Introduction

This article shows you how to configure Secure Sockets Layer (SSL) connections from an IBM® WebSphere® MQ File Transfer Edition (WMQFTE) agent. It also explains the WMQFTE commands and the WMQFTE Plug-in for MQ Explorer, and how to connect over TCP/IP to three separate WebSphere MQ queue managers representing an Agent queue manager, a Command queue manager, and a Coordination queue manager. The article shows you how to create test certificates and configure a queue manager to create a secure server connection channel (SVRCONN) with MQ FTE. The article does not cover the SSL inter-queue manager connections between the three queue managers.

The scenario has been developed using WMQFTE V7.0.2 with WebSphere MQ V7.0.1 on Microsoft® Windows®. You should have enough experience with WebSphere MQ to configure a three queue manager network with WMQFTE without SSL as a starting point. While this configuration is not described in the article, you can easily adapt the scenario to a single queue manager configuration by substituting any reference to the Command, Coordination, and Agent queue managers with your single queue manager providing the function of all three queue manager types in one. Screenshots of both the graphical IBM Key Management tool / MQ Explorer, and command-line examples, are provided where appropriate.

Interaction between queue managers and WMQFTE components

SSL configuration for WMQFTE is performed through configuration properties within one or more of the three types of property files found in your WMQFTE configuration directory hierarchy: agent.properties, command.properties, and coordination.properties. The SSL configuration for any scenario within WMQFTE depends on the underlying queue managers to which you are connecting. In many cases, you may have a scenario where your agents need to connect only to their Agent queue manager via SSL, while other more complex scenarios may require, for example, SSL connections to the Coordination queue manager. An understanding of the queue manager iterations between each of the WMQFTE commands, the WMQFTE Plug-in for MQ Explorer, and the Agents is required to configure your WMQFTE topology to suit your business needs.

There are some common misunderstanding regarding these WMQFTE to queue manager interactions. For example, some users believe that the command fteListAgents requires a connection to the Command queue manager to perform its operation. But the function of this command is to retrieve agent information within your WMQFTE network, and as the Agent information as a whole is stored on the Coordination queue manager, this command only needs to connect to the Coordination queue manager. Therefore if this command is required to connect over an SSL connection, the coordination.properties file SSL configuration is required. Other commands though, such as fteCreateTransfer, do directly connect to the Command queue manager. Table 1 below shows the queue manager connection between the a number of WMQFTE commands, the MQ Explorer WMQFTE Plug-in, and agents. For more information on this topic, see Which WebSphere MQ FTE commands connect to which queue manager in the WMQFTE information center.

In each case where a queue manager type is referenced, you must configure SSL in the corresponding WMQFTE properties file to enable that type of WMQFTE entity to connect to its queue manager. As an example from the table above, the MQ Explorer WMQFTE Plug-in requires iteration with both the Coordination queue manager and the Command queue manager to operate, because the plug-in submits commands to the Command queue manager (creating transfers), and requests information from the Coordination queue manager (transfer progress). If both Coordination queue manager and Command queue manager need to be configured with SSL enabled connections, then both the commands.properties and coordination.properties files require WMQFTE SSL configuration information in them to allow operation of the plug-in.

Of course you can just enable SSL on all of your queue managers and put the SSL configuration information in all of your WMQFTE properties files, if SSL is required throughout your topology. For simplicity's sake, the example scenario will be configured in this manner.

WMQFTE SSL example

As mentioned earlier, this example shows you how to configure SSL for the three queue managers -- AgentQmgr, CommandQmgr, and CoordinationQmgr -- and the WMQFTE agent AGENT1, using self signed certificates.

