Use SSL with WebSphere® MQ and WebSphere MQ File Transfer Edition to prevent unauthorized connections between agents and queue managers, and to encrypt message traffic between agents and queue managers.
About this task
For general information about using SSL with WebSphere MQ, see Channel security using SSL in the WebSphere MQ V7.0.1 product documentation. In WebSphere MQ terms, WebSphere MQ File Transfer Edition is a standard Java™ client application.
Follow these steps to use SSL with WebSphere MQ File Transfer Edition:
Procedure
- Create a truststore file and optionally a keystore file (these can be the same file). The truststore is always required: it holds the certificates that the queue manager's certificate is authenticated against. A keystore is needed only if the channel requires client authentication; if client authentication is not required (that is, SSLCAUTH=OPTIONAL on the channels), you do not need to provide a keystore.
The keys in the truststore file and keystore file must use the RSA key algorithm to work with WebSphere MQ.
If you need instructions about how to create truststore and keystore files, see the developerWorks® article, Configuring Secure Sockets Layer connectivity in WebSphere MQ File Transfer Edition, or see the Oracle keytool documentation.
- Set up your WebSphere MQ queue manager to use SSL. For information about how to set up a queue manager to use SSL, see the WebSphere MQ product documentation.
- Save the truststore file and keystore file (if you have one) in a suitable location. A suggested location is the config_directory/coordination_qmgr/agents/agent_name directory.
- Set the SSL properties as required for each SSL-enabled queue manager in the appropriate WebSphere MQ File Transfer Edition properties file. Each set of properties refers to a separate queue manager role (agent, coordination, and command), although one queue manager might perform two or more of these roles.
One of the CipherSpec or CipherSuite properties is required; if neither is set, the client tries to connect without SSL. Both the CipherSpec and CipherSuite properties are provided because of the terminology differences between WebSphere MQ and Java. WebSphere MQ File Transfer Edition accepts either property and does the necessary conversion, so you do not need to set both. If you do specify both the CipherSpec and CipherSuite properties, CipherSpec takes precedence.
The PeerName property is optional. Set it to the Distinguished Name of the queue manager that you want to connect to; WebSphere MQ File Transfer Edition then rejects a connection to any SSL server whose certificate Distinguished Name does not match.
Set the SslTrustStore and SslKeyStore properties to file names that point to the truststore and keystore files. If you are setting these properties for an agent that is already running, stop and restart the agent so that it reconnects in SSL mode.
Properties files contain the truststore and keystore passwords in plain text, so set file system permissions that restrict the files to the user that runs the agent.
For more information about SSL properties, see SSL properties.
- If an agent queue manager uses SSL, you cannot provide the necessary details when you create the agent. Use the following steps to create the agent:
  - Create the agent by using the fteCreateAgent command. You receive a warning about being unable to publish the existence of the agent to the coordination queue manager.
  - Edit the agent.properties file that was created by the previous step to add the SSL information. When the agent is successfully started, the publish is attempted again.
- If agents or instances of the WebSphere MQ Explorer are running while the SSL properties in the agent.properties file or coordination.properties file are changed, you must restart the agent or WebSphere MQ Explorer.
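The rules in the procedure above (a cipher property is required or the client silently connects without SSL, CipherSpec wins over CipherSuite, a truststore is always needed, a keystore only for client authentication, and the file holds plain-text passwords) are easy to get wrong by hand. The following pre-flight checker, an added example and not part of the product documentation or the product itself, parses an agent.properties file and reports those problems before the agent is restarted. The property key names (agentSslCipherSpec, agentSslCipherSuite, agentSslPeerName, agentSslTrustStore, agentSslKeyStore, and the corresponding password keys) are assumed to follow the role-prefixed naming of the properties files; confirm them against the SSL properties reference for your version. The two embedded properties files are constructed samples, and the CipherSpec value and Distinguished Name in them are illustrative only.

```python
"""Pre-flight checks for WebSphere MQ FTE SSL properties (added example, not product code)."""
import os
import stat
import tempfile

# Constructed sample: stores are configured but no cipher property is set,
# so the agent would connect WITHOUT SSL and nobody would notice.
WEAK = """\
agentSslTrustStore=ssl/truststore.jks
agentSslTrustStorePassword=changeit
"""

# Constructed sample: exactly one cipher property, a truststore, and a peer
# name pinned to the queue manager certificate's Distinguished Name.
HARDENED = """\
agentSslCipherSpec=TLS_RSA_WITH_AES_128_CBC_SHA
agentSslTrustStore=ssl/truststore.jks
agentSslTrustStorePassword=changeit
agentSslPeerName=CN=QM1,O=Example,C=GB
"""


def parse_properties(text):
    """Minimal Java .properties reader: key=value or key:value, '#'/'!' comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        for sep in ("=", ":"):
            if sep in line:
                key, _, value = line.partition(sep)
                props[key.strip()] = value.strip()
                break
        else:
            props[line] = ""
    return props


def check_ssl_properties(props, prefix, client_auth_required=False, base_dir="."):
    """Return (effective cipher or None, list of findings) for one queue-manager role.

    prefix is the role prefix used in the properties file ("agent" here; the
    exact prefixes for the other roles are an assumption to verify).
    """
    findings = []
    spec = props.get(f"{prefix}SslCipherSpec")
    suite = props.get(f"{prefix}SslCipherSuite")
    if spec and suite:
        findings.append(f"both {prefix}SslCipherSpec and {prefix}SslCipherSuite set; "
                        "CipherSpec takes precedence")
    cipher = spec or suite  # CipherSpec wins when both are present
    if not cipher:
        findings.append(f"no {prefix}SslCipherSpec or {prefix}SslCipherSuite: "
                        "the client will connect WITHOUT SSL")
        return None, findings
    trust = props.get(f"{prefix}SslTrustStore")
    if not trust:
        findings.append("no truststore: the queue manager certificate cannot be authenticated")
    elif not os.path.isfile(os.path.join(base_dir, trust)):
        findings.append(f"truststore not found: {trust}")
    key = props.get(f"{prefix}SslKeyStore")
    if client_auth_required and not key:
        findings.append("channel requires client authentication but no keystore is set")
    elif key and not os.path.isfile(os.path.join(base_dir, key)):
        findings.append(f"keystore not found: {key}")
    if not props.get(f"{prefix}SslPeerName"):
        findings.append("no peer name: any server certificate the truststore trusts is accepted")
    return cipher, findings


def check_file_permissions(path):
    """The file holds store passwords in plain text: flag group/other access (POSIX only)."""
    if os.name != "posix":
        return []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return [] if mode & 0o077 == 0 else [f"{path} is readable by group/other (mode {mode:o})"]


def run_demo():
    """Write both constructed samples into a scratch directory and check them."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        os.makedirs(os.path.join(d, "ssl"))
        open(os.path.join(d, "ssl", "truststore.jks"), "wb").close()  # stand-in for a real JKS
        for name, text in (("weak", WEAK), ("hardened", HARDENED)):
            path = os.path.join(d, f"{name}.properties")
            with open(path, "w") as f:
                f.write(text)
            os.chmod(path, 0o600)  # owner-only, as the procedure recommends
            cipher, findings = check_ssl_properties(parse_properties(text), "agent", base_dir=d)
            results[name] = (cipher, findings + check_file_permissions(path))
    return results


if __name__ == "__main__":
    for name, (cipher, findings) in run_demo().items():
        print(f"{name}: cipher={cipher}", *findings, sep="\n  ")
```

Run it against a real agent.properties by replacing the embedded samples with the file contents and passing the agent directory as base_dir; pass client_auth_required=True when the channel is defined with SSLCAUTH=REQUIRED so a missing keystore is reported.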