The WebSphere MQ Java Client supports SSL-encrypted connections over the server-connection (SVRCONN) channel between the application and the queue manager. This topic tells you how to make use of this SSL support when communicating between the Configuration Manager Proxy (CMP) and the Configuration Manager.
For one-way authentication (with the client (Configuration Manager Proxy) authenticating the server (Configuration Manager) only) perform the following steps:

For two-way authentication (with the Configuration Manager also authenticating the Configuration Manager Proxy) perform the following additional steps:
- Generate or obtain all the appropriate keys and certificates. This includes a signed pkcs12 certificate for the client and the public key of the certificate authority that signed the pkcs12 certificate.
- Add the certificate of the certificate authority to the queue manager certificate store; use the standard WebSphere MQ facilities (for example, WebSphere MQ Explorer for WebSphere MQ Version 6).
- Set the server-connection channel to always authenticate the client. You can use SSLCAUTH(REQUIRED) in runmqsc, or WebSphere MQ Explorer.
- Add the pkcs12 certificate to the JSSE keystore of the JVM at the Configuration Manager Proxy end, using a tool such as keytool.
- If you are not using the default keystore, pass its full path to the Configuration Manager Proxy in the keystore parameter.
When you have performed these steps, the Configuration Manager allows the Configuration Manager Proxy to connect only if the Configuration Manager Proxy has a certificate signed by one of the certificate authorities in its keystore. Further restrictions can be made using the sslPeerName field; for example, you can allow connections only from certificate holders with a specific company or department name in their certificates. In addition, you can invoke a security exit for communications between the Configuration Manager Proxy and the Configuration Manager; see Using security exits.