Configure the Connect:Direct® bridge agent and the Connect:Direct node to connect to each other through the SSL or TLS protocol by creating a keystore and a truststore, and by setting properties in the Connect:Direct bridge agent properties file.
About this task
These steps include instructions for getting your keys signed by a certificate authority. If you do not use a certificate authority, you can generate a self-signed certificate. For more information about generating a self-signed certificate, see Working with SSL/TLS on AIX, Linux, and Windows.
These steps include instructions for creating a new keystore and truststore for the Connect:Direct bridge agent. If the Connect:Direct bridge agent already has a keystore and truststore that it uses to connect securely to IBM MQ queue managers, you can use the existing keystore and truststore when connecting securely to the Connect:Direct node. For more information, see Configuring SSL or TLS encryption for MFT.
Procedure
For the Connect:Direct node, complete the following steps:
- Generate a key and signed certificate for the Connect:Direct node. You can do this by using the IBM Key Management tool that is provided with IBM MQ. For more information, see Working with SSL/TLS.
- Send a request to a certificate authority to have the key signed. You receive a certificate in return.
- Create a text file; for example, /test/ssl/certs/CAcert, that contains the public key of your certification authority.
- Install the Secure+ Option on the Connect:Direct node. If the node already exists, you can install the Secure+ Option by running the installer again, specifying the location of the existing installation, and choosing to install only the Secure+ Option.
- Create a new text file; for example, /test/ssl/cd/keyCertFile/node_name.txt.
- Copy the certificate that you received from your certification authority and the private key, located in /test/ssl/cd/privateKeys/node_name.key, into the text file. The contents of /test/ssl/cd/keyCertFile/node_name.txt must be in the following format:
-----BEGIN CERTIFICATE-----
(base64-encoded certificate data)
-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,64A02DA15B6B6EF9
(base64-encoded, encrypted private key data)
-----END RSA PRIVATE KEY-----
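To catch copy-and-paste mistakes before pointing the Key Certificate File field at the file, the following added Python check (not part of the IBM documentation) parses the key certificate file and reports whether it has the expected certificate-then-private-key layout and whether the key is passphrase-protected; the sample file contents and the placeholder base64 bodies are constructed.

```python
import re

# Constructed sample in the layout the Secure+ Option expects: the CA-signed
# certificate first, then the private key (here passphrase-protected). The
# base64 bodies are placeholders, not real key material.
SAMPLE_KEY_CERT_FILE = """-----BEGIN CERTIFICATE-----
MIIBexampleCERTIFICATEbodyPLACEHOLDER==
-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,64A02DA15B6B6EF9

MIIEexamplePRIVATEKEYbodyPLACEHOLDER==
-----END RSA PRIVATE KEY-----
"""

# One PEM block: the label is captured so that BEGIN and END must agree.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z ]+)-----\r?\n(.*?)-----END \1-----", re.DOTALL)


def check_key_cert_file(text):
    """Check the shape of a Connect:Direct key certificate file.

    Returns (problems, key_encrypted). problems is empty when the file holds
    a CERTIFICATE block followed by exactly one private key block;
    key_encrypted reports whether that key carries an ENCRYPTED Proc-Type.
    """
    problems = []
    blocks = [(m.group(1), m.group(2)) for m in PEM_BLOCK.finditer(text)]
    cert_idx = [i for i, (label, _) in enumerate(blocks) if label == "CERTIFICATE"]
    key_idx = [i for i, (label, _) in enumerate(blocks)
               if label.endswith("PRIVATE KEY")]
    if not cert_idx:
        problems.append("no CERTIFICATE block found")
    if len(key_idx) != 1:
        problems.append("expected exactly one private key block, found %d"
                        % len(key_idx))
    if cert_idx and key_idx and key_idx[0] < cert_idx[0]:
        problems.append("private key block appears before the certificate")
    # Text outside the BEGIN/END markers usually means a copy-and-paste error.
    leftover = PEM_BLOCK.sub("", text).strip()
    if leftover:
        problems.append("unexpected text outside PEM blocks: %r" % leftover[:40])
    key_encrypted = bool(key_idx) and "Proc-Type: 4,ENCRYPTED" in blocks[key_idx[0]][1]
    return problems, key_encrypted
```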
- Start the Secure+ Admin Tool.
- On AIX and Linux systems, run the command spadmin.sh.
- On Windows systems, click
The CD Secure+ Admin Tool starts.
- In the CD Secure+ Admin Tool, double-click the .Local line to edit the main SSL or TLS settings.
- Select Enable SSL Protocol or Enable TLS Protocol, depending on which protocol you are using.
- Select Disable Override.
- Select at least one Cipher Suite.
- If you want two-way authentication, change the value of Enable Client Authentication to Yes.
- In the Trusted Root Certificate field, enter the path to the public certificate file of your certification authority, /test/ssl/certs/CAcert.
- In the Key Certificate File field, enter the path to the file that you created, /test/ssl/cd/keyCertFile/node_name.txt.
- Double-click the .Client line to edit the main SSL or TLS settings.
- Select Enable SSL Protocol or Enable TLS Protocol, depending on which protocol you are using.
- Select Disable Override.
For the Connect:Direct bridge agent, perform the following steps:
- Create a truststore. You can do this by creating a dummy key and then deleting the dummy key. You can use the following commands:
keytool -genkey -alias dummy -keystore /test/ssl/fte/stores/truststore.jks
keytool -delete -alias dummy -keystore /test/ssl/fte/stores/truststore.jks
- Import the public certificate of the certification authority into the truststore. You can use the following command:
keytool -import -trustcacerts -alias myCA -file /test/ssl/certs/CAcert -keystore /test/ssl/fte/stores/truststore.jks
- Edit the Connect:Direct bridge agent properties file. Include the following lines anywhere in the file:
cdNodeProtocol=protocol
cdNodeTruststore=/test/ssl/fte/stores/truststore.jks
cdNodeTruststorePassword=password
In the example in this step, protocol is the protocol you are using, either SSL or TLS, and password is the password that you specified when you created the truststore.
- If you want two-way authentication, create a key and certificate for the Connect:Direct bridge agent.
  - Create a keystore and key. You can use the following command:
keytool -genkey -keyalg RSA -alias agent_name -keystore /test/ssl/fte/stores/keystore.jks -storepass password -validity 365
  - Generate a signing request. You can use the following command:
keytool -certreq -v -alias agent_name -keystore /test/ssl/fte/stores/keystore.jks -storepass password -file /test/ssl/fte/requests/agent_name.request
  - Import the certificate that the certification authority returns for the signing request into the keystore. The certificate must be in X.509 format. You can use the following command:
keytool -import -keystore /test/ssl/fte/stores/keystore.jks -storepass password -file certificate_file_path
  - Edit the Connect:Direct bridge agent properties file. Include the following lines anywhere in the file:
cdNodeKeystore=/test/ssl/fte/stores/keystore.jks
cdNodeKeystorePassword=password
In the example in this step, password is the password that you specified when you created the keystore.
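As an added example that is not from the IBM documentation, the following Python check reads the cdNode* lines of a Connect:Direct bridge agent properties file and flags an unset or still-placeholder cdNodeProtocol value, a missing truststore or truststore password, and a keystore configured without its password (or the reverse); the properties text is constructed, with placeholder paths and passwords.

```python
# Constructed excerpt of the lines added to the Connect:Direct bridge agent
# properties file for one-way (node-only) authentication over TLS. The
# truststore path and password are placeholders.
SAMPLE_AGENT_PROPERTIES = """\
# agent.properties (excerpt, constructed)
cdNodeProtocol=TLS
cdNodeTruststore=/test/ssl/fte/stores/truststore.jks
cdNodeTruststorePassword=changeit-placeholder
"""


def parse_properties(text):
    """Minimal reader for the key=value lines of a Java properties file."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!":
            continue  # blank line or comment
        if "=" in line:
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    return props


def check_cd_node_ssl_properties(text):
    """Check the cdNode* settings for a secure Connect:Direct connection.

    Returns (problems, two_way): problems is empty when the settings are
    complete; two_way is True when a keystore is configured, which is what
    lets the agent present its own certificate for client authentication.
    """
    props = parse_properties(text)
    problems = []
    protocol = props.get("cdNodeProtocol")
    if protocol not in ("SSL", "TLS"):
        # Catches the literal "protocol" placeholder left in from the doc.
        problems.append("cdNodeProtocol must be SSL or TLS, got %r" % protocol)
    for key in ("cdNodeTruststore", "cdNodeTruststorePassword"):
        if not props.get(key):
            problems.append("%s is not set" % key)
    keystore = props.get("cdNodeKeystore")
    keystore_password = props.get("cdNodeKeystorePassword")
    if bool(keystore) != bool(keystore_password):
        problems.append("cdNodeKeystore and cdNodeKeystorePassword must be "
                        "set together for two-way authentication")
    return problems, bool(keystore)


if __name__ == "__main__":
    print(check_cd_node_ssl_properties(SAMPLE_AGENT_PROPERTIES))
```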