SSL authentication is available for the Real Time node, the HTTP listener, and the WebSphere MQ Java Client.
SSL authentication in WebSphere Message Broker supports an authentication protocol known as mutual challenge-response password authentication. This is a non-standard variant of the industry standard SSL protocol in which the public key cryptography called for by SSL is replaced by symmetric secret key cryptography. While this protocol is both secure and convenient to administer, it might be better to use the industry standard SSL protocol exactly as defined, especially if a public key cryptography infrastructure is already deployed for other purposes. There are two standardized versions of SSL which are:
In both instances, SSL authentication does not keep the SSL protocol up for the entire lifetime of a connection, because that would incur protection overheads on all messages. The SSL protocol remains in force long enough to accomplish mutual authentication and to establish a shared secret session key that can be used by message protection (see Message protection). Messages are then individually protected in accordance with the protection level specified for the given topic.
The SSL protocol implementation requires a Public-Key Cryptography Standards (PKCS) file, containing X.509 V3 certificates for the broker's private key, and possibly the public keys of clients and other brokers. This file, called the key ring file, must contain at least one certificate for the broker and for the trusted certification authority (CA) that issued and signed the broker's certificate. For the R form of SSL, the key ring file can also have the public keys of clients and other brokers that need to be authenticated, and the certificates supporting those public keys. However, the SSL protocol calls for the exchange of public keys and certificates, so key ring files do not need to be fully primed in this fashion, as long as there are enough commonly-trusted authorities to ensure that authentication completes.
By convention, key ring files are encrypted and protected by a passphrase, which is stored in a second file. The passphrase file requires careful protection using operating system mechanisms to ensure that it is not exposed to unauthorized observers, because an observer who learns the passphrase can recover the private keys in the key ring file. Only the passphrase file needs to be secured in this way, since the key ring file itself is protected by the passphrase. Only private keys are sensitive; other information in the key ring file, such as the broker's certificates, can be revealed without compromising security.
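One way to check that the operating-system protection described above is actually in place, as an added example that is not part of this documentation or of WebSphere Message Broker itself: it assumes a POSIX host, that the broker runs as the current user, and that the key ring and passphrase file paths are supplied by the caller.

```python
import os
import stat

# Added check, not IBM's code: inspects POSIX ownership and permission bits
# of the passphrase file (must be private to the broker user) and of the
# key ring file (may be readable, since the passphrase protects it, but
# must not be writable by others) and returns a list of findings.
GROUP_OR_OTHER = stat.S_IRWXG | stat.S_IRWXO


def _check_one(path, label, must_be_private):
    findings = []
    try:
        st = os.lstat(path)
    except FileNotFoundError:
        return ["%s %s does not exist" % (label, path)]
    if stat.S_ISLNK(st.st_mode):
        findings.append("%s %s is a symlink; point at the real file" % (label, path))
        st = os.stat(path)
    if not stat.S_ISREG(st.st_mode):
        findings.append("%s %s is not a regular file" % (label, path))
    if st.st_uid != os.geteuid():
        findings.append("%s %s is not owned by the broker user (uid %d)"
                        % (label, path, os.geteuid()))
    # Passphrase file: no group/other access at all. Key ring: no group/other write.
    bad_bits = GROUP_OR_OTHER if must_be_private else stat.S_IWGRP | stat.S_IWOTH
    if st.st_mode & bad_bits:
        what = "readable or writable" if must_be_private else "writable"
        findings.append("%s %s is %s by group/other (mode %o)"
                        % (label, path, what, stat.S_IMODE(st.st_mode)))
    if st.st_size == 0:
        findings.append("%s %s is empty" % (label, path))
    # A private file inside a world-writable directory can be replaced wholesale.
    parent = os.path.dirname(os.path.abspath(path)) or "."
    if os.stat(parent).st_mode & stat.S_IWOTH:
        findings.append("directory %s holding %s is world-writable" % (parent, label))
    return findings


def check_key_ring_layout(key_ring_path, passphrase_path):
    """Return findings for the key ring file and its passphrase file; [] means OK."""
    findings = _check_one(passphrase_path, "passphrase file", True)
    findings += _check_one(key_ring_path, "key ring file", False)
    return findings
```

Run it from the broker's service account before starting the broker, so that ownership is compared against the identity that will actually open the files.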
For more information on SSL authentication for the Real Time node, see Enabling SSL for the Real Time node.
For information on SSL authentication for the HTTP listener, see Configuring HTTPInput and HTTPReply nodes to use SSL (HTTPS), and Configuring an HTTPRequest node to use SSL (HTTPS).
For information on SSL authentication for the MQ Java Client, see Enabling SSL on the WebSphere MQ Java Client.