SSL Implementation in Broker V6.1
mqxplorer
Posted: Wed Mar 03, 2010 4:47 pm    Post subject: SSL Implementation in Broker V6.1
Master, Joined: 22 Jun 2009, Posts: 206
Hi,
After going through various documents related to SSL implementation, I understood that SSL implementation is a little bit different in WebSphere Message Broker compared to WebSphere MQ. However, as per the documentation I followed, there are three main things to be done, either as client or as server.
1. Create a keystore to store the digital certificates.
2. Create a certificate request - this creates a key pair (private and public key). While creating this we provide info like OU, Org Name etc. Public key is kept secret in the key store and we have to send this request to a CA. This certificate request contains the requester's public key and his credentials to prove he is who he is. The CA signs this document and sends it back to the requester. This CA-signed certificate contains the requester's public key, requester company name, CA name and CA digital signature. Along with the signed certificate, the CA sends its certificate.
3. The requester has to import the CA-signed certificate into the keystore he has created. [In case of MQ, the CA-signed certificate and CA certificate will be added to the keystore created for that QM]. However (as per my understanding), in Message Broker the CA-signed certificate will be added to the keystore created using keytool, and the CA certificate should be added to the 'cacerts' file located in ..\jre\lib\security. Please correct me if I am wrong.
However, the documentation in the Info Center does not say anything about a certificate request to be created in order to send it to the CA to get it signed. It talks about a self-signed certificate to be created. It also talks about importing a CA-generated certificate. Does it imply a CA-signed certificate?
Quote:
    The -genkey parameter generates all the certificate files necessary to enable HTTPS to work for testing purposes, but they are not suitable for use in a production system. You must purchase an official certificate from a certification authority. Consult your system administrator to check your company policy for certificate creation.
    To import a certificate generated by a certification authority, use the -import parameter instead of the -genkey parameter.
I have a question regarding self-signed certificates. Is creating a self-signed certificate equal to: creating a certificate request + sending it to a CA + receiving the CA-signed certificate into the keystore?
Web service client using WMB:
MQInput --> Compute --> HTTPRequest ---> Compute ---> MQOutput
Web service provider using WMB:
HTTPInput --> Compute --> HTTPReply
For client - Create a keystore + Create a certificate request + send it to the CA + Import the CA-signed certificate into the created keystore + add the CA's certificate to the broker's 'cacerts' file.
For server - Create a keystore + Create a certificate request + send it to the CA + Import the CA-signed certificate into the created keystore + add the CA's certificate to the broker's 'cacerts' file.
The info provided in the Info Center is confusing.
http://publib.boulder.ibm.com/infocenter/wmbhelp/v6r1m0/index.jsp?topic=/com.ibm.etools.mft.doc/ac04565_.htm
and http://publib.boulder.ibm.com/infocenter/wmbhelp/v6r1m0/index.jsp?topic=/com.ibm.etools.mft.doc/ap12235_.htm
Could someone explain the SSL implementation in Message Broker? I am really clear about SSL in MQ. Please provide me some steps to set up SSL in the broker.
Thanks in advance.
fjb_saper
Posted: Wed Mar 03, 2010 9:00 pm    Post subject:
Grand High Poobah, Joined: 18 Nov 2003, Posts: 20756, Location: LI,NY
Quote:
    I have a question regarding self-signed certificate. Is creating a self-signed certificate equal to - creating a certificate request + send to CA + receive the CA signed certificate into the keystore?
Not quite. If you are dealing in self-signed certs you need to add the public cert to every party you are connecting to...
It gets a little bit easier if you can set up your own CA authority when dealing with internal stuff and before you buy certs.
There is an excellent PDF referenced somewhere in the security forum about using SSL with MQ when setting up your own CA authority.
See http://www.ibm.com/support/docview.wss?rs=171&uid=swg21233897
Have fun
_________________
MQ & Broker admin
mqxplorer
Posted: Fri Mar 05, 2010 7:37 am    Post subject:
Master, Joined: 22 Jun 2009, Posts: 206
Hi Saper,
Thanks for your reply. As I explained in my post, I am pretty clear about MQ SSL; however, I am really confused with the broker SSL implementation, where the 'cacerts' file comes into the picture. What should I import into the 'cacerts' file (the default broker key repository) - the CA's certificate, or the certificate from the service provider (when I am the client) / the certificate from the client (when I am the provider)? Please let me know.
Thanks
fjb_saper
Posted: Fri Mar 05, 2010 12:54 pm    Post subject:
Grand High Poobah, Joined: 18 Nov 2003, Posts: 20756, Location: LI,NY
mqxplorer wrote:
    Hi Saper,
    Thanks for your reply. As I explained in my post, I am pretty clear about MQ SSL, however, I am really confused with broker SSL implementation where 'cacerts' file comes into picture. What should I import into 'cacerts' file (the default broker key repository) - the CA's certificate or the certificate from the service provider (when I am client) / certificate from client (when I am a provider)? Please let me know.
    Thanks
MQ SSL / Broker SSL: very little difference.
The big difference is that you must look at what viewpoint your broker has.
Is your broker acting as the service provider? (same as an MQ QMGR)
Is your broker acting as the service client? (same as an MQ client)
If you are dealing with a public CA you can use a truststore that will only hold CA certificates. Whether you decide to go with keystore = truststore or a separate truststore is then your decision...
You can view the article I referenced as a good training ground.
You can set up your own CA and pretend it is a public one and set up your environment accordingly. Once you have understood the way it works and done your PoC, you can graduate to a public CA.
For the rest there should be enough documentation, either in the Info Center or developerWorks, to get you through.
_________________
MQ & Broker admin
mqxplorer
Posted: Fri Mar 05, 2010 1:45 pm    Post subject:
Master, Joined: 22 Jun 2009, Posts: 206
Thanks Saper. I will implement it this weekend and post the results here.
Thanks
Ekta Saxena
Posted: Mon Jan 02, 2012 12:43 am    Post subject: SSL Implementation in Broker 6.1
Newbie, Joined: 01 Jan 2012, Posts: 1
Hi,
I also tried SSL implementation in WMB 6.1. I developed a message flow serving as a web service using HTTPInput and HTTPReply nodes. I implemented one-way authentication (server side), where the SOAP UI client authenticates the broker (server) on which the web service is deployed.
I was able to test the service successfully over "https" using SOAP UI.
Here I am sharing the steps. You can try and test it.
I used keytool for creating the certificates and keystore. It can be found in ..\IBM\MQSI\6.1\jre15\bin.
Step-1 Create a keystore file for the broker and a self-signed certificate. This certificate will be used as the trusted (CA) certificate for both client and server. This suits testing only, not production.
keytool -genkey -keyalg RSA -alias ssltest -keystore sslkeystore.jks -storepass sslpass -validity 360 -keysize 2048
Step-2 Export the certificate so that it can be imported into the client machine.
keytool -export -alias ssltest -file sslselfsign.crt -keystore sslkeystore.jks
Step-3 Create a new keystore for the client (clientkeystore1.jks)
keytool -genkey -keyalg RSA -alias clienttest -keystore clientkeystore1.jks -storepass client1pass -validity 360 -keysize 2048
Step-4 Import the self-signed certificate into the client's machine
keytool -import -alias ssltest -file sslselfsign.crt -keystore "C:\Program Files\IBM\MQSI\6.1\jre15\bin\clientkeystore1.jks"
Step-5 Configure the broker to use SSL on a particular port. For that you need to set some properties.
mqsichangeproperties BROKER1 -b httplistener -o HTTPListener -n enableSSLConnector -v true
mqsichangeproperties BROKER1 -b httplistener -o HTTPSConnector -n keystoreFile -v "..\sslkeystore.jks"
mqsichangeproperties BROKER1 -b httplistener -o HTTPSConnector -n keystorePass -v sslpass
mqsichangeproperties BROKER1 -b httplistener -o HTTPSConnector -n port -v 7085
Note: By default the port for https is 7083.
Step-6 In your message flow, check the "Use HTTPS" property on the HTTPInput node.
Step-7 To test your application using SOAP UI, do the following settings in SOAP UI:
Under soapUI Preferences
SSL Settings -> KeyStore: <keystore file created>
KeyStore Password: <keystore password>
In SOAP UI enter the proper URL, starting with "https".
It hits your service....
Just try!!!
Back to top |
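The two questions the thread keeps circling (what goes into the truststore, and why a self-signed certificate is not the same as a CA-signed one) are easiest to see by actually building both kinds of certificate and running a chain verification. The script below is an added example and is not part of any post above or of IBM's own tooling; it uses openssl rather than keytool because it can be run anywhere a shell and openssl are available (that is the one assumption), and every name in it (the CA name, the broker hostname, the working directory) is constructed for the demo. It builds a private CA as fjb_saper suggests, signs a broker certificate with it, also generates a self-signed broker certificate like Ekta's keytool -genkey step, and then checks which presented certificate verifies against which trust anchor.

```shell
#!/bin/sh
# Added example, not from the thread: build a private CA with openssl, sign a
# broker (server) certificate with it, and check which certificate verifies
# against which trust anchor. Assumes openssl is on PATH; every name here is
# constructed for the demo.
set -u

WORK="${TMPDIR:-/tmp}/wmb-ssl-demo.$$"

setup_pki() {
  mkdir -p "$WORK" || return 1

  # 1. Private CA: key plus self-signed CA certificate. When certificates are
  #    CA-signed, this CA certificate is the only thing a peer's truststore
  #    (for the broker: cacerts, or a separate truststore) needs to hold.
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -subj "/CN=Demo Internal CA/O=Example" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" >/dev/null 2>&1 || return 1

  # 2. Broker key pair and certificate request (the CSR step the first post
  #    could not find in the Info Center text). The private key stays in $WORK.
  openssl req -new -newkey rsa:2048 -nodes \
    -subj "/CN=broker.example.internal/O=Example" \
    -keyout "$WORK/broker.key" -out "$WORK/broker.csr" >/dev/null 2>&1 || return 1

  # 3. The CA signs the request. broker.crt goes into the broker keystore next
  #    to broker.key; it is not what peers put in their truststore.
  openssl x509 -req -in "$WORK/broker.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAserial "$WORK/ca.srl" -CAcreateserial -days 365 \
    -out "$WORK/broker.crt" >/dev/null 2>&1 || return 1

  # 4. A self-signed broker certificate, the openssl equivalent of the
  #    keytool -genkey step above. Nothing but itself vouches for it.
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -subj "/CN=broker.example.internal/O=Example" \
    -keyout "$WORK/selfsigned.key" -out "$WORK/selfsigned.crt" >/dev/null 2>&1 || return 1
}

# verify_against ANCHOR CERT: exit 0 if CERT chains to ANCHOR, non-zero otherwise.
# ANCHOR plays the role of the truststore, CERT the certificate a peer presents.
verify_against() {
  openssl verify -CAfile "$WORK/$1" "$WORK/$2" >/dev/null 2>&1
}

cleanup() {
  rm -rf "$WORK"
}

main() {
  setup_pki || { echo "setup failed (is openssl installed?)" >&2; return 1; }
  # truststore/presented pairs: CA-signed chains to the CA; a self-signed cert
  # chains only to itself, so it must be copied to every peer's truststore.
  for pair in "ca.crt broker.crt" "selfsigned.crt selfsigned.crt" "ca.crt selfsigned.crt"; do
    set -- $pair
    if verify_against "$1" "$2"; then
      echo "OK    truststore=$1  presented=$2"
    else
      echo "FAIL  truststore=$1  presented=$2"
    fi
  done
  cleanup
}

main
```

Mapped back to the thread: ca.crt is what a client imports with keytool -import -trustcacerts into its truststore (or, on the broker side, into cacerts) when the broker presents a CA-signed certificate; broker.crt is imported into the broker's own keystore under the same alias as the key pair so it replaces the self-signed placeholder keytool -genkey created. The third check fails on purpose: a self-signed certificate never chains to the CA, which is why Ekta's steps have to export sslselfsign.crt and import it directly into the client side, and why fjb_saper says that with self-signed certificates you must distribute the public certificate to every party. One practical caveat on the posted mqsichangeproperties commands: passing the keystore password as -v sslpass puts it into the shell history and the process listing of the machine, so on a shared administration host it is worth clearing that history and restricting read access to the keystore file itself.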