1. Creating a client-side truststore to be used for the agent, the WMQFTE commands, and the MQ Explorer Plug-in.
2. Creating queue manager certificate stores
3. Creating queue manager self-signed certificates
4. Adding certificates to the client-side truststore
5. Configuring the WMQFTE properties files
6. Configuring the queue managers
7. Creating and configuring the client-side keystore to be used for client authentication (optional)
8. Testing the configuration

All steps except for Step 7 are required to configure the basic SSL connections. Do Step 7 only if you want to configure client authentication. To reduce complexity and simplify debugging, you should not use client authentication initially. After you have a basic SSL connection configured and working as expected, you can add client authentication. You will test whether these four WMQFTE entities can connect to their respective queue managers:

• WMQFTE Plug-in for MQ Explorer
• Test agent AGENT1
• WMQFTE commands fteCreateTransfer and fteListAgents

Creating a client-side truststore

The truststore holds the certificate of a signing certificate authority (CA) for a queue manager you trust. What this means in terms of WMQFTE is that when a connection is made to a queue manager, it sends its certificate to WMQFTE as part of the initial SSL handshake. The Java Secure Socket Extension (JSSE), which handles all SSL communication, looks in the truststore to validate the certificate that it has just received. If it cannot validate the certificate, the connection is terminated. To create a truststore, use the IBM Key Management tool, which is part of WebSphere MQ V7. You can also use the keytool program packaged with the WMQFTE Java installation.

• In the start bar, select Programs => IBM WebSphere MQ => IBM Key Management.
• When IBM Key Management starts, click New and set the values shown in Figure 1 below:
• Key database type: JKS
• File name: truststore.jks
• Location: C:\WMQFTE_SSL\
• Click OK to continue.
• You will be prompted to enter a password of your choice. The password is required to open the truststore only if you wish to add certificates to it. The JSSE does not require a password if it is only being used as a truststore. For this example, enter a password.
• Click OK to continue. You should now have a truststore to which you can import certificates of trusted CAs.

On the command line, you can enter runmqckm for Windows or gsk7cmd for Unix to achieve the same outcome, as shown in Listing 1:

 
runmqckm -keydb -create -db C:\WMQFTE_SSL\truststore.jks -pw password 
-type jks

Creating queue manager certificate stores

In a non-client authentication scenario, the queue manager certificate store acts in the same way as any keystore, in that it holds the client's personal certificates. When configuring the additional client authentication, the queue manager certificate store acts as a truststore as well as a keystore. Since you are using self-signed certificates for this scenario, our personal certificate and CA are one and the same thing, so by implication our queue manager certificate stores can act as both keystore and truststore.

In the three queue manager scenario, you need to create a queue manager certificate store for each of the queue managers. As with the previous step, you can use the IBM Key Management tool to create a certificate store:

• Open the IBM Key Management tool.
• Click New and set the following values, as shown in Figure 2 below.
• Key database type: CMS
• File name: key.kdb
• Location: C:\Program Files\IBM\WebSphere MQ\Qmgrs\AgentQmgr\ssl\
• Click OK to continue.
• You will be prompted to enter a password of your choice. Do so, and select Stash the password to a file.
• Click OK to continue. You should now have your first of three queue manager certificate stores.
• Repeat the steps for CommandQmgr and CoordinationQmgr to create all three queue manager certificate stores

On the command-line, you can enter runmqckm for Windows or gsk7cmd for Unix to achieve the same outcome, as shown in Listing 2:

 
runmqckm -keydb -create -db C:\Progra~1\IBM\Websph~1\qmgrs\AgentQmgr\ssl\key.kdb 
-pw password -type cms -expire 365 -stash

Creating queue manager self-signed certificates

Create three self-signed certificates, one for each queue manager. To save additional complication, create each self-signed certificate in the queue manager certificate store to which the certificate relates. Again, you can use the IBM Key Management tool:

• Open the IBM Key Management tool.
• Click Open to open the AgentQmgr certificate store.
• Click Create=>New Self-Signed Certificate and set the following values, as shown in Figure 3:
• Key label: ibmwebspheremqagentqmgr
• Common Name: <Owner name or machine name> (choose an appropriate value)
• Click OK to continue.
• You now should have a personal certificate listed as * ibmwebspheremqagentqmgr. Click Extract certificate to extract the self-signed certificate to a file to import it into the WMQFTE client-side truststore later. Set the following values, as shown in Figure 4 below:
• Data type: Binary DER data
• Certificate file name: AgentQmgr.der
• Location: C:\WMQFTE_SSL\
• Click OK to continue. You should now have your first of three self-signed certificates.
• Repeat the steps for CommandQmgr and CoordinationQmgr to create all three self-signed certificates.

