Two keystores are included in the sample: server.keystore and client.keystore. These keystores are imported with the AddressBook project; you can leave them where they are or export them to a more convenient location. You must configure your broker to use these keystores. The provider and consumer are deployed to different execution groups, and you can set a different keystore and truststore for each execution group. Viewing the contents of these keystores helps you to understand the two bindings that must be created to set up WS-Security. To view the contents, issue the following commands in the directory containing the keystores:
keytool -list -keystore server.keystore -storepass server -v
keytool -list -keystore client.keystore -storepass client -v
Keystores can contain two kinds of entries: key entries and trusted certificate entries. A keystore that is used to contain trusted certificates is typically referred to as a truststore. Your broker can refer to one keystore and one truststore per execution group. When your broker is encrypting or decrypting, it uses entries in its keystore; when it is verifying a signature or doing X.509 authentication, it uses entries in its truststore. This sample uses the same file for both the keystore and the truststore.
To find out which truststore and keystore your broker can use, issue the following commands:
mqsireportproperties MB8BROKER -o ComIbmJVMManager -a -e AddressSampleProvider
mqsireportproperties MB8BROKER -o ComIbmJVMManager -a -e AddressSampleConsumer
The properties are blank unless you have set any of the values relating to keystores and truststores. To set up a keystore and truststore per execution group, the following six values must be set: keystoreType, keystoreFile, keystorePass, truststoreType, truststoreFile, and truststorePass.
To set up the provider keystore and truststore, use the following commands. Set each file value to the fully qualified location of the keystore (not just server.keystore or client.keystore); you might find it useful to export the keystores from the workspace to a location such as C:\keystores:
mqsichangeproperties MB8BROKER -e AddressSampleProvider -o ComIbmJVMManager -n keystoreFile -v [Location of server keystore]
mqsichangeproperties MB8BROKER -e AddressSampleProvider -o ComIbmJVMManager -n keystoreType -v JKS
mqsichangeproperties MB8BROKER -e AddressSampleProvider -o ComIbmJVMManager -n keystorePass -v addressBookProvider::password
mqsichangeproperties MB8BROKER -e AddressSampleProvider -o ComIbmJVMManager -n truststoreFile -v [Location of server keystore]
mqsichangeproperties MB8BROKER -e AddressSampleProvider -o ComIbmJVMManager -n truststoreType -v JKS
mqsichangeproperties MB8BROKER -e AddressSampleProvider -o ComIbmJVMManager -n truststorePass -v addressBookProvider::password
Use the following commands to set up the consumer keystore and truststore:
mqsichangeproperties MB8BROKER -e AddressSampleConsumer -o ComIbmJVMManager -n keystoreFile -v [Location of client keystore]
mqsichangeproperties MB8BROKER -e AddressSampleConsumer -o ComIbmJVMManager -n keystoreType -v JKS
mqsichangeproperties MB8BROKER -e AddressSampleConsumer -o ComIbmJVMManager -n keystorePass -v addressBookConsumer::password
mqsichangeproperties MB8BROKER -e AddressSampleConsumer -o ComIbmJVMManager -n truststoreFile -v [Location of client keystore]
mqsichangeproperties MB8BROKER -e AddressSampleConsumer -o ComIbmJVMManager -n truststoreType -v JKS
mqsichangeproperties MB8BROKER -e AddressSampleConsumer -o ComIbmJVMManager -n truststorePass -v addressBookConsumer::password
Keystores typically have passwords; the password for server.keystore is "server" and the password for client.keystore is "client". The previous commands set up references to where the passwords are stored. Because the same keystore is being used for the keystore and truststore, only two references are required, one for the keystore for the consumer, and one for the keystore for the provider. Use the following commands to configure the broker:
mqsistop MB8BROKER
Set the passwords:
mqsisetdbparms MB8BROKER -n addressBookProvider::password -u temp -p server
mqsisetdbparms MB8BROKER -n addressBookConsumer::password -u temp -p client
The -u (user) option is not used. Restart the broker:
mqsistart MB8BROKER
The broker now has access to the keystores. To verify that the above commands have run correctly you can report the properties of the two execution groups again; the output looks similar to the following output:
For the provider:
ComIbmJVMManager
  uuid='ComIbmJVMManager'
  userTraceLevel='none'
  traceLevel='none'
  userTraceFilter='none'
  traceFilter='none'
  jvmVerboseOption='none'
  jvmDisableClassGC='false'
  jvmNativeStackSize='-1'
  jvmMinHeapSize='33554432'
  jvmMaxHeapSize='-1'
  jvmDebugPort='0'
  keystoreType='JKS'
  keystoreFile='C:\keystores\server.keystore'
  keystorePass='addressBookProvider::password'
  truststoreType='JKS'
  truststoreFile='C:\keystores\server.keystore'
  truststorePass='addressBookProvider::password'
BIP8071I: Successful command completion.
For the consumer:
ComIbmJVMManager
  uuid='ComIbmJVMManager'
  userTraceLevel='none'
  traceLevel='none'
  userTraceFilter='none'
  traceFilter='none'
  jvmVerboseOption='none'
  jvmDisableClassGC='false'
  jvmNativeStackSize='-1'
  jvmMinHeapSize='33554432'
  jvmMaxHeapSize='-1'
  jvmDebugPort='0'
  keystoreType='JKS'
  keystoreFile='C:\keystores\client.keystore'
  keystorePass='addressBookConsumer::password'
  truststoreType='JKS'
  truststoreFile='C:\keystores\client.keystore'
  truststorePass='addressBookConsumer::password'
BIP8071I: Successful command completion.
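The verification step above can be scripted rather than checked by eye. The following bash check is an added example, not part of the sample: the function names are hypothetical, the two report texts are constructed from the output shown above, and treating a password value that does not end in ::password as a finding is an assumption based on the reference names this page uses.

```shell
#!/usr/bin/env bash
# Added example: validate the six keystore/truststore values in report output.
# Real use (command from this page):
#   check_keystore_report "$(mqsireportproperties MB8BROKER -o ComIbmJVMManager -a -e AddressSampleProvider)"

# Constructed sample modelled on the provider output shown on this page.
SAMPLE_OK=$(cat <<'EOF'
ComIbmJVMManager uuid='ComIbmJVMManager' jvmDebugPort='0'
keystoreType='JKS' keystoreFile='C:\keystores\server.keystore' keystorePass='addressBookProvider::password'
truststoreType='JKS' truststoreFile='C:\keystores\server.keystore' truststorePass='addressBookProvider::password'
BIP8071I: Successful command completion.
EOF
)
# Constructed failing sample: relative keystoreFile and blank truststorePass.
SAMPLE_BAD=$(cat <<'EOF'
keystoreType='JKS' keystoreFile='server.keystore' keystorePass='addressBookProvider::password'
truststoreType='JKS' truststoreFile='C:\keystores\server.keystore' truststorePass=''
EOF
)

# prop_value REPORT NAME: print the value of NAME='...' (empty if blank or absent).
prop_value() {
  printf '%s\n' "$1" | grep -o "$2='[^']*'" | head -n 1 | sed "s/^$2='//; s/'\$//"
}

# check_keystore_report REPORT: return 0 only if all six values are set, both
# file values are fully qualified, and both password values are references.
check_keystore_report() {
  local report="$1" rc=0 name value
  for name in keystoreType keystoreFile keystorePass \
              truststoreType truststoreFile truststorePass; do
    value=$(prop_value "$report" "$name")
    if [ -z "$value" ]; then
      echo "MISSING  $name is blank"; rc=1; continue
    fi
    case "$name" in
      *File) case "$value" in
               /*|[A-Za-z]:\\*) ;;   # absolute UNIX path or Windows drive path
               *) echo "RELATIVE $name='$value' is not fully qualified"; rc=1 ;;
             esac ;;
      *Pass) case "$value" in
               *::password) ;;       # reference stored with mqsisetdbparms
               *) echo "LITERAL  $name is not a name::password reference"; rc=1 ;;
             esac ;;
    esac
  done
  return $rc
}

check_keystore_report "$SAMPLE_OK" && echo "provider sample: OK"
check_keystore_report "$SAMPLE_BAD" || echo "bad sample: rejected"
```

Run the check once per execution group, because the provider and consumer each have their own keystore and truststore settings.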