Supplying a customized SSLSocketFactory in IBM MQ classes for Java

If we use a customized JSSE socket factory, set MQEnvironment.sslSocketFactory to the customized factory object. The details of how the factory is built vary between JSSE implementations.

Different JSSE implementations can provide different features. For example, a specialized JSSE implementation might allow configuration of a particular model of encryption hardware. Additionally, some JSSE providers allow customization of keystores and truststores by program, or allow the choice of identity certificate from the keystore to be altered. In JSSE, all these customizations are abstracted into a factory class, javax.net.ssl.SSLSocketFactory.

See your JSSE documentation for details of how to create a customized SSLSocketFactory implementation. The details vary from provider to provider, but a typical sequence of steps is:

  1. Create an SSLContext object using a static method on SSLContext
  2. Initialize this SSLContext with appropriate KeyManager and TrustManager implementations (created from their own factory classes)
  3. Create an SSLSocketFactory from the SSLContext

When we have an SSLSocketFactory object, set MQEnvironment.sslSocketFactory to the customized factory object. For example:

  javax.net.ssl.SSLSocketFactory sf = sslContext.getSocketFactory(); // sslContext initialized in steps 1 and 2
  MQEnvironment.sslSocketFactory = sf;

IBM MQ classes for Java then use this SSLSocketFactory to connect to the IBM MQ queue manager. The same property can also be set using the CMQC.SSL_SOCKET_FACTORY_PROPERTY key. If sslSocketFactory is set to null, the default SSLSocketFactory of the JVM is used. Note that this property is ignored if sslCipherSuite is not set, so a custom factory has no effect on a connection that is not configured for TLS.

When we use custom SSLSocketFactories, consider the effect of TCP/IP connection sharing. If connection sharing is possible, a new socket is not requested from the supplied SSLSocketFactory for a subsequent connection request, even if the socket the factory would produce for that request differs in some way from the one already open. For example, if a different client certificate is to be presented on a subsequent connection, then connection sharing must not be allowed, because the shared socket would continue to present the certificate negotiated when it was first opened.
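The three steps above (SSLContext, KeyManager/TrustManager initialization, getSocketFactory) and the assignment to MQEnvironment.sslSocketFactory, carried through as one complete program. This is an added example, not code from the IBM MQ documentation: the keystore and truststore file names, passwords, host name, port, channel name, queue manager name and cipher suite are placeholders to be replaced with your own values. It uses the standard JSSE API and the public MQEnvironment fields (hostname, port, channel, sslCipherSuite, sslSocketFactory) and the MQQueueManager constructor from IBM MQ classes for Java; the sslCipherSuite assignment is included because, as the text states, the custom factory is ignored without it.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManagerFactory;

import com.ibm.mq.MQEnvironment;
import com.ibm.mq.MQException;
import com.ibm.mq.MQQueueManager;

public class CustomSslSocketFactoryExample {

    /**
     * Builds an SSLSocketFactory backed by an explicit identity keystore and
     * an explicit truststore, following the three-step sequence from the text.
     * Paths and passwords are supplied by the caller (placeholders in main()).
     */
    static SSLSocketFactory buildSocketFactory(String keyStorePath, char[] keyStorePassword,
                                               String trustStorePath, char[] trustStorePassword)
            throws Exception {
        // Step 1: create the SSLContext with the static factory method.
        SSLContext sslContext = SSLContext.getInstance("TLSv1.2");

        // Step 2a: KeyManager from the identity keystore. This is the client
        // certificate presented to the queue manager when the channel requires
        // mutual authentication.
        KeyStore keyStore = KeyStore.getInstance("PKCS12");
        try (FileInputStream in = new FileInputStream(keyStorePath)) {
            keyStore.load(in, keyStorePassword);
        }
        KeyManagerFactory kmf =
                KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(keyStore, keyStorePassword);

        // Step 2b: TrustManager from a separate truststore that holds only the
        // CA certificate(s) for the queue manager, so the client does not trust
        // every CA shipped with the JVM.
        KeyStore trustStore = KeyStore.getInstance("PKCS12");
        try (FileInputStream in = new FileInputStream(trustStorePath)) {
            trustStore.load(in, trustStorePassword);
        }
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);

        // Initialize the context; null SecureRandom selects the provider default.
        sslContext.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);

        // Step 3: obtain the SSLSocketFactory from the initialized context.
        return sslContext.getSocketFactory();
    }

    public static void main(String[] args) throws Exception {
        // Placeholder file names and passwords; read real passwords from a
        // protected source rather than embedding them in code.
        SSLSocketFactory sf = buildSocketFactory(
                "client-identity.p12", "changeit".toCharArray(),
                "qm-truststore.p12", "changeit".toCharArray());

        // Placeholder connection details for the queue manager.
        MQEnvironment.hostname = "mq.example.com";
        MQEnvironment.port = 1414;
        MQEnvironment.channel = "APP.SVRCONN";

        // sslCipherSuite must be set (and must match the channel's SSLCIPH
        // attribute); otherwise sslSocketFactory is ignored.
        MQEnvironment.sslCipherSuite = "TLS_RSA_WITH_AES_128_CBC_SHA256";

        // Hand the customized factory to IBM MQ classes for Java.
        MQEnvironment.sslSocketFactory = sf;

        MQQueueManager queueManager = null;
        try {
            // The connection is opened with a socket from our factory.
            queueManager = new MQQueueManager("QM1");
            System.out.println("Connected over TLS with a custom SSLSocketFactory");
        } catch (MQException e) {
            System.err.println("Connect failed: completion code " + e.completionCode
                    + ", reason code " + e.reasonCode);
        } finally {
            if (queueManager != null) {
                queueManager.disconnect();
            }
        }
    }
}
```

If a second MQQueueManager is to be opened with a different identity (a different keystore passed to buildSocketFactory and a new factory assigned to MQEnvironment.sslSocketFactory), remember the connection-sharing caveat above: a shared conversation reuses the existing socket and its already-negotiated client certificate, so sharing must be disabled on the channel for the new factory to be consulted.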