IBM Integration Bus, Version 9.0.0.8 Operating Systems: AIX, HP-Itanium, Linux, Solaris, Windows, z/OS

See information about the latest product version

Enabling SSL for external WebSphere eXtreme Scale grids

Enable SSL for an external WebSphere® eXtreme Scale grid by setting up a public key infrastructure, then enabling SSL on the integration server.

Before you start:

Read the concept information in WebSphere eXtreme Scale grids and Public key cryptography.

You can enable SSL for client connections to external WebSphere eXtreme Scale grids. You cannot enable SSL for servers in the embedded global cache.

To enable SSL communication, configure the keystore, truststore, passwords, and certificates. To enable server authentication, import the public certificate from the WebSphere eXtreme Scale server into the broker or integration server truststore. If the server requires client authentication, you must also create a private key in the broker or integration server keystore that the WebSphere eXtreme Scale server trusts.

You then set properties on the integration server to enable SSL and specify the required protocol. You can also nominate a particular key to use if you have more than one. SSL connections can be made only from integration servers that are not hosting catalog or container servers.

The following steps describe how to enable SSL for an external WebSphere eXtreme Scale grid.

  1. Set up a public key infrastructure by following the instructions in Setting up a public key infrastructure. You can set up the public key infrastructure at broker or integration server level.

    Connections to external WebSphere eXtreme Scale grids cannot implicitly use public certificates that are located in the JVM cacerts file.

  2. To ensure that you are enabling SSL on an integration server that does not host a catalog or container server, use one of these methods:
    • Set the broker-level policy to none to specify roles for the integration servers manually. For example, to ensure that an integration server does not host a catalog or container server, run the following mqsichangeproperties command:
      mqsichangeproperties broker_name -e execution_group_1 -o ComIbmCacheManager -n enableCatalogService,enableContainerService -v false,false
    • Set the broker-level policy to disabled to switch off the embedded global cache and ensure that no integration servers are hosting WebSphere eXtreme Scale server components.
    To set the broker-level policy, use one of the following methods:
    • From the command line, run the following command, setting the -b parameter to none or disabled:
      mqsichangebroker brokerName -b none
    • From the IBM® Integration Explorer, right-click the appropriate broker, click Properties, then Global Cache, then set the cache policy to none or disabled.
  3. Optional: If you set the broker-level policy to none, check that the enableCatalogService and enableContainerService properties are set to false for each integration server for which you are enabling SSL.
    Use one of the following methods:
    • From the command line, run the following command, then check that both properties are set to false:
      mqsireportproperties brokerName -e integrationServerName -o ComIbmCacheManager -r
    • From the IBM Integration Explorer, select the properties for each integration server, then select Global Cache. Confirm that the Catalog server enabled and Container Server enabled properties are not selected.
  4. To enable SSL, set the following properties on the appropriate integration server:
    • To enable SSL, set clientsDefaultToSSL to true.
    • To specify an SSL protocol, set sslProtocol to a value that is recognized by the IBM JSSE2 security provider.
    • If the external grid requires client authentication and you have more than one trusted private key in the broker keystore, set sslAlias to the appropriate key.
    For more information about these properties, see Parameter values for the cachemanager component.
    To set these properties on the integration server, use one of the following methods:
    • From the command line, run the mqsichangeproperties command, as shown in the following example:
      mqsichangeproperties broker_name -e execution_group_1 -o ComIbmCacheManager 
-n clientsDefaultToSSL,sslProtocol,sslAlias -v true,SSL_TLS,ProdKey
    • From the IBM Integration Explorer, select the properties for each integration server, then select Global Cache. Select clientsDefaultToSSL and, if required, set the SSL protocol and SSL key alias.
  5. Restart the integration server. For more information, see mqsireload command.
  6. Connect to the WebSphere eXtreme Scale grid by following the instructions in Connecting to a WebSphere eXtreme Scale grid.

Keystore, truststore, and protocol settings are verified the first time that a connection is made from the integration server (either to the embedded grid, or for the first remote connection). Errors in the configuration are reported as a warning, and SSL connections are then prohibited. For example, a warning is issued if a keystore file is not found, the file is corrupted, or the keystore password is incorrect.

If you enable SSL and try to connect from an integration server that hosts WebSphere eXtreme Scale server components, the connection fails with a detailed exception message, BIP7144, which explains why the connection failed. If an SSL handshake exception occurs, the message flow fails and the exception message BIP7147 is issued.

Related concepts:
Public key cryptography
WebSphere eXtreme Scale grids
IBM Integration Explorer
Related tasks:
Setting up a public key infrastructure
Connecting to a WebSphere eXtreme Scale grid
Configuring the embedded global cache
Related reference:
Parameter values for the cachemanager component
mqsichangebroker command
mqsichangeproperties command
mqsireportproperties command
bc23797_.htm | Last updated Friday, 21 July 2017