On the command-line, you can enter runmqckm for Windows or gsk7cmd for Unix to achieve the same outcome, as shown in Listing 3:

 
runmqckm -cert -create -db C:\Progra~1\IBM\Websph~1\qmgrs\AgentQmgr\ssl\key.kdb 
-pw password -label ibmwebspheremqagentqmgr -dn CN=FTEUser -size 1024 
-x509version 3 -expire 365

runmqckm -cert -extract -db C:\Progra~1\IBM\Websph~1\qmgrs\AgentQmgr\ssl\key.kdb 
-pw password -label ibmwebspheremqagentqmgr -target C:\WMQFTE_SSL\AgentQmgr.der 
-format binary

Adding certificates to the client-side truststore

Now that you have extracted the three self-signed certificates (AgentQmgr.der, CommandQmgr.der, and CoordinationQmgr.der), you need to add them to the WMQFTE client-side truststore. Whilst client authentication is not set, the self-signed certificate you add to the trust store will be acting like CAs. Again you can do this with the IBM Key Management tool.

• Open the IBM Key Management tool.
• Click Open and open the WMQFTE Client truststore C:\WMQFTE_SSL\truststore.jks. When prompted, type the password you entered previously.
• Select the drop-down box under the label Key database content.
• Select Signer Certificates.
• Click Add. You will be prompted for the location of the certificate you wish to add. This certificate will either be the queue managers certificate if you are using self-signed certificates for testing, or the certificate of the CA that issued your queue managers certificate. This example uses the self signed certificates. Enter the following data, as shown in Figure 5 below:
• Data type: Binary DER data
• Certificate file name: AgentQmgr.der
• Location: C:\WMQFTE_SSL\
• Click OK. You will be prompted for a label. Enter ibmwebspheremqagentqmgr.
• Click OK to add the certificate.
• Repeat the steps for CommandQmgr and CoordinationQmgr to add all three queue manager signed certificates.

On the command-line, you can enter runmqckm for Windows or gsk7cmd for Unix to achieve the same outcome, as shown in Listing 4:

 
runmqckm -cert -add -db C:\WMQFTE_SSL\truststore.jks -pw password -type jks 
-label ibmwebspheremqagentqmgr -file C:\WMQFTE_SSL\AgentQmgr.der -format binary 
-trust enable

Configuring the WMQFTE properties files

As you will be validating the WMQFTE SSL configuration using a selection of the available WMQFTE entities, referring back to Table 1, you can see that all three queue manager types will be directly connected to by these entities. Therefore you must add SSL configuration information to all three properties files:

• agent.properties file
• coordination.properties file
• command.properties file

For any of the WMQFTE entities to pick up changes to these properties files, they must be restarted. However at this state you have not completed the basic configuration so startup is likely to fail with SSL configuration issues.

Configuring the agent.properties file

The agent.properties file is located in the root of your agent data directory and is used for configuring all aspects of the agent's behaviour. To enable SSL in this scenario, add or modify the following values:

• agentQMgrChannel=SYSTEM.SSL.SVRCONN
• agentSslCipherSpec=RC4_MD5_EXPORT
• agentSslTrustStore=C:\\WMQFTE_SSL\\truststore.jks
• agentSslTrustStorePassword=Password you chose above in Creating a client-side truststore.

For the agent properties file, you can use RC4_MD5_EXPORT as the SSL Cipher Suite, but you can use any supported value as long as it matches what you selected on the corresponding Server Connection channel on your Agent queue manager.

