7.2 Configuring JMS over SSL in Connect (WebSphere)

IMPORTANT: The WebSphere user should be part of the Connect group and have access to write to the $KCHOME directory

Required Jars for JMS Configuration

In order to configure JMS using TIBCO, you will require the following jars:

  • com.ibm.jaxws.thinclient_7.0.0.jar

  • com.ibm.mq.commonservices.jar

  • com.ibm.mq.headers.jar

  • com.ibm.mq.jar

  • com.ibm.mq.jmqi.jar

  • com.ibm.mq.jmqi.remote.jar

  • com.ibm.mq.jmqi.system.jar

  • com.ibm.mqjms.jar

  • com.ibm.msg.client.commonservices.j2se.jar

  • com.ibm.msg.client.commonservices.jar

  • com.ibm.msg.client.jms.internal.jar

  • com.ibm.msg.client.jms.jar

  • com.ibm.msg.client.provider.jar

  • com.ibm.msg.client.wmq.common.jar

  • com.ibm.msg.client.wmq.factories.jar

  • com.ibm.msg.client.wmq.jar

  • com.ibm.ws.admin.client_7.0.0.jar

  • com.ibm.ws.orb_7.0.0.jar

  • com.ibm.ws.runtime.jar

  • com.ibm.ws.wlm.jar

  • dhbcore.jar

  • ibmkeycert.jar

  • ibmpkcs.jar


These jars should be provided to you by your MQ team.

Configuring JMS in WebSphere


Perform the following steps in WebSphere:

  1. Log in to the WebSphere administrative console

  2. Navigate to Security - Global Security

  3. Expand the RMI/IIOP Security section

    1. Click CSIv2 inbound communications

      1. Select SSL-Required on CSIv2 Transport Layer - Transport

      2. Click OK

      3. Save the configuration

    2. Click CSIv2 outbound communications

      1. Select SSL-Required on CSIv2 Transport Layer - Transport

      2. Click OK

      3. Save the configuration

  4. Restart the WebSphere Application Server

Setting Up the JMS Environment

Perform the following steps to configure the environment:

  1. Copy the following files from WAS install folder:

    • ssl.client.props (from WebSphere\AppServer\profiles\AppSrv01\properties\)

    • sas.client.props (from WebSphere\AppServer\profiles\AppSrv01\properties\)

  2. Create a jks keystore key.jks

  3. Create a jks truststore trust.jks

  4. Extract the certificate from key.p12 (from WebSphere\AppServer\profiles\AppSrv01\etc\) and import it into key.jks

    Note: The keystore password is located in ssl.client.props -> com.ibm.ssl.keyStorePassword. The password is encoded if it starts with {xor}.

    For example: com.ibm.ssl.keyStorePassword={xor}CDo9Hgw= or com.ibm.ssl.keyStorePassword=WebAS

  5. Extract the certificate from trust.p12 (from WebSphere\AppServer\profiles\AppSrv01\etc\) and import it into trust.jks

    Note: The truststore password is located in ssl.client.props -> com.ibm.ssl.trustStorePassword. The password is encoded if it starts with {xor}.

    For example: com.ibm.ssl.trustStorePassword={xor}CDo9Hgw= or com.ibm.ssl.trustStorePassword=WebAS

Configuring the Inside Nodes in Connect

To configure the inside nodes in Connect:

  1. Copy the files to the inside node(s)

  2. Edit ssl.client.props and ensure the properties match the following settings:

    • com.ibm.ssl.defaultAlias=DefaultSSLSettings


    • com.ibm.ssl.alias=DefaultSSLSettings

    • com.ibm.ssl.protocol=SSL

    • com.ibm.ssl.securityLevel=HIGH

    • com.ibm.ssl.trustManager=SunX509

    • com.ibm.ssl.keyManager=SunX509

    • com.ibm.ssl.contextProvider=SunJSSE

    • com.ibm.ssl.enableSignerExchangePrompt=gui


    • com.ibm.ssl.keyStoreName=ClientDefaultKeyStore

    • com.ibm.ssl.keyStore=c:/ssl/key.jks (Note: Change this to the path of the key.jks file copied to the node)

    • com.ibm.ssl.keyStorePassword=WebAS (Note: Change this to the password of the keystore on WAS)

    • com.ibm.ssl.keyStoreType=JKS

    • com.ibm.ssl.keyStoreProvider=SUN

    • com.ibm.ssl.keyStoreFileBased=true


    • com.ibm.ssl.trustStoreName=ClientDefaultTrustStore

    • com.ibm.ssl.trustStore=c:/ssl/trust.jks (Note: Change this to the path of the trust.jks file copied to the node)

    • com.ibm.ssl.trustStorePassword=WebAS (Note: Change this to the password of the truststore on WAS)

    • com.ibm.ssl.trustStoreType=JKS

    • com.ibm.ssl.trustStoreProvider=SUN

    • com.ibm.ssl.trustStoreFileBased=true

    • com.ibm.ssl.trustStoreReadOnly=false

  3. Edit sas.client.props and ensure the properties match the following settings:

    • com.ibm.CORBA.securityEnabled=true

    • com.ibm.CORBA.loginSource=none

    • com.ibm.CSI.performTransportAssocSSLTLSRequired=true

    • com.ibm.ssl.alias=DefaultSSLSettings

  4. Copy orb.properties from the IBM JRE to kc/java/lib/ on the Connect node

    Note: If you are using a JRE for Connect in another location, copy the orb.properties file into that location: ../jre/lib

  5. Edit runvm.sh and runmonitor.sh:

    1. Add on the same line, after -Dcom.kana.connect.NodeName=%CONNECT_NODENAME%:

      -Dcom.ibm.SSL.ConfigURL="file:c:/ssl.client.props" -Dcom.ibm.CORBA.ConfigURL="file:c:/sas.client.props"

  6. Restart the CRMMonitor/connect service

  7. Start Connection Factory in the Connect Admin console
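
One way to check the edited ssl.client.props and sas.client.props from steps 2 and 3 before restarting the service. This is an added example, not part of the Connect or WebSphere documentation; it checks a subset of the required values, and the function names and sample file contents are constructed for illustration.

```python
# Added example, not product code. Values copied from steps 2 and 3 (a subset).
REQUIRED = {
    "ssl.client.props": {
        "com.ibm.ssl.alias": "DefaultSSLSettings",
        "com.ibm.ssl.securityLevel": "HIGH",
        "com.ibm.ssl.keyStoreType": "JKS",
        "com.ibm.ssl.trustStoreFileBased": "true",
    },
    "sas.client.props": {
        "com.ibm.CORBA.securityEnabled": "true",
        "com.ibm.CORBA.loginSource": "none",
        "com.ibm.CSI.performTransportAssocSSLTLSRequired": "true",
        "com.ibm.ssl.alias": "DefaultSSLSettings",
    },
}
# The two sample password values printed on this page.
PAGE_SAMPLE_PASSWORDS = {"WebAS", "{xor}CDo9Hgw="}

def parse_props(text):
    """Parse simple key=value lines; skip comments, trim space around '='."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and line[0] not in "#!" and "=" in line:
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props

def audit(filename, text):
    """Return (key, issue) pairs for the contents of one property file."""
    props = parse_props(text)
    findings = []
    for key, want in REQUIRED[filename].items():
        if props.get(key) != want:
            findings.append((key, f"expected {want!r}, found {props.get(key)!r}"))
    for key, value in props.items():
        if key.endswith("Password"):
            if value in PAGE_SAMPLE_PASSWORDS:
                findings.append((key, "still set to this page's sample value"))
            elif not value.startswith("{xor}"):
                findings.append((key, "stored as plain text"))
    return findings

# Constructed sample input, not taken from a real node.
SAMPLE_SSL = """com.ibm.ssl.alias=DefaultSSLSettings
com.ibm.ssl.securityLevel=MEDIUM
com.ibm.ssl.keyStoreType= JKS
com.ibm.ssl.keyStorePassword={xor}CDo9Hgw=
com.ibm.ssl.trustStorePassword=example-only"""
print(*audit("ssl.client.props", SAMPLE_SSL), sep="\n")
```

Values that start with {xor} are not reported as plain text, but the encoding is reversible, so both property files still need restricted read access on the node.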

Troubleshooting JMS Configuration

If you run into problems configuring JMS:

  1. You may choose to add trace options to the Java processes
    Edit runvm.sh and runmonitor.sh and add on the same line, after -Dcom.kana.connect.NodeName=%CONNECT_NODENAME%:

    • -Dcom.ibm.CORBA.Debug=true

    • -Dcom.ibm.CORBA.CommTrace=true

    • -Dcom.ibm.CORBA.Debug.Output=client.log

  2. Restart the CRMMonitor/connect service

  3. Check logs for errors or information:

    • client.log

    • EventLoader log

    • orbtrace files, FFDC folder and files, mqlog files