Sun ONE logo     Previous      Contents      Index      Next     
Sun ONE Message Queue, Version 3.0.1 Administrator's Guide



Appendix B   HTTP/HTTPS Support (Enterprise Edition)

The Sun™ ONE Message Queue (MQ) Enterprise Edition (see "Product Editions") includes support for both HTTP and HTTPS connections. (HTTPS is a secure connection over HTTP, using the Secure Socket Layer standard.) This support allows client applications to communicate with the broker using the HTTP protocol instead of direct TCP connections. This appendix describes the architecture used to implement this support and explains the setup work needed to allow clients to use HTTP-based connections for MQ messaging.

HTTP/HTTPS Support Architecture

MQ messaging can be run on top of HTTP/HTTPS connections. Because HTTP/HTTPS connections are normally allowed through firewalls, this allows client applications to be separated from a broker by a firewall.

Figure B-1 shows the main components involved in providing HTTP/HTTPS support.

  • On the client side, an HTTP transport driver encapsulates the MQ message into an HTTP request and makes sure that these requests are sent to the Web server in the correct sequence.
  • The JMS client can use an HTTP proxy server to communicate with the broker if necessary. The proxy's address is specified using command line options when starting the client. See "Using an HTTP Proxy" for more information.
  • An HTTP or HTTPS tunnel servlet (both bundled with MQ) is loaded in the web server and used to pull JMS messages out of client HTTP requests before forwarding them to the broker. The HTTP/HTTPS tunnel servlet also sends broker messages back to the client in response to HTTP requests made by the client. A single HTTP/HTTPS tunnel servlet can be used to access multiple brokers.

Figure B-1    HTTP/HTTPS Support Architecture
Diagram showing how an http proxy and http tunnel servlet enable messages to go through firewalls. Figure explained in text.

  • On the broker side, the httpjms or httpsjms connection service unwraps and demultiplexes incoming messages from the corresponding tunnel servlet.
  • If the Web server fails and is restarted, all connections are restored and there is no effect on clients. If the broker fails and is restarted, an exception is thrown and clients must re-establish their connections. In the unlikely case that both the Web server and the broker fail, and the broker is not restarted, the Web server will restore client connections and continue waiting for a broker connection— without notifying clients. To avoid this situation, always restart the broker.

As you can see from Figure B-1, the architecture for HTTP and HTTPS support are very similar. The main difference is that, in the case of HTTPS (httpsjms connection service), the tunnel servlet has a secure connection to both the client application and broker.

The secure connection to the broker is provided through an SSL-enabled tunnel servlet—MQ's HTTPS tunnel servlet—which passes a self-signed certificate to any broker requesting a connection. The certificate is used by the broker to set up an encrypted connection to the HTTPS tunnel servlet. Once this connection is established, a secure connection between a client application and the tunnel servlet can be negotiated by the client application and the web server.

Implementing HTTP Support

The following sections describe the steps you need to take to implement HTTP support.

To implement HTTP support

  1. Deploy the HTTP tunnel servlet on a web server.
  2. Configure the broker's httpjms connection service and start the broker.
  3. Configure an HTTP connection.

Step 1. Deploying the HTTP Tunnel Servlet on a Web Server

There are two general ways you can deploy the HTTP tunnel servlet on a web server:

  • deploying it as a jar file—for web servers that support Servlet 2.1 or earlier
  • deploying it as a web archive (WAR) file—for web servers that support Servlet 2.2 or later

Deploying as a Jar File

Deploying the MQ tunnel servlet consists of making the appropriate jar files accessible to the host web server and configuring that web server to load the servlet on startup.

The tunnel servlet jar file (imqservlet.jar) contains all the classes needed by the HTTP tunnel servlet and is located in the following directory:

IMQ_HOME/lib (/usr/share/lib/imq on Solaris)

Any web server with servlet 2.x support can be used to load this servlet. The servlet class name is:

com.sun.messaging.jmq.transport.
httptunnel.servlet.HttpTunnelServlet

The web server must be able to see the imqservlet.jar file. If you are planning to run the web server and the broker on different hosts, you should place a copy of the imqservlet.jar file in a location where the web server can access it.

You also need to configure the web server to load this servlet on startup (see "Example: Deploying the HTTP Tunnel Servlet").