Configuring the coordination.properties file

The coordination.properties file is located under the Coordination queue manager directory under the root data directory. To enable SSL in this scenario, add or modify the following values:

• coordinationQMgrChannel=SYSTEM.SSL.SVRCONN
• coordinationSslCipherSpec=DES_SHA_EXPORT
• coordinationSslTrustStore=C:\\WMQFTE_SSL\\truststore.jks
• coordinationSslTrustStorePassword=Password you chose above in Creating a client-side truststore.

For the coordination properties file, you can use DES_SHA_EXPORT as the SSL Cipher Suite, and as with the agent.properties file, you can use any supported value as long as it matches what you selected on the corresponding Server Connection channel on your Coordination queue manager.

Configuring the command.properties file

The command.properties file is located under the Coordination queue manager directory under the root data directory. To enable SSL in this scenario, add or modify the following values:

• connectionQMgrChannel=SYSTEM.SSL.SVRCONN
• connectionSslCipherSpec=TRIPLE_DES_SHA_US
• connectionSslTrustStore=C:\\WMQFTE_SSL\\truststore.jks
• connectionSslTrustStorePassword=Password you chose above in Creating a client-side truststore.

For the command properties file, you can use TRIPLE_DES_SHA_US as the SSL Cipher Suite, and as with the previous properties files, you can use any supported value as long as it matches what you selected on the corresponding Server Connection channel on your Command queue manager.

Configuring the queue managers

Queue manager configuration in this example is minimal. It uses a new Server Connection channel on each of the three queue managers named SYTEM.SSL.SVRCONN, which you can create either through MQ Explorer or runmqsc:

C:\WMQFTE_SSL>runmqsc AgentQmgr
5724-H72 (C) Copyright IBM Corp. 1994, 2009.  ALL RIGHTS RESERVED.
Starting MQSC for queue manager AgentQmgr.

DEFINE CHANNEL(SYSTEM.SSL.SVRCONN) CHLTYPE(SVRCONN) SSLCIPH(RC4_MD5_EXPORT) 
SSLCAUTH(OPTIONAL)
    2 : DEFINE CHANNEL(SYSTEM.SSL.SVRCONN) CHLTYPE(SVRCONN) SSLCIPH(RC4_MD5_EXPORT)
SSLCAUTH(OPTIONAL)
AMQ8014: WebSphere MQ channel created.
DISPLAY CHANNEL(SYSTEM.SSL.SVRCONN)
    3 : DISPLAY CHANNEL(SYSTEM.SSL.SVRCONN)
AMQ8414: Display Channel details.
CHANNEL(SYSTEM.SSL.SVRCONN)             CHLTYPE(SVRCONN)
ALTDATE(2009-11-19)                     ALTTIME(13.01.25)
COMPHDR(NONE)                           COMPMSG(NONE)
DESCR( )                                HBINT(300)
KAINT(AUTO)                             MAXINST(999999999)
MAXINSTC(999999999)                     MAXMSGL(4194304)
MCAUSER( )                              MONCHL(QMGR)
RCVDATA( )                              RCVEXIT( )
SCYDATA( )                              SCYEXIT( )
SENDDATA( )                             SENDEXIT( )
SHARECNV(10)                            SSLCAUTH(OPTIONAL)
SSLCIPH(RC4_MD5_EXPORT)                 SSLPEER( )
TRPTYPE(TCP)

Repeat for CommandQmgr using SSLCIPH(TRIPLE_DES_SHA_US) and for CoordinationQmgr using SSLCIPH(DES_SHA_EXPORT). You should now have one SSL -enabled Server Connection channel on each of your queue managers.

Creating and configuring the client-side keystore (optional)

Complete this section only if you want client authentication when a connection is made to a queue manager. If client authentication has not been specified on the channel, you do not need to complete this section:

• Defining client keystore
• Setting the keystore and password in the properties files
• Altering queue manager channels to require CA

Defining client keystore

This scenario uses self-signed certificates, and in that sense you can just use the existing truststore as a keystore for client authentication also, as the certificate acts as both the personal certificate and the CA. The password that was not required to be set before will now need to be passed to the JSSE in order for it to access your personal certificate, which is why it was specified earlier.

