Skip to main content
Sign in

HOWTO: Configure JMS over SSL w/ WAS9, MQ9, JAVA8

Richard Soares
  • Updated

Prerequisites:

  • For Connect 10r560+
  • install Websphere 9.0.0.10+ with JDK 8
  • install Websphere MQ 9.0+

 

WebSphere Configuration:

  1. Login in to WebSphere Administrative Console
  2. Navigate to Security - Global Security
  3. Expand RMI/IIOP security
  4. Click CSIv2 inbound communications
  5. Select SSL-Required on CSIv2 Transport Layer - Transport
  6. Click OK
  7. Save the configuration
  8. Click CSIv2 outbound communications
  9. Select SSL-Required on CSIv2 Transport Layer - Transport
  10. Click OK
  11. Save the configuration
  12. Restart WebSphere Application Server

Connect Environment Setup Steps:

  1. Copy the following files from WAS install folder
    • -ssl.client.props (from WebSphere\AppServer\profiles\AppSrv01\properties\)
    • -sas.client.props (from WebSphere\AppServer\profiles\AppSrv01\properties\)
  2. Creating jks keystore (3 options available):
  3. Create a jks keystore mykeystore.jks with a password (example: mypassword)
  4. Create a jks truststore mytruststore.jks with password (example: mypassword)
  5. Export WebSphere Trusted Certificate in trust.cer 
  6. Import WebSphere Trusted Certificate in mytruststore

SSL Configuration:

  1. Edit ssl.client.props and be sure that the following properties match
     
    com.ibm.ssl.defaultAlias=DefaultSSLSettings
    com.ibm.ssl.alias=DefaultSSLSettings
    com.ibm.ssl.protocol=SSL
    com.ibm.ssl.securityLevel=HIGH
    com.ibm.ssl.trustManager= SunX509
    com.ibm.ssl.keyManager= SunX509
    com.ibm.ssl.contextProvider= SunJSSE
    com.ibm.ssl.enableSignerExchangePrompt=false
    com.ibm.ssl.keyStoreName=ClientDefaultKeyStore
    com.ibm.ssl.keyStore=c:/ssl/mykeystore.jks
    (change this with the path to mykeystore.jks file copied to the node)
    com.ibm.ssl.keyStorePassword=mypassword
    (change this with the password of mykeystore.jks)
    com.ibm.ssl.keyStoreType= JKS
    com.ibm.ssl.keyStoreProvider= SUN
    com.ibm.ssl.keyStoreFileBased=true
    com.ibm.ssl.trustStoreName=ClientDefaultTrustStore
    com.ibm.ssl.trustStore=c:/ssl/mytruststore. jks
    (change this with the path to mytruststore.jks file copied to the node)
    com.ibm.ssl.trustStorePassword=mypassword
    (change this with the password of mytruststore.jks)
    com.ibm.ssl.trustStoreType= JKS
    com.ibm.ssl.trustStoreProvider= SUN
    com.ibm.ssl.trustStoreFileBased=true
    com.ibm.ssl.trustStoreReadOnly=false
  2. Edit sas.client.props
     
    com.ibm.CORBA.securityEnabled=true
    com.ibm.CORBA.loginSource=none
    com.ibm.CSI.performTransportAssocSSLTLSRequired=true
    com.ibm.ssl.alias=DefaultSSLSettings
  3. Copy orb.properties from IBM JRE to kc/java/lib/ on Connect node
    (if using JRE for connect in other location then copy orb.properties in
    that location ../jre/lib)
  4. -or add the following line in Connect in jndi.properties textarea org.omg.CORBA.ORBClass=com.ibm.CORBA.iiop.ORB
  5. NOTE: In some instances orb.properties will need to exist in /jre/lib/security. If you're having difficulty with your instance place a copy of orb.properties in that directory as well. 