It is also recommended that you disable your web server's access logging feature in order to improve performance.

Deploying as a Web Archive File

Deploying the HTTP tunnel servlet as a WAR file consists of using the deployment mechanism provided by the web server. The HTTP tunnel servlet WAR file (imqhttp.war) is located in the following directory:

IMQ_HOME/lib (/usr/share/lib/imq on Solaris)

The WAR file includes a deployment descriptor that contains the basic configuration information needed by the web server to load and run the servlet.

Step 2. Configuring the httpjms Connection Service

HTTP support is not enabled by default for an MQ 3.0.1 broker, so you need to reconfigure the broker to enable the httpjms connection service. Once reconfigured, the broker can be started as outlined in "Starting a Broker".

To enable the httpjms connection service

  1. Open the broker's instance configuration file at the following location:
  2. IMQ_VARHOME/instances/brokerName/props/config.properties
    (/var/imq/instances/brokerName/props/config.properties on Solaris)

    where brokerName is the name of the broker instance.

  3. Add the httpjms value to the imq.service.activelist property:
  4. imq.service.activelist=jms,admin,httpjms

At startup, the broker looks for a web server and HTTP tunnel servlet running on its host machine. To access a remote tunnel servlet, however, you can reconfigure the servletHost and servletPort connection service properties.

You can also reconfigure the pullPeriod property to improve performance. The httpjms connection service configuration properties are detailed in Table B-1.

Table B-1    httpjms Connection Service Properties 

Property Name

Description

imq.httpjms.http.
servletHost

 

Change this value, if necessary, to specify the name of the host (hostname or IP address) on which the HTTP tunnel servlet is running. (This can be a remote host or a specific hostname on a local host.) Default: localhost

 
imq.httpjms.http.
servletPort

 

Change this value to specify the port number that the broker uses to access the HTTP tunnel servlet. (If the default port is changed on the Web server, then you must change this property accordingly.) Default: 7675

 
imq.httpjms.http.
pullPeriod

 

Specifies the interval, in seconds, between HTTP requests made by each client to pull messages from the broker. If the value is zero or negative, the client keeps one HTTP request pending at all times, ready to pull messages as fast as possible. With a large number of clients, this can be a heavy drain on web server resources and the server may become unresponsive. In such cases, you should set the pullPeriod property to a positive number of seconds. This sets the time the client's HTTP transport driver waits before making subsequent pull requests. Setting the value to a positive number conserves web server resources at the expense of the response times observed by clients. Default: -1

 

Step 3. Configuring an HTTP Connection

A client application must use an appropriately configured connection factory administered object to make an HTTP connection to a broker. This section discusses HTTP connection configuration issues.

Setting Connection Factory Attributes

To implement HTTP support, you set the following connection factory attributes (see "Connection Factory Administered Objects"):

  • Set the imqConnectionType attribute to HTTP
  • Set the imqConnectionURL to the HTTP tunnel servlet URL
  • http://hostName:port/imq/tunnel

You can set connection factory attributes in one of the following ways:

  • Using the -o option to the imqobjmgr command that creates the connection factory administered object (see "Adding a Connection Factory"), or set the attribute when creating the connection factory administered object using the Administration Console (imqadmin).
  • Using the -D option to the command that launches the client application (see the MQ Developer's Guide).
  • Using a JMS API call to set the attributes of a connection factory after you create it programmatically in client application code (see the MQ Developer's Guide).

Using a Single Servlet to Access Multiple Brokers

You do not need to configure multiple web servers and servlet instances if you are running multiple brokers. You can share a single web server and HTTP tunnel servlet instance among concurrently running brokers. In order to do this, you must configure the imqConnectionURL connection factory attribute as shown below:

http://hostName:port/imq/tunnel?ServerName=hostName:brokerName

Where hostName is the broker host name and brokerName is the name of the specific broker instance you want your client to access.

To check that you have entered the correct strings for hostName and brokerName, generate a status report for the HTTP tunnel servlet by accessing the servlet URL from a browser. The report lists all brokers being accessed by the servlet:


HTTP tunnel servlet ready.
Servlet Start Time : Thu May 30 01:08:18 PDT 2002
Accepting TCP connections from brokers on port : 7675
Total available brokers = 2
Broker List :
   jpgserv:broker2
   cochin:broker1

Using an HTTP Proxy

If you are using an HTTP proxy to access the HTTP tunnel servlet:

  • Set http.proxyHost system property to the proxy server host name.
  • Set http.proxyPort system property to the proxy server port number.

