IBM Integration Bus, Version 9.0.0.8 Operating Systems: AIX, HP-Itanium, Linux, Solaris, Windows, z/OS


Enabling SSL on the WebSphere MQ Java Client

The WebSphere® MQ Java™ Client supports SSL-encrypted connections over the server-connection (SVRCONN) channel between an application and the queue manager. Configure SSL support for connections between applications that use the CMP (including the IBM® Integration Toolkit and the IBM Integration Explorer) and a broker.

Use the following instructions to implement SSL security on the SVRCONN channel. You must have the appropriate software to manage SSL certificate stores; for example, you can install either the WebSphere MQ Client or the WebSphere MQ Server, and use the IBM Key Management tools for the client. You can use either JKS or PKCS12 stores.
  1. Use WebSphere MQ facilities to update the SVRCONN definition to specify the required value in the SSLCIPH attribute.
  2. In the IBM Integration Toolkit or IBM Integration Explorer, define the connection to the broker. You can set the SSL fields only when you define the connection; you cannot change them later. If you have already defined your connection, delete it, and define it again.
  3. Select the cipher suite that matches the value you set for the SSLCIPH property of the SVRCONN channel.
  4. Enter the full path and name for the keystore and truststore, or click Browse to search for them.
  5. Add the queue manager certificate to the client truststore.
  6. For one-way authentication, when the client CMP application authenticates the broker, complete the following steps:
    1. Generate or obtain all the appropriate keys and certificates. You must include a signed pkcs12 certificate for the server and the appropriate public key for the certificate authority that signed the pkcs12 certificate. See Creating SSL certificates for the WebSphere MQ Java Client for some example steps for creating keys and certificates.
    2. Add the pkcs12 certificate to the queue manager certificate store and assign it to the queue manager. Use the standard WebSphere MQ facilities; for example, WebSphere MQ Explorer.
    3. Add the certificate of the certificate authority to the Java Secure Socket Extension (JSSE) truststore of the Java Virtual Machine (JVM) at the CMP application end by using a tool such as Keytool.
    4. Decide which cipher suite to use, and set it on the server-connection channel by using WebSphere MQ Explorer. This channel has a default name of SYSTEM.BKR.CONFIG; this name is used unless you specified a different name in the Connect to Remote Integration Node wizard; see Connecting to a remote broker and Connecting to a remote integration node on z/OS.
    5. Add the required parameters (cipher suite, for example) to the CMP application. If a truststore other than the default is used, its full path must be passed in by the truststore parameter.
    After you complete these steps, the CMP application connects to the broker if it has a valid key that is signed by a trusted certificate authority.
  7. For two-way authentication, when the broker also authenticates the CMP application, complete the following additional steps:
    1. Generate or obtain all the appropriate keys and certificates. You must include a signed pkcs12 certificate for the client and the appropriate public key for the certificate authority that signed the pkcs12 certificate. See Creating SSL certificates for the WebSphere MQ Java Client for some example steps for creating keys and certificates.
    2. Add the certificate of the certificate authority to the queue manager certificate store by using the standard WebSphere MQ facilities.
    3. Set the server-connection channel to always authenticate. Specify SSLCAUTH(REQUIRED) in runmqsc, or in WebSphere MQ Explorer.
    4. Add the pkcs12 certificate to the JSSE keystore of the JVM at the CMP application end by using a tool such as Keytool.
    5. If you are not using the default keystore, its full path must be passed into the CMP through the keystore parameter.
    After you complete these steps, the broker allows the CMP application to connect only if that application has a certificate signed by one of the certificate authorities in its keystore.

You can make further restrictions by using the sslPeerName field; for example, you can allow connections only from certificate holders with a specific company or department name in their certificates. In addition, you can invoke a security exit for communications between the CMP applications and the broker; see Using security exits.
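The two-way authentication steps above and the sslPeerName restriction can be illustrated with an added example that is not IBM's code and is not the CMP API: it uses Python's ssl module to show the server-side setting that corresponds to SSLCAUTH(REQUIRED), and a simplified peer-name filter over the subject of a presented client certificate. The matching rules (comma-separated ATTR=value clauses, case-insensitive, trailing or leading * wildcards) are an assumption that approximates, and does not reproduce, WebSphere MQ's exact SSLPEER semantics; the certificate subject is constructed sample data.

```python
import fnmatch
import ssl
from typing import Dict, List

# Constructed sample in the shape returned by ssl.SSLSocket.getpeercert()
# for a client certificate issued to a CMP application (values are made up).
SAMPLE_PEER_CERT = {
    "subject": (
        (("countryName", "GB"),),
        (("organizationName", "Example Corp"),),
        (("organizationalUnitName", "Integration"),),
        (("commonName", "cmp-toolkit-01"),),
    ),
}

# Short X.500 attribute names used in a peer-name string, mapped to the
# long names that Python's ssl module emits in getpeercert().
_ATTR_NAMES = {"CN": "commonName", "O": "organizationName",
               "OU": "organizationalUnitName", "C": "countryName",
               "L": "localityName", "ST": "stateOrProvinceName"}


def server_context(require_client_cert: bool) -> ssl.SSLContext:
    """Server-side context; require_client_cert=True plays the role of
    SSLCAUTH(REQUIRED): the handshake fails unless the client presents a
    certificate that chains to a CA loaded with load_verify_locations()."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.verify_mode = ssl.CERT_REQUIRED if require_client_cert else ssl.CERT_NONE
    return ctx


def subject_attributes(peer_cert: dict) -> Dict[str, List[str]]:
    """Flatten getpeercert()['subject'] into {longName: [values...]}."""
    attrs: Dict[str, List[str]] = {}
    for rdn in peer_cert.get("subject", ()):
        for name, value in rdn:
            attrs.setdefault(name, []).append(value)
    return attrs


def peer_name_matches(peer_cert: dict, peer_name: str) -> bool:
    """Simplified sslPeerName check (assumption, not MQ's exact SSLPEER rules).
    Every clause in 'ATTR=value, ATTR=value' must be satisfied by at least one
    subject attribute of that type; unknown or empty clauses never match."""
    attrs = subject_attributes(peer_cert)
    for clause in peer_name.split(","):
        key, _, pattern = clause.strip().partition("=")
        long_name = _ATTR_NAMES.get(key.strip().upper())
        if long_name is None or not pattern.strip():
            return False
        wanted = pattern.strip().lower()
        if not any(fnmatch.fnmatchcase(v.lower(), wanted) for v in attrs.get(long_name, [])):
            return False
    return True
```

A failed match should be logged with the full subject DN and the configured peer name, since a rejected connection from a certificate signed by a trusted CA is exactly the event worth investigating.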

For more information about configuring connections to be secured with SSL, see the WebSphere MQ Java Client developerWorks® article.


ap12232_.htm | Last updated Friday, 21 July 2017