7.2 Configuring JMS over SSL in Connect (WebSphere)

IMPORTANT: The WebSphere user should be part of the Connect group and have write access to the $KCHOME directory.

Required Jars for JMS Configuration

To configure JMS using TIBCO, you will require the following jars:

  • com.ibm.jaxws.thinclient_7.0.0.jar
  • com.ibm.mq.commonservices.jar
  • com.ibm.mq.headers.jar
  • com.ibm.mq.jar
  • com.ibm.mq.jmqi.jar
  • com.ibm.mq.jmqi.remote.jar
  • com.ibm.mq.jmqi.system.jar
  • com.ibm.mqjms.jar
  • com.ibm.msg.client.commonservices.j2se.jar
  • com.ibm.msg.client.commonservices.jar
  • com.ibm.msg.client.jms.internal.jar
  • com.ibm.msg.client.jms.jar
  • com.ibm.msg.client.provider.jar
  • com.ibm.msg.client.wmq.common.jar
  • com.ibm.msg.client.wmq.factories.jar
  • com.ibm.msg.client.wmq.jar
  • com.ibm.ws.admin.client_7.0.0.jar
  • com.ibm.ws.orb_7.0.0.jar
  • com.ibm.ws.runtime.jar
  • com.ibm.ws.wlm.jar
  • dhbcore.jar
  • ibmkeycert.jar
  • ibmpkcs.jar

These jars should be provided to you by your MQ team.

Configuring JMS in WebSphere

Perform the following steps in WebSphere:
  1. Log in to the WebSphere administrative console
  2. Navigate to Security - Global Security
  3. Expand the RMI/IIOP Security section
    1. Click CSIv2 inbound communications
      1. Select SSL-Required on CSIv2 Transport Layer - Transport
      2. Click OK
      3. Save the configuration
    2. Click CSIv2 outbound communications
      1. Select SSL-Required on CSIv2 Transport Layer - Transport
      2. Click OK
      3. Save the configuration
  4. Restart the WebSphere Application Server

Setting Up the JMS Environment

Perform the following steps to configure the environment:
  1. Copy the following files from the WAS install folder:
    • ssl.client.props (from WebSphere\AppServer\profiles\AppSrv01\properties\)
    • sas.client.props (from WebSphere\AppServer\profiles\AppSrv01\properties\)

  2. Create a jks keystore key.jks
  3. Create a jks truststore trust.jks
  4. Extract certificate from key.p12 (from WebSphere\AppServer\profiles\AppSrv01\etc\) and import it in key.jks
    Note: The keystore password is located in ssl.client.props -> com.ibm.ssl.keyStorePassword. The password is encoded if it starts with {xor}.

    For example: com.ibm.ssl.keyStorePassword={xor}CDo9Hgw= or com.ibm.ssl.keyStorePassword=WebAS

  5. Extract certificate from trust.p12 (from WebSphere\AppServer\profiles\AppSrv01\etc\) and import it in trust.jks
    Note: The truststore password is located in ssl.client.props -> com.ibm.ssl.trustStorePassword. The password is encoded if it starts with {xor}.

    For example: com.ibm.ssl.trustStorePassword={xor}CDo9Hgw= or com.ibm.ssl.trustStorePassword=WebAS

Configuring the Inside Nodes in Connect

To configure the inside nodes in Connect:
  1. Copy the files to the inside node(s)
  2. Edit ssl.client.props and ensure the properties match the following settings:
    • com.ibm.ssl.defaultAlias=DefaultSSLSettings
    • com.ibm.ssl.alias=DefaultSSLSettings
    • com.ibm.ssl.protocol=SSL
    • com.ibm.ssl.securityLevel=HIGH
    • com.ibm.ssl.trustManager=SunX509
    • com.ibm.ssl.keyManager=SunX509
    • com.ibm.ssl.contextProvider=SunJSSE
    • com.ibm.ssl.enableSignerExchangePrompt=gui
    • com.ibm.ssl.keyStoreName=ClientDefaultKeyStore
    • com.ibm.ssl.keyStore=c:/ssl/key.jks (Note: Change this to the path of the key.jks file copied to the node)
    • com.ibm.ssl.keyStorePassword=WebAS (Note: Change this to the password of the keystore on WAS)
    • com.ibm.ssl.keyStoreType=JKS
    • com.ibm.ssl.keyStoreProvider=SUN
    • com.ibm.ssl.keyStoreFileBased=true
    • com.ibm.ssl.trustStoreName=ClientDefaultTrustStore
    • com.ibm.ssl.trustStore=c:/ssl/trust.jks (Note: Change this to the path of the trust.jks file copied to the node)
    • com.ibm.ssl.trustStorePassword=WebAS (Note: Change this to the password of the truststore on WAS)
    • com.ibm.ssl.trustStoreType=JKS
    • com.ibm.ssl.trustStoreProvider=SUN
    • com.ibm.ssl.trustStoreFileBased=true
    • com.ibm.ssl.trustStoreReadOnly=false

  3. Edit sas.client.props and ensure the properties match the following settings:
    • com.ibm.CORBA.securityEnabled=true
    • com.ibm.CORBA.loginSource=none
    • com.ibm.CSI.performTransportAssocSSLTLSRequired=true
    • com.ibm.ssl.alias=DefaultSSLSettings

  4. Copy orb.properties from the IBM JRE to kc/java/lib/ on the Connect node
    Note: If you are using a JRE for Connect in another location, copy the orb.properties file into that location ../jre/lib

  5. Edit crm.env and add to JAVAOPTIONS:
    • -Dcom.ibm.SSL.ConfigURL="file:c:/ssl.client.props"
    • -Dcom.ibm.CORBA.ConfigURL="file:c:/sas.client.props"
    Example:
    JAVAOPTIONS=-Xmx384m -Dcom.ibm.SSL.ConfigURL="file:c:/ssl.client.props" -Dcom.ibm.CORBA.ConfigURL="file:c:/sas.client.props"
  6. Restart the CRMMonitor/connect service
  7. Start Connection Factory in the Connect Admin console
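
As an added example (not part of the original guide or the product), the Python check below compares an edited ssl.client.props or sas.client.props with the fixed values listed in steps 2 and 3, and decodes the {xor} password form from the keystore notes, which is a reversible encoding rather than encryption. The parser is simplified, the function names are illustrative, and the sample file content is constructed.

```python
import base64

def parse_props(text):
    """Simplified .properties parser: key=value lines, '#' and '!' comments skipped."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and line[0] not in "#!" and "=" in line:
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    return props

# Fixed values taken from steps 2 and 3 above (paths and passwords are site-specific).
REQUIRED_SSL = parse_props("""
com.ibm.ssl.alias=DefaultSSLSettings
com.ibm.ssl.protocol=SSL
com.ibm.ssl.securityLevel=HIGH
com.ibm.ssl.keyStoreType=JKS
com.ibm.ssl.trustStoreType=JKS
com.ibm.ssl.trustStoreFileBased=true
""")
REQUIRED_SAS = parse_props("""
com.ibm.CORBA.securityEnabled=true
com.ibm.CORBA.loginSource=none
com.ibm.CSI.performTransportAssocSSLTLSRequired=true
com.ibm.ssl.alias=DefaultSSLSettings
""")

def decode_password(value):
    """Undo {xor}: base64-decode, then XOR each byte with '_' (0x5F)."""
    if not value.startswith("{xor}"):
        return value  # stored in clear text
    return bytes(b ^ 0x5F for b in base64.b64decode(value[5:])).decode()

def mismatches(props, required):
    """Map each missing or different key to (expected, actual)."""
    return {k: (v, props.get(k)) for k, v in required.items() if props.get(k) != v}

# Constructed sample: a copied file where keyStoreType was not changed to JKS.
SAMPLE_SSL = """
com.ibm.ssl.alias=DefaultSSLSettings
com.ibm.ssl.protocol=SSL
com.ibm.ssl.securityLevel=HIGH
com.ibm.ssl.keyStoreType=PKCS12
com.ibm.ssl.keyStorePassword={xor}CDo9Hgw=
com.ibm.ssl.trustStoreType= JKS
"""

if __name__ == "__main__":
    print(mismatches(parse_props(SAMPLE_SSL), REQUIRED_SSL))
```

Because an {xor} value decodes directly to the clear-text password, restrict read access on the copied props files to the account that runs the Connect service.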

Troubleshooting JMS Configuration

If you run into problems configuring JMS:

  1. You can add trace options to the Java processes
    Edit the crm.env file and add to JAVAOPTIONS:
    • -Dcom.ibm.CORBA.Debug=true
    • -Dcom.ibm.CORBA.CommTrace=true
    • -Dcom.ibm.CORBA.Debug.Output=client.log
    Example:
    JAVAOPTIONS=-Xmx384m -Dcom.ibm.SSL.ConfigURL="file:c:/ssl.client.props" -Dcom.ibm.CORBA.ConfigURL="file:c:/sas.client.props" -Dcom.ibm.CORBA.Debug=true -Dcom.ibm.CORBA.CommTrace=true -Dcom.ibm.CORBA.Debug.Output=client.log
  2. Restart the CRMMonitor/connect service
  3. Check logs for errors or information:
    • client.log
    • EventLoader log
    • orbtrace files, FFDC folder and files, mqlog files