Wednesday, June 24, 2015

Enable Mutual SSL with WSO2 ESB and IBM MQ

This article will explain how to connect to an SSL enabled channel in MQ using WSO2 ESB. Here I’m using ESB version 4.8.1 and MQ versions. Java version java 1.7.0-60 or above.

  • First we have to import the MQ certificate to WSO2 ESB’s client trust store. You can import the certificate using the following command in keytool.
    • ./keytool -import -file PATH_TO_MQ_CERTIFICATE/USU08QM2.cer -alias ALIAS_NAME_OF_MQ_CERTIFICATE -keystore PATH_TO_CLIENT_TRUST_STORE/client-truststore.jks -storepass password

  • Then you have to export the certificate from wso2carbon.jks and import that to MQ keystore in MQ server. To export the certificate from wso2carbon.jks use the following command in keytool.

    •  ./keytool -export -keystore PATH_TO_KEY_STORE/wso2carbon.jks -storepass KEY_SOTRE_PASSWORD -alias ALIAS_NAME_OF_WSO2_KEY_STORE -file PATH_TO_STORE_THE_CERTIFICATE/wso2esb.cer
  •  Then this certificate should be should be imported to MQ JKS using the command listed in step 1.

  • Then you have to specify the matching cipher suite for ESB. In IBM MQ when SSL is enabled, they specify a cipher spec to the channel. You have to find the matching cipher suite for that cipher spec and specify it in ESB as an environment variable. Cipher spec to cipher suite mapping can be found in here. Environment variable can be set in ESB by setting the following propery in file.
  • Note:Here I have specified the cipher suite as SSL_RSA_WITH_3DES_EDE_CBC_SHA. The matching cipher spec for this cipher suite is TLS_RSA_WITH_3DES_EDE_CBC_SHA.
  • Next you have to copy MQ jta.jar to ESB_HOME/repository/components/lib folder. (Remove the old jar files if there are any existing ones). Make sure you copy MQ jar files. The client jars in [1] is not working with SSL. Therefore you have to create a new OSGI bundle with new MQ client jars. To do that you can clone the wmq-client- project from here and copy following jar files to lib folder in wmq-client- Then build the project.
    • fscontext.jar
    • jms.jar
    • providerutil.jar
  • Note: Copy the wmq-client- file in target directory to ESB_HOME/repository/components/dropins folder. Remove if there are any old jar files.
  • Remove following line from <ESB_4.8.1_Home>\repository\conf\etc\launch.ini
    • javax.jms,\
  • Regenerate .bindings file with following property.
    • Provider Version : 8

Then restart the server and then you are ready to go with SSL. !!!


No comments:

Post a Comment