 

Windows Configuration:

Edit crm.env and add to JAVAOPTIONS:

-Dcom.ibm.SSL.ConfigURL="file:c:/ssl.client.props" -Dcom.ibm.CORBA.ConfigURL="file:c:/sas.client.props"

Example:

JAVAOPTIONS=-Xmx384m -Dcom.ibm.SSL.ConfigURL="file:c:/ssl.client.props" -Dcom.ibm.CORBA.ConfigURL="file:c:/sas.client.props"

Linux Configuration:

  1. Edit runvm.sh and runmonitor.sh:
  2. Add in same line after -Dcom.kana.connect.NodeName=%CONNECT_NODENAME%:
     
    -Dcom.ibm.SSL.ConfigURL="file:/home/connectuser/brickstSD/kc/kc/import.ext/ssl/ssl.client.props" -Dcom.ibm.CORBA.ConfigURL="file:/home/connectuser/brickstSD/kc/kc/import.ext/ssl/sas.client.props"
  3. Restart CRMMonitor/Connect service
  4. Start Connection Factory in Connect Admin console

Troubleshooting:

Add trace option to java processes

Windows:  

  • edit crm.env and add to JAVAOPTIONS:
-Dcom.ibm.CORBA.Debug=true -Dcom.ibm.CORBA.CommTrace=true -Dcom.ibm.CORBA.Debug.Output=client.log

Example:

JAVAOPTIONS=-Xmx384m -Dcom.ibm.SSL.ConfigURL="file:c:/ssl.client.props" -Dcom.ibm.CORBA.ConfigURL="file:c:/sas.client.props" -Dcom.ibm.CORBA.Debug=true -Dcom.ibm.CORBA.CommTrace=true -Dcom.ibm.CORBA.Debug.Output=client.log
  • Restart CRMMonitor/connect service
  • Check logs for errors or info

Linux:

edit runvm.sh and runmonitor.sh and add in same line after Dcom.kana.connect.NodeName=%CONNECT_NODENAME%:

-Dcom.ibm.CORBA.Debug=true -Dcom.ibm.CORBA.CommTrace=true -Dcom.ibm.CORBA.Debug.Output=client.log
  • restart CRMMonitor/connect service
  • check logs for errors or info

Logs:

  • client.log
  • EventLoader log
  • orbtrace files
  • FFDC folder and files
  • mqlog files

 

Errors:

Hostname issues: org.omg.CORBA.TRANSIENT: initial and forwarded IOR inaccessible  vmcid: IBM minor code: E07 completed: No

RMI/IIOP SSL enabled on WAS but no certificate in connect: org.omg.CORBA.TRANSIENT: initial and forwarded IOR inaccessible  vmcid: 0x4942f000 minor code: 3591 completed: No

Incorrect username/password: com.ibm.msg.client.jms.DetailedJMSSecurityException: JMSWMQ2013: The security authentication was not valid that was supplied for QueueManager … with connection mode 'Client' and host name .... Please check if the supplied username and password are correct on the QueueManager you are connecting to ("JMSWMQ2013: The security authentication was not valid that was supplied for QueueManager

orb.properties not present in jre/lib: StackOverflow error

REQUIRED JARS FROM MQ & WAS:

From MQ 9.1.1.0 (UPDATED 14/01/2019)

c:\IBM\MQ\java\lib\com.ibm.mq.allclient.jar
c:\IBM\MQ\java\lib\com.ibm.mq.connector.jar
c:\IBM\MQ\java\lib\com.ibm.mq.headers.jar
c:\IBM\MQ\java\lib\com.ibm.mq.jar
c:\IBM\MQ\java\lib\com.ibm.mq.jmqi.jar
c:\IBM\MQ\java\lib\com.ibm.mq.pcf.jar
c:\IBM\MQ\java\lib\com.ibm.mq.traceControl.jar
c:\IBM\MQ\java\lib\com.ibm.mqjms.jar
c:\IBM\MQ\java\lib\fscontext.jar
c:\IBM\MQ\java\lib\jms.jar
c:\IBM\MQ\java\lib\providerutil.jar

