Configuring HTTPInput and HTTPReply nodes to use SSL (HTTPS)

Configure the HTTPInput and HTTPReply nodes to communicate with other applications using HTTPS by creating a key store file, configuring the broker to use SSL, and creating a message flow to process HTTPS requests.

Follow these steps to configure the HTTPInput and HTTPReply nodes to communicate with other applications using HTTP over SSL:

Create a key store file to store the broker's certificates

WebSphere® Message Broker includes a Java Runtime Environment (JRE) that supplies a keystore manipulation program, which is called keytool. To invoke this command complete the following steps:

  1. Select Start > IBM WebSphere Message Brokers 6.0 > Command Console to open the broker command console.
  2. In the command console, type the following command:
    "%MQSI_FILEPATH%\jre\bin\keytool"
    This displays the help options and therefore validates that the command is working.
  3. Use the keytool command to create the key store and generate a new self-signed certificate (or key pair):
    1. In the command console, type the following command:
      "%MQSI_FILEPATH%\jre\bin\keytool" -genkey -keystore keystore file -storepass password -alias mykey
      where keystore file is the fully qualified name of the key store file, password is the password used for the key store, and mykey is the name (or label) given to the new key pair that is being generated. The key store file is typically called .keystore and is located in the WebSphere Message Broker home directory.
    2. Enter the personal details that are required to generate the certificates.
    3. When you are prompted to enter a key password for the alias, press Enter to use the same password as the key store. The key store is either generated or updated (if it already exists).

    This command creates a key store of type JKS, which is the only store type supported by the broker.

    You can set these parameters to any values, but the properties on the broker must be changed to reflect them.

    The -genkey parameter generates all the certificate files necessary to enable HTTPS to work for testing purposes, but they are not suitable for use in a production system. You must purchase an official certificate from a certification authority. Consult your system administrator to check your company policy for certificate creation.

    To import a certificate generated by a certification authority, use the -import parameter instead of the -genkey parameter.

    You must ensure that the server key and the cipher that you are using are compatible with each other. For example, if the server is using a DSA key, and the client is using an SSL_DHE_RSA_WITH_AES_128_CBC_SHA cipher, you need to use an RSA key on the server.

    To change the server key to RSA, add the following parameter to the keytool command before the -alias parameter:
       -keyalg RSA

The keystore is now created and is ready for use by the broker.
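As an added example that is not part of the IBM documentation, the following Python helper applies the key/cipher compatibility check described above: it reads the key type out of a constructed keytool -list -v listing, works out which server key type a cipher suite such as SSL_DHE_RSA_WITH_AES_128_CBC_SHA requires, and builds the -genkey command with -keyalg RSA placed before -alias as in the steps above. The listing text, owner name, key store path and password are constructed sample values.

```python
"""Added helper (not IBM's code): check that the broker's server key type matches
the key exchange of the client's cipher suite, and build the fixing -genkey command."""
import re

# Constructed excerpt of a `keytool -list -v` listing; older keytool versions
# generate a DSA key by default, the case the documentation warns about.
SAMPLE_LISTING = """\
Alias name: mykey
Owner: CN=broker.example.test, OU=Test, O=Example, C=GB
Signature algorithm name: SHA1withDSA
"""

# Key-exchange token of a JSSE cipher suite name -> server key type it needs;
# anonymous (DH_anon) and unknown tokens map to None.
_KX_TO_KEY = {"RSA": "RSA", "DHE_RSA": "RSA", "ECDHE_RSA": "RSA", "ECDH_RSA": "RSA",
              "DHE_DSS": "DSA", "ECDHE_ECDSA": "EC", "ECDH_ECDSA": "EC"}

def server_key_for_cipher(suite):
    """Server key algorithm a suite such as SSL_DHE_RSA_WITH_AES_128_CBC_SHA requires."""
    m = re.match(r"^(?:SSL|TLS)_(.+?)_WITH_", suite)
    if not m:
        raise ValueError("not a JSSE cipher suite name: %s" % suite)
    return _KX_TO_KEY.get(m.group(1))

def key_alg_from_listing(listing, alias="mykey"):
    """Key type of `alias` from the cert's signature algorithm (SHA1withDSA -> DSA)."""
    for entry in listing.split("Alias name: ")[1:]:
        name, _, body = entry.partition("\n")
        if name.strip() != alias:
            continue
        m = re.search(r"Signature algorithm name:\s*\w+?with(\w+)", body)
        if m:
            alg = m.group(1).upper()
            return "EC" if alg == "ECDSA" else alg
    return None

def check_key_against_cipher(listing, suite, alias="mykey"):
    """Return (compatible, required_key_alg, actual_key_alg)."""
    required = server_key_for_cipher(suite)
    actual = key_alg_from_listing(listing, alias)
    return (required is not None and required == actual, required, actual)

def genkey_command(keystore, storepass, alias="mykey", keyalg=None,
                   keytool='"%MQSI_FILEPATH%\\jre\\bin\\keytool"'):
    """Build the -genkey command; -keyalg is placed before -alias as in the steps above."""
    parts = [keytool, "-genkey", "-keystore", keystore, "-storepass", storepass]
    parts += ["-keyalg", keyalg] if keyalg else []
    return " ".join(parts + ["-alias", alias])
```

Run check_key_against_cipher against the real listing of your key store; if it reports (False, "RSA", "DSA"), regenerate the key pair with genkey_command(..., keyalg="RSA").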

Configuring the broker to use SSL on a particular port

The broker requires several properties to be set to make use of HTTP over SSL. All of these properties can be changed using the mqsichangeproperties command. Change the properties as follows:

Ensure that each of these properties is set with correct values for your system. Only the enableSSLConnector property must be set; the other three properties have default values. The mqsichangeproperties command lists the default values for all the properties.

On UNIX systems, only processes that run under a privileged user account (in most cases, root) can bind to ports lower than 1024. For the broker to listen on these ports, the broker's service user ID must be root.

Creating a message flow to process HTTPS requests

You can create a simple message flow to use HTTPS by connecting an HTTPInput node to an HTTPReply node. The two most important properties to set on the HTTPInput node are:

  • Path suffix for URL, for example /* or /testHTTPS
  • Use HTTPS

/* means that the HTTPInput node will match against any request that is sent to the HTTP listener on a designated port. This is useful for testing purposes, but is not recommended for production systems.

You can now deploy the message flow to the broker. If all other steps have been followed up to this point, a BIP3132 message appears in the local system log (which is the event log on Windows) stating that the HTTPS listener has been started.

You can now test the system.

Testing your example

The simplest method of testing whether HTTPS is configured correctly is to use a Web browser to make a request to the broker over HTTPS.

Start a Web browser and enter the following URL:
  https://localhost:7083/testHTTPS
Change any values in the URL to reflect changes that you have made in your broker configuration. When a window is displayed asking you to accept the certificate, select Yes. The browser refreshes the window and displays an empty HTML page. In Mozilla browsers the empty HTML page looks like the following example:
  <html>
    <body/>
  </html>
and in Internet Explorer the following information is displayed:
  XML document must have a top level element. Error processing resource
  'https://localhost:7083/testHTTPS'

These responses mean that a blank page was returned, indicating that the setup worked correctly. To add content to the empty page, you can add a compute node to the flow.

You can also use another HTTPS client, such as a Java or .NET client, instead of the Web browser. Depending on the type of client, you might need to export the certificate (which was created with keytool) from the HTTP listener's key store file and then import it into the client's key store. Read the client documentation to find out how to configure the client to make client connections over SSL.

Copyright IBM Corporation 1999, 2009.
Last updated: 2009-01-07 15:22:50