML) file describes how to connect to the remote MQL1 queue manager on server linux001. The connection will use the UserID tester. If you do not have that UserID defined on the linux001 server, use a UserID that is defined there.

Step #2: On the linux002 server, in the UFM install directory, create a file called ufm_receive_test_4.xml and copy the following into the file:

<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE UFM_Workflow SYSTEM "UFM_Workflow.dtd">
<UFM_Workflow>

  <Actions>
    <MQReceive run="D" keysize="128" passphrase="this is the secret">
      <MQ>
        <MQFile>mql1.xml</MQFile>
        <BackOutQName>TEST.LINUX.QL.BK</BackOutQName>
      </MQ>
      <Default>
        <Directory override="Y">/home/roger/UFM/</Directory>
      </Default>
    </MQReceive>
  </Actions>

</UFM_Workflow>

When UFM is started, it will run as a daemon (run="D") and use a backout queue called TEST.LINUX.QL.BK in case there is an issue with a message. For decrypting the data, UFM will use a key size of 128 bits and a PassPhrase of ‘this is the secret’. UFM will override the directory specified in the message and use the one provided. Either create the /home/roger/UFM/ directory on your Linux server or use a directory that already exists on your Linux server.

Step #3: On the linux002 server, start UFM to receive the file transfers:

./ufm.sh ufm_receive_test_4.xml &

Step #4: On the aix002 server, create a file in the mq directory called mqa1.xml and copy the following into the file:

<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE UFM_MQ SYSTEM "UFM_MQ.dtd">
<UFM_MQ>
    <QMgrName>MQA1</QMgrName>
    <QueueName>TEST.LINUX.QR</QueueName>
    <Hostname>aix001</Hostname>
    <ChannelName>SYSTEM.DEF.SVRCONN</ChannelName>
    <Port>1414</Port>
    <UserID>tester</UserID>
</UFM_MQ>

The mqa1.xml (UFM_MQ XML) file describes how to connect to the remote MQA1 queue manager on server aix001. The connection will use the UserID tester. If you do not have that UserID defined on the aix001 server, use a UserID that is defined there.

Step #5: On the aix002 server, create a file in the data directory called test.txt and put a simple text message in the file (e.g. “This is a test message.”)

Step #6: On the aix002 server, in the UFM install directory, create a file called ufm_send_test_4.xml and copy the following into the file:

<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE UFM_Workflow SYSTEM "UFM_Workflow.dtd">
<UFM_Workflow>

  <Actions>
    <MQSend delete="N" format="N" keysize="128" passphrase="this is the secret">
      <File>data/test.txt</File>
      <MQ>
        <MQFile>mqa1.xml</MQFile>
      </MQ>
      <Remote>
        <Directory>/var/mqm/</Directory>
      </Remote>
    </MQSend>
  </Actions>

</UFM_Workflow>

When UFM is started, it will first encrypt the data using a key size of 128 bits and a PassPhrase of ‘this is the secret’, then send the encrypted data.

Step #7: On the aix002 server, start UFM to send the file:

./ufm.sh ufm_send_test_4.xml

UFM will start, encrypt the data, put the encrypted message to the specified queue and then terminate.

Step #8: On the linux002 server, verify that the test file (i.e. test.txt) was put into the /home/roger/UFM/ directory or whatever directory you specified in the ufm_receive_test_4.xml file.

Step #9: Finally, we need to stop the UFM daemon that is running on the linux002 server. In the UFM install directory, create a file called ufm_putquit_test_4.xml and copy the following into the file:

<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE UFM_Workflow SYSTEM "UFM_Workflow.dtd">
<UFM_Workflow>
  <Actions>
    <MQPutQuit>
      <MQ>
        <MQFile>mql1.xml</MQFile>
      </MQ>
    </MQPutQuit>
  </Actions>
</UFM_Workflow>

Step #10: On the linux002 server, run UFM with the MQPutQuit action:

./ufm.sh ufm_putquit_test_4.xml

This blog demonstrates how to perform End-To-End encryption using UFM at both the sender and receiver ends as MQ clients that connect to remote queue managers. You do NOT need to implement SSL or purchase SSL certificates to have secure End-To-End encryption of your data. Besides the headache of implementing SSL, SSL does absolutely nothing for messages sitting in the queue because SSL is only for encrypting data as it crosses the channel (i.e. over the air). UFM provides true End-To-End encryption of the data.

Regards,
Roger Lacroix
Capitalware Inc.
