WebSphere Message Broker, Version 8.0.0.7 Operating Systems: AIX, HP-Itanium, Linux, Solaris, Windows, z/OS

Enabling SSL for external WebSphere eXtreme Scale grids

Enable SSL for an external WebSphere® eXtreme Scale grid by setting up a public key infrastructure, then enabling SSL on the execution group.

Before you start:

Read the concept information in WebSphere eXtreme Scale grids and Public key cryptography.

You can enable SSL for client connections to external WebSphere eXtreme Scale grids. You cannot enable SSL for servers in the embedded global cache.

To enable SSL communication, configure the keystore, truststore, passwords, and certificates. To enable server authentication, import the public certificate from the WebSphere eXtreme Scale server into the broker or execution group truststore. If the server requires client authentication, you must also create a private key in the broker or execution group keystore that the WebSphere eXtreme Scale server trusts.

You then set properties on the execution group to enable SSL and specify the required protocol. You can also nominate a particular key to use if you have more than one. SSL connections can be made only from execution groups that are not hosting catalog or container servers.

The following steps describe how to enable SSL for an external WebSphere eXtreme Scale grid.

  1. Set up a public key infrastructure by following the instructions in Setting up a public key infrastructure. You can set up the public key infrastructure at broker or execution group level.

    Connections to external WebSphere eXtreme Scale grids cannot implicitly use public certificates that are located in the JVM cacerts file.

  2. To ensure that you are enabling SSL on an execution group that does not host a catalog or container server, use one of these methods:
    • Set the broker-level policy to none to specify roles for the execution groups manually. For example, to ensure that an execution group does not host a catalog or container server, run the following mqsichangeproperties command:
      mqsichangeproperties broker_name -e execution_group_1 -o ComIbmCacheManager -n enableCatalogService,enableContainerService -v false,false
    • Set the broker-level policy to disabled to switch off the embedded global cache and ensure that no execution groups are hosting WebSphere eXtreme Scale server components.
    To set the broker-level policy, use one of the following methods:
    • From the command line, run the following command, setting the -b parameter to none or disabled:
      mqsichangebroker brokerName -b none
    • From the WebSphere Message Broker Explorer, right-click the appropriate broker, click Properties, then Global Cache, then set the cache policy to none or disabled.
  3. Optional: If you set the broker-level policy to none, check that the enableCatalogService and enableContainerService properties are set to false for each execution group for which you are enabling SSL.
    Use one of the following methods:
    • From the command line, run the following command, then check that both properties are set to false:
      mqsireportproperties brokerName -e executionGroupName -o ComIbmCacheManager -r
    • From the WebSphere Message Broker Explorer, select the properties for each execution group, then select Global Cache. Confirm that the Catalog server enabled and Container Server enabled properties are not selected.
  4. To enable SSL, set the following properties on the appropriate execution group:
    • To enable SSL, set clientsDefaultToSSL to true.
    • To specify an SSL protocol, set sslProtocol to a value that is recognized by the IBM® JSSE2 security provider.
    • If the external grid requires client authentication and you have more than one trusted private key in the broker keystore, set sslAlias to the appropriate key.
    For more information about these properties, see Parameter values for the cachemanager component.
    To set these properties on the execution group, use one of the following methods:
    • From the command line, run the mqsichangeproperties command, as shown in the following example:
      mqsichangeproperties broker_name -e execution_group_1 -o ComIbmCacheManager -n clientsDefaultToSSL,sslProtocol,sslAlias -v true,SSL_TLS,ProdKey
    • From the WebSphere Message Broker Explorer, select the properties for each execution group, then select Global Cache. Select clientsDefaultToSSL and, if required, set the SSL protocol and SSL key alias.
  5. Restart the execution group. For more information, see mqsireload command.
  6. Connect to the WebSphere eXtreme Scale grid by following the instructions in Connecting to a WebSphere eXtreme Scale grid.
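The following script is an added example, not part of the IBM topic. It performs the pre-flight check from steps 2 to 4 before SSL is enabled: it reads a previously captured mqsireportproperties report for the ComIbmCacheManager object, confirms that enableCatalogService and enableContainerService are both false (otherwise the connection would fail with BIP7144), and only then prints the mqsichangeproperties command from step 4. The report text is a constructed sample whose layout is an assumption about the real command output, and the broker and execution group names BROKER1 and EG1 are placeholders; the property names, SSL_TLS and ProdKey come from the topic.

```shell
#!/bin/sh
# Added example (not IBM's code): check an execution group's cache manager
# properties before enabling SSL, and build the step-4 command if it is safe.

# Constructed sample of "mqsireportproperties ... -o ComIbmCacheManager -r"
# output. The name='value' layout is an assumption, not verified output.
SAMPLE_REPORT_OK="ComIbmCacheManager
  uuid='ComIbmCacheManager'
  enableCatalogService='false'
  enableContainerService='false'
  clientsDefaultToSSL='false'
  sslProtocol=''
  sslAlias=''"

# Constructed sample for an execution group that hosts both server roles.
SAMPLE_REPORT_HOSTING="ComIbmCacheManager
  uuid='ComIbmCacheManager'
  enableCatalogService='true'
  enableContainerService='true'
  clientsDefaultToSSL='false'"

# prop_value REPORT NAME: print the quoted value of property NAME, or nothing.
prop_value() {
  printf '%s\n' "$1" | sed -n "s/^[[:space:]]*$2='\([^']*\)'.*/\1/p" | head -n 1
}

# eg_can_use_ssl REPORT: succeed only when both server roles are 'false'.
# A missing property is treated as unsafe (fail closed).
eg_can_use_ssl() {
  cat_svc=$(prop_value "$1" enableCatalogService)
  con_svc=$(prop_value "$1" enableContainerService)
  [ "$cat_svc" = "false" ] && [ "$con_svc" = "false" ]
}

# build_ssl_command BROKER EG PROTOCOL [ALIAS]: print the step-4 command.
# sslAlias is only needed when more than one trusted private key exists,
# so it is included only when an alias is supplied.
build_ssl_command() {
  broker=$1; eg=$2; proto=$3; key_alias=$4
  if [ -n "$key_alias" ]; then
    printf 'mqsichangeproperties %s -e %s -o ComIbmCacheManager -n clientsDefaultToSSL,sslProtocol,sslAlias -v true,%s,%s\n' \
      "$broker" "$eg" "$proto" "$key_alias"
  else
    printf 'mqsichangeproperties %s -e %s -o ComIbmCacheManager -n clientsDefaultToSSL,sslProtocol -v true,%s\n' \
      "$broker" "$eg" "$proto"
  fi
}

# Usage: print the command for the safe execution group, refuse the other.
if eg_can_use_ssl "$SAMPLE_REPORT_OK"; then
  build_ssl_command BROKER1 EG1 SSL_TLS ProdKey
fi
if ! eg_can_use_ssl "$SAMPLE_REPORT_HOSTING"; then
  echo "refusing: execution group hosts a catalog or container server" >&2
fi
```

In a real run, replace the sample variables with the captured output of the mqsireportproperties command from step 3, and follow the printed command with a restart of the execution group as in step 5.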

Keystore, truststore, and protocol settings are verified the first time that a connection is made from the execution group (either to the embedded grid, or for the first remote connection). Errors in the configuration are reported as a warning, and SSL connections are then prohibited. For example, a warning is issued if a keystore file is not found, the file is corrupted, or the keystore password is incorrect.

If you enable SSL and try to connect from an execution group that hosts WebSphere eXtreme Scale server components, the connection fails with a detailed exception message, BIP7144, which explains why the connection failed. If an SSL handshake exception occurs, the message flow fails and the exception message BIP7147 is issued.

Copyright IBM Corporation 1999, 2016.

Last updated: 2016-05-23 14:47:51


Task topic | Version 8.0.0.7 | bc23797_