Prerequisites:

• For Connect 10r560+
• install Websphere 9.0.0.10+ with JDK 8
• install Websphere MQ 9.0+

WebSphere Configuration:

1. Login in to WebSphere Administrative Console
2. Navigate to Security - Global Security
3. Expand RMI/IIOP security
4. Click CSIv2 inbound communications
5. Select SSL-Required on CSIv2 Transport Layer - Transport
6. Click OK
7. Save the configuration
8. Click CSIv2 outbound communications
9. Select SSL-Required on CSIv2 Transport Layer - Transport
10. Click OK
11. Save the configuration
12. Restart WebSphere Application Server

Connect Environment Setup Steps:

1. Copy the following files from WAS install folder
   • -ssl.client.props (from WebSphere\AppServer\profiles\AppSrv01\properties\)
   • -sas.client.props (from WebSphere\AppServer\profiles\AppSrv01\properties\)
2. Creating jks keystore (3 options available):
   • Java https://support.globalsign.com/customer/en/portal/articles/2121490-java-keytool---create-keystore
   • Portecle http://portecle.sourceforge.net/create-keystore.html
   • IBM Key Management from IBM MQ https://www.ibm.com/support/knowledgecenter/en/SSMKFH/com.ibm.apmaas.doc/install/wrt_config_https_keystore.htm
3. Create a jks keystore mykeystore.jks with a password (example: mypassword)
4. Create a jks truststore mytruststore.jks with password (example: mypassword)
5. Export WebSphere Trusted Certificate in trust.cer 
6. Import WebSphere Trusted Certificate in mytruststore

SSL Configuration:

1. Edit ssl.client.props and be sure that the following properties match
   

   com.ibm.ssl.defaultAlias=DefaultSSLSettings
   com.ibm.ssl.alias=DefaultSSLSettings
   com.ibm.ssl.protocol=SSL
   com.ibm.ssl.securityLevel=HIGH
   com.ibm.ssl.trustManager= SunX509
   com.ibm.ssl.keyManager= SunX509
   com.ibm.ssl.contextProvider= SunJSSE
   com.ibm.ssl.enableSignerExchangePrompt=false
   com.ibm.ssl.keyStoreName=ClientDefaultKeyStore
   com.ibm.ssl.keyStore=c:/ssl/mykeystore.jks
   (change this with the path to mykeystore.jks file copied to the node)
   com.ibm.ssl.keyStorePassword=mypassword
   (change this with the password of mykeystore.jks)
   com.ibm.ssl.keyStoreType= JKS
   com.ibm.ssl.keyStoreProvider= SUN
   com.ibm.ssl.keyStoreFileBased=true
   com.ibm.ssl.trustStoreName=ClientDefaultTrustStore
   com.ibm.ssl.trustStore=c:/ssl/mytruststore. jks
   (change this with the path to mytruststore.jks file copied to the node)
   com.ibm.ssl.trustStorePassword=mypassword
   (change this with the password of mytruststore.jks)
   com.ibm.ssl.trustStoreType= JKS
   com.ibm.ssl.trustStoreProvider= SUN
   com.ibm.ssl.trustStoreFileBased=true
   com.ibm.ssl.trustStoreReadOnly=false

2. Edit sas.client.props
   

   com.ibm.CORBA.securityEnabled=true
   com.ibm.CORBA.loginSource=none
   com.ibm.CSI.performTransportAssocSSLTLSRequired=true
   com.ibm.ssl.alias=DefaultSSLSettings

3. Copy orb.properties from IBM JRE to kc/java/lib/ on Connect node
   (if using JRE for connect in other location then copy orb.properties in
   that location ../jre/lib)
4. -or add the following line in Connect in jndi.properties textarea org.omg.CORBA.ORBClass=com.ibm.CORBA.iiop.ORB

Windows Configuration:

Edit crm.env and add to JAVAOPTIONS:

-Dcom.ibm.SSL.ConfigURL="file:c:/ssl.client.props" -Dcom.ibm.CORBA.ConfigURL="file:c:/sas.client.props"

Example:

JAVAOPTIONS=-Xmx384m -Dcom.ibm.SSL.ConfigURL="file:c:/ssl.client.props" -Dcom.ibm.CORBA.ConfigURL="file:c:/sas.client.props"

