Enabling SSL for external WebSphere eXtreme Scale grids

Enable SSL for an external WebSphere® eXtreme Scale grid by setting up a public key infrastructure, then enabling SSL on the integration server.

Before you begin

Read the concept information in WebSphere eXtreme Scale grids and Public key cryptography.

About this task

You can enable SSL for client connections to external WebSphere eXtreme Scale grids. You cannot enable SSL for servers in the embedded global cache.

To enable SSL communication, configure the keystore, truststore, passwords, and certificates. To enable server authentication, import the public certificate from the WebSphere eXtreme Scale server into the integration node or integration server truststore. If the server requires client authentication, you must also create a private key in the integration node or integration server keystore that the WebSphere eXtreme Scale server trusts.

You then set properties on the integration server to enable SSL and specify the required protocol. You can also nominate a particular key to use if you have more than one. SSL connections can be made only from integration servers that are not hosting catalog or container servers.

The following steps describe how to enable SSL for an external WebSphere eXtreme Scale grid.

Procedure

  1. Set up a public key infrastructure by following the instructions in Setting up a public key infrastructure.
    You can set up the public key infrastructure at integration node or integration server level.

    Connections to external WebSphere eXtreme Scale grids cannot implicitly use public certificates that are located in the JVM cacerts file.

  2. To ensure that you are enabling SSL on an integration server that does not host a catalog or container server, use one of these methods:
    • Set the integration node-level policy to none to specify roles for the integration servers manually. For example, to ensure that an integration server does not host a catalog or container server, run the following mqsichangeproperties command:
      mqsichangeproperties integrationNodeName -e execution_group_1 -o ComIbmCacheManager -n enableCatalogService,enableContainerService -v false,false
    • Set the integration node-level policy to disabled to switch off the embedded global cache and ensure that no integration servers are hosting WebSphere eXtreme Scale server components.
    To set the integration node-level policy, use the following method.
    • From the command line, run the following command, setting the -b parameter to none or disabled:
      mqsichangebroker integrationNodeName -b none
  3. Optional: If you set the integration node-level policy to none, check that the enableCatalogService and enableContainerService properties are set to false for each integration server for which you are enabling SSL.
    Use the following method.
    • From the command line, run the following command, then check that both properties are set to false:
      mqsireportproperties integrationNodeName -e integrationServerName -o ComIbmCacheManager -r
  4. To enable SSL, set the following properties on the appropriate integration server:
    • To enable SSL, set clientsDefaultToSSL to true.
    • To specify an SSL protocol, set sslProtocol to a value that is recognized by the IBM® JSSE2 security provider.
    • If the external grid requires client authentication and you have more than one trusted private key in the integration node keystore, set sslAlias to the appropriate key.
    For more information about these properties, see Parameter values for the cachemanager component.
    To set these properties on the integration server, use the following method.
    • From the command line, run the mqsichangeproperties command, as shown in the following example:
      mqsichangeproperties integrationNodeName -e execution_group_1 -o ComIbmCacheManager 
-n clientsDefaultToSSL,sslProtocol,sslAlias -v true,SSL_TLS,ProdKey
  5. Restart the integration server.
    For more information, see mqsireload command.
  6. Connect to the WebSphere eXtreme Scale grid by following the instructions in Connecting to a WebSphere eXtreme Scale grid.

Results

Keystore, truststore, and protocol settings are verified the first time that a connection is made from the integration server (either to the embedded grid, or for the first remote connection). Errors in the configuration are reported as a warning, and SSL connections are then prohibited. For example, a warning is issued if a keystore file is not found, the file is corrupted, or the keystore password is incorrect.

If you enable SSL and try to connect from an integration server that hosts WebSphere eXtreme Scale server components, the connection fails with a detailed exception message, BIP7144, which explains why the connection failed. If an SSL handshake exception occurs, the message flow fails and the exception message BIP7147 is issued.