Secure Sockets Layer (SSL) authentication

 

We can use SSL authentication when a WebSphere MQ JMS client connects directly to a WebSphere Business Integration Event Broker or WebSphere Business Integration Message Broker broker. Only SSL authentication is supported for this type of connection. SSL cannot be used to encrypt or decrypt message data that flows between the WebSphere MQ JMS client and the broker or to perform integrity checks on the data.

Note the difference between this situation and that when a WebSphere MQ JMS client connects to a WebSphere MQ queue manager. In the latter case, the WebSphere MQ SSL support can be used to encrypt and decrypt message data that flows between the client and the queue manager and to perform integrity checks on the data, as well as providing authentication.

If you want to protect message data on a direct connection to a broker, you can use the message protection function provided by the broker instead. You can assign a quality of protection (QoP) value to each topic whose associated messages you want to protect. This allows you to select a different level of message protection for each topic.

If client authentication is required, a WebSphere MQ JMS client can use the same digital certificate for connecting directly to a broker as it does for connecting to a WebSphere MQ queue manager.

We can configure a WebSphere MQ JMS client to use SSL authentication in either of the following ways:

  1. If the TRANSPORT property is set to DIRECT, then it is the DIRECTAUTH property, not the SSLCIPHERSUITE property, that determines whether SSL authentication is used.

  2. If the DIRECTAUTH property is set to CERTIFICATE, the SSLPEERNAME and SSLCRL properties are used to perform the same checks as those performed when a WebSphere MQ JMS client connects to a WebSphere MQ queue manager using the WebSphere MQ SSL support.

  3. The Java™ Secure Socket Extension (JSSE) keystore and truststore configurations determine which client certificate is used for authentication, and whether a server certificate is trusted, in the same way that they do when a WebSphere MQ JMS client connects to a WebSphere MQ queue manager using the WebSphere MQ SSL support.
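The following Java sketch is an added example, not code from the original page or from IBM. It shows how the three points above fit together in an application that builds its own connection factory. It assumes the WebSphere MQ classes for JMS setters that correspond to the TRANSPORT, DIRECTAUTH, SSLPEERNAME and SSLCRL properties; the host name, port, distinguished name, LDAP URL, file paths and environment variable names are constructed for illustration.

```java
import javax.jms.JMSException;
import javax.jms.TopicConnection;
import com.ibm.mq.jms.JMSC;
import com.ibm.mq.jms.MQTopicConnectionFactory;

public class DirectAuthExample {

    // Fail early if a store password is missing rather than passing null to JSSE.
    static String requireEnv(String name) {
        String value = System.getenv(name);
        if (value == null || value.isEmpty()) {
            throw new IllegalStateException("Missing environment variable " + name);
        }
        return value;
    }

    public static void main(String[] args) throws JMSException {
        // JSSE keystore: the client certificate presented to the broker.
        // JSSE truststore: the signers accepted for the broker's certificate.
        // Paths and variable names are constructed sample values.
        System.setProperty("javax.net.ssl.keyStore", "/opt/app/ssl/client-key.jks");
        System.setProperty("javax.net.ssl.keyStorePassword", requireEnv("KEYSTORE_PASS"));
        System.setProperty("javax.net.ssl.trustStore", "/opt/app/ssl/broker-trust.jks");
        System.setProperty("javax.net.ssl.trustStorePassword", requireEnv("TRUSTSTORE_PASS"));

        MQTopicConnectionFactory tcf = new MQTopicConnectionFactory();
        tcf.setTransportType(JMSC.MQJMS_TP_DIRECT_TCPIP);     // TRANSPORT(DIRECT)
        tcf.setHostName("broker.example.com");                // constructed host
        tcf.setPort(1506);                                    // constructed port

        // With a direct connection, DIRECTAUTH decides whether SSL authentication
        // is used. SSLCIPHERSUITE is deliberately left unset.
        tcf.setDirectAuth(JMSC.MQJMS_DIRECTAUTH_CERTIFICATE); // DIRECTAUTH(CERTIFICATE)

        // Same peer-name and revocation checks as on a queue manager connection.
        tcf.setSSLPeerName("CN=broker.example.com, O=Example");  // SSLPEERNAME
        tcf.setSSLCertStores("ldap://crl.example.com:389");      // SSLCRL

        // The connection is authenticated only. Message data is not encrypted
        // or integrity-checked by SSL here; use the broker's QoP per topic.
        TopicConnection connection = tcf.createTopicConnection();
        try {
            connection.start();
        } finally {
            connection.close();
        }
    }
}
```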

