SSL support for TCPIPClient nodes in 7.0.0.2
gfrench
Posted: Thu Mar 31, 2011 7:26 am    Post subject: SSL support for TCPIPClient nodes in 7.0.0.2

Acolyte

Joined: 10 Feb 2002
Posts: 71

Hi,

I've got broker 7.0.0.2 running on Windows XP,

I'm hoping to use the TCPIPClient nodes configured with SSL. I have configured a keystore and a truststore and changed the broker properties to use them.

BrokerRegistry
uuid='BrokerRegistry'
brokerKeystoreType='JKS'
brokerKeystoreFile='C:\Program Files\IBM\MQSI\7.0\BK7keystore.jks'
brokerKeystorePass='brokerKeystore::password'
brokerTruststoreType='JKS'
brokerTruststoreFile='C:\Program Fils\IBM\MQSI\7.0\BK7truststore.jks'
brokerTruststorePass='brokerTruststore::password'
httpConnectorPortRange=''
httpsConnectorPortRange=''
modeExtensions=''
operationMode='enterprise'
shortDesc=''
longDesc=''

I've created a TCPIPClient configurable service:-

MySecureConfigurableService
AlternativeAddresses=''
ExpireConnectionSec='-1'
Hostname='mySerber.abc.com'
MaxReceiveRecordBytes='100000000'
MaximumConnections='100'
MinimumConnections='0'
Port='789'
SO_KEEPALIVE='false'
SO_LINGER='false'
SO_LINGER_TIMEOUT_SEC='-1'
SO_RCVBUF='0'
SO_SNDBUF='0'
SSLCiphers=''
SSLProtocol='SSLv3'
TCP_NODELAY='false'
TrafficClass='-1'
UseUniqueConnectionPool='false'

And all was looking good. Send a message into the flow and get an exception

java.security.cert.CertificateException: No X509TrustManager implementation available

Anyone any thoughts on this ? There is not much from googling around.

Appreciate any pointers. Thanks
lancelotlinc
Posted: Thu Mar 31, 2011 7:33 am

Jedi Knight

Joined: 22 Mar 2010
Posts: 4941
Location: Bloomington, IL USA

You may have a trust store certificate type mis-match. Please post the content of 'C:\Program Fils\IBM\MQSI\7.0\BK7truststore.jks'
_________________
http://leanpub.com/IIB_Tips_and_Tricks
Save $20: Coupon Code: MQSERIES_READER
gfrench
Posted: Thu Mar 31, 2011 8:34 am

Certificates in database C:\Program Files\IBM\MQSI\7.0\BK7truststore.jks:
verisign class 1 public primary certification authority
verisign class 1 public primary certification authority - g2
verisign class 1 public primary certification authority - g3
verisign class 2 public primary certification authority
verisign class 2 public primary certification authority - g2
verisign class 2 public primary certification authority - g3
verisign class 3 public primary certification authority
verisign class 3 public primary certification authority - g2
verisign class 3 public primary certification authority - g3
verisign class 4 public primary certification authority - g2
verisign class 4 public primary certification authority - g3


and none in the keystore, since we should just need to authenticate the server we are talking to and not authenticate ourselves.

The server provider states :-

"The secure server provides server authentication and data encryption but does not require SSL client authentication. In order to verify the identity of the secure server you will need the 'Verisign Class 3 Public Primary Certification Authority' root certificate available free from www.verisign.com (the certificate is also distributed with most web browsers)."

Which is why I loaded the certificates into the truststore. I presume it would work in either? I'm a little out of my depth as you may be able to tell!

Cheers
lancelotlinc
Posted: Thu Mar 31, 2011 8:37 am

Did you notice the path name is mis-spelled?

Quote:
'C:\Program Fils\IBM\MQSI\7.0\BK7truststore.jks'


Should be

Quote:
'C:\Program Files\IBM\MQSI\7.0\BK7truststore.jks'


maybe?
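
A pre-flight check for the misconfiguration identified in the reply above, as an added example that is not part of the original thread and not IBM's code: it parses a name='value' property listing like the BrokerRegistry output in the first post and reports a keystore or truststore path that does not exist, or whose first bytes do not match the declared store type. The function names and the stub truststore are constructed for illustration.

```python
import os
import re
import struct
import tempfile

# First four bytes of Java keystore files, big-endian.
STORE_MAGIC = {"JKS": 0xFEEDFEED, "JCEKS": 0xCECECECE}
PROP = re.compile(r"^\s*(\w+)='(.*)'\s*$")

def parse_properties(report):
    """Parse name='value' lines such as the BrokerRegistry listing."""
    return dict(m.groups() for m in map(PROP.match, report.splitlines()) if m)

def check_store(props, prefix):
    """Return the problems found for one store (hypothetical helper)."""
    path = props.get(prefix + "File", "")
    kind = props.get(prefix + "Type", "").upper()
    if not path:
        return [f"{prefix}File is not set"]
    if not os.path.isfile(path):
        return [f"{prefix}File does not exist: {path}"]
    with open(path, "rb") as fh:
        head = fh.read(4)
    want = STORE_MAGIC.get(kind)
    if want is not None and head != struct.pack(">I", want):
        return [f"{prefix}File is not a {kind} store: {path}"]
    return []

def preflight(report, prefixes=("brokerKeystore", "brokerTruststore")):
    """Check every configured store path before the flow is tested."""
    props = parse_properties(report)
    return [p for prefix in prefixes for p in check_store(props, prefix)]

def demo():
    """Constructed sample: a stub truststore and a report with a path typo."""
    root = tempfile.mkdtemp()
    good = os.path.join(root, "Program Files", "BK7truststore.jks")
    typo = os.path.join(root, "Program Fils", "BK7truststore.jks")
    os.makedirs(os.path.dirname(good))
    with open(good, "wb") as fh:
        fh.write(struct.pack(">II", 0xFEEDFEED, 2))  # JKS magic and version only
    report = "brokerTruststoreType='JKS'\nbrokerTruststoreFile='{}'\n"
    only = ("brokerTruststore",)
    return preflight(report.format(typo), only), preflight(report.format(good), only)

if __name__ == "__main__":
    for result in demo():
        print(result or "store paths OK")
```
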
gfrench
Posted: Thu Mar 31, 2011 8:54 am

Well spotted... Thanks, far tooooo late in the day for me. It's a long week already!
lancelotlinc
Posted: Thu Mar 31, 2011 8:56 am

Did that fix the problem?

Here's a nice read if you want to sleep early tonight, starting page 116:

http://www-03.ibm.com/support/techdocs/atsmastr.nsf/5cb5ed706d254a8186256c71006d2e0a/46fce4fb269f4c2b862574a500616368/$FILE/MPS_ERv2_WP101300_15dec08.pdf

Configuring a message broker to access a secure WSRR server

Provides step-by-step on setting up SSL.