Setting the keystore and password in the properties files

agent.property file updates:

• agentSslKeyStore=C:\\WMQFTE_SSL\\truststore.jks
• agentSslKeyStorePassword=Password you chose in Creating a client side truststore

coordination.property file updates:

• coordinationSslKeyStore=C:\\WMQFTE_SSL\\truststore.jks
• coordinationSslKeyStorePassword=Password you chose in Creating a client side truststore

command.property file updates:

• connectionSslKeyStore=C:\\WMQFTE_SSL\\truststore.jks
• connectionSslKeyStorePassword=Password you chose in Creating a client side truststore

Altering queue manager channels to require CA

As with the original queue manager configuration, use MQ Explorer (Figure 7) or runmqsc (Listing 6) to alter the server connection channels that you created earlier on all three queue managers:

C:\WMQFTE_SSL>runmqsc AgentQmgr
5724-H72 (C) Copyright IBM Corp. 1994, 2009.  ALL RIGHTS RESERVED.
Starting MQSC for queue manager AgentQmgr.

ALTER CHANNEL(SYSTEM.SSL.SVRCONN) CHLTYPE(SVRCONN) SSLCAUTH(REQUIRED)
     1 : ALTER CHANNEL(SYSTEM.SSL.SVRCONN) CHLTYPE(SVRCONN) SSLCAUTH(REQUIRED)
AMQ8016: WebSphere MQ channel changed.
DISPLAY CHANNEL(SYSTEM.SSL.SVRCONN)
     2 : DISPLAY CHANNEL(SYSTEM.SSL.SVRCONN)
AMQ8414: Display Channel details.
   CHANNEL(SYSTEM.SSL.SVRCONN)             CHLTYPE(SVRCONN)
   ALTDATE(2009-11-19)                     ALTTIME(14.02.49)
   COMPHDR(NONE)                           COMPMSG(NONE)
   DESCR( )                                HBINT(300)
   KAINT(AUTO)                             MAXINST(999999999)
   MAXINSTC(999999999)                     MAXMSGL(4194304)
   MCAUSER( )                              MONCHL(QMGR)
   RCVDATA( )                              RCVEXIT( )
   SCYDATA( )                              SCYEXIT( )
   SENDDATA( )                             SENDEXIT( )
   SHARECNV(10)                            SSLCAUTH(REQUIRED)
   SSLCIPH(RC4_MD5_EXPORT)                 SSLPEER( )
   TRPTYPE(TCP)

Testing the configuration

At this point, you should have your three queue managers with an SSL-enabled server connection channel on each, all with their own certificate stores holding a self-signed certificate. Optionally, you may have also enabled CA. WMQFTE should be configured to allow connections to these new SSL-enabled channels. Starting MQ Explorer with the WMQFTE Plug-in, your SSL configured agent AGENT1, or any of the WMQFTE commands, will now connect to their respective queue managers via that SSL enabled channel, as shown in Table 1. Connection of WMQFTE entities to queue manager types. Try executing each of the following entities:

• fteStartAgent AGENT1 -- Check output0.log for successful initialization and connection of your agent.
• fteListAgent -- Stdout should show Agent AGENT1 on your WMQFTE network.
• fteFteCreateTransfer -sa AGENT1 -da AGENT1 -df C:\MyDestinationFile -w C:\MySourceFile -- Should report that the file transfer has successfully completed, and the destination file should exist.
• Connecting to the CoordinationQmgr via WMQFTE Plug-in for MQ Explorer -- the WMQFTE node in the MQ Explorer GUI should connect to CoordinationQmgr.

If everything went smoothly, you should see no difference in behaviour compared to running without SSL.

