mca
Posted: Tue Jan 15, 2013 3:10 pm    Post subject: Implementing Broker SSL
Disciple | Joined: 09 Mar 2005 | Posts: 196
We wanted to secure our Broker. I created a keystore on my Linux machine and created a self-signed certificate, then configured my broker to use that certificate. I followed this document and did everything successfully:
http://www.ibm.com/developerworks/websphere/library/techarticles/1205_bhat/1205_bhat.html
While testing, the Broker is accepting non-secure connections from the client and also accepting secure ones (after they import our certificate). I am not sure if SSL is really working, and our security purpose is not solved.
Can someone please guide me on how to restrict the Broker to refuse non-SSL requests from anywhere?
marko.pitkanen
Posted: Tue Jan 15, 2013 10:58 pm    Post subject:
Chevalier | Joined: 23 Jul 2008 | Posts: 440 | Location: Jamsa, Finland
Hi mca,
Can you describe in more detail what your purpose is?
--
Marko
fjb_saper
Posted: Tue Jan 15, 2013 11:44 pm    Post subject:
Grand High Poobah | Joined: 18 Nov 2003 | Posts: 20756 | Location: LI,NY
MQ security needs to happen before the message ever hits the input queue.
For HTTP and SOAP nodes you need to specify on the node (either by changing the source or using the bar override before deployment) that you require an SSL connection (one-way SSL).
To implement two-way SSL you need to specify a security policy and have the other party's SSL cert in the certstore.
Have fun
_________________
MQ & Broker admin
mca
Posted: Wed Jan 16, 2013 4:39 am    Post subject:
Disciple | Joined: 09 Mar 2005 | Posts: 196
Thanks fjb_saper.
To answer Marko, we are doing a POC for an upcoming project. Datapower is the gateway and MB does the back-end processing. Everything is a web service request; no MQ queues are used here.
I created a keystore, generated a self-signed certificate and associated the Broker with it as per the instructions in the article above. I deployed a sample message flow on an MB EG with a SOAP Input node and loaded that WSDL in Datapower. Using Curl/SoapUI, when we send a test message from DP to the Broker, the Broker is doing the processing before DP imported our certificate.
The way I thought it would work is that the Broker should reject incoming messages until Datapower imports our certificate, so the broker only accepts SSL client requests.
fjb_saper
Posted: Wed Jan 16, 2013 5:49 am    Post subject:
Grand High Poobah | Joined: 18 Nov 2003 | Posts: 20756 | Location: LI,NY
mca wrote:
    Thanks fjb_saper.
    To answer Marko, we are doing a POC for an upcoming project. Datapower is the gateway and MB does the back-end processing. Everything is a web service request; no MQ queues are used here.
    I created a keystore, generated a self-signed certificate and associated the Broker with it as per the instructions in the article above. I deployed a sample message flow on an MB EG with a SOAP Input node and loaded that WSDL in Datapower. Using Curl/SoapUI, when we send a test message from DP to the Broker, the Broker is doing the processing before DP imported our certificate.
    The way I thought it would work is that the Broker should reject incoming messages until Datapower imports our certificate, so the broker only accepts SSL client requests.
Did you set the SOAP input node to only accept SSL?
Did you remove the old flow from all EGs and replace it with the new one only accepting SSL?
Did you set up a network sniffer to verify DP did not use SSL?
_________________
MQ & Broker admin
mca
Posted: Wed Jan 16, 2013 6:29 am    Post subject:
Disciple | Joined: 09 Mar 2005 | Posts: 196
We have now changed the SOAP Input node of the message flow to "Use HTTPS" (if this is the correct option), cleared the execution group and redeployed the message flow. To unit test this using SoapUI, we took the Broker server certificate and placed it under
C:\Program Files\SmartBear\soapUI-4.5.1\jre\lib\security
We tried sending a sample message and it errored out with the following exception:
Wed Jan 16 09:21:02 EST 2013:ERROR:javax.net.ssl.SSLHandshakeException: Remote host closed connection during handshake
javax.net.ssl.SSLHandshakeException: Remote host closed connection during handshake
    at sun.security.ssl.SSLSocketImpl.readRecord(Unknown Source)
    at sun.security.ssl.SSLSocketImpl.performInitialHandshake(Unknown Source)
    at sun.security.ssl.SSLSocketImpl.writeRecord(Unknown Source)
    at sun.security.ssl.AppOutputStream.write(Unknown Source)
    at org.apache.http.impl.io.AbstractSessionOutputBuffer.flushBuffer(AbstractSessionOutputBuffer.java:131)
Any suggestions on why the Broker closed on this handshake?
lancelotlinc
Posted: Wed Jan 16, 2013 6:30 am    Post subject:
Jedi Knight | Joined: 22 Mar 2010 | Posts: 4941 | Location: Bloomington, IL USA
mca wrote:
    We have now changed the SOAP Input node of the message flow to "Use HTTPS" (if this is the correct option), cleared the execution group and redeployed the message flow. To unit test this using SoapUI, we took the Broker server certificate and placed it under
    C:\Program Files\SmartBear\soapUI-4.5.1\jre\lib\security
    We tried sending a sample message and it errored out with the following exception:
    Wed Jan 16 09:21:02 EST 2013:ERROR:javax.net.ssl.SSLHandshakeException: Remote host closed connection during handshake
    javax.net.ssl.SSLHandshakeException: Remote host closed connection during handshake
        at sun.security.ssl.SSLSocketImpl.readRecord(Unknown Source)
        at sun.security.ssl.SSLSocketImpl.performInitialHandshake(Unknown Source)
        at sun.security.ssl.SSLSocketImