Viewing and setting keystore and truststore runtime properties at integration server level
Configure an integration server to refer to a keystore, a truststore, or both, before you deploy any message flows that require SSL connections, policy set or bindings for signature, encryption, or X.509 authentication, and before you enable services that use SSL connections, such as IBM® Cloud reporting services.
About this task
An integration server is a named grouping of message flows that have been assigned to an integration node. The integration node enforces a degree of isolation between message flows in distinct integration servers by ensuring that they run in separate address spaces, or as unique processes. For more information about integration servers, see Integration servers.
Integration server keystore and truststore runtime property values override equivalent property values on the integration node, if any are set.
Keystores can contain two kinds of entries: key entries and trusted certificate entries. If a keystore is used to contain trusted certificates, it is typically referred to as a truststore. IBM Integration Bus can refer to a keystore and a truststore per integration server. When the integration node is encrypting or decrypting, it uses entries in its keystore; if the integration node is verifying a signature or performing X.509 authentication, it uses entries in its truststore.
Displaying integration server level properties
About this task
To display integration server level properties, run the command:
mqsireportproperties integrationNodeName -o ComIbmJVMManager -a -e integration_server
Updating the integration server reference to a keystore
About this task
mqsichangeproperties integrationNodeName -e integration_server -o ComIbmJVMManager -n keystoreFile -v c:\keystore\server.keystore
where c:\keystore\server.keystore is the fully qualified path to the Java™ keystore (JKS), containing the private certificates that will be used by the integration server.
Updating the integration server reference to a truststore
About this task
mqsichangeproperties integrationNodeName -e integration_server -o ComIbmJVMManager -n truststoreFile -v c:\truststore\server.truststore
where c:\truststore\server.truststore is the fully qualified path to the Java truststore containing the public certificates that are required by the integration server to establish trust with the services that it will connect to.
Updating the keystore and truststore passwords
About this task
- To update the integration node with the keystore password, see Updating the integration node with the keystore password.
- To update the integration node with the truststore password, see Updating the integration node with the truststore password.
- To update the integration node with a private key password, see Updating the integration node with a private key password.
brokerKeystore::password. To use a password other than the default integration node password, use the following commands:
mqsichangeproperties integrationNodeName -e integration_server -o ComIbmJVMManager -n keystorePass -v integration_server::keystorePass
mqsisetdbparms integrationNodeName -n integration_server::keystorePass -u na -p password
brokerTruststore::password. To use a password other than the default integration node password, use the following commands:
mqsichangeproperties integrationNodeName -e integration_server -o ComIbmJVMManager -n truststorePass -v integration_server::truststorePass
mqsisetdbparms integrationNodeName -n integration_server::truststorePass -u na -p password
Adding new certificates to a keystore or truststore
About this task
If you add new certificates to a keystore or truststore, to ensure that the new certificates are picked up, you must reload the Java virtual machine (JVM). You can reload the JVM by restarting the integration server.
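After changing the properties on this page, the output of the mqsireportproperties command shown under "Displaying integration server level properties" can be checked for the four keystore and truststore values. The script below is an added example, not IBM code. The function names, the sample report and the assumed name='value' output layout are constructions for illustration.

```sh
# Added example, not IBM code: audit saved output of
#   mqsireportproperties integrationNodeName -o ComIbmJVMManager -a -e integration_server
# Assumption: each property is printed on its own line as name='value'.
SAMPLE=$(cat <<'EOF'
ComIbmJVMManager
  keystoreFile='c:\keystore\server.keystore'
  keystorePass='integration_server::keystorePass'
  truststoreFile='server.truststore'
  truststorePass=''
EOF
)   # constructed sample report, illustrative values only

# prop NAME: print the value of property NAME found in $REPORT (empty if absent).
prop() {
    printf '%s\n' "$REPORT" |
        sed -n "s/^[[:space:]]*$1='\(.*\)'[[:space:]]*\$/\1/p" | head -n 1
}

# is_full_path VALUE: succeed for /unix/path, c:\path or c:/path.
is_full_path() {
    case $1 in /* | [A-Za-z]:\\* | [A-Za-z]:/*) return 0 ;; esac
    return 1
}

# audit_stores REPORT_TEXT: print one finding per line; exit status = number of findings.
audit_stores() {
    REPORT=$1; findings=0
    for kind in keystore truststore; do
        file=$(prop "${kind}File")
        pass=$(prop "${kind}Pass")
        if [ -z "$file" ]; then
            printf '%s\n' "${kind}File: not set on the integration server; any integration node value applies"
            findings=$((findings + 1))
        elif ! is_full_path "$file"; then
            printf '%s\n' "${kind}File: '$file' is not a fully qualified path"
            findings=$((findings + 1))
        fi
        case $pass in
            '' | *::*) ;;   # unset, or a name::resource reference as used on this page
            *)  printf '%s\n' "${kind}Pass: value is not a name::${kind}Pass reference"
                findings=$((findings + 1)) ;;
        esac
    done
    return "$findings"
}

audit_stores "$SAMPLE" || true   # reports the relative truststoreFile path
```

The password check never prints the stored value, so the findings can be logged even when a literal password was entered by mistake.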