Configuring TLS 1.3 for QMF Standalone Server

You can configure the TLS 1.3 protocol on the QMF Server to use it as a standalone server.

About this task

To configure TLS on QMF Server as a standalone server, perform the following steps:

Procedure

  1. Create a Jetty Server instance.
    To create a Jetty Server instance:
    1. Set up the standalone Jetty Server using the QMFServerSetup.jar file and validate that the application data and the server files are created.
  2. Configure the Jetty server to run on TLS 1.3.
    To configure the Jetty server to run on TLS 1.3:
    1. Open the {AppData}\IBM\QMF Server\jettyXMLConf\jetty.xml file.
    2. Uncomment all the lines inside the tag <New id="sslContextFactory" class="org.eclipse.jetty.util.ssl.SslContextFactory">.
    3. Add the following lines inside the tag <New id="sslContextFactory" class="org.eclipse.jetty.util.ssl.SslContextFactory">:
      <Set name="KeyStorePath">{KeyStorePath}\keystore.jks</Set> 
      <Set name="KeyStorePassword">{KeystorePassword}</Set> 
      <Set name="KeyManagerPassword">{KeystorePassword}</Set> 
      <Set name="TrustStorePath">{TrustStorePath}\truststore.jks</Set> 
      <Set name="TrustStorePassword">{TrustStorePassword}</Set> 
      <Set name="IncludeProtocols"> 
          <Array type="java.lang.String"> 
              <Item>TLSv1.3</Item> 
          </Array> 
      </Set> 
    4. Under the section <!-- HTTP Connector [START] -->, inside the tag <Array type="org.eclipse.jetty.server.Connector">, comment out all the lines in the <Item> tag. Commenting out this section disables the HTTP connector settings.
    5. Under the section <!-- SSL/HTTPS Connector [START] -->, inside the tag <Array type="org.eclipse.jetty.server.Connector">, uncomment all the lines in the <Item> tag. Removing the comments enables the SSL Connector settings.
    6. Save the file.
  3. Configure the startServer command.
    1. Open the startServer.cmd file with Notepad++ or any other editor.
    2. Replace java --add-opens=java.base/java.io=ALL-UNNAMED -jar QMFServer.jar above the popd command with the following line:
       java -Dfile.encoding=UTF-8 -Dqmf.activemq.protocol=ssl -Djavax.net.ssl.trustStore={KeyStorePath}\keystore.jks -Djavax.net.ssl.trustStorePassword=changeit --add-opens=java.base/java.io=ALL-UNNAMED -jar QMFServer.jar
      This enables the server to recognize the TLS connection established with the QMF Server Registry.
      Note: Adding the definition -Dqmf.activemq.protocol=ssl in the file will configure the ActiveMQ communication in SSL mode.
  4. Start the server by running the cmd file.
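
The settings from step 2 can be checked before the server is started. The following Python script is an added example, not part of the QMF documentation or product: it parses a jetty.xml and reports whether sslContextFactory is active, whether IncludeProtocols lists only TLSv1.3, and whether any uncommented connector lacks an SslConnectionFactory. The sample XML is constructed and simplified, and it assumes the connectors use Jetty's ServerConnector and SslConnectionFactory classes.

```python
import xml.etree.ElementTree as ET

REQUIRED = ("KeyStorePath", "KeyStorePassword", "KeyManagerPassword",
            "TrustStorePath", "TrustStorePassword")
CONNECTOR_ITEMS = ".//Array[@type='org.eclipse.jetty.server.Connector']/Item"

def audit_jetty_xml(xml_text):
    """Return a list of findings; an empty list means every check passed."""
    root = ET.fromstring(xml_text)  # the parser drops commented-out XML
    factory = next((e for e in root.iter("New")
                    if e.get("id") == "sslContextFactory"), None)
    if factory is None:
        return ["sslContextFactory is missing or still commented out"]
    findings = []
    sets = {s.get("name"): s for s in factory.findall("Set")}
    for name in REQUIRED:
        if name not in sets or not (sets[name].text or "").strip():
            findings.append(f"{name} is not set")
    include = sets.get("IncludeProtocols")
    protocols = ([] if include is None
                 else [(i.text or "").strip() for i in include.iter("Item")])
    if protocols != ["TLSv1.3"]:
        findings.append(f"IncludeProtocols is {protocols}, expected ['TLSv1.3']")
    # Assumption: an active connector <Item> with no SslConnectionFactory is plaintext.
    for item in root.findall(CONNECTOR_ITEMS):
        classes = [n.get("class", "") for n in item.iter("New")]
        if not any(c.endswith("SslConnectionFactory") for c in classes):
            findings.append("active connector without SslConnectionFactory (plaintext HTTP)")
    return findings

# Constructed, simplified sample modelled on the settings above (not the shipped file).
SAMPLE = r"""<Configure id="Server" class="org.eclipse.jetty.server.Server">
<New id="sslContextFactory" class="org.eclipse.jetty.util.ssl.SslContextFactory">
  <Set name="KeyStorePath">C:\ks\keystore.jks</Set>
  <Set name="KeyStorePassword">example</Set>
  <Set name="KeyManagerPassword">example</Set>
  <Set name="TrustStorePath">C:\ks\truststore.jks</Set>
  <Set name="TrustStorePassword">example</Set>
  <Set name="IncludeProtocols"><Array type="java.lang.String">
    <Item>TLSv1.3</Item></Array></Set>
</New>
<Set name="connectors"><Array type="org.eclipse.jetty.server.Connector">
  <!-- <Item><New class="org.eclipse.jetty.server.ServerConnector"/></Item> -->
  <Item><New class="org.eclipse.jetty.server.ServerConnector"><Arg>
    <New class="org.eclipse.jetty.server.SslConnectionFactory"/></Arg></New></Item>
</Array></Set>
</Configure>"""
if __name__ == "__main__":
    print(audit_jetty_xml(SAMPLE) or "jetty.xml passes the TLS 1.3 checks")
```

To check a real file, pass its contents to audit_jetty_xml() and treat any returned finding as a reason not to start the server yet.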