You can set these properties using the -D option to the command that launches the client application.

Example: Deploying the HTTP Tunnel Servlet

This section describes how you deploy the HTTP tunnel servlet both as a jar file and as a WAR file on the Sun ONE WEB Server. The approach you use depends on the version of Sun ONE Web Server: If it does not support Servlet 2.2 or later, it will not be able to handle WAR file deployment.

Deploying as a Jar File

The instructions below refer to deployment on Sun ONE Web Server, FastTrack Edition 4.1 using the browser-based administration GUI. This procedure consists of the following general steps:

  1. add a servlet
  2. configure the servlet virtual path
  3. load the servlet
  4. disable the servlet access log

These steps are described in the following subsections. You can verify successful HTTP tunnel servlet deployment by accessing the servlet URL using a web browser. It should display status information.

Adding a Servlet

To add a tunnel servlet

  1. Select the Servlets tab.
  2. Choose Configure Servlet Attributes.
  3. Specify a name for the tunnel servlet in the Servlet Name field.
  4. Set the Servlet Code (class name) field to the following value:
  5. com.sun.messaging.jmq.transport.
    httptunnel.servlet.HttpTunnelServlet

  6. Enter the complete path to the imqservlet.jar in the Servlet Classpath field. For example:
  7. IMQ_HOME/lib/imqservlet.jar
    (/usr/share/lib/imq/imqservlet.jar on Solaris)

  8. In the Servlet args field, enter any optional arguments, as shown in Table B-2:
  9. Table B-2    Servlet Arguments for Deploying HTTP Tunnel Servlet Jar File

    Argument

    Default Value

    Reference

    servletHost

     

    all hosts

     

    See Table B-1

     

    servletPort

     

    7675

     

    See Table B-1

     

    If using both arguments, separate them with a comma:

    servletPort=portnumber, servletHost=...

    The serverHost and serverPort argument apply only to communication between the Web Server and broker, and are set only if the default values are problematic. However, in that case, you also have to set the broker configuration properties accordingly (see Table B-1), for example:

    imq.httpjms.http.servletPort

Configuring a Servlet Virtual Path (Servlet URL)

To configure a virtual path (servlet URL) for a tunnel servlet

  1. Select the Servlets tab.
  2. Choose Configure Servlet Virtual Path Translation.
  3. Set the Virtual Path field.
  4. For example, if you want the URL to be http://hostName:port/imq/tunnel, enter the following string in the Virtual Path field.

    /imq/tunnel

  5. Set the Servlet Name field to the same value as in Step 3 in "Adding a Servlet".

Loading a Servlet

To load the tunnel servlet at web server startup

  1. Select the Servlets tab.
  2. Choose Configure Global Attributes.
  3. In the Startup Servlets field, enter the same servlet name value as in Step 3 in "Adding a Servlet".

Disabling a Server Access Log

You do not have to disable the server access log, but you will obtain better performance if you do.

To disable the server access log

  1. Select the Status tab.
  2. Choose the Log Preferences Page.
  3. Use the Log client accesses control to disable logging

Deploying as a WAR File

The instructions below refer to deployment on Sun ONE Web Server 6.0 Service
Pack 2. You can verify successful HTTP tunnel servlet deployment by accessing the servlet URL using a web browser. It should display status information.

To deploy the http tunnel servlet as a WAR file

  1. In the browser-based administration GUI, select the Virtual Server Class tab and select Manage Classes.
  2. Select the appropriate virtual server class name (e.g. defaultclass) and click the Manage button.
  3. Select Manage Virtual Servers.
  4. Select an appropriate virtual server name and click the Manage button.
  5. Select the Web Applications tab.
  6. Click on Deploy Web Application.
  7. Select the appropriate values for the WAR File On and WAR File Path fields so as to point to the imqhttp.war file. It can be found in the following directory:
  8. IMQ_HOME/lib (/usr/share/lib/imq on Solaris)

  9. Enter "/imq" (without the quotes) in the Application URI field.
  10. Enter the installation directory path (typically somewhere under the Sun ONE Web Server installation root) where the servlet should be deployed.
  11. Click OK.
  12. Restart the web server instance.

