WebSphere Message Broker, Version 8.0.0.7 Operating Systems: AIX, HP-Itanium, Linux, Solaris, Windows, z/OS

Configuring SOAPInput and SOAPReply nodes to use SSL (HTTPS)

Configure the SOAP nodes to communicate with other applications that use HTTPS by creating a keystore file, and configuring the broker to use SSL.

Before you start: Set up a public key infrastructure (PKI) at broker or execution group level: Setting up a public key infrastructure.

Follow these steps to configure the SOAPInput and SOAPReply nodes to communicate with other applications using HTTP over SSL:

  1. If you are using the broker listener: Configure the broker to use SSL
  2. If you are using the execution group (embedded) listener: Configure an execution group to use SSL
  3. Test your configuration

If you configured your broker and execution groups such that the broker listener is used for some execution groups, and the execution group listener for other execution groups, you must complete step 1 for the first set of execution groups and step 2 for each execution group in the second set.

For information about which listener to use for HTTP messages, see HTTP listeners.

Configuring the broker to use SSL

Complete the following steps:

  1. Turn on SSL support in the broker by setting enableSSLConnector:
    mqsichangeproperties broker_name
      -b httplistener -o HTTPListener
      -n enableSSLConnector -v true
  2. Optional: If you do not want to use the default port 7083 for HTTPS messages, specify the port on which the broker listens:
    mqsichangeproperties broker_name
      -b httplistener -o HTTPSConnector
      -n port -v port_number

    On UNIX systems, only processes that run under a privileged user account (in most cases, root) can bind to ports lower than 1024. For the broker to listen on such a port, the user ID under which the broker is started must be root. Prefer a port number of 1024 or higher so that the broker does not have to run as root.
  3. Optional: Enable Client Authentication (mutual authentication), so that the listener requires each client to present a certificate that the broker's truststore trusts:
    mqsichangeproperties broker_name -b httplistener -o HTTPSConnector
      -n clientAuth -v true
  4. Restart the broker after changing one or more of the HTTP listener properties.
  5. Optional: Use the following commands to display HTTP listener properties:
    mqsireportproperties broker_name -b httplistener -o AllReportableEntityNames -a 
    mqsireportproperties broker_name -b httplistener -o HTTPListener -a 
    mqsireportproperties broker_name -b httplistener -o HTTPSConnector  -a 

Configuring an execution group to use SSL

Complete the following steps:

  1. Optional: Specify the port on which the execution group listens for HTTPS requests. If you leave the value unset, the first available port in the default range (7843 - 7884) is used.
    mqsichangeproperties broker_name
      -e execution_group_name -o HTTPSConnector
      -n explicitlySetPortNumber -v port_number
    On UNIX systems, only processes that run under a privileged user account (in most cases, root) can bind to ports lower than 1024, so the broker would have to be started as root for the execution group to listen on such a port. Prefer a port number of 1024 or higher.

  2. Optional: Enable Client Authentication (mutual authentication):
    mqsichangeproperties broker_name
      -e execution_group_name -o HTTPSConnector
      -n clientAuth -v true 
  3. Optional: Change the SSL protocol. The default protocol for the execution group HTTPS listener is TLS. Keep that default unless a client can negotiate only SSL: SSL 3.0 is deprecated (RFC 7568) and should not be used where TLS is available. To change the protocol to SSL, run the following command:
    mqsichangeproperties broker_name
      -e execution_group_name -o HTTPSConnector
      -n sslProtocol -v SSL
  4. Restart the broker after changing one or more of the listener properties.
  5. Optional: Use the following command to display HTTPS properties:
    mqsireportproperties broker_name 
      -e execution_group_name -o HTTPSConnector  -r 

Testing your configuration

Use the SOAP Nodes sample to test your configuration. You can view information about samples only when you use the information center that is integrated with the WebSphere® Message Broker Toolkit or the online information center. You can run samples only when you use the information center that is integrated with the WebSphere Message Broker Toolkit.
  1. Import the SOAP Nodes sample.
  2. Enable SSL in the SOAPNodesSampleConsumerFlow message flow by completing the following steps:
    1. Open the Invoke_submitPO subflow.
    2. Change the HTTPTransport properties for the SOAPRequest node. In the Web Service URL field, make the following changes:
      • Change http to https
      • Change the port number to the port number of your HTTPSConnector port.
      Note: The default value of the HTTPSConnector port is 7843, but you can use the following command to verify the port number that is configured in your deployment:
      mqsireportproperties broker_name -e execution_group_name -o HTTPSConnector -n port
      If no HTTPS service is yet deployed to the execution group, the command reports a port value of 0. In that case the first available port in the default range, 7843, is used when you deploy, so you can use that value for your HTTPSConnector port.
    3. If you set up your public key infrastructure by following the instructions that are detailed in Setting up a public key infrastructure, all other properties should be correct. Otherwise, you must select the appropriate protocol and change other SSL properties to match your configuration.
  3. Enable SSL in the SOAPNodesSampleProvider message flow by opening the properties for the SOAPInput node and selecting Use HTTPS in the HTTP Transport properties panel.
  4. If OrderService_SOAPNodesSampleProviderFlow and submitPO_OrderService_SOAPNodesSampleConsumerFlow are not already subflows, you must convert them to subflows. For more information about converting between message flows and subflows, see Converting between message flows and subflows.
  5. Refresh the BAR file and deploy.
  6. Test the sample. For example, you can test the sample by completing the following steps:
    1. From a web browser, enter the following URL:
      https://localhost:port_number/acmeOrders/WADDR/ProcessOrders
      where port_number is the port number of your HTTPSConnector port.
    2. If the browser prompts you to accept the certificate, click Yes. The prompt appears only when the browser does not trust the certificate that the listener presents.

    If you are using a self-signed certificate in your PKI, the sample is working correctly if the browser displays the message There is a problem with this web site's security certificate. That warning shows that the HTTPS listener is up, but also that the browser does not trust the certificate; real clients must hold the self-signed certificate (or its issuing CA) in their truststore rather than accept the warning.

    If you are using a certificate from a certificate authority in your PKI, the sample is working correctly if the browser displays a lock symbol next to the URL.
    Note: This test checks the HTTPS connection, not the response from the sample, so you can ignore error messages that the sample itself returns.
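A browser test shows only that a connection is established. The following script is an added example, not part of the IBM topic, that checks the same listener from the command line with `openssl s_client` and reads back three things the configuration steps above control: the negotiated protocol (TLS by default, SSLv3 if sslProtocol was changed to SSL), whether the listener demanded a client certificate (clientAuth=true) and whether this client trusted the server certificate (the self-signed case that produces the browser warning versus a CA-signed certificate). It assumes the OpenSSL command-line tool is installed; the host, port and CA file are arguments you supply, and the two s_client excerpts embedded in it are constructed so the parsing can be exercised offline, not output captured from a real broker.

```shell
#!/bin/sh
# Added example (not IBM's code): probe a WebSphere Message Broker HTTPS listener
# with `openssl s_client` and summarise protocol, clientAuth and certificate trust.
# Assumes the OpenSSL CLI is installed. Usage: check_listener.sh host port [ca.pem]

# Negotiated protocol version, e.g. "TLSv1.2". "SSLv3" would show that the
# listener's sslProtocol property was changed from the default TLS to SSL.
negotiated_protocol() {
    printf '%s\n' "$1" | sed -n 's/^ *Protocol *: *//p' | head -n 1
}

# "yes" when the server requested a client certificate (s_client prints the CA
# names it will accept, which is what clientAuth=true produces), "no" otherwise.
client_cert_requested() {
    case "$1" in
        *"Acceptable client certificate CA names"*) echo yes ;;
        *"No client certificate CA names sent"*)   echo no ;;
        *)                                         echo unknown ;;
    esac
}

# Numeric "Verify return code": 0 means this client trusts the chain, 18 means a
# self-signed certificate (the same condition behind the browser warning).
verify_code() {
    printf '%s\n' "$1" | sed -n 's/^ *Verify return code: *\([0-9]*\).*/\1/p' | head -n 1
}

# One-line verdict built from the three checks above.
summarize() {
    proto=$(negotiated_protocol "$1")
    mutual=$(client_cert_requested "$1")
    code=$(verify_code "$1")
    case "$code" in
        0)  trust=trusted ;;
        18) trust=self-signed ;;
        '') trust=unknown ;;
        *)  trust="verify-error-$code" ;;
    esac
    echo "protocol=$proto clientAuth=$mutual trust=$trust"
}

# Connect to a live listener. $1 host, $2 port, $3 optional PEM file holding the
# signer of the broker certificate (or the self-signed certificate itself).
# s_client exits non-zero on a failed handshake; the output is still summarised.
probe_listener() {
    if [ -n "$3" ]; then
        out=$(openssl s_client -connect "$1:$2" -CAfile "$3" </dev/null 2>&1) || true
    else
        out=$(openssl s_client -connect "$1:$2" </dev/null 2>&1) || true
    fi
    summarize "$out"
}

# Constructed s_client excerpt (not captured from a real broker): self-signed
# broker certificate, clientAuth enabled.
SAMPLE_SELF_SIGNED_MUTUAL='CONNECTED(00000003)
depth=0 CN = broker.example.com
verify error:num=18:self signed certificate
---
Acceptable client certificate CA names
CN = broker.example.com
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Verify return code: 18 (self signed certificate)
---'

# Constructed excerpt: CA-signed certificate trusted via -CAfile, clientAuth off.
SAMPLE_TRUSTED_SERVER_ONLY='CONNECTED(00000003)
depth=1 CN = Example Internal CA
verify return:1
depth=0 CN = broker.example.com
verify return:1
---
No client certificate CA names sent
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES128-GCM-SHA256
    Verify return code: 0 (ok)
---'

if [ $# -ge 2 ]; then
    probe_listener "$@"            # e.g. ./check_listener.sh localhost 7843 broker-ca.pem
else
    summarize "$SAMPLE_SELF_SIGNED_MUTUAL"
    summarize "$SAMPLE_TRUSTED_SERVER_ONLY"
fi
```

Run it against the port reported by mqsireportproperties; a result of `trust=self-signed` without a CA file is expected for a self-signed PKI, and passing the certificate with the third argument should turn it into `trust=trusted`. `clientAuth=yes` confirms that the clientAuth property took effect after the restart, and anything other than a TLS version in `protocol=` means the listener is accepting SSL.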
Copyright IBM Corporation 1999, 2016.

Last updated: 2016-05-23 14:47:26

Task topic | Version 8.0.0.7 | ap34021_