Using secure socket layer (SSL) support

The following list provides a high-level description of how IMS Connector for Java and IMS Connect SSL support is set up and configured. Each step is labelled with the side it applies to: the SSL client (IMS Connector for Java) or the SSL server (IMS Connect). Follow the steps in the order outlined below:
  1. SSL Server (IMS Connect): Decide if client authentication is required.
     Note: It is strongly recommended that you do use client authentication to protect against unauthorized access to your IMS Connect.
     If client authentication is not required, skip to Step 5.
  2. SSL Client (IMS Connector for Java): If client authentication is required, obtain signed certificates and a private key.
  3. SSL Client (IMS Connector for Java): If client authentication is required, create a keystore and insert the client's private key and certificate. For more detail, see the description below.
  4. SSL Server (IMS Connect): If client authentication is required, insert the client's public key certificate into the keyring. See IMS Connect User's Guide (SC27-0946-03) for more information.
  5. SSL Client (IMS Connector for Java): Create a truststore (another, optional keystore) and insert the server's public key certificate. Alternatively, insert the server's public key certificate into the client's keystore if trusted and non-trusted certificates are stored in the same keystore.
  6. SSL Server (IMS Connect): Decide which IMS Connect SSL port to use. Set up the IMS Connect and SSL configuration members with the appropriate values. For more information about setting up these configuration members, see IMS Connect User's Guide (SC27-0946).
  7. SSL Client (IMS Connector for Java): Set up the connection factory with the appropriate SSL parameters, including the port number from step 6. For more detail, see the description below.
  8. SSL Client (IMS Connector for Java): Bind the application to the SSL connection factory.

Creating the keystore or truststore for the client

For the client and server to authenticate one another, you must provide a JKS keystore or RACF keyring with valid X.509 certificates at both the client and server ends. If client authentication by the server is not required, it is not necessary to create the client certificate and add it to the server's keyring. There are several tools available for managing the keystore. To provide a JKS keystore at both the client and server ends, you must perform the following steps:
  • To set up the client, IMS Connector for Java, create a certificate and have it signed by a Certificate Authority (for example, VeriSign), or create your own Certificate Authority (CA) using software such as OpenSSL to sign your own (self-signed) certificate.
  • To create a keystore, use a key management tool such as Ikeyman or Keytool. After the keystore is created, import the client certificate (if one is available) into the keystore.
  • To create a truststore, create another keystore and import the server's (IMS Connect's) certificate. Note: If you want to create only one keystore, import the server's certificate into the same keystore used to store the client's certificates.
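The bullets above carried out with keytool, as an added example that is not from the original page: it builds the client keystore, exports the client certificate for the server keyring, and creates the truststore. Aliases, file names, the password and the stand-in server certificate are constructed placeholders; in practice the IMS Connect certificate is supplied by the keyring owner.

```shell
#!/bin/sh
# Added example, not from the IBM page: client-side keystore and truststore
# steps (2, 3 and 5 above) done with keytool. Aliases, file names and the
# password are placeholders; make_stub_server_cert only stands in for the
# IMS Connect certificate so the flow can be tried locally.
set -e

KEYSTORE=client.jks          # client's private key + certificate (step 3)
TRUSTSTORE=truststore.jks    # server's public certificate (step 5)
STOREPASS=changeit           # placeholder; keep the real password out of scripts

# Step 2/3: generate the client key pair with a self-signed certificate. A
# CA-signed reply would be imported against the same alias with -importcert.
create_client_keystore() {
    keytool -genkeypair -keystore "$KEYSTORE" -storetype JKS \
        -storepass "$STOREPASS" -keypass "$STOREPASS" -alias imsclient \
        -keyalg RSA -keysize 2048 -validity 365 -dname "CN=imsclient,O=Example"
}

# Client half of step 4: export the client's public certificate (PEM) so the
# IMS Connect administrator can add it to the RACF keyring.
export_client_cert() {
    keytool -exportcert -keystore "$KEYSTORE" -storepass "$STOREPASS" \
        -alias imsclient -rfc -file imsclient.pem
}

# Step 5: build the truststore by importing the server certificate in $1.
create_truststore() {
    keytool -importcert -keystore "$TRUSTSTORE" -storetype JKS \
        -storepass "$STOREPASS" -alias imsconnect -file "$1" -noprompt
}

# Pre-flight check before binding the connection factory (step 8): $1 store,
# $2 alias, $3 expected entry type (PrivateKeyEntry or trustedCertEntry).
has_entry() {
    keytool -list -keystore "$1" -storepass "$STOREPASS" -alias "$2" | grep -q "$3"
}

# Constructed stand-in for the IMS Connect certificate (local trial only).
make_stub_server_cert() {
    keytool -genkeypair -keystore stubserver.jks -storetype JKS \
        -storepass "$STOREPASS" -keypass "$STOREPASS" -alias imsconnect \
        -keyalg RSA -keysize 2048 -validity 30 -dname "CN=imsconnect,O=Example"
    keytool -exportcert -keystore stubserver.jks -storepass "$STOREPASS" \
        -alias imsconnect -rfc -file imsconnect.pem
}
```

Run has_entry against both stores before step 8; a keystore whose client entry is only a trustedCertEntry has no private key and cannot answer a client-authentication request.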

SSL configuration

A secure SSL connection between a Java client application and IMS Connect is created by ensuring that the connection factory used by the Java client application has the appropriate values for its SSL properties. See Connection properties for a description of the SSL property values.

There are two ways to set up SSL properties:

  1. If you are running your Java client application in the Unit Test Environment of WebSphere Studio Application Developer Integration Edition, you use the tooling in WebSphere® Studio Application Developer Integration Edition. That tooling maps or binds the connection factory resource reference in the Java™ client application, which is installed on WebSphere Application Server, to the SSL-configured connection factory by providing the JNDI name of the connection factory.
  2. If you are running your Java application in WebSphere Application Server, you can configure a connection factory so that it creates SSL connections by setting appropriate values for the SSL-related properties in the Custom Properties of a J2C Connection Factory in WebSphere Application Server. To set a connection factory's Custom Properties, navigate to Resources -> Resource Adapters -> myIMSResourceAdapter -> J2C Connection Factories -> myJ2CConnectionFactory -> Custom Properties in the WebSphere Application Server administrative console.

    [Figure: screen capture of a J2C Connection Factory Custom Properties property sheet]

Note: Informational messages and warnings can be found in the trace.log file generated by WebSphere Application Server.

At runtime, when the Java client application executes an interaction with IMS™, the interaction flows on a secure (SSL) connection from IMS Connector for Java to IMS Connect. The following steps are transparent to the Java client application. The IMS resource adapter interacts with IMS Connect using the SSL protocol as follows:
  • The SSL client, IMS Connector for Java, initiates a connection by sending a client hello. The server, IMS Connect, replies with a server hello and its certificate containing its public key.
  • If the server does not require client authentication, the client authenticates the server's certificate using the server's public key from its certificate. If authentication is successful, the SSL handshake is completed. A session key has been established at both ends.
  • If the server does require client authentication, the client authenticates the server's certificate using the server's public key from its certificate. If this authentication is successful, a client certificate is sent from the client's keystore. If this certificate is authenticated successfully by the server, the SSL handshake is completed. A session key has been established at both ends.
  • The client and server are then ready to send and receive encrypted data.
It is important to note that, when running applications in a managed environment (as is strongly recommended when using SSL connections), IMS Connector for Java uses only persistent socket connections to communicate with IMS Connect. When the WebSphere Application Server Connection Manager is used, connections can be serially reused by other client applications. The connection manager creates connections if necessary and provides them to the applications as needed. When an application is finished using a connection, the connection manager returns that connection to the free pool, making it available for reuse by any other application requiring that type of connection.

However, client and server authentication occurs only once for each socket, during the handshake that takes place when that socket is first created and initialized as an SSL socket. When a socket is reused, the SSL client (IMS Connector for Java) and the server (IMS Connect) do not change. Consequently, there is no reason to re-authenticate the client and server (go through the handshake process again) when a socket is reused. This is consistent with the fact that the clientID that identifies a socket remains the same each time that socket is reused.
Related concepts
IMS resource adapter security
Component-managed EIS sign-on
Container-managed EIS sign-on
Overview of secure socket layer (SSL)
Related tasks
Configuring component-managed EIS sign-on
Configuring container-managed EIS sign-on
(C) Copyright IBM Corporation 2000, 2005. All Rights Reserved.