To do this, complete the following steps:
1. Set up a public key infrastructure
2. Configure the broker or integration server to use SSL
3. Create a message flow
4. Test the configuration
---------------------------------------------------
1. Set up a public key infrastructure
To enable SSL communication and Web Services Security, you configure
- keystores,
- truststores,
- passwords, and
- certificates.
The IBM Integration Bus JVM supplies two tools for this:
- A command-line tool, keytool.
- A graphical tool, iKeyman.
The examples below use runmqckm, the IBM MQ command-line key management tool; it writes the same JKS keystore files that keytool and iKeyman manage.
To create the infrastructure, complete the following tasks:
- Creating a keystore file or a truststore
- Creating a self-signed certificate for test use
- Importing a certificate for production use
- Viewing details of a certificate
- Extracting a certificate
- Adding a signer certificate to the truststore
- Listing all certificates in a keystore
- Configuring PKI at broker level
- Configuring PKI for the broker-wide HTTP listener
- Configuring PKI at an integration server level
1. Creating a keystore file or a truststore:
runmqckm -keydb -create -db "C:\Program Files\IBM\IIB\10.0.0.12\ibkeystore.jks" -pw ibpass -type jks
runmqckm -keydb -create -db "C:\Program Files\IBM\IIB\10.0.0.12\ibtruststore.jks" -pw ibpass -type jks
The keystore holds the broker's own private key and certificate; the truststore holds the signer certificates of the parties the broker must trust. A password passed with -pw is recorded in the command history, so do not reuse a production password in these test commands.
2. Creating a self-signed certificate for test use
runmqckm -cert -create -db "C:\Program Files\IBM\IIB\10.0.0.12\ibkeystore.jks" -pw ibpass -label ibcert -dn "CN=IIB.ABC.com, O=ABC, OU=IIB, L=Vizag, C=IN"
Set the CN to the host name that clients will use to reach the listener: a client that verifies the host name rejects a certificate whose CN (or subject alternative name) does not match it. A self-signed certificate is for test only; for production, import a certificate signed by a CA that your clients trust.
3. Viewing details of a certificate
runmqckm -cert -details -db ibkeystore.jks -pw ibpass -label ibcert
4. Extracting a certificate
Certificates can be extracted in two formats:
- Base64-encoded ASCII data (.arm). This format is convenient for inclusion in XML messages, and transmission over the Internet.
- Binary DER data (.der).
runmqckm -cert -extract -db ibkeystore.jks -pw ibpass -label ibcert -target ibcert.arm -format ascii
5. Adding a signer certificate to the truststore
Every certificate in the truststore is accepted as a trust anchor, so add only the signers you intend to trust. In this test setup the extracted self-signed certificate is added so that a client using the same truststore accepts the listener; when client authentication (clientAuth) is enabled, the signer of the client certificates must be in the truststore as well.
runmqckm -cert -add -db ibtruststore.jks -pw ibpass -label ibcert -file ibcert.arm -format ascii
runmqckm -cert -details -db ibtruststore.jks -pw ibpass -label ibcert
6. Listing all certificates in a keystore
runmqckm -cert -list -db ibtruststore.jks -pw ibpass
---------------------------------------------------
7. Configuring PKI at broker level
Define the broker registry properties that identify the location, name, and password of the keystore and truststore files.
These settings are used as the default settings for the broker-wide HTTP listener and all embedded HTTP listeners in integration servers on the broker.
1. Start the broker:
mqsistart IBD01
2. Display the current settings of the broker registry properties:
mqsireportproperties IBD01 -o BrokerRegistry -r
C:\Program Files\IBM\IIB\10.0.0.12\tools>mqsireportproperties IBD01 -o BrokerRegistry -r
BrokerRegistry
uuid='BrokerRegistry'
brokerKeystoreType='JKS'
brokerKeystoreFile=''
brokerKeystorePass='brokerKeystore::password'
brokerTruststoreType='JKS'
brokerTruststoreFile=''
brokerTruststorePass='brokerTruststore::password'
brokerCRLFileList=''
httpConnectorPortRange=''
httpsConnectorPortRange=''
brokerKerberosConfigFile=''
brokerKerberosKeytabFile=''
allowSSLv3=''
allowSNI=''
reenableTransportAlgorithms=''
reenableCertificateAlgorithms=''
mqCCDT=''
modeExtensions=''
operationMode='advanced'
adminMessageLogging=''
productFunctionality=''
mqKeyRepository=''
dataCapturePolicyUri='/apiv1/policy/DataCapture/default'
shortDesc=''
longDesc=''
BIP8071I: Successful command completion.
3. Set the keystore property:
mqsichangeproperties IBD01 -o BrokerRegistry -n brokerKeystoreFile -v "C:\Program Files\IBM\IIB\10.0.0.12\ibkeystore.jks"
C:\Program Files\IBM\IIB\10.0.0.12\tools>mqsichangeproperties IBD01 -o BrokerRegistry -n brokerKeystoreFile -v "C:\Program Files\IBM\IIB\10.0.0.12\ibkeystore.jks"
BIP8071I: Successful command completion.
4. Set the truststore property:
mqsichangeproperties IBD01 -o BrokerRegistry -n brokerTruststoreFile -v "C:\Program Files\IBM\IIB\10.0.0.12\ibtruststore.jks"
C:\Program Files\IBM\IIB\10.0.0.12\tools>mqsichangeproperties IBD01 -o BrokerRegistry -n brokerTruststoreFile -v "C:\Program Files\IBM\IIB\10.0.0.12\ibtruststore.jks"
BIP8071I: Successful command completion.
5. Stop the broker before setting the passwords:
mqsistop IBD01
6. Set the password for the keystore. The -n value must match the brokerKeystorePass key shown in the registry output (brokerKeystore::password), and the -p value is the password that was given to runmqckm -pw when the keystore was created:
mqsisetdbparms IBD01 -n brokerKeystore::password -u ignore -p ibpass
7. Set the password for the truststore in the same way, using the brokerTruststorePass key:
mqsisetdbparms IBD01 -n brokerTruststore::password -u ignore -p ibpass
8. Start the broker:
mqsistart IBD01
9. Display and verify the broker registry properties:
mqsireportproperties IBD01 -o BrokerRegistry -r
C:\Program Files\IBM\IIB\10.0.0.12\tools>mqsireportproperties IBD01 -o BrokerRegistry -r
BrokerRegistry
uuid='BrokerRegistry'
brokerKeystoreType='JKS'
brokerKeystoreFile='C:\Program Files\IBM\IIB\10.0.0.12\ibkeystore.jks'
brokerKeystorePass='brokerKeystore::password'
brokerTruststoreType='JKS'
brokerTruststoreFile='C:\Program Files\IBM\IIB\10.0.0.12\ibtruststore.jks'
brokerTruststorePass='brokerTruststore::password'
brokerCRLFileList=''
httpConnectorPortRange=''
httpsConnectorPortRange=''
brokerKerberosConfigFile=''
brokerKerberosKeytabFile=''
allowSSLv3=''
allowSNI=''
reenableTransportAlgorithms=''
reenableCertificateAlgorithms=''
mqCCDT=''
modeExtensions=''
operationMode='advanced'
adminMessageLogging=''
productFunctionality=''
mqKeyRepository=''
dataCapturePolicyUri='/apiv1/policy/DataCapture/default'
shortDesc=''
longDesc=''
BIP8071I: Successful command completion.
8. Configuring PKI for the broker-wide HTTP listener
Define the properties for the broker-wide HTTP listener to identify the location, name, and password of the keystore and truststore files.
These settings override any PKI configuration that is set at the broker level.
If you enable SSL on the broker-wide HTTP listener but do not set the following properties, then the broker-level settings are applied.
1. Start the broker.
mqsistart IBD01
2. Display the current settings of the broker-wide listener properties.
mqsireportproperties IBD01 -b httplistener -o HTTPSConnector -a
3. Set the keystore property.
mqsichangeproperties IBD01 -b httplistener -o HTTPSConnector -n keystoreFile -v "C:\Program Files\IBM\IIB\10.0.0.12\ibkeystore.jks"
4. Set the truststore property.
mqsichangeproperties IBD01 -b httplistener -o HTTPSConnector -n truststoreFile -v "C:\Program Files\IBM\IIB\10.0.0.12\ibtruststore.jks"
5. Set the password for the keystore.
mqsichangeproperties IBD01 -b httplistener -o HTTPSConnector -n keystorePass -v ibpass
6. Set the password for the truststore.
mqsichangeproperties IBD01 -b httplistener -o HTTPSConnector -n truststorePass -v ibpass
7. Display and verify the broker-wide listener properties.
mqsireportproperties IBD01 -b httplistener -o HTTPSConnector -a
9. Configuring PKI at an integration server level
Define the ComIbmJVMManager properties for the required integration server to identify the location, name, and password of the keystore and truststore files.
These settings override any PKI configuration that is set at the broker level.
If you enable SSL on an embedded HTTP listener but do not set the following properties, then the broker-level settings are applied.
1. Start the broker.
mqsistart IBD01
2. Display the current settings of the ComIbmJVMManager properties.
mqsireportproperties IBD01 -e Test -o ComIbmJVMManager -r
3. Set the keystore property, where keystore_file is the full path of the keystore (for example, the ibkeystore.jks created earlier):
mqsichangeproperties IBD01 -e Test -o ComIbmJVMManager -n keystoreFile -v keystore_file
4. Set the keystore password key property. The value for this property is in the format any_prefix_name::password. This value is used to correlate the password that is defined in the mqsisetdbparms command.
mqsichangeproperties IBD01 -e Test -o ComIbmJVMManager -n keystorePass -v TestKeystore::password
5. Set the truststore property, where truststore_file is the full path of the truststore:
mqsichangeproperties IBD01 -e Test -o ComIbmJVMManager -n truststoreFile -v truststore_file
6. Set the truststore password key property. The value for this property is in the format any_prefix_name::password. This value is used to correlate the password that is defined in the mqsisetdbparms command.
mqsichangeproperties IBD01 -e Test -o ComIbmJVMManager -n truststorePass -v TestTruststore::password
7. Stop the broker.
mqsistop IBD01
8. Set the password for the keystore, where keystore_pass is the password that was given to runmqckm -pw when the keystore was created:
mqsisetdbparms IBD01 -n TestKeystore::password -u ignore -p keystore_pass
9. Set the password for the truststore in the same way:
mqsisetdbparms IBD01 -n TestTruststore::password -u ignore -p truststore_pass
10. Start the broker.
mqsistart IBD01
11. Display and verify the ComIbmJVMManager properties.
mqsireportproperties IBD01 -e Test -o ComIbmJVMManager -r
***********************************************************
2. Configuring the broker or integration server to use SSL
Configuring the broker to use SSL
Complete the following steps:
1. Turn on SSL support in the broker-wide HTTP listener by setting enableSSLConnector to true:
mqsichangeproperties IBD01 -b httplistener -o HTTPListener -n enableSSLConnector -v true
Then report the listener properties to verify the change. The capture below still shows the default value false; after the change the report must show enableSSLConnector='true'.
C:\Program Files\IBM\IIB\10.0.0.12\tools>mqsireportproperties IBD01 -b httplistener -o HTTPListener -a
HTTPListener
uuid='HTTPListener'
enableSSLConnector='false'
threadPoolSize=''
traceOverrideLevel=''
traceOverrideSize=''
traceLevel='none'
traceSize=''
javaDebugPort=''
allowSSLv3=''
startListener='true'
BIP8071I: Successful command completion.
2. Optional: If you do not want to use the default port 7083 for HTTPS messages, specify the port on which the broker listens:
mqsichangeproperties IBD01 -b httplistener -o HTTPSConnector -n port -v Port
On UNIX systems, only processes that run under a privileged user account (in most cases, root) can bind to ports lower than 1024.
For the broker to listen on these ports, the user ID under which the broker is started must be root.
3. Optional: Enable Client Authentication (mutual authentication). With clientAuth set to true, the listener rejects any client that does not present a certificate issued by a signer in the truststore:
mqsichangeproperties IBD01 -b httplistener -o HTTPSConnector -n clientAuth -v true
4. Restart the broker after changing one or more of the HTTP listener properties.
5. Optional: Use the following commands to display HTTP listener properties:
mqsireportproperties IBD01 -b httplistener -o AllReportableEntityNames -a
mqsireportproperties IBD01 -b httplistener -o HTTPListener -a
mqsireportproperties IBD01 -b httplistener -o HTTPSConnector -a
Configuring an integration server to use SSL
Complete the following steps:
1. Optional: Specify a specific port on which the integration server listens for HTTPS requests, or leave the value unset to use the next available port number.
mqsichangeproperties IBD01 -e Test -o HTTPSConnector -n explicitlySetPortNumber -v port_number
On UNIX systems, only processes that run under a privileged user account (in most cases, root) can bind to ports lower than 1024. For the integration server to listen on these ports, the user ID under which the broker is started must be root.
If you do not complete this step, the first available port in the default range (7843 - 7884) is used.
2. Optional: Enable Client Authentication (mutual authentication):
mqsichangeproperties IBD01 -e Test -o HTTPSConnector -n clientAuth -v true
3. Optional: Change the SSL protocol. The default protocol for the integration server's HTTPS connections is TLS, and you should leave it there: SSLv3 is obsolete and has known attacks (POODLE), and the allowSSLv3 registry property shown earlier additionally controls whether the broker accepts it at all. Only if a legacy client genuinely requires SSL, run the following command to change it:
mqsichangeproperties IBD01 -e Test -o HTTPSConnector -n sslProtocol -v SSL
4. Restart the broker after changing one or more of the listener properties.
5. Optional: Use the following command to display HTTPS properties:
mqsireportproperties IBD01 -e Test -o HTTPSConnector -r
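The last of the four steps listed at the top is testing the configuration. The following Python script is an added example, not code from the original post or from IBM: it performs a TLS handshake with an HTTPS listener configured as above, verifies the server certificate against the ibcert.arm file extracted with runmqckm, can present a client certificate for a listener that has clientAuth set to true, and reports findings such as a downgraded protocol, a weak cipher suite, a CN that does not match the host, or a self-signed certificate. It assumes the listener answers at IIB.ABC.com (the CN used above) on port 7083 (the broker-wide default); the weak-protocol and weak-cipher lists are this example's own policy, not IIB settings.

```python
"""Probe an IIB HTTPS listener and check the handshake against a policy.

Added example, not from the original post. Assumed (not on the page):
the listener answers at IIB.ABC.com:7083, ibcert.arm is the certificate
extracted with runmqckm above, and the policy sets below are this
example's own choices.
"""
import socket
import ssl
import sys

# Protocol versions reported as findings (constructed policy; the names
# match what ssl.SSLSocket.version() returns).
WEAK_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
# Substrings of OpenSSL cipher-suite names that mark a weak suite.
WEAK_CIPHER_MARKERS = ("NULL", "EXPORT", "RC4", "DES", "MD5", "anon")


def subject_cn(cert):
    """Return the commonName from a getpeercert() dict, or None."""
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return None


def assess_handshake(protocol, cipher, cert, expected_cn, allow_self_signed=False):
    """Return a list of policy findings; an empty list means acceptable."""
    findings = []
    if protocol in WEAK_PROTOCOLS:
        findings.append(f"negotiated {protocol}; require TLSv1.2 or later")
    if any(marker in cipher for marker in WEAK_CIPHER_MARKERS):
        findings.append(f"weak cipher suite {cipher}")
    cn = subject_cn(cert)
    if cn != expected_cn:
        findings.append(f"certificate CN {cn!r} does not match expected {expected_cn!r}")
    # subject == issuer is how a self-signed certificate shows up in the dict.
    if not allow_self_signed and cert.get("subject") == cert.get("issuer"):
        findings.append("certificate is self-signed; acceptable for test only")
    if not cert.get("subjectAltName"):
        findings.append("certificate has no subjectAltName; modern browsers ignore a bare CN")
    return findings


def probe(host, port, ca_file, expected_cn=None, client_cert=None,
          client_key=None, allow_self_signed=False):
    """Handshake with the listener, verify its certificate against ca_file,
    and return (protocol, cipher, findings).

    client_cert/client_key are needed only for a listener configured with
    clientAuth=true; without them such a listener aborts the handshake,
    which is itself a useful confirmation that clientAuth took effect.
    """
    expected_cn = expected_cn or host
    ctx = ssl.create_default_context(cafile=ca_file)
    # Accept old versions so a downgraded listener is reported, not refused.
    ctx.minimum_version = ssl.TLSVersion.TLSv1
    if client_cert:
        ctx.load_cert_chain(client_cert, client_key)
    with socket.create_connection((host, port), timeout=5) as sock:
        # server_hostname drives host-name verification against the CN/SAN.
        with ctx.wrap_socket(sock, server_hostname=expected_cn) as tls:
            protocol = tls.version()
            cipher = tls.cipher()[0]
            cert = tls.getpeercert()
    findings = assess_handshake(protocol, cipher, cert, expected_cn,
                                allow_self_signed)
    return protocol, cipher, findings


if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else "IIB.ABC.com"
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 7083
    proto, suite, problems = probe(host, port, "ibcert.arm",
                                   expected_cn="IIB.ABC.com",
                                   allow_self_signed=True)
    print(f"negotiated {proto} with {suite}")
    for problem in problems:
        print("FINDING:", problem)
    sys.exit(1 if problems else 0)
```

Run it from a machine that holds the extracted ibcert.arm, passing the host and port of the listener (7083 for the broker-wide listener, or the port reported for the integration server's HTTPSConnector). Against the test setup on this page the self-signed finding is suppressed with allow_self_signed, but the missing subjectAltName is still reported, which is the reminder that the test certificate must be replaced before clients other than your own tooling are pointed at the listener. If the listener was configured with clientAuth=true and no client_cert is given, the handshake fails with an SSL error rather than returning findings; that failure is the expected result and confirms the setting took effect.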