WebSphere Message Brokers
File: ap12234_
Writer: Neil Dewhurst

Task topic

This build: July 31, 2007 21:35:00

Configuring HTTPInput and HTTPReply nodes to use SSL (HTTPS)

This topic explains how to configure the HTTPInput and HTTPReply nodes to communicate with other applications using HTTP over SSL.

Create a key store file to store the broker's certificates

WebSphere Message Broker includes a Java Runtime Environment (JRE) that supplies keytool, a program for creating and manipulating keystores. To use it, complete the following steps:

  1. Select Start > IBM WebSphere Message Brokers 6.0 > Command Console to open the broker command console.
  2. In the command console, type the following command:
    "%MQSI_FILEPATH%\jre\bin\keytool"
    This displays the help options and therefore confirms that the command is working.
  3. Use the keytool command to create the key store. In the command console, type the following command:
    "%MQSI_FILEPATH%\jre\bin\keytool" -genkey -keypass password -keystore keystore_file -alias tomcat
    where:
    password
    the password that protects the generated private key. keytool also prompts for a keystore password; use the same value for both, so that the single password you give to the broker unlocks both the keystore and the key.
    keystore_file
    the fully qualified name of the keystore file. This file is typically called .keystore and is located in the WebSphere Message Broker home directory. Restrict read access to this file to the user ID that the broker runs under, because it holds the broker's private key.
    The command then prompts you for some personal details (the distinguished name) that are placed in the certificate. Your details are added to the key store if it already exists; otherwise a new key store is generated.

    These values can be set to any values that are required, but the properties on the broker must be changed to reflect them. The -genkey option generates a key pair and a self-signed certificate, which is enough to get HTTPS working but is not an official certificate: clients have no reason to trust it, so it is not advisable for use in a production system. For production, obtain a certificate from a certificate authority (CA). Consult your system administrator to find out your company policy for certificate creation. To use a certificate issued by a CA, keep the key pair created by -genkey, generate a certificate signing request from it with the -certreq option, and, once the CA has signed it, load the CA's certificate and the signed certificate into the keystore with the -import option (the signed certificate under the same alias as the key pair).

The keystore is now created and is ready for use by the broker.
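The following script is an added example for this topic, not a command sequence from the original page or from IBM: it creates the listener keystore with keytool, requests a CA-signed certificate, imports the CA's reply and checks the result. It assumes that the broker home is %MQSI_FILEPATH%, that broker.example.com is the host name clients will use, that the CA returns the signed certificate as broker-signed.cer together with its own certificate ca.cer, and that the placeholder password is replaced before use.

```batch
@echo off
rem Added example, not part of the original topic: build the HTTPS listener keystore.
rem Assumptions: %MQSI_FILEPATH% is the broker home, broker.example.com is the
rem host name clients connect to, the CA returns broker-signed.cer and ca.cer,
rem and STOREPASS is replaced with a real password before the script is run.
setlocal
set KEYTOOL="%MQSI_FILEPATH%\jre\bin\keytool"
set KEYSTORE="%MQSI_FILEPATH%\.keystore"
set STOREPASS=changeit-to-a-strong-password

rem 1. Key pair plus a self-signed placeholder certificate. -keyalg RSA is given
rem    explicitly because older keytool versions default to DSA, which many SSL
rem    clients reject. The key password is deliberately the keystore password.
%KEYTOOL% -genkey -alias tomcat -keyalg RSA -keysize 2048 -validity 365 ^
  -dname "CN=broker.example.com, OU=Integration, O=Example Ltd, C=GB" ^
  -keystore %KEYSTORE% -storepass %STOREPASS% -keypass %STOREPASS%
if errorlevel 1 goto fail

rem 2. Certificate signing request to send to the CA. For a self-signed test
rem    keystore, stop after step 1 and skip steps 2 and 3.
%KEYTOOL% -certreq -alias tomcat -file broker.csr ^
  -keystore %KEYSTORE% -storepass %STOREPASS%
if errorlevel 1 goto fail

rem 3. Import the CA certificate first so that the signed reply can be chained,
rem    then the signed certificate under the same alias as the key pair.
%KEYTOOL% -import -trustcacerts -noprompt -alias rootca -file ca.cer ^
  -keystore %KEYSTORE% -storepass %STOREPASS%
if errorlevel 1 goto fail
%KEYTOOL% -import -trustcacerts -alias tomcat -file broker-signed.cer ^
  -keystore %KEYSTORE% -storepass %STOREPASS%
if errorlevel 1 goto fail

rem 4. Check the result: the tomcat entry must be a key entry whose certificate
rem    chain ends at the CA, and the CA entry must be a trusted certificate entry.
%KEYTOOL% -list -v -keystore %KEYSTORE% -storepass %STOREPASS%
endlocal
exit /b 0

:fail
echo keytool step failed; the keystore is not ready for the broker.
endlocal
exit /b 1
```

The password is placed in the script only to make the example self-contained; in practice, let keytool prompt for it, and restrict the keystore file so that only the broker's service user ID can read it.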

Configuring the broker to use SSL on a particular port

The broker requires several properties to be set to make use of HTTP over SSL. All of these properties can be changed using the mqsichangeproperties command.

Ensure that all of these properties are set with correct values for your system. Only the enableSSLConnector property has to be set; the other three properties have default values. However, it is advisable to change these default values, in particular the keystore password: a default password is public knowledge and protects the broker's private key no better than no password at all. The reference information for the mqsichangeproperties command lists the default values for all the properties. The HTTP listener reads these properties when it starts, so stop and restart the broker after changing them.
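The following script is an added example for this section, not a command sequence from the original page or from IBM. Because this page does not list the property names, the script assumes the WebSphere Message Broker 6.0 conventions for the HTTP listener: enableSSLConnector on the HTTPListener object and keystoreFile, keystorePass and port on the HTTPSConnector object, all under the httplistener component; the broker name WBRK6_DEFAULT_BROKER and the mqsireportproperties syntax are also assumptions. Check each name against the mqsichangeproperties reference for your release before relying on it.

```batch
@echo off
rem Added example, not part of the original topic: configure the HTTPS listener.
rem Assumptions: broker name WBRK6_DEFAULT_BROKER; keystore created with keytool
rem in %MQSI_FILEPATH%\.keystore; property names (HTTPListener/enableSSLConnector,
rem HTTPSConnector/keystoreFile, keystorePass, port) and the mqsireportproperties
rem syntax follow WebSphere Message Broker 6.0 conventions and are not taken from
rem this page. Verify them against the command reference for your release.
setlocal
set BROKER=WBRK6_DEFAULT_BROKER
set KEYSTORE=%MQSI_FILEPATH%\.keystore
set /p STOREPASS=Keystore password: 

rem Turn the HTTPS connector on: the only property that has to be set.
mqsichangeproperties %BROKER% -b httplistener -o HTTPListener -n enableSSLConnector -v true
if errorlevel 1 goto fail

rem Point the listener at the keystore and give it the password. Never leave the
rem default password in place; defaults are public and protect nothing.
mqsichangeproperties %BROKER% -b httplistener -o HTTPSConnector -n keystoreFile -v "%KEYSTORE%"
if errorlevel 1 goto fail
mqsichangeproperties %BROKER% -b httplistener -o HTTPSConnector -n keystorePass -v "%STOREPASS%"
if errorlevel 1 goto fail

rem Choose the HTTPS port; 7083 matches the test URL used later in this topic.
mqsichangeproperties %BROKER% -b httplistener -o HTTPSConnector -n port -v 7083
if errorlevel 1 goto fail

rem Show what the listener will use (-a lists all properties of the object; an
rem assumption about the mqsireportproperties syntax).
mqsireportproperties %BROKER% -b httplistener -o HTTPSConnector -a

rem Listener properties are read at start-up, so restart the broker.
mqsistop %BROKER%
mqsistart %BROKER%
endlocal
exit /b 0

:fail
echo mqsichangeproperties failed; check the broker name and the property names.
endlocal
exit /b 1
```

Reading the password with set /p keeps it out of the script file, but it is still echoed on screen and recorded in the broker's configuration; treat the command console session and the configuration store accordingly.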

Creating a message flow to process HTTPS requests

The simplest message flow that shows HTTPS working is one that contains an HTTPInput node connected directly to an HTTPReply node. The two important properties to set on the HTTPInput node are:

  • Path suffix for URL. For example /* or /testHTTPS
  • Use HTTPS. Tick the box if you want to use HTTPS

/* means that the HTTPInput node matches any request that is sent to the HTTP listener on the designated port. This is useful for testing, but it is not recommended for production, because the flow then accepts every URL on that port, including ones you never intended to expose; use a specific path suffix such as /testHTTPS instead.

You can now deploy the message flow to the broker. If all the previous steps have been followed, a BIP3132 message appears in the local system log (the event log on Windows) stating that the HTTPS listener has been started.

You can now test the system.

Testing your example

The simplest method of testing whether HTTPS is configured correctly is to use a web browser to make a request to the broker over HTTPS.

Start a web browser and type the following URL:
 https://localhost:7083/testHTTPS
Change any values in the URL to reflect changes you have made in your broker configuration. Because the certificate generated by keytool is self-signed, the browser displays a warning asking whether to accept it; accept it for this test only (a CA-issued certificate that the browser already trusts produces no warning). The browser then refreshes and displays the structure of an empty HTML page. In Mozilla browsers this looks like the following example:
<html>   
  <body/> 
</html>
and in Internet Explorer the following information should be displayed:
XML document must have a top level element. Error processing resource
'https://localhost:7083/testHTTPS'

These responses mean that an empty body was returned, which shows that the setup worked correctly. To add content to the page that is returned, add a Compute node to the flow between the HTTPInput and HTTPReply nodes.

Another HTTPS client, such as a Java or .NET client, can be used instead of the web browser. Depending on the type of client, the certificate that was created with keytool might have to be exported from the HTTP listener's keystore file and imported into the client's own keystore (truststore); export only the certificate, never the private key. Consult the client documentation to find out how to configure the client to make client connections over SSL.
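The following script is an added example for this section, not a command sequence from the original page or from IBM: it exports the listener's certificate (only the certificate, not the key), builds a separate truststore for a Java client, and checks the HTTPS listener with an OpenSSL handshake instead of clicking through browser warnings. It assumes the keystore, alias and password from the keytool step, host name localhost and port 7083, and an openssl command on the PATH (OpenSSL is not part of the broker; install it or run that step from another machine).

```batch
@echo off
rem Added example, not part of the original topic: export the listener certificate,
rem build a client truststore and verify the HTTPS listener with OpenSSL.
rem Assumptions: keystore, alias tomcat and password from the keytool step,
rem listener at localhost:7083, and openssl available on the PATH.
setlocal
set KEYTOOL="%MQSI_FILEPATH%\jre\bin\keytool"
set KEYSTORE="%MQSI_FILEPATH%\.keystore"
set STOREPASS=changeit-to-a-strong-password

rem 1. Export only the certificate (-rfc writes PEM, which both keytool and
rem    openssl read). The private key never leaves the listener keystore.
%KEYTOOL% -export -rfc -alias tomcat -file broker.cer ^
  -keystore %KEYSTORE% -storepass %STOREPASS%
if errorlevel 1 goto fail

rem 2. A separate truststore for the client. Importing into the JRE's cacerts
rem    would make every Java program on the machine trust the broker certificate.
%KEYTOOL% -import -noprompt -alias broker -file broker.cer ^
  -keystore client-truststore.jks -storepass %STOREPASS%
if errorlevel 1 goto fail

rem 3. Handshake check. For a self-signed certificate the exported certificate is
rem    the only possible trust anchor, so it is passed as -CAfile; for a CA-issued
rem    certificate pass the CA certificate instead. Expect
rem    "Verify return code: 0 (ok)" and the subject you entered in keytool; any
rem    other subject means the port is serving a different key than you think.
(
  echo GET /testHTTPS HTTP/1.0
  echo Host: localhost:7083
  echo.
) > request.txt
openssl s_client -connect localhost:7083 -CAfile broker.cer < request.txt
endlocal
exit /b 0

:fail
echo certificate export or truststore import failed.
endlocal
exit /b 1
```

A Java client can then be pointed at the truststore with the standard JSSE system properties, for example -Djavax.net.ssl.trustStore=client-truststore.jks and -Djavax.net.ssl.trustStorePassword=..., so that it verifies the broker's certificate instead of being configured to accept any certificate.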

Copyright IBM Corporation 1999, 2007. All Rights Reserved.