Configure the Connect:Direct® bridge agent and
the Connect:Direct node to
connect to each other through the SSL protocol by creating a keystore
and a truststore, and by setting properties in the Connect:Direct bridge agent properties
file.
About this task
These steps include instructions for getting your keys signed by a certificate authority. If you
do not use a certificate authority, you can generate a self-signed certificate. For more information
about generating a self-signed certificate, see Working with SSL/TLS on UNIX
and Windows systems.
These steps include instructions
for creating a new keystore and truststore for the Connect:Direct bridge agent.
If the Connect:Direct bridge
agent already has a keystore and truststore that it uses to connect
securely to WebSphere® MQ
queue managers, you can use the existing keystore and truststore when
connecting securely to the Connect:Direct node. For more
information, see Configuring SSL encryption for WebSphere MQ File Transfer Edition.
Procedure
For the Connect:Direct node,
complete the following steps:
- Generate a key and signed certificate for the Connect:Direct node. You
can do this by using the IBM® Key
Management tool that is provided with WebSphere MQ. For more information, see Using iKeyman, iKeycmd, GSKCapiCmd, and GSK7Cmd.
- Send a request to a certificate authority to have the key
signed. You receive a certificate in return.
- Create a text file, for example /test/ssl/certs/CAcert,
that contains the public key of your certification authority.
- Install the Secure+ Option on the Connect:Direct node. If
the node already exists, you can install the Secure+ Option by running
the installer again, specifying the location of the existing installation,
and choosing to install only the Secure+ Option.
- Create a new text file, for example /test/ssl/cd/keyCertFile/node_name.txt.
- Copy the certificate that you received from your certification
authority and the private key, located in /test/ssl/cd/privateKeys/node_name.key,
into the text file, with the certificate first and the private key after it. The contents of /test/ssl/cd/keyCertFile/node_name.txt must
be in the following format:
-----BEGIN CERTIFICATE-----
(certificate data omitted)
-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,64A02DA15B6B6EF9
57kqxLOJ/gRUOIQ6hVK2YN13B4E1jAi1gSme0I5ZpEIG8CHXISKB7/0cke2FTqsV
lvI99QyCxsDWoMNt5fj51v7aPmVeS60bOm+UlGre8B/Ze18JVj2O4K2Uh72rDCXE
5e6eFxSdUM207sQDy20euBVELJtM2kOkL1ROdoQQSlU3XQNgJw/t3ZIx5hPXWEQT
rjRQO64BEhb+PzzxPF8uwzZ9IrUK9BJ/UUnqC6OdBR87IeA4pnJD1Jvb2ML7EN9Z
5Y+50hTKI8OGvBvWXO4fHyvIX5aslwhBoArXIS1AtNTrptPvoaP1zyIAeZ6OCVo/
SFo+A2UhmtEJeOJaZG2XZ3H495fAw/EHmjehzIACwukQ9nSIETgu4A1+CV64RJED
aYBCM8UjaAkbZDH5gn7+eBov0ssXAXWDyJBVhUOjXjvAj/e1h+kcSF1hax5D//AI
66nRMZzboSxNqkjcVd8wfDwP+bEjDzUaaarJTS7lIFeLLw7eJ8MNAkMGicDkycL0
EPBU9X5QnHKLKOfYHN/1WgUk8qt3UytFXXfzTXGF3EbsWbBupkT5e5+lYcX8OVZ6
sHFPNlHluCNy/riUcBy9iviVeodX8IomOchSyO5DKl8bwZNjYtUP+CtYHNFU5BaD
I+1uUOAeJ+wjQYKT1WaeIGZ3VxuNITJul8y5qDTXXfX7vxM5OoWXa6U5+AYuGUMg
/itPZmUmNrHjTk7ghT6i1IQOaBowXXKJBlMmq/6BQXN2IhkD9ys2qrvM1hdi5nAf
egmdiG50loLnBRqWbfR+DykpAhK4SaDi2F52Uxovw3Lhiw8dQP7lzQ==
-----END RSA PRIVATE KEY-----
- Start the Secure+ Admin Tool.
  - On Linux or UNIX systems, run the command spadmin.sh.
  - On Windows systems, click
  The CD Secure+ Admin Tool starts.
- In the CD Secure+ Admin Tool, double-click the .Local line
to edit the main SSL or TLS settings.
  - Select Enable SSL Protocol or Enable TLS Protocol, depending on which protocol you are using.
  - Select Disable Override.
  - Select at least one Cipher Suite.
  - If you want two-way authentication, change the value of Enable Client Authentication to Yes.
  - In the Trusted Root Certificate field, enter the path to the public certificate file of your certification authority, /test/ssl/certs/CAcert.
  - In the Key Certificate File field, enter the path to the file that you created, /test/ssl/cd/keyCertFile/node_name.txt.
- Double-click the .Client line to edit the main SSL or TLS settings.
  - Select Enable SSL Protocol or Enable TLS Protocol, depending on which protocol you are using.
  - Select Disable Override.
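A check for the Key Certificate File assembled in the node steps above, written here as an added example in Python (standard library only); it is not part of IBM's documentation or of the Connect:Direct or Secure+ products. It parses the PEM blocks, confirms that the certificate comes first and is a complete DER object (a truncated or over-pasted certificate is the usual copy-and-paste failure), and confirms that the private key carries the Proc-Type and DEK-Info headers that show it is passphrase-protected rather than stored in the clear. The certificate body in the sample is constructed placeholder DER, not a real certificate; the encrypted key is the sample block shown on this page; the function names are my own. It does not decrypt the key or validate the certificate chain.

```python
import base64
import re

# Constructed sample of /test/ssl/cd/keyCertFile/node_name.txt. The certificate
# body is placeholder DER (a SEQUENCE header with a two-byte length of 16,
# zero-filled; not a real certificate). The encrypted RSA key is the sample
# block from the procedure. OpenSSL emits a blank line after the DEK-Info
# header; the parser also accepts its absence.
CERT_B64 = "MIIAEAAA" + "AAAA" * 4 + "AAA="
KEY_B64_LINES = """57kqxLOJ/gRUOIQ6hVK2YN13B4E1jAi1gSme0I5ZpEIG8CHXISKB7/0cke2FTqsV
lvI99QyCxsDWoMNt5fj51v7aPmVeS60bOm+UlGre8B/Ze18JVj2O4K2Uh72rDCXE
5e6eFxSdUM207sQDy20euBVELJtM2kOkL1ROdoQQSlU3XQNgJw/t3ZIx5hPXWEQT
rjRQO64BEhb+PzzxPF8uwzZ9IrUK9BJ/UUnqC6OdBR87IeA4pnJD1Jvb2ML7EN9Z
5Y+50hTKI8OGvBvWXO4fHyvIX5aslwhBoArXIS1AtNTrptPvoaP1zyIAeZ6OCVo/
SFo+A2UhmtEJeOJaZG2XZ3H495fAw/EHmjehzIACwukQ9nSIETgu4A1+CV64RJED
aYBCM8UjaAkbZDH5gn7+eBov0ssXAXWDyJBVhUOjXjvAj/e1h+kcSF1hax5D//AI
66nRMZzboSxNqkjcVd8wfDwP+bEjDzUaaarJTS7lIFeLLw7eJ8MNAkMGicDkycL0
EPBU9X5QnHKLKOfYHN/1WgUk8qt3UytFXXfzTXGF3EbsWbBupkT5e5+lYcX8OVZ6
sHFPNlHluCNy/riUcBy9iviVeodX8IomOchSyO5DKl8bwZNjYtUP+CtYHNFU5BaD
I+1uUOAeJ+wjQYKT1WaeIGZ3VxuNITJul8y5qDTXXfX7vxM5OoWXa6U5+AYuGUMg
/itPZmUmNrHjTk7ghT6i1IQOaBowXXKJBlMmq/6BQXN2IhkD9ys2qrvM1hdi5nAf
egmdiG50loLnBRqWbfR+DykpAhK4SaDi2F52Uxovw3Lhiw8dQP7lzQ=="""
SAMPLE_KEYCERT_FILE = f"""-----BEGIN CERTIFICATE-----
{CERT_B64}
-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,64A02DA15B6B6EF9

{KEY_B64_LINES}
-----END RSA PRIVATE KEY-----
"""

PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----\r?\n(.*?)-----END \1-----", re.S)


def parse_pem_blocks(text):
    """Return [(label, headers, decoded bytes)] for every PEM block, in file order.
    Lines containing ':' before the base64 body are RFC 1421 headers (Proc-Type, DEK-Info)."""
    blocks = []
    for m in PEM_BLOCK.finditer(text):
        label, body = m.group(1), m.group(2)
        headers, b64_lines = {}, []
        for line in body.splitlines():
            line = line.strip()
            if not line:
                continue
            if ":" in line and not b64_lines:
                key, value = line.split(":", 1)
                headers[key.strip()] = value.strip()
            else:
                b64_lines.append(line)
        # validate=True rejects stray characters instead of silently dropping them
        raw = base64.b64decode("".join(b64_lines), validate=True)
        blocks.append((label, headers, raw))
    return blocks


def der_outer_length_ok(der):
    """True when the leading DER SEQUENCE spans exactly the whole blob,
    which a truncated or over-pasted certificate fails."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    first = der[1]
    if first < 0x80:
        header_len, length = 2, first
    else:
        n = first & 0x7F
        if n == 0 or len(der) < 2 + n:
            return False
        header_len, length = 2 + n, int.from_bytes(der[2:2 + n], "big")
    return header_len + length == len(der)


def check_keycert_file(text):
    """Return a list of problems with the Secure+ Key Certificate File layout
    (empty list means the layout matches what the procedure requires)."""
    try:
        blocks = parse_pem_blocks(text)
    except ValueError as exc:  # binascii.Error is a ValueError subclass
        return ["PEM body is not valid base64: %s" % exc]
    problems = []
    labels = [label for label, _, _ in blocks]
    if labels[:1] != ["CERTIFICATE"]:
        problems.append("file must start with the signed certificate")
    if "RSA PRIVATE KEY" not in labels:
        problems.append("file is missing the RSA PRIVATE KEY block")
    for label, headers, raw in blocks:
        if label == "CERTIFICATE" and not der_outer_length_ok(raw):
            problems.append("certificate DER is truncated or has trailing data")
        if label == "RSA PRIVATE KEY":
            if headers.get("Proc-Type") != "4,ENCRYPTED":
                problems.append("private key is not passphrase-protected (no Proc-Type: 4,ENCRYPTED)")
            alg, _, iv = headers.get("DEK-Info", "").partition(",")
            if alg == "DES-EDE3-CBC" and (len(iv) != 16 or len(raw) % 8):
                problems.append("DES-EDE3-CBC needs a 16-hex-digit IV and ciphertext in 8-byte blocks")
    return problems


if __name__ == "__main__":
    for line in check_keycert_file(SAMPLE_KEYCERT_FILE) or ["key certificate file layout OK"]:
        print(line)
```

Point check_keycert_file at the real node_name.txt before entering it in the Key Certificate File field; each problem string names the layout rule that was violated.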
For the Connect:Direct bridge
agent, perform the following steps:
- Create a truststore. You can do this by creating a dummy
key and then deleting the dummy key. You can use the following
commands:
keytool -genkey -alias dummy -keystore /test/ssl/fte/stores/truststore.jks
keytool -delete -alias dummy -keystore /test/ssl/fte/stores/truststore.jks
- Import the public certificate of the certification authority
into the truststore. You can use the following command:
keytool -import -trustcacerts -alias myCA -file /test/ssl/certs/CAcert -keystore /test/ssl/fte/stores/truststore.jks
- Edit the Connect:Direct bridge
agent properties file. Include the following lines anywhere
in the file:
cdNodeProtocol=protocol
cdNodeTruststore=/test/ssl/fte/stores/truststore.jks
cdNodeTruststorePassword=password
In the example above, protocol is the protocol you are using, either SSL or TLS, and password is the password that you specified when you created the truststore.
- If you want two-way authentication, create a key and certificate
for the Connect:Direct bridge
agent.
  - Create a keystore and key. You can use the following command:
  keytool -genkey -keyalg RSA -alias agent_name -keystore /test/ssl/fte/stores/keystore.jks -storepass password -validity 365
  - Generate a signing request. You can use the following command:
  keytool -certreq -v -alias agent_name -keystore /test/ssl/fte/stores/keystore.jks -storepass password -file /test/ssl/fte/requests/agent_name.request
  - Import the certificate that you receive from the certification authority in response to the request into the keystore. The certificate must be in X.509 format. Use the same alias as the key entry so that keytool installs the certificate against that key rather than as a separate trusted certificate. You can use the following command:
  keytool -import -alias agent_name -keystore /test/ssl/fte/stores/keystore.jks -storepass password -file certificate_file_path
- Edit the Connect:Direct bridge
agent properties file. Include the following lines anywhere
in the file:
cdNodeKeystore=/test/ssl/fte/stores/keystore.jks
cdNodeKeystorePassword=password
In the example above, password is the password that you specified when you created the keystore.
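A consistency check for the bridge agent properties added in the steps above, as an added example in Python (standard library only) that is not part of IBM's documentation or of the WebSphere MQ File Transfer Edition product. It reads the cdNode* properties, confirms cdNodeProtocol is SSL or TLS and that the truststore and its password are present, and cross-checks the two-way authentication settings: the node's Enable Client Authentication = Yes only works if the agent also has cdNodeKeystore and cdNodeKeystorePassword, and those two must always be set together. The properties sample is constructed (placeholder paths and passwords), the parameter name node_requires_client_auth and the function names are my own, and the file-mode check reflects the fact that the passwords in this file are stored in clear text.

```python
import os
import re
import stat

# Constructed sample of the bridge agent properties file after the edits in
# the procedure; the paths and passwords are placeholders, not a real deployment.
SAMPLE_AGENT_PROPERTIES = """# constructed agent.properties sample
cdNodeProtocol=TLS
cdNodeTruststore=/test/ssl/fte/stores/truststore.jks
cdNodeTruststorePassword=password
cdNodeKeystore=/test/ssl/fte/stores/keystore.jks
cdNodeKeystorePassword=password
"""

PROPERTY_LINE = re.compile(r"([^=:\s]+)\s*[=:]?\s*(.*)")


def parse_properties(text):
    """Minimal Java .properties reader: key=value or key:value, '#' and '!'
    comment lines, and trailing-backslash continuation lines."""
    props, pending = {}, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if not line or line[0] in "#!":
            continue
        if line.endswith("\\"):
            pending = line[:-1]
            continue
        match = PROPERTY_LINE.match(line)
        if match:
            props[match.group(1)] = match.group(2)
    return props


def check_cd_ssl_properties(props, node_requires_client_auth):
    """Return a list of problems with the cdNode* settings; node_requires_client_auth
    mirrors the node's Secure+ setting Enable Client Authentication = Yes."""
    problems = []
    protocol = props.get("cdNodeProtocol")
    if protocol not in ("SSL", "TLS"):
        problems.append("cdNodeProtocol must be SSL or TLS (got %r)" % protocol)
    if not props.get("cdNodeTruststore"):
        problems.append("cdNodeTruststore is required: without the CA trust store the agent cannot verify the node certificate")
    if "cdNodeTruststorePassword" not in props:
        problems.append("cdNodeTruststorePassword is required")
    has_keystore = bool(props.get("cdNodeKeystore"))
    has_keystore_password = "cdNodeKeystorePassword" in props
    if has_keystore != has_keystore_password:
        problems.append("cdNodeKeystore and cdNodeKeystorePassword must be set together")
    if node_requires_client_auth and not has_keystore:
        problems.append("node has Enable Client Authentication=Yes but the agent has no cdNodeKeystore, so the handshake will fail")
    return problems


def check_properties_file(path, node_requires_client_auth):
    """Run the checks on a properties file on disk and also flag a file that is
    readable by group or others, because the store passwords are in clear text."""
    with open(path, encoding="utf-8") as handle:
        problems = check_cd_ssl_properties(parse_properties(handle.read()), node_requires_client_auth)
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & 0o077:
        problems.append("properties file mode %o exposes clear-text passwords to other users" % mode)
    return problems


if __name__ == "__main__":
    props = parse_properties(SAMPLE_AGENT_PROPERTIES)
    for line in check_cd_ssl_properties(props, node_requires_client_auth=True) or ["cdNode* settings OK"]:
        print(line)
```

Pass node_requires_client_auth=True when you set Enable Client Authentication to Yes on the node; the check then insists on the keystore pair, and with False it accepts the one-way configuration that has only the truststore lines.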