Accessing a secure WebSphere Service Registry and Repository repository

To access a secure WebSphere® Service Registry and Repository repository, edit the parameters in the .conf.yaml configuration file for the integration node or integration server.

About this task

You must connect over HTTPS, not HTTP. The protocol is specified in the endpointAddress property of the WSRRConnectorProvider entry in the ConnectorProviders section of the node.conf.yaml or server.conf.yaml configuration file. The configuration must specify the domain-qualified hostname and port of your WebSphere Service Registry and Repository server, and you must define the WebSphere Service Registry and Repository server logon credentials and the HTTPS SSL certificates.

For more information about the endpointAddress configuration parameter, see Configuration parameters for the WebSphere Service Registry and Repository nodes.

To access a secure WebSphere Service Registry and Repository from a managed server, enter the following sequence of commands. Any properties that you set for an integration node, in the node.conf.yaml file, are inherited by the integration servers that it owns. However, you can change the owned integration server properties by modifying them in the appropriate server.conf.yaml file. For an independent integration server, edit the server.conf.yaml configuration file to set the properties that would be set by the following commands. For more information about configuring integration servers, see Configuring an integration server by modifying the server.conf.yaml file.

Procedure

  1. Ensure that the integration node is running. If it is not, use the mqsistart command to start it.
  2. Edit the .conf.yaml file to configure the integration node or integration server to use HTTPS to communicate with the WebSphere Service Registry and Repository server.
    WSRRConnectorProvider:
      endpointAddress: 'https://fill.in.your.host.here:9080/WSRRCoreSDO/services/WSRRCoreSDOPort'    # The location or endpoint of the WSRR server.

    The default value for all versions of WebSphere Service Registry and Repository is https://fill.in.your.host.here:9080/WSRRCoreSDO/services/WSRRCoreSDOPort

    For more information about the specific levels of WebSphere Service Registry and Repository that are supported by IBM App Connect Enterprise, see the IBM App Connect Enterprise system requirements web page.

  3. Configure the integration node keystore to contain your WebSphere Service Registry and Repository server certificate keys; for a discussion of digital certificates, see Digital certificates. Obtain these certificate keys from the installation of the WebSphere Application Server that hosts your WebSphere Service Registry and Repository server. The integration node uses a single keystore. Therefore, if your integration node also implements WS-Security, HTTPS, or SSL-secured IBM MQ, you might need to merge the provided keys into an existing keystore file. Display the current configuration parameters of the integration node by using the following command:
    mqsireportproperties INODE -o BrokerRegistry -r
    The parameters in this example represent the following values:
    The -o parameter specifies the name of the object (in this case, BrokerRegistry)
    The -r parameter specifies that all property values of the object are displayed, including the child values, if appropriate.

    If your WebSphere Service Registry and Repository server uses mutual SSL authentication, configure the integration node keystore to contain a private key. Then, set the brokerKeystoreFile configuration parameters for the integration node, by using one of the following options.

    • Use the mqsichangeproperties command to change configuration parameters for the integration node.
      mqsichangeproperties INODE -o BrokerRegistry -n brokerKeystoreFile -v C:\WSRR\SSL\ClientKeyFile.jks
      The parameters in this example represent the following values:
      The -o parameter specifies the name of the object (in this case, BrokerRegistry).
      The -n parameter specifies the names of the properties to be changed (in this case, brokerKeystoreFile).  
      The -v parameter specifies the values of properties that are defined by the -n parameter (in this case, C:\WSRR\SSL\ClientKeyFile.jks).
    • Edit the .conf.yaml file to change configuration parameters for the integration node.
      BrokerRegistry:
        brokerKeystoreType: 'JKS'                                                                # Key store type
        brokerKeystoreFile: 'C:\devel\ACE11\WSRR\comics1.fyre.ibm.com.serverKeyFile.jks'      # Location of the broker key store
  4. Configure the integration node truststore to contain signer certificates for your WebSphere Service Registry and Repository server. As stated for the keystore, the integration node uses a single truststore. Therefore, you might need to merge certificates into an existing truststore file. The integration node truststore is configured by using the mqsichangeproperties command. To change the brokerTruststoreFile configuration parameters for the integration node, use the following command:
    mqsichangeproperties INODE -o BrokerRegistry -n brokerTruststoreFile -v C:\WSRR\SSL\ClientTrustFile.jks
    The parameters in this example represent the following values:
    The -o parameter specifies the name of the object (in this case, BrokerRegistry).
    The -n parameter specifies the names of the properties to be changed (in this case, brokerTruststoreFile).  
    The -v parameter specifies the values of properties that are defined by the -n parameter (in this case, C:\WSRR\SSL\ClientTrustFile.jks).
  5. Stop the integration node by using the mqsistop command.
    You must stop the integration node to complete the following step.
  6. If you are using the secure credentials vault to store the WebSphere Service Registry and Repository server credentials, complete the following steps:

    Create a vault key for the specified server by running the mqsivault command:

    mqsivault INODE --create --vault-key 12345678 
    The parameters in this example represent the following values:
    The --create parameter creates a vault for the specified server.  
    The --vault-key parameter specifies the vault key to be used for creating the vault (in this case, 12345678).

    Define the default credential name for the wsrr credential type in the node.conf.yaml configuration file by running the following command:

    mqsicredentials INODE --all-integration-servers --set-as-default --credential-type wsrr  --credential-name wsrrServerCred

    For an independent integration server, add the following lines to the server.conf.yaml configuration file.

    Defaults:
      Credentials:
        wsrr: 'wsrrServerCred'

  7. Set the WebSphere Service Registry and Repository server username and password by using one of the following methods:
    • Set the username and password by running the mqsisetdbparms command.
      mqsisetdbparms INODE -n DefaultWSRR::WSRR -u wasuser -p waspass
      The parameters in this example represent the following values:
      The -n parameter specifies the name of the data source (in this case, DefaultWSRR::WSRR).  
      The -u parameter specifies the user ID to be associated with this data source (in this case, wasuser).  
      The -p parameter specifies the password to be associated with this data source (in this case, waspass).
    • Create the username and password by running the mqsicredentials command:
      mqsicredentials INODE --all-integration-servers --vault-key <myvaultkey> --create --credential-type wsrr --credential-name wsrrServerCred --username <wsrr user> --password <wsrr password>
      The parameters in this example represent the following values:
      The --all-integration-servers parameter creates the credential for all integration servers (use --integration-server for a specified server).
      The --vault-key parameter specifies the vault key that was used to create the vault.
      The --create parameter creates the credential in the vault.
      The --credential-type parameter specifies the type of credential (in this example, wsrr is used).
      The --credential-name parameter specifies the name of the credential (in this example, wsrrServerCred).
      The --username parameter specifies the username.
      The --password parameter specifies the password.
  8. If your WebSphere Service Registry and Repository server uses mutual SSL authentication, set the brokerKeystore username and password by using one of the following methods.
    • Set the username and password by running the mqsisetdbparms command:

      mqsisetdbparms INODE -n brokerKeystore::password -u dummy -p WebAS
      The parameters in this example represent the following values:
      The -n parameter specifies the name of the data source (in this case, brokerKeystore::password).  
      The -u parameter specifies the user ID to be associated with this data source (in this case, dummy).  
      The -p parameter specifies the password to be associated with this data source (in this case, WebAS).
    • Set the brokerKeyStore by running the mqsicredentials command:

      mqsicredentials INODE --all-integration-servers --vault-key <myvaultkey> --create --credential-type keystore --credential-name vaultpassword --password changeme
      The parameters in this example represent the following values:
      The --all-integration-servers parameter specifies that the command applies to all integration servers on the specified integration node. Alternatively, you can specify a named integration server (--integration-server IntegrationServerName).
      The --vault-key parameter specifies the vault key that was used to create the vault.  
      The --create parameter creates credentials in the vault.
      The --credential-type parameter specifies the credential type.
      The --credential-name parameter specifies the name of the credential. In this case, vaultpassword is used. You must update the node.conf.yaml file to set this name as follows:
      BrokerRegistry:
        brokerKeystorePass: 'vaultpassword'
      The --password parameter specifies the password to be associated with this resource.
  9. Set the brokerTrustStore username and password by using one of the following methods:
    • Set the username and password by running the mqsisetdbparms command.
      mqsisetdbparms INODE -n brokerTruststore::password -u dummy 
      -p WebAS
      The parameters in this example represent the following values:
      The -n parameter specifies the name of the data source (in this case, brokerTruststore::password).  
      The -u parameter specifies the user ID to be associated with this data source (in this case, dummy).  
      The -p parameter specifies the password to be associated with this data source (in this case, WebAS).
    • Set the brokerTrustStore by running the mqsicredentials command:
      mqsicredentials INODE --all-integration-servers --vault-key <myvaultkey> --create --credential-type truststore --credential-name vaultpassword --password changeme

      You must update the node.conf.yaml file to set the specified credential name as follows:

      BrokerRegistry:
        brokerTruststorePass: 'vaultpassword'
      
      The parameters in the example represent the following values:
      The --all-integration-servers parameter specifies that the command applies to all integration servers on the specified integration node. Alternatively, you can specify a named integration server (--integration-server IntegrationServerName).
      The --vault-key parameter specifies the vault key that was used to create the vault.  
      The --create parameter creates credentials in the vault.
      The --credential-type parameter specifies the credential type.
      The --credential-name parameter specifies the name of the credential. In this case, vaultpassword is used to match the setting of BrokerRegistry.brokerTruststorePass in the .conf.yaml configuration file.
      The --password parameter specifies the password to be associated with this resource.
  10. To use cache notification with your secure WebSphere Service Registry and Repository server, follow the instructions in Setting up cache notification.
  11. Restart the integration node by using the mqsistart command.
    If you created a vault key, you must specify the --vault-key parameter in the mqsistart command.
    mqsistart INODE --vault-key 12345678 -u userid -p password
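After completing the procedure, it is useful to check the resulting .conf.yaml before restarting the node. The following Python script is an added example and is not part of the IBM documentation or the product: it reads the nested key/value settings of a node.conf.yaml or server.conf.yaml and reports the gaps this procedure is concerned with (an endpointAddress that is missing, commented out, still on HTTP or still pointing at the placeholder host; a missing brokerTruststoreFile; for mutual SSL, a missing brokerKeystoreFile or brokerKeystorePass; and, where the vault is used on an independent server, a missing Defaults.Credentials.wsrr entry). The minimal parser, the function names, the sample configuration text and the host name in it are constructed for this example.

```python
import re
import sys

# Matches "key:" or "key: value". Keys never contain ':' or '/', so the ':'
# inside an https:// URL value is not mistaken for the key separator.
LINE_RE = re.compile(r"^(\s*)([A-Za-z_][\w.-]*):(?:\s+(.*))?$")


def _scalar(raw: str) -> str:
    """Strip surrounding quotes, or a trailing '# comment', from a YAML scalar."""
    raw = raw.strip()
    if raw and raw[0] in "'\"":
        end = raw.find(raw[0], 1)
        return raw[1:end] if end > 0 else raw[1:]
    return raw.split(" #", 1)[0].strip()


def parse_conf_yaml(text: str) -> dict:
    """Minimal reader for the nested 'key: value' mappings in *.conf.yaml.

    Only indentation-based nesting, quoted scalars and '#' comments are
    handled (no lists, anchors or multi-line values); it is not a general
    YAML parser. A commented-out key such as '# endpointAddress' is ignored,
    which is what the product sees too.
    """
    root: dict = {}
    stack: list = [(-1, root)]              # (indent, mapping) of open sections
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = LINE_RE.match(line)
        if not m:
            continue
        indent = len(m.group(1).expandtabs(4))
        key, value = m.group(2), m.group(3)
        while indent <= stack[-1][0]:        # close sections we dedented out of
            stack.pop()
        parent = stack[-1][1]
        if value is None or not value.strip() or value.lstrip().startswith("#"):
            child: dict = {}
            parent[key] = child
            stack.append((indent, child))
        else:
            parent[key] = _scalar(value)
    return root


def check_wsrr_security(conf: dict, mutual_ssl: bool = False,
                        vault_credentials: bool = False) -> list:
    """Return a list of findings; an empty list means nothing is missing."""
    findings = []
    providers = conf.get("ConnectorProviders", {})
    wsrr = providers.get("WSRRConnectorProvider", {}) if isinstance(providers, dict) else {}
    endpoint = wsrr.get("endpointAddress", "") if isinstance(wsrr, dict) else ""
    if not endpoint:
        findings.append("endpointAddress is missing or still commented out")
    else:
        if not endpoint.lower().startswith("https://"):
            findings.append(f"endpointAddress must use HTTPS, not: {endpoint}")
        if "fill.in.your.host.here" in endpoint:
            findings.append("endpointAddress still uses the placeholder host")
    reg = conf.get("BrokerRegistry", {})
    reg = reg if isinstance(reg, dict) else {}
    if not reg.get("brokerTruststoreFile"):
        findings.append("BrokerRegistry.brokerTruststoreFile is not set")
    if mutual_ssl:
        for key in ("brokerKeystoreFile", "brokerKeystorePass"):
            if not reg.get(key):
                findings.append(f"mutual SSL: BrokerRegistry.{key} is not set")
    if vault_credentials:
        creds = conf.get("Defaults", {}).get("Credentials", {})
        if not (isinstance(creds, dict) and creds.get("wsrr")):
            findings.append("Defaults.Credentials.wsrr default credential name is not set")
    return findings


# Constructed sample configurations (not real product files).
INSECURE_CONF = """\
ConnectorProviders:
  WSRRConnectorProvider:
    endpointAddress: 'http://fill.in.your.host.here:9080/WSRRCoreSDO/services/WSRRCoreSDOPort'
BrokerRegistry:
  brokerKeystoreType: 'JKS'        # Key store type
  brokerKeystoreFile: ''           # Location of the broker key store
  brokerTruststoreFile: ''
"""

SECURE_CONF = """\
ConnectorProviders:
  WSRRConnectorProvider:
    endpointAddress: 'https://wsrr.example.test:9443/WSRRCoreSDO/services/WSRRCoreSDOPort'   # constructed host
BrokerRegistry:
  brokerKeystoreType: 'JKS'
  brokerKeystoreFile: 'C:\\WSRR\\SSL\\ClientKeyFile.jks'
  brokerKeystorePass: 'vaultpassword'
  brokerTruststoreType: 'JKS'
  brokerTruststoreFile: 'C:\\WSRR\\SSL\\ClientTrustFile.jks'
  brokerTruststorePass: 'vaultpassword'
Defaults:
  Credentials:
    wsrr: 'wsrrServerCred'
"""

if __name__ == "__main__":
    # Pass a real .conf.yaml path to check it; otherwise check the two samples.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            samples = [(sys.argv[1], fh.read())]
    else:
        samples = [("insecure sample", INSECURE_CONF), ("secure sample", SECURE_CONF)]
    for name, text in samples:
        result = check_wsrr_security(parse_conf_yaml(text), mutual_ssl=True, vault_credentials=True)
        for finding in result or ["no findings"]:
            print(f"{name}: {finding}")
```

Run it with no arguments to see the two constructed samples scored, or with the path of your own node.conf.yaml or server.conf.yaml. The mutual_ssl and vault_credentials flags are set in the usage block to match steps 3, 6 and 8; turn them off if your server does not use mutual SSL or the vault.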