WebSphere MQ server: Transport chain security
System security for a connection between service integration and a WebSphere MQ network is provided by the Transport Layer Security (TLS) and SSL protocols.
When WebSphere Application Server (WAS) uses SSL, the administrator must create an SSL repertoire, a channel and a transport chain. The transport chain must be referenced by the WebSphere MQ server through the server transport chain attribute, and must also be a trusted transport for the service integration bus to which the WebSphere MQ server belongs. The default setting is for service integration buses to trust only the SSL transport.
Two default transport chains are created on each WebSphere MQ server: OutboundBasicWMQClient and OutboundSecureWMQClient. The OutboundSecureWMQClient transport chain uses SSL and is configured to use the server default SSL repertoire. To create your own transport chain, define it to every WebSphere MQ server that is a service integration bus member. Here is an example of how you might define your own transport chain by using Jython:
wsadmin>tcs = AdminConfig.list("TransportChannelService").splitlines()[0]
wsadmin>tcp = AdminConfig.create("TCPOutboundChannel", tcs, [["name", "MyWMQChain.TCP"]])
wsadmin>ssl = AdminConfig.create("SSLOutboundChannel", tcs, [["name", "MyWMQChain.SSL"], ["sslConfigAlias", "MyRepertoire"]])
wsadmin>rmq = AdminConfig.create("RMQOutboundChannel", tcs, [["name", "MyWMQChain.RMQ"]])
wsadmin>AdminConfig.create("Chain", tcs, [["name", "MyWMQChain"], ["enable", "true"], ["transportChannels", [rmq, ssl, tcp]]])

This example creates a transport chain suitable for connecting a WebSphere MQ server to WebSphere MQ by using SSL. The chain is called MyWMQChain, and uses an SSL repertoire called MyRepertoire.

WebSphere MQ uses a single cipher suite only for securing connections to a queue manager, although WebSphere Application Server SSL repertoires allow you to specify multiple cipher suites. Each cipher suite is tried sequentially until a successful connection is established, or until all the cipher suites have been tried. The most recent cipher suite that allowed a successful connection is cached on a WebSphere MQ server bus member basis, and is tried first on subsequent connection attempts.
When transport security is enabled, the transport chain used for connections to WebSphere MQ must be a permitted chain; otherwise it is not possible to establish a connection to WebSphere MQ.
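To check which WebSphere MQ outbound chains actually carry an SSL channel, and which repertoire each one uses, the chain definitions can be read back with the same AdminConfig object. The following is an added example, not IBM code: the helper names, the stub class, its IDs, the alias ConstructedDefaultAlias and the chain SomeInboundChain are constructed for illustration, and it assumes channel names contain no spaces.

```python
# Added example, not IBM code. Under "wsadmin -lang jython" the AdminConfig
# object is predefined: call audit_wmq_chains(AdminConfig).

def split_ids(text):
    # showAttribute() returns a list attribute as "[id1 id2 ...]".
    # Assumption: channel names contain no spaces (wsadmin quotes such IDs).
    return text.strip().lstrip("[").rstrip("]").split()

def audit_wmq_chains(admin_config):
    """Return [(chain name, SSL repertoire alias or None)] for every chain
    that contains an RMQ outbound channel, i.e. a WebSphere MQ client chain."""
    ssl_ids = admin_config.list("SSLOutboundChannel").splitlines()
    rmq_ids = admin_config.list("RMQOutboundChannel").splitlines()
    report = []
    for chain in admin_config.list("Chain").splitlines():
        members = split_ids(admin_config.showAttribute(chain, "transportChannels"))
        if not [m for m in members if m in rmq_ids]:
            continue  # inbound chain or a chain unrelated to WebSphere MQ
        alias = None  # None means the chain has no SSL channel at all
        for m in members:
            if m in ssl_ids:
                alias = admin_config.showAttribute(m, "sslConfigAlias") or ""
        report.append((admin_config.showAttribute(chain, "name"), alias))
    return report

def cleartext_chains(report):
    # Chains without an SSL channel carry WebSphere MQ traffic unencrypted.
    return [name for name, alias in report if alias is None]

class StubAdminConfig:
    """Constructed stand-in for wsadmin's AdminConfig; all IDs are made up."""
    types = {"SSLOutboundChannel": ["ssl1", "ssl2"],
             "RMQOutboundChannel": ["rmq1", "rmq2", "rmq3"],
             "Chain": ["c1", "c2", "c3", "c4"]}
    attrs = {("c1", "name"): "OutboundBasicWMQClient",
             ("c1", "transportChannels"): "[rmq1 tcp1]",
             ("c2", "name"): "OutboundSecureWMQClient",
             ("c2", "transportChannels"): "[rmq2 ssl1 tcp2]",
             ("c3", "name"): "MyWMQChain",
             ("c3", "transportChannels"): "[rmq3 ssl2 tcp3]",
             ("c4", "name"): "SomeInboundChain",
             ("c4", "transportChannels"): "[tcpin1 http1]",
             ("ssl1", "sslConfigAlias"): "ConstructedDefaultAlias",
             ("ssl2", "sslConfigAlias"): "MyRepertoire"}
    def list(self, type_name):
        return "\n".join(self.types.get(type_name, []))
    def showAttribute(self, config_id, attr):
        return self.attrs[(config_id, attr)]
```

Any chain name returned by cleartext_chains should not be the server transport chain of a WebSphere MQ server on a bus that has transport security enabled.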