Configuring IBM Integration Bus and Business Process Manager to work together with SSL

You can configure Business Process Manager (BPM) and IBM® Integration Bus to work together with SSL by using a key and truststore.

The example uses self-signed certificates. In a production environment, adapt it to use certificates issued by your certificate authorities.

Before you begin

Set up a public key infrastructure (PKI) at integration node level by following the instructions in Setting up a public key infrastructure. Create a key and truststore in IBM Integration Bus.

About this task

Follow these steps to configure the IBM Integration Bus to use the key and truststore:

Procedure

  1. Open a command window as an IBM Integration Bus administrator and issue the following commands:
    mqsichangeproperties integrationnodename -o BrokerRegistry -n brokerKeystoreFile -v /var/mqm/BrokerKeyStore.jks
    mqsichangeproperties integrationnodename -o BrokerRegistry -n brokerTruststoreFile -v /var/mqm/BrokerTrustStore.jks
    mqsistop integrationnodename
    mqsisetdbparms integrationnodename -n brokerKeystore::password -u ignore -p *******
    mqsisetdbparms integrationnodename -n brokerTruststore::password -u ignore -p *******
    mqsistart integrationnodename
  2. Check that IBM Integration Bus was configured correctly by issuing the following command:
    mqsireportproperties integrationnodename -o BrokerRegistry -r

    and verifying that the output shows the keystore and truststore files that you set:

    -bash-3.2$ mqsireportproperties integrationnodename -o BrokerRegistry -r
    
    BrokerRegistry
      uuid='BrokerRegistry'
      brokerKeystoreType='JKS'
      brokerKeystoreFile='/var/mqm/BrokerKeyStore.jks'
      brokerTruststoreType='JKS'
      brokerTruststoreFile='/var/mqm/BrokerTrustStore.jks'
      brokerTruststorePass=''
      httpConnectorPortRange=''
      httpsConnectorPortRange=''
      modeExtensions=''
      operationMode='advanced'
      shortDesc=''
      longDesc=''
    
    BIP8071I: Successful command completion.
    
  3. Extract the signer certificate from BPM and install it on IBM Integration Bus.

    Swap certificates between the two runtimes. For BPM, there are two certificate stores: the standard WebSphere® truststore, and the certificate store of the JVM that the WebSphere MQ Java™ client uses. The runtime environment uses the truststore to pass credentials when SSL services are called. IBM Process Designer uses the Java client during discovery of services. It is not mandatory to copy the BPM root certificate to the JVM certificates file. However, copying the certificate helps when Process Designer is looking for SSL services on its own server.

    1. Export the BPM certificate
      1. Log in to the WebSphere Application Server administrator console.
      2. Go to Security > SSL Certificate and Key Management > Key Stores and Certificates > nodeDefaultTrustStore > Signer Certificates
      3. Select the root certificate and then click Export.
      4. Enter a name for the export file and click OK.
    2. Import the certificate into the IBM Integration Bus truststore.
      1. Copy the file from WAS_profile_home/etc to your IBM Integration Bus environment.
      2. On the IBM Integration Bus server start ikeyman, open the truststore and select Signer Certificates.
      3. Click Add to install your certificate from BPM.
  4. Install the IBM Integration Bus certificate on the BPM server.
    You install the certificate in two places, for two reasons:
    1. To support execution of SSL services between BPM and IBM Integration Bus.
    2. To support discovery of SSL services on IBM Integration Bus by IBM Process Designer.
    • Install the certificate into the WebSphere Application Server truststore.
      1. Log in to the WebSphere Application Server administrator console.
      2. Select Security > SSL Certificate and Key Management > Key Stores and Certificates > nodeDefaultTrustStore > Signer Certificates
      3. Click Retrieve from Port.
      4. Select the hostname and SSL port of the IBM Integration Bus and click Retrieve Signer Information.
    • Install into WebSphere Application Server JVM certificate store
      1. Start ikeyman in WAS_home/java/jre/bin .
      2. Open the certificates file in WAS_home/java/jre/lib/security. The password, if unchanged, is changeit.
      3. The store already contains many standard certificates and security providers.
      4. Add both the IBM Integration Bus self-signed certificate and the BPM signer certificate that you extracted earlier into the store.
      5. Close ikeyman and restart your BPM server.
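
The following script is an added verification helper and is not code from the IBM page. It checks the outcome of step 2 by parsing the mqsireportproperties output shown above, and adds an out-of-band fingerprint comparison for the Retrieve from Port action in step 4, which otherwise trusts whatever certificate the port presents at that moment. It assumes the property names and name='value' layout shown in the step 2 output, that openssl is available, and uses a hypothetical host name, port and fingerprint in the usage comment at the end.

```shell
#!/bin/sh
# Added verification helper, not part of the IBM page. Assumes the
# BrokerRegistry property names and the name='value' layout shown by
# "mqsireportproperties <node> -o BrokerRegistry -r" in step 2.

# Print the value of one property from report output read on stdin.
# Usage: registry_value <propertyName>
registry_value() {
    sed -n "s/^[[:space:]]*$1='\([^']*\)'.*/\1/p" | head -n 1
}

# Succeed only if both store paths are set and both store types are JKS,
# that is, the mqsichangeproperties commands from step 1 took effect.
check_broker_registry() {
    report=$1
    ks=$(printf '%s\n' "$report" | registry_value brokerKeystoreFile)
    ts=$(printf '%s\n' "$report" | registry_value brokerTruststoreFile)
    kstype=$(printf '%s\n' "$report" | registry_value brokerKeystoreType)
    tstype=$(printf '%s\n' "$report" | registry_value brokerTruststoreType)
    [ -n "$ks" ] && [ -n "$ts" ] && [ "$kstype" = JKS ] && [ "$tstype" = JKS ]
}

# Normalise a certificate fingerprint so values copied from different tools
# (ikeyman, keytool, openssl) compare equal: drop colons and spaces, uppercase.
normalize_fp() {
    printf '%s' "$1" | tr -d ': ' | tr 'a-f' 'A-F'
}

# Compare the SHA-256 fingerprint of the certificate that a TLS port presents
# with one obtained out of band from the IBM Integration Bus administrator.
# Usage: verify_port_fingerprint <host> <port> <expectedFingerprint>
verify_port_fingerprint() {
    host=$1; port=$2; expected=$3
    actual=$(openssl s_client -connect "$host:$port" </dev/null 2>/dev/null \
        | openssl x509 -noout -fingerprint -sha256 | cut -d= -f2)
    [ "$(normalize_fp "$actual")" = "$(normalize_fp "$expected")" ]
}

# Constructed sample output, modelled on the report shown in step 2.
SAMPLE_REPORT=$(cat <<'EOF'
BrokerRegistry
  uuid='BrokerRegistry'
  brokerKeystoreType='JKS'
  brokerKeystoreFile='/var/mqm/BrokerKeyStore.jks'
  brokerTruststoreType='JKS'
  brokerTruststoreFile='/var/mqm/BrokerTrustStore.jks'
  brokerTruststorePass=''
EOF
)

# Constructed sample where the truststore property was never set.
INCOMPLETE_REPORT=$(cat <<'EOF'
BrokerRegistry
  brokerKeystoreType='JKS'
  brokerKeystoreFile='/var/mqm/BrokerKeyStore.jks'
  brokerTruststoreType='JKS'
  brokerTruststoreFile=''
EOF
)

if check_broker_registry "$SAMPLE_REPORT"; then
    echo "sample report: keystore and truststore are configured"
fi
if ! check_broker_registry "$INCOMPLETE_REPORT"; then
    echo "incomplete report: truststore missing, rerun mqsichangeproperties"
fi

# Against a live node (hypothetical host, port and fingerprint), run:
#   check_broker_registry "$(mqsireportproperties integrationnodename -o BrokerRegistry -r)"
#   verify_port_fingerprint iib.example.internal 7083 "AB:CD:...:EF"
```

Run the fingerprint check before clicking Retrieve Signer Information in step 4, with the expected value read from the IBM Integration Bus keystore by its administrator rather than from the network; if the two differ, stop and find out which certificate the port is actually serving.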

Results

Your environment now supports SSL between BPM and IBM Integration Bus and you can see the certificate that is installed in the truststore.