-
Oct 22nd, 2010, 08:52 AM
#1
Securing JMS message-driven-channel-adapter
I am using a message-driven-channel-adapter to read messages off an MQ queue, and this has been working fine in development. Now, in preparation for the first production release, I have to read a secured queue instead.
What do I need to do?
I think I need to make sure the following are set as system properties, but with what values?
javax.net.ssl.trustStore
javax.net.ssl.trustStorePassword
javax.net.ssl.keyStore
javax.net.ssl.keyStorePassword
I get the connectionFactory from JNDI and it has the SSLCipherSuite set.
I have been given a clear text password and a JKS file that contains both the keystore and the truststore.
What do I need to do next?
-
Oct 22nd, 2010, 10:31 AM
#2
I spent a few hours just yesterday sorting this out.
This is what you need to do:
1) Use keytool to generate a truststore. Follow those steps and also remember the truststore password, because you will need this.
2) Grab the binary DER-format certificate from your bus administrator.
3) Use keytool to import that certificate into your truststore.
4) You can ignore the keystore if you don't want mutual authentication.
5) To begin with, set these system properties. If everything works, you can set them in your application startup script, like catalina.bat.
javax.net.ssl.trustStoreType=BKS
javax.net.debug=ssl
javax.net.ssl.trustStore=c:\keystore (this, you need it from step 1)
javax.net.ssl.trustStorePassword=<<password>> (again from step 1)
6) The remaining stuff is configuring your connection factory with username/password
Hope this is clear.
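
A pre-flight check for the store settings discussed in this thread, as an added example that is not from either poster: it opens the store, counts key entries and trusted-certificate entries, and sets the matching javax.net.ssl.* properties from an environment variable so the password does not appear on the command line. The class name, the JMS_STORE_PASSWORD variable and the JKS default type are assumptions.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.util.Collections;

// Added example, not code from the thread. JmsTlsPreflight and the
// JMS_STORE_PASSWORD environment variable are hypothetical names.
public class JmsTlsPreflight {

    /** Loads the store and returns {keyEntries, trustedCertEntries}. */
    static int[] inspect(String path, String type, char[] password) throws Exception {
        KeyStore store = KeyStore.getInstance(type);
        try (InputStream in = new FileInputStream(path)) {
            store.load(in, password); // IOException here: wrong password, wrong type or damaged file
        }
        int keys = 0, trusted = 0;
        for (String alias : Collections.list(store.aliases())) {
            if (store.isKeyEntry(alias)) keys++;                  // client identity (mutual auth)
            else if (store.isCertificateEntry(alias)) trusted++;  // imported CA or broker certificate
        }
        return new int[] {keys, trusted};
    }

    public static void main(String[] args) throws Exception {
        String password = System.getenv("JMS_STORE_PASSWORD");
        if (args.length < 1 || password == null) {
            System.err.println("usage: JMS_STORE_PASSWORD=... java JmsTlsPreflight <store-file> [store-type]");
            System.exit(2);
        }
        String path = args[0];
        String type = args.length > 1 ? args[1] : "JKS"; // assumed default store type
        int[] counts = inspect(path, type, password.toCharArray());
        System.out.printf("%s: %d key entries, %d trusted certificate entries%n", path, counts[0], counts[1]);
        if (counts[1] == 0) {
            System.err.println("no trusted certificate entries: import the broker/CA certificate first");
            System.exit(1);
        }
        // Must run before the first TLS connection (before the JNDI lookup / JMS connect).
        System.setProperty("javax.net.ssl.trustStore", path);
        System.setProperty("javax.net.ssl.trustStoreType", type);
        System.setProperty("javax.net.ssl.trustStorePassword", password);
        if (counts[0] > 0) { // only needed when the queue manager requires a client certificate
            System.setProperty("javax.net.ssl.keyStore", path);
            System.setProperty("javax.net.ssl.keyStoreType", type);
            System.setProperty("javax.net.ssl.keyStorePassword", password);
        }
    }
}
```

In an application the same `inspect` call and `System.setProperty` lines would run at startup, before the connection factory is used; `javax.net.debug=ssl` is best left on only while troubleshooting the handshake.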