Configure a secure HTTPS connection and consume HTTPS services/APIs at broker and EG level on IBM ACE 12
What to cover:
1. Create a JKS file using the Keyman tool.
2. Generate a self-signed certificate in the JKS file using the same tool.
3. Configure the JKS file path in the broker or EG level conf.yaml file.
4. Stop and then start the broker/EG for the changes to take effect.
5. Test the developed service and API in the browser.
Open the IBM Keyman tool by typing “IBM Keyman” in the Start menu. It is installed by default along with IBM IIB or ACE, so you do not need to download or install it separately. The version must be above 10.
IBM Key Management looks like the screenshot below. Click Key Database File on the top menu and then click New.
For Key database type, select JKS. In File Name, enter the name you want for the file, with the .jks extension. Finally, for Location, use the Browse button to select where you want to store the JKS file, and then click OK to save the file.
Now set a password for the file. By default it is changeit; you can set any password you want. Then click OK.
Now go to the folder where you stored your JKS file and check whether the file was created there. In my case the JKS file is named Sample.JKS and was created in the location I gave while creating it.
Now open the Key Management tool again and open the JKS file we created. Select Personal Certificate from the Key Database content dropdown and then click New Self-Signed.
After clicking New Self-Signed in the last step, enter the required information as you see in the screenshot. Enter only the information listed in the text below, not everything shown in the screenshot, and then click OK.
Key Label: Whatever name you want to give the certificate
Key Size: Select 2048
Common Name: Name of your system or server
Organization: Name of your organization
Organizational Unit: Department of your organization
Locality: City name where you live
State/Province: Name of the state where your city is located
Zipcode: Zip code of your area
Country: Select country from dropdown where you live.
After you fill in all the information in the last step, your self-signed certificate is created, as seen in the screenshot below. In my case it is named test-cert under the Personal Certificate section.
Now for the broker/EG level part. Go to the broker or EG directory on your system and locate node.conf.yaml for the broker or server.conf.yaml for the execution group. On Windows, the broker or execution group directory is in the following location unless you set a different one during creation; if you did, go to that location instead.
Execution Group (EG):
Path: C:\ProgramData\IBM\MQSI\components\<broker-name>\servers\<execution-group name>
Copy and paste the YAML content below into the conf.yaml file, between the security tag and below the MQTT tag. The file path in the content below is the path I used; in your case it should be your own path, and the password should be the one you set.
brokerKeystoreType: 'JKS' # Key store type
brokerKeystoreFile: 'D:\Config\TestNode.jks' # Location of the broker key store
#'brokerKeystore::password' # Resource alias containing the key store password
brokerTruststoreType: 'JKS' # Trust store type
brokerTruststoreFile: 'D:\Config\TestNode.jks' # Location of the broker trust store
brokerTruststorePass: 'changeit' # Resource alias containing the trust store password
As you see in the screenshot below, just copy and paste the content and then save the file. Be careful when you put the section in the conf file: there must not be any extra spaces, tabs or spelling mistakes, otherwise it won’t work or the changes will not take effect.
In this step, take any sample REST API that is configured for HTTPS, meaning a TLS/SSL secure connection. Open the URL in the browser and check its TLS/SSL version through the browser.
Click the lock icon shown on the left side of the URL and check the certificate details.
Select the Details tab and click OK.
Click Copy to File and click OK.
Just click Next.
Select the first option, DER encoded, and then click Next.
Browse to the location where you want to save the file and click Next.
The certificate file will be extracted to the location I gave. You can check the location you gave to see whether it was created.
Now go back to the Keyman tool, select Signer Certificate from the Key database content dropdown menu and then click the Add button.
Browse to the location where you saved the certificate extracted from the REST API through the browser and click OK.
Now enter whatever label name you want to give the certificate for identification and click OK.
This is the last step: the extracted certificate is now added to our JKS file, as shown in the screenshot below, with the label name we gave in the last step.
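A small checker for the pasted block, added here as an example (it is not part of the original page or of IBM's tooling). It flags tabs, curly quotes picked up when copying from a web page, misspelled keys, a missing space after the colon, and the default changeit password. The function name and sample input are constructed for illustration, and keys are compared only against the ones shown above.

```python
import difflib
import re

# Keys as they appear in the conf.yaml fragment on this page.
KNOWN_KEYS = ["brokerKeystoreType", "brokerKeystoreFile", "brokerTruststoreType",
              "brokerTruststoreFile", "brokerTruststorePass"]
SMART_QUOTES = "\u2018\u2019\u201c\u201d"  # curly quotes copied from a web page

def lint_keystore_block(text):
    """Return (line_number, message) findings for a pasted keystore block."""
    findings, base_indent = [], None
    for n, raw in enumerate(text.splitlines(), 1):
        if "\t" in raw:
            findings.append((n, "tab character; indent with spaces"))
        if any(q in raw for q in SMART_QUOTES):
            findings.append((n, "curly quote; retype as a plain ' quote"))
        line = raw.expandtabs(2)
        if not line.strip() or line.lstrip().startswith("#"):
            continue  # blank or fully commented-out line
        m = re.match(r"^( *)(\w+) *:( ?)(.*)$", line)
        if not m:
            findings.append((n, "not a 'key: value' line"))
            continue
        indent, key, space, rest = m.groups()
        base_indent = len(indent) if base_indent is None else base_indent
        if len(indent) != base_indent:
            findings.append((n, "indentation differs from the first key"))
        if not space and rest:
            findings.append((n, "missing space after ':'"))
        if key not in KNOWN_KEYS:
            near = difflib.get_close_matches(key, KNOWN_KEYS, n=1)
            hint = f"; did you mean {near[0]}?" if near else ""
            findings.append((n, f"unknown key {key}{hint}"))
        value = rest.split(" #", 1)[0].strip().strip("'\"" + SMART_QUOTES)
        if key.endswith("Pass") and value == "changeit":
            findings.append((n, "store still uses the default password changeit"))
    return findings

# Constructed sample: one clean line followed by four typical paste mistakes.
SAMPLE = (
    "  brokerKeystoreType: 'JKS'\n"
    "  brokerKeystoreFile: \u2018D:\\Config\\TestNode.jks\u2019\n"
    "\tbrokerTruststoreType: 'JKS'\n"
    "  brokerTrustoreFile: 'D:\\Config\\TestNode.jks'\n"
    "  brokerTruststorePass: 'changeit'\n"
)

if __name__ == "__main__":
    print("\n".join(f"line {n}: {msg}" for n, msg in lint_keystore_block(SAMPLE)))
```

Run it against the lines you pasted into conf.yaml before restarting the broker or EG; an empty result means none of these mistakes were found.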