The servlet is now available at the following address:

http://hostName:port/imq/tunnel

Clients can now use this URL to connect to the message service using an HTTP connection.

Implementing HTTPS Support

The following sections describe the steps you need to take to implement HTTPS support. They are similar to those in "Implementing HTTP Support" with the addition of steps needed to generate and access SSL certificates.

To implement HTTPS support

  1. Generate a self-signed certificate for the HTTPS tunnel servlet.
  2. Deploy the HTTPS tunnel servlet on a web server.
  3. Configure the broker's httpsjms connection service and start the broker.
  4. Configure an HTTPS connection.

Each of these steps is discussed in more detail in the sections that follow.

Step 1. Generating a Self-signed Certificate for the HTTPS Tunnel Servlet

SSL Support in MQ 3.0.1 is oriented toward securing on-the-wire data with the assumption that the client is communicating with a known and trusted server. Therefore in MQ 3.0.1, SSL is implemented using only self-signed server certificates. In the httpsjms connection service architecture, the HTTPS tunnel servlet plays the role of server to both broker and application client.

Run the imqkeytool utility to generate a self-signed certificate for the tunnel servlet. Enter the following at the command prompt:

imqkeytool -servlet keystore_location

The utility will prompt you for the information it needs. (On Unix systems you may need to run imqkeytool as the superuser (root) in order to have permission to create the keystore.)

First, imqkeytool prompts you for a keystore password, then it prompts you for some organizational information, and then it prompts you for confirmation. After it receives the confirmation, it pauses while it generates a key pair. It then asks you for a password to lock the particular key pair (key password); you should enter Return in response to this prompt: this makes the key password the same as the keystore password.



Note

Remember the password you provide—you will need to provide this password later to the tunnel servlet so it can open the keystore.



Running imqkeytool runs the JDK keytool utility to generate a self-signed certificate and to place it in MQ's keystore file located as specified in the keystore_location argument. (The keystore is in the same keystore format as that supported by the JDK1.2 keytool.)



Note

The HTTPS tunnel servlet must be able to see the keystore. Make sure you move/copy the generated keystore located in keystore_location to a location accessible by the HTTPS tunnel servlet (see "Step 2. Deploying the HTTPS Tunnel Servlet on a Web Server").



Step 2. Deploying the HTTPS Tunnel Servlet on a Web Server

There are two general ways you can deploy the HTTPS tunnel servlet on a web server:

  • deploying it as a jar file—for web servers that support Servlet 2.1 or earlier
  • deploying it as a web archive (WAR) file—for web servers that support Servlet 2.2 or later

In either case, you should make sure that encryption is activated for the web server, enabling end to end secure communication between the client and broker.

Deploying as a Jar File

Deploying the MQ tunnel servlet consists of making the appropriate jar files accessible to the host web server and configuring that web server to load the servlet on startup.

The tunnel servlet jar file (imqservlet.jar) contains all the classes needed by the HTTPS tunnel servlet and is located in the following directory:

IMQ_HOME/lib (/usr/share/lib/imq on Solaris)

Any web server with servlet 2.x support can be used to load this servlet. The servlet class name is:

com.sun.messaging.jmq.transport.
httptunnel.servlet.HttpsTunnelServlet
.

The web server must be able to see the imqservlet.jar file. If you are planning to run the web server and the broker on different hosts, you should place a copy of the imqservlet.jar file in a location where the web server can access it.

You also need to configure the web server to load this servlet on startup (see "Example: Deploying the HTTPS Tunnel Servlet").

Make sure that the JSSE jar files are in the classpath for running servlets in the web server. Check the web server's documentation for how to do this.

An important aspect of configuring the web server is specifying the location and password of the self-signed certificate to be used by the HTTPS tunnel servlet to establish a secure connection with a broker. You have to place the keystore created in "Step 1. Generating a Self-signed Certificate for the HTTPS Tunnel Servlet" in a location accessible by the HTTPS tunnel servlet.

It is also recommended that you disable your web server's access logging feature in order to improve performance.

