Configure secure connection of HTTPS and consume HTTPS Services/API in broker and EG level on IBM ACE 12

Adil Abdullah
6 min readAug 10, 2022

What to cover:

1. Create JKS file using Keyman tool.

2. Generate self signed certificate on JKS file using same tool.

3. Configure JKS file path on broker or EG level conf.yaml file.

4. Stop and then start broker/EG for changing come into effect.

5. Test the developed service and API on browser.

Step 1:

Open IBM Keyman tool by typing on Start menu “IBM Keyman”. It comes along with installation of IBM IIB or ACE by default you no need to download o install seperatly. But version must be above 10

Step 2:

IBM Key management look like below as in screenshot. Now click on Key Database File on top menu and then click on New.

Step 3:

Now on Key database type select JKS on File Name write name of the file you want with .jks extension and last on Location select using Browse button where you want to store jks file and then click Ok to save the file.

Step 4:

Now set password for the file by default it is changeit you can set any password you want and then click Ok.

Step 5:

Now go to folder location where you store your JKS and check weather jks file is created or not on that location. In my case jks file name is Sample.JKS which is created on location whose I’ve given while creating.

Step 6:

Now again open Key management tool and open that JKS file which we’ve created and select Personal Certificate from Key Database content dropdown and then click on New Self-Signed.

Step 7:

After click on New Self Signed on last step now input all the information required as you see in screenshot. Now need to fill whole form input only those information which is written on text not on screenshot and then click Ok.

Key Label: Name of certificate what ever you want to give

Key Size: It should be select as 2048

Common Name: Name of your system or server

Organization: Name of your organization

Organizational Unit: Department of your organization

Locality: City name where you live

State/Province: Name of stat where your city exist

Zipcode: zip code your area

Country: Select country from dropdown where you live.

Step 8:

After filling all the information in last step your self signed certificate will be created in this step as seen on below screenshot. In my case it is named as test-cert under Personal Certificate section.

Step 9:

Now come toward broker/EG level part. Go to broker or EG directory in your system and locate node.conf.yaml for broker or server.conf.yaml for execution group. In Windows OS broker or execution group directory exist in following location if not set during creation otherwise if you set another during creation time then go on that location.


Path: C:\ProgramData\IBM\MQSI\components\<broker-name>

File: node.conf.yaml

Execution Group (EG):

Path: C:\ProgramData\IBM\MQSI\components\<broker-name>\servers\execution-group name>

File: server.conf.yaml

Step 10:

Copy and paste below yaml content on conf.yaml file between security tag and below MQTT tag. In below content the file path mention is my given path in your case it should be your given path and password also would be which you have set.


brokerKeystoreType: ‘JKS’ # Key store type

brokerKeystoreFile: ‘D:\Config\TestNode.jks’ # Location of the broker key store

brokerKeystorePass: ‘changeit’

#’brokerKeystore::password’ # Resource alias containing the key store password

brokerTruststoreType: ‘JKS’ # Trust store type

brokerTruststoreFile: ‘D:\Config\TestNode.jks’ # Location of the broker trust store

brokerTruststorePass: ‘changeit’ # Resource alias containing the trust store password

#brokerCRLFileList: ‘’

#brokerEnableCRLDP: ‘’

allowSSLv3: ‘true’

#allowSNI: ‘’

#reenableTransportAlgorithms: ‘’

#reenableCertificateAlgorithms: ‘’

#mqCCDT: ‘’

#httpConnectorPortRange: ‘’

#httpsConnectorPortRange: ‘’

#brokerKerberosConfigFile: ‘’

#brokerKerberosKeytabFile: ‘’

#mqKeyRepository: ‘’

As you see in below screenshot just copy and paste and then saved the file. Be careful when you put the section on conf file there must not be any extra spaces, tab or spelling otherwise it won’t work or changes will not be effected.

Step 11:

In this step just take any sample rest API which is HTTPS configured means TLS/SSL secure connection. Execute URL on browser and check their TLS/SSL version through browser.

Step 12:

Click on lock icon which is shown on left side or URL. Click on it and check certificate details.

Step 13:

Select Details tab and click Ok.

Step 14:

Click Copy to File and click on Ok.

Step 15:

Just click on Next.

Step 16:

Check on first option of DER encoded and then click Next.

Step 17:

Browse the location where you want to save the file and click on Next.

Step 18:

Certificate file will be extract at the location which I’ve given. You can check on the location which you’ve given weather its created or not.

Step 19:

Now again come toward Keyman tool and select Signer Certificate from Key database content dropdown menu and then click on Add button.

Step 20:

Browse the location where you’ve saved the certificate extract from rest API through browser and click Ok.

Step 21:

Now input certificate label name what ever you want to give for that certificate for identification and click Ok.

Step 22:

This is last step as extracted certificate are now added on our JKS file as shown in below screenshot with the label name which we’ve given in last step.



Adil Abdullah

Currently working as Full stack Java developer at Contour Software at their Easit AB division part of Jonas group. Working on Java and IBM stack.