Linux Configuration:

1. Edit runvm.sh and runmonitor.sh:
2. Add in same line after -Dcom.kana.connect.NodeName=%CONNECT_NODENAME%:
   

   -Dcom.ibm.SSL.ConfigURL="file:/home/connectuser/brickstSD/kc/kc/import.ext/ssl/ssl.client.props" -Dcom.ibm.CORBA.ConfigURL="file:/home/connectuser/brickstSD/kc/kc/import.ext/ssl/sas.client.props"

3. Restart CRMMonitor/Connect service
4. Start Connection Factory in Connect Admin console

Troubleshooting:

Add trace option to java processes

Windows:  

• edit crm.env and add to JAVAOPTIONS:

-Dcom.ibm.CORBA.Debug=true -Dcom.ibm.CORBA.CommTrace=true -Dcom.ibm.CORBA.Debug.Output=client.log

Example:

JAVAOPTIONS=-Xmx384m -Dcom.ibm.SSL.ConfigURL="file:c:/ssl.client.props" -Dcom.ibm.CORBA.ConfigURL="file:c:/sas.client.props" -Dcom.ibm.CORBA.Debug=true -Dcom.ibm.CORBA.CommTrace=true -Dcom.ibm.CORBA.Debug.Output=client.log

• Restart CRMMonitor/connect service
• Check logs for errors or info

Linux:

edit runvm.sh and runmonitor.sh and add in same line after Dcom.kana.connect.NodeName=%CONNECT_NODENAME%:

-Dcom.ibm.CORBA.Debug=true -Dcom.ibm.CORBA.CommTrace=true -Dcom.ibm.CORBA.Debug.Output=client.log

• restart CRMMonitor/connect service
• check logs for errors or info

Logs:

• client.log
• EventLoader log
• orbtrace files
• FFDC folder and files
• mqlog files

Errors:

Hostname issues: org.omg.CORBA.TRANSIENT: initial and forwarded IOR inaccessible  vmcid: IBM minor code: E07 completed: No

RMI/IIOP SSL enabled on WAS but no certificate in connect: org.omg.CORBA.TRANSIENT: initial and forwarded IOR inaccessible  vmcid: 0x4942f000 minor code: 3591 completed: No

Incorrect username/password: com.ibm.msg.client.jms.DetailedJMSSecurityException: JMSWMQ2013: The security authentication was not valid that was supplied for QueueManager … with connection mode 'Client' and host name .... Please check if the supplied username and password are correct on the QueueManager you are connecting to ("JMSWMQ2013: The security authentication was not valid that was supplied for QueueManager

orb.properties not present in jre/lib: StackOverflow error

REQUIRED JARS FROM MQ & WAS:

From MQ 9.1.1.0 (UPDATED 14/01/2019)

c:\IBM\MQ\java\lib\com.ibm.mq.allclient.jar
c:\IBM\MQ\java\lib\com.ibm.mq.connector.jar
c:\IBM\MQ\java\lib\com.ibm.mq.headers.jar
c:\IBM\MQ\java\lib\com.ibm.mq.jar
c:\IBM\MQ\java\lib\com.ibm.mq.jmqi.jar
c:\IBM\MQ\java\lib\com.ibm.mq.pcf.jar
c:\IBM\MQ\java\lib\com.ibm.mq.traceControl.jar
c:\IBM\MQ\java\lib\com.ibm.mqjms.jar
c:\IBM\MQ\java\lib\fscontext.jar
c:\IBM\MQ\java\lib\jms.jar
c:\IBM\MQ\java\lib\providerutil.jar

