0 Replies Latest reply on Oct 9, 2018 11:20 AM by nikhilenmudi

    JBoss EAP 5.1 configure TLS for communication with WebSphere MQ 7.5

    nikhilenmudi

      Hi,

      We are using the WebSphere MQ resource adapter (.rar) archive installed on a JBoss 5.1 application server to communicate with MQ.

      In the application code we have a JMS producer and consumer which are able to send/receive messages to MQ.

      The next step I want to do is enable SSL on the MQ channel and configure JBoss so the messages can be sent with TLS enabled.

      We also have firewalls and load balancers sitting in between our app server and WebSphere MQ.

      I looked at some articles but apparently there are several ways to use TLS for JMS communication.

      I need some guidance on the following questions -

      What configuration is needed in JBoss to start using TLS to send and receive messages? Where should this configuration be placed?

      Do the certificates installed on WebSphere MQ have to be installed on the JBoss application server?

      How does it work in a clustered environment? Do the certificates have to be copied to all JBoss instances?

      Do the certificates have to be installed on the load balancers?

      Typically, are the ports different in an enterprise for TLS and non-TLS JMS communication? I understand that the TLS-enabled ports have to be opened in the firewalls as well.

      Below is the connection factory we use for the communication.

      <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
      <connection-factories>
          <tx-connection-factory>
              <!-- Bind this ConnectionFactory with the JNDI name jmsGwCf -->
              <jndi-name>jmsGwCf</jndi-name>

              <!-- Indicate that the connection factory supports only local transactions -->
              <local-transaction/>
              <!-- Indicate that the connection factory supports XA transactions -->
              <!-- <xa-transaction/> -->

              <!-- rar-name is the actual RAR file name, in this case wmq.jmsra.rar -->
              <rar-name>wmq.jmsra.rar</rar-name>

              <!-- connection-definition is the ConnectionFactory interface
                   defined in the ra.xml -->
              <connection-definition>javax.jms.ConnectionFactory</connection-definition>

              <!-- Tell JBoss not to prefix the jndi name of the CF with the java: context and thus allow it to be looked up externally -->
              <use-java-context>false</use-java-context>

              <!--
                  Configuration for the ConnectionFactory. This defines the channel, hostname, port,
                  queueManager, and transportType properties for a client (TCP/IP) connection to WMQ
              -->
              <config-property name="channel" type="java.lang.String">SYSTEM.DEF.SVRCONN</config-property>
              <config-property name="hostName" type="java.lang.String">localhost</config-property>
              <config-property name="port" type="java.lang.String">1414</config-property>
              <config-property name="queueManager" type="java.lang.String">QM</config-property>
              <config-property name="transportType" type="java.lang.String">CLIENT</config-property>

              <!-- define security domain -->
              <security-domain-and-application>JmsXARealm</security-domain-and-application>
          </tx-connection-factory>

          <!-- admin object definitions -->
          <mbean code="org.jboss.resource.deployment.AdminObject" name="jca.wmq:name=TestQueueRequest">
              <attribute name="JNDIName">
                  jms/queue/TestQueueRequest
              </attribute>
              <depends optional-attribute-name="RARName">jboss.jca:service=RARDeployment,name='wmq.jmsra.rar'</depends>
              <attribute name="Type">javax.jms.Queue</attribute>
              <attribute name="Properties">baseQueueName=TestQueueRequest</attribute>
          </mbean>

          <mbean code="org.jboss.resource.deployment.AdminObject" name="jca.wmq:name=TestQueueResponse">
              <attribute name="JNDIName">
                  jms/queue/TestQueueResponse
              </attribute>
              <depends optional-attribute-name="RARName">jboss.jca:service=RARDeployment,name='wmq.jmsra.rar'</depends>
              <attribute name="Type">javax.jms.Queue</attribute>
              <attribute name="Properties">baseQueueName=TestQueueResponse</attribute>
          </mbean>
      </connection-factories>
