Skip to main contentMerative SPM on Kubernetes

MQ on AKS

Merative Social Program Management (SPM) supports only IBM MQ LTS on a VM , when running on AKS. The following steps outline how to do this. In this runbook we will outline the steps to create:

Note: The MQ version for this runbook verification is 9.1.0 LTS.

For the runbook, two standalone VMs were used as MQ nodes.

Queue manager names

For runbook configuration, the following naming conversion was used throughout the MQ setup: NamingConvention_AppName. This must be unique, but ensure you change the commands used on this page accordingly.

Queue Name:

  • minikube_curam

Channel Name: This value should be all capitals

CHL_NamingConvention_AppName

  • CHL_MINIKUBE_CURAM

Listeners Name: This value should be all capitals

LS_NamingConvention_AppName

  • LS_MINIKUBE_CURAM

MQ stages

On both MQ nodes run the following command as root:

su - mqm # Changing user into mqm
export PATH=/opt/mqm/inst1/bin:$PATH

Important!

Run the export PATH command on both MQ nodes, this command will be used in further commands in the runbook.

Shared storage

Create the shared storage for our nodes.

Note: Run the commands as root.

On the shared node run the following commands:

mkdir -p /MQHA/logs
mkdir -p /MQHA/qmgrs
mkdir -p /MQHA/scratch
useradd mqha -s /sbin/nologin
chown -R mqha:mqha /MQHA/*

Verify that the UID and GUID match the owner ID by running the following command:

echo "/MQHA  MQ.FQDN(rw,sync,no_wdelay,fsid=0,anonuid=1001,anongid=1001)" >> /etc/exports

Start and enable both the nfs service and rpcbind service by running the following commands:

systemctl start nfs-server.service
systemctl enable nfs-server.service
systemctl start rpcbind
systemctl enable rpcbind

On MQ nodes run the following commands:

Note: Commands to be run as root.

echo "SHAREDNODEADDRESS:/MQHA  /MQHA  nfs  defaults  0 0" >> /etc/fstab
systemctl start rpcbind
systemctl enable rpcbind
mkdir -p /MQHA
chmod 1777 /MQHA #Check permissions
mount /MQHA

Create QMs

When creating the queue, start on the secondary node first then move to the primary node.

On the secondary MQ node, run the following commands:

crtmqm -ld /MQHA/logs -md /MQHA/qmgrs minikube_curam
dspmqinf -o command minikube_curam

Save the output of the dspmqinf -o command minikube_curam command, it should look like the following:

addmqinf -s QueueManager -v Name=minikube_curam -v Directory=minikube_curam -v Prefix=/var/mqm -v DataPath=/MQHA/qmgrs/minikube_curam

Wait for /MQHA/qmgrs/minikube_curam/qm.ini to appear on other node

On the primary MQ node run the following commands:

addmqinf -s QueueManager -v Name=minikube_curam -v Directory=minikube_curam -v Prefix=/var/mqm -v DataPath=/MQHA/qmgrs/minikube_curam
strmqm -x minikube_curam

On the secondary MQ node run the following command:

strmqm -x minikube_curam

Create queues

On the primary MQ node run the following commands:

runmqsc minikube_curam <<-EOS
DEFINE QLOCAL(QN.CURAMDEADMESSAGEQUEUE) CLWLUSEQ (ANY) DEFBIND (NOTFIXED)
DEFINE QLOCAL(QN.WORKFLOWERROR) BOTHRESH(5) BOQNAME(QN.CURAMDEADMESSAGEQUEUE) CLWLUSEQ (ANY) DEFBIND (NOTFIXED)
DEFINE QLOCAL(QN.WORKFLOWENACTMENT) BOTHRESH(5) BOQNAME(QN.WORKFLOWERROR) CLWLUSEQ (ANY) DEFBIND (NOTFIXED)
DEFINE QLOCAL(QN.WORKFLOWACTIVITY) BOTHRESH(5) BOQNAME(QN.WORKFLOWERROR) CLWLUSEQ (ANY) DEFBIND (NOTFIXED)
DEFINE QLOCAL(QN.DPERROR) BOTHRESH(5) BOQNAME(QN.CURAMDEADMESSAGEQUEUE) CLWLUSEQ (ANY) DEFBIND (NOTFIXED)
DEFINE QLOCAL(QN.DPENACTMENT) BOTHRESH(5) BOQNAME(QN.DPERROR) CLWLUSEQ (ANY) DEFBIND (NOTFIXED)
ALTER QMGR CHLAUTH(DISABLED)
ALTER QMGR DEADQ(QN.CURAMDEADMESSAGEQUEUE)

Create listeners

On the primary MQ node run the following commands:

runmqsc minikube_curam <<-EOS
DEFINE LISTENER (LS_MINIKUBE_CURAM) TRPTYPE (TCP) CONTROL (QMGR) PORT (1414)
START LISTENER (LS_MINIKUBE_CURAM)
EOS

Create channels

On the primary MQ node run the following command:

  • Enter your MQ node names into the following commands:

Note: CERTLABL expects the value to be lower case ibmwebspheremq + Queue Name For this example it will be ibmwebspheremqminikube_curam

runmqsc minikube_curam <<-EOS
DEFINE CHANNEL(CHL_MINIKUBE_CURAM) CHLTYPE(SVRCONN)  TRPTYPE(TCP) MCAUSER('mqm') SSLCIPH (TLS_RSA_WITH_AES_128_CBC_SHA256)  CERTLABL ('ibmwebspheremqminikube_curam') SSLCAUTH (OPTIONAL) REPLACE
DEFINE CHANNEL(CHL_MINIKUBE_CURAM) CHLTYPE(CLNTCONN) TRPTYPE(TCP) CONNAME('Node1(1414),Node2(1414)') QMNAME(minikube_curam) SSLCIPH (TLS_RSA_WITH_AES_128_CBC_SHA256) CERTLABL ('ibmwebspheremqminikube_curam') REPLACE
EOS