From WAS 9.0.0.10

c:\IBM\WebSphere\AppServer\runtimes\com.ibm.jaxrs1.1.thinclient_9.0.jar
c:\IBM\WebSphere\AppServer\runtimes\com.ibm.jaxrs2.0.thinclient_9.0.jar
c:\IBM\WebSphere\AppServer\runtimes\com.ibm.jaxws.thinclient_9.0.jar
c:\IBM\WebSphere\AppServer\runtimes\com.ibm.ws.admin.client_9.0.jar
c:\IBM\WebSphere\AppServer\runtimes\\com.ibm.ws.ejb.portable_9.0.jar
c:\IBM\WebSphere\AppServer\runtimes\com.ibm.ws.ejb.thinclient_9.0.jar
c:\IBM\WebSphere\AppServer\runtimes\com.ibm.ws.jpa-2.0.thinclient_9.0.jar
c:\IBM\WebSphere\AppServer\runtimes\com.ibm.ws.jpa-2.1.thinclient_9.0.jar
c:\IBM\WebSphere\AppServer\runtimes\com.ibm.ws.messagingClient.jar
c:\IBM\WebSphere\AppServer\runtimes\com.ibm.ws.orb_9.0.jar
c:\IBM\WebSphere\AppServer\plugins\com.ibm.ws.runtime.jar
c:\IBM\WebSphere\AppServer\runtimes\com.ibm.ws.sib.client.thin.jms_9.0.jar
c:\IBM\WebSphere\AppServer\runtimes\com.ibm.ws.sib.client_ExpeditorDRE_9.0.jar
c:\IBM\WebSphere\AppServer\runtimes\com.ibm.ws.webservices.thinclient_9.0.jar
c:\IBM\WebSphere\AppServer\runtimes\com.ibm.xml.thinclient_9.0.jar
c:\IBM\WebSphere\AppServer\plugins\com.ibm.tx.ltc.jar
c:\IBM\WebSphere\AppServer\plugins\com.ibm.ws.security.crypto.jar
c:\IBM\WebSphere\AppServer\plugins\com.ibm.ws.sib.server.jar
c:\IBM\WebSphere\AppServer\java\8.0\jre\lib\ext\ibmkeycert.jar
c:\IBM\WebSphere\AppServer\java\8.0\jre\lib\ibmpkcs.jar

IBM MQ SSL SERVER CONFIG

1. Create keystore with stashed password for IBM MQ Server using IBM Key Management
2. MQ Explorer - right click IBM WebSphere MQ - Manage SSL Certificates - New - type CMS, name key.kdb, stash password checked, location c:/Program Data/IBM/MQ/Qmgrs/ConnectQueueManager/ssl, password mypassword
3. Create new self-signed certificate with name ibmwebspheremqconnectqueuemanager with signature algorithm SHA256WithRSA
4. Extract certificate
5. Using IBM Key Management create keystores of type JKS, password mypassword
6. Create keyStoreMQ.jks - or use the one created above
7. Create trustStoreMQ.jks; import certificate from key.kdb
8. MQ Explorer - right click IBM WebSphere MQ - Preferences - Client Connections - SSL Key Repositories
9. "Enable default SSL options"
10. Set path and password for trust store C:\IBM\MQ\qmgrs\ConnectQueueManager\ssl\trustStoreMQ.jks, mypassword or C:\ProgramData\IBM\MQ\qmgrs\ConnectQueueManager\ssl\trustStoreMQ.jks
11. Set path and password for personal store: C:\IBM\MQ\qmgrs\ConnectQueueManager\ssl\keyStoreMQ.jks, mypassword or C:\ProgramData\IBM\MQ\qmgrs\ConnectQueueManager\ssl\keyStoreMQ.jks

SETUP MQ SERVER TO USE SSL

1. Setup CipherSpec for MQ to TLS_RSA_WITH_AES_128_CBC_SHA256 (or TLS_RSA_WITH_3DES_EDE_CBC_SHA or other supported CipherSpec)
2. MQ Explorer - right click IBM WebSphere MQ - Preferences - Client Connections - SSL Options - SSL CipherSpec
3. Setup path for ConnectQueueManager - SSL - SSL Key Repository to "c:/Program Data/IBM/MQ/Qmgrs/ConnectQueueManager\ssl\key"
4. Setup CipherSpec for Channel ConnectionChannel to TLS_RSA_WITH_AES_128_CBC_SHA256 (or TLS_RSA_WITH_3DES_EDE_CBC_SHA or other supported CipherSpec)
5. Set SSL Authentication from Optional to Required
6. Setup CipherSpec for Channel SYSTEM.DEF.SRVCONN (click Show System Objects near right Refresh button) to TLS_RSA_WITH_AES_128_CBC_SHA256 (or TLS_RSA_WITH_3DES_EDE_CBC_SHAor other supported CipherSpec)
7. Refresh SSL
8. ConnectQueueManager - Security - Refresh SSL...
9. Create user connectuser for ConnectQueueManager in MQExplorer give connectuser access to queues:
   ConnectQueueManager -> Queues -> RequestQueue -> right click - Object Authorities - Manage Authority Records... - Specific Profiles - RequestQueue - new user - connecuser - select all
   ConnectQueueManager - Queues - ResponseQueue - right click - Object Authorities - Manage Authority Records... - Specific Profiles - ResponseQueue - new user - connecuser - select all

