WebSphere Application Server Version 6.1.x Feature Pack for Web Services Operating Systems: AIX, HP-UX, i5/OS, Linux, Solaris, Windows, z/OS

Transport chain security

System security for a connection between service integration and a WebSphere MQ network is provided by the Transport Layer Security (TLS) and Secure Sockets Layer (SSL) protocols.

When WebSphere Application Server uses SSL, the administrator must create an SSL repertoire, a channel and a transport chain. The transport chain must be referenced by the WebSphere MQ server through the server's transport chain attribute, and must also be a trusted transport for the service integration bus to which the WebSphere MQ server belongs. The default setting is for service integration buses to trust only the SSL transport.

Two default transport chains are created on each WebSphere MQ server: OutboundBasicWMQClient and OutboundSecureWMQClient. The OutboundSecureWMQClient transport chain uses SSL and is configured to use the server’s default SSL repertoire. If you want to create your own transport chain, you must define it to every WebSphere MQ server that is a service integration bus member. Here is an example of how you might define your own transport chain using JACL:
wsadmin>set tcs [$AdminConfig list TransportChannelService]
wsadmin>set tcp [$AdminConfig create TCPOutboundChannel $tcs "{name MyWMQChain.TCP}"]
wsadmin>set ssl [$AdminConfig create SSLOutboundChannel $tcs "{name MyWMQChain.SSL} {sslConfigAlias MyRepertoire}"]
wsadmin>set rmq [$AdminConfig create RMQOutboundChannel $tcs "{name MyWMQChain.RMQ}"]
wsadmin>$AdminConfig create Chain $tcs "{name MyWMQChain} {enable true} {transportChannels {$rmq $ssl $tcp}}"
This example creates a transport chain suitable for connecting a WebSphere MQ server to WebSphere MQ using SSL. The chain is called MyWMQChain, and uses an SSL repertoire called MyRepertoire.

WebSphere MQ uses a single cipher suite only for securing connections to a queue manager, although WebSphere Application Server SSL repertoires allow you to specify multiple cipher suites. Each cipher suite is tried sequentially until a successful connection is established, or until all the cipher suites have been tried. The most recent cipher suite that allowed a successful connection is cached on a WebSphere MQ server bus member basis, and is tried first on subsequent connection attempts.
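The retry order described above can be modelled in a few lines. This is an added example, not IBM code: the class, the handshake callback and the sample suite names are constructed for illustration, and it assumes the cached suite is kept when a later attempt fails.

```python
# Added model of the cipher-suite retry order; not WebSphere's implementation.
class WMQBusMember:
    """One WebSphere MQ server bus member with its cached last-good suite."""

    def __init__(self, repertoire_suites):
        self.suites = list(repertoire_suites)  # order listed in the SSL repertoire
        self.cached = None                     # most recent suite that connected

    def attempt_order(self):
        """Cached suite first, then the rest in repertoire order."""
        if self.cached in self.suites:
            return [self.cached] + [s for s in self.suites if s != self.cached]
        return list(self.suites)

    def connect(self, handshake):
        """Try each suite until handshake(suite) succeeds (hypothetical callback).
        Returns (suite_used, suites_tried); suite_used is None if all fail."""
        tried = []
        for suite in self.attempt_order():
            tried.append(suite)
            if handshake(suite):
                self.cached = suite
                return suite, tried
        return None, tried  # assumption: cache is left unchanged on failure


def queue_manager(accepted_suite):
    """Stand-in for a queue manager that accepts exactly one suite."""
    return lambda suite: suite == accepted_suite


# Constructed sample repertoire (JSSE-style names, for illustration only).
REPERTOIRE = [
    "SSL_RSA_WITH_RC4_128_MD5",
    "SSL_RSA_WITH_3DES_EDE_CBC_SHA",
    "SSL_RSA_WITH_AES_128_CBC_SHA",
]


def demo():
    member = WMQBusMember(REPERTOIRE)
    qm = queue_manager("SSL_RSA_WITH_AES_128_CBC_SHA")
    first = member.connect(qm)    # walks the whole list before succeeding
    second = member.connect(qm)   # cached suite is tried first
    # Queue manager reconfigured to another suite in the repertoire.
    third = member.connect(queue_manager("SSL_RSA_WITH_3DES_EDE_CBC_SHA"))
    # Queue manager suite missing from the repertoire: every attempt fails.
    fourth = member.connect(queue_manager("SSL_RSA_WITH_AES_256_CBC_SHA"))
    return first, second, third, fourth


if __name__ == "__main__":
    for used, tried in demo():
        print(used, tried)
```

Every entry in the tried list before the last one is a failed attempt against the queue manager, so a repertoire that lists only the suite configured on the queue manager avoids those failures.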

When transport security is enabled, the transport chain used for connections to WebSphere MQ must be a permitted chain; otherwise, it is not possible to establish a connection to WebSphere MQ.

Related tasks
Creating a WebSphere MQ server definition
Related reference
createSIBWMQServer command



Last updated: 27 November 2008
http://publib.boulder.ibm.com/infocenter/wasinfo/v6r1/index.jsp?topic=/com.ibm.websphere.pmc.wsfep.multiplatform.doc/concepts/cjfp0016_.html

Copyright IBM Corporation 2004, 2008. All Rights Reserved.