IBM Integration Bus, Version 9.0.0.8 Operating Systems: AIX, HP-Itanium, Linux, Solaris, Windows, z/OS


Configuring TCP/IP client nodes to use SSL

Configure TCP/IP client connections to use SSL to secure connectivity to and from the TCPIP client nodes.

You can create or modify TCP/IP client connections that use SSL by creating or modifying a configurable service. You can specify the type of protocol and the allowed cipher suites. By default, SSL is not enabled for any configurable services. The nodes use the standard broker keystore and truststore configuration.

Before you start: Set up a public key infrastructure (PKI) at broker or integration server level by following the instructions in Setting up a public key infrastructure.

Follow these steps to configure the TCPIP nodes to use SSL:

  1. Changing a TCP/IP client configuration to use SSL
  2. Creating a TCP/IP client configuration that uses SSL

Changing a TCP/IP client configuration to use SSL

Use the mqsichangeproperties command to change an existing TCPIPClient configurable service.

  1. The following command specifies that the myTCPIPClientService configurable service must use SSLv3 as the protocol, with any available cipher suite.
    mqsichangeproperties MYBROKER 
      -c TCPIPClient 
      -o myTCPIPClientService 
      -n SSLProtocol 
      -v SSLv3
  2. Restart the integration server that contains the message flows.

Creating a TCP/IP client configuration that uses SSL

Use the mqsicreateconfigurableservice command to create a TCPIPClient configurable service.

  1. The following command creates a TCPIPClient configurable service for making connections on port 1455 on the local machine. It uses the SSL protocol SSLv3 with a specific list of allowed cipher suites.
    mqsicreateconfigurableservice MYBROKER 
      -c TCPIPClient 
      -o myTCPIPClientService
      -n Port,Hostname,SSLProtocol,SSLCiphers 
      -v "1455,localhost,SSLv3,SSL_RSA_WITH_RC4_128_MD5;SSL_RSA_WITH_3DES_EDE_CBC_SHA"
  2. Restart the integration server that contains the message flows.
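
The following check is an added example, not IBM code: it pairs the -n property names with the -v values of a command like the ones above and flags settings that current TLS guidance has retired (SSLv3 by RFC 7568, RC4 by RFC 7465, plus MD5-based and 3DES-based suites). The function names and the weak-marker lists are assumptions of this example.

```python
import shlex

# Assumed policy for this example, not an IBM-defined list.
WEAK_PROTOCOLS = {"SSLv2", "SSLv3"}
WEAK_CIPHER_MARKERS = ("_RC4_", "_MD5", "_3DES_", "_DES_", "_NULL_", "_EXPORT_", "_anon_")


def parse_properties(command):
    """Pair the comma-separated -n names with the comma-separated -v values."""
    tokens = shlex.split(command)
    opts = {}
    for flag, value in zip(tokens, tokens[1:]):
        if flag in ("-n", "-v"):
            opts[flag] = value.split(",")
    names, values = opts.get("-n", []), opts.get("-v", [])
    if len(names) != len(values):
        raise ValueError("-n lists %d names but -v lists %d values" % (len(names), len(values)))
    return dict(zip(names, values))


def audit(props):
    """Return one finding per weak protocol or cipher suite setting."""
    findings = []
    protocol = props.get("SSLProtocol")
    if protocol is None:
        findings.append("SSLProtocol not set: SSL is not enabled for this service")
    elif protocol in WEAK_PROTOCOLS:
        findings.append("SSLProtocol=%s is a retired protocol version" % protocol)
    # SSLCiphers is a semicolon-separated list; empty means no restriction.
    ciphers = [c.strip() for c in props.get("SSLCiphers", "").split(";") if c.strip()]
    if protocol is not None and not ciphers:
        findings.append("SSLCiphers not set: any available cipher suite may be negotiated")
    for suite in ciphers:
        hits = [m.strip("_") for m in WEAK_CIPHER_MARKERS if m in suite]
        if hits:
            findings.append("%s uses %s" % (suite, "+".join(hits)))
    return findings


# Constructed sample: the create command from this page, typed on one line with
# the -v value quoted so a POSIX shell does not treat ';' as a command separator.
SAMPLE = ('mqsicreateconfigurableservice MYBROKER -c TCPIPClient -o myTCPIPClientService '
          '-n Port,Hostname,SSLProtocol,SSLCiphers '
          '-v "1455,localhost,SSLv3,SSL_RSA_WITH_RC4_128_MD5;SSL_RSA_WITH_3DES_EDE_CBC_SHA"')

if __name__ == "__main__":
    for finding in audit(parse_properties(SAMPLE)):
        print("WEAK:", finding)
```
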

Testing your configuration

Use either a TCPIPClientInput node or a TCPIPClientOutput node to open a connection to a remote SSL server application that is listening on a TCP/IP port.

bp34100_.htm | Last updated Friday, 21 July 2017