Deploying as a Web Archive File

Deploying the HTTPS tunnel servlet as a WAR file consists of using the deployment mechanism provided by the web server. The HTTPS tunnel servlet WAR file (imqhttps.war) is located in the following directory:

IMQ_HOME/lib (/usr/share/lib/imq on Solaris)

The WAR file includes a deployment descriptor that contains the basic configuration information needed by the web server to load and run the servlet.

However, the deployment descriptor of the imqhttps.war file cannot know where you have placed the keystore file needed by the tunnel servlet (see "Step 1. Generating a Self-signed Certificate for the HTTPS Tunnel Servlet"). This requires you to edit the tunnel servlet's deployment descriptor (an XML file) to specify the keystore location before deploying the imqhttps.war file.

Step 3. Configuring the httpsjms Connection Service

HTTPS support is not enabled by default for an MQ 3.0.1 broker, so you need to reconfigure the broker to enable the httpsjms connection service. Once reconfigured, the broker can be started as outlined in "Starting a Broker".

To enable the httpsjms connection service

  1. Open the broker's instance configuration file at the following location:
  2. IMQ_VARHOME/instances/brokerName/props/config.properties
    (/var/imq/instances/brokerName/props/config.properties on Solaris)

    where brokerName is the name of the broker instance.

  3. Add the httpsjms value to the imq.service.activelist property:
  4. imq.service.activelist=jms,admin,httpsjms

At startup, the broker looks for a web server and HTTPS tunnel servlet running on its host machine. To access a remote tunnel servlet, however, you can reconfigure the servletHost and servletPort connection service properties.

You can also reconfigure the pullPeriod property to improve performance. The httpsjms connection service configuration properties are detailed in Table B-3.

Table B-3    httpsjms Connection Service Properties 

Property Name

Description

imq.httpsjms.https.
servletHost

 

Change this value, if necessary, to specify the name of the host (hostname or IP address) on which the HTTPS tunnel servlet is running. (This can be a remote host or a specific hostname on a local host.) Default: localhost

 
imq.httpsjms.https.
servletPort

 

Change this value to specify the port number that the broker uses to access the HTTPS tunnel servlet. (If the default port is changed on the Web server, then you must change this property accordingly.) Default: 7674

 
imq.httpsjms.https.
pullPeriod

 

Specifies the interval, in seconds, between HTTP requests made by each client to pull messages from the broker. If the value is zero or negative, the client keeps one HTTP request pending at all times, ready to pull messages as fast as possible. With a large number of clients, this can be a heavy drain on web server resources and the server may become unresponsive. In such cases, you should set the pullPeriod property to a positive number of seconds. This sets the time the client's HTTP transport driver waits before making subsequent pull requests. Setting the value to a positive number conserves web server resources at the expense of the response times observed by clients. Default: -1

 

Step 4. Configuring an HTTPS Connection

A client application must use an appropriately configured connection factory administered object to make an HTTPS connection to a broker.

However, the client must also have access to SSL libraries provided by the Java Secure Socket Extension (JSSE) and must also have a root certificate. The SSL libraries are bundled with JDK 1.4. If you have an earlier JDK version, see "Configuring JSSE," otherwise proceed to "Importing a Root Certificate."

Once these issues are resolved, you can proceed to configuring the HTTPS connection.

Configuring JSSE

To configure JSSE

  1. Copy the JSSE jar files to the JRE_HOME/lib/ext directory.
  2. jsse.jar, jnet.jar, jcert.jar

  3. Statically add the JSSE security provider by adding
  4. security.provider.n=com.sun.net.ssl.internal.ssl.Provider

    to the JRE_HOME/lib/security/java.security file (where n is the next available priority number for security provider package).

  5. If not using JDK1.4, you need to set the following JSSE property using the -D option to the command that launches the client application:
  6. java.protocol.handler.pkgs=com.sun.net.ssl.internal.www.protocol

Importing a Root Certificate

If the root certificate of the CA who signed your web server's certificate is not in the trust database by default or if you are using a proprietary web server certificate, you have to add that certificate to the trust database. If this is the case, follow the instruction below, otherwise go to "Setting Connection Factory Attributes".

