Configuring a Oracle Java CAPS JMS IQ Manager to Use SSL

Oracle Java CAPS JMS IQ Manager provides a self-signed server certificate. You can set the authentication mode to Authenticate or TrustAll.

• If the mode is Authenticate, then clients authenticate the server certificate that the message server sends. The clients need to use their trust store.

• If the mode is TrustAll, then clients always trust the message server that they connect to. The clients do not need to use their trust store.

The default mode is TrustAll. You can replace the Oracle Java CAPS JMS IQ Manager’s self-signed server certificate with your own server certificate.

Configuring the Message Server URL

You can configure SSL for the Oracle Java CAPS JMS IQ Manager by editing an Environment property.

To Configure the Message Server URL

1. In the Services window of the NetBeans IDE, expand the CAPS Environment in which the JMS IQ Manager is located.
2. Right-click the JMS IQ Manager and choose Properties.

   The Properties dialog box appears.

   
   
3. Ensure that the Oracle Java CAPS JMS IQ Manager URL property begins with stcmss and includes the SSL port number of the JMS IQ Manager. For example:

   stcmss://localhost:18008

4. If you want clients to authenticate the server certificate that the message server sends, then append the string com.stc.jms.ssl.authenticationmode=Authenticate to the Oracle Java CAPS JMS IQ Manager URL property. For example:

   stcmss://localhost:18008?com.stc.jms.ssl.authenticationmode=Authenticate

5. If you want clients to always trust the message server that they connect to, then append the string com.stc.jms.ssl.authenticationmode=TrustAll to the Oracle Java CAPS JMS IQ Manager URL property. For example:

   stcmss://localhost:18008?com.stc.jms.ssl.authenticationmode=TrustAll

6. Click OK.

External JMS Clients

By default, JMS clients that are deployed inside the GlassFish Application Server use the default keystore and trust store. External JMS clients must set the following properties in the connection factory:

• com.stc.jms.ssl.authenticationmode

• javax.net.ssl.trustStore

Changing the Self-Signed Server Certificate

You can replace the Oracle Java CAPS JMS IQ Manager’s self-signed server certificate with your own server certificate.

This procedure makes the following assumptions:

• You have a server certificate in PEM format. The file name is mycacert.pem. The common name of the owner and issuer is mycertuserid. The password is mycertpassword.

• You have a private key in PEM format. The file name is mycakey.pem.

To Change the Self-Signed Server Certificate

1. Import your server certificate into the default trust store of the GlassFish Application Server. The trust store is located in the JavaCAPS-install-dir/appserver/domains/domain-name/config directory.

   keytool -import -alias stcmscert -file mycacert.pem -keystore cacerts.jks

   For the -alias option, you can use any value.

2. Convert your server certificate and private key from PEM format to PKCS #12 format. You can use the pkcs12 command of the openssl command-line tool to export a file that contains both the server certificate and the private key.

   openssl pkcs12 -export -in mycacert.pem -inkey mycakey.pem -out mycert.p12
   -name "stcmscert"

3. Make the following changes to the files:
   1. Change the name of the server certificate file from mycacert.pem to stcmscert.pem.
   2. Change the name of the private key file from mycakey.pem to stcmskey.pem.
   3. (UNIX only) Copy the stcmscert.pem file to a new file called stcmscert.cer.
   4. (Windows only) Change the name of the PKCS #12 file from mycert.p12 to stcmscert.cer.
4. Copy the stcmscert.pem, stcmskey.pem, and stcmscert.cer files into the JavaCAPS-install-dir/appserver/addons/stcms/templates directory.
5. If you already created an instance, then you must also copy the stcmscert.pem, stcmskey.pem, and stcmscert.cer files into the JavaCAPS-install-dir/appserver/domains/domain-name/addons/stcms/instance-name/config directory.
6. Open the stcms.default.Properties file in the JavaCAPS-install-dir/appserver/addons/stcms/templates directory.
7. Add the STCMS.SSL.UserId and STCMS.SSL.Password properties.

   STCMS.SSL.UserId=mycertuserid
   STCMS.SSL.Password=mycertpassword

8. (Windows only) Set the value of the STCMS.SSL.CertificateFileStore.Option property.

   • If you want the JMS IQ Manager to install the certificate automatically, then set the value to On.

   • If you want to install the certificate by using the certmgr tool or Internet Explorer, then set the value to Off.

9. If you already created an instance, then copy the stcms.default.Properties file into the JavaCAPS-install-dir/appserver/domains/domain-name/addons/stcms/instance-name/config directory.
10. If the domain is running, then restart the domain.