Sun GlassFish Message Queue 4.4 Developer's Guide for C Clients

Configuring the Client for Secure Communication

By default the MQ_SSL_BROKER_IS_TRUSTED property is set to true, which means that the Message Queue client runtime accepts any certificate the broker presents. The connection is then encrypted but the broker is not authenticated: any host that can intercept the connection can present its own certificate and be accepted as the broker. The following procedure explains what you must do to establish a secure connection.

Procedure: To Establish a Secure Connection

  1. Set the MQ_CONNECTION_TYPE_PROPERTY to SSL.

  2. If you want the runtime to verify the broker’s certificate against a trusted root, set the MQ_SSL_BROKER_IS_TRUSTED property to false. Otherwise, you can leave it at its default (true) value.

  3. Generate the NSS files certN.db, keyN.db, and secmod.db using the certificate database tool certutil.

    You can find this tool at the following location, depending on the installation method:

    • IPS image: mqInstallHome/nss/bin

    • Solaris SVR4 packages: /usr/sfw/bin

    • Linux rpm packages: /opt/sun/private/bin

    For directions and an example of using this tool, see

    http://www.mozilla.org/projects/security/pki/nss/tools/certutil.html

  4. Note the path name of the directory that contains the NSS files you generated in Step 3.

  5. If you have set the MQ_SSL_BROKER_IS_TRUSTED property to false, use the certutil tool to import the root certificate of the authority that certified the broker into the database files you generated in Step 3.

    Make sure that the MQ_BROKER_HOST_PROPERTY value is the same as the common name (CN) in the broker’s certificate; the runtime compares the two when it verifies the certificate, so a host name that differs from the CN (an IP address, an alias, or a different case of the name is safest to avoid) will not be accepted.

  6. If you have set the MQ_SSL_BROKER_IS_TRUSTED property to false, you can additionally enable broker fingerprint-based verification, which is used in case verification of the broker’s certificate fails. For details, see Verification Using Fingerprints.

  7. Call the function MQInitializeSSL once (and only once) before creating any connection, and pass it the name of the directory that contains the NSS files you generated in Step 3. If the broker is trusted, these database files can be empty (no certificate needs to be imported), but the directory and the files must still exist.

    You must call this function before you create any connection to the broker, including connections that do not use SSL; a second call, or a call after a connection already exists, is not supported.
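The following is an added example, not code from the Message Queue documentation or product. It puts the procedure above into a small C file: a pre-flight check that enforces the rules the steps spell out (an NSS directory and a broker host must be given; when MQ_SSL_BROKER_IS_TRUSTED is false the host must equal the CN of the broker's certificate, with no wildcard matching), followed by the MQ C API calls in the order the procedure requires (MQInitializeSSL once, then the connection properties, then MQCreateConnection). The struct, the function names mq_ssl_preflight, dn_common_name, host_equal and mq_connect_ssl, the PREFLIGHT_* codes, the HAVE_MQCRT macro, and the "guest" credentials and port 7676 in the usage note are all assumptions made for this example; the MQ_* property constants, MQInitializeSSL, MQCreateProperties, MQSetStringProperty, MQSetInt32Property, MQSetBoolProperty and MQCreateConnection are the documented C API. The sample subject DN is constructed, not taken from any real certificate.

```c
/* ssl_preflight.c: added example, not part of the MQ product or its documentation.
 * Without -DHAVE_MQCRT only the pre-flight check compiles (no MQ SDK needed);
 *   cc -DHAVE_MQCRT -I$mqInstallHome/include ssl_preflight.c -lmqcrt
 * also builds the connection code against the MQ C runtime (assumed build line). */
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Hypothetical helper struct: the values the procedure asks you to decide on. */
typedef struct {
    const char *nss_dir;        /* directory holding certN.db, keyN.db, secmod.db (Step 7) */
    const char *broker_host;    /* value for MQ_BROKER_HOST_PROPERTY */
    int         broker_port;    /* value for MQ_BROKER_PORT_PROPERTY */
    int         broker_trusted; /* value for MQ_SSL_BROKER_IS_TRUSTED (Step 2) */
    const char *broker_cert_dn; /* subject DN of the broker certificate (e.g. as certutil -L prints it) */
} mq_ssl_config;

enum { PREFLIGHT_OK = 0, PREFLIGHT_NO_NSS_DIR, PREFLIGHT_NO_HOST,
       PREFLIGHT_NO_CN, PREFLIGHT_CN_MISMATCH };

/* Copy the CN value out of a comma-separated subject DN such as
 * "CN=broker.example.com,O=Example Corp,C=US". Returns 1 if a CN was found. */
static int dn_common_name(const char *dn, char *out, size_t outlen)
{
    const char *p = dn;
    while (p && *p) {
        while (*p == ' ') p++;                       /* tolerate "O=X, CN=Y" spacing */
        if (toupper((unsigned char)p[0]) == 'C' &&
            toupper((unsigned char)p[1]) == 'N' && p[2] == '=') {
            const char *start = p + 3;
            const char *end = strchr(start, ',');
            size_t len = end ? (size_t)(end - start) : strlen(start);
            if (len == 0 || len >= outlen) return 0;  /* empty or oversized CN */
            memcpy(out, start, len);
            out[len] = '\0';
            return 1;
        }
        p = strchr(p, ',');                          /* skip to the next attribute */
        if (p) p++;
    }
    return 0;
}

/* DNS names are case-insensitive; everything else must match exactly. */
static int host_equal(const char *a, const char *b)
{
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b)) return 0;
    return *a == '\0' && *b == '\0';
}

/* Steps 2, 5 and 7 as a check run before touching the MQ runtime. With
 * broker_trusted set the runtime accepts any certificate, so only the NSS
 * directory and host are required; with it cleared the host property must
 * equal the certificate CN (a "*.example.com" CN does not match anything here). */
int mq_ssl_preflight(const mq_ssl_config *c)
{
    char cn[256];
    if (!c->nss_dir || !*c->nss_dir)         return PREFLIGHT_NO_NSS_DIR;
    if (!c->broker_host || !*c->broker_host) return PREFLIGHT_NO_HOST;
    if (c->broker_trusted)                    return PREFLIGHT_OK;
    if (!c->broker_cert_dn || !dn_common_name(c->broker_cert_dn, cn, sizeof cn))
        return PREFLIGHT_NO_CN;
    if (!host_equal(cn, c->broker_host))      return PREFLIGHT_CN_MISMATCH;
    return PREFLIGHT_OK;
}

#ifdef HAVE_MQCRT
#include <mqcrt.h>
/* Steps 1, 2 and 7 as MQ C API calls: MQInitializeSSL exactly once, before any
 * connection (SSL or not) exists, then the properties, then the connection. */
MQStatus mq_connect_ssl(const mq_ssl_config *c, MQConnectionHandle *conn)
{
    MQPropertiesHandle props = MQ_INVALID_HANDLE;
    MQStatus status = MQInitializeSSL(c->nss_dir);          /* Step 7 */
    if (MQStatusIsError(status)) return status;
    if (MQStatusIsError(status = MQCreateProperties(&props))) return status;
    if (!MQStatusIsError(status = MQSetStringProperty(props, MQ_CONNECTION_TYPE_PROPERTY, "SSL")) &&
        !MQStatusIsError(status = MQSetStringProperty(props, MQ_BROKER_HOST_PROPERTY, c->broker_host)) &&
        !MQStatusIsError(status = MQSetInt32Property(props, MQ_BROKER_PORT_PROPERTY, c->broker_port)) &&
        !MQStatusIsError(status = MQSetBoolProperty(props, MQ_SSL_BROKER_IS_TRUSTED,
                                                    c->broker_trusted ? MQ_TRUE : MQ_FALSE)))
        /* "guest"/"guest" is an assumed test account; no exception listener */
        status = MQCreateConnection(props, "guest", "guest", NULL, NULL, NULL, conn);
    if (MQStatusIsError(status)) {
        MQString msg = MQGetStatusString(status);
        fprintf(stderr, "MQ error: %s\n", msg);
        MQFreeString(msg);
        MQFreeProperties(props);   /* the connection owns props only after success */
    }
    return status;
}
#endif
```

A caller fills in an mq_ssl_config (for instance nss_dir "/etc/mqclient/nss", broker_host "broker.example.com", broker_port 7676, broker_trusted 0 and the DN shown by certutil -L -n brokercert -d /etc/mqclient/nss), refuses to proceed unless mq_ssl_preflight returns PREFLIGHT_OK, and only then calls mq_connect_ssl. The point of running the CN check before MQInitializeSSL is that the mismatch is reported as a configuration error rather than surfacing later as a failed handshake, and that a trusted-broker configuration is made visible as a deliberate choice rather than a default nobody noticed.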