Transport chain security

System security for a connection between service integration and a WebSphere® MQ network is provided by the Transport Layer Security (TLS) and Secure Sockets Layer (SSL) protocols.

When WebSphere Application Server uses SSL, the administrator must create an SSL repertoire, a channel and a transport chain. The transport chain must be referenced by the WebSphere MQ server through the server's transport chain attribute, and must also be a trusted transport for the service integration bus to which the WebSphere MQ server belongs. The default setting is for service integration buses to trust only the SSL transport.

Two default transport chains are created on each WebSphere MQ server: OutboundBasicWMQClient and OutboundSecureWMQClient. The OutboundSecureWMQClient transport chain uses SSL and is configured to use the server's default SSL repertoire. If you want to create your own transport chain, you must define it to every WebSphere MQ server that is a service integration bus member. Here is an example of how you might define your own transport chain using JACL:
wsadmin>set tcs [$AdminConfig list TransportChannelService]
wsadmin>set tcp [$AdminConfig create TCPOutboundChannel $tcs "{name MyWMQChain.TCP}"]
wsadmin>set ssl [$AdminConfig create SSLOutboundChannel $tcs "{name MyWMQChain.SSL} {sslConfigAlias MyRepertoire}"]
wsadmin>set rmq [$AdminConfig create RMQOutboundChannel $tcs "{name MyWMQChain.RMQ}"]
wsadmin>$AdminConfig create Chain $tcs "{name MyWMQChain} {enable true} {transportChannels {$rmq $ssl $tcp}}"
This example creates a transport chain suitable for connecting a WebSphere MQ server to WebSphere MQ using SSL. The chain is called MyWMQChain, and uses an SSL repertoire called MyRepertoire.

WebSphere MQ uses a single cipher suite only for securing connections to a queue manager, although WebSphere Application Server SSL repertoires allow you to specify multiple cipher suites. Each cipher suite is tried sequentially until a successful connection is established, or until all the cipher suites have been tried. The most recent cipher suite that allowed a successful connection is cached on a WebSphere MQ server bus member basis, and is tried first on subsequent connection attempts.
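The trial order and caching described above can be modelled as follows. This is an added illustration, not WebSphere code: the class and method names are hypothetical, the handshake is reduced to a string comparison, and the repertoire contents are constructed sample values.

```python
# Illustrative model only; not WebSphere code. All names are hypothetical.

class CipherSuiteSelector:
    """Sequential cipher-suite trial with a per-bus-member cache."""

    def __init__(self, repertoire):
        self.repertoire = list(repertoire)  # ordered suites from the SSL repertoire
        self.cache = {}                     # bus member -> last suite that connected

    def trial_order(self, bus_member):
        """Cached suite first (if still in the repertoire), then the rest in order."""
        cached = self.cache.get(bus_member)
        if cached in self.repertoire:
            return [cached] + [s for s in self.repertoire if s != cached]
        return list(self.repertoire)

    def connect(self, bus_member, qmgr_suite):
        """Return (suite_used, failed_attempts); suite_used is None if all fail."""
        failed = []
        for suite in self.trial_order(bus_member):
            # The queue manager side accepts exactly one suite.
            if suite == qmgr_suite:
                self.cache[bus_member] = suite
                return suite, failed
            failed.append(suite)
        return None, failed  # cache is left unchanged on total failure


# Constructed sample repertoire: three suites, weakest listed first.
SAMPLE_REPERTOIRE = [
    "SSL_RSA_WITH_RC4_128_MD5",
    "SSL_RSA_WITH_3DES_EDE_CBC_SHA",
    "SSL_RSA_WITH_AES_128_CBC_SHA",
]

if __name__ == "__main__":
    sel = CipherSuiteSelector(SAMPLE_REPERTOIRE)
    wanted = "SSL_RSA_WITH_AES_128_CBC_SHA"
    # First connection walks the list; the second hits the cache immediately.
    for attempt in (1, 2):
        used, failed = sel.connect("wmqServer1", wanted)
        print(attempt, used, "failed attempts:", failed)
```

Each entry in the failed list stands for a handshake that the queue manager rejected, so a repertoire containing only the suite the queue manager expects avoids those attempts and leaves no other suite eligible for the connection.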

When transport security is enabled, the transport chain used for connections to WebSphere MQ must be a permitted chain; otherwise, it is not possible to establish a connection to WebSphere MQ.





Last updated: Aug 30, 2013 4:53:43 PM CDT
http://www14.software.ibm.com/webapp/wsbroker/redirect?version=pix&product=was-base-dist&topic=cjfp0016_