IBM Integration Bus, Version 9.0.0.8 Operating Systems: AIX, HP-Itanium, Linux, Solaris, Windows, z/OS


Securing integration services by using SSL configuration

You can secure integration services by configuring the SOAP/HTTP binding or JavaScript client API to use SSL and certificates.

Define a public key infrastructure (PKI) for IBM® Integration Bus; see Setting up a public key infrastructure.

After you establish a public key infrastructure configuration for your whole broker or for some of its integration servers, you can use the configuration to secure your integration services by completing the following steps:
  1. If you are using the broker listener: Configure the broker to use SSL.
  2. If you are using the embedded (integration server) listener: Configure the integration server to use SSL.
  3. Configure the integration service bindings to use SSL.

Configuring the broker to use SSL

Complete the following steps:

  1. Turn on SSL support in the broker by setting a value for enableSSLConnector:
    mqsichangeproperties broker_name
      -b httplistener -o HTTPListener 
      -n enableSSLConnector -v true
  2. Optional: If you do not want to use the default port 7083 for HTTPS messages, specify the port on which the broker listens:
    mqsichangeproperties broker_name
      -b httplistener -o HTTPSConnector
      -n port -v port_number

    On UNIX systems, only processes that run under a privileged user account (in most cases, root) can bind to ports lower than 1024.

    For the broker to listen on these ports, the user ID under which the broker is started must be root.
  3. Optional: Enable Client Authentication (mutual authentication):
    mqsichangeproperties broker_name -b httplistener -o HTTPSConnector
      -n clientAuth -v true 
  4. Restart the broker after changing one or more of the HTTP listener properties.
  5. Optional: Use the following commands to display HTTP listener properties:
    mqsireportproperties broker_name -b httplistener -o AllReportableEntityNames -a 
    mqsireportproperties broker_name -b httplistener -o HTTPListener -a 
    mqsireportproperties broker_name -b httplistener -o HTTPSConnector  -a 

Configuring an integration server to use SSL

Complete the following steps:

  1. Optional: Specify a specific port on which the integration server listens for HTTPS requests, or leave the value unset to use the next available port number.
    mqsichangeproperties broker_name
      -e integration_server_name -o HTTPSConnector
      -n explicitlySetPortNumber -v port_number
    On UNIX systems, only processes that run under a privileged user account (in most cases, root) can bind to ports lower than 1024. For the integration server to listen on these ports, the user ID under which the broker is started must be root.

    If you do not complete this step, the first available port in the default range (7843 - 7884) is used.

  2. Optional: Enable Client Authentication (mutual authentication):
    mqsichangeproperties broker_name
      -e integration_server_name -o HTTPSConnector
      -n clientAuth -v true 
  3. Optional: Change the SSL protocol. The default protocol for the integration server's HTTPS connections is TLS. Run the following command to change it to SSL:
    mqsichangeproperties broker_name
      -e integration_server_name -o HTTPSConnector
      -n sslProtocol -v SSL
  4. Restart the broker after changing one or more of the listener properties.
  5. Optional: Use the following command to display HTTPS properties:
    mqsireportproperties broker_name 
      -e integration_server_name -o HTTPSConnector  -r 
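
To review the result of the steps above, the following added example (not part of the IBM documentation) checks an integration server's HTTPSConnector properties against what this page states: the TLS default, optional client authentication, and the root requirement for ports below 1024. It assumes the report lists one property per line as name='value'; the sample report is constructed, and `get_prop` and `audit_https_connector` are hypothetical helper names.

```shell
#!/bin/sh
# Added example: audit an integration server's HTTPSConnector properties.
# ASSUMPTION: the report lists one property per line as name='value'.

# Constructed sample report (not captured from a real broker).
SAMPLE="HTTPSConnector
  explicitlySetPortNumber='443'
  clientAuth=''
  sslProtocol='SSL'"

# get_prop NAME: print the value of NAME found in $REPORT (empty if absent).
get_prop() {
    printf '%s\n' "$REPORT" |
        sed -n "s/^[[:space:]]*$1='\\(.*\\)'[[:space:]]*\$/\\1/p" | head -n 1
}

# audit_https_connector: read a report on stdin, print one finding per line.
audit_https_connector() {
    REPORT=$(cat)
    proto=$(get_prop sslProtocol)
    auth=$(get_prop clientAuth)
    port=$(get_prop explicitlySetPortNumber)

    case "$proto" in
        "")   echo "OK   sslProtocol unset, so the TLS default applies" ;;
        SSL*) echo "WARN sslProtocol=$proto replaces the TLS default" ;;
        *)    echo "OK   sslProtocol=$proto" ;;
    esac

    if [ "$auth" = "true" ]; then
        echo "OK   clientAuth=true (mutual authentication)"
    else
        echo "INFO clientAuth not enabled (server authentication only)"
    fi

    case "$port" in
        "")        echo "INFO no explicit port; first free port in 7843-7884 is used" ;;
        *[!0-9]*)  echo "WARN explicitlySetPortNumber=$port is not a number" ;;
        *)  if [ "$port" -lt 1024 ]; then
                echo "WARN port $port is below 1024: on UNIX the broker must start as root"
            else
                echo "OK   port $port"
            fi ;;
    esac
    return 0
}

printf '%s\n' "$SAMPLE" | audit_https_connector
```

To audit a live integration server, pipe the output of the mqsireportproperties command from step 5 into `audit_https_connector` instead of the sample.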

Configuring the integration service bindings to use SSL

Configure the integration service bindings to use SSL by completing the following steps:
  1. In the IBM Integration Toolkit, open your integration service in the integration service editor by double-clicking Integration Service Description in the Application Development view.
  2. Click the Service tab. The integration service description is displayed, which includes the integration service bindings.
  3. If you are using the SOAP/HTTP binding, then click SOAP/HTTP Binding and select Use HTTPS from the HTTP Transport properties panel.
  4. If you are using the JavaScript client API, then click JavaScript client API and then select Use HTTPS from the Basic properties panel.
    Note: If you are using a web browser-based JavaScript application to call the integration service, then you must select Use HTTPS on both the SOAP/HTTP binding and the JavaScript client API. The HTTP proxy servlet routes requests only to endpoints that use the same protocol as the web browser. The HTTP proxy servlet routes requests to both the SOAP and JavaScript client API endpoints, and so both endpoints must match the web browser protocol.
  5. Save and redeploy the integration service.

You have configured the integration service to use SSL.


ss26060_.htm | Last updated Friday, 21 July 2017