Accessing a secure WebSphere Service Registry and Repository repository
To access a secure WebSphere® Service Registry and Repository repository, edit the parameters in the .conf.yaml configuration file for the integration node or integration server.
About this task
You must connect over HTTPS, not HTTP. The protocol is part of the endpointAddress property of the WSRRConnectorProvider entry in the ConnectorProviders section of the node.conf.yaml or server.conf.yaml configuration file.
The configuration must specify the domain-qualified host name and port of your WebSphere Service Registry and Repository server, and you must define the WebSphere Service Registry and Repository server logon credentials and the HTTPS SSL certificates.
For more information about the endpointAddress configuration parameter, see Configuration parameters for the WebSphere Service Registry and Repository nodes.
To access a secure WebSphere Service Registry and Repository from a managed server, enter the following sequence of commands. Any properties that you set for an integration node, in the node.conf.yaml file, are inherited by the integration servers that it owns. However, you can change the owned integration server properties by modifying them in the appropriate server.conf.yaml file. For an independent integration server, edit the server.conf.yaml configuration file to set the properties that would be set by the following commands. For more information about configuring integration servers, see Configuring an integration server by modifying the server.conf.yaml file.
Procedure
- Ensure that the integration node is running. If it is not, use the mqsistart command to start it.
- Edit the .conf.yaml file to configure the integration node or integration server to use HTTPS to communicate with the WebSphere Service Registry and Repository server:
ConnectorProviders:
  WSRRConnectorProvider:
    endpointAddress: 'https://fill.in.your.host.here:9080/WSRRCoreSDO/services/WSRRCoreSDOPort'  # The location or endpoint of the WSRR server
The default value for all versions of WebSphere Service Registry and Repository is https://fill.in.your.host.here:9080/WSRRCoreSDO/services/WSRRCoreSDOPort. The host name in the default is a placeholder: replace the host name and port with the domain-qualified host name and HTTPS port of your server, and keep the https:// scheme.
For more information about the specific levels of WebSphere Service Registry and Repository that are supported by IBM App Connect Enterprise, see the IBM App Connect Enterprise system requirements web page.
- Configure the integration node keystore to contain your WebSphere Service Registry and Repository server certificate keys; for a discussion of digital certificates, see Digital certificates. Obtain these certificate keys from the installation of the WebSphere Application Server that hosts your WebSphere Service Registry and Repository server. The integration node uses a single keystore. Therefore, if your integration node also implements WS-Security, HTTPS, or SSL-secured IBM MQ, you might need to merge the provided keys into an existing keystore file. Make sure that the keystore file is readable only by the user ID that runs the integration node. Display the current configuration parameters of the integration node by using the following command:
mqsireportproperties INODE -o BrokerRegistry -r
The parameters in this example represent the following values:
The -o parameter specifies the name of the object (in this case, BrokerRegistry).
The -r parameter specifies that all property values of the object are displayed, including the child values, if appropriate.
If your WebSphere Service Registry and Repository server uses mutual SSL authentication, configure the integration node keystore to contain a private key. Then, set the brokerKeystoreFile configuration parameter for the integration node by using one of the following options.
- Use the mqsichangeproperties command to change configuration parameters for the integration node:
mqsichangeproperties INODE -o BrokerRegistry -n brokerKeystoreFile -v C:\WSRR\SSL\ClientKeyFile.jks
The parameters in this example represent the following values:
The -o parameter specifies the name of the object (in this case, BrokerRegistry).
The -n parameter specifies the names of the properties to be changed (in this case, brokerKeystoreFile).
The -v parameter specifies the values of the properties that are defined by the -n parameter (in this case, C:\WSRR\SSL\ClientKeyFile.jks).
- Edit the .conf.yaml file to change configuration parameters for the integration node:
BrokerRegistry:
  brokerKeystoreType: 'JKS'  # Key store type
  brokerKeystoreFile: 'C:\devel\ACE11\WSRR\comics1.fyre.ibm.com.serverKeyFile.jks'  # Location of the broker key store
- Configure the integration node truststore to contain the signer certificates for your WebSphere Service Registry and Repository server. As stated for the keystore, the integration node uses a single truststore. Therefore, you might need to merge certificates into an existing truststore file.
The integration node truststore is configured by using the mqsichangeproperties command. To change the brokerTruststoreFile configuration parameter for the integration node, use the following command:
mqsichangeproperties INODE -o BrokerRegistry -n brokerTruststoreFile -v C:\WSRR\SSL\ClientTrustFile.jks
The parameters in this example represent the following values:
The -o parameter specifies the name of the object (in this case, BrokerRegistry).
The -n parameter specifies the names of the properties to be changed (in this case, brokerTruststoreFile).
The -v parameter specifies the values of the properties that are defined by the -n parameter (in this case, C:\WSRR\SSL\ClientTrustFile.jks).
- Stop the integration node by using the mqsistop command. You must stop the integration node to complete the following step.
- If you are using the secure credentials vault to store the WebSphere Service Registry and Repository server credentials, complete the following steps:
Create a vault key for the specified server by running the mqsivault command:
mqsivault INODE --create --vault-key 12345678
The parameters in this example represent the following values:
The --create parameter creates a vault for the specified server.
The --vault-key parameter specifies the vault key to be used for creating the vault (in this case, 12345678). The key shown is an example only; choose a strong key, because it protects every credential stored in the vault.
Define the default credential name for the WebSphere Service Registry and Repository credential type in the node.conf.yaml configuration file by running the following command:
mqsicredentials INODE --all-integration-servers --set-as-default --credential-type wsrr --credential-name wsrrServerCred
For an independent integration server, add the following lines to the server.conf.yaml configuration file:
Defaults:
  Credentials:
    wsrr: 'wsrrServerCred'
- Set the WebSphere Service Registry and Repository server username and password by using one of the following methods. Passwords that you pass on the command line with -p or --password can be recorded in the shell history and are visible in process listings while the command runs, so clear the history afterwards.
- Set the username and password by running the mqsisetdbparms command:
mqsisetdbparms INODE -n DefaultWSRR::WSRR -u wasuser -p waspass
The parameters in this example represent the following values:
The -n parameter specifies the name of the data source (in this case, DefaultWSRR::WSRR).
The -u parameter specifies the user ID to be associated with this data source (in this case, wasuser).
The -p parameter specifies the password to be associated with this data source (in this case, waspass).
- Create the username and password by running the mqsicredentials command:
mqsicredentials INODE --all-integration-servers --vault-key <myvaultkey> --create --credential-type wsrr --credential-name wsrrServerCred --username <wsrr user> --password <wsrr password>
The parameters in this example represent the following values:
The --all-integration-servers parameter creates the credential for all integration servers on the specified integration node (use --integration-server to specify a single server).
The --vault-key parameter specifies the vault key that was used to create the vault.
The --create parameter creates the credential in the vault.
The --credential-type parameter specifies the type of credential (in this example, wsrr).
The --credential-name parameter specifies the name of the credential (in this case, wsrrServerCred). It must match the default credential name that you set in the previous step.
The --username parameter specifies the username.
The --password parameter specifies the password.
- If your WebSphere Service Registry and Repository server uses mutual SSL authentication, set the brokerKeystore username and password by using one of the following methods.
- Set the username and password by running the mqsisetdbparms command:
mqsisetdbparms INODE -n brokerKeystore::password -u dummy -p WebAS
The parameters in this example represent the following values:
The -n parameter specifies the name of the data source (in this case, brokerKeystore::password).
The -u parameter specifies the user ID to be associated with this data source (in this case, dummy; a keystore has no user ID, so a placeholder value is used).
The -p parameter specifies the password to be associated with this data source (in this case, WebAS).
- Set the brokerKeystore password by running the mqsicredentials command:
mqsicredentials INODE --all-integration-servers --vault-key <myvaultkey> --create --credential-type keystore --credential-name vaultpassword --password changeme
The parameters in this example represent the following values:
The --all-integration-servers parameter specifies that the command applies to all integration servers on the specified integration node. Alternatively, you can specify a named integration server (--integration-server IntegrationServerName).
The --vault-key parameter specifies the vault key that was used to create the vault.
The --create parameter creates the credential in the vault.
The --credential-type parameter specifies the credential type (in this case, keystore).
The --credential-name parameter specifies the name of the credential (in this case, vaultpassword). You must update the node.conf.yaml file to set this name as the keystore password, so that the integration node resolves the password from the vault instead of reading a clear-text value from the file:
BrokerRegistry:
  brokerKeystorePass: 'vaultpassword'
The --password parameter specifies the password to be associated with this resource (in this case, changeme; use the real password of your keystore).
- Set the brokerTruststore username and password by using one of the following methods:
- Set the username and password by running the mqsisetdbparms command:
mqsisetdbparms INODE -n brokerTruststore::password -u dummy -p WebAS
The parameters in this example represent the following values:
The -n parameter specifies the name of the data source (in this case, brokerTruststore::password).
The -u parameter specifies the user ID to be associated with this data source (in this case, dummy; a truststore has no user ID, so a placeholder value is used).
The -p parameter specifies the password to be associated with this data source (in this case, WebAS).
- Set the brokerTruststore password by running the mqsicredentials command:
mqsicredentials INODE --all-integration-servers --vault-key <myvaultkey> --create --credential-type truststore --credential-name vaultpassword --password changeme
You must update the node.conf.yaml file to set the specified credential name as follows:
BrokerRegistry:
  brokerTruststorePass: 'vaultpassword'
The parameters in this example represent the following values:
The --all-integration-servers parameter specifies that the command applies to all integration servers on the specified integration node. Alternatively, you can specify a named integration server (--integration-server IntegrationServerName).
The --vault-key parameter specifies the vault key that was used to create the vault.
The --create parameter creates the credential in the vault.
The --credential-type parameter specifies the credential type (in this case, truststore).
The --credential-name parameter specifies the name of the credential (in this case, vaultpassword), which must match the value of BrokerRegistry.brokerTruststorePass in the .conf.yaml configuration file. Because the credential type differs, the same name can be used for the keystore and truststore credentials without conflict.
The --password parameter specifies the password to be associated with this resource (in this case, changeme; use the real password of your truststore).
- To use cache notification with your secure WebSphere Service Registry and Repository server, follow the instructions in Setting up cache notification.
- Restart the integration node by using the mqsistart command. If you created a vault key, you must specify the --vault-key parameter in the mqsistart command:
mqsistart INODE --vault-key 12345678 -u userid -p password
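Before restarting, it is worth checking that the .conf.yaml file actually satisfies the requirements of this procedure: an https:// endpoint with a real host name, keystore and truststore files set, the store passwords resolved by credential name, and a default wsrr credential. The following checker is an added example, not IBM-supplied code. It parses only the small indented 'key: value' subset of YAML that the ConnectorProviders, BrokerRegistry and Defaults stanzas use, so it needs no PyYAML. The two configurations embedded in it are constructed for this example; the host name wsrr.example.com and the port 9443 are assumed values, not product defaults.

```python
"""Lint a node.conf.yaml / server.conf.yaml for the secure WSRR settings.

Added example, not IBM's code. Handles only indented 'key: value' lines,
'#' comments and quoted scalars, which is all these stanzas use.
"""
from urllib.parse import urlsplit

# Constructed sample: a freshly templated file, endpoint still on http.
WEAK_CONF = """
ConnectorProviders:
  WSRRConnectorProvider:
    endpointAddress: 'http://fill.in.your.host.here:9080/WSRRCoreSDO/services/WSRRCoreSDOPort'
BrokerRegistry:
  brokerKeystoreType: 'JKS'   # Key store type
  brokerKeystoreFile: ''      # Location of the broker key store
  brokerTruststoreType: 'JKS' # Trust store type
  brokerTruststoreFile: ''    # Location of the broker trust key store
"""

# Constructed sample: the same stanzas after the procedure above.
# Host name and port are assumed, not defaults.
HARDENED_CONF = r"""
ConnectorProviders:
  WSRRConnectorProvider:
    endpointAddress: 'https://wsrr.example.com:9443/WSRRCoreSDO/services/WSRRCoreSDOPort'
BrokerRegistry:
  brokerKeystoreType: 'JKS'
  brokerKeystoreFile: 'C:\WSRR\SSL\ClientKeyFile.jks'
  brokerKeystorePass: 'vaultpassword'    # vault credential name, not the password
  brokerTruststoreType: 'JKS'
  brokerTruststoreFile: 'C:\WSRR\SSL\ClientTrustFile.jks'
  brokerTruststorePass: 'vaultpassword'
Defaults:
  Credentials:
    wsrr: 'wsrrServerCred'
"""


def parse_conf_yaml(text):
    """Parse indentation-nested 'key: value' lines into nested dicts."""
    root = {}
    stack = [(-1, root)]                      # (indent, mapping owning it)
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # drop trailing comment
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")  # first ':' ends the key
        value = value.strip()
        while indent <= stack[-1][0]:         # close deeper stanzas
            stack.pop()
        parent = stack[-1][1]
        if value == "":                       # 'Key:' opens a stanza
            child = {}
            parent[key] = child
            stack.append((indent, child))
        else:
            parent[key] = value.strip("'\"")
    return root


def lookup(conf, *path):
    """Walk nested dicts; return None if any step is missing."""
    node = conf
    for part in path:
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node


def lint_wsrr_config(conf):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    endpoint = lookup(conf, "ConnectorProviders", "WSRRConnectorProvider",
                      "endpointAddress")
    if not endpoint:
        findings.append("endpointAddress is not set")
    else:
        url = urlsplit(endpoint)
        if url.scheme != "https":
            findings.append("endpointAddress uses %r; it must use https" % url.scheme)
        host = url.hostname or ""
        if host == "fill.in.your.host.here" or "." not in host:
            findings.append("endpointAddress host %r is a placeholder or not "
                            "domain qualified" % host)
    for key in ("brokerKeystoreFile", "brokerKeystorePass",
                "brokerTruststoreFile", "brokerTruststorePass"):
        if not lookup(conf, "BrokerRegistry", key):
            findings.append("BrokerRegistry.%s is not set" % key)
    if not lookup(conf, "Defaults", "Credentials", "wsrr"):
        findings.append("Defaults.Credentials.wsrr names no WSRR credential")
    return findings


def lint_text(text):
    """Convenience wrapper: parse then lint a .conf.yaml document."""
    return lint_wsrr_config(parse_conf_yaml(text))


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, lint_text(conf) or ["ok"])
```

Run it against the real file with lint_text(open("node.conf.yaml").read()); a non-empty list means the node will either fall back to HTTP, fail to find a store, or start without a default WSRR credential, so resolve every finding before running mqsistart.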