Authenticating an SSL telemetry connection using self-signed certificates
Use self-signed certificates generated using Keytool to authenticate an SSL connection. You have the option of authenticating the telemetry channel, or the telemetry channel and the clients that attach to it. Messages flowing on the connection are encrypted.
Before you begin
Do the task, Creating your first MQ Telemetry Transport publisher application using Java, before you start, to get PubSync.java working with an unsecured TCP/IP connection. In this task, you modify PubSync.java to work with an SSL connection.
About this task
The steps in the task are written as a programming exercise. You must adapt the procedure to perform real authentication in a production environment.
The task is written for Windows. Change the directory paths for Linux®.
Procedure
Modifying PubSync.java to use SSL
Modify the first publisher program example to connect to a telemetry channel using SSL. Set the SSL properties used by the modified program.
Before you begin
You are assumed to have installed the MQTT v3 client jar files, Javadoc, and Eclipse, configured telemetry channels, and coded and run PubSync.java before performing this task. You have an Eclipse workspace that includes a running version of PubSync.java.
About this task
The task uses the publisher client, PubSync.java, you created in Creating your first MQ Telemetry Transport publisher application using Java as a base. Only small modifications are necessary to use SSL; see Figure 1 and Figure 2.
Procedure
Examples
The modifications to PubSync.java to add SSL are shown in Figure 1 in italics. The modifications to Example.java are shown in Figure 2.
Authenticating the telemetry channel
Clients authenticate the telemetry channel to encrypt the contents of the messages flowing on the channel, and to ensure a client connects to the correct telemetry channel. The server does not authenticate the client.
About this task
You can use a number of different keystore editors to create and manage self-signed certificates. The task uses the command-line keytool command, which is part of the JRE. You can use the GUI tool iKeyman, which is shipped with WebSphere MQ, to browse keystores and generate keys. Launch iKeyman using the command strmqikm.
Procedure
Authenticating the telemetry channel and clients
Clients authenticate the telemetry channel and the telemetry channel authenticates clients attaching to it. Messages flowing on the channel are encrypted.
About this task
You can use a number of different keystore editors to create and manage self-signed certificates. The task uses the command-line keytool command, which is part of the JRE. You can use the GUI tool iKeyman, which is shipped with WebSphere MQ, to browse keystores and generate keys. Launch iKeyman using the command strmqikm.
The telemetry channel is configured with a different keystore from the one used in the task, Authenticating the telemetry channel. You can use the same keystore, and omit step 2 to add keys to the keystore.
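As an added example (not the page's Figure 1 or Figure 2, and not IBM's own code), the following variant of PubSync shows the SSL properties a client sets for both tasks above: a truststore alone when clients authenticate only the telemetry channel, and a client keystore as well when the channel also authenticates clients. It assumes the IBM MQTT v3 client package com.ibm.micro.client.mqttv3 (Eclipse Paho's org.eclipse.paho.client.mqttv3 exposes the same classes and the same com.ibm.ssl.* property names); the broker URL, client identifier, topic, keystore paths and passwords are constructed placeholders.

```java
import java.util.Properties;

import com.ibm.micro.client.mqttv3.MqttClient;
import com.ibm.micro.client.mqttv3.MqttConnectOptions;
import com.ibm.micro.client.mqttv3.MqttDeliveryToken;
import com.ibm.micro.client.mqttv3.MqttException;
import com.ibm.micro.client.mqttv3.MqttMessage;
import com.ibm.micro.client.mqttv3.MqttTopic;

/** Added example: PubSync connecting over SSL (assumed package and paths). */
public class PubSyncSsl {

    /**
     * Build the properties consumed by MqttConnectOptions.setSSLProperties.
     * Pass keyStore == null for one-way SSL (client authenticates the channel only).
     */
    static Properties sslProperties(String trustStore, String trustStorePassword,
                                    String keyStore, String keyStorePassword) {
        Properties ssl = new Properties();
        ssl.setProperty("com.ibm.ssl.protocol", "TLS");
        // Truststore: holds the telemetry channel's self-signed certificate, so the
        // client accepts only that channel and the messages are encrypted.
        ssl.setProperty("com.ibm.ssl.trustStore", trustStore);
        ssl.setProperty("com.ibm.ssl.trustStorePassword", trustStorePassword);
        ssl.setProperty("com.ibm.ssl.trustStoreType", "JKS");
        // Keystore: needed only when the channel also authenticates clients.
        // It holds the client's own self-signed key pair.
        if (keyStore != null) {
            ssl.setProperty("com.ibm.ssl.keyStore", keyStore);
            ssl.setProperty("com.ibm.ssl.keyStorePassword", keyStorePassword);
            ssl.setProperty("com.ibm.ssl.keyStoreType", "JKS");
        }
        return ssl;
    }

    public static void main(String[] args) throws MqttException {
        // Run with the argument "mutual" to present a client certificate as well.
        boolean mutual = args.length > 0 && args[0].equals("mutual");

        // Constructed placeholders: change to your channel's host, port and key files.
        String brokerUrl = "ssl://localhost:8883";   // ssl:// selects the SSL transport
        Properties ssl = sslProperties(
            "C:\\MQTT\\Client\\ClientTrustStore.jks", "trustStorePassword",
            mutual ? "C:\\MQTT\\Client\\ClientKeyStore.jks" : null,
            mutual ? "keyStorePassword" : null);

        MqttConnectOptions options = new MqttConnectOptions();
        options.setSSLProperties(ssl);
        options.setCleanSession(true);

        MqttClient client = new MqttClient(brokerUrl, "PubSyncSsl");
        client.connect(options);   // handshake fails here if the truststore does not
                                   // hold the channel's certificate (or, for mutual
                                   // SSL, the channel does not trust the client's)

        MqttTopic topic = client.getTopic("MQTT Examples");
        MqttMessage message = new MqttMessage("Hello over SSL".getBytes());
        message.setQos(1);
        MqttDeliveryToken token = topic.publish(message);
        token.waitForCompletion();   // synchronous publish, as in PubSync
        client.disconnect();
    }
}
```

The keystore files are built with keytool as the tasks describe: the channel's self-signed certificate is exported from the channel's keystore with keytool -exportcert and imported into ClientTrustStore.jks with keytool -importcert; for mutual authentication the client's key pair is generated into ClientKeyStore.jks with keytool -genkeypair and its exported certificate is imported into the channel's keystore. Because self-signed certificates carry no third-party signature, the truststore contents are the whole basis of trust: distribute the certificates out of band, and protect the keystore files and passwords, since anyone who can add an entry to the truststore can make the client accept another server.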