rajess_kr (Newbie, Joined: 26 Feb 2010, Posts: 8)
Posted: Mon Mar 01, 2010 11:02 am
Post subject: Using SSL in JMS client java appln
Hi,
I have a Java application using the MQ Java API.
I need to make it SSL compliant and want minimal changes.
In order to make it SSL compliant, it requires us to set the following settings:
- javax.net.ssl.keyStore
- javax.net.ssl.keyStorePassword
- javax.net.ssl.trustStore
- javax.net.ssl.trustStorePassword
The client does not want us to save the keystore and truststore passwords as PLAIN TEXT either in Java files or in config files.
The client wants us to use JMS compliant code and says in such a case, all the SSL configuration is done in ConnectionFactories on the IBM WAS Server and our client code only needs to retrieve these settings from JNDI.
Query:
1) If I use JMS, does it not require to set those 4 properties in my JMS client Java code?
2) Is it possible to use JNDI for retrieving the keystore and truststore password and still make the Java application with MQ Java API work?
3) A working JMS request - reply sample will be helpful.
Thanks
rajess_kr (Newbie, Joined: 26 Feb 2010, Posts: 8)
Posted: Mon Mar 01, 2010 1:05 pm
Post subject: Using SSL in JMS client java appln
Hi,
Any comments / help from you guys?
Thanks
fjb_saper (Grand High Poobah, Joined: 18 Nov 2003, Posts: 20756, Location: LI,NY)
Posted: Mon Mar 01, 2010 7:20 pm
Post subject:
Well, typically you would start WebSphere (WAS) with the -D flag to specify keystore and truststore. How you specify the passwords then depends on your WAS setup, but you should not need them from JMS.
All you need to specify is the CipherSuite corresponding to the CipherSpec in the channel (there is a translation table in the infocenter). Make sure the JNDI setup of the connection factory is done with the CipherSuite and SSLPeer values....
Caveat... I've been trying to set up multiple connections to (different) qmgrs in a JMS standalone on the same thread, but I have been unsuccessful. I believe the SSLContext mandates a different thread for each connection...
Somebody with better Java SSL knowledge correct me and show me the way if I am wrong...
Have fun
_________________
MQ & Broker admin
rajess_kr (Newbie, Joined: 26 Feb 2010, Posts: 8)
Posted: Tue Mar 02, 2010 8:08 am
Post subject: Using SSL in JMS client java appln
However, is it possible to use JNDI for retrieving the keystore and truststore password and still make the Java application with MQ Java API work?
Secondly, any working sample on JMS with SSL will be helpful.
Thanks
fjb_saper (Grand High Poobah, Joined: 18 Nov 2003, Posts: 20756, Location: LI,NY)
Posted: Tue Mar 02, 2010 8:41 pm
Post subject: Re: Using SSL in JMS client java appln
rajess_kr wrote:
> However, is it possible to use JNDI for retrieving the keystore and truststore password and still make the Java application with MQ Java API work?
> Secondly, any working sample on JMS with SSL will be helpful.
> Thanks

I had no problem with Java 1.4 and SSL. All you need is
- -Djavax.net.ssl.keyStore
- -Djavax.net.ssl.keyStorePassword
- -Djavax.net.ssl.trustStore (mandatory even if truststore = keystore)
- -Djavax.net.ssl.trustStorePassword
- -Djava.security.policy (optional)
- CipherSuite translated from the CipherSpec on the channel (see translation table in infocenter)
- SSLPeer values (optional)
However, this will only work as a standalone JMS client with one connection.
I have a mix with SSL and non SSL and whichever way I sequence the qmgrs in the property file it always seems to read a non SSL qmgr first.
The SSL call to the next qmgr (SSL) then aborts with RC 2400.
When I connect only to 1 qmgr (so far I have only one that will do SSL), I have no problems connecting to it, using CipherSuite as per table in infocenter and SSL Peer values...
It looks like to mix non SSL and SSL qmgr client connections in standalone JMS, each new connection needs to be done in a different process. (From OS run java + parms)
If somebody knows how to use Java 1.4 to connect to multiple qmgrs (not necessarily at the same time, one after the other works for me) with a mix of different CipherSuites / SSL Peer, host and port values, including no SSL, in indifferent order, from the same process, same thread or different thread, in a standalone JMS app, I'd be happy to hear about it.
I understand that with Java 6 you can access the default context and potentially invalidate an SSLSession attached to it... or set/remove the object (CF?) from the session / context...
Thanks
_________________
MQ & Broker admin
rajess_kr (Newbie, Joined: 26 Feb 2010, Posts: 8)
Posted: Sat Mar 06, 2010 3:54 am
Post subject: Using SSL in JMS client java appln
I don't think that I am going to have a mix of this: to mix non SSL and SSL qmgr client connections in standalone JMS.
I will run JMS API code in a J2SE component, though it would run in a J2EE container as part of a web application.
Appreciate if some sample code exists.
Thanks
fjb_saper (Grand High Poobah, Joined: 18 Nov 2003, Posts: 20756, Location: LI,NY)
Posted: Sat Mar 06, 2010 7:56 pm
Post subject: Re: Using SSL in JMS client java appln
rajess_kr wrote:
> I don't think that I am going to have a mix of this: to mix non SSL and SSL qmgr client connections in standalone JMS.
> I will run JMS API code in a J2SE component, though it would run in a J2EE container as part of a web application.
> Appreciate if some sample code exists.
> Thanks

There is no particular coding for SSL. It all happens behind the scenes. What you need to do is the setup of the connection factory and have the keystore and truststore available to the environment.
_________________
MQ & Broker admin
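The setup discussed in this thread, as an added example that is not part of any poster's message or of IBM's samples: a JMS 1.1 request/reply client that takes its connection factory from JNDI, so the CipherSuite and SSLPeer stay on the administered object and the keystore and truststore come from the JVM or container environment, with no password in the client code. The JNDI names `jms/SecureCF` and `jms/RequestQueue` are hypothetical; a configured JNDI provider and a responder on the request queue are assumed.

```java
import javax.jms.*;
import javax.naming.Context;
import javax.naming.InitialContext;

public class SslJmsRequestReply {
    // Hypothetical JNDI names; the administrator binds these objects and
    // sets the CipherSuite / SSLPeer on the connection factory itself.
    private static final String CF_NAME = "jms/SecureCF";
    private static final String REQUEST_QUEUE = "jms/RequestQueue";

    public static String request(String body, long timeoutMs) throws Exception {
        // Provider URL and context factory come from jndi.properties or the
        // container; nothing here names a keystore, truststore or password.
        Context ctx = new InitialContext();
        Connection conn = null;
        try {
            ConnectionFactory cf = (ConnectionFactory) ctx.lookup(CF_NAME);
            Destination requestQueue = (Destination) ctx.lookup(REQUEST_QUEUE);

            // The TLS handshake happens inside createConnection(), driven by
            // the factory's settings and the JVM's key and trust material.
            conn = cf.createConnection();
            Session session = conn.createSession(false, Session.AUTO_ACKNOWLEDGE);

            // One temporary queue per request keeps replies from mixing.
            TemporaryQueue replyQueue = session.createTemporaryQueue();
            MessageConsumer consumer = session.createConsumer(replyQueue);
            TextMessage req = session.createTextMessage(body);
            req.setJMSReplyTo(replyQueue);

            conn.start(); // enable delivery before sending the request
            session.createProducer(requestQueue).send(req);

            Message reply = consumer.receive(timeoutMs);
            if (reply == null) {
                throw new JMSException("No reply within " + timeoutMs + " ms");
            }
            if (!(reply instanceof TextMessage)) {
                throw new JMSException("Unexpected reply type: " + reply.getClass());
            }
            return ((TextMessage) reply).getText();
        } finally {
            if (conn != null) conn.close(); // also closes session and temp queue
            ctx.close();
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println(request("ping", 5000));
    }
}
```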