Using SSL support for IBM WebSphere MQ Java Clients

SSL in IBM WebSphere MQ

In the previous post we discussed creating a basic connection with a queue manager. In this one we'll focus on how to add SSL support to that connection. The first thing you need to do is create a key repository for the queue manager. You can do this using the standard key management tool provided with IBM WebSphere MQ.

KeyDatabase

Password

In the second window, make sure to tick the "stash password to a file" field. Next you need to add a certificate to this key database file. Select the Personal Certificate section and click New Self Signed certificate. You'll be directed to the following window.

Self signed certificate

You will need the Key Label you enter here later, so make sure to insert a specific Key Label in the relevant field. The next thing to do is create a key store file. Go to "Create a New Key Database File" and select DB-Type as jks.


Now go to the Signer certificate section and add the certificate you created to the key store file. Then copy the .kdb and .sth files to the SSL folder in your WebSphere MQ installation path. Now all we have to do is add a few lines to our code. First we'll create an SSLContext object.

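import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

// The JSSE provider is registered by default, so no explicit Class.forName(...) is needed.
KeyStore keyStore = KeyStore.getInstance("JKS");
try (InputStream in = new FileInputStream("path_to_key_store_file")) {
    keyStore.load(in, "key_store_password".toCharArray());
}

// The trust store holds the signer certificate added to the key store file above.
KeyStore trustStore = KeyStore.getInstance("JKS");
try (InputStream in = new FileInputStream("path_to_key_store_file")) {
    trustStore.load(in, "key_store_password".toCharArray());
}

TrustManagerFactory trustManagerFactory =
        TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
KeyManagerFactory keyManagerFactory =
        KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());

trustManagerFactory.init(trustStore);
keyManagerFactory.init(keyStore, "key_store_password".toCharArray());
// SSLv3 is obsolete and disabled in current JREs; request a TLS context instead.
SSLContext sslContext = SSLContext.getInstance("TLSv1.2");
sslContext.init(keyManagerFactory.getKeyManagers(), trustManagerFactory.getTrustManagers(), null);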

Before testing the SSL connection, you need to configure the channel you are using with a specific cipher suite. A list of cipher suites and their Java mappings (with FIPS property) can be found here. We'll modify the MQEnvironment with our new variables.

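// The suite name must be the Java mapping of the cipher suite configured on the channel.
MQEnvironment.properties.put(CMQC.SSL_CIPHER_SUITE_PROPERTY, "CIPHER_SUITE");
MQEnvironment.properties.put(CMQC.SSL_SOCKET_FACTORY_PROPERTY, sslContext.getSocketFactory());
// Boolean value taken from the FIPS column of the cipher suite mapping list.
MQEnvironment.properties.put(CMQC.SSL_FIPS_REQUIRED_PROPERTY, BOOLEAN_FIPS_PROPERTY);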

That's it..!!!!
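The cipher suite name given to the client has to be one the client JRE can actually negotiate, so it is worth checking before connecting. The following is an added example, not code from the original post: the class name CipherSuiteCheck and the sample suite names are constructed for illustration, and it uses only the standard JSSE API.

```java
import java.util.Arrays;
import java.util.List;
import javax.net.ssl.SSLContext;

// Added example: reports whether a cipher suite name is usable with this JRE's TLS stack.
public class CipherSuiteCheck {

    enum Status { ENABLED, SUPPORTED_BUT_DISABLED, UNSUPPORTED }

    // Compare the name against the suites the context enables by default
    // and against everything the provider implements.
    static Status check(SSLContext ctx, String suite) {
        List<String> enabled =
                Arrays.asList(ctx.getDefaultSSLParameters().getCipherSuites());
        List<String> supported =
                Arrays.asList(ctx.getSupportedSSLParameters().getCipherSuites());
        if (enabled.contains(suite)) return Status.ENABLED;
        if (supported.contains(suite)) return Status.SUPPORTED_BUT_DISABLED;
        return Status.UNSUPPORTED;
    }

    public static void main(String[] args) throws Exception {
        // Default key and trust managers are enough for listing suites;
        // in the client, pass the SSLContext built from your key store instead.
        SSLContext ctx = SSLContext.getInstance("TLSv1.2");
        ctx.init(null, null, null);

        // Constructed sample names; pass the Java mapping of your channel's
        // cipher suite as a command-line argument to check the real one.
        String[] candidates = args.length > 0 ? args : new String[] {
            "TLS_RSA_WITH_AES_128_CBC_SHA256",
            "SSL_RSA_WITH_RC4_128_MD5",
            "NOT_A_REAL_SUITE"
        };
        for (String suite : candidates) {
            System.out.printf("%-40s %s%n", suite, check(ctx, suite));
        }
        // Protocol versions this context will offer in the handshake.
        System.out.println("Enabled protocols: "
                + Arrays.toString(ctx.getDefaultSSLParameters().getProtocols()));
    }
}
```

A result of SUPPORTED_BUT_DISABLED means the JRE's security policy has switched the suite off, usually because it is considered weak; choose a different suite for the channel rather than re-enabling it.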