The best test is a failing test

Of course, testing your connections work could just mean that you are connecting on a non-SSL channel to your queue manager, and have not performed any of the WMQFTE side configuration. A simple way to check whether SSL is configured is to deliberately mismatch your WMQFTE and queue manager channel cipher suites. With such a misconfiguration, starting your agent should result in the connection to the queue manager failing with MQRC 2397 - MQRC_JSSE_ERROR. Match the cipher suites again and the agent should start. Example output for failed connections for each of the three queue manager types is shown below:

BFGAG0115I: Relative path transfer root directory: C:\Documents and Settings\Laurence
BFGAG0058I: The agent has successfully initialized.
BFGAG0052E: The agent received MQI reason code 2397 when establishing a client transport
    mode connection to the queue manager 'AgentQmgr' on host 'localhost', port '5050' and
    using channel 'SYSTEM.SSL.SVRCONN'.  The agent cannot continue and will end.
BFGAG0061E: The agent ended abnormally

C:\Program Files\IBM\WMQFTE\bin>fteListAgents 
5655-U80, 5724-R10 Copyright IBM Corp.  2008, 2009.  ALL RIGHTS RESERVED
BFGCL0002E: A messaging problem prevented the command from completing successfully.
The WebSphere MQ completion code was 2, and the reason code was 2397.  
A connection could not be established to queue manager CoordinationQmgr, 
on host 'localhost' using port 5052 and channel SYSTEM.SSL.SVRCONN.

C:\Program Files\IBM\WMQFTE\bin>fteCreateTransfer -sa AGENT1 -da AGENT1 -df 
C:\MyDestinationFile -w C:\MySourceFile 
5655-U80, 5724-R10 Copyright IBM Corp. 2008, 2009.  ALL RIGHTS RESERVED 
com.ibm.wmqfte.api.TransportException: BFGCL0002E: A messaging problem prevented
the command from completing successfully. The WebSphere MQ completion code was 2, 
and the reason code was 2397.  A connection could not be established to queue manager 
CommandQmgr, on host 'localhost' using port 5051 and channel SYSTEM.SSL.SVRCONN.

Conclusion

This article showed you how to configure a three queue manager WMQFTE with SSL scenario, relating to agent, command, and the WMQFTE Plug-in for MQ Explorer. It also described the basic MQ configuration for your SSL-enabled WMQFTE entities to connect, and the optional client authentication.

Troubleshooting

Debugging SSL issues is tricky. When unexpected authentication failures occur, check these two places first:

• The Agents Output0.log files -- look for any information on the action that you expected to happen.
• Queue manager error logs -- look for details on failed connections.

A configuration issue is usually the root cause, so double-checking that your client and server configurations correctly match can weed out a lot of problems. When building a complex scenario, develop it in increments, checking it as you go. Creating a complex scenario with certificate revocation lists, client-side authentication, and the like from scratch in one go is likely to leave you with multiple configuration problems that are difficult to isolate and resolve.

Resources

• Getting started with WebSphere MQ File Transfer Edition
  
  
• Resource monitoring in WebSphere MQ File Transfer Edition
  
  
• Getting Started with WebSphere MQ File Transfer Edition V7 (Redbook)
  
  
• Securing WebSphere MQ File Transfer Edition V7
  
  
• Managed File Transfer for SOA using WebSphere MQ File Transfer Edition (Redbook)
  
  
• SSL configuration of the WebSphere MQ Java/JMS client
  
  
• WebSphere MQ developer resources page
  Technical resources to help you design, develop, and deploy messaging middleware with WebSphere MQ to integrate applications, Web services, and transactions on almost any platform.
  
  
• WebSphere MQ product page
  Product descriptions, product news, training information, support information, and more.
  
  
• WebSphere MQ V6 information center
  A single Web portal to all WebSphere MQ V6 documentation, with conceptual, task, and reference information on installing, configuring, and using WebSphere MQ V6.
  
  
• IBM Redbook: WebSphere MQ V6 fundamentals
  Describes the fundamental concepts and benefits of message queuing technology, and provides a technical description of the WebSphere MQ product.
  
  
• WebSphere MQ V7 information center
  A single Web portal to all WebSphere MQ V7 documentation, with conceptual, task, and reference information on installing, configuring, and using WebSphere MQ V7.
  
