Wednesday 7 June 2017

Implementing SSL on the broker (broker as consumer and provider) using ikeycmd

Assume we have a provider flow and a consumer flow.

·We need to create a key store and a trust store for the broker. The key store contains the private key and the public key.

·We add the signer certificates of those who are trying to connect to the trust store, and then we add both stores to the broker registry.

·To create the key store and trust store, we can use the ikeyman tool or ikeycmd.

1) First, create a key store using the command:

ikeycmd -keydb -create -db C:\Users\bandaru\Documents\SSL\KEYSTORE\brokerkeystore.jks -pw sarasu10 -type jks

2) Create a certificate using:

ikeycmd -cert -create  -db C:\Users\bandaru\Documents\SSL\KEYSTORE\brokerkeystore.jks -pw sarasu10 -label IIBCert -dn  "CN=MB7Broker.Server,O=EidikoSystems,OU=OffShore,L=Hyderabad,C=IN"

3) We can check the certificate details using:

ikeycmd -cert -details -db C:\Users\bandaru\Documents\SSL\KEYSTORE\brokerkeystore.jks -pw sarasu10 -label IIBCert

4) Now extract the certificate to get the '.arm' file, which will be shared with the clients, if any. They will import this certificate into their trust store.

ikeycmd -cert -extract -db C:\Users\bandaru\Documents\SSL\KEYSTORE\brokerkeystore.jks  -pw sarasu10 -label IIBCert -target C:\Users\bandaru\Documents\SSL\KEYSTORE\MyCert.arm -format ascii

5) Create a trust store to hold the other parties' certificates, if any:

ikeycmd -keydb -create -db C:\Users\bandaru\Documents\SSL\TRUSTSTORE\brokertruststore.jks -pw sarasu10 -type jks

6) Add the '.arm' files of those who are trying to connect securely to the trust store:

ikeycmd -cert -add -db C:\Users\bandaru\Documents\SSL\TRUSTSTORE\brokertruststore.jks -pw sarasu10 -label IIBCert -file C:\Users\bandaru\Documents\SSL\KEYSTORE\MyCert.arm -format ascii

7) Add the key store and trust store to the broker registry:

mqsichangeproperties BRKR -o BrokerRegistry -n brokerKeystoreFile -v C:\Users\bandaru\Documents\SSL\KEYSTORE\brokerkeystore.jks

mqsichangeproperties BRKR -o BrokerRegistry -n brokerTruststoreFile -v C:\Users\bandaru\Documents\SSL\TRUSTSTORE\brokertruststore.jks

8) We can check the key store and trust store details of a broker using:

mqsireportproperties BRKR -o BrokerRegistry -r

9) Now use the mqsisetdbparms command to associate a specific user ID and password with the resources that are accessed by the broker:

mqsisetdbparms BRKR -n brokerKeystore::password -u ignore -p sarasu10

mqsisetdbparms BRKR -n brokerTruststore::password -u ignore -p sarasu10

10) Once done, restart the broker:

mqsistop <Broker name>
mqsistart <Broker name>

11) To work with SSL, we need to change the following properties:

mqsichangeproperties BRKR -b httplistener -o HTTPListener -n enableSSLConnector -v true

mqsichangeproperties BRKR -b httplistener -o HTTPSConnector -n port -v 7443


12) Once the properties are changed, check whether they have taken effect on the broker using the following command, where BRKR is the broker name and EG is the execution group name:

mqsireportproperties BRKR -e EG -o HTTPSConnector -r

Note 1: To connect to an SSL service from a SOAPRequest or SOAPAsyncRequest node (client side), you must configure an https:// URL in the "Web service URL" box on the node.

Note 2: When using a SOAP Input node message flow (provider flow), the HTTPS listener at execution group level is used. The default HTTPS listener port is 7843; it goes into listening mode once the SOAP Input node message flow is deployed to the execution group.

Note 3: Select the "Use HTTPS" option on the SOAP Input node in the message flow.
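
To confirm after the restart that the HTTPS listener really serves the certificate exported in step 4, the following added Python example (not part of the original post) compares the certificate presented on the listener port with the MyCert.arm file by SHA-256 fingerprint. The function names and the sample data are assumptions made for this example, and it assumes the .arm file is the Base64 export produced with -format ascii.

```python
import base64
import hashlib
import socket
import ssl
import sys

def arm_to_der(arm_text):
    """Decode a Base64 ASCII (.arm) certificate export into DER bytes."""
    return ssl.PEM_cert_to_DER_cert(arm_text.strip())

def fingerprint(der):
    """SHA-256 fingerprint of a DER certificate, as lowercase hex."""
    return hashlib.sha256(der).hexdigest()

def listener_cert_der(host, port, timeout=5.0):
    """Return the DER certificate the HTTPS listener presents in its handshake."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # Chain and hostname validation are off on purpose: trust comes only from
    # the byte-for-byte comparison with the exported certificate below.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)

def presents_exported_cert(arm_text, presented_der):
    """True only when the listener's certificate is identical to the export."""
    if not presented_der:
        return False
    return fingerprint(arm_to_der(arm_text)) == fingerprint(presented_der)

# Constructed stand-in for MyCert.arm: arbitrary bytes, not a real certificate.
SAMPLE_DER = bytes(range(64))
SAMPLE_ARM = ("-----BEGIN CERTIFICATE-----\n"
              + base64.encodebytes(SAMPLE_DER).decode("ascii")
              + "-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    if len(sys.argv) == 4:  # usage: <script> MyCert.arm <host> <port>
        with open(sys.argv[1], encoding="ascii") as f:
            presented = listener_cert_der(sys.argv[2], int(sys.argv[3]))
            ok = presents_exported_cert(f.read(), presented)
    else:  # offline self-check against the constructed sample
        ok = presents_exported_cert(SAMPLE_ARM, SAMPLE_DER)
    print("listener presents exported certificate:", ok)
    sys.exit(0 if ok else 1)
```

Pass the .arm path, the broker host and the HTTPS port (7443 as set in step 11) as arguments; with no arguments it only runs the offline self-check on the constructed sample.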
