Configuring TCP/IP server nodes to use SSL
Configure a TCP/IP configuration to use SSL to secure connectivity to and from the TCPIP server nodes. The SSL configuration specifies:
- The type of protocol.
- The allowed cipher suites.
- A key alias.
- Whether a connecting client should provide authentication information.
About this task
Follow these steps to configure the TCPIP nodes to use SSL:
Changing a TCP/IP server configuration to use SSL
About this task
Use the mqsichangeproperties command to change an existing TCPIPServer configurable service.
Creating a TCP/IP server configuration that uses SSL
About this task
Use the mqsicreateconfigurableservice command to create a TCPIPServer configurable service.
Using an SSL key alias
About this task
A key alias identifies the key that is to be used for the SSL connection when the keystore for your integration node or integration server contains more than one key. Use the mqsichangeproperties or mqsicreateconfigurableservice command, as appropriate, with the SSLKeyAlias property. The default value, an empty string ("") or none, means that an SSL key alias is not used. Any other string identifies the alias.
The following command creates a TCPIPServer configurable service for making connections on port 1455. It uses the SSL protocol TLS with the cipher suites SSL_RSA_WITH_RC4_128_MD5 and SSL_RSA_WITH_3DES_EDE_CBC_SHA. It requires the client to authenticate itself, and uses the key alias MyKey to identify the key to be used. The cipher list is quoted because the semicolon that separates the suites would otherwise be interpreted by the shell:
mqsicreateconfigurableservice MYBROKER -c TCPIPServer -o myTCPIPServerService -n Port,SSLProtocol,SSLCiphers,SSLClientAuth,SSLKeyAlias -v "1455,TLS,SSL_RSA_WITH_RC4_128_MD5;SSL_RSA_WITH_3DES_EDE_CBC_SHA,require,MyKey"
The following command changes a TCPIPServer configurable service to use SSL protocol TLS; it uses the first key retrieved from the keystore, and SSLClientAuth is disabled:
mqsichangeproperties MYBROKER -c TCPIPServer -o myTCPIPServerService -n SSLProtocol -v TLS
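The following script is an added example, not part of the IBM documentation or of the product. It assembles the mqsicreateconfigurableservice and mqsichangeproperties command lines for a TCPIPServer service from the property names shown above (Port, SSLProtocol, SSLCiphers, SSLClientAuth, SSLKeyAlias, with ";" separating cipher suites), quoting the -v value so the semicolon survives the shell, and it refuses to emit a create command whose cipher list contains suites built on RC4, single or triple DES, MD5, NULL, export or anonymous algorithms. The legacy-suite pattern, the port check and the replacement suite TLS_RSA_WITH_AES_128_CBC_SHA256 (assumed to be available from the integration node's JSSE provider) are this example's own assumptions; the commands are only printed, not run.

```shell
#!/bin/sh
# Added example (not IBM's code): build and sanity-check the mqsi commands
# that configure a TCPIPServer configurable service for SSL.

# Return 0 when a cipher suite name uses an algorithm a practitioner would
# not deploy today (RC4, DES/3DES, MD5, NULL, export or anonymous suites).
# The pattern list is an assumption of this example, not an IBM list.
is_legacy_cipher() {
  case "$1" in
    *NULL*|*EXPORT*|*anon*|*_DES_*|*3DES*|*RC4*|*_MD5) return 0 ;;
    *) return 1 ;;
  esac
}

# Split a ';'-separated SSLCiphers value (the separator shown on the page),
# report every legacy suite on stderr, and return 1 if any was found.
check_ciphers() {
  _list=$1
  _bad=0
  _old_ifs=$IFS
  IFS=';'
  for _c in $_list; do
    if is_legacy_cipher "$_c"; then
      echo "legacy cipher suite in SSLCiphers: $_c" >&2
      _bad=1
    fi
  done
  IFS=$_old_ifs
  return $_bad
}

# Print the mqsicreateconfigurableservice line for a TCPIPServer service.
# Arguments: broker service port protocol ciphers clientauth keyalias.
# The -v value is single-quoted so ';' in the cipher list is not a command
# separator. Returns 1 (prints nothing) if the port is not 1..65535.
build_create_cmd() {
  case "$3" in
    ''|*[!0-9]*) echo "Port must be numeric, got '$3'" >&2; return 1 ;;
  esac
  if [ "$3" -lt 1 ] || [ "$3" -gt 65535 ]; then
    echo "Port out of range: $3" >&2
    return 1
  fi
  printf "mqsicreateconfigurableservice %s -c TCPIPServer -o %s -n Port,SSLProtocol,SSLCiphers,SSLClientAuth,SSLKeyAlias -v '%s,%s,%s,%s,%s'\n" \
    "$1" "$2" "$3" "$4" "$5" "$6" "$7"
}

# Print the mqsichangeproperties line for one or more properties of an
# existing TCPIPServer service. Arguments: broker service names values.
build_change_cmd() {
  printf "mqsichangeproperties %s -c TCPIPServer -o %s -n %s -v '%s'\n" \
    "$1" "$2" "$3" "$4"
}

# Demonstration with the values from the page: the two suites shown there
# are flagged, so the create command is only emitted for an AES suite.
PAGE_CIPHERS='SSL_RSA_WITH_RC4_128_MD5;SSL_RSA_WITH_3DES_EDE_CBC_SHA'
AES_CIPHERS='TLS_RSA_WITH_AES_128_CBC_SHA256'   # assumed JSSE suite name
if check_ciphers "$PAGE_CIPHERS"; then
  build_create_cmd MYBROKER myTCPIPServerService 1455 TLS "$PAGE_CIPHERS" require MyKey
else
  echo "create command withheld: replace the legacy suites first" >&2
  build_create_cmd MYBROKER myTCPIPServerService 1455 TLS "$AES_CIPHERS" require MyKey
fi
build_change_cmd MYBROKER myTCPIPServerService SSLProtocol TLS
```

Run the script as-is to see the two generated command lines; pipe the output to sh on the integration node only after reviewing it.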
Testing your configuration
About this task
To test your configuration, connect an SSL-enabled client, such as another program or a web browser, to the server port. Connection error messages, such as handshake failures or untrusted keys, indicate that you must change the configuration.
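As an added example of the test just described (not from the IBM documentation), the following script uses openssl s_client as the SSL-enabled client and sorts its output into the outcomes the text mentions: a clean handshake, a handshake failure (protocol, cipher suite or client-authentication requirement not satisfied), a server key the client does not trust, or a client certificate the server rejected. The classifier is exercised against three constructed fragments of s_client output embedded below; tls_probe is the wrapper you would run against a live server, with the host, port and certificate file names as placeholders.

```shell
#!/bin/sh
# Added example (not IBM's code): probe a TCPIPServer port with openssl
# s_client and classify the result.

# Read s_client output from stdin and print one classification word.
# Alerts are checked before "Verify return code", because s_client can
# print "Verify return code: 0 (ok)" even when the handshake was aborted.
classify_tls_test() {
  _out=$(cat)
  if printf '%s\n' "$_out" | grep -qi 'alert handshake failure'; then
    echo handshake-failure          # protocol/cipher mismatch or client auth
  elif printf '%s\n' "$_out" | grep -qiE 'alert (unknown ca|bad certificate|certificate unknown)'; then
    echo client-certificate-rejected
  elif printf '%s\n' "$_out" | grep -qE 'Verify return code: (18|19|20|21) '; then
    echo untrusted-certificate      # server key not trusted by the client
  elif printf '%s\n' "$_out" | grep -q 'Verify return code: 0 (ok)'; then
    echo ok
  else
    echo unknown
  fi
}

# Live probe (not run here). Hypothetical placeholders: HOST, PORT, and the
# CA bundle and client certificate/key files; -CAfile, -cert and -key are
# real openssl s_client options.
tls_probe() {
  _host=$1; _port=$2; _ca=$3; _cert=$4; _key=$5
  openssl s_client -connect "$_host:$_port" -servername "$_host" \
    -CAfile "$_ca" -cert "$_cert" -key "$_key" </dev/null 2>&1 \
    | classify_tls_test
}

# Constructed sample fragments of s_client output, used instead of a
# live connection.
SAMPLE_OK='depth=0 CN = integration-node.example
---
Verify return code: 0 (ok)
---'
SAMPLE_HANDSHAKE='CONNECTED(00000003)
error:SSL routines::sslv3 alert handshake failure:SSL alert number 40
---
Verify return code: 0 (ok)'
SAMPLE_UNTRUSTED='depth=0 CN = integration-node.example
verify error:num=18:self signed certificate
---
Verify return code: 18 (self signed certificate)'

# Demonstration: classify each constructed sample.
for _name in SAMPLE_OK SAMPLE_HANDSHAKE SAMPLE_UNTRUSTED; do
  eval "_text=\$$_name"
  printf '%s: %s\n' "$_name" "$(printf '%s\n' "$_text" | classify_tls_test)"
done
```

A handshake-failure result means the server and client agree on nothing in SSLProtocol or SSLCiphers, or that SSLClientAuth is set to require and the client supplied no certificate; untrusted-certificate means the client's truststore does not contain the issuer of the key selected by SSLKeyAlias.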
Client identity
About this task
When the client presents a certificate, the identity fields are set from that certificate:
- The IdentitySourceToken field is set to the distinguished name from the client certificate.
- The IdentitySourceType field is set to the string username.
- The IdentitySourceIssuedBy field is set to the issuer of the certificate presented by the client.