Assuming that the certificate is saved in cert_file and that trust_store_file is your keystore, run the following command:

JRE_HOME/bin/keytool -import -trustcacerts
-alias alias_for_certificate -file cert_file
-keystore trust_store_file

Answer YES to the question: Trust this certificate?

You also need to specify the following JSSE properties using the -D option to the command that launches the client application:

javax.net.ssl.trustStore=trust_store_file

javax.net.ssl.trustStorePassword=trust_store_passwd

Setting Connection Factory Attributes

To implement HTTPS support, you set the following connection factory attributes (see "Connection Factory Administered Objects"):

  • Set the imqConnectionType attribute to HTTP
  • The secure connection to the broker is achieved through deploying and connecting through the HTTPS tunnel servlet rather than the HTTP tunnel servlet. Both use the same connection type, however.

  • Set the imqConnectionURL to the HTTPS tunnel servlet URL
  • https://hostName:port/imq/tunnel

You can set connection factory attributes in one of the following ways:

  • Using the -o option to the imqobjmgr command that creates the connection factory administered object (see "Adding a Connection Factory"), or set the attribute when creating the connection factory administered object using the Administration Console (imqadmin).
  • Using the -D option to the command that launches the client application (see the MQ Developer's Guide).
  • Using a JMS API call to set the attributes of a connection factory after you create it programmatically in client application code (see the MQ Developer's Guide).

Using a Single Servlet to Access Multiple Brokers

You do not need to configure multiple web servers and servlet instances if you are running multiple brokers. You can share a single web server and HTTPS tunnel servlet instance among concurrently running brokers. In order to do this, you must configure the imqConnectionURL connection factory attribute as shown below:

https://hostName:port/imq/tunnel?ServerName=hostName:brokerName

Where hostName is the broker host name and brokerName is the name of the specific broker instance you want your client to access.

To check that you have entered the correct strings for hostName and brokerName, generate a status report for the HTTPS tunnel servlet by accessing the servlet URL from a browser. The report lists all brokers being accessed by the servlet:


HTTPS tunnel servlet ready.
Servlet Start Time : Thu May 30 01:08:18 PDT 2002
Accepting TCP connections from brokers on port : 7674
Total available brokers = 2
Broker List :
   jpgserv:broker2
   cochin:broker1

Using an HTTP Proxy

If you are using an HTTP proxy to access the HTTPS tunnel servlet:

  • Set http.proxyHost system property to the proxy server host name.
  • Set http.proxyPort system property to the proxy server port number.

You can set these properties using the -D option to the command that launches the client application.

Example: Deploying the HTTPS Tunnel Servlet

This section describes how you deploy the HTTPS tunnel servlet both as a jar file and as a WAR file on the Sun ONE Web Server. The approach you use depends on the version of Sun ONE Web Server: If it does not support Servlet 2.2 or later, it will not be able to handle WAR file deployment.

Deploying as a Jar File

The instructions below refer to deployment on Sun ONE Web Server, FastTrack Edition 4.1 using the browser-based administration GUI. This procedure consists of the following general steps:

  1. add a servlet
  2. configure the servlet virtual path
  3. load the servlet
  4. disable the servlet access log

These steps are described in the following subsections. You can verify successful HTTP tunnel servlet deployment by accessing the servlet URL using a web browser. It should display status information.

Adding a Servlet

To add a tunnel servlet

  1. Select the Servlets tab.
  2. Choose Configure Servlet Attributes.
  3. Specify a name for the tunnel servlet in the Servlet Name field.
  4. Set the Servlet Code (class name) field to the following value:
  5. com.sun.messaging.jmq.transport.
    httptunnel.servlet.HttpsTunnelServlet

  6. Enter the complete path to the imqservlet.jar in the Servlet Classpath field. For example:
  7. IMQ_HOME/lib/imqservlet.jar
    (/usr/share/lib/imq/imqservlet.jar on Solaris)

  8. In the Servlet args field, enter required and optional arguments, as shown in Table B-4.
  9. Table B-4    Servlet Arguments for Deploying HTTPS Tunnel Servlet Jar File

    Argument

    Default Value

    Required?

