Securing JMS communications in Liberty by using SSL
You can configure the transportSecurity-1.0 feature to enable secure communication between the two Liberty servers.
Before you begin
Procedure
- Configure SSL on the server.
- Service integration bus has the following default SSL configuration.
<wasJmsEndpoint host="*" wasJmsSSLPort="7286">
</wasJmsEndpoint>
Service integration bus inbound uses the <keyStore> element as the default SSL configuration. See Enabling SSL communication in Liberty for detailed information.
- To modify the configuration to point to a different SSL configuration other than the default, refer to the following example.
<keyStore id="customKeyStore" location="key.jks" type="JKS" password="{xor}NDombm1s" />
<ssl id="CustomSslNewOptions" keyStoreRef="customKeyStore"/>
<wasJmsEndpoint host="*" wasJmsSSLPort="7286">
  <sslOptions sslRef="CustomSslNewOptions" />
</wasJmsEndpoint>
- If the <wasJmsEndpoint> configuration is successful, the service integration bus binds to port 7286 for secure communications. The JMS client can then connect to the messaging engine securely by using SSL.
- Configuring the client.
- By default, service integration bus creates an outbound chain that is called BootstrapSecureMessaging. This chain uses the <keyStore> element as a default configuration.
<wasJmsOutbound id="BootstrapSecureMessaging" useSSL="true"> </wasJmsOutbound>
- To change the default SSL configuration to point to some other configuration, refer to the following example:
<keyStore id="customKeyStore" location="key.jks" type="JKS" password="{xor}NDombm1s" />
<ssl id="CustomSslNewOptions" keyStoreRef="customKeyStore"/>
<wasJmsOutbound id="BootstrapSecureMessaging" useSSL="true">
  <sslOptions sslRef="CustomSslNewOptions" />
</wasJmsOutbound>
- To connect to a messaging engine by using secure communication, specify a secure chain in the remoteServerAddress attribute of the <properties.wasJms> element in the connection factory.
<jmsQueueConnectionFactory jndiName="jndi_JMS_BASE_QCF">
  <properties.wasJms remoteServerAddress="localhost:7286:BootstrapSecureMessaging" />
</jmsQueueConnectionFactory>
- You can also create a custom outbound chain and use it to connect to the messaging engine.
<keyStore id="customKeyStore" location="key.jks" type="JKS" password="{xor}NDombm1s" />
<ssl id="CustomSslNewOptions" keyStoreRef="customKeyStore"/>
<wasJmsOutbound id="jmsSecureCustomChain" useSSL="true">
  <sslOptions sslRef="CustomSslNewOptions" />
</wasJmsOutbound>
Now the jmsSecureCustomChain chain is enabled. It uses the CustomSslNewOptions SSL configuration for its keystore settings.
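The following check is an added example, not part of the product documentation or IBM's code: it reads a client server.xml and flags connection factories whose remoteServerAddress names a chain that is not SSL-enabled, sslRef values with no matching <ssl> element, and keystore passwords stored with the reversible {xor} encoding. The sample configuration, the jndiName values, and the BootstrapBasicMessaging entry on port 7276 are constructed for the illustration.

```python
import xml.etree.ElementTree as ET

# Constructed client server.xml. jms/plainQCF uses the default non-SSL chain.
SAMPLE = """<server>
  <keyStore id="customKeyStore" location="key.jks" type="JKS" password="{xor}NDombm1s"/>
  <ssl id="CustomSslNewOptions" keyStoreRef="customKeyStore"/>
  <wasJmsOutbound id="jmsSecureCustomChain" useSSL="true">
    <sslOptions sslRef="CustomSslNewOptions"/>
  </wasJmsOutbound>
  <jmsQueueConnectionFactory jndiName="jms/secureQCF">
    <properties.wasJms remoteServerAddress="localhost:7286:jmsSecureCustomChain"/>
  </jmsQueueConnectionFactory>
  <jmsQueueConnectionFactory jndiName="jms/plainQCF">
    <properties.wasJms remoteServerAddress="localhost:7276:BootstrapBasicMessaging"/>
  </jmsQueueConnectionFactory>
</server>"""

def audit(server_xml):
    """Return findings about JMS transport security in a Liberty server.xml."""
    root = ET.fromstring(server_xml)
    parent = {child: p for p in root.iter() for child in p}
    ssl_ids = {s.get("id") for s in root.iter("ssl")}
    findings = []
    # BootstrapSecureMessaging is created by default with SSL enabled.
    secure = {"BootstrapSecureMessaging"}
    for chain in root.iter("wasJmsOutbound"):
        cid = chain.get("id")
        # Assumption: a chain without useSSL="true" is treated as plaintext.
        if chain.get("useSSL", "").lower() == "true":
            secure.add(cid)
        else:
            secure.discard(cid)
        for opt in chain.iter("sslOptions"):
            if opt.get("sslRef") not in ssl_ids:
                findings.append(f"{cid}: sslRef '{opt.get('sslRef')}' has no <ssl> element")
    for props in root.iter("properties.wasJms"):
        jndi = parent[props].get("jndiName")
        # remoteServerAddress is a comma-separated list of host:port:chain.
        for triplet in filter(None, props.get("remoteServerAddress", "").split(",")):
            parts = triplet.strip().split(":")
            if len(parts) != 3 or parts[2] not in secure:
                findings.append(f"{jndi}: '{triplet.strip()}' does not use an SSL chain")
    for ks in root.iter("keyStore"):
        if ks.get("password", "").startswith("{xor}"):
            findings.append(f"keyStore {ks.get('id')}: {{xor}} password is only encoded")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```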