To make HTTP/HTTPS connections to a broker, a client application needs an appropriately configured connection factory administered object. Before configuring the connection factory, clients wishing to use secure HTTPS connections must also have access to SSL libraries provided by the Java Secure Socket Extension (JSSE) and must obtain a trusted root certificate.
If the root certificate of the certification authority (CA) that signed your application server’s (or Web server’s) certificate is not in the trust store by default, or if you are using a proprietary application server or Web server certificate, you must install the root certificate in the trust store. (This step is not needed for ordinary, non-secure HTTP connections, or if the CA’s root certificate is already in the trust store by default.)
Import the root certificate.
Execute the command
JRE_HOME/bin/keytool -import -trustcacerts -alias certAlias -file certFile -keystore trustStoreFile
where certFile is the file containing the root certificate, certAlias is the alias representing the certificate, and trustStoreFile is the file containing your trust store.
Confirm that you trust the certificate.
Answer YES to the question Trust this certificate?
Identify the trust store to the client application.
In the command that launches the client application, use the -D option to specify the following properties:
javax.net.ssl.trustStore=trustStoreFile
javax.net.ssl.trustStorePassword=trustStorePassword
To enable HTTP/HTTPS support, you need to set the connection factory’s imqAddressList attribute to the URL of the HTTP/HTTPS tunnel servlet. The URL has the form
http://hostName:portNumber/contextRoot/tunnel
or
https://hostName:portNumber/contextRoot/tunnel
where hostName:portNumber is the host name and port number of the application server or Web server hosting the tunnel servlet and contextRoot is the context root directory you specified when deploying the tunnel servlet on the server, as described above under Step 4 (HTTP and HTTPS): Deploying the Tunnel Servlet.
You can set the imqAddressList attribute in any of the following ways:
Use the -o option to the imqobjmgr command that creates the connection factory administered object (see Adding a Connection Factory).
Set the attribute when creating the connection factory administered object using the Administration Console (imqadmin).
Use the -D option to the command that launches the client application.
Use an API call to set the attributes of the connection factory after you create it programmatically in client application code (see the Message Queue Developer’s Guide for Java Clients).
It is not necessary to configure multiple application or Web servers and tunnel servlets in order to access multiple brokers; you can share a single server instance and tunnel servlet among them. To do this, you must configure the imqAddressList connection factory attribute as follows:
http://hostName:portNumber/contextRoot/tunnel?ServerName=brokerHostName:instanceName
or
https://hostName:portNumber/contextRoot/tunnel?ServerName=brokerHostName:instanceName
where brokerHostName is the broker instance host name and instanceName is the name of the specific broker instance you want your client to access.
To check that you have entered the correct values for brokerHostName and instanceName, generate a status report for the HTTP/HTTPS tunnel servlet by accessing the servlet URL from a browser:
http://localhost:8080/imqhttp/tunnel
The report lists all brokers being accessed by the servlet, as shown in Example C–1.
To use an HTTP proxy to access the HTTPS tunnel servlet, set the system properties http.proxyHost and http.proxyPort to the proxy server’s host name and port number. You can set these properties using the -D option to the command that launches the client application.
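The client launch options described in this section, as an added shell example that is not part of the original guide: it builds the imqAddressList tunnel URL (with the optional ServerName parameter) and the -D trust store properties for an HTTPS connection. The function names tunnel_url and client_jvm_opts, the host names, and the instance names are assumptions made for illustration.

```shell
# Added example; function names and sample values are constructed.
# usage: tunnel_url scheme hostName portNumber contextRoot [brokerHostName instanceName]
tunnel_url() {
    case "$1" in
        http|https) ;;
        *) echo "scheme must be http or https: $1" >&2; return 1 ;;
    esac
    case "$3" in
        ''|*[!0-9]*) echo "portNumber must be numeric: $3" >&2; return 1 ;;
    esac
    url="$1://$2:$3/$4/tunnel"
    # A shared tunnel servlet selects the broker through ServerName.
    if [ -n "$5$6" ]; then
        [ -n "$5" ] && [ -n "$6" ] ||
            { echo "need both brokerHostName and instanceName" >&2; return 1; }
        url="$url?ServerName=$5:$6"
    fi
    printf '%s\n' "$url"
}

# usage: client_jvm_opts url [trustStoreFile trustStorePassword]
client_jvm_opts() {
    case "$1" in
        https://*)
            # With no trust store argument the JRE default trust store is used.
            if [ -n "$2" ]; then
                [ -r "$2" ] || { echo "trust store unreadable: $2" >&2; return 1; }
                printf '%s\n' "-Djavax.net.ssl.trustStore=$2" \
                              "-Djavax.net.ssl.trustStorePassword=$3"
            fi ;;
        http://*) ;;
        *) echo "not a tunnel servlet URL: $1" >&2; return 1 ;;
    esac
    printf '%s\n' "-DimqAddressList=$1"
}

# Constructed sample: one tunnel servlet shared by two broker instances.
for inst in broker1.example.com:imqbroker broker2.example.com:orders; do
    url=$(tunnel_url https web.example.com 8443 imqhttp "${inst%%:*}" "${inst##*:}") &&
        client_jvm_opts "$url"
done
```

Each line printed by client_jvm_opts is one option to place on the java command that launches the client application.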