How To Secure a JMS connection in SAP PI with TLS 1.2 to IBM MQ
There are plenty of resources on this topic, but this post, based on my experience, is intended to help SAP customers that still use SAP PI as the main integration solution in their landscape to secure the integration scenarios between an SAP system such as CRM (Customer Relationship Management), ERP (Enterprise Resource Planning) or SOLMAN (Solution Manager), among others, and the IBM MQ system.
The goal of this post is to help you set up a TLS connection between an IBM MQ system version 7.5 or higher and an SAP PI system running on NetWeaver (NW) 7.4 or higher, using a JMS communication channel of type 1.x or 2.x.
The following prerequisites are assumed:
- The JMS drivers are already deployed on the NetWeaver system.
- The JVM is already updated to the latest available version.
- The NetWeaver components are already updated to the latest available version.
1. Oracle usually provides the Java Virtual Machine (JVM) used at operating system level where NetWeaver is installed, while the MQ system uses the IBM JVM. This mismatch can cause the error “2393 MQRC_SSL_INITIALIZATION_ERROR / MQRC_UNSUPPORTED_CIPHER” once the channel is started. To prevent it, cipher suite mapping must be disabled, following the steps described in SAP Note 2218025.
1.1. Log on to the NWA and go to Configuration -> Infrastructure -> Java System Properties.
1.2. Select the Z* node, navigate to the System VM Parameters tab and add the following parameter.
2. Restrict the security protocols that can be used to establish a handshake on the system. Follow the same steps as in point 1.1 and add the following parameter:
jdk.tls.client.protocols = TLSv1,TLSv1.1,TLSv1.2
Note that this value is only an illustrative example.
3. To prevent the error “error connecting due to missing class com.ibm.mq.jms.MQQueueConnectionFactory”, apply SAP Note 1751177; this preloads the relevant classes of the MQ driver.
3.1 Log in to the NWA and go to Java System Properties → Applications. Select the application com.sap.aii.adapter.jms.app and modify the property value.
Set the “preloadClasses” property to: com.ibm.mq.MQEnvironment,com.ibm.mq.internal.MQCommonServices,com.ibm.mq.jms.MQQueueConnectionFactory,com.ibm.mq.jms.MQTopicConnectionFactory.
5. Create or modify the communication channel using the Integration Builder or NWDS.
Make sure to create the communication channel in the Integration Directory as JMS 1.x under NW 7.4 or 2.x under NW 7.5.
Then, under Enable Security, tick useSSL, select OTHER in the SSL Cipher Suite dropdown, and enter the cipher suite to be used in the Other Cipher Suite text field.
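The following stand-alone JMS client is an added example, not code from the original post or from SAP or IBM. It performs the same TLS handshake the PI JMS channel performs, using the same MQ driver classes listed in the preloadClasses property (step 3), so that the queue manager's TLS setup can be verified outside SAP PI before the channel is activated. The JVM properties set at the top are the programmatic equivalent of the NWA System VM Parameters from steps 1 and 2; the IBM MQ client property com.ibm.mq.cfg.useIBMCipherMappings is the one IBM documents for using Oracle cipher suite names on a non-IBM JVM. Host name, port, queue manager, channel name, keystore paths and the cipher suite value are placeholders that must be adjusted to your landscape.

```java
// Added example (not from the original post): stand-alone check of the TLS
// handshake to IBM MQ with the MQ classes for JMS, outside SAP PI.
import javax.jms.JMSException;
import javax.jms.QueueConnection;
import com.ibm.mq.jms.MQQueueConnectionFactory;
import com.ibm.msg.client.wmq.WMQConstants;

public class MqTlsHandshakeCheck {

    public static void main(String[] args) throws JMSException {
        // Equivalent of the NWA "System VM Parameters" of steps 1 and 2.
        // On an Oracle/OpenJDK JVM the Oracle cipher suite names are used, so
        // IBM's cipher suite mapping is switched off (IBM MQ client property).
        System.setProperty("com.ibm.mq.cfg.useIBMCipherMappings", "false");
        // Allow only TLS 1.2 for this check (the post's example value also lists TLSv1 and TLSv1.1).
        System.setProperty("jdk.tls.client.protocols", "TLSv1.2");
        // Trust store holding the queue manager's certificate chain (placeholder path/password).
        System.setProperty("javax.net.ssl.trustStore", "/path/to/truststore.jks");
        System.setProperty("javax.net.ssl.trustStorePassword", "changeit");
        // Only needed if the SVRCONN channel requires a client certificate:
        // System.setProperty("javax.net.ssl.keyStore", "/path/to/keystore.jks");
        // System.setProperty("javax.net.ssl.keyStorePassword", "changeit");

        MQQueueConnectionFactory cf = new MQQueueConnectionFactory();
        cf.setTransportType(WMQConstants.WMQ_CM_CLIENT); // client (TCP/IP) connection, as PI uses
        cf.setHostName("mq.example.internal");           // placeholder
        cf.setPort(1414);                                // placeholder
        cf.setQueueManager("QM1");                       // placeholder
        cf.setChannel("SAP.PI.TLS.SVRCONN");             // placeholder
        // Same value that is typed into the channel's "Other cipher suite" field in step 5.
        // It must correspond to the CipherSpec configured on the MQ SVRCONN channel.
        cf.setSSLCipherSuite("TLS_RSA_WITH_AES_128_CBC_SHA256"); // placeholder cipher suite

        QueueConnection conn = null;
        try {
            conn = cf.createQueueConnection();
            conn.start();
            System.out.println("TLS handshake and MQ connection succeeded");
        } catch (JMSException e) {
            // The MQ reason code (e.g. 2393 MQRC_SSL_INITIALIZATION_ERROR) is carried
            // by the linked exception, which is what to look at when the handshake fails.
            System.err.println("Connection failed: " + e.getMessage());
            if (e.getLinkedException() != null) {
                System.err.println("Cause: " + e.getLinkedException().getMessage());
            }
            throw e;
        } finally {
            if (conn != null) {
                conn.close();
            }
        }
    }
}
```

Run it with the IBM MQ client JARs (the same ones deployed as the JMS driver on NetWeaver) on the classpath. If this client connects but the PI channel does not, the difference is in the NWA settings (cipher mapping, protocol list, preloaded classes or the channel's cipher suite field) rather than on the MQ side; if this client already fails with a 2393 reason code, the queue manager's channel CipherSpec, certificate chain or trust store needs to be checked first.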
In summary, securing our internal connections allows us to protect data, the most valuable asset inside our companies, and this post should help you enable secure connections from your NW PI/PO systems to external servers.
I hope this article was valuable. I appreciate your feedback, comments or suggestions; please feel free to reach out to me if you have any further questions.
- Error while connecting to WMQ server using SSL security
- MQRC_SSL_INITIALIZATION_ERROR on JMS channel MQ