From WAS 9.0.0.10

c:\IBM\WebSphere\AppServer\runtimes\com.ibm.jaxrs1.1.thinclient_9.0.jar
c:\IBM\WebSphere\AppServer\runtimes\com.ibm.jaxrs2.0.thinclient_9.0.jar
c:\IBM\WebSphere\AppServer\runtimes\com.ibm.jaxws.thinclient_9.0.jar
c:\IBM\WebSphere\AppServer\runtimes\com.ibm.ws.admin.client_9.0.jar
c:\IBM\WebSphere\AppServer\runtimes\\com.ibm.ws.ejb.portable_9.0.jar
c:\IBM\WebSphere\AppServer\runtimes\com.ibm.ws.ejb.thinclient_9.0.jar
c:\IBM\WebSphere\AppServer\runtimes\com.ibm.ws.jpa-2.0.thinclient_9.0.jar
c:\IBM\WebSphere\AppServer\runtimes\com.ibm.ws.jpa-2.1.thinclient_9.0.jar
c:\IBM\WebSphere\AppServer\runtimes\com.ibm.ws.messagingClient.jar
c:\IBM\WebSphere\AppServer\runtimes\com.ibm.ws.orb_9.0.jar
c:\IBM\WebSphere\AppServer\plugins\com.ibm.ws.runtime.jar
c:\IBM\WebSphere\AppServer\runtimes\com.ibm.ws.sib.client.thin.jms_9.0.jar
c:\IBM\WebSphere\AppServer\runtimes\com.ibm.ws.sib.client_ExpeditorDRE_9.0.jar
c:\IBM\WebSphere\AppServer\runtimes\com.ibm.ws.webservices.thinclient_9.0.jar
c:\IBM\WebSphere\AppServer\runtimes\com.ibm.xml.thinclient_9.0.jar
c:\IBM\WebSphere\AppServer\plugins\com.ibm.tx.ltc.jar
c:\IBM\WebSphere\AppServer\plugins\com.ibm.ws.security.crypto.jar
c:\IBM\WebSphere\AppServer\plugins\com.ibm.ws.sib.server.jar
c:\IBM\WebSphere\AppServer\java\8.0\jre\lib\ext\ibmkeycert.jar
c:\IBM\WebSphere\AppServer\java\8.0\jre\lib\ibmpkcs.jar

 

IBM MQ SSL SERVER CONFIG

  1. Create keystore with stashed password for IBM MQ Server using IBM Key Management
  2. MQ Explorer - right click IBM WebSphere MQ - Manage SSL Certificates - New - type CMS, name key.kdb, stash password checked, location c:/Program Data/IBM/MQ/Qmgrs/ConnectQueueManager/ssl, password mypassword
  3. Create new self-signed certificate with name ibmwebspheremqconnectqueuemanager with signature algorithm SHA256WithRSA
  4. Extract certificate
  5. Using IBM Key Management create keystores of type JKS, password mypassword
  6. Create keyStoreMQ.jks - or use the one created above
  7. Create trustStoreMQ.jks; import certificate from key.kdb
  8. MQ Explorer - right click IBM WebSphere MQ - Preferences - Client Connections - SSL Key Repositories
  9. "Enable default SSL options"
  10. Set path and password for trust store C:\IBM\MQ\qmgrs\ConnectQueueManager\ssl\trustStoreMQ.jks, mypassword or C:\ProgramData\IBM\MQ\qmgrs\ConnectQueueManager\ssl\trustStoreMQ.jks
  11. Set path and password for personal store: C:\IBM\MQ\qmgrs\ConnectQueueManager\ssl\keyStoreMQ.jks, mypassword or C:\ProgramData\IBM\MQ\qmgrs\ConnectQueueManager\ssl\keyStoreMQ.jks

SETUP MQ SERVER TO USE SSL

  1. Setup CipherSpec for MQ to TLS_RSA_WITH_AES_128_CBC_SHA256 (or TLS_RSA_WITH_3DES_EDE_CBC_SHA or other supported CipherSpec)
  2. MQ Explorer - right click IBM WebSphere MQ - Preferences - Client Connections - SSL Options - SSL CipherSpec
  3. Setup path for ConnectQueueManager - SSL - SSL Key Repository to "c:/Program Data/IBM/MQ/Qmgrs/ConnectQueueManager\ssl\key"
  4. Setup CipherSpec for Channel ConnectionChannel to TLS_RSA_WITH_AES_128_CBC_SHA256 (or TLS_RSA_WITH_3DES_EDE_CBC_SHA or other supported CipherSpec)
  5. Set SSL Authentication from Optional to Required
  6. Setup CipherSpec for Channel SYSTEM.DEF.SRVCONN (click Show System Objects near right Refresh button) to TLS_RSA_WITH_AES_128_CBC_SHA256 (or TLS_RSA_WITH_3DES_EDE_CBC_SHAor other supported CipherSpec)
  7. Refresh SSL
  8. ConnectQueueManager - Security - Refresh SSL...
  9. Create user connectuser for ConnectQueueManager in MQExplorer give connectuser access to queues:
    ConnectQueueManager -> Queues -> RequestQueue -> right click - Object Authorities - Manage Authority Records... - Specific Profiles - RequestQueue - new user - connecuser - select all
    ConnectQueueManager - Queues - ResponseQueue - right click - Object Authorities - Manage Authority Records... - Specific Profiles - ResponseQueue - new user - connecuser - select all

