WebSphere Message Brokers
File: ap12235_
Writer: John Cooper

Task topic

This build: July 31, 2007 21:35:00

Configuring an HTTPRequest node to use SSL (HTTPS)

This task topic explains how to configure the HTTPRequest node to communicate with other applications using HTTP over SSL. The task covers the steps required on a Windows system, but almost identical steps are required on any other platform. To complete the HTTPRequest task, an HTTPS server application is required. For simplicity, the only details given here are for using the HTTPInput node for SSL as the server application. However, the same details also apply when you are using any other server application.

Adding certificates to the cacerts file

The certificate for the server application to be called must be added to the cacerts file for WebSphere Message Broker. This is located in the JRE security directory. To find the cacerts file on Windows, complete the following steps:
  1. Select Start > IBM WebSphere Message Brokers 6.0 > Command Console to open a broker command console.
  2. In the command console, type the following command to change to the directory where the cacerts file is located:
    cd "%MQSI_FILEPATH%\jre\lib\security"

To modify the cacerts file, you must use the keytool command.

Importing a certificate into the cacerts file
  1. Select Start > IBM WebSphere Message Brokers 6.0 > Command Console to open a broker command console.
  2. In the command console, type the following command on a single line:
    "%MQSI_FILEPATH%\jre\bin\keytool" -import -alias mykey
    -file name of certificate file -keystore cacerts
    -keypass changeit

    name of certificate file
        the fully qualified name of the certificate file. This file is normally found in the message broker user's home directory.
    changeit
        the default password for the cacerts file. You should change this password as soon as possible. You can use keytool to change the password.

Extracting a certificate from another keystore
  1. Select Start > IBM WebSphere Message Brokers 6.0 > Command Console to open a broker command console.
  2. In the command console, type the following command on a single line:
    "%MQSI_FILEPATH%\jre\bin\keytool" -export -alias tomcat
    -file name of certificate file -keystore keystore file
    -keypass changeit

    name of certificate file
        the fully qualified name of the certificate file. This file is normally called .keystore and is usually located in the message broker user's home directory.
    keystore file
        the fully qualified name of the keystore file. This file is normally found in the message broker user's home directory.
    changeit
        the default password for the cacerts file. You should change this password as soon as possible. You can use keytool to change the password.

It is important to ensure that the correct certificate has been imported into the cacerts file. The correct certificate is the certificate that the HTTP server should use.
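
One way to carry out this check from the broker command console, given as an added example that is not part of the original IBM topic. CERT_FILE and SERVER_KEYSTORE are placeholder paths (assumptions); the aliases tomcat and mykey and the default password changeit are the ones used in the steps above.

```bat
@echo off
rem Added example: confirm that the entry imported into cacerts is the same
rem certificate that the HTTPS server presents, then replace the default
rem cacerts password. keytool prompts for each keystore password.
setlocal
set "KEYTOOL=%MQSI_FILEPATH%\jre\bin\keytool"
set "CACERTS=%MQSI_FILEPATH%\jre\lib\security\cacerts"
rem Placeholder paths (assumptions): substitute your own files.
set "CERT_FILE=C:\placeholder\server.cer"
set "SERVER_KEYSTORE=C:\placeholder\.keystore"

echo === 1. Certificate held in the server keystore (alias tomcat) ===
"%KEYTOOL%" -list -v -alias tomcat -keystore "%SERVER_KEYSTORE%"
if errorlevel 1 goto :failed

echo === 2. Exported certificate file ===
"%KEYTOOL%" -printcert -file "%CERT_FILE%"
if errorlevel 1 goto :failed

echo === 3. Entry trusted by the broker JRE (alias mykey) ===
"%KEYTOOL%" -list -v -alias mykey -keystore "%CACERTS%"
if errorlevel 1 goto :failed

rem Compare the certificate fingerprint lines of the three outputs by eye.
rem All three must be identical. If the cacerts entry differs, remove it with
rem   keytool -delete -alias mykey -keystore cacerts
rem and repeat the import with the correct certificate file.

echo === 4. Change the cacerts password from the default (changeit) ===
"%KEYTOOL%" -storepasswd -keystore "%CACERTS%"
if errorlevel 1 goto :failed

endlocal
exit /b 0

:failed
echo keytool reported an error; check the alias, file path and password.
endlocal
exit /b 1
```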

Creating a message flow to make HTTPS requests

The following steps create a generic message flow for converting a WebSphere MQ message into an HTTP request:

  1. Create a message flow with the nodes MQInput->HTTPRequest->Compute->MQOutput.
  2. For the MQInput node, set the queue name to HTTPS.IN1 and create the MQSeries queue.
  3. For the MQOutput node, set the queue name to HTTPS.OUT1 and create the MQSeries queue.
  4. For the HTTPRequest node, set the Web Service URL to point to the HTTP server to call. To call the HTTPInput task, use https://localhost:7083/testHTTPS.
  5. For the HTTPRequest node, set the advanced properties to use OutputRoot.BLOB as the Response location in tree.
  6. In the Compute node, add the following ESQL:
    CREATE COMPUTE MODULE test_https_Compute
        CREATE FUNCTION Main() RETURNS BOOLEAN
        BEGIN
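            -- CALL CopyMessageHeaders();
            -- Copy the entire input message tree to the output message.
            CALL CopyEntireMessage();
            -- Remove the HTTP response header from the output message.
            SET OutputRoot.HTTPResponseHeader = NULL;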
            RETURN TRUE;
        END;
    
        CREATE PROCEDURE CopyMessageHeaders() BEGIN
            DECLARE I INTEGER;
            DECLARE J INTEGER;
            SET I = 1;
            SET J = CARDINALITY(InputRoot.*[]);
            WHILE I < J DO
                SET OutputRoot.*[I] = InputRoot.*[I];
                SET I = I + 1;
            END WHILE;
        END;
    
        CREATE PROCEDURE CopyEntireMessage() BEGIN
            SET OutputRoot = InputRoot;
        END;
    END MODULE;

The message flow is now ready to be deployed to the broker and tested.

Testing your example

To test that the example works, complete the following steps:

  1. Follow all of the instructions given in Configuring HTTPInput and HTTPReply nodes to use SSL (HTTPS), including testing the example.
  2. Deploy the HTTPRequest message flow.
  3. Put a message to the MQSeries queue HTTPS.IN1. A message should appear on the output queue. If it fails, an error appears in the local error log (the event log on Windows).

Copyright IBM Corporation 1999, 2007. All Rights Reserved.