Including SSL Configuration Information in the JNDI Provider Alias
When the JMS provider requires a one-way or two-way SSL connection with the JMS client, you must configure SSL certificate information on Integration Server. Many JMS providers have a set of properties that the JMS client uses to pass on the certificate details needed to establish an SSL connection with the JMS provider. Although these properties can be added to the jndi.properties file, you can include these details in the JNDI provider alias instead. This approach is applicable only when the JNDI provider and JMS provider use the same set of certificates, such as when using Universal Messaging as the JMS and JNDI providers.
Including the SSL configuration in the JNDI provider alias does the following:
* Secures the connection between Integration Server and the JNDI provider.
* Adds certificate information to the JNDI context. Integration Server passes the SSL certificate information into the JNDI context when the context is created.
When Universal Messaging is the JMS provider and the JNDI provider is on the same realm or cluster as Universal Messaging, the JMS connection factory can access the certificate information when creating the connection to the JMS provider. Other JMS providers may use the certificate information in the JNDI context in a similar fashion. Refer to the JMS provider documentation for more information.
SSL certificate information can be set using the javax.net.ssl properties for the Integration Server JVM and can be set securely using the JVM Keystore Alias and JVM Truststore Alias fields on the Security > Certificates page in Integration Server Administrator. However, providing truststore and keystore information in the JNDI provider alias is also a secure way of providing certificate information. Additionally, including certificate information in the alias allows the use of different certificates for establishing connections to JMS providers. Some organizations maintain multiple keystores and truststores for different applications or different departments.
Note:
Some JMS providers require that the SSL settings of the JVM for the JMS client must be used to establish the SSL connection. For these JMS providers, any information provided in the JNDI provider alias will be ignored. Refer to your JMS provider documentation for more information.
Adding SSL certificate information to the JNDI provider alias consists of the following basic steps:
1. Determine if the JMS provider supports including SSL certificate information in the JNDI provider properties or if the JMS provider requires that the truststore and keystore information be set using the javax.net.ssl properties in the JMS client JVM. If the JMS provider requires that the JVM properties be used, adding truststore and keystore information to the JNDI provider alias will have no effect.
2. Determine if one-way SSL or two-way SSL is required.
3. Make sure that a truststore alias exists for the truststore that contains the Certificate Authority (CA) certificates for the JNDI and JMS provider.
This step is required for one-way SSL and two-way SSL. For more information about truststores and truststore aliases, see Using Keystores and Truststores with Integration Server.
4. If two-way SSL is required, make sure that a keystore alias exists for the keystore that contains the client certificates to use to connect to the JNDI and JMS providers.
5. Exchange key and certificate information with the JNDI and JMS providers.
Integration Server must have copies of the JNDI and JMS providers' public key and signing CA certificates. This is required for one-way or two-way SSL. For two-way SSL, you must give the JNDI and JMS providers the public key and CA certificate that will be used to establish a secure connection with the JNDI provider and JMS provider.
6. Identify the JMS provider-specific properties that must be populated in the JNDI context. For example, the properties for Universal Messaging are:
nirvana.ssl.keystore.path
nirvana.ssl.keystore.pass
nirvana.ssl.keystore.cert
nirvana.ssl.truststore.path
nirvana.ssl.truststore.pass
nirvana.ssl.protocol
7. In the JNDI provider alias, select Use SSL.
8. Use the following table to provide truststore and key alias information along with the JNDI property names obtained from the JMS provider.
Under Settings: In Truststore Alias, select the truststore alias you created in step 3. This is required for one-way or two-way SSL.
Under JNDI Property Names: Provide values for the following properties:
* Truststore Property Name
* Truststore Password Property Name
Under Settings: In Keystore Alias, select the keystore alias you created in step 4. This is required for two-way SSL.
Under JNDI Property Names: Provide values for the following properties:
* Keystore Property Name
* Keystore Password Property Name
Optionally, provide a value for Keystore Format Property Name.
Under Settings: In Key Alias, select the key alias you created in step 4.
Under JNDI Property Names: Optionally, provide a value for Private Key Property Name. This property is optional when using Universal Messaging as the JMS provider.
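The following pre-flight check is an added example, not part of the original guide and not Integration Server code. It builds the Universal Messaging SSL entries that steps 6 to 8 place in the JNDI context and confirms that the store files behind the aliases contain CA certificates and, for two-way SSL, the private key entry. The mapping of alias fields to the nirvana.ssl.* names, the class name, and the UM_TRUST_PASS and UM_KEY_PASS environment variables are assumptions made for illustration.

```java
import java.io.File;
import java.security.KeyStore;
import java.util.Collections;
import java.util.Hashtable;
public class UmJndiSslPreflight {
    // Builds the SSL entries for the JNDI context. keyPath == null means one-way SSL.
    // Assumption: alias fields map onto the Universal Messaging names listed in step 6.
    static Hashtable<String, String> sslEnv(String trustPath, String trustPass,
            String keyPath, String keyPass, String keyAlias) {
        if (trustPath == null || trustPass == null)
            throw new IllegalArgumentException("truststore is required for one-way and two-way SSL");
        Hashtable<String, String> env = new Hashtable<>();
        env.put("nirvana.ssl.truststore.path", trustPath);
        env.put("nirvana.ssl.truststore.pass", trustPass);
        if (keyPath != null) {                       // two-way SSL adds the client keystore
            if (keyPass == null)
                throw new IllegalArgumentException("two-way SSL needs the keystore password");
            env.put("nirvana.ssl.keystore.path", keyPath);
            env.put("nirvana.ssl.keystore.pass", keyPass);
            if (keyAlias != null) env.put("nirvana.ssl.keystore.cert", keyAlias);
        }
        return env;
    }
    // Opens the store files and checks that they hold what steps 3 and 4 expect.
    static void verifyStores(Hashtable<String, String> env) throws Exception {
        KeyStore ts = KeyStore.getInstance(new File(env.get("nirvana.ssl.truststore.path")),
                env.get("nirvana.ssl.truststore.pass").toCharArray());
        boolean hasCa = false;
        for (String a : Collections.list(ts.aliases())) hasCa |= ts.isCertificateEntry(a);
        if (!hasCa) throw new IllegalStateException("truststore has no CA certificate entries");
        String keyPath = env.get("nirvana.ssl.keystore.path");
        if (keyPath == null) return;                 // one-way SSL: nothing more to check
        KeyStore ks = KeyStore.getInstance(new File(keyPath),
                env.get("nirvana.ssl.keystore.pass").toCharArray());
        String alias = env.get("nirvana.ssl.keystore.cert");
        if (alias != null && !ks.isKeyEntry(alias))
            throw new IllegalStateException("'" + alias + "' is not a private key entry");
    }
    // Usage: java UmJndiSslPreflight.java <truststore> [<keystore> [<keyAlias>]]
    public static void main(String[] args) throws Exception {
        if (args.length < 1) { System.err.println("truststore path required"); return; }
        Hashtable<String, String> env = sslEnv(args[0], System.getenv("UM_TRUST_PASS"),
                args.length > 1 ? args[1] : null, System.getenv("UM_KEY_PASS"),
                args.length > 2 ? args[2] : null);
        verifyStores(env);
        env.replaceAll((k, v) -> k.endsWith(".pass") ? "****" : v); // never print passwords
        System.out.println(env);
    }
}
```

Run it on Java 9 or later against the same files the truststore and keystore aliases point to; passwords are read from the environment so they do not appear in the process arguments.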