Author |
Message
|
pandeg |
Posted: Mon May 09, 2016 11:13 am Post subject: SSL configuration between JMS client and Queue Manager |
|
|
Disciple
Joined: 21 Oct 2014 Posts: 195
|
Hi, we have a Java application which uses the MQ client jar to connect to a Queue Manager (version 8.0) using a server connection channel. We want to configure SSL between this Java application and the Queue Manager. Can you please suggest any link or sample which I can use to configure SSL? |
|
hughson |
Posted: Mon May 09, 2016 3:08 pm Post subject: |
|
|
 Padawan
Joined: 09 May 2013 Posts: 1959 Location: Bay of Plenty, New Zealand
|
|
pandeg |
Posted: Tue May 10, 2016 10:25 am Post subject: |
|
|
Disciple
Joined: 21 Oct 2014 Posts: 195
|
Thanks for the information.
I went to the Knowledge Center (https://www.ibm.com/support/knowledgecenter/SSFKSJ_7.5.0/com.ibm.mq.dev.doc/q031220_.htm?lang=en) and it mentioned that SSLFIPS is required if the application is using more than one client connection. In my case each application establishes around 4-5 instances of the server connection channel to the Queue Manager. Do I need to use this attribute?
Also, the below statement is mentioned:
"To connect successfully using SSL, the JSSE truststore must be set up with certificate authority root certificates from which the certificate presented by the queue manager can be authenticated. Similarly, if SSLClientAuth on the SVRCONN channel has been set to MQSSL_CLIENT_AUTH_REQUIRED, the JSSE keystore must contain an identifying certificate that is trusted by the queue manager."
I found this link published in Oct, 2013 (https://qadeer786.wordpress.com/2013/10/08/using-ssl-support-for-java-clients-websphere-mq/) which shows how to create a keystore for the Queue Manager and the Java application. Can you please take a look and let me know if this contains the correct information as per current version of MQ (V . Also, wanted to know if Key Management Tool is free or Licensed. |
|
bruce2359 |
Posted: Tue May 10, 2016 2:35 pm Post subject: |
|
|
 Poobah
Joined: 05 Jan 2008 Posts: 9469 Location: US: west coast, almost. Otherwise, enroute.
|
Moved to Configuration forum. _________________ I like deadlines. I like to wave as they pass by.
ב''ה
Lex Orandi, Lex Credendi, Lex Vivendi. As we Worship, So we Believe, So we Live. |
|
hughson |
Posted: Tue May 10, 2016 3:30 pm Post subject: |
|
|
 Padawan
Joined: 09 May 2013 Posts: 1959 Location: Bay of Plenty, New Zealand
|
pandeg wrote: |
I went to the Knowledge Center (https://www.ibm.com/support/knowledgecenter/SSFKSJ_7.5.0/com.ibm.mq.dev.doc/q031220_.htm?lang=en) and it mentioned that SSLFIPS is required if the application is using more than one client connection. |
I don't see anywhere in that page that says that. It does say this:-
IBM Knowledge Center wrote: |
If you require a client connection to use a CipherSuite that is supported by the IBM® Java JSSE FIPS provider (IBMJSSEFIPS), an application can set the sslFipsRequired field in the MQEnvironment class to true. Alternatively, the application can set the environment property CMQC.SSL_FIPS_REQUIRED_PROPERTY. The default value is false, which means that a client connection can use any CipherSuite that is supported by WebSphere MQ.
If an application uses more than one client connection, the value of the sslFipsRequired field that is used when the application creates the first client connection determines the value that is used when the application creates any subsequent client connection. Therefore when the application creates a subsequent client connection, the value of the sslFipsRequired field is ignored. You must restart the application if you want to use a different value for the sslFipsRequired field. |
Perhaps have another read and see if it makes more sense the second time? You use SSLFIPS if you need to only use FIPS ciphers.
pandeg wrote: |
I found this link published in Oct, 2013 (https://qadeer786.wordpress.com/2013/10/08/using-ssl-support-for-java-clients-websphere-mq/) which shows how to create a keystore for the Queue Manager and the Java application. Can you please take a look and let me know if this contains the correct information as per current version of MQ (V . |
I think the most appropriate course of action here would be to ask the author of that blog whether his information is correct for MQ V8. However, that said, I am not aware of there being any changes to the way certificates are created in general.
pandeg wrote: |
Also, wanted to know if Key Management Tool is free or Licensed. |
Licensed and Free are not opposites. The MQ Client is freely available and licensed for use through your queue manager. I expect the Key Management Tool is the same - you are licensed to use it due to your purchase of a queue manager. What was the reason you were asking? Perhaps there is a different question that you really wanted to ask?
Cheers
Morag _________________ Morag Hughson @MoragHughson
IBM MQ Technical Education Specialist
Get your IBM MQ training here!
MQGem Software |
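An added example, not written by any poster in this thread and not taken from IBM's documentation: a minimal JMS client set up the way the Knowledge Center passages quoted above describe (truststore for the queue manager's CA, optional keystore for client authentication, FIPS setting chosen before the first connection). It assumes the IBM MQ classes for JMS are on the classpath and uses the JMS connection factory setter in place of the `MQEnvironment` field the quote names; every `MQ_*` environment variable name is a placeholder invented for this sketch.

```java
import com.ibm.mq.jms.MQConnectionFactory;
import com.ibm.msg.client.wmq.WMQConstants;
import javax.jms.Connection;
import javax.jms.JMSException;

public class MqJmsTlsClient {
    // Fail fast on a missing setting instead of handing null to JSSE or MQ.
    // The MQ_* variable names are placeholders for this example only.
    static String env(String name) {
        String v = System.getenv(name);
        if (v == null || v.isEmpty()) {
            throw new IllegalStateException(name + " is not set");
        }
        return v;
    }

    public static void main(String[] args) throws JMSException {
        // Truststore: CA root certificate(s) from which the certificate
        // presented by the queue manager can be authenticated.
        System.setProperty("javax.net.ssl.trustStore", env("MQ_TRUSTSTORE"));
        System.setProperty("javax.net.ssl.trustStorePassword", env("MQ_TRUSTSTORE_PW"));
        // Keystore: only needed when the SVRCONN channel requires client
        // authentication; it holds the certificate the queue manager must trust.
        if (System.getenv("MQ_KEYSTORE") != null) {
            System.setProperty("javax.net.ssl.keyStore", env("MQ_KEYSTORE"));
            System.setProperty("javax.net.ssl.keyStorePassword", env("MQ_KEYSTORE_PW"));
        }

        MQConnectionFactory cf = new MQConnectionFactory();
        cf.setTransportType(WMQConstants.WMQ_CM_CLIENT);
        cf.setHostName(env("MQ_HOST"));
        cf.setPort(Integer.parseInt(env("MQ_PORT")));
        cf.setQueueManager(env("MQ_QMGR"));
        cf.setChannel(env("MQ_CHANNEL"));
        // Must correspond to the CipherSpec configured on the SVRCONN channel.
        cf.setSSLCipherSuite(env("MQ_CIPHER_SUITE"));
        // Decide this before the first connection: the quoted documentation says
        // the first value applies to every later connection until a restart.
        cf.setSSLFipsRequired(Boolean.parseBoolean(System.getenv("MQ_FIPS_REQUIRED")));

        Connection conn = cf.createConnection();
        try {
            conn.start();
            System.out.println("TLS connection established on " + env("MQ_CHANNEL"));
        } finally {
            conn.close();
        }
    }
}
```

Keeping the store passwords in the environment rather than in source keeps them out of version control; the stores themselves should be readable only by the account that runs the application.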
|
hughson |
Posted: Tue May 10, 2016 3:34 pm Post subject: |
|
|
 Padawan
Joined: 09 May 2013 Posts: 1959 Location: Bay of Plenty, New Zealand
|
P.S. I notice just now that your title does say JMS, even though your text doesn't. Please confirm whether you are asking about JMS or Java classes? |
|
MQMB&WAS |
Posted: Tue Oct 03, 2017 10:37 am Post subject: |
|
|
Centurion
Joined: 12 Jun 2016 Posts: 130
|
hughson wrote: |
P.S. I notice just now that your title does say JMS, even though your text doesn't. Please confirm whether you are asking about JMS or Java classes? |
I'm looking for this same documentation. Could someone please direct me to any documentation for configuring SSL between JMS client and IBM MQ. Could find anything myself. Appreciate any help. |
|
zpat |
Posted: Tue Oct 03, 2017 11:02 pm Post subject: |
|
|
 Jedi Council
Joined: 19 May 2001 Posts: 5866 Location: UK
|
|