Step 1. Generating a Self-signed Certificate for the HTTPS Tunnel Servlet

Message Queue’s SSL support is oriented toward securing on-the-wire data with the assumption that the client is communicating with a known and trusted server. Therefore, SSL is implemented using only self-signed server certificates.In the httpsjms connection service architecture, the HTTPS tunnel servlet plays the role of server to both broker and application client.

Run the keytool utility to generate a self-signed certificate for the tunnel servlet. Enter the following at the command prompt:

JRE_HOME/bin/keytool -servlet keyStoreLocation

The utility will prompt you for the information it needs. (On Unix systems you may need to run keytool as the superuser (root) in order to have permission to create the key store.)

First, keytool prompts you for a key store password, and then it prompts you for some organizational information, and then it prompts you for confirmation. After it receives the confirmation, it pauses while it generates a key pair. It then asks you for a password to lock the particular key pair (key password); you should enter Return in response to this prompt: this makes the key password the same as the key store password.

Remember the password you provide: you must provide this password later to the tunnel servlet so it can open the key store.

The JDK keytool utility generates a self-signed certificate and places it in Message Queue’s key store file located as specified in the keyStoreLocation argument.

The HTTPS tunnel servlet must be able to see the key store. Make sure you move/copy the generated key store located in keyStoreLocation to a location accessible by the HTTPS tunnel servlet (see Step 3. Deploying the HTTPS Tunnel Servlet).