Using secure socket layer (SSL) support

This topic describes how to use secure socket layer (SSL) support with the IMS resource adapter and IMS Connect.

The following table provides a high-level description of how IMS Connector for Java and IMS Connect SSL support is set up and configured. Each step is marked with the side it belongs to: SSL Client (IMS Connector for Java) or SSL Server (IMS Connect). Follow the steps in the order outlined below:
  1. [SSL Server] Decide if client authentication is required. If client authentication is not required, skip to Step 5.
  2. [SSL Client] If client authentication is required, obtain signed certificates and a private key.
  3. [SSL Client] If client authentication is required, create a keystore and insert the client's private key and certificate. For more detail, see the description below.
  4. [SSL Server] If client authentication is required, insert the client's public key certificate into the keyring used by IMS Connect. See IMS Connect User's Guide (SC27-0946) for more information.
  5. [SSL Client] Create a truststore (another keystore) and insert the server's public key certificate.
  6. [SSL Server] Decide which IMS Connect SSL port to use. Set up the IMS Connect and SSL configuration members with the appropriate values. For more information about setting up the configuration member, see IMS Connect User's Guide (SC27-0946).
  7. [SSL Client] Obtain the IMS Connect SSL port number.
  8. [SSL Client] Set up the connection factory with the appropriate SSL parameters. For more detail, see the description below.
  9. [SSL Client] Bind the application to the SSL connection factory.

Creating the keystore or truststore for the client

For the client and server to authenticate one another, you must provide a JKS keystore or SAF keyring with valid X.509 certificates at both the client and server end. IMS Connector for Java and IMS Connect can use either a JKS keystore or a SAF keyring as their keystores. If client authentication by the server is not required, it is not necessary to create the client certificate and add it to the server's keyring or keystore. There are several tools available for managing the keystore. To provide a JKS keystore at both the client and server end, you must perform the following steps:
  • To set up the client, create a certificate and have it signed by a Certificate Authority (for example, VeriSign), or create your own CA using software such as OpenSSL to sign your own certificate.
  • To create a keystore, use a key management tool such as Ikeyman or Keytool. After the keystore is created, import the client certificate (if one is available) into the keystore.
  • To create a truststore, create another keystore and import the server certificate. Note: If you want to create only one keystore, import the server certificate into the same keystore as the client certificate.

SSL configuration

The SSL properties are used to create a secure SSL connection between a Java client application and IMS Connect. See Connection properties for a description of the values that have to be provided to IMS Connector for Java.

There are two ways to set up SSL properties:

  1. You can use the tooling in Rational Application Developer (development environment) to provide values for the connection properties used in a non-managed application. You can also use the wizards in Rational Application Developer to provide values for the connection properties for new connection factories that Rational Application Developer creates in a test environment server or in a standalone server instance of WebSphere Application Server. Rational Application Developer maps or binds the connection factory resource reference in the Java™ client application, which is installed on WebSphere® Application Server, to the SSL-configured connection factory by providing the JNDI name of the connection factory. The following figure displays the IMS™ connection properties interface:

    Screen capture of IMS connection properties interface

  2. You can use the Custom Properties page of a connection factory in WebSphere Application Server. If you have separate processes for development and deployment, and you configure your connection factories during deployment, you would use this approach.

    The connection factory created by the client is used during the runtime environment to set up a secure socket connection. The following figure displays custom properties that pertain to SSL:
    Screen capture of the connection factory property sheet

Note: Informational messages and warnings can be found in the trace.log file generated by the server.

At runtime, when the Java client application executes an interaction with IMS, the interaction flows on a secure (SSL) connection to IMS Connect. The following steps are transparent to the Java client application. The IMS resource adapter interacts with IMS Connect using the SSL protocol as follows:
  • IMS Connector for Java initiates a connection by sending a client hello. The server replies with a server hello and its certificate.
  • If the server does not require client authentication, the client authenticates the server's certificate using the server's public key from its truststore. If authentication is successful, the SSL handshake is completed. A session key has been established at both ends.
  • If the server does require client authentication, the client authenticates the server's certificate using the server's public key from its truststore. If this authentication is successful, a client certificate is sent from the client's keystore. If this certificate is authenticated successfully by the server, the SSL handshake is completed. A session key has been established at both ends.
  • The client and server are then ready to send and receive encrypted data.
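The following added example (not IBM's code, and not the IMS resource adapter's own implementation) shows with plain JSSE what the keystore and truststore built above are used for during the handshake just described: the truststore authenticates the server certificate, and the keystore supplies the client certificate only if IMS Connect requests client authentication. The paths, host name, port and the "changeit" password are hypothetical placeholders, and the keystore and private key are assumed to share one password.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSession;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.TrustManagerFactory;

public class ImsSslProbe {
    // Hypothetical paths, host and port: replace with the keystore and truststore built
    // with keytool or Ikeyman and the SSL port taken from the IMS Connect configuration.
    static final String KEYSTORE = "/etc/ims/client.jks";  // client private key + certificate
    static final String TRUSTSTORE = "/etc/ims/trust.jks"; // IMS Connect server certificate
    static final String HOST = "imsconnect.example.com";
    static final int PORT = 9999;

    static KeyStore load(String path, char[] pw) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, pw);
        }
        return ks;
    }

    public static void main(String[] args) throws Exception {
        char[] pw = (args.length > 0 ? args[0] : "changeit").toCharArray();
        // Keystore -> KeyManager: the client certificate is sent only if the server requests it.
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(load(KEYSTORE, pw), pw);
        // Truststore -> TrustManager: authenticates the certificate the server sends in its hello.
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(load(TRUSTSTORE, pw));
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);

        try (SSLSocket sock = (SSLSocket) ctx.getSocketFactory().createSocket(HOST, PORT)) {
            sock.startHandshake(); // client hello, server hello + certificate, optional client certificate
            SSLSession s = sock.getSession();
            System.out.println("Negotiated: " + s.getProtocol() + " " + s.getCipherSuite());
            System.out.println("Server certificate: " + s.getPeerPrincipal());
            // getLocalCertificates() is null when the server did not request client authentication
            Certificate[] sent = s.getLocalCertificates();
            System.out.println(sent == null ? "No client certificate was requested"
                    : "Client certificate sent: " + s.getLocalPrincipal());
        }
    }
}
```

If the server certificate is not in the truststore, or the server requires a client certificate that it cannot validate against its keyring, startHandshake() throws an SSLHandshakeException, which is the same failure the adapter reports in trace.log.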
(C) Copyright IBM Corporation 2000, 2005. All Rights Reserved.