IBM MQ server: Transport chain security

System security for a connection between service integration and an IBM MQ network is provided by the Transport Layer Security (TLS) and Secure Sockets Layer (SSL) protocols.

When WebSphere® Application Server uses SSL, the administrator must create an SSL repertoire, a channel and a transport chain. The transport chain must be referenced by the IBM MQ server through the server transport chain attribute, and must also be a trusted transport for the service integration bus to which the IBM MQ server belongs. The default setting is for service integration buses to trust only the SSL transport.

Two default transport chains are created on each IBM MQ server: OutboundBasicWMQClient and OutboundSecureWMQClient. The OutboundSecureWMQClient transport chain uses SSL and is configured to use the server default SSL repertoire. If you want to create your own transport chain, you must define it to every IBM MQ server that is a service integration bus member. Here is an example of how you might define your own transport chain by using wsadmin with Jython:
wsadmin>tcs = AdminConfig.list("TransportChannelService").splitlines()[0]

wsadmin>AdminConfig.create("TCPOutboundChannel", tcs, [["name", "MyWMQChain.TCP"]])

wsadmin>ssl=...

wsadmin>AdminConfig.create("SSLOutboundChannel", tcs, [["name", "MyWMQChain.SSL"],
 ["sslConfigAlias", "MyRepertoire"]])

wsadmin>rmq=...

wsadmin>AdminConfig.create("RMQOutboundChannel", tcs, [["name", "MyWMQChain.RMQ"]])

wsadmin>tcp=...

wsadmin>AdminConfig.create("Chain", tcs, [["name", "MyWMQChain"], ["enable", "true"],
 ["transportChannels", [rmq, ssl, tcp]]])
This example creates a transport chain suitable for connecting an IBM MQ server to IBM MQ by using SSL. The chain is called MyWMQChain and uses the SSL repertoire called MyRepertoire. The variables rmq, ssl and tcp must hold the configuration IDs of the three channels, listed in the chain in that order.
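The procedure above, carried through as one reusable wsadmin Jython routine. This is an added example, not code from the IBM page or from WebSphere itself. It uses the AdminConfig calls the page already relies on (list and create) plus AdminConfig.showAttribute, and depends on AdminConfig.create returning the configuration ID of the object it creates, which is what the page's ssl, rmq and tcp variables are meant to hold. The chain and repertoire names are the page's (MyWMQChain, MyRepertoire). Two things are my additions and assumptions: the pre-flight check that an SSLConfig object with the requested alias exists before any channel is created, and the DryRunAdminConfig stand-in, a constructed fake that lets the routine be exercised outside wsadmin. The code avoids newer Python syntax so that it also runs on the old Jython level shipped with wsadmin.

```python
# Added example (not from the IBM page): define an SSL-protected outbound
# transport chain for an IBM MQ server under wsadmin, with an offline dry run.

def ssl_alias_exists(admin_config, alias):
    """Return 1 if an SSL repertoire (SSLConfig object) with this alias exists."""
    for cfg_id in admin_config.list("SSLConfig").splitlines():
        if admin_config.showAttribute(cfg_id, "alias") == alias:
            return 1
    return 0


def define_wmq_ssl_chain(admin_config, chain_name, ssl_alias, tcs=None):
    """Create the TCP, SSL and RMQ outbound channels and the chain linking them.

    Returns the config ID of the new chain. AdminConfig.create returns the
    config ID of each object it creates, so the channel IDs the chain needs
    come straight from the create() calls.
    """
    if not ssl_alias_exists(admin_config, ssl_alias):
        # Stop before creating anything rather than leave behind half a chain
        # that references a repertoire which does not exist.
        raise ValueError("no SSL repertoire with alias %s" % ssl_alias)
    if tcs is None:
        # First TransportChannelService in the cell, as on the page; in a
        # multi-server cell pass the bus member server's service explicitly.
        tcs = admin_config.list("TransportChannelService").splitlines()[0]
    tcp = admin_config.create("TCPOutboundChannel", tcs,
                              [["name", chain_name + ".TCP"]])
    ssl = admin_config.create("SSLOutboundChannel", tcs,
                              [["name", chain_name + ".SSL"],
                               ["sslConfigAlias", ssl_alias]])
    rmq = admin_config.create("RMQOutboundChannel", tcs,
                              [["name", chain_name + ".RMQ"]])
    # Outbound chains list channels top-down: application (RMQ), SSL, TCP.
    return admin_config.create("Chain", tcs,
                               [["name", chain_name],
                                ["enable", "true"],
                                ["transportChannels", [rmq, ssl, tcp]]])


class DryRunAdminConfig:
    """Constructed stand-in (assumption, not a WebSphere API) for wsadmin's
    AdminConfig: records create() calls and returns synthetic config IDs."""

    def __init__(self, ssl_aliases):
        self.created = []          # (type, parent, attribute list) per create()
        self._alias_of = {}
        i = 0
        for alias in ssl_aliases:
            cfg_id = "%s(cells/c|security.xml#SSLConfig_%d)" % (alias, i)
            self._alias_of[cfg_id] = alias
            i = i + 1

    def list(self, obj_type):
        if obj_type == "TransportChannelService":
            return "(cells/c/nodes/n/servers/s|server.xml#TransportChannelService_1)"
        if obj_type == "SSLConfig":
            return "\n".join(self._alias_of.keys())
        return ""

    def showAttribute(self, cfg_id, attr):
        if attr == "alias":
            return self._alias_of[cfg_id]
        raise KeyError(attr)

    def create(self, obj_type, parent, attrs):
        self.created.append((obj_type, parent, attrs))
        return "(cells/c/nodes/n/servers/s|server.xml#%s_%d)" % (obj_type, len(self.created))


# Under wsadmin: define_wmq_ssl_chain(AdminConfig, "MyWMQChain", "MyRepertoire")
# followed by AdminConfig.save(). The dry run below needs no WebSphere at all.
if __name__ == "__main__":
    dry = DryRunAdminConfig(["CellDefaultSSLSettings", "MyRepertoire"])
    print(define_wmq_ssl_chain(dry, "MyWMQChain", "MyRepertoire"))
```

Inside wsadmin, call define_wmq_ssl_chain(AdminConfig, "MyWMQChain", "MyRepertoire") and then AdminConfig.save(); repeat it on every IBM MQ server that is a bus member, as the page requires. The new chain still has to be referenced from the IBM MQ server's transport chain attribute and added to the bus's permitted transports before a connection will be accepted.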

An IBM MQ connection to a queue manager is secured with a single cipher suite, whereas a WebSphere Application Server SSL repertoire can list several. The IBM MQ server tries the cipher suites in the repertoire one after another until a connection is established or every suite has been tried. The most recent cipher suite that produced a successful connection is cached per IBM MQ server bus member and is tried first on later connection attempts. Because every suite in the repertoire is a candidate, a weak suite listed there can end up being the one used, so keep the repertoire limited to suites you are prepared to accept for the queue manager connection.

When transport security is enabled, the transport chain used for connections to IBM MQ must be a permitted chain; otherwise no connection to IBM MQ can be established.


Concept topic

Last updated: July 9, 2016 11:10
http://www14.software.ibm.com/webapp/wsbroker/redirect?version=cord&product=was-nd-mp&topic=cjfp0016_
File name: cjfp0016_.html