Configuring TCP/IP server nodes to use SSL

Configure a TCP/IP configuration to use SSL to secure connectivity to and from the TCPIP server nodes.

You can create or modify TCP/IP server connections that use SSL, by creating or modifying a policy. You can specify:
  • The type of protocol.
  • The allowed cipher suites.
  • A key alias.
  • Whether a connecting client should provide authentication information.
By default, SSL is not enabled for any policies.

About this task

Follow these steps to configure the TCPIP nodes to use SSL:

  1. Changing a TCP/IP server configuration to use SSL
  2. Creating a TCP/IP server configuration that uses SSL

Changing a TCP/IP server configuration to use SSL

About this task

Use the Policy editor to change an existing TCPIP Server policy.

Procedure

  1. Set the SSL protocol property to TLS.
  2. Leave the Cipher suites property blank so that all available cipher suites can be used.
  3. Deploy the policy project that contains your TCPIP Server policy to the integration server where you will deploy your associated message flow.

Creating a TCP/IP server configuration that uses SSL

About this task

Use the Policy editor to create a TCPIP Server policy (see Creating policies with the IBM App Connect Enterprise Toolkit).

Procedure

  1. Set the Port number property to an appropriate value.
  2. Set the SSL protocol property to TLS.
  3. Set the Cipher suites property to a list of allowed cipher suites, such as SSL_RSA_WITH_RC4_128_MD5;SSL_RSA_WITH_3DES_EDE_CBC_SHA.
  4. Set the SSL client authentication property to require to indicate that connecting clients must authenticate.
  5. Deploy the policy project that contains your TCPIP Server policy to the integration server where you will deploy your associated message flow.

Using an SSL key alias

About this task

A key alias identifies the key that is to be used for the SSL connection, if the keystore for your integration server contains more than one key. Specify the SSL key alias property on the TCPIP Server policy. The default value "" or none, means that an SSL key alias is not used. Any other string identifies the alias.

Note: If the keystore contains more than one key, and no key alias is defined, the Java™ virtual machine arbitrarily chooses a key at run time.

Procedure

  1. Create a TCPIP Server policy (see Creating policies with the IBM App Connect Enterprise Toolkit).
  2. Set the Port number property to the port number to use to make connections.
  3. Set the SSL protocol property to TLS.
  4. Specify a list of cipher suites to use (such as SSL_RSA_WITH_RC4_128_MD5;SSL_RSA_WITH_3DES_EDE_CBC_SHA).
  5. Set the SSL client authentication property to require to indicate that connecting clients must authenticate.
  6. Set the SSL key alias property to identify the key to be used.
  7. Deploy the policy project that contains your TCPIP Server policy to the integration server where you will deploy your associated message flow.

Testing your configuration

About this task

To test your configuration, connect an SSL-enabled client, such as another program, or a web browser, to the server port. Connection error messages, such as handshake failures, or untrusted keys, indicate that you must change the configuration.

Client identity

About this task

If SSL client authentication is requested or required, and the client successfully authenticates, the distinguished name is present as an identity source token in the properties parser, in the tree propagated from the Open terminal at connection time. This applies only to the TCPIPServerInput node.
  • The IdentitySourceToken field is set to the distinguished name from the client certificate.
  • The IdentitySourceType field is set to the string username.
  • The IdentitySourceIssuedBy field is set to the issuer of the certificate presented by the client.
If SSL client authentication is requested, and the client does not provide the required credentials, the fields are set to blank.