Securing JMS communications in Liberty by using SSL

You can configure the transportSecurity-1.0 feature to enable secure communication between the two Liberty servers.

Before you begin

To secure JMS communications by using SSL, you must configure the SSL feature by providing SSL certificate-related configurations. For more information, see Enabling SSL communication in Liberty.

Procedure

  1. Configure SSL on the server.
    • The service integration bus has the following default SSL configuration:
      <wasJmsEndpoint
          host="*"
          wasJmsSSLPort="7286" >
      </wasJmsEndpoint>

      The service integration bus inbound chain uses the <keyStore> element as its default SSL configuration. See Enabling SSL communication in Liberty for detailed information.

    • To point the endpoint at an SSL configuration other than the default, refer to the following example:
      <keyStore id="customKeyStore" location="key.jks" type="JKS" password="{xor}NDombm1s" />

      <ssl id="CustomSslNewOptions" keyStoreRef="customKeyStore"/>

      <wasJmsEndpoint
          host="*"
          wasJmsSSLPort="7286">
          <sslOptions sslRef="CustomSslNewOptions" />
      </wasJmsEndpoint>
    • If the <wasJmsEndpoint> configuration is successful, the service integration bus binds to port 7286 for secure communications. The JMS client can then connect to the messaging engine securely by using SSL.
  2. Configure the client.
    • By default, the service integration bus creates an outbound chain that is called <BootstrapSecureMessaging>. This chain uses the <keyStore> element as its default SSL configuration.
      <wasJmsOutbound id="BootstrapSecureMessaging"
          useSSL="true">
      </wasJmsOutbound>
    • To change the default SSL configuration to point to some other configuration, refer to the following example:
      <keyStore id="customKeyStore" location="key.jks" type="JKS" password="{xor}NDombm1s" />

      <ssl id="CustomSslNewOptions" keyStoreRef="customKeyStore"/>

      <wasJmsOutbound id="BootstrapSecureMessaging"
          useSSL="true">
          <sslOptions sslRef="CustomSslNewOptions" />
      </wasJmsOutbound>
    • To connect to a messaging engine by using secure communication, specify a secure chain in the remoteServerAddress attribute of the connection factory (the format is host:port:chainName).
      <jmsQueueConnectionFactory jndiName="jndi_JMS_BASE_QCF">
          <properties.wasJms
              remoteServerAddress="localhost:7286:BootstrapSecureMessaging" />
      </jmsQueueConnectionFactory>
    • You can also create a custom outbound chain and use it to connect to the messaging engine.
      <keyStore id="customKeyStore" location="key.jks" type="JKS" password="{xor}NDombm1s" />

      <ssl id="CustomSslNewOptions" keyStoreRef="customKeyStore"/>

      <wasJmsOutbound id="jmsSecureCustomChain"
          useSSL="true">
          <sslOptions sslRef="CustomSslNewOptions" />
      </wasJmsOutbound>
    The <jmsSecureCustomChain> outbound chain is now enabled. It uses the <CustomSslNewOptions> element for its SSL keystore configuration.
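The following server.xml is added here as a worked example; it is not taken from the Liberty documentation. It combines the server-side and client-side pieces of the procedure above into one configuration: the custom keystore and <ssl> element, a <wasJmsEndpoint> that uses them for inbound connections, the custom outbound chain, and a connection factory whose remoteServerAddress names that custom chain. The feature list, the messaging engine and queue definitions, the JNDI names, and the use of jmsSecureCustomChain as the third field of remoteServerAddress (following the host:port:chainName pattern shown above for BootstrapSecureMessaging) are assumptions of this example.

```xml
<server description="JMS over SSL example (constructed, not from the page)">
    <!-- Feature set is an assumption of this example: messaging engine,
         JMS client, and the transportSecurity-1.0 feature named on the page. -->
    <featureManager>
        <feature>wasJmsServer-1.0</feature>
        <feature>wasJmsClient-2.0</feature>
        <feature>transportSecurity-1.0</feature>
    </featureManager>

    <!-- Custom keystore and SSL configuration (same values as the page's examples).
         The {xor} password is the page's sample value; {xor} only obfuscates it,
         so protect server.xml like any other credential file. -->
    <keyStore id="customKeyStore" location="key.jks" type="JKS" password="{xor}NDombm1s" />
    <ssl id="CustomSslNewOptions" keyStoreRef="customKeyStore" />

    <!-- Server side: inbound secure endpoint on port 7286 that uses the custom
         SSL configuration instead of the default <keyStore>. -->
    <wasJmsEndpoint host="*" wasJmsSSLPort="7286">
        <sslOptions sslRef="CustomSslNewOptions" />
    </wasJmsEndpoint>

    <!-- Messaging engine with one queue; the queue name is an assumption. -->
    <messagingEngine>
        <queue id="SecureQueue" />
    </messagingEngine>

    <!-- Client side: custom outbound chain (as on the page) that uses SSL
         with the same custom configuration. -->
    <wasJmsOutbound id="jmsSecureCustomChain" useSSL="true">
        <sslOptions sslRef="CustomSslNewOptions" />
    </wasJmsOutbound>

    <!-- Connection factory that reaches the secure endpoint through the custom
         chain. remoteServerAddress uses the host:port:chainName form; naming the
         custom chain here is an assumption that follows the page's
         BootstrapSecureMessaging example. JNDI names are assumptions too. -->
    <jmsQueueConnectionFactory jndiName="jms/SecureQCF">
        <properties.wasJms remoteServerAddress="localhost:7286:jmsSecureCustomChain" />
    </jmsQueueConnectionFactory>

    <jmsQueue jndiName="jms/SecureQueue">
        <properties.wasJms queueName="SecureQueue" />
    </jmsQueue>
</server>
```

Because the <ssl> element here has no trustStoreRef, Liberty uses the referenced keystore as the truststore as well, so with the endpoint and the outbound chain on one server sharing key.jks the handshake completes. When the client and the messaging engine are separate Liberty servers, the chain on the client side must reference an <ssl> element whose truststore contains the server's certificate, and a failed handshake shows up in the client's messages.log before any JMS-level error.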