Network Deployment (Distributed operating systems), v8.0
Secure JMS client and JMS resource adapter connections
There are two approaches to configuring Secure Sockets Layer (SSL) for the Thin Client for JMS with WAS and the Resource Adapter for JMS with WAS. The global configuration approach affects all stand-alone outbound connections from the process, and the private approach applies only to client or resource adapter connections from the process.
The Thin Client for JMS with WAS and the Resource Adapter for JMS with WAS use the standard Java Secure Socket Extension (JSSE) that all supported JREs provide for making SSL connections. For information about JSSE, see the JSSE documentation.
The global configuration approach uses JRE global properties and affects all outbound SSL connections that the application initiates. For a JRE configured to use SSL connections to connect to WAS, you typically have to set the following javax.net.ssl system properties:
-Djavax.net.ssl.keyStore=key.p12
-Djavax.net.ssl.keyStorePassword={xor}Lz4sLCgwLTs=
-Djavax.net.ssl.trustStore=trust.p12
-Djavax.net.ssl.trustStorePassword={xor}PSo4LSov
You can use the private configuration approach to specify security settings that are specific to the Thin Client for JMS with WAS or the Resource Adapter for JMS with WAS connections. You can configure the com.ibm.ws.sib.client.ssl.properties system property to specify the location of an IBM SSL properties file. If this system property is not configured, an attempt is made to load the properties file from the classpath instead.
The client obtains the value that it uses for any particular SSL property as follows:
- If the property has a value defined in the properties file containing the IBM SSL properties, the client uses this value.
- If there is no value for the property in the properties file, and there is a suitable property in the associated JRE system properties, the client uses this value.
- If there is no suitable javax.net.ssl property, the client uses the default value.
The table below summarizes the IBM SSL property keys that can be configured inside the IBM SSL properties file, and the corresponding javax.net.ssl.* system property keys and default values.
IBM SSL property values and corresponding JRE global property and default values. The first column of the table lists the IBM SSL property keys and the second column lists the corresponding JRE global property keys. The third column provides the default values of the properties.
| IBM SSL property | JRE global property | Default value |
|---|---|---|
| com.ibm.ssl.keyStoreType | javax.net.ssl.keyStoreType | JKS |
| com.ibm.ssl.keyStore | javax.net.ssl.keyStore | None |
| com.ibm.ssl.keyManager | javax.net.ssl.keyStoreProvider | IbmX509 |
| com.ibm.ssl.trustManager | javax.net.ssl.trustStoreProvider | IbmX509 |
| com.ibm.ssl.keyStorePassword | javax.net.ssl.keyStorePassword | None |
| com.ibm.ssl.protocol | None | SSL |
| com.ibm.ssl.contextProvider | None | IBMJSSE2 |
| com.ibm.ws.sib.jsseProvider | None | com.ibm.jsse2.IBMJSSEProvider2 |
| com.ibm.ssl.trustStore | javax.net.ssl.trustStore | None |
| com.ibm.ssl.trustStoreType | javax.net.ssl.trustStoreType | JKS |
| com.ibm.ssl.trustStorePassword | javax.net.ssl.trustStorePassword | None |

For example, you might create an ssl.properties file that contains the following properties and values:
com.ibm.ssl.keyStore=/thinclient/key.p12
com.ibm.ssl.keyStoreType=PKCS12
com.ibm.ssl.keyStorePassword=WebAS
com.ibm.ssl.trustStore=/thinclient/trust.p12
com.ibm.ssl.trustStoreType=PKCS12
com.ibm.ssl.trustStorePassword=WebAS
You can use the PropFilePasswordEncoder tool in the WAS bin directory to encode passwords stored in plain text property files. For further information, see Encode passwords in files.
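The lookup order and the table above can be checked offline before a client is deployed. The following is an added example, not code from the original page or from IBM; the function names, the simplified properties parser and the sample inputs are assumptions constructed for illustration.

```python
# Added example, not IBM code. IBM SSL key -> (JRE global key, default), from the table.
TABLE = {
    "com.ibm.ssl.keyStoreType": ("javax.net.ssl.keyStoreType", "JKS"),
    "com.ibm.ssl.keyStore": ("javax.net.ssl.keyStore", None),
    "com.ibm.ssl.keyManager": ("javax.net.ssl.keyStoreProvider", "IbmX509"),
    "com.ibm.ssl.trustManager": ("javax.net.ssl.trustStoreProvider", "IbmX509"),
    "com.ibm.ssl.keyStorePassword": ("javax.net.ssl.keyStorePassword", None),
    "com.ibm.ssl.protocol": (None, "SSL"),
    "com.ibm.ssl.contextProvider": (None, "IBMJSSE2"),
    "com.ibm.ws.sib.jsseProvider": (None, "com.ibm.jsse2.IBMJSSEProvider2"),
    "com.ibm.ssl.trustStore": ("javax.net.ssl.trustStore", None),
    "com.ibm.ssl.trustStoreType": ("javax.net.ssl.trustStoreType", "JKS"),
    "com.ibm.ssl.trustStorePassword": ("javax.net.ssl.trustStorePassword", None),
}
# Constructed sample inputs: a partial ssl.properties file and JVM -D options.
SAMPLE_FILE = ("com.ibm.ssl.keyStore=/thinclient/key.p12\n"
               "com.ibm.ssl.keyStoreType=PKCS12\n"
               "com.ibm.ssl.keyStorePassword=WebAS\n")
SAMPLE_ARGS = ["-Djavax.net.ssl.keyStore=key.p12", "-Djavax.net.ssl.trustStore=trust.p12"]

def parse_properties(text):
    """Simplified key=value parser; skips blank lines and # or ! comments."""
    lines = (l.strip() for l in text.splitlines())
    pairs = (l.split("=", 1) for l in lines if l and l[0] not in "#!" and "=" in l)
    return {k.strip(): v.strip() for k, v in pairs}

def parse_jvm_args(args):
    """Collect -Dkey=value options from a JVM argument list."""
    return dict(a[2:].split("=", 1) for a in args if a.startswith("-D") and "=" in a)

def resolve(file_props, sys_props):
    """Return {ibm_key: (value, source)}: file, then JRE property, then default."""
    out = {}
    for key, (jre_key, default) in TABLE.items():
        if key in file_props:
            out[key] = (file_props[key], "file")
        elif jre_key in sys_props:  # jre_key is None when the table lists no JRE key
            out[key] = (sys_props[jre_key], "jre")
        else:
            out[key] = (default, "default")
    return out

def unencoded_passwords(file_props):
    """Password keys in the file whose value lacks the {xor} prefix."""
    return sorted(k for k, v in file_props.items()
                  if k.endswith("Password") and not v.startswith("{xor}"))

if __name__ == "__main__":
    print(resolve(parse_properties(SAMPLE_FILE), parse_jvm_args(SAMPLE_ARGS)))
```

In the sample, the trust store path comes from the JRE property while its type falls back to the default JKS, the kind of mixed-source result worth catching before deployment. The {xor} form is an encoding rather than encryption, so the properties file still needs restrictive file permissions.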
Notes:
- SSL connections from Sun JREs that use the Thin Client for JMS with WAS cannot use the default WAS PKCS12 key and trust stores. If you are running the client securely from Sun JREs, first extract the certificates from the trust store by using an IBM software development kit (SDK). You can then import these certificates into a keystore that the Sun JRE can recognize correctly, such as a JKS keystore.
- SSL connections are not supported by the IBM JRE shipped with WAS; a non-WAS installed JRE must be used.
Procedure
- Obtain the necessary key and trust store files.
- Set the javax.net.ssl system properties required for the global configuration approach.
- For the private configuration approach, use the com.ibm.ws.sib.client.ssl.properties system property to specify the file from which the SSL properties are to be loaded, as shown in the following example:
-Dcom.ibm.ws.sib.client.ssl.properties=c:/ssl.properties