IBM Integration Bus, Version 9.0.0.8 Operating Systems: AIX, HP-Itanium, Linux, Solaris, Windows, z/OS

Configuring HTTPInput and HTTPReply nodes to use SSL (HTTPS)

Configure the HTTPInput and HTTPReply nodes to communicate with other applications that use HTTPS by creating a keystore file, configuring the broker or integration server to use SSL, and creating a message flow to process HTTPS requests.

Before you start: Set up a public key infrastructure (PKI) at broker level by following the instructions in Setting up a public key infrastructure.

Follow these steps to configure the HTTPInput and HTTPReply nodes to communicate with other applications using HTTP over SSL:

  1. If you are using the broker listener: Configure the broker to use SSL
  2. If you are using the integration server listener: Configure the integration server to use SSL
  3. Create a message flow
  4. Test your configuration

If you have configured your broker and integration servers such that the broker listener is used for some integration servers, and the integration server listener for other integration servers, you must complete step 1 for the first set of integration servers and step 2 for each integration server in the second set.

For information about which listener to use for HTTPS messages, see HTTP listeners.

Configuring the broker to use SSL

Complete the following steps:

  1. Turn on SSL support in the broker by setting enableSSLConnector to true:
    mqsichangeproperties broker_name
      -b httplistener -o HTTPListener
      -n enableSSLConnector -v true
  2. Optional: If you do not want to use the default port 7083 for HTTPS messages, specify the port on which the broker listens:
    mqsichangeproperties broker_name
      -b httplistener -o HTTPSConnector
      -n port -v port_number

    On UNIX systems, only processes that run under a privileged user account (in most cases, root) can bind to ports lower than 1024.

    For the broker to listen on these ports, the user ID under which the broker is started must be root.
  3. Optional: Enable Client Authentication (mutual authentication):
    mqsichangeproperties broker_name -b httplistener -o HTTPSConnector
      -n clientAuth -v true
  4. Restart the broker after changing one or more of the HTTP listener properties.
  5. Optional: Use the following commands to display HTTP listener properties:
    mqsireportproperties broker_name -b httplistener -o AllReportableEntityNames -a
    mqsireportproperties broker_name -b httplistener -o HTTPListener -a
    mqsireportproperties broker_name -b httplistener -o HTTPSConnector -a

Configuring an integration server to use SSL

Complete the following steps:

  1. Optional: Specify the port on which the integration server listens for HTTPS requests, or leave the value unset so that the next available port number is used:
    mqsichangeproperties broker_name
      -e integration_server_name -o HTTPSConnector
      -n explicitlySetPortNumber -v port_number
    On UNIX systems, only processes that run under a privileged user account (in most cases, root) can bind to ports lower than 1024. For the integration server to listen on these ports, the user ID under which the broker is started must be root.

    If you do not complete this step, the first available port in the default range (7843 - 7884) is used.

  2. Optional: Enable Client Authentication (mutual authentication):
    mqsichangeproperties broker_name
      -e integration_server_name -o HTTPSConnector
      -n clientAuth -v true 
  3. Optional: Change the SSL protocol. The default protocol for the integration server's HTTPS connections is TLS. Run the following command to change it to SSL:
    mqsichangeproperties broker_name
      -e integration_server_name -o HTTPSConnector
      -n sslProtocol -v SSL
  4. Restart the broker after changing one or more of the listener properties.
  5. Optional: Use the following command to display HTTPS properties:
    mqsireportproperties broker_name
      -e integration_server_name -o HTTPSConnector -r

Creating a message flow to process HTTPS requests

You can create a simple message flow to use HTTPS by connecting an HTTPInput node to an HTTPReply node. The two most important properties to set on the HTTPInput node are:

  • Path suffix for URL; for example, /* or /testHTTPS.
  • Use HTTPS.

/* means that the HTTPInput node matches against any request that is sent to the HTTP listener on a designated port. This option is useful for testing purposes, but is not suitable for production systems.

You can now deploy the message flow to the broker. If you have completed all the documented steps, message BIP3132 is written to the local system log (on Windows, the event log), stating that the HTTPS listener has been started.

You can now test the system.

Testing your configuration

The simplest method of testing whether HTTPS is configured correctly is to use a Web browser to make a request to the broker over HTTPS.

Start a Web browser and enter the following URL:
 https://localhost:7083/testHTTPS
Change values in the URL to reflect the changes that you have made in your broker configuration; for example, the port number. When a window is displayed asking you to accept the certificate, select Yes. The browser refreshes the window and displays an empty HTML page:
  • In Mozilla browsers, the empty HTML page looks like the following example:
    <html>   
      <body/> 
    </html>
  • In Internet Explorer, the following information is displayed:
    XML document must have a top level element. Error processing resource
    'https://localhost:7083/testHTTPS'

These responses mean that a blank page was returned, indicating that the setup worked correctly. To add content to the empty page, you can add a Compute node to the flow.
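The browser test above accepts the listener's certificate by hand; the following added example (not IBM's code, and not part of this page) performs the same check from a script that trusts only the certificate exported from the listener keystore, reports the negotiated protocol so a listener changed to sslProtocol SSL or left with clientAuth=true is noticed, and recognizes the blank page described above. The host, port and path come from the page's test URL; broker-cert.pem is an assumed export path.

```python
"""Added example (not IBM's code): check an IIB HTTPS listener after the steps above.
Assumes broker-cert.pem was exported from the listener keystore with keytool (placeholder)."""
import socket
import ssl

EXPECTED_EMPTY_PAGE = "<html><body/></html>"  # blank page the HTTPInput->HTTPReply flow returns


def parse_http_response(data: bytes):
    """Split a raw HTTP/1.x reply into (status code, body text)."""
    head, _, body = data.partition(b"\r\n\r\n")
    status = int(head.split(b" ")[1])
    return status, body.decode("utf-8", errors="replace")


def is_empty_test_page(body: str) -> bool:
    """True when the body is the blank page shown under 'Testing your configuration'."""
    return "".join(body.split()) == EXPECTED_EMPTY_PAGE


def protocol_is_acceptable(version: str) -> bool:
    """Reject SSLv2/SSLv3 (what 'sslProtocol SSL' selects) and the retired TLS 1.0/1.1."""
    return version in ("TLSv1.2", "TLSv1.3")


def make_context(ca_file, client_cert=None, client_key=None):
    """Trust only the exported broker certificate; add a client cert when clientAuth=true."""
    ctx = ssl.create_default_context(cafile=ca_file)  # hostname and chain checks stay on
    if client_cert:
        ctx.load_cert_chain(client_cert, client_key)
    return ctx


def probe(host, port, path, ctx):
    """Send one GET over TLS; return (status, negotiated protocol, body)."""
    with socket.create_connection((host, port), timeout=10) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            version = tls.version()
            tls.sendall(f"GET {path} HTTP/1.0\r\nHost: {host}\r\n\r\n".encode())
            data = b""
            while chunk := tls.recv(4096):
                data += chunk
    status, body = parse_http_response(data)
    return status, version, body


if __name__ == "__main__":
    ctx = make_context("broker-cert.pem")  # assumed keytool export path
    try:  # a handshake error here means e.g. sslProtocol SSL, or clientAuth without a client cert
        status, version, body = probe("localhost", 7083, "/testHTTPS", ctx)
    except ssl.SSLError as exc:
        raise SystemExit(f"handshake failed: {exc}")
    print(f"HTTP {status} via {version}: blank page={is_empty_test_page(body)},"
          f" protocol ok={protocol_is_acceptable(version)}")
```

For a listener with clientAuth set to true, pass the client certificate and key to make_context; the same probe without them should fail the handshake, which confirms that mutual authentication is enforced.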

You can also use another HTTPS client, such as a Java™ or .NET client, instead of the Web browser. Depending on the type of client, you might need to export the certificate (which was created with keytool) from the keystore file that is associated with the HTTP listener, and import it into the client's keystore. Read the client documentation to find out how to configure the client to make connections over SSL.


ap12234_.htm | Last updated Friday, 21 July 2017