SETUP WAS TO USE SSL FOR MQ

  1. WAS - Resources - JMS - Queue connection factories - jms.cellQueueConnectionFactory - check "Use SSL to secure communication with WebSphere MQ"
  2. Restart WAS

SETUP CONNECT

Windows:

  1. Add truststore, keystore files to deployer
  2. Add path to files and CipherSuite in crm.env for windows
  3. When using JAVA8 the following system property must be added for some Cipher Spec:
     
    -Dcom.ibm.mq.cfg.useIBMCipherMappings=false

    JAVAOPTIONS=-Xmx384m -Djavax.net.ssl.trustStore="c:/trustStoreMQ.jks" -Djavax.net.ssl.keyStore="c:/keyStoreMQ.jks" -Djavax.net.ssl.keyStorePassword=mypassword -Djavax.net.ssl.trustStorePassword=mypassword -Dconnect.jms.cipherSuite=TLS_RSA_WITH_AES_128_CBC_SHA256
  4. Restart vms

Finally with both HTTPS JNDI RMI IIOP and IBM MQ SERVER SSL enabled the JAVAOPTIONS should look like:

for windows (crm.env)

JAVAOPTIONS=-Xmx384m -Dcom.ibm.SSL.ConfigURL=file:c:/ssl.client.props -Dcom.ibm.CORBA.ConfigURL=file:c:/sas.client.props -Dconnect.jms.cipherSuite=TLS_RSA_WITH_AES_128_CBC_SHA256 -Dcom.ibm.mq.cfg.useIBMCipherMappings=false -Djavax.net.ssl.trustStore=c:/trustStoreMQ.jks -Djavax.net.ssl.trustStorePassword=mypassword -Djavax.net.ssl.keyStore=c:/keyStoreMQ.jks -Djavax.net.ssl.keyStorePassword=mypassword

Linux:

  1. Add truststore, keystore files to deployer
  2. Add path to files and CipherSuite in runvm.sh/runmonitor.sh for linux
  3. When using JAVA8 the following system property must be added for some Cipher Spec:
     
    -Dcom.ibm.mq.cfg.useIBMCipherMappings=false

    -Djavax.net.ssl.trustStore="c:/trustStoreMQ.jks" -Djavax.net.ssl.keyStore="c:/keyStoreMQ.jks" -Djavax.net.ssl.keyStorePassword=mypassword -Djavax.net.ssl.trustStorePassword=mypassword -Dconnect.jms.cipherSuite=TLS_RSA_WITH_AES_128_CBC_SHA256
  4. Restart vms

Finally with both HTTPS JNDI RMI IIOP and IBM MQ SERVER SSL enabled the line with exec $JAVAEXE from runvm.sh should look like:

 

exec $JAVAEXE ${BITTYPE} $JAVAOPTIONS $JAVAOPTIONS2 $JAVA_DEBUG -Dcom.kana.connect.NodeName=$CONNECT_NODENAME -Dcom.ibm.SSL.ConfigURL=file:/ssl.client.props -Dcom.ibm.CORBA.ConfigURL=file:/sas.client.props -Dconnect.jms.cipherSuite=TLS_RSA_WITH_AES_128_CBC_SHA256 -Dcom.ibm.mq.cfg.useIBMCipherMappings=false -Djavax.net.ssl.trustStore=/trustStoreMQ.jks -Djavax.net.ssl.trustStorePassword=mypassword -Djavax.net.ssl.keyStore=/keyStoreMQ.jks -Djavax.net.ssl.keyStorePassword=mypassword -Djava.vm=kc$1 -Dkc.depl=$CONNECT_DEPLOYMENTID -classpath $CLASSPATH com.kana.connect.server.CRM -vmid $1 -disableConsoleOutput

 

Related articles

Comments

0 comments

Please sign in to leave a comment.

Powered by Zendesk