    See Also

    keystoreLocation
     

    none

     

    Yes

     

    Table 8-8

     
    keystorePassword
     

    none

     

    Yes

     

    Table 8-8

     
    serverHost
     

    all hosts

     

    No

     

    Table B-3

     
    serverPort
     

    7674

     

    No

     

    Table B-3

     

    Separate the arguments with a comma, for example:

    keystoreLocation=keystore_location,keystorePassword=keystore_password, servletPort=portnumber

    The serverHost and serverPort argument apply only to communication between the Web Server and broker, and are set only if the default values are problematic. However, in that case, you also have to set the broker configuration properties accordingly (see Table B-3), for example:

    imq.httpsjms.https.servletPort

Configuring a Servlet Virtual Path (Servlet URL)

To configure a virtual path (servlet URL) for a tunnel servlet

  1. Select the Servlets tab.
  2. Choose Configure Servlet Virtual Path Translation.
  3. Set the Virtual Path field.
  4. For example, if you want the URL to be http://hostName:port/imq/tunnel, enter the following string in the Virtual Path field.

    /imq/tunnel

  5. Set the Servlet Name field to the same value as in Step 3 in "Adding a Servlet".

Loading a Servlet

To load the tunnel servlet at web server startup

  1. Select the Servlets tab.
  2. Choose Configure Global Attributes.
  3. In the Startup Servlets field, enter the same servlet name value as in Step 3 in "Adding a Servlet".

Disabling a Server Access Log

You do not have to disable the server access log, but you will obtain better performance if you do.

To disable the server access log

  1. Select the Status tab.
  2. Choose the Log Preferences Page.
  3. Use the Log client accesses control to disable logging

Deploying as a WAR File

The instructions below refer to deployment on Sun ONE Web Server 6.0 Service
Pack 2. You can verify successful HTTPS tunnel servlet deployment by accessing the servlet URL using a web browser. It should display status information.

Before deploying the HTTPS tunnel servlet, make sure that JSSE jar files are included in the web server's classpath. The simplest way to do this is to copy the jsse.jar, jnet.jar, and jcert.jar to IWS60_TOPDIR/bin/https/jre/lib/ext.

Also, before deploying the HTTPS tunnel servlet, you have to modify its deployment descriptor to point to the location where you have placed the keystore file and to specify the keystore password.

To modify the HTTPS tunnel servlet WAR file

  1. Copy the WAR file to a temporary directory.
  2. $ cp IMQ_HOME/lib/imqhttps.war /tmp
    ($ cp /usr/share/lib/imq/imqhttps.war /tmp on Solaris)

  3. Make the temporary directory your current directory.
  4. $ cd /tmp

  5. Extract the contents of the WAR file.
  6. $ jar xvf imqhttps.war

  7. List the WAR file's deployment descriptor.
  8. $ ls -l WEB-INF/web.xml

  9. Edit the web.xml file to provide correct values for the keystoreLocation and keystorePassword arguments (as well as serverPort and serverHost arguments, if necessary).
  10. Re-assemble the contents of the WAR file.
  11. $ jar uvf imqhttps.war WEB-INF/web.xml

You are now ready to use the modified imqhttps.war file to deploy the HTTPS tunnel servlet. (If you are concerned about exposure of the keystore password, you can use file system permissions to restrict access to the imqhttps.war file.)

To deploy the https tunnel servlet as a WAR file

  1. In the browser-based administration GUI, select the Virtual Server Class tab. Click Manage Classes.
  2. Select the appropriate virtual server class name (e.g. defaultclass) and click the Manage button.
  3. Select Manage Virtual Servers.
  4. Select an appropriate virtual server name and click the Manage button.
  5. Select the Web Applications tab.
  6. Click on Deploy Web Application.
  7. Select the appropriate values for the WAR File On and WAR File Path fields so as to point to the modified imqhttps.war file (see "To modify the HTTPS tunnel servlet WAR file".)
  8. Enter "/imq" (without the quotes) in the Application URI field.
  9. Enter the installation directory path (typically somewhere under the Sun ONE Web Server installation root) where the servlet should be deployed.
  10. Click OK.
  11. Restart the web server instance.

The servlet is now available at the following address:

https://hostName:port/imq/tunnel

Clients can now use this URL to connect to the message service using a secure HTTPS connection.


Previous      Contents      Index      Next     
Copyright 2002 Sun Microsystems, Inc. All rights reserved.


Part Number 817-0354-10