Securing integration services by using SSL

You can secure integration services by configuring the SOAP/HTTP binding or JavaScript client API to use SSL and certificates.

Before you begin

  • Create the integration server to which you want to deploy the integration service. Follow the instructions in Creating an integration server.
  • Decide which HTTP Listener you want to use for HTTPS messages. For information about which listener to use for HTTPS messages, see HTTP listeners.
  • Set up a public key infrastructure (PKI) to configure the keystores, truststores, passwords, and certificates to enable SSL communication. Follow the instructions in Setting up a public key infrastructure. This results in the integration server or integration node being configured for the PKI.

About this task

Secure your integration services by configuring the integration node or integration server to use the PKI and SSL, and configuring the integration service bindings to use SSL.

Procedure

To secure your integration services by using SSL, complete the following steps:

  1. Configure the integration server or integration node to use SSL.
    Complete one of the following procedures, depending on which HTTP listener you have chosen to use for HTTPS messages:
      • Configuring an integration node to use SSL
      • Configuring an integration server to use SSL
  2. Configure the integration service bindings to use SSL.

Configuring an integration node to use SSL

If you want to use the integration node listener for HTTPS, configure values for the node's HTTP listener properties.

About this task

Complete the following steps:

Procedure

  1. Optional: If you do not want to use the default port 7083 for HTTPS messages, specify the port on which the integration node listens:
    mqsichangeproperties integrationNodeName -b httplistener -o HTTPSConnector -n port -v Port_to_listen_on_for_https

    On UNIX systems, only processes that run under a privileged user account (in most cases, root) can bind to ports lower than 1024.

    For the integration node to listen on these ports, the user ID under which the integration node is started must be root.
  2. Optional: Enable Client Authentication (mutual authentication):
    mqsichangeproperties integrationNodeName -b httplistener -o HTTPSConnector -n ReqClientAuth -v true
  3. Restart the integration node after changing one or more of the HTTP listener properties.
  4. Optional: Use the following commands to display HTTP listener properties:
    mqsireportproperties integrationNodeName -b httplistener -o AllReportableEntityNames -a
    mqsireportproperties integrationNodeName -b httplistener -o HTTPListener -a
    mqsireportproperties integrationNodeName -b httplistener -o HTTPSConnector -a

Configuring an integration server to use SSL

If you want to use the integration server listener for HTTPS, configure values for the server's HTTP listener properties.

About this task

Complete the following steps:

Procedure

  1. Optional: Specify the port on which the integration server listens for HTTPS requests, or leave the value unset to use the next available port number:
    mqsichangeproperties integrationNodeName -e integration_server_name -o HTTPSConnector -n explicitlySetPortNumber -v port_number
    On UNIX systems, only processes that run under a privileged user account (in most cases, root) can bind to ports lower than 1024. For the integration server to listen on these ports, the user ID under which the integration node is started must be root.

    If you do not complete this step, the first available port in the default range (7843 - 7884) is used.

  2. Optional: Enable Client Authentication (mutual authentication):
    mqsichangeproperties integrationNodeName -e integration_server_name -o HTTPSConnector -n ReqClientAuth -v true
  3. Optional: Change the SSL protocol.
    The default protocol for the HTTPInput node is TLS. The only supported versions of TLSProtocols are TLSv1.2 and TLSv1.3. The values are not case-sensitive. If TLSProtocols is set to all, both versions are enabled. For more information, see Integration server HTTP listener parameters (SOAP and HTTP nodes). Run the following command to change the protocol:
    mqsichangeproperties integrationNodeName -e integration_server_name -o HTTPSConnector -n TLSProtocols -v TLSv1.2
  4. Restart the integration node after changing one or more of the listener properties.
  5. Optional: Use the following command to display HTTPS properties:
    mqsireportproperties integrationNodeName -e integration_server_name -o HTTPSConnector -r
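
The constraints stated in this procedure, as an added example that is not part of the product documentation: a shell pre-flight that rejects a TLSProtocols value other than TLSv1.2, TLSv1.3, or all, and rejects a port below 1024 for a non-root user, before printing the three mqsichangeproperties commands for review. The function names and the sample node, server, and user ID values are assumptions.

```shell
#!/bin/sh
# Added example: validate the values this procedure constrains, then print
# the mqsichangeproperties commands. Function names are hypothetical; only
# the command syntax and property names come from the page.

# valid_tls VALUE: succeeds for TLSv1.2, TLSv1.3 or all (not case-sensitive).
valid_tls() {
  case "$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')" in
    tlsv1.2|tlsv1.3|all) return 0 ;;
    *) return 1 ;;
  esac
}

# valid_port PORT USER_ID: PORT must be 1-65535, and a port below 1024
# is accepted only when USER_ID is 0 (root), as on UNIX systems.
valid_port() {
  case "$1" in ''|*[!0-9]*) return 1 ;; esac
  [ "$1" -ge 1 ] && [ "$1" -le 65535 ] || return 1
  if [ "$1" -lt 1024 ] && [ "$2" -ne 0 ]; then return 1; fi
  return 0
}

# server_https_cmds NODE SERVER PORT TLS USER_ID
# Prints the commands for an integration server listener, including the
# optional client authentication step. Returns 1 and prints no command
# when a value is rejected.
server_https_cmds() {
  node=$1 server=$2 port=$3 tls=$4 user_id=$5
  valid_port "$port" "$user_id" || { echo "rejected port: $port" >&2; return 1; }
  valid_tls "$tls" || { echo "rejected TLSProtocols: $tls" >&2; return 1; }
  base="mqsichangeproperties $node -e $server -o HTTPSConnector"
  echo "$base -n explicitlySetPortNumber -v $port"
  echo "$base -n ReqClientAuth -v true"
  echo "$base -n TLSProtocols -v $tls"
}

# Constructed sample values: node ACENODE1, server default, user ID 1001.
server_https_cmds ACENODE1 default 7843 TLSv1.2 1001
```

Pass the output of `id -u` for the account that starts the integration node as the last argument, and restart the integration node after running the printed commands.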

Configuring the integration service bindings to use SSL

About this task

Configure the integration service bindings to use SSL by completing the following steps:

Procedure

  1. In the IBM App Connect Enterprise Toolkit, open your integration service in the integration service editor by double-clicking Integration Service Description in the Application Development view.
  2. Click the Service tab.
    The integration service description is displayed, which includes the integration service bindings.
  3. If you are using the SOAP/HTTP binding, then click SOAP/HTTP Binding and select Use HTTPS from the HTTP Transport properties panel.
  4. If you are using the JavaScript client API, then click JavaScript client API and then select Use HTTPS from the Basic properties panel.
    Note: If you are using a web browser-based JavaScript application to call the integration service, then you must select Use HTTPS on both the SOAP/HTTP binding and the JavaScript client API. The HTTP proxy servlet routes requests only to endpoints that use the same protocol as the web browser. The HTTP proxy servlet routes requests to both the SOAP and JavaScript client API endpoints, and so both endpoints must match the web browser protocol.
  5. Save and redeploy the integration service.

Results

You have configured the integration service to use SSL.