IBM Integration Bus, Version 9.0.0.8 Operating Systems: AIX, HP-Itanium, Linux, Solaris, Windows, z/OS


Configuring the broker to use SSL with JMS nodes

Configure your broker to work with a JMS provider that supports JMS clients that can connect by using the Secure Sockets Layer (SSL) protocol.

Before you start: Create a keystore file to store the broker's certificates; see Setting up a public key infrastructure.

The JMS 1.1 Specification states that JMS does not provide features for controlling or configuring message integrity or message privacy. JMS providers typically support these additional features, and provide their own administration tools to configure these services. Clients can get the appropriate security configuration as part of the administered objects that they use.

If you want to apply SSL security to the JMS connections created by the three built-in nodes JMSInput, JMSOutput, and JMSReply, check the documentation supplied by your chosen JMS provider. The configuration of the JNDI administered objects that are used by the JMS nodes is specific to each JMS provider.

The three built-in nodes JMSInput, JMSOutput, and JMSReply are referred to in this topic by the generic term JMS nodes; apply the information and instructions here to the specific type of node that you are using.

One example of a JMS provider that provides SSL support for connecting JMS clients is TIBCO Enterprise Message Service (EMS). The following sections describe the authentication model used for JMS nodes, with specific reference to TIBCO EMS, and provide information about how to connect JMS nodes to a TIBCO EMS JMS Server securely by using SSL:

  1. SSL authentication model for the JMS nodes
  2. Configuring your JMS nodes to use SSL-enabled JNDI administered objects

SSL authentication model for the JMS nodes

The JMS provider TIBCO EMS supports Java™ clients that can use either the Java Secure Sockets Extension (JSSE) Java package, or an SSL implementation supplied by Entrust. For details about the services provided, see the documentation provided with your chosen package.

TIBCO EMS supports a number of different authentication scenarios, but JMS nodes can use only client authentication to the server. In this scenario, the TIBCO EMS server requests the client's digital certificate during an SSL handshake, and checks its issuer against the server's list of trusted Certificate Authorities. If the authority is not in the server's list, further communication with the JMS node is prevented.

Therefore, you must configure the EMS server to explicitly enable client authentication of the SSL certificates in its configuration file; configure the JNDI administered SSL JMS connection factories for the same level of support.

Configuring your JMS nodes to use SSL-enabled JNDI administered objects

The JMS nodes use JNDI to look up a connection factory object that is used to create JMS connections to a TIBCO EMS server.

  1. Configure the JMS node property Connection factory name to specify a pre-configured connection factory that is enabled for SSL connectivity.

    Make sure that you have set the appropriate parameters in the corresponding SSL JMS connection factory definition:

    • Enable client authentication
    • Specify the SSL protocol in the server URL
    • Set other parameters to define the support you require.
    See the provider's documentation for information about how to generate this JNDI administered object.
  2. Configure the JMS node property Location JNDI Bindings with the URL that points to the JNDI bindings containing the JNDI administered objects for SSL connectivity.

    For TIBCO EMS, this URL takes the following format:

    tibjmsnaming://server_name:ssl_port
    • server_name is the host name of the computer where the server is installed.
    • ssl_port is the server port for SSL connectivity; typically, this is port 7243 for a TIBCO EMS server.
  3. Make the TIBCO EMS client JAR files available to the broker to which you deploy the message flow that includes your JMS nodes. Use the mqsicreateconfigurableservice or the mqsichangeproperties command to set the JMSProviders configurable service property jarsURL to point to the directory that contains the JMS provider's client JAR files and the SSL vendor's JAR files.

    If you are using JSSE for the SSL support, the following JAR files are typically located in the jarsURL directory:

    • jsse.jar
    • net.jar
    • jcert.jar
    • tibcrypt.jar
    You can find standard non-SSL client JAR files in the same location.
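
A pre-deployment check for steps 2 and 3, as an added example that is not part of the IBM or TIBCO documentation: it validates a Location JNDI Bindings value against the tibjmsnaming://server_name:ssl_port format and reports which of the JSSE JAR files listed above are absent from the jarsURL directory. The function names, host name, port 7222 and directory contents are constructed for illustration.

```python
import tempfile
from pathlib import Path
from urllib.parse import urlsplit

# JAR files this page lists for JSSE-based SSL support.
JSSE_JARS = ("jsse.jar", "net.jar", "jcert.jar", "tibcrypt.jar")
TYPICAL_SSL_PORT = 7243  # typical TIBCO EMS SSL port, per this page


def check_bindings_url(url):
    """Return a list of problems found in a Location JNDI Bindings value."""
    problems = []
    parts = urlsplit(url)
    if parts.scheme != "tibjmsnaming":
        problems.append(f"scheme is {parts.scheme!r}, expected 'tibjmsnaming'")
    if not parts.hostname:
        problems.append("server_name is missing")
    try:
        port = parts.port  # raises ValueError if not a number in 0-65535
    except ValueError:
        problems.append("ssl_port is not a valid port number")
        return problems
    if port is None:
        problems.append("ssl_port is missing")
    elif port != TYPICAL_SSL_PORT:
        # Not necessarily wrong, but worth confirming before deployment.
        problems.append(f"port {port} is not the typical SSL port "
                        f"{TYPICAL_SSL_PORT}; confirm it is the SSL listener")
    return problems


def missing_jars(jars_dir, required=JSSE_JARS):
    """Return the required JAR names absent from the jarsURL directory."""
    present = {p.name for p in Path(jars_dir).iterdir() if p.is_file()}
    return [name for name in required if name not in present]


def demo():
    """Run both checks against constructed sample values."""
    with tempfile.TemporaryDirectory() as jars_dir:
        for name in ("jsse.jar", "net.jar"):  # constructed, incomplete set
            (Path(jars_dir) / name).touch()
        return {
            "ssl_url": check_bindings_url("tibjmsnaming://emshost.example:7243"),
            "other_port": check_bindings_url("tibjmsnaming://emshost.example:7222"),
            "missing": missing_jars(jars_dir),
        }


if __name__ == "__main__":
    for check, result in demo().items():
        print(check, result)
```

An empty list from either function means that check found nothing to fix; neither function contacts the server, so the SSL handshake and client authentication still need to be confirmed against the EMS server itself.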

ap12237_.htm | Last updated Friday, 21 July 2017