Cipher Suite for Websphere MQ - 7.3

Talend ESB Service Developer Guide

Version: 7.3
Language: English
Product: Talend Data Fabric, Talend Data Services Platform, Talend ESB, Talend MDM Platform, Talend Open Studio for ESB, Talend Real-Time Big Data Platform
Module: Talend ESB, Talend Runtime
Content: Design and Development, Installation and Upgrade
Last publication date: 2023-04-17

When a Websphere MQ client wants to connect through an SSL-secured channel, it needs to set up its JSSE security (keystore and truststore parameters), and it needs to define a cipher suite for the connection which matches the Websphere MQ server-side cipher spec.

The easiest way of setting up the cipher suite is by extending the value of jndiConnectionFactoryName in the SOAPJMS URI. For an SSL-secured channel, it becomes:

Websphere MQ secured connection parameters

connectQueueManager(<queue_manager>)binding(client)clientChannel(<channel_name>)clientConnection(<mq_host_name>:<mq_port>)sslCipherSuite(<cipher_suite>)

Where:

  • For sslCipherSuite, (<cipher_suite>) is the cipher suite value, for example: SSL_RSA_WITH_DES_CBC_SHA.

The following further SSL settings can also be added as connection parameters:

  • For sslPeerName, (<peer_name>) is the expected distinguished name of the subject in the certificate presented by the MQ server. If this parameter is set, a secured connection will only be opened if the subject value in the SSL certificate presented by the Websphere MQ server equals the value of peer_name.

  • For sslKeyStore, (<local_key_store_path>) is the file path to the Java key store for client-side SSL keys. This value is usually not set in the connection parameters, but in the System property javax.net.ssl.keyStore.

  • For sslKeyStorePassword, (<password>) is the access password for the SSL key store. This value is usually not set in the connection parameters, but in the System property javax.net.ssl.keyStorePassword.

  • For sslTrustStore, (<local_trust_store_path>) is the file path to the Java key store holding the server certificates. This value is usually not set in the connection parameters, but in the System property javax.net.ssl.trustStore.

  • For sslTrustStorePassword, (<password>) is the access password for the SSL trust store. This value is usually not set in the connection parameters, but in the System property javax.net.ssl.trustStorePassword.

  • For sslKeyResetCount, (<byte_count>) is the number of bytes which can be sent before an SSL key re-negotiation must occur. The default value is 0, which means "unlimited".

  • For sslFipsRequired, (yes) or (no) restricts which cipher suites may be used. When set to no, the default, any cipher suite that is not supported by FIPS can be used. When set to yes, only a cipher suite supported by FIPS can be used.

  • For sslLDAPCRLServers, (<server_list>) is a list of LDAP servers to be checked when searching for certificate revocation lists. If not set, certificates are not checked for revocation.

Below is an example of an SSL-secured connection to a Websphere MQ queue called "test.queue", with the broker running on examplehost, port 1414. The channel EXAMPLE.SECURED.SVRCONN, queue manager QMGR, and cipher suite SSL_RSA_WITH_DES_CBC_SHA are used to connect to the queue.

Websphere MQ secured connection URI

jms:queue:test.queue?jndiInitialContextFactory=org.talend.esb.jms.wmq.Nojndi&jndiConnectionFactoryName=connectQueueManager(QMGR)binding(client)clientChannel(EXAMPLE.SECURED.SVRCONN)clientConnection(examplehost:1414)sslCipherSuite(SSL_RSA_WITH_DES_CBC_SHA)&jndiURL=wmq://queue
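As an added example (not part of the Talend documentation), the Python below parses the jndiConnectionFactoryName parameter format shown above and audits the SSL settings from the list: it requires the client-binding parameters, flags cipher suites whose bulk cipher is DES, RC4, export-grade or absent, and reports when sslPeerName or sslLDAPCRLServers are not set. The sample URI is constructed from the page's example, and the weak-suite markers are this example's own heuristic, not a Talend or IBM rule.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample: the page's example URI, with the channel name spelled as in the prose.
SAMPLE_URI = ("jms:queue:test.queue?jndiInitialContextFactory=org.talend.esb.jms.wmq.Nojndi"
              "&jndiConnectionFactoryName=connectQueueManager(QMGR)binding(client)"
              "clientChannel(EXAMPLE.SECURED.SVRCONN)clientConnection(examplehost:1414)"
              "sslCipherSuite(SSL_RSA_WITH_DES_CBC_SHA)&jndiURL=wmq://queue")

PARAM_RE = re.compile(r"([A-Za-z]+)\(([^()]*)\)")
REQUIRED = ("connectQueueManager", "binding", "clientChannel", "clientConnection")
# Heuristic (assumption): substrings marking suites whose bulk cipher is DES/RC4, export-grade, or absent.
WEAK_MARKERS = ("_DES_", "_RC4_", "_NULL_", "_EXPORT_")

def parse_factory_name(value):
    """Parse 'key(value)key(value)...' into a dict, rejecting any stray text."""
    params, pos = {}, 0
    for m in PARAM_RE.finditer(value):
        if m.start() != pos:
            raise ValueError(f"unexpected text at offset {pos}: {value[pos:m.start()]!r}")
        params[m.group(1)] = m.group(2)
        pos = m.end()
    if pos != len(value):
        raise ValueError(f"trailing text: {value[pos:]!r}")
    return params

def check_secured_params(params):
    """Return findings about the SSL settings; an empty list means none."""
    findings = [f"missing {k}" for k in REQUIRED if k not in params]
    if params.get("binding", "client") != "client":
        findings.append("binding must be client for a client channel")
    if not re.fullmatch(r"[^:]+:\d{1,5}", params.get("clientConnection", "")):
        findings.append("clientConnection is not host:port")
    suite = params.get("sslCipherSuite")
    if suite is None:
        findings.append("no sslCipherSuite: the channel is not SSL-secured")
    elif any(marker in suite for marker in WEAK_MARKERS):
        findings.append(f"weak cipher suite {suite}")
    if "sslPeerName" not in params:
        findings.append("no sslPeerName: server certificate subject is not checked")
    if "sslLDAPCRLServers" not in params:
        findings.append("no sslLDAPCRLServers: no revocation checking")
    return findings

def audit_soapjms_uri(uri):
    """Extract jndiConnectionFactoryName from a SOAPJMS URI and audit it."""
    query = parse_qs(urlsplit(uri).query)
    params = parse_factory_name(query["jndiConnectionFactoryName"][0])
    return params, check_secured_params(params)
```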

When setting the cipher suite in the SOAPJMS URI is not possible or not desired, it can also be set up locally. The local setup of the cipherSuite connection parameter for Websphere MQ is then the responsibility of the custom code of the client or service. To specify a cipher suite for the connection, the cipher suite name should be set in the sslCipherSuite field of the MQEnvironment class. This should be done before setting up the connection to the message broker. For example, to use the SSL_RSA_WITH_DES_CBC_SHA cipher suite, the following Java code should be executed before connecting to the message broker:

MQEnvironment.sslCipherSuite = "SSL_RSA_WITH_DES_CBC_SHA";

When using CXF with Spring configuration, this could be done, for example, in the afterPropertiesSet() method of the implementor class.

For example, suppose you use a class named LibraryServerImpl, which implements the functionality of some service. In the Spring configuration file, this may look like:

Setting CipherSuite for WS MQ Spring configuration

<bean id="libraryServerImpl" class="org.talend.services.demos.server.LibraryServerImpl"/>

<jaxws:endpoint xmlns:library="http://services.talend.org/demos/Library/1.0"
        id="LibraryProviderJMS"
        address="jms:queue:testQueue?jndiInitialContextFactory=com.ibm.mq.jms.context.WMQInitialContextFactory&amp;jndiConnectionFactoryName=QCF1&amp;jndiURL=example.com:1414/VERYSECURE.CHANNEL.SVRCONN"
        serviceName="library:LibraryProvider" endpointName="library:LibraryJmsPort"
        implementor="#libraryServerImpl">
</jaxws:endpoint>

And the LibraryServerImpl class looks like the following:

Set cipher suite in afterPropertiesSet() method of the implementing class

import com.ibm.mq.MQEnvironment;
import org.springframework.beans.factory.InitializingBean;

public class LibraryServerImpl implements Library, InitializingBean {

    // ... service implementing code here ...

    @Override
    public void afterPropertiesSet() throws Exception {
        // Set up the cipher suite before any connection to the broker is opened
        MQEnvironment.sslCipherSuite = "SSL_RSA_WITH_DES_CBC_SHA";
    }
}

Of course, setting up the cipher suite can be done in other ways as well, but it must always be done before setting up the connection to the Websphere MQ broker.