Configure the HTTPInput and HTTPReply nodes to communicate with other applications using HTTPS by creating a key store file, configuring the broker to use SSL, and creating a message flow to process HTTPS requests.
Follow these steps to configure the HTTPInput and HTTPReply nodes to communicate with other applications using HTTP over SSL:
WebSphere® Message Broker includes a Java Runtime Environment (JRE) that supplies a keystore manipulation program, which is called keytool. To invoke this command, complete the following steps:
The keystore is now created and is ready for use by the broker.
The broker requires several properties to be set to make use of HTTP over SSL. All of these properties can be changed using the mqsichangeproperties command. Change the properties as follows:
Ensure that each of these properties is set with correct values for your system. Only the enableSSLConnector property must be set; the other three properties have default values. The mqsichangeproperties command lists the default values for all the properties.
On UNIX systems, only processes that run under a privileged user account (in most cases, root) can bind to ports lower than 1024. For the broker to listen on these ports, the broker's service user ID must be root.
You can create a simple message flow to use HTTPS by connecting an HTTPInput node to an HTTPReply node. The two most important properties to set on the HTTPInput node are:
/* means that the HTTPInput node will match against any request that is sent to the HTTP listener on a designated port. This is useful for testing purposes, but is not recommended for production systems.
You can now deploy the message flow to the broker. If all other steps have been followed up to this point, a BIP3132 message appears in the local system log (which is the event log on Windows) stating that the HTTPS listener has been started.
You can now test the system.
The simplest method of testing whether HTTPS is configured correctly is to use a Web browser to make a request to the broker over HTTPS.
https://localhost:7083/testHTTPS
Change any values in the URL to reflect changes that you have made in your broker configuration. When a window is displayed asking you to accept the certificate, select Yes. The browser refreshes the window and displays an empty HTML page. In Mozilla browsers the empty HTML page looks like the following example:
<html> <body/> </html>
and in Internet Explorer the following information is displayed:
XML document must have a top level element. Error processing resource 'https://localhost:7083/testHTTPS'
These responses mean that a blank page was returned, indicating that the setup worked correctly. To add content to the empty page, you can add a compute node to the flow.
You can use another HTTPS client to process HTTPS requests. Read the documentation for the client to find out how to configure it to make client connections over SSL.
You can also use another HTTPS client, such as a Java or .NET client, instead of the Web browser. Depending on the type of client, you might need to export the certificate (which was created with keytool) from the HTTP listener’s key store file and then import it into the client’s key store. Read the client documentation to find out how to configure the client to make client connections over SSL.
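The following Python client is an added example, not part of the product documentation. It repeats the browser test but trusts only the certificate exported from the listener's key store instead of accepting the certificate prompt, and it reports why a connection failed. It assumes the certificate was exported in PEM form; the file name broker-listener.pem and the function names are hypothetical.

```python
import http.client
import ssl
from urllib.parse import urlsplit


def classify_failure(exc):
    """Map a connection exception to a (verdict, detail) pair."""
    if isinstance(exc, ssl.SSLCertVerificationError):
        # Untrusted issuer, expired certificate, or host name mismatch.
        return ("cert-rejected", getattr(exc, "verify_message", str(exc)))
    if isinstance(exc, ssl.SSLError):
        # Handshake failed for another reason, e.g. no shared protocol version.
        return ("tls-error", str(exc))
    if isinstance(exc, ConnectionRefusedError):
        # Nothing is listening: look for the BIP3132 message in the system log.
        return ("listener-down", str(exc))
    return ("error", "%s: %s" % (type(exc).__name__, exc))


def check_https_listener(url, trusted_pem, timeout=5):
    """Send one GET to the HTTPS listener, trusting only trusted_pem."""
    # PROTOCOL_TLS_CLIENT enables CERT_REQUIRED and host name checking.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.load_verify_locations(cafile=trusted_pem)
    except (OSError, ssl.SSLError) as exc:
        return ("trust-store-error", str(exc))
    parts = urlsplit(url)
    conn = http.client.HTTPSConnection(
        parts.hostname, parts.port or 443, context=ctx, timeout=timeout)
    try:
        conn.request("GET", parts.path or "/")
        resp = conn.getresponse()
        body = resp.read()
        # An empty body is the expected reply from the HTTPInput -> HTTPReply flow.
        return ("ok", "HTTP %d, %d body bytes" % (resp.status, len(body)))
    except Exception as exc:
        return classify_failure(exc)
    finally:
        conn.close()


if __name__ == "__main__":
    # URL from the page; the PEM file name is a hypothetical placeholder.
    print(check_https_listener("https://localhost:7083/testHTTPS",
                               "broker-listener.pem"))
```

A "cert-rejected" verdict means the exported certificate does not match what the listener presents or does not cover the host name in the URL; a "listener-down" verdict means the HTTPS listener did not start.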