Configuring an HTTPRequest node to use SSL (HTTPS)

Configure the HTTPRequest node to communicate with other applications that use HTTP over SSL by adding certificates to the cacerts file and creating a message flow to make HTTP requests.


This topic describes the steps that you need to follow when configuring an HTTPRequest node on a Windows® system. The steps that you need to follow on other operating systems are almost identical.

To enable an HTTPRequest node to communicate using HTTP over SSL, an HTTPS server application is required. The information provided in this topic shows how to use the HTTPInput node for SSL as the server application, but the same details also apply when you are using any other server application.


Adding certificates to the cacerts file

You must add the certificate for the server application to be called (and trusted) to the cacerts file for WebSphere® Message Broker. This file is the default trust store for the broker and is located in the broker's JRE security directory. To find the cacerts file on Windows:
  1. Click Start > IBM WebSphere Message Brokers 6.0 > Command Console to open a broker command console.
  2. In the command console, type the following command to change to the directory in which the cacerts file is stored, for example:
    cd "%MQSI_FILEPATH%\jre\lib\security"
    or
    cd "%MQSI_FILEPATH%\jre15\lib\security"
On UNIX® systems, the cacerts file is stored in the following directory:
/opt/IBM/mqsi/6.1/jre15/ppc64/lib/security
or
$MQSI_FILEPATH/jre15/ppc64/lib/security

Importing a certificate into the cacerts file

Use the keytool command to modify the cacerts file:

  1. Click Start > IBM WebSphere Message Brokers 6.0 > Command Console to open a broker command console.
  2. In the command console, type the following command:
    "%MQSI_FILEPATH%\jre\bin\keytool" -import -alias mykey
    -file name of certificate file -keystore cacerts
    -storepass changeit
    where:
    name of certificate file
    is the fully qualified name of the certificates file. This file is typically found in the message broker user's home directory.
    changeit
    is the default password for the cacerts file. You can use the keytool command to change the password, but, because it is not a configurable property of the broker, the broker always attempts to access the cacerts file using the default password changeit.

    If you must change the cacerts password, or if you must use a different trust store, you can pass the information to the broker's Java Virtual Machine (JVM) by setting the following environment variable:

    On Windows, AIX®, and Linux®:

    IBM_JAVA_OPTIONS=
    -Djavax.net.ssl.trustStore=<trustStore_path>/<trustStore_filename>
    -Djavax.net.ssl.trustStorePassword=<trustStore_password>

    On Solaris and HP-UX:

    _JAVA_OPTIONS=
    -Djavax.net.ssl.trustStore=<trustStore_path>/<trustStore_filename>
    -Djavax.net.ssl.trustStorePassword=<trustStore_password>

    Use caution when using this environment variable, because if the setting is not valid, the broker's execution groups might be unable to create their JVM, and therefore cannot start successfully. Do not use the IBM_JAVA_OPTIONS (or _JAVA_OPTIONS) environment variable if you are also using SSL authentication with Real-time nodes, or with the WebSphere MQ Java™ Client.

Extracting a certificate from another keystore
  1. Click Start > IBM WebSphere Message Brokers 6.0 > Command Console to open a broker command console.
  2. In the command console, type the following command:
    "%MQSI_FILEPATH%\jre\bin\keytool" -export -alias mykey
    -file name of certificate file -keystore keystore file
    -storepass password
    where
    name of certificate file
    is the fully qualified name of the certificate file. This file typically has the extension .keystore and is located in the broker user's home directory.
    keystore file
    is the fully qualified name of the keystore file. This file is typically found in the broker user's home directory.
    mykey
    is the alias name for the keystore entry (certificate).
    changeit
    is the password for the keystore file.
You must import the correct certificate (which the HTTP server uses to present its authentication credentials) into the cacerts file.
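
The import command trusts whatever certificate file it is given, so the fingerprint of that file should be compared with one obtained from the server's owner out of band before it goes into the trust store. The following script is an added example, not part of the original IBM topic: it assumes the broker JRE's keytool is on PATH, and the function names and the FP_ALG and STOREPASS variables are hypothetical.

```sh
#!/bin/sh
# Added example: check a certificate's fingerprint before importing it.
# Assumes keytool is on PATH. FP_ALG names the fingerprint line to read from
# "keytool -printcert" output (SHA1 here; newer JREs also print SHA256).
FP_ALG=${FP_ALG:-SHA1}

# Normalise a fingerprint: drop colons and whitespace, upper-case the hex.
fp_normalize() {
    printf '%s' "$1" | tr -d ': \t\r\n' | tr 'abcdef' 'ABCDEF'
}

# Print the fingerprint that keytool computes for a certificate file.
cert_fingerprint() {
    keytool -printcert -file "$1" |
        sed -n "s/^[[:space:]]*${FP_ALG}:[[:space:]]*//p" | head -n 1
}

# import_verified <cert file> <expected fingerprint> <alias> <trust store>
# Returns 0 after a successful import, 2 on a fingerprint mismatch,
# 3 if no fingerprint could be read, 1 if keytool itself fails.
import_verified() {
    cert=$1; expected=$(fp_normalize "$2"); entry=$3; store=$4
    actual=$(fp_normalize "$(cert_fingerprint "$cert")")
    if [ -z "$actual" ]; then
        echo "no $FP_ALG fingerprint found for $cert" >&2; return 3
    fi
    if [ "$actual" != "$expected" ]; then
        echo "fingerprint mismatch for $cert: got $actual" >&2; return 2
    fi
    # -noprompt is acceptable only because the fingerprint was checked above.
    keytool -import -noprompt -alias "$entry" -file "$cert" \
        -keystore "$store" -storepass "${STOREPASS:-changeit}" || return 1
    # Confirm that the entry is now present in the trust store.
    keytool -list -alias "$entry" -keystore "$store" \
        -storepass "${STOREPASS:-changeit}" >/dev/null || return 1
}

# Runs only when called with four arguments, for example:
#   sh import_verified.sh server.cer "AB:CD:..." mykey ./cacerts
if [ "$#" -eq 4 ]; then
    import_verified "$@"
fi
```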

Creating a message flow to make HTTPS requests

The following steps create a generic message flow that converts a WebSphere MQ message into an HTTPRequest:

  1. Create a message flow with the nodes MQInput->HTTPRequest->Compute->MQOutput.
  2. On the MQInput node, set the queue name to HTTPS.IN1 and create the WebSphere MQ queue.
  3. On the MQOutput node, set the queue name to HTTPS.OUT1 and create the WebSphere MQ queue.
  4. On the HTTPRequest node, set the Web Service URL to point to the HTTP server to call. To call the HTTPInput node, use https://localhost:7083/testHTTPS.
  5. On the Advanced properties tab of the HTTPRequest node, set the Response message location in tree property to OutputRoot.BLOB.
  6. On the Compute node, add the following ESQL code:
    CREATE COMPUTE MODULE test_https_Compute
        CREATE FUNCTION Main() RETURNS BOOLEAN
        BEGIN
            -- CALL CopyMessageHeaders();
            CALL CopyEntireMessage();
            set OutputRoot.HTTPResponseHeader = null;
            RETURN TRUE;
        END;
    
        CREATE PROCEDURE CopyMessageHeaders() BEGIN
            DECLARE I INTEGER;
            DECLARE J INTEGER;
            SET I = 1;
            SET J = CARDINALITY(InputRoot.*[]);
            WHILE I < J DO
                SET OutputRoot.*[I] = InputRoot.*[I];
                SET I = I + 1;
            END WHILE;
        END;
    
        CREATE PROCEDURE CopyEntireMessage() BEGIN
            SET OutputRoot = InputRoot;
        END;
    END MODULE;

The message flow is now ready to be deployed to the broker and tested.

Testing your example

To test that the example works, complete the following steps:

  1. Follow the instructions in Configuring HTTPInput and HTTPReply nodes to use SSL (HTTPS), including testing the example.
  2. Deploy the HTTPRequest message flow.
  3. Put a message to the WebSphere MQ queue HTTPS.IN1. If successful, a message appears on the output queue. If the process fails, an error appears in the local error log (which is the event log on Windows).

Copyright IBM Corporation 1999, 2009.
Last updated : 2009-01-07 15:22:50
