Supplying a customized SSLSocketFactory in IBM MQ classes for Java
If you use a customized JSSE Socket Factory, set the MQEnvironment.sslSocketFactory to the customized factory object. Details vary between different JSSE implementations.
Different JSSE implementations can provide different features. For example, a specialized JSSE implementation might allow configuration of a particular model of encryption hardware. Additionally, some JSSE providers allow customization of keystores and truststores by program, or allow the choice of identity certificate from the keystore to be altered. In JSSE, all these customizations are abstracted into a factory class, javax.net.ssl.SSLSocketFactory.
A typical sequence of steps for creating a customized SSLSocketFactory is:
- Create an SSLContext object using a static method on SSLContext
- Initialize this SSLContext with appropriate KeyManager and TrustManager implementations (created from their own factory classes)
- Create an SSLSocketFactory from the SSLContext
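Then set MQEnvironment.sslSocketFactory to the resulting factory:
```java
// sslContext is the SSLContext created and initialized in the steps above
javax.net.ssl.SSLSocketFactory sf = sslContext.getSocketFactory();
MQEnvironment.sslSocketFactory = sf;
```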
IBM® MQ classes for Java use this SSLSocketFactory to connect to the IBM MQ queue manager. This property can also be set using the CMQC.SSL_SOCKET_FACTORY_PROPERTY. If sslSocketFactory is set to null, the default SSLSocketFactory of the JVM is used. This property is ignored if sslCipherSuite is not set.
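The steps above assembled into one program, as an added example rather than code from the IBM documentation. The class name MqTlsSetup, the keystore and truststore paths, the passwords and the cipher suite value are placeholders, and the key entries are assumed to share the keystore password.

```java
import com.ibm.mq.MQEnvironment;
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManagerFactory;

public class MqTlsSetup {
    // Load a keystore file; the store type and path are deployment-specific.
    static KeyStore load(String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        return ks;
    }

    static SSLSocketFactory buildFactory(String keyStorePath, char[] keyStorePw,
            String trustStorePath, char[] trustStorePw) throws Exception {
        // KeyManager: supplies the client's identity certificate and private key.
        KeyManagerFactory kmf =
            KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(load(keyStorePath, keyStorePw), keyStorePw);

        // TrustManager: decides which queue manager certificates are accepted.
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(load(trustStorePath, trustStorePw));

        SSLContext sslContext = SSLContext.getInstance("TLSv1.2");
        sslContext.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return sslContext.getSocketFactory();
    }

    public static void main(String[] args) throws Exception {
        // Placeholder paths and passwords; read real secrets from a protected source.
        MQEnvironment.sslSocketFactory = buildFactory(
            "/path/to/client-keystore", "changeit".toCharArray(),
            "/path/to/truststore", "changeit".toCharArray());
        // The factory is ignored unless sslCipherSuite is set. Placeholder value:
        // use the suite name that matches the channel's CipherSpec on your JRE.
        MQEnvironment.sslCipherSuite = "TLS_RSA_WITH_AES_128_CBC_SHA256";
    }
}
```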
When you use custom SSLSocketFactories, consider the effect of TCP/IP connection sharing. If connection sharing is possible, a new socket is not requested from the supplied SSLSocketFactory, even if the socket it would produce for a subsequent connection request would differ in some way. For example, if a different client certificate is to be presented on a subsequent connection, then connection sharing must not be allowed.