Configuring HTTPInput and HTTPReply nodes to use SSL (HTTPS)

Configure the HTTPInput and HTTPReply nodes to communicate with other applications that use HTTPS by creating a keystore file, configuring the integration node or integration server to use SSL, and creating a message flow to process HTTPS requests.

Before you begin

Set up a public key infrastructure (PKI) at integration node level by following the instructions in Setting up a public key infrastructure.

About this task

Follow these steps to configure the HTTPInput and HTTPReply nodes to communicate with other applications using HTTP over SSL:

  1. If you are using the integration node listener: Configure the integration node to use SSL
  2. If you are using the integration server listener: Configure the integration server to use SSL
  3. Create a message flow
  4. Test your configuration

If you have configured your integration node and integration servers such that the integration node listener is used for some integration servers, and the integration server listener for other integration servers, you must complete step 1 for the first set of integration servers and step 2 for each integration server in the second set.

For information about which listener to use for HTTPS messages, see HTTP listeners.

Configuring the integration node to use SSL

About this task

Complete the following steps:

Procedure

  1. Turn on SSL support in the integration node, by setting a value for enableSSLConnector
    mqsichangeproperties integrationNodeName
      -b httplistener -o HTTPListener 
      -n enableSSLConnector -v true
  2. Optional: If you do not want to use the default port 7083 for HTTPS messages, specify the port on which the integration node listens:
    mqsichangeproperties integrationNodeName
      -b httplistener -o HTTPSConnector
      -n port -v Port_to_listen_on_for_https

    On UNIX systems, only processes that run under a privileged user account (in most cases, root) can bind to ports lower than 1024.

    For the integration node to listen on these ports, the user ID under which the integration node is started must be root.
  3. Optional: Enable Client Authentication (mutual authentication):
    mqsichangeproperties integrationNodeName -b httplistener -o HTTPSConnector
      -n clientAuth -v true 
  4. Restart the integration node after changing one or more of the HTTP listener properties.
  5. Optional: Use the following commands to display HTTP listener properties:
    mqsireportproperties integrationNodeName -b httplistener -o AllReportableEntityNames -a 
    mqsireportproperties integrationNodeName -b httplistener -o HTTPListener -a 
    mqsireportproperties integrationNodeName -b httplistener -o HTTPSConnector  -a 

Configuring an integration server to use SSL

About this task

Complete the following steps:

Procedure

  1. Optional: Specify a specific port on which the integration server listens for HTTPS requests, or leave the value unset to use the next available port number.
    mqsichangeproperties integrationNodeName
      -e integration_server_name -o HTTPSConnector
      -n explicitlySetPortNumber -v port_number
    On UNIX systems, only processes that run under a privileged user account (in most cases, root) can bind to ports lower than 1024. For the integration server to listen on these ports, the user ID under which the integration node is started must be root.

    If you do not complete this step, the first available port in the default range (7843 - 7884) is used.

  2. Optional: Enable Client Authentication (mutual authentication):
    mqsichangeproperties integrationNodeName
      -e integration_server_name -o HTTPSConnector
      -n clientAuth -v true 
  3. Optional: Change the SSL protocol.
    The default protocol for the HTTPInput node is TLS. Run the following command to change it to SSL:
    mqsichangeproperties integrationNodeName
      -e integration_server_name -o HTTPSConnector
      -n sslProtocol -v SSL
  4. Restart the integration node after changing one or more of the listener properties.
  5. Optional: Use the following command to display HTTPS properties:
    mqsireportproperties integrationNodeName 
      -e integration_server_name -o HTTPSConnector  -r 
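The two procedures above (node listener and integration server listener) differ only in which object the properties are set on. The following script, an added example rather than anything from the IBM documentation, wraps both into shell functions that also apply the privileged-port check the page describes. It assumes the mqsi* commands are on PATH (mqsiprofile sourced) and uses an MQSI_CMD variable so the commands can be printed instead of executed for a dry run.

```shell
#!/bin/sh
# Added example (not IBM's code): the mqsichangeproperties steps from the
# page wrapped in functions. MQSI_CMD is an assumption of this script: set
# MQSI_CMD=echo to see the commands without running them.
MQSI_CMD="${MQSI_CMD:-mqsichangeproperties}"

# On UNIX only root can bind ports below 1024; fail early rather than after a restart.
check_port() {
  port="$1"
  case "$port" in
    ''|*[!0-9]*) echo "invalid port: $port" >&2; return 1 ;;
  esac
  if [ "$port" -lt 1024 ] && [ "$(id -u)" -ne 0 ]; then
    echo "port $port is privileged; the integration node must run as root" >&2
    return 1
  fi
  return 0
}

# Node listener: enableSSLConnector on HTTPListener, port and clientAuth on HTTPSConnector.
# Usage: configure_node_https NODE PORT [true|false]
configure_node_https() {
  node="$1"; port="$2"; client_auth="${3:-false}"
  check_port "$port" || return 1
  "$MQSI_CMD" "$node" -b httplistener -o HTTPListener -n enableSSLConnector -v true &&
  "$MQSI_CMD" "$node" -b httplistener -o HTTPSConnector -n port -v "$port" &&
  "$MQSI_CMD" "$node" -b httplistener -o HTTPSConnector -n clientAuth -v "$client_auth"
}

# Server listener: explicitlySetPortNumber and clientAuth on that server's HTTPSConnector.
# Usage: configure_server_https NODE SERVER PORT [true|false]
configure_server_https() {
  node="$1"; server="$2"; port="$3"; client_auth="${4:-false}"
  check_port "$port" || return 1
  "$MQSI_CMD" "$node" -e "$server" -o HTTPSConnector -n explicitlySetPortNumber -v "$port" &&
  "$MQSI_CMD" "$node" -e "$server" -o HTTPSConnector -n clientAuth -v "$client_auth"
}

# After either function the integration node must still be restarted (mqsistop/mqsistart)
# for the listener properties to take effect, and mqsireportproperties can confirm them.
```

Run it as `MQSI_CMD=echo sh -c '. ./https.sh; configure_node_https MYNODE 7083 true'` to review the exact commands before applying them for real; with clientAuth set to true, remember that every client must then present a certificate the listener's truststore accepts.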

Creating a message flow to process HTTPS requests

About this task

You can create a simple message flow to use HTTPS by connecting an HTTPInput node to an HTTPReply node. The two most important properties to set on the HTTPInput node are:

  • Path suffix for URL; for example, /* or /testHTTPS.
  • Use HTTPS.

/* means that the HTTPInput node matches against any request that is sent to the HTTP listener on a designated port. This option is useful for testing purposes, but is not suitable for production systems.

You can now deploy the message flow to the broker. If you have completed all the documented steps, message BIP3132 is written to the local system log (on Windows, the event log), stating that the HTTPS listener has been started.

You can now test the system.

Testing your configuration

About this task

The simplest method of testing whether HTTPS is configured correctly is to use a Web browser to make a request to the integration node over HTTPS.

Start a Web browser and enter the following URL:
 https://localhost:7083/testHTTPS
Change values in the URL to reflect the changes that you have made in your broker configuration; for example, the port number. When a window is displayed asking you to accept the certificate, select Yes. The browser refreshes the window and displays an empty HTML page:
  • In Mozilla browsers, the empty HTML page looks like the following example:
    <html>   
      <body/> 
    </html>
  • In Internet Explorer, the following information is displayed:
    XML document must have a top level element. Error processing resource
    'https://localhost:7083/testHTTPS'

These responses mean that a blank page was returned, indicating that the setup worked correctly. To add content to the empty page, you can add a Compute node to the flow.

You can also use another HTTPS client, such as a Java™ or .NET client, instead of the Web browser. Depending on the type of client, you might need to export the certificate (which was created with keytool) from the keystore file associated with the HTTP listener, then import it into the keystore for the client. Read the client documentation to find out how to configure the client to make client connections over SSL.
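As an added example (not from the IBM documentation), the script below does the non-browser test described above from the command line: it exports the listener certificate from the keystore with keytool, probes the HTTPS URL with curl while verifying the server against that exported certificate, and optionally presents a client certificate for a listener configured with clientAuth=true. The keystore path, alias and password are placeholders, and KEYTOOL_CMD/CURL_CMD are assumptions of this script that allow a dry run.

```shell
#!/bin/sh
# Added example (not IBM's code). Keystore path, alias and store password
# are placeholders to be replaced with the values used when the keystore
# was created. KEYTOOL_CMD/CURL_CMD=echo prints the commands instead.
KEYTOOL_CMD="${KEYTOOL_CMD:-keytool}"
CURL_CMD="${CURL_CMD:-curl}"

# Export the listener's certificate as PEM so the client can verify the server
# against it instead of clicking through an "accept the certificate" prompt.
# Usage: export_listener_cert KEYSTORE ALIAS STOREPASS OUTFILE
export_listener_cert() {
  keystore="$1"; alias="$2"; storepass="$3"; out="$4"
  "$KEYTOOL_CMD" -exportcert -rfc -keystore "$keystore" -alias "$alias" \
    -storepass "$storepass" -file "$out"
}

# Request the URL with server verification pinned to the exported certificate.
# A client certificate and key are only needed when clientAuth is true.
# Usage: probe_https URL CACERT [CLIENT_CERT CLIENT_KEY]   (prints the HTTP status)
probe_https() {
  url="$1"; cacert="$2"; client_cert="$3"; client_key="$4"
  set -- -sS --cacert "$cacert" -o /dev/null -w '%{http_code}'
  if [ -n "$client_cert" ]; then
    set -- "$@" --cert "$client_cert" --key "$client_key"
  fi
  "$CURL_CMD" "$@" "$url"
}

# Map the status to the outcomes the page describes: 200 with a blank page is success,
# 000 is curl's value when no HTTP response arrived (handshake or connection failure).
interpret_status() {
  case "$1" in
    200) echo "HTTPS listener reachable; flow returned a blank page" ;;
    000) echo "TLS handshake or connection failed (check certificate and port)" ;;
    *)   echo "unexpected HTTP status $1" ;;
  esac
}

# Example run (placeholders):
#   export_listener_cert /path/to/listener.jks listenerAlias changeit listener.pem
#   interpret_status "$(probe_https https://localhost:7083/testHTTPS listener.pem)"
```

Because curl verifies the chain against the exported certificate, a 200 here proves both that the listener answered on the expected port and that the certificate the browser test asked you to accept is the one in the listener's keystore; a 000 with clientAuth enabled and no client certificate supplied is the expected failure, not a misconfiguration.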