Securing JMS client and JMS resource adapter connections
There are two approaches to configuring Secure Sockets Layer (SSL) for the Thin Client for JMS with WebSphere® Application Server and the Resource Adapter for JMS with WebSphere Application Server. The global configuration approach affects all stand-alone outbound connections from the process, and the private approach applies only to client or resource adapter connections from the process.
About this task
The Thin Client for JMS with WebSphere Application Server and the Resource Adapter for JMS with WebSphere Application Server use the standard Java™ Secure Socket Extension (JSSE) that all supported JREs provide for making Secure Sockets Layer (SSL) connections. For information about JSSE, see the JSSE documentation.
With the global configuration approach, you set the standard javax.net.ssl system properties for the JVM, for example:
```
-Djavax.net.ssl.keyStore=key.p12
-Djavax.net.ssl.keyStorePassword={xor}Lz4sLCgwLTs=
-Djavax.net.ssl.trustStore=trust.p12
-Djavax.net.ssl.trustStorePassword={xor}PSo4LSov
```
You can use the private configuration approach to specify security settings that are specific to the Thin Client for JMS with WebSphere Application Server or the Resource Adapter for JMS with WebSphere Application Server connections. You can configure the com.ibm.ws.sib.client.ssl.properties system property to specify the location of an IBM SSL properties file. If this system property is not configured, an attempt is made to load the properties file from the classpath instead. For each IBM SSL property, the client resolves the value in the following order:
- If the property has a value in the IBM SSL properties file, the client uses that value.
- If the properties file has no value for the property, and the associated JRE system properties contain a suitable javax.net.ssl property, the client uses the value of that JRE property.
- If there is no suitable javax.net.ssl property either, the client uses the default value.
The following table lists, for each IBM SSL property, the JRE global property that is used as a fallback and the default value that applies when neither is set.

| IBM SSL property | JRE global property | Default value |
|---|---|---|
| com.ibm.ssl.keyStoreType | javax.net.ssl.keyStoreType | JKS |
| com.ibm.ssl.keyStore | javax.net.ssl.keyStore | None |
| com.ibm.ssl.keyManager | javax.net.ssl.keyStoreProvider | IbmX509 |
| com.ibm.ssl.trustManager | javax.net.ssl.trustStoreProvider | IbmX509 |
| com.ibm.ssl.keyStorePassword | javax.net.ssl.keyStorePassword | None |
| com.ibm.ssl.protocol | None | SSL |
| com.ibm.ssl.contextProvider | None | IBMJSSE2 |
| com.ibm.ws.sib.jsseProvider | None | com.ibm.jsse2.IBMJSSEProvider2 |
| com.ibm.ssl.trustStore | javax.net.ssl.trustStore | None |
| com.ibm.ssl.trustStoreType | javax.net.ssl.trustStoreType | JKS |
| com.ibm.ssl.trustStorePassword | javax.net.ssl.trustStorePassword | None |
For example, the following IBM SSL properties file configures PKCS12 key and trust stores for the client:
```
com.ibm.ssl.keyStore=/thinclient/key.p12
com.ibm.ssl.keyStoreType=PKCS12
com.ibm.ssl.keyStorePassword=WebAS
com.ibm.ssl.trustStore=/thinclient/trust.p12
com.ibm.ssl.trustStoreType=PKCS12
com.ibm.ssl.trustStorePassword=WebAS
```
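The three-step precedence above is easy to get wrong when a property is set in both places, or in neither. The following Python script is an added example (not IBM code, and not how the client is implemented internally): it parses an IBM SSL properties file with a simplified Java `.properties` reader, applies the page's precedence against a dictionary that stands in for the JRE system properties, and reports which settings end up with no value at all. The property table is copied from this page; the sample file and the JRE property map are constructed.

```python
"""Resolve the effective SSL settings for a Thin Client for JMS connection.

Added example, not IBM code: it models the precedence described on this page
(IBM SSL properties file, then JRE javax.net.ssl system property, then the
documented default) using the mapping table from the page.
"""
from __future__ import annotations

# Copied from the page: IBM property -> (JRE global property or None, default value).
PROPERTY_TABLE = {
    "com.ibm.ssl.keyStoreType":       ("javax.net.ssl.keyStoreType", "JKS"),
    "com.ibm.ssl.keyStore":           ("javax.net.ssl.keyStore", None),
    "com.ibm.ssl.keyManager":         ("javax.net.ssl.keyStoreProvider", "IbmX509"),
    "com.ibm.ssl.trustManager":       ("javax.net.ssl.trustStoreProvider", "IbmX509"),
    "com.ibm.ssl.keyStorePassword":   ("javax.net.ssl.keyStorePassword", None),
    "com.ibm.ssl.protocol":           (None, "SSL"),
    "com.ibm.ssl.contextProvider":    (None, "IBMJSSE2"),
    "com.ibm.ws.sib.jsseProvider":    (None, "com.ibm.jsse2.IBMJSSEProvider2"),
    "com.ibm.ssl.trustStore":         ("javax.net.ssl.trustStore", None),
    "com.ibm.ssl.trustStoreType":     ("javax.net.ssl.trustStoreType", "JKS"),
    "com.ibm.ssl.trustStorePassword": ("javax.net.ssl.trustStorePassword", None),
}

# Constructed sample: the page's example file with the passwords left out,
# so that one of them can come from the JRE and one from nowhere.
SAMPLE_FILE = """\
# constructed sample IBM SSL properties file
com.ibm.ssl.keyStore=/thinclient/key.p12
com.ibm.ssl.keyStoreType=PKCS12
com.ibm.ssl.trustStore=/thinclient/trust.p12
com.ibm.ssl.trustStoreType=PKCS12
"""
# Constructed stand-in for the JVM's system properties (-D options).
SAMPLE_JRE = {"javax.net.ssl.trustStorePassword": "WebAS"}


def parse_properties(text: str) -> dict:
    """Simplified Java .properties reader: key=value or key:value lines,
    '#' / '!' comment lines and blank lines; no line continuations or escapes."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        sep = min((i for i in (line.find("="), line.find(":")) if i >= 0), default=-1)
        if sep < 0:
            props[line] = ""
        else:
            props[line[:sep].strip()] = line[sep + 1:].strip()
    return props


def resolve(ibm_props: dict, jre_props: dict) -> dict:
    """Apply the page's precedence to every IBM SSL property.

    Returns {ibm_property: (value, source)} with source 'file', 'jre' or 'default'.
    """
    resolved = {}
    for ibm_key, (jre_key, default) in PROPERTY_TABLE.items():
        if ibm_key in ibm_props:                       # rule 1: properties file wins
            resolved[ibm_key] = (ibm_props[ibm_key], "file")
        elif jre_key is not None and jre_key in jre_props:  # rule 2: JRE fallback
            resolved[ibm_key] = (jre_props[jre_key], "jre")
        else:                                          # rule 3: documented default
            resolved[ibm_key] = (default, "default")
    return resolved


def unset_settings(resolved: dict) -> list:
    """Properties whose value is None after resolution. A missing trust store means the
    client has nothing to verify the server against; a missing key store only matters
    when the server requires client certificates."""
    return [key for key, (value, _) in resolved.items() if value is None]


def effective_config(file_text: str, jre_props: dict) -> dict:
    """Convenience wrapper: parse the file and resolve in one step."""
    return resolve(parse_properties(file_text), jre_props)


if __name__ == "__main__":
    for key, (value, source) in effective_config(SAMPLE_FILE, SAMPLE_JRE).items():
        print(f"{key:34} = {value!s:36} ({source})")
    print("unset:", unset_settings(effective_config(SAMPLE_FILE, SAMPLE_JRE)))
```

Running it against the constructed sample shows the trust store taken from the file, its password taken from the JRE property, the protocol and provider settings falling back to their defaults, and com.ibm.ssl.keyStorePassword left with no value at all. Running the same check against a real deployment's file and `-D` options before the client starts makes an unintended fallback visible rather than discovering it from a handshake failure.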
You can use the PropFilePasswordEncoder tool in the WebSphere Application Server bin directory to encode passwords that are stored in plain-text properties files. For further information, see Encoding passwords in files.
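The `{xor}` values shown on this page are the output format of that tool. The following Python script is an added example, not IBM's PropFilePasswordEncoder: it reproduces the `{xor}` encoding (each byte XORed with the fixed value 0x5F, then base64) so that the page's own example value `{xor}Lz4sLCgwLTs=` round-trips through it, and rewrites the `*Password=` entries of a properties file the way the tool does. The sample properties text is constructed.

```python
"""Encode properties-file passwords in WebSphere's {xor} form.

Added example, not IBM's PropFilePasswordEncoder. The format is a fixed-byte
XOR followed by base64: it hides a password from casual viewing but is fully
reversible, so the file still needs the same access controls as a plain-text
secret.
"""
import base64

XOR_KEY = 0x5F       # the fixed byte used by the {xor} format
PREFIX = "{xor}"     # marker that tells WebSphere the value is encoded


def xor_encode(plaintext: str) -> str:
    """Encode a password into {xor} form."""
    data = bytes(b ^ XOR_KEY for b in plaintext.encode("utf-8"))
    return PREFIX + base64.b64encode(data).decode("ascii")


def xor_decode(encoded: str) -> str:
    """Reverse xor_encode; raises if the value does not carry the {xor} marker."""
    if not encoded.startswith(PREFIX):
        raise ValueError("not a {xor}-encoded value")
    data = base64.b64decode(encoded[len(PREFIX):])
    return bytes(b ^ XOR_KEY for b in data).decode("utf-8")


def encode_password_properties(text: str) -> str:
    """Rewrite plain-text *Password= values in a properties file into {xor} form.

    Lines whose key does not end in 'Password', and values that are already
    encoded, are left exactly as they are, so the function is idempotent.
    """
    out = []
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip().endswith("Password") and not value.strip().startswith(PREFIX):
            line = f"{key}={xor_encode(value.strip())}"
        out.append(line)
    return "\n".join(out) + ("\n" if text.endswith("\n") else "")


# Constructed sample: the page's properties file with plain-text passwords.
SAMPLE_PROPERTIES = """\
com.ibm.ssl.keyStore=/thinclient/key.p12
com.ibm.ssl.keyStoreType=PKCS12
com.ibm.ssl.keyStorePassword=WebAS
com.ibm.ssl.trustStore=/thinclient/trust.p12
com.ibm.ssl.trustStoreType=PKCS12
com.ibm.ssl.trustStorePassword=WebAS
"""

if __name__ == "__main__":
    print(encode_password_properties(SAMPLE_PROPERTIES))
```

Because `encode_password_properties` skips values that already start with `{xor}`, it can be run on a file repeatedly without double-encoding. The `xor_decode` function exists only to show that the encoding is an obfuscation, not encryption: file permissions on the properties file, not the `{xor}` form, are what protect the key store and trust store passwords.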
- SSL connections from Sun JREs that use the Thin Client for JMS with WebSphere Application Server cannot use the default WebSphere Application Server PKCS12 key and trust stores. If you run the client securely from a Sun JRE, you must first extract the certificates from the trust store by using an IBM software development kit (SDK). You can then import these certificates into a keystore type that the Sun JRE recognizes correctly, such as a JKS keystore.
- SSL connections are not supported by the IBM JRE that is shipped with WebSphere Application Server; you must use a JRE that was not installed by WebSphere Application Server.