IBM Integration Bus, Version 10.0.0.0 Operating Systems: AIX, HP-Itanium, Linux, Solaris, Windows, z/OS


Securing integration services by using SSL configuration

You can secure integration services by configuring the SOAP/HTTP binding or JavaScript client API to use SSL and certificates.

Before you begin

Define a public key infrastructure (PKI) for IBM® Integration Bus; see Setting up a public key infrastructure.

About this task

After you establish a public key infrastructure configuration for your whole integration node or for some of its integration servers, you can use the configuration to secure your integration services by completing the following steps:
  1. If you are using the integration node listener: Configure the integration node to use SSL.
  2. If you are using the embedded (integration server) listener: Configure the integration server to use SSL.
  3. Configure the integration service bindings to use SSL.

Configuring the integration node to use SSL

About this task

Complete the following steps:

Procedure

  1. Turn on SSL support in the integration node by setting enableSSLConnector to true:
    mqsichangeproperties integrationNodeName
      -b httplistener -o HTTPListener 
      -n enableSSLConnector -v true
  2. Optional: If you do not want to use the default port 7083 for HTTPS messages, specify the port on which the integration node listens:
    mqsichangeproperties integrationNodeName
      -b httplistener -o HTTPSConnector
      -n port -v Port_to_listen_on_for_https

    On UNIX systems, only processes that run under a privileged user account (in most cases, root) can bind to ports lower than 1024.

    For the integration node to listen on these ports, the user ID under which the integration node is started must be root.
  3. Optional: Enable Client Authentication (mutual authentication):
    mqsichangeproperties integrationNodeName -b httplistener -o HTTPSConnector
      -n clientAuth -v true 
  4. Restart the integration node after changing one or more of the HTTP listener properties.
  5. Optional: Use the following commands to display HTTP listener properties:
    mqsireportproperties integrationNodeName -b httplistener -o AllReportableEntityNames -a 
    mqsireportproperties integrationNodeName -b httplistener -o HTTPListener -a 
    mqsireportproperties integrationNodeName -b httplistener -o HTTPSConnector  -a 

Configuring an integration server to use SSL

About this task

Complete the following steps:

Procedure

  1. Optional: Specify a specific port on which the integration server listens for HTTPS requests, or leave the value unset to use the next available port number.
    mqsichangeproperties integrationNodeName
      -e integration_server_name -o HTTPSConnector
      -n explicitlySetPortNumber -v port_number
    On UNIX systems, only processes that run under a privileged user account (in most cases, root) can bind to ports lower than 1024. For the integration server to listen on these ports, the user ID under which the integration node is started must be root.

    If you do not complete this step, the first available port in the default range (7843 - 7884) is used.

  2. Optional: Enable Client Authentication (mutual authentication):
    mqsichangeproperties integrationNodeName
      -e integration_server_name -o HTTPSConnector
      -n clientAuth -v true 
  3. Optional: Change the SSL protocol. The default protocol for the HTTPInput node is TLS. Keep the TLS default unless a legacy client cannot negotiate it; SSL 3.0 is deprecated (RFC 7568). Run the following command to change it to SSL:
    mqsichangeproperties integrationNodeName
      -e integration_server_name -o HTTPSConnector
      -n sslProtocol -v SSL
  4. Restart the integration node after changing one or more of the listener properties.
  5. Optional: Use the following command to display HTTPS properties:
    mqsireportproperties integrationNodeName 
      -e integration_server_name -o HTTPSConnector  -r 
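
As an added example (not IBM's own tooling), the following shell functions audit the HTTPSConnector properties that the two procedures above set: clientAuth, sslProtocol, and the listener port. It assumes that the report prints one property per line as name='value'; the function names and both sample reports are constructed for illustration.

```shell
#!/bin/sh
# Assumption: mqsireportproperties prints properties one per line as name='value'.

# Print the value of property $1 from the report on stdin (empty if unset).
get_prop() {
  sed -n "s/^[[:space:]]*$1='\(.*\)'[[:space:]]*\$/\1/p" | head -n 1
}

# Record one finding and mark the audit as failed.
finding() { echo "FINDING $1"; rc=1; }

# Read an HTTPSConnector report on stdin; print findings, return 1 if any.
audit_https_connector() {
  report=$(cat); rc=0
  client_auth=$(printf '%s\n' "$report" | get_prop clientAuth)
  protocol=$(printf '%s\n' "$report" | get_prop sslProtocol)
  # Integration server listener uses explicitlySetPortNumber; node listener uses port.
  port=$(printf '%s\n' "$report" | get_prop explicitlySetPortNumber)
  [ -n "$port" ] || port=$(printf '%s\n' "$report" | get_prop port)

  [ "$client_auth" = "true" ] || finding "clientAuth='$client_auth': client certificates are not required"
  [ "$protocol" != "SSL" ] || finding "sslProtocol='SSL': listener was moved off the TLS default"
  case "$port" in
    ''|*[!0-9]*) ;;  # unset or non-numeric: nothing to check
    *) [ "$port" -ge 1024 ] || finding "port=$port: below 1024, so the node must be started as root" ;;
  esac
  return $rc
}

# Constructed sample reports (not captured from a real integration node).
sample_weak() { cat <<'EOF'
HTTPSConnector
  explicitlySetPortNumber='443'
  clientAuth=''
  sslProtocol='SSL'
EOF
}
sample_hardened() { cat <<'EOF'
HTTPSConnector
  explicitlySetPortNumber='7843'
  clientAuth='true'
  sslProtocol='TLS'
EOF
}

sample_weak | audit_https_connector || true
```

Against a live node, pipe the output of the mqsireportproperties command from step 5 into audit_https_connector instead of a sample report.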

Configuring the integration service bindings to use SSL

About this task

Configure the integration service bindings to use SSL by completing the following steps:

Procedure

  1. In the IBM Integration Toolkit, open your integration service in the integration service editor by double-clicking Integration Service Description in the Application Development view.
  2. Click the Service tab. The integration service description is displayed, which includes the integration service bindings.
  3. If you are using the SOAP/HTTP binding, then click SOAP/HTTP Binding and select Use HTTPS from the HTTP Transport properties panel.
  4. If you are using the JavaScript client API, then click JavaScript client API and then select Use HTTPS from the Basic properties panel.
    Note: If you are using a web browser-based JavaScript application to call the integration service, then you must select Use HTTPS on both the SOAP/HTTP binding and the JavaScript client API. The HTTP proxy servlet routes requests only to endpoints that use the same protocol as the web browser. The HTTP proxy servlet routes requests to both the SOAP and JavaScript client API endpoints, and so both endpoints must match the web browser protocol.
  5. Save and redeploy the integration service.

Results

You have configured the integration service to use SSL.


ss26060_.htm | Last updated 2015-03-27 19:28:57