WebSphere Message Brokers
File: ap12232_
Writer: Stephanie J Strugnell

Task topic

This build: July 31, 2007 21:34:59

Enabling SSL on the WebSphere MQ Java Client

The WebSphere MQ Java Client supports SSL-encrypted connections over the server-connection (SVRCONN) channel between the application and the queue manager. This topic tells you how to make use of this SSL support when communicating between the Configuration Manager Proxy (CMP) and the Configuration Manager.

For one-way authentication, in which only the client (the Configuration Manager Proxy) authenticates the server (the Configuration Manager), perform the following steps:

  1. Generate or obtain all the appropriate keys and certificates. This includes a signed pkcs12 certificate for the server and the appropriate public key for the certificate authority that signed the pkcs12 certificate.
  2. Add the pkcs12 certificate to the queue manager certificate store and assign it to the queue manager. Use the standard WebSphere MQ facilities, for example, WebSphere MQ Explorer (for WebSphere MQ Version 6) or WebSphere MQ Services (for WebSphere MQ Version 5).
  3. Add the certificate of the certificate authority to the JSSE truststore of the Java Virtual Machine (JVM) at the Configuration Manager Proxy end using a tool such as keytool.
  4. Decide which cipher suite to use.
  5. Change the properties on the server-connection channel using WebSphere MQ Explorer, to specify the cipher suite to be used. This channel has a default name of SYSTEM.BKR.CONFIG and this name is used unless you have specified a different name on the Create a Domain Connection panel or Domain Properties panel; see Creating a domain connection and Modifying domain connection properties.
  6. Add the required parameters (cipher suite, for example) to the Configuration Manager Proxy. If a truststore other than the default is used, its full path must be passed in via the truststore parameter.

When you have performed these steps, the Configuration Manager Proxy connects to the Configuration Manager only if the Configuration Manager presents a valid certificate signed by a trusted certificate authority (one whose certificate you added to the truststore in step 3).

For two-way authentication (with the Configuration Manager also authenticating the Configuration Manager Proxy) perform the following additional steps:
  1. Generate or obtain all the appropriate keys and certificates. This includes a signed pkcs12 certificate for the client and the appropriate public key for the certificate authority that signed the pkcs12 certificate.
  2. Add the certificate of the certificate authority to the queue manager certificate store; use the standard WebSphere MQ facilities (for example, WebSphere MQ Explorer for WebSphere MQ Version 6).
  3. Set the server-connection channel to always authenticate. You can use SSLCAUTH(REQUIRED) in runmqsc, or WebSphere MQ Explorer.
  4. Add the pkcs12 certificate to the JSSE keystore of the JVM at the Configuration Manager Proxy end using a tool such as keytool.
  5. If you are not using the default keystore, its full path must be passed into the Configuration Manager Proxy via the keystore parameter.

When you have performed these steps, the Configuration Manager allows the Configuration Manager Proxy to connect only if the Configuration Manager Proxy has a certificate signed by one of the certificate authorities in its keystore.

Further restrictions can be made using the sslPeerName field; for example, you can allow connections only from certificate holders with a specific company or department name in their certificates. In addition, you can invoke a security exit for communications between the Configuration Manager Proxy and the Configuration Manager; see Using security exits.
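The following program is an added pre-flight check, not part of this topic or of the CMP API: it loads the JSSE truststore built in step 3, asks the JVM's own trust manager whether a given server certificate would be accepted (the one-way check), and then applies a simplified sslPeerName-style filter to the certificate's subject DN. The file paths, password and filter string are assumptions, and the filter semantics (each listed attribute must match, "*" accepts any value) are a simplification of the WebSphere MQ sslPeerName syntax.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.*;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;
import javax.net.ssl.*;

/* Offline pre-flight for the trust material prepared above (added example, not IBM code). */
public class CmpSslPreflight {
    /* One-way check: does the proxy-side JSSE truststore (step 3) accept this server chain? */
    static boolean serverTrusted(KeyStore trustStore, X509Certificate[] chain) throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (!(tm instanceof X509TrustManager)) continue;
            try {
                ((X509TrustManager) tm).checkServerTrusted(chain, "RSA");
                return true;
            } catch (CertificateException e) {
                return false; // issuer not in truststore, certificate expired, or chain does not verify
            }
        }
        return false;
    }

    /* Simplified sslPeerName-style filter. Assumption: every attribute in the filter must be
       present in the subject DN with the same value, and "*" accepts any value for that attribute. */
    static boolean peerNameMatches(X509Certificate cert, String filter) throws Exception {
        LdapName subject = new LdapName(cert.getSubjectX500Principal().getName());
        for (Rdn want : new LdapName(filter).getRdns()) {
            boolean found = false;
            for (Rdn have : subject.getRdns()) {
                if (have.getType().equalsIgnoreCase(want.getType())
                        && ("*".equals(want.getValue()) || have.getValue().equals(want.getValue()))) {
                    found = true;
                }
            }
            if (!found) return false;
        }
        return true;
    }

    /* Usage (paths, password and filter are assumptions):
       java CmpSslPreflight truststore.jks changeit server.pem "CN=*,O=Example" */
    public static void main(String[] args) throws Exception {
        KeyStore trust = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(args[0])) { trust.load(in, args[1].toCharArray()); }
        X509Certificate server = (X509Certificate) CertificateFactory.getInstance("X.509")
                .generateCertificate(new FileInputStream(args[2]));
        System.out.println("issuer trusted: " + serverTrusted(trust, new X509Certificate[] { server }));
        System.out.println("peer name accepted: " + peerNameMatches(server, args[3]));
    }
}
```

Run it against the PEM copy of the queue manager's certificate before connecting the proxy: a "false" for the first line means the truststore from step 3 does not contain the signing authority, and a "false" for the second line means the DN filter you plan to use in sslPeerName would reject this server.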

Related concepts
Security overview
SSL authentication
Authentication services
Related tasks
Using security exits
Implementing SSL authentication
Modifying domain connection properties
Related reference
Security requirements for administrative tasks
Broker properties

Copyright IBM Corporation 1999, 2007. All Rights Reserved.
