The WebSphere MQ Java Client supports SSL-encrypted connections over the SVRCONN channel between the application and the queue manager. This topic tells you how to make use of this SSL support when communicating between the Configuration Manager Proxy (CMP) and the Configuration Manager.
For one-way authentication, in which only the client (the Configuration Manager Proxy) authenticates the server (the Configuration Manager), perform the following steps:
- Generate or obtain all the appropriate keys and certificates. This includes a signed pkcs12 certificate for the server and the public key of the certificate authority that signed the pkcs12 certificate.
- Add the pkcs12 certificate to the queue manager certificate store and assign it to the queue manager. Use the standard WebSphere MQ facilities, for example, WebSphere MQ Explorer (for WebSphere MQ Version 6) or WebSphere MQ Services (for WebSphere MQ Version 5).
- Add the certificate of the certificate authority to the JSSE truststore of the Java Virtual Machine (JVM) at the Configuration Manager Proxy end, using a tool such as Keytool.
- Decide which cipher suite to use.
- Change the properties of the SYSTEM.BKR.CONFIG channel to specify the cipher suite to be used. Use the standard WebSphere MQ facilities (for example, WebSphere MQ Explorer).
- Pass the required parameters (for example, the cipher suite) to the Configuration Manager Proxy. If a truststore other than the JVM default is used, its full path must be passed in via the truststore parameter.
When you have performed these steps, the Configuration Manager Proxy connects to the Configuration Manager only if the Configuration Manager presents a valid certificate that has been signed by a certificate authority the proxy trusts.
For two-way authentication (in which the Configuration Manager also authenticates the Configuration Manager Proxy), perform the following additional steps:
- Generate or obtain all the appropriate keys and certificates. This includes a signed pkcs12 certificate for the client and the public key of the certificate authority that signed the pkcs12 certificate.
- Add the certificate of the certificate authority to the queue manager certificate store; use the standard WebSphere MQ facilities (for example, WebSphere MQ Explorer for WebSphere MQ Version 6).
- Set the SYSTEM.BKR.CONFIG channel to always authenticate the client. You can use SSLCAUTH(REQUIRED) in runmqsc, or WebSphere MQ Explorer.
- Add the pkcs12 certificate to the JSSE keystore of the JVM at the Configuration Manager Proxy end, using a tool such as Keytool.
- If a keystore other than the JVM default is used, its full path must be passed into the Configuration Manager Proxy via the keystore parameter.
When you have performed these steps, the Configuration Manager allows the Configuration Manager Proxy to connect only if the Configuration Manager Proxy presents a certificate signed by one of the certificate authorities in the queue manager certificate store. Further restrictions can be applied using the sslPeerName field; for example, you can allow connections only from certificate holders with a specific company or department name in their certificates. In addition, you can invoke a security exit for communications between the Configuration Manager Proxy and the Configuration Manager; see Using security exits.
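Before pointing the Configuration Manager Proxy at a truststore or keystore, it is worth confirming that the stores actually hold what the steps above require. The Java program below is an added example, not code from the product documentation or the CMP API; using only standard JSSE classes, it checks that a CA certificate in the truststore validates the queue manager's pkcs12 certificate (one-way authentication; the same check applied to the proxy's own pkcs12 file covers the two-way case) and that the JVM supports the intended cipher suite. The file paths, passwords, class name and JSSE cipher suite name are assumed values.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.*;
import java.util.*;
import javax.net.ssl.SSLContext;

// Hypothetical pre-flight helper; not part of the CMP API or of WebSphere MQ.
public class CmpSslPreflight {

    // Load a key store from disk: type "JKS" for the JVM truststore, "PKCS12" for a pkcs12 file.
    static KeyStore load(String path, String type, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance(type);
        try (FileInputStream in = new FileInputStream(path)) { ks.load(in, password); }
        return ks;
    }

    // True if the chain stored under 'alias' in the pkcs12 file validates (PKIX) against a CA
    // certificate held in the truststore: the same trust decision JSSE makes during the handshake.
    static boolean chainIsTrusted(KeyStore pkcs12, String alias, KeyStore truststore) throws Exception {
        Certificate[] chain = pkcs12.getCertificateChain(alias);
        if (chain == null) return false; // alias is not a private-key entry
        List<X509Certificate> path = new ArrayList<>();
        for (Certificate c : chain) {
            X509Certificate x = (X509Certificate) c;
            // Keep the self-signed root out of the path; it has to come from the truststore instead.
            if (!x.getSubjectX500Principal().equals(x.getIssuerX500Principal())) path.add(x);
        }
        if (path.isEmpty()) return false; // a lone self-signed certificate is not CA-signed
        CertPath certPath = CertificateFactory.getInstance("X.509").generateCertPath(path);
        PKIXParameters params = new PKIXParameters(truststore); // anchors = trusted certs in the store
        params.setRevocationEnabled(false); // no CRL/OCSP access assumed here; enable it in production
        try { CertPathValidator.getInstance("PKIX").validate(certPath, params); return true; }
        catch (CertPathValidatorException e) { return false; }
    }

    // True if this JVM can negotiate the JSSE cipher suite matching the one set on SYSTEM.BKR.CONFIG.
    static boolean cipherSuiteSupported(String jsseSuiteName) throws Exception {
        String[] suites = SSLContext.getDefault().getSupportedSSLParameters().getCipherSuites();
        return Arrays.asList(suites).contains(jsseSuiteName);
    }

    public static void main(String[] args) throws Exception {
        // Assumed paths, passwords and suite name; replace them with your own.
        KeyStore trust = load("/path/to/cmp-truststore.jks", "JKS", "changeit".toCharArray());
        KeyStore qm = load("/path/to/qm-server.p12", "PKCS12", "secret".toCharArray());
        System.out.println("queue manager certificate trusted: " + chainIsTrusted(qm, qm.aliases().nextElement(), trust));
        System.out.println("cipher suite available: " + cipherSuiteSupported("SSL_RSA_WITH_3DES_EDE_CBC_SHA"));
    }
}
```

A `false` from the first check means the proxy's JVM would reject the handshake in exactly the same way, so fix the truststore before changing channel or proxy parameters.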