Enabling SSL for JMS communication between WM Broker/JMS & Siebel CRM Application

Hi all,

In order to give the right context, I would like to summarize the problem in the following parts: Background, Requirement, Approach Taken, Questions/Queries.

Background:
We have interfaces between Siebel & external systems where we are leveraging webMethods. Since asynchronous communication is required, we are exposing the webMethods Broker as JMS provider to Siebel so that Siebel can directly post messages to the WM JMS Queue. At this point, all interfaces are from Siebel to WM.

We are using WM 8.1 version.

Requirement:

Currently the communication is not secured & we have been asked to make it secure by enabling SSL.

Approach Taken:

1. We got a certificate from a Certificate Authority for our server where Broker is installed.
2. Using the certificate & trusted root certificates, we created a JKS Keystore & JKS Truststore file.
3. Converted the JKS Keystore to PKCS format using the following command:
keytool -importkeystore -srckeystore KS.jks -destkeystore KS.pkcs -srcstoretype JKS -deststoretype PKCS12

4. Converted the JKS Truststore to PEM format.
5. Logged in to MWS, navigated to the Settings page, added the Keystore & Truststore.
6. Assigned the identity in MWS.
7. Navigated to Broker Server, configured the Broker Server to use the same Keystore & Truststore.
8. Got a message displayed that Broker is SSL enabled.
9. Created a client group called Siebel & enabled the DN usernames & authenticator names.
10. Provided the client group access to JMS Naming documents & our custom documents.
11. Enabled SSL encryption for Connection Factory & Subscriber.

Questions/Queries:
1. Are steps 1 to 11 enough to enable SSL for Broker for our requirement?
2. Documentation says, once SSL is configured, base port - 2 (i.e. 6849 - 2 = 6847) is automatically assigned as the SSL port. Is this true? Do we need to do any extra step to enable this? What is the provider URL format in this scenario?

3. Currently I am able to provide access to only one Distinguished Name for which we have the certificate & it's the certificate of the server where we have webMethods installed. How do we provide access to Siebel?
Is there a way we can consume the public key of the Siebel server, add the Siebel DN to the Broker ACL & provide the required access to documents?

4. Lastly, if anybody has implemented SSL for JMS communication between Siebel & WM, can you let us know if this is even possible. Does Siebel have restrictions?

Thanks a lot for reading it through… Appreciate it if you can provide answers to our queries…

Cheers,
WM Rocks…

We had a similar requirement to enable SSL based communication between Siebel (8.x) and WM (8.1.2) Broker (JMS Provider). We raised a ticket with Oracle and had no luck. Did anyone succeed in configuring SSL between Siebel and WM (8.1.2)?

Appreciate your time in advance.

We’ve enabled SSL for our Siebel 8 to webMethods 8 JMS integration. So yes it is doable.

Your steps 1-10 are correct. But for step 11, Siebel can only specify username and password in its connection settings; it doesn’t know about the keystore/truststore. So you have to add both the PKCS12 keystore and the JKS truststore into the ConnectionFactory, which can be accomplished via the command line:


bind qcf SiebelQueueConnectionFactory with brokerHost=$server brokerName=$broker group=$clientGroup useXA=false clientId=Siebel sslKeystore=$keystore sslKeystoreType=PKCS12 sslTruststore=$truststore sslTrustStoreType=JKS sslEncrypted=false

Hope this helps! Good luck


We are using a similar approach for our JMS Communication, but the Partner systems are not using Siebel.

Please check if the client group has been configured to use ACLs too.

Additionally the client groups “admin” and “IntegrationServer” should be also configured using ACLs.

On top of that there will be the possibility to enable transport encryption if needed.

Who is the JMS-Provider (the Broker or Siebel)?
Which JNDI-Provider are you using?
See “Naming Directories” in the Messaging Section in MWS.

We currently prefer WmJMSNaming for JNDI (only allowed when the Broker is the JMS-Provider) when we are to be the JNDI-Provider/JMS-Provider. But unfortunately the JBoss (using the Resource-Adapter from the JMS-API of webMethods) has problems accessing the ssl-secured/encrypted JNDI-Provider in wM 7.1.2. Hopefully this will work in wM 9.5.

Hi cheswe,

We had the same Requirement,

We have interfaces between .NET (C#)/Java & webMethods. They are publishing/subscribing messages from the webMethods Broker JMS queue.

We are using WM 9.6 version.

Requirement:

Currently SSL is not enabled. We have to enable the secure connection ASAP.

Our Broker is SSL Enabled.
Created a client group called ABC-JMS & enabled the DN usernames (we have included webMethods broker DN names and .net team DN names to client group)

Now .net application team is trying to connect to broker by the below method.

ConnectionFactory.CreateConnection(). Without SSL enabled they are able to connect.

But with certificate they are getting the below error,

Message = [BDN.11.1036] Broker error : 13
Source=webMethods.Msg
StackTrace:
at webMethods.Msg.Protocol.BrokerProtocol.connect(string clientID,Exception Listener exception listener )
at webMethods.Msg.Impl.connectionFactory.createconnection(string clientcertDistingiushedName,string AccessLabelHint)
at webMethods.Msg.Impl.connectionFactory.createconnection(string servercertDistinguisehd Name ,string clientcertDistingiushedName,string AccessLabelHint)

Please let me know how you have resolved the issues?

If Siebel is the publisher, you should import the public certificate of the WM side into the JVM which Siebel is using, so that Siebel can send messages to the Broker over SSL.