Accessing a secure WSRR repository
To access a secure WebSphere® Service Registry and Repository (WSRR) repository, set the configuration parameters by using the mqsichangeproperties command.
You must connect over HTTPS, not HTTP. The protocol is specified in the endpointAddress configuration parameter of the default WSRR profile, DefaultWSRR. The endpointAddress configuration parameter must specify the domain qualified host name and port of your WSRR server.
For more information about the endpointAddress configuration parameter, see Configuration parameters for the WebSphere Service Registry and Repository nodes.
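As an added example (not IBM code), the following shell function checks a candidate endpointAddress value against the requirements above (HTTPS, a domain qualified host name, and a port) before the value is given to mqsichangeproperties. The function name check_endpoint and the host wsrr.example.com are assumptions made for illustration.

```bash
#!/usr/bin/env bash
# Added example, not IBM code. check_endpoint is a hypothetical helper that
# vets a candidate endpointAddress value before mqsichangeproperties is run.
# Assumption: the host is a DNS name, not a bracketed IPv6 literal.
# Return status: 0 = no findings, 1 = do not use, 2 = warning only.
check_endpoint() {
    local url="$1" rest authority host port=

    case $url in
        https://*) rest=${url#https://} ;;
        http://*)  echo "FAIL: http scheme; a secure WSRR repository needs https"
                   return 1 ;;
        *)         echo "FAIL: not an http(s) URL"
                   return 1 ;;
    esac

    authority=${rest%%/*}              # host[:port], up to the first '/'
    host=${authority%%:*}
    if [ "$host" != "$authority" ]; then
        port=${authority##*:}
    fi

    if [ -z "$host" ]; then
        echo "FAIL: no host name"
        return 1
    fi
    case $port in
        ''|*[!0-9]*) echo "FAIL: port missing or not numeric"
                     return 1 ;;
    esac
    if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
        echo "FAIL: port out of range 1-65535"
        return 1
    fi

    # A single-label host such as localhost is not domain qualified.
    case $host in
        *.*) echo "OK: $host:$port over https" ;;
        *)   echo "WARN: host '$host' is not domain qualified"
             return 2 ;;
    esac
}

# Constructed sample values; wsrr.example.com is a placeholder host.
for u in "https://wsrr.example.com:9443/WSRR6_1/services/WSRRCoreSDOPort" \
         "https://localhost:9443/WSRR6_1/services/WSRRCoreSDOPort" \
         "http://wsrr.example.com:9443/WSRR6_1/services/WSRRCoreSDOPort"; do
    check_endpoint "$u" || true
done
```

The second sample value draws the warning because localhost is not a domain qualified host name.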
To access a secure WebSphere Service Registry and Repository, enter the following sequence of commands:
- Ensure that the broker is running. If it is not, use the mqsistart command to start it.
- Use the ServiceRegistries configurable service to configure the broker to use HTTPS to communicate with the WSRR server. You can view the current configuration parameters for the ServiceRegistries configurable service by using the following command:
      mqsireportproperties MB8BROKER -c ServiceRegistries -o DefaultWSRR -r
  where:
  -c specifies the configurable service (in this case, ServiceRegistries)
  -o specifies the name of the object (in this case, DefaultWSRR)
  -r specifies that all property values of the object are displayed, including the child values, if appropriate.
  To change the endpointAddress configuration parameter to specify HTTPS and the secure port for the DefaultWSRR of the ServiceRegistries configurable service, use the following command. The endpointAddress applies to the version of WSRR (for more information, see Configuration parameters for the WebSphere Service Registry and Repository nodes).
      mqsichangeproperties MB8BROKER -c ServiceRegistries -o DefaultWSRR -n endpointAddress -v https://localhost:9443/WSRR6_1/services/WSRRCoreSDOPort
  where:
  -c specifies the configurable service (in this case, ServiceRegistries)
  -o specifies the name of the object (in this case, DefaultWSRR)
  -n specifies the names of the properties to be changed (in this case, endpointAddress)
  -v specifies the values of properties defined by the -n parameter (in this case, https://localhost:9443/WSRR6_1/services/WSRRCoreSDOPort)
  Note: If the connection fails and reports the following message:
      BIP3680S: The following error was returned by WSRR: 'GSR0166E: An error occurred while trying to invoke the Web service
  ensure that you are using the correct domain qualified host name in the endpointAddress in the DefaultWSRR configurable service.
  For information about the specific levels of WSRR that are supported with WebSphere Message Broker, see WebSphere Message Broker Requirements.
- Configure the broker keystore to contain your WSRR server certificate keys; for a discussion of digital certificates, see Digital certificates. Obtain these certificate keys from the installation of the WebSphere Application Server that hosts your WSRR server. The broker uses a single keystore; therefore, if your broker also implements WS-Security, HTTPS, or SSL-secured WebSphere MQ, you might need to merge the provided keys into an existing keystore file. The broker keystore is configured by using the mqsichangeproperties command to change configuration parameters for the broker. Display the current configuration parameters of the broker by using the following command:
      mqsireportproperties MB8BROKER -o BrokerRegistry -r
  where:
  -o specifies the name of the object (in this case, BrokerRegistry)
  -r specifies that all property values of the object are displayed, including the child values, if appropriate.
  To change the brokerKeystoreFile configuration parameter for the broker, use the following command:
      mqsichangeproperties MB8BROKER -o BrokerRegistry -n brokerKeystoreFile -v C:\WSRR\SSL\ClientKeyFile.jks
  where:
  -o specifies the name of the object (in this case, BrokerRegistry)
  -n specifies the names of the properties to be changed (in this case, brokerKeystoreFile)
  -v specifies the values of properties defined by the -n parameter (in this case, C:\WSRR\SSL\ClientKeyFile.jks)
- Configure the broker truststore to contain signer certificates for your WSRR server. As described previously for the keystore, the broker uses a single truststore; therefore, certificates might need to be merged into an existing truststore file. The broker truststore is configured by using the mqsichangeproperties command. To change the brokerTruststoreFile configuration parameter for the broker, use the following command:
      mqsichangeproperties MB8BROKER -o BrokerRegistry -n brokerTruststoreFile -v C:\WSRR\SSL\ClientTrustFile.jks
  where:
  -o specifies the name of the object (in this case, BrokerRegistry)
  -n specifies the names of the properties to be changed (in this case, brokerTruststoreFile)
  -v specifies the values of properties defined by the -n parameter (in this case, C:\WSRR\SSL\ClientTrustFile.jks)
- Stop the broker by using the mqsistop command. You must stop the broker to complete the following step.
- Set the WebSphere Application Server user name and password by using the following command:
      mqsisetdbparms MB8BROKER -n DefaultWSRR::WSRR -u wasuser -p waspass
  where:
  -n specifies the name of the data source (in this case, DefaultWSRR::WSRR)
  -u specifies the user ID to be associated with this data source (in this case, wasuser)
  -p specifies the password to be associated with this data source (in this case, waspass)
- Set the brokerKeystore user name and password by using the following command:
      mqsisetdbparms MB8BROKER -n brokerKeystore::password -u dummy -p WebAS
  where:
  -n specifies the name of the data source (in this case, brokerKeystore::password)
  -u specifies the user ID to be associated with this data source (in this case, dummy)
  -p specifies the password to be associated with this data source (in this case, WebAS)
- Set the brokerTruststore user name and password by using the following command:
      mqsisetdbparms MB8BROKER -n brokerTruststore::password -u dummy -p WebAS
  where:
  -n specifies the name of the data source (in this case, brokerTruststore::password)
  -u specifies the user ID to be associated with this data source (in this case, dummy)
  -p specifies the password to be associated with this data source (in this case, WebAS)
- To use cache notification with your secure WSRR server, follow the instructions in Setting up cache notification.
- Restart the broker by using the mqsistart command.