Enabling JMS applications to use client mode with SSL and RACF

Use this task to enable JMS applications running under WebSphere Application Server on z/OS to communicate in client mode with WebSphere MQ using SSL-protected channels with RACF keyrings.

Before you begin

The following publications provide information that you might find useful when working on this task:

Why and when to perform this task

To enable JMS applications running under WebSphere Application Server on z/OS to communicate in client mode with WebSphere MQ using SSL-protected channels with RACF keyrings, complete the following steps, which are described in this topic:

  1. Configure RACF
  2. Configure the WebSphere Application Server JVM settings
  3. Configure the JMS Topic Connection factory
  4. Configure the WebSphere MQ queue manager

When you have completed all the configuration steps, you must stop and restart the WebSphere Application Server Control and Servant regions, and the WebSphere MQ Channel Initiator tasks.

Steps for this task

  1. Configure RACF
    For clarity and convenience, use a separate RACF keyring for the user ID of the WebSphere Application Server Control region, Servant region, and WebSphere MQ queue manager. If you do not already have separate keyrings, create them by completing the following steps:
    1. Create a keyring for the user ID of the WebSphere Application Server Control region.
      For the user ID that owns the address space of the Control region, create a keyring called something like WASKeyring or WAS51Keyring. If a keyring for this user ID was not created during installation and customization of WebSphere Application Server, you can create the keyring by using one of the RACF Panels or by using RACDCERT commands.
    2. Create a keyring for the user ID of the WebSphere Application Server Servant region.
      If the user ID that owns the address space of the Servant region is different from the user ID that owns the Control region, create a keyring with the same name as in the previous step.
    3. Create a keyring for the user ID of the WebSphere MQ queue manager.
      For the user ID that owns the WebSphere MQ channel initiator address space, create a keyring called mmmmRING where mmmm is the 4-character queue manager name of the target queue manager; for example, for the queue manager MQ01, the keyring name is MQ01RING.
    4. (Optional) If a user ID identified in the previous steps does not have a personal certificate, then create a certificate for that user ID.
      If you already have personal certificates for the user IDs (in an existing keyring or the RACF database), then you do not need to complete this step.

      Note: The personal certificate for the WebSphere MQ channel initiator must have a LABEL of ibmWebSphereMQmmmm where mmmm is the 4-character queue manager name of the target queue manager; for example, for the WebSphere MQ queue manager called MQ01, the LABEL value of the personal certificate must be ibmWebSphereMQMQ01. The LABEL value is case-sensitive.

    5. Connect the personal certificate for each user ID to the keyring for that user ID, as the default certificate for the keyring.
    6. Connect other required certificates to the keyring for a user ID.
      • Connect each CA certificate that signed a personal certificate to the same keyring as the personal certificate. [Such a CA certificate is referred to as a "CA signing certificate".]
      • Connect each CA signing certificate to the keyrings for the user ID that is at the other end of the client connection.
        • Connect the CA certificates for the WebSphere Application Server personal certificates to the WebSphere MQ user ID keyring.
        • Connect the CA certificate for the WebSphere MQ personal certificate to the WebSphere Application Server user ID keyrings.
  2. Configure WebSphere Application Server JVM settings
    Edit the control.jvm.options file and the servant.jvm.options file for the servers concerned to include the following six lines:
    -Djavax.net.ssl.trustStore=safkeyring:///WASKeyring_name
    -Djavax.net.ssl.trustStoreType=JCERACFKS
    -Djavax.net.ssl.trustStorePassword=password
    -Djavax.net.ssl.keyStore=safkeyring:///WASKeyring_name
    -Djavax.net.ssl.keyStoreType=JCERACFKS
    -Djavax.net.ssl.keyStorePassword=password

    Where WASKeyring_name is the name of the RACF keyring created for WebSphere Application Server in the preceding steps.

  3. Configure each JMS Queue or Topic Connection factory that defines the channel used for client connection to the WebSphere MQ queue manager.
    Use the WebSphere administrative console to create a custom property called SSLCIPHERSUITE for each connection factory used for client communication with the WebSphere MQ queue manager:
    1. Display the administrative console
    2. In the navigation pane, click Resources -> WebSphere MQ JMS Provider
    3. In the content pane, display the Custom Properties panel for the connection factory.
      • For a queue connection factory, click WebSphere MQ Queue Connection Factories -> connection_factory -> Custom Properties
      • For a topic connection factory, click WebSphere MQ Topic Connection Factories -> connection_factory -> Custom Properties
    4. Click New
    5. In the Name field, type SSLCIPHERSUITE
      This name is case sensitive.
    6. In the Value field, type the name of one of the CipherSuites listed in Appendix H of the WebSphere MQ Using Java book.
    7. Click OK
    8. Save your changes to the master configuration.
  4. Configure the WebSphere MQ queue manager.
    1. Set queue manager attributes.
      Set the following queue manager attributes, by using either the WebSphere MQ panels or MQSC commands:
      SSLKEYR(mmmmRING)
      Where mmmm is the 4-character queue manager name.
      SSLTASKS(n)
      Where n is a number in the range 3 through 50.
    2. Set the SVRCONN channel settings for each channel used for client mode connection.
      For each channel named in a WebSphere Application Server queue connection factory or topic connection factory for client communication with the WebSphere MQ queue manager, you need to configure the following attribute settings on the SVRCONN channel object.
      SSLCIPH(cipherspec_name)
      This must match the CipherSuite specified as the custom property on the WebSphere Application Server queue connection factory or topic connection factory in the preceding step.
      SSLCAUTH(REQUIRED)
      If client authentication is enabled, you must set this to REQUIRED. Otherwise, you can set this to OPTIONAL.
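The following Python script is an added example, not part of this IBM topic or of the WebSphere products; it turns the naming and matching rules from steps 1 to 4 into a pre-flight consistency check that can be run before the regions and channel initiator are restarted. Everything in it is constructed: the sample control.jvm.options content, the queue manager name MQ01 with keyring MQ01RING and certificate LABEL ibmWebSphereMQMQ01, and the assumption that a queue manager name is 1 to 4 upper-case characters. The cipher table is only an illustrative subset of the CipherSuite-to-CipherSpec correspondence; the authoritative table is Appendix H of the WebSphere MQ Using Java book.

```python
"""Pre-flight check for the RACF keyring, JVM option and queue manager settings
described in the steps above.  Added example, not IBM code; all inputs are
constructed samples and the cipher table is an illustrative subset of Appendix H."""
import re

# Illustrative subset (constructed for this example) of the JMS SSLCIPHERSUITE
# custom property -> SVRCONN SSLCIPH CipherSpec correspondence.  Take the real
# table from Appendix H; the AES names happen to be identical on both sides.
CIPHERSUITE_TO_CIPHERSPEC = {
    "TLS_RSA_WITH_AES_128_CBC_SHA": "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_AES_256_CBC_SHA": "TLS_RSA_WITH_AES_256_CBC_SHA",
    "SSL_RSA_WITH_3DES_EDE_CBC_SHA": "TRIPLE_DES_SHA_US",
    "SSL_RSA_WITH_RC4_128_SHA": "RC4_SHA_US",
}

# Constructed sample of a control.jvm.options file after step 2 (keyring WASKeyring).
SAMPLE_JVM_OPTIONS = """\
-Xms128m
-Djavax.net.ssl.trustStore=safkeyring:///WASKeyring
-Djavax.net.ssl.trustStoreType=JCERACFKS
-Djavax.net.ssl.trustStorePassword=password
-Djavax.net.ssl.keyStore=safkeyring:///WASKeyring
-Djavax.net.ssl.keyStoreType=JCERACFKS
-Djavax.net.ssl.keyStorePassword=password
"""


def parse_jvm_options(text):
    """Return a {property: value} map of the -D options in a jvm.options file."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("-D") and "=" in line:
            key, value = line[2:].split("=", 1)
            props[key] = value
    return props


def check_jvm_options(text, keyring_name):
    """Step 2: both stores must be the RACF keyring via a safkeyring URL, both
    store types must be JCERACFKS, and both password properties must be present."""
    props = parse_jvm_options(text)
    problems = []
    expected_url = "safkeyring:///" + keyring_name
    for store in ("trustStore", "keyStore"):
        url = props.get("javax.net.ssl." + store)
        if url != expected_url:
            problems.append("javax.net.ssl.%s should be %s, found %r" % (store, expected_url, url))
        if props.get("javax.net.ssl.%sType" % store) != "JCERACFKS":
            problems.append("javax.net.ssl.%sType must be JCERACFKS" % store)
        if "javax.net.ssl.%sPassword" % store not in props:
            problems.append("javax.net.ssl.%sPassword is missing" % store)
    return problems


def expected_mq_names(qmgr):
    """Step 1: channel initiator keyring is mmmmRING, its personal certificate
    LABEL is ibmWebSphereMQmmmm.  The 1-4 upper-case character rule is an assumption."""
    if not re.fullmatch(r"[A-Z0-9@#$]{1,4}", qmgr):
        raise ValueError("queue manager name must be 1-4 upper-case characters: %r" % qmgr)
    return {"keyring": qmgr + "RING", "label": "ibmWebSphereMQ" + qmgr}


def check_queue_manager(qmgr, sslkeyr, ssltasks, cert_labels):
    """Step 4.1 plus the LABEL note in step 1: SSLKEYR names the mmmmRING keyring,
    SSLTASKS is 3..50, and the keyring holds a certificate with the exact LABEL."""
    names = expected_mq_names(qmgr)
    problems = []
    if sslkeyr != names["keyring"]:
        problems.append("SSLKEYR should be %s, found %s" % (names["keyring"], sslkeyr))
    if not 3 <= ssltasks <= 50:
        problems.append("SSLTASKS(%d) is outside the range 3 through 50" % ssltasks)
    if names["label"] not in cert_labels:  # exact, case-sensitive comparison
        msg = "no certificate with LABEL %s in %s" % (names["label"], names["keyring"])
        if any(lbl.lower() == names["label"].lower() for lbl in cert_labels):
            msg += " (a label differs only in case; LABEL is case-sensitive)"
        problems.append(msg)
    return problems


def check_channel(sslciphersuite, sslciph, sslcauth, client_auth_enabled):
    """Steps 3 and 4.2: SSLCIPH must correspond to the connection factory's
    SSLCIPHERSUITE, and SSLCAUTH must be REQUIRED when client authentication is on."""
    problems = []
    expected = CIPHERSUITE_TO_CIPHERSPEC.get(sslciphersuite)
    if expected is None:
        problems.append("SSLCIPHERSUITE %s is not in the cipher table; check Appendix H" % sslciphersuite)
    elif sslciph != expected:
        problems.append("SSLCIPH(%s) does not correspond to %s (expected %s)" % (sslciph, sslciphersuite, expected))
    if sslcauth not in ("REQUIRED", "OPTIONAL"):
        problems.append("SSLCAUTH must be REQUIRED or OPTIONAL, found %s" % sslcauth)
    elif client_auth_enabled and sslcauth != "REQUIRED":
        problems.append("client authentication is enabled, so SSLCAUTH must be REQUIRED")
    return problems


if __name__ == "__main__":
    # Constructed deployment: queue manager MQ01, WAS keyring WASKeyring, AES-128 on both sides.
    report = (check_jvm_options(SAMPLE_JVM_OPTIONS, "WASKeyring")
              + check_queue_manager("MQ01", "MQ01RING", 5, ["ibmWebSphereMQMQ01"])
              + check_channel("TLS_RSA_WITH_AES_128_CBC_SHA", "TLS_RSA_WITH_AES_128_CBC_SHA", "REQUIRED", True))
    print("\n".join(report) if report else "all settings consistent")
```

Each check returns a list of problems rather than raising, so all findings for a server can be reported at once; the LABEL check deliberately compares case-sensitively and only uses a case-insensitive match to explain why an apparently present certificate is not found.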

What to do next

Stop and restart the WebSphere Application Server Control and Servant regions, and the WebSphere MQ Channel Initiator tasks.

Related tasks
Configuring resources for the WebSphere MQ JMS provider
Configuring Secure Sockets Layer
Administering WebSphere JMS support

Searchable topic ID:   tmj_clissl
Last updated: Jun 21, 2007 9:56:50 PM CDT    WebSphere Application Server for z/OS, Version 5.0.2
http://publib.boulder.ibm.com/infocenter/wasinfo/index.jsp?topic=/com.ibm.websphere.zseries.doc/info/zseries/ae/tmj_clissl.html