Create topics

On the primary MQ node run the following command:

runmqsc minikube_curam <<-EOS
DEFINE TOPIC (CURAMCACHEINVALIDATIONTOPIC) TOPICSTR (CURAMCACHEINVALIDATIONTOPIC)
ALTER QMGR CONNAUTH('CHECK.PWD')
DEFINE AUTHINFO('CHECK.PWD') AUTHTYPE(IDPWOS) CHCKLOCL(OPTIONAL) CHCKCLNT(OPTIONAL)
EOS

Configure security

The configuration of security is in four parts

  • Setting the object type.
  • Creating the keystore and certs.
  • Updating the certs on both nodes.
  • Refreshing security settings.

Note:

The application pods must connect to MQ using a non-privileged account. The example commands use mqclient as the non-privileged account. This username must be set in the secret referenced by the global.mq.queueManager.secret.name property. See the Handling Secrets page for more information.

On the secondary MQ node run the following command:

useradd -g 0 -M mqclient && usermod -L mqclient

On the primary MQ node run the following commands:

useradd -g 0 -M mqclient && usermod -L mqclient
runmqsc minikube_curam <<-EOS
SET AUTHREC OBJTYPE(QMGR) PRINCIPAL('mqclient') AUTHADD(ALL)
SET AUTHREC OBJTYPE(QUEUE) PROFILE('QN.DPENACTMENT') PRINCIPAL('mqclient') AUTHADD(ALL)
SET AUTHREC OBJTYPE(QUEUE) PROFILE('QN.DPERROR') PRINCIPAL('mqclient') AUTHADD(ALL)
SET AUTHREC OBJTYPE(QUEUE) PROFILE('QN.WORKFLOWACTIVITY') PRINCIPAL('mqclient') AUTHADD(ALL)
SET AUTHREC OBJTYPE(QUEUE) PROFILE('QN.WORKFLOWENACTMENT') PRINCIPAL('mqclient') AUTHADD(ALL)
SET AUTHREC OBJTYPE(QUEUE) PROFILE('QN.WORKFLOWERROR') PRINCIPAL('mqclient') AUTHADD(ALL)
SET AUTHREC OBJTYPE(QUEUE) PROFILE('QN.CURAMDEADMESSAGEQUEUE') PRINCIPAL('mqclient') AUTHADD(ALL)
runmqckm -keydb -create -db /MQHA/qmgrs/minikube_curam/ssl/key.kdb -type cms -pw Passw0rd -stash
runmqakm -cert -create -db /MQHA/qmgrs/minikube_curam/ssl/key.kdb -stashed -label ibmwebspheremqminikube_curam -size 2048 -dn "CN=minikube_curam,O=IBM,C=US" -x509version 3 -expire 365 -sig_alg SHA256WithRSA
runmqakm -cert -extract -db /MQHA/qmgrs/minikube_curam/ssl/key.kdb -stashed -label ibmwebspheremqminikube_curam -target /MQHA/qmgrs/minikube_curam/ssl/key_minikube_curam.arm
runmqakm -cert -export -db /MQHA/qmgrs/minikube_curam/ssl/key.kdb -stashed -label ibmwebspheremqminikube_curam -target /MQHA/qmgrs/minikube_curam/ssl/key_minikube_curam.p12 -target_type pkcs12 -target_pw Passw0rd
openssl pkcs12 -in /MQHA/qmgrs/minikube_curam/ssl/key_minikube_curam.p12 -passin pass:Passw0rd -nocerts -nodes | sed -ne '/-BEGIN PRIVATE KEY-/,/-END PRIVATE KEY-/p' > /MQHA/qmgrs/minikube_curam/ssl/tls.key
openssl pkcs12 -in /MQHA/qmgrs/minikube_curam/ssl/key_minikube_curam.p12 -passin pass:Passw0rd -clcerts -nokeys | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > /MQHA/qmgrs/minikube_curam/ssl/tls.crt
runmqsc minikube_curam <<-EOS
ALTER QMGR CONNAUTH('CHECK.PWD')
DEFINE AUTHINFO('CHECK.PWD') AUTHTYPE(IDPWOS) CHCKLOCL(OPTIONAL) CHCKCLNT(OPTIONAL)
REFRESH SECURITY TYPE(SSL)
REFRESH SECURITY TYPE(AUTHSERV)
REFRESH SECURITY TYPE(CONNAUTH)
EOS

After these stages have been run MQ should be configured.

Clean up QMs/channels/listeners

Used these steps if you are reconfiguring MQ or cleaning up MQ.

On both MQ nodes run the following commands:

endmqm -w minikube_curam
dltmqm minikube_curam
rmvmqinf minikube_curam

On either MQ node run the following commands:

rm -rf /MQHA/qmgrs/**
rm -rf /MQHA/logs/**
rm -rf /MQHA/scratch
endmqm -w minikube_curam
dltmqm minikube_curam
rmvmqinf minikube_curam
Previous
MQ Overview and Configuration: MQ Overview
Next
MQ Overview and Configuration: MQ on OpenShift