Configuring Oracle Java CAPS for SSL Support     Java CAPS Documentation
Configuring an Oracle Java CAPS JMS IQ Manager to Use SSL

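Oracle Java CAPS JMS IQ Manager provides a self-signed server certificate. You can set the authentication mode to Authenticate, in which clients authenticate the server certificate that the message server sends, or TrustAll, in which clients always trust the message server that they connect to.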

The default mode is TrustAll. You can replace the Oracle Java CAPS JMS IQ Manager’s self-signed server certificate with your own server certificate.

Configuring the Message Server URL

You can configure SSL for the Oracle Java CAPS JMS IQ Manager by editing an Environment property.

To Configure the Message Server URL

  1. In the Services window of the NetBeans IDE, expand the CAPS Environment in which the JMS IQ Manager is located.
  2. Right-click the JMS IQ Manager and choose Properties.

    The Properties dialog box appears.


  3. Ensure that the Oracle Java CAPS JMS IQ Manager URL property begins with stcmss and includes the SSL port number of the JMS IQ Manager. For example:
    stcmss://localhost:18008
  4. If you want clients to authenticate the server certificate that the message server sends, then append the string com.stc.jms.ssl.authenticationmode=Authenticate to the Oracle Java CAPS JMS IQ Manager URL property. For example:
    stcmss://localhost:18008?com.stc.jms.ssl.authenticationmode=Authenticate
  5. If you want clients to always trust the message server that they connect to, then append the string com.stc.jms.ssl.authenticationmode=TrustAll to the Oracle Java CAPS JMS IQ Manager URL property. For example:
    stcmss://localhost:18008?com.stc.jms.ssl.authenticationmode=TrustAll
  6. Click OK.
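
The following check is an added example, not part of the Oracle documentation. It classifies message server URLs by the authentication mode described in steps 3 to 5, treating a URL without the parameter as TrustAll because that is the stated default. The output labels, the function names, and the use of `&` to separate additional URL parameters are assumptions of this example.

```shell
#!/bin/sh
# Added example: classify JMS IQ Manager URLs by how clients treat the
# server certificate. Output labels are this example's own names.
PARAM='com.stc.jms.ssl.authenticationmode'

classify_jms_url() {
    url=$1
    case $url in
        stcmss://*) ;;                      # SSL scheme required by step 3
        *) echo "not-ssl"; return 0 ;;
    esac
    case $url in
        *\?*) query=${url#*\?} ;;           # text after the first '?'
        *)    query= ;;
    esac
    mode=__absent__
    case "&$query" in
        *"&$PARAM="*)
            mode=${query##*"$PARAM"=}       # value after the last occurrence
            mode=${mode%%&*}                # assumption: '&' separates parameters
            ;;
    esac
    case $mode in
        Authenticate) echo "authenticate" ;;
        TrustAll)     echo "trustall-explicit" ;;
        __absent__)   echo "trustall-default" ;;  # page: default mode is TrustAll
        *)            echo "unknown-mode" ;;      # typo or unsupported value
    esac
}

# Read URLs from stdin, print a verdict per URL, and return non-zero
# if any URL does not make clients authenticate the server certificate.
audit_jms_urls() {
    weak=0
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        verdict=$(classify_jms_url "$line")
        printf '%-18s %s\n' "$verdict" "$line"
        [ "$verdict" = "authenticate" ] || weak=$((weak + 1))
    done
    [ "$weak" -eq 0 ]
}

# Constructed sample input, using the example URLs from the steps above.
audit_jms_urls <<'EOF' || echo "review the URLs not marked authenticate"
stcmss://localhost:18008
stcmss://localhost:18008?com.stc.jms.ssl.authenticationmode=Authenticate
stcmss://localhost:18008?com.stc.jms.ssl.authenticationmode=TrustAll
EOF
```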

External JMS Clients

By default, JMS clients that are deployed inside the GlassFish Application Server use the default keystore and trust store. External JMS clients must set the following properties in the connection factory:

Changing the Self-Signed Server Certificate

You can replace the Oracle Java CAPS JMS IQ Manager’s self-signed server certificate with your own server certificate.

This procedure makes the following assumptions:

To Change the Self-Signed Server Certificate

  1. Import your server certificate into the default trust store of the GlassFish Application Server. The trust store is located in the JavaCAPS-install-dir/appserver/domains/domain-name/config directory.
    keytool -import -alias stcmscert -file mycacert.pem -keystore cacerts.jks

    For the -alias option, you can use any value.

  2. Convert your server certificate and private key from PEM format to PKCS #12 format. You can use the pkcs12 command of the openssl command-line tool to export a file that contains both the server certificate and the private key.
    openssl pkcs12 -export -in mycacert.pem -inkey mycakey.pem -out mycert.p12 -name "stcmscert"
  3. Make the following changes to the files:
    1. Change the name of the server certificate file from mycacert.pem to stcmscert.pem.
    2. Change the name of the private key file from mycakey.pem to stcmskey.pem.
    3. (UNIX only) Copy the stcmscert.pem file to a new file called stcmscert.cer.
    4. (Windows only) Change the name of the PKCS #12 file from mycert.p12 to stcmscert.cer.
  4. Copy the stcmscert.pem, stcmskey.pem, and stcmscert.cer files into the JavaCAPS-install-dir/appserver/addons/stcms/templates directory.
  5. If you already created an instance, then you must also copy the stcmscert.pem, stcmskey.pem, and stcmscert.cer files into the JavaCAPS-install-dir/appserver/domains/domain-name/addons/stcms/instance-name/config directory.
  6. Open the stcms.default.Properties file in the JavaCAPS-install-dir/appserver/addons/stcms/templates directory.
  7. Add the STCMS.SSL.UserId and STCMS.SSL.Password properties.
    STCMS.SSL.UserId=mycertuserid
    STCMS.SSL.Password=mycertpassword
  8. (Windows only) Set the value of the STCMS.SSL.CertificateFileStore.Option property.
    • If you want the JMS IQ Manager to install the certificate automatically, then set the value to On.

    • If you want to install the certificate by using the certmgr tool or Internet Explorer, then set the value to Off.

  9. If you already created an instance, then copy the stcms.default.Properties file into the JavaCAPS-install-dir/appserver/domains/domain-name/addons/stcms/instance-name/config directory.
  10. If the domain is running, then restart the domain.
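
A pre-flight check to run before step 1, given here as an added example that is not part of the Oracle procedure: it confirms that the private key belongs to the server certificate and that the certificate is not about to expire. The function name, the result labels, the 30-day threshold, and the assumption that the private key file has no passphrase are choices of this example.

```shell
#!/bin/sh
# Added example: verify a certificate/key pair before installing it.
# Usage: check_cert_key CERT.pem KEY.pem
# Prints "ok" and returns 0, or prints a reason and returns 1.
check_cert_key() {
    cert=$1
    key=$2

    # Public key embedded in the certificate.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) ||
        { echo "unreadable-cert"; return 1; }

    # Public key derived from the private key. "-passin pass:" stops openssl
    # from prompting; an encrypted key is reported as unreadable
    # (assumption: the key file has no passphrase).
    key_pub=$(openssl pkey -in "$key" -pubout -passin pass: 2>/dev/null) ||
        { echo "unreadable-key"; return 1; }

    # A mismatched pair would be packaged by the PKCS #12 export or copied
    # into the templates directory only to fail when the server loads it.
    [ "$cert_pub" = "$key_pub" ] || { echo "key-mismatch"; return 1; }

    # -checkend N exits non-zero if the certificate expires within N seconds.
    openssl x509 -in "$cert" -noout -checkend 2592000 >/dev/null 2>&1 ||
        { echo "expires-within-30-days"; return 1; }

    echo "ok"
}

# When run as a script with two arguments, check that pair, for example:
#   sh check_cert_key.sh mycacert.pem mycakey.pem
if [ $# -eq 2 ]; then
    check_cert_key "$1" "$2"
fi
```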