  
• WebSphere MQ File Transfer Edition V7.0.1 Information Center
  A single Web portal to all WebSphere WMQFTE V7.0.1 documentation, with conceptual, task, and reference information on installing, configuring, and using WebSphere WMQFTE V7.0.1.
  
  
• IBM Redbook: WebSphere MQ V7 features and enhancements
  Describes the fundamental concepts and benefits of message queuing technology, describes the new features in V7, and provides a business scenario that shows those features in action.
  
  
• WebSphere MQ V7 trial download
  A 90 day, full featured no-charge trial of WebSphere MQ V7.0
  
  
• WebSphere MQ documentation library
  WebSphere MQ product manuals.
  
  
• WebSphere MQ support page
  A searchable database of support problems and their solutions, plus downloads, fixes, problem tracking, and more.
  
  
• WebSphere MQ public newsgroup
  A non-IBM forum where you can get answers to your WebSphere MQ technical questions and share your WebSphere MQ knowledge with other users.
  
  
• WebSphere MQ SupportPacs
  Downloadable code, documentation, and performance reports for the WebSphere MQ family of products.
  
  
• developerWorks WebSphere developer resources
  Technical information and resources for developers who use WebSphere products. developerWorks WebSphere provides product downloads, how-to information, support resources, and a free technical library of more than 2000 technical articles, tutorials, best practices, IBM Redbooks, and online product manuals.
  
  
• developerWorks WebSphere application connectivity developer resources
  How-to articles, downloads, tutorials, education, product info, and other resources to help you build WebSphere application connectivity and business integration solutions.
  
  
• developerWorks WebSphere business process management developer resources
  WebSphere BPM how-to articles, downloads, tutorials, education, product info, and other resources to help you model, assemble, deploy, and manage business processes.
  
  
• Most popular WebSphere trial downloads
  No-charge trial downloads for key WebSphere products.
  
  
• WebSphere forums
  Product-specific forums where you can get answers to your technical questions and share your expertise with other WebSphere users.
  
  
• WebSphere on-demand demos
  Download, watch, and learn what WebSphere products and WebSphere-related technologies can do for your company.
  
  
• developerWorks WebSphere weekly newsletter
  The developerWorks newsletter gives you the latest articles and information only on those topics that interest you. In addition to WebSphere, you can select from Java, Linux, Open source, Rational, SOA, Web services, and other topics. Subscribe now and design your custom mailing.
  
  
• WebSphere-related books from IBM Press
  Convenient online ordering through Barnes & Noble.
  
  
• WebSphere-related events
  Conferences, trade shows, Webcasts, and other events around the world of interest to WebSphere developers.
  
  
• developerWorks blogs
  Join a conversation with developerWorks users and authors, and IBM editors and developers.
  
  
• developerWorks Webcasts
  Free technical sessions by IBM experts that can accelerate your learning curve and help you succeed in your most difficult software projects. Sessions range from one-hour Webcasts to half-day and full-day live sessions in cities worldwide.
  
  
• developerWorks podcasts
  Listen to interesting and offbeat interviews and discussions with software innovators.
  
  
• developerWorks on Twitter
  Check out recent Twitter messages and URLs.
  
  

About the authors

Rate this article

Comments

Back to top

Table of contents

• Introduction
• Interaction between queue managers and WMQFTE components
• WMQFTE SSL example
• Creating a client-side truststore
• Creating queue manager certificate stores
• Creating queue manager self-signed certificates
• Adding certificates to the client-side truststore
• Configuring the WMQFTE properties files
• Configuring the queue managers
• Creating and configuring the client-side keystore (optional)
• Testing the configuration
• Conclusion
• Troubleshooting
• Resources
• About the authors
• Comments

Next steps from IBM

• Try: WebSphere MQ File Transfer Edition
• Buy: WebSphere MQ File Transfer Edition

Dig deeper into WebSphere on developerWorks

Try IBM PureSystems. No charge.

Experience today!

---

Get started with the cloud-based trial and pattern development kit.

Special offers