SETUP WAS TO USE SSL FOR MQ

1. WAS - Resources - JMS - Queue connection factories - jms.cellQueueConnectionFactory - check "Use SSL to secure communication with WebSphere MQ"
2. Restart WAS

SETUP CONNECT

Windows:

1. Add truststore, keystore files to deployer
2. Add path to files and CipherSuite in crm.env for windows
3. When using JAVA8 the following system property must be added for some Cipher Spec:
   

   -Dcom.ibm.mq.cfg.useIBMCipherMappings=false
   
   JAVAOPTIONS=-Xmx384m -Djavax.net.ssl.trustStore="c:/trustStoreMQ.jks" -Djavax.net.ssl.keyStore="c:/keyStoreMQ.jks" -Djavax.net.ssl.keyStorePassword=mypassword -Djavax.net.ssl.trustStorePassword=mypassword -Dconnect.jms.cipherSuite=TLS_RSA_WITH_AES_128_CBC_SHA256

4. Restart vms

Finally with both HTTPS JNDI RMI IIOP and IBM MQ SERVER SSL enabled the JAVAOPTIONS should look like:

for windows (crm.env)

JAVAOPTIONS=-Xmx384m -Dcom.ibm.SSL.ConfigURL=file:c:/ssl.client.props -Dcom.ibm.CORBA.ConfigURL=file:c:/sas.client.props -Dconnect.jms.cipherSuite=TLS_RSA_WITH_AES_128_CBC_SHA256 -Dcom.ibm.mq.cfg.useIBMCipherMappings=false -Djavax.net.ssl.trustStore=c:/trustStoreMQ.jks -Djavax.net.ssl.trustStorePassword=mypassword -Djavax.net.ssl.keyStore=c:/keyStoreMQ.jks -Djavax.net.ssl.keyStorePassword=mypassword

Linux:

1. Add truststore, keystore files to deployer
2. Add path to files and CipherSuite in runvm.sh/runmonitor.sh for linux
3. When using JAVA8 the following system property must be added for some Cipher Spec:
   

   -Dcom.ibm.mq.cfg.useIBMCipherMappings=false
   
   -Djavax.net.ssl.trustStore="c:/trustStoreMQ.jks" -Djavax.net.ssl.keyStore="c:/keyStoreMQ.jks" -Djavax.net.ssl.keyStorePassword=mypassword -Djavax.net.ssl.trustStorePassword=mypassword -Dconnect.jms.cipherSuite=TLS_RSA_WITH_AES_128_CBC_SHA256

4. Restart vms

Finally with both HTTPS JNDI RMI IIOP and IBM MQ SERVER SSL enabled the line with exec $JAVAEXE from runvm.sh should look like:

exec $JAVAEXE ${BITTYPE} $JAVAOPTIONS $JAVAOPTIONS2 $JAVA_DEBUG -Dcom.kana.connect.NodeName=$CONNECT_NODENAME -Dcom.ibm.SSL.ConfigURL=file:/ssl.client.props -Dcom.ibm.CORBA.ConfigURL=file:/sas.client.props -Dconnect.jms.cipherSuite=TLS_RSA_WITH_AES_128_CBC_SHA256 -Dcom.ibm.mq.cfg.useIBMCipherMappings=false -Djavax.net.ssl.trustStore=/trustStoreMQ.jks -Djavax.net.ssl.trustStorePassword=mypassword -Djavax.net.ssl.keyStore=/keyStoreMQ.jks -Djavax.net.ssl.keyStorePassword=mypassword -Djava.vm=kc$1 -Dkc.depl=$CONNECT_DEPLOYMENTID -classpath $CLASSPATH com.kana.connect.server.CRM -vmid $1 -disableConsoleOutput