Connect - MQ support with Certificates and Cipher suites
My application is using Pega 7.1.6 version and we have a requirement to connect to MQ passing the certificates (SSL/TLS) and use the cipher suites while sending the message to MQ. I see we have an option in the Pega 7.2.2 MQ Server rule form to mention the cipher suites and key/trust store.
How do we achieve this in versions earlier than Pega 7.2.2? When I looked into some forums, it says we need to configure it at the app server level. Below is the PDN link for your reference. Our app server is IBM WebSphere.
1) I understood sslFipsRequired is a flag which will enable the MQ Queue Manager to use an SSL connection with a cipher suite, but how can I mention the truststore or keystore name? Pega 7.2.2 has the option to mention the keystore and truststore references.
2) Regarding the cipher suite, do I need to install any jar files for the Pega 7.1.6 application on the Pega side?
3) Do we also need to mention the CipherSpec in the code as well?
I am not an IBM WebSphere expert, so I am trying to understand more details.
We recently had the same requirement with Pega 7.1.8. To summarize, what Sudhakar mentioned is the correct approach; however, if you want to make sure that Pega's MQ features work in all cases, you will have to modify all MQ-related activities with the same change (specifically `MQEnvironment.sslCipherSuite = "<Cipher Suite>";`), that is, the activities which are used to browse messages, put, test, etc. Here's a full list:
Additionally, if you want to NOT hardcode the cipher, you can customize the MQServer ruleform and add your own properties. Note that if you choose to do it this way, you will enable support of multiple ciphers for different MQ servers. It may or may not be relevant in your case.
Finally, if you need to actually READ from an MQ queue, then you need to request HFIX-38202 (for 7.1.8) or have it backported. This one specifically addresses a Java MQListener class to support sslciphersuite (configured via DSS). Otherwise you will need to test the MQ connection via the MQ Server / Listener instance before starting listeners (still a mystery why this actually works).
Depending on which IBM MQ Server version you are using, you may need to add 2 JVM params for Pega: