This topic describes how to use secure socket layer (SSL) support
with the IMS resource adapter and IMS Connect.
The following table provides a high-level description of how IMS Connector for Java and IMS Connect SSL support is set up and configured. Follow the steps in the order outlined below:

| SSL Client (IMS Connector for Java) | SSL Server (IMS Connect) |
|---|---|
| 1. Decide if client authentication is required. If client authentication is not required, skip to Step 5. | |
| 2. If client authentication is required, obtain signed certificates and a private key. | |
| 3. If client authentication is required, create a keystore and insert the client's private key and certificate. For more detail, see the description below. | |
| | 4. If client authentication is required, insert the client's public key certificate into the keyring used by IMS Connect. See IMS Connect User's Guide (SC27-0946) for more information. |
| 5. Create a truststore (another keystore) and insert the server's public key certificate. | |
| | 6. Decide which IMS Connect SSL port to use. Set up the IMS Connect and SSL configuration members with the appropriate values. For more information about setting up the configuration member, see IMS Connect User's Guide (SC27-0946). |
| | 7. Obtain the IMS Connect SSL port number. |
| 8. Set up the connection factory with the appropriate SSL parameters. For more detail, see the description below. | |
| 9. Bind the application to the SSL connection factory. | |
Creating the keystore or truststore for the client
For the client and server to authenticate one another, you must provide a JKS keystore or SAF keyring with valid X.509 certificates at both the client and server end. IMS Connector for Java and IMS Connect can use either a JKS keystore or a SAF keyring as their keystores. If client authentication by the server is not required, it is not necessary to create the client certificate and add it to the server's keyring or keystore. There are several tools available for managing the keystore. To provide a JKS keystore at both the client and server end, you must perform the following steps:
- To set up the client, create a certificate and have it signed by a Certificate Authority (for example, VeriSign), or create your own CA using software such as OpenSSL to sign your own certificate.
- To create a keystore, use a key management tool such as Ikeyman or Keytool. After the keystore is created, import the client certificate (if one is available) into the keystore.
- To create a truststore, create another keystore and import the server certificate. Note: If you want to create only one keystore, import the server certificate into the same keystore as the client certificate.
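The steps above are normally carried out with Ikeyman or Keytool. The following added example (not code from the IMS Connector for Java documentation or product) does the same two things with the standard `java.security` API: it builds a truststore that holds only the IMS Connect server certificate (step 5), and a keystore that holds the client's private key and CA-signed chain (step 3). The file names `imsconnect.cer`, `client.p12`, `truststore.jks` and `client.jks`, the aliases and the password are assumptions; the example assumes the CA delivered the client key and certificate as a PKCS#12 file.

```java
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.InputStream;
import java.io.OutputStream;
import java.security.Key;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Collections;

// Added example; file names, aliases and passwords are assumptions, not product defaults.
public class ImsSslStores {

    /** Step 5: a truststore containing only the IMS Connect server certificate. */
    public static void createTruststore(String serverCertFile, String truststoreFile,
                                        char[] storePassword) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        X509Certificate serverCert;
        try (InputStream in = new FileInputStream(serverCertFile)) {
            serverCert = (X509Certificate) cf.generateCertificate(in);
        }
        // Fail now on an expired or not-yet-valid server certificate rather than at handshake time.
        serverCert.checkValidity();

        KeyStore truststore = KeyStore.getInstance("JKS");
        truststore.load(null, null);                 // start from an empty store
        // A trusted-certificate entry carries no private key: this store only says whom to trust.
        truststore.setCertificateEntry("imsconnect", serverCert);
        try (OutputStream out = new FileOutputStream(truststoreFile)) {
            truststore.store(out, storePassword);
        }
    }

    /** Step 3: a keystore holding the client's private key and its certificate chain.
     *  Only needed when IMS Connect requires client authentication. */
    public static void createClientKeystore(String pkcs12File, char[] pkcs12Password,
                                            String keystoreFile, char[] storePassword) throws Exception {
        KeyStore p12 = KeyStore.getInstance("PKCS12");
        try (InputStream in = new FileInputStream(pkcs12File)) {
            p12.load(in, pkcs12Password);
        }
        KeyStore keystore = KeyStore.getInstance("JKS");
        keystore.load(null, null);
        // Copy each private-key entry together with its chain; a key without its
        // certificate chain cannot be presented to the server during the handshake.
        for (String alias : Collections.list(p12.aliases())) {
            if (!p12.isKeyEntry(alias)) {
                continue;
            }
            Key key = p12.getKey(alias, pkcs12Password);
            Certificate[] chain = p12.getCertificateChain(alias);
            keystore.setKeyEntry("client", key, storePassword, chain);
        }
        try (OutputStream out = new FileOutputStream(keystoreFile)) {
            keystore.store(out, storePassword);
        }
    }

    public static void main(String[] args) throws Exception {
        char[] password = "changeit".toCharArray();   // assumed password for illustration
        createTruststore("imsconnect.cer", "truststore.jks", password);
        createClientKeystore("client.p12", password, "client.jks", password);
    }
}
```

Keeping the truststore and keystore separate, as the table does, means the file that is distributed to every client (the truststore) never contains a private key; if you follow the note above and use a single keystore, protect it as you would the private key.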
SSL configuration
The SSL properties are used to create a secure SSL connection between a Java client application and IMS Connect. See Connection properties for a description of the values that have to be provided to IMS Connector for Java.
There are two ways to set up SSL properties:
Note: Informational messages and warnings can be found in the trace.log file generated by the server.
At runtime, when the Java client application executes an interaction with IMS, the interaction flows on a secure (SSL) connection to IMS Connect. The following steps are transparent to the Java client application. The IMS resource adapter interacts with IMS Connect using the SSL protocol as follows:
- IMS Connector for Java initiates a connection by sending a client hello.
The server replies with a server hello and its certificate.
- If the server does not require client authentication, the client authenticates
the server's certificate using the server's public key from its truststore.
If authentication is successful, the SSL handshake is completed. A session
key has been established at both ends.
- If the server does require client authentication, the client authenticates
the server's certificate using the server's public key from its truststore.
If this authentication is successful, a client certificate is sent from the
client's keystore. If this certificate is authenticated successfully by the
server, the SSL handshake is completed. A session key has been established
at both ends.
- The client and server are then ready to send and receive encrypted data.
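The connection factory performs this handshake for the application. The following added example (not part of the IMS Connector for Java documentation or product) shows the same exchange with plain JSSE so the steps above can be observed: trust managers come from the truststore, key managers from the client keystore (omitted when the server does not require client authentication), and after `startHandshake()` the session reports the negotiated protocol, the server certificate that was verified against the truststore, and whether a client certificate was sent. The host name `imsconnect.example.com`, the port `9443`, the file names and the password are assumptions; the host name check is an added safeguard that assumes the server certificate names the IMS Connect host.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSession;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.TrustManagerFactory;

// Added example; host, port, file names and password are assumptions.
public class ImsSslHandshake {

    private static KeyStore loadJks(String file, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(file)) {
            ks.load(in, password);
        }
        return ks;
    }

    /** Builds an SSLContext. keystoreFile may be null when IMS Connect does not
     *  require client authentication; the truststore is always required. */
    public static SSLContext buildContext(String keystoreFile, char[] keyPassword,
                                          String truststoreFile, char[] trustPassword) throws Exception {
        KeyManagerFactory kmf = null;
        if (keystoreFile != null) {
            kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
            kmf.init(loadJks(keystoreFile, keyPassword), keyPassword);
        }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        // Trust only the certificates in our truststore, not the JVM-wide default set.
        tmf.init(loadJks(truststoreFile, trustPassword));

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf == null ? null : kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void connect(SSLContext ctx, String host, int sslPort) throws Exception {
        try (SSLSocket socket = (SSLSocket) ctx.getSocketFactory().createSocket(host, sslPort)) {
            // Added check: verify that the server certificate names the host we dialled.
            // Raw SSLSocket does not do this by default.
            SSLParameters params = socket.getSSLParameters();
            params.setEndpointIdentificationAlgorithm("HTTPS");
            socket.setSSLParameters(params);

            // Client hello -> server hello + server certificate -> (optional) client
            // certificate -> session key established. Throws SSLHandshakeException if
            // the server certificate is not trusted or a required client certificate is missing.
            socket.startHandshake();

            SSLSession session = socket.getSession();
            X509Certificate serverCert = (X509Certificate) session.getPeerCertificates()[0];
            System.out.println("Protocol: " + session.getProtocol()
                    + ", cipher suite: " + session.getCipherSuite());
            System.out.println("Server certificate subject: " + serverCert.getSubjectX500Principal());
            // Non-null only when the server asked for and the client supplied a certificate.
            System.out.println("Client certificate sent: " + (session.getLocalCertificates() != null));
        }
    }

    public static void main(String[] args) throws Exception {
        char[] password = "changeit".toCharArray();   // assumed password
        // Pass null as the keystore when the server does not require client authentication.
        SSLContext ctx = buildContext("client.jks", password, "truststore.jks", password);
        connect(ctx, "imsconnect.example.com", 9443);
    }
}
```

Two failure modes map directly to the steps above: a server certificate absent from the truststore fails in step 2 or 3 with a handshake exception on the client side, while a server that requires client authentication but receives no certificate (keystore omitted or lacking a key entry) fails on the server side and the client sees the connection closed during or just after the handshake. The trace.log mentioned in the SSL configuration section is where IMS Connector for Java records the corresponding messages.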