Sun Java System Message Queue 3.7 UR1 Administration Guide

Configuring the Message Queue Client Runtime to Require Signed Certificates

You must now configure the Message Queue client runtime to require signed certificates, and ensure that it trusts the certification authority that signed the certificate.

Procedure: To Configure the Client Runtime to Require Signed Certificates

  1. Set the connection factory's imqSSLIsHostTrusted attribute to false.

    By default, the imqSSLIsHostTrusted attribute of the connection factory object that the client will be using to establish broker connections is set to true, meaning that the client runtime will accept any certificate presented to it. You must change this value to false so that the client runtime will attempt to validate all certificates presented to it. Validation will fail if the signer of the certificate is not in the client's trust store.

  2. Verify whether the signing authority is registered in the client's trust store.

    To test whether the client will accept certificates signed by your certification authority, try to establish an SSL connection, as described above under Configuring and Running an SSL-Based Client. If the CA is in the client's trust store, the connection will succeed and you can skip the next step. If the connection fails with a certificate validation error, go on to the next step.

  3. Install the signing CA’s root certificate in the client’s trust store.

    The client searches the key store files cacerts and jssecacerts by default, so no further configuration is necessary if you install the certificate in either of those files. The following example installs a Verisign test root certificate, read from a file named testrootca.cer, into the default system certificate file, cacerts. The example assumes that J2SE is installed in the directory $JAVA_HOME/usr/j2se:

    keytool -import -keystore /usr/j2se/jre/lib/security/cacerts \
            -alias VerisignTestCA -file testrootca.cer -noprompt \
            -trustcacerts -storepass myStorePassword

    An alternative (and recommended) option is to install the root certificate into the alternative system certificate file, jssecacerts:

    keytool -import -keystore /usr/j2se/jre/lib/security/jssecacerts \
            -alias VerisignTestCA -file testrootca.cer -noprompt \
            -trustcacerts -storepass myStorePassword

    A third possibility is to install the root certificate into some other key store file and configure the client to use that as its trust store. The following example installs into the file /home/smith/.keystore:

    keytool -import -keystore /home/smith/.keystore \
            -alias VerisignTestCA -file testrootca.cer -noprompt \
            -trustcacerts -storepass myStorePassword

    Since the client does not search this key store by default, you must explicitly provide its location to the client to use as a trust store. You do this by setting the Java system property once the client is running:
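The following Java client ties the three steps of this procedure together: it points the JSSE runtime at the custom trust store from step 3, sets imqSSLIsHostTrusted to false as in step 1, and then attempts the SSL connection as in step 2 so that an untrusted signer surfaces as a connection failure rather than being silently accepted. This is an added example, not code from the Message Queue guide or product; it uses the com.sun.messaging.ConnectionFactory and ConnectionConfiguration classes of the MQ client runtime, the standard JSSE system property javax.net.ssl.trustStore (a property name this page does not spell out), and assumed values for the broker host (broker.example.com) and the ssljms connection service port.

```java
import javax.jms.Connection;
import javax.jms.JMSException;

import com.sun.messaging.ConnectionConfiguration;
import com.sun.messaging.ConnectionFactory;

public class SslTrustCheck {

    // Step 3 (third option): the key store that holds the imported CA root.
    // Path and password match the keytool example for /home/smith/.keystore.
    private static final String TRUST_STORE = "/home/smith/.keystore";
    private static final String TRUST_STORE_PASSWORD = "myStorePassword";

    // Assumed broker address; ssljms is the SSL connection service name.
    private static final String BROKER = "mq://broker.example.com:7676/ssljms";

    public static void main(String[] args) throws JMSException {
        // The trust store location must be set before any SSL context is
        // created, so it goes first. javax.net.ssl.trustStore is the standard
        // JSSE property (assumed here; the guide names the property elsewhere).
        System.setProperty("javax.net.ssl.trustStore", TRUST_STORE);
        System.setProperty("javax.net.ssl.trustStorePassword", TRUST_STORE_PASSWORD);

        ConnectionFactory cf = new ConnectionFactory();
        cf.setProperty(ConnectionConfiguration.imqAddressList, BROKER);

        // Step 1: stop trusting any presented certificate; the runtime will now
        // validate the broker certificate against the trust store configured above.
        cf.setProperty(ConnectionConfiguration.imqSSLIsHostTrusted, "false");

        // Step 2: attempt the SSL connection. A signer missing from the trust
        // store shows up as a JMSException wrapping the certificate validation error.
        Connection conn = null;
        try {
            conn = cf.createConnection();
            conn.start();
            System.out.println("SSL connection established: broker certificate chain is trusted");
        } catch (JMSException e) {
            System.err.println("SSL connection failed: " + e.getMessage());
            System.err.println("If this is a certificate validation error, import the signing CA root "
                    + "into " + TRUST_STORE + " with keytool -import -trustcacerts (step 3).");
            throw e;
        } finally {
            if (conn != null) {
                conn.close();
            }
        }
    }
}
```

If you prefer not to set the property in code, the same effect is obtained by starting the client with -Djavax.net.ssl.trustStore=/home/smith/.keystore on the java command line; either way the property must be in place before the first SSL connection is attempted, because the trust store is read when the SSL context is initialized.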