Connecting to MQ Server from TIBCO ActiveMatrix Businessworks? over SSL using file based JNDI lookup

Table of Contents

• Section-I: Configuring WebSphere MQ Server
  • Installing the WebSphere MQ Server
  • Configuring the Queue Manager
  • Creating Queues under a Queue Manager
  • Creating a new Server Channel for Communicating with Queue Manager
  • Creating File-Based JNDI Bindings for MQ Server
• Section-II: Configuring TIBCO ActiveMatrix BusinessWorks? to Communicate with the MQ Server
  • Allowing ActiveMatrix BusinessWorks to Trust the Certificate Used by the MQ Server
  • Configuring ActiveMatrix BusinessWorks to Use the .bindings File Created in Section-I

Section-I: Configuring WebSphere MQ Server

Installing the WebSphere MQ Server

On Windows, the default installation is straightforward. If you choose the custom installation option make sure WebSphere MQ Explorer and JMS Messaging are selected as part of the installation. In order to install MQ Explorer, the trial version of WebSphere MQ 6.0 requires Eclipse 3.0 or greater. Once you complete the installation successfully, you can start configuring the Queue Manager.

Trial version of WebSphere MQ Server can be downloaded from - http://www.ibm.com/developerworks/downloads/ws/wmq.

Configuring the Queue Manager

• Open MQ Explorer using Start > IBM WebSphere MQ > WebSphere MQ Explorer

• Right-click on the Queue Manager folder and select New > Queue Manager

• Provide the Queue Manager name and leave the remaining entries to default values. Click Next to continue.

• To Enable SSL for the newly created Queue Manager, right-click on it to launch its Properties.

• In the Properties window, select the SSL tab and click on the ?Manage SSL Certificates? button therein to bring up a window that has the certificate list.

• Press the Add button to add the certificate you have created for the MQ Server.

• Choose ?Import from a file" and browse for a .p12(PKCS#12) file that you created for the MQ Server then click Add to add the certificate(s) to the certificate store.

• Once the certificate has been added, it should appear in the SSL Certificates Manager. Click on the imported certificate and assign it as the server certificate for the Queue Manager created earlier.

[Note: Once assigned, a check mark (?) will mark the icon adjacent to the assigned certificate indicating that it has been assigned to the Queue Manager.]

Creating Queues under a Queue Manager

• Under the Queue Manager created in the steps above, right-click on "Queues" and select New > Local Queue.

• Enter the new Queue Name, press OK and leave the remaining entries to default values.

Creating a new Server Channel for Communicating with Queue Manager

• Under the Queue Manager, go to Advanced > Channels, and then right-click and select New > Server Connection Channel.

• Provide a Channel Name (e.g. ssl.serverchannel).

• Click on the SSL tab and select the cipher suite for the server.

• If you need only one-way authentication (i.e. the JMS client will perform only server authentication), be sure to uncheck the box labeled ?Always authenticate parties initiating connection to this channel definition?.

Creating File-Based JNDI Bindings for MQ Server

The following instructions demonstrate how to create file-based JDNI bindings for the MQ Server configured in the previous example:

• On your file system, create a folder that will host the .bindings file for the JNDI look up (e.g. C:\JNDI-Directory).

• Place all .jar files under the C:\Program Files\IBM\WebSphere MQ\Java\lib folder in your system classpath

• Make the following edits to the C:\Program Files\IBM\WebSphere MQ\Java\bin\JMSAdmin.config file using Textpad or other plain text editor:

  1. Uncomment INITIAL_CONTEXT_FACTORY=com.sun.jndi.fscontext.RefFSContextFactory

  2. Modify PROVIDER_URL=file:/C:/JNDI-Directory

• Start a command prompt and go to C:\Program Files\IBM\WebSphere MQ\Java\bin.

• Execute the JMSAdmin.bat file. This should start a ?Initctx>? prompt.

• Run the following commands to generate the .bindings file in C:\JNDI-Directory:

   InitCtx> define QCF(QueueConnectionFactory) QMANAGER(qm) TRANSPORT(CLIENT) HOSTNAME(localhost) PORT(1414) CHANNEL(ssl.serverchannel) SSLCIPHERSUITE(SSL_RSA_WITH_RC4_128_MD5) InitCtx> define Q(queue.sample) QUEUE(queue.sample) QMANAGER(qm)

  [Note: Your queue manager name, queue name, connection channel name, and cipher suite may be different from those chosen for the setup above.]

  At this point, the .bindings file should be in C:\JNDI-Directory. This file will be used by all JMS clients which need connection to the server.

After completing the steps above, any Java-based client should be able to perform a JDNI-based lookup on the MQ Server using the .bindings file.

Section-II: Configuring TIBCO ActiveMatrix BusinessWorks? to Communicate with the MQ Server

Allowing ActiveMatrix BusinessWorks to Trust the Certificate Used by the MQ Server

• Go to the directory C:\TIBCO\jre\1.4.2\lib\security. This folder contains the default ?cacerts? keystore where all trusted certificates are stored. The keystore type is JKS.

• Export the certificate that you have assigned to the MQ Server in Section-I from the .p12 file to a PKCS#7-format (i.e. to a .pem file).

• Use the Java keytool command to import the certificate into the ?cacerts? keystore as shown below.

   C:\TIBCO\jre\1.4.2\lib\security>keytool -list -v -keystore cacerts -alias bwrootca Enter keystore password: changeit  Alias name: bwrootca  Creation date: Jun 6, 2006  Entry type: trustedCertEntry  Owner: CN=bwrootca, OU=bw support, O=tibco support, L=palo alto, ST=CA, C=US, EMAILADDRESS=bwrootca@tibco.com  Issuer: CN=bwrootca, OU=bw support, O=tibco support, L=palo alto, ST=CA, C=US, EMAILADDRESS=bwrootca@tibco.com  Serial number: 4332fc68  Valid from: Thu Sep 22 11:48:08 PDT 2005 until: Fri Sep 22 11:48:08 PDT 2006  Certificate fingerprints:  MD5: 42:A8:58:F0:E7:E7:97:32:34:77:BA:28:D2:62:77:97  SHA1: 90:2D:28:6E:E7:12:56:18:13:1C:2E:E6:4C:A0:65:D7:4A:EC:04:30

[Note: Unless a different one is specified during the keytool execution, the default password for the "cacerts" keystore is "changeit".]

Configuring ActiveMatrix BusinessWorks to Use the .bindings File Created in Section-I

• Create a JMS shared connection and select JNDI context factory as ?com.sun.jndi.fscontext.RefFSContextFactory? and JNDI provider URL as file://C:/JNDI-Directory

• Click on the Advanced tab of the JMS connection box and make sure that value for the ?Queue Connection Factory? matches the one you created on the MQ Server

After completing the previous step, you should be able to use this shared JMS connection in your JMS process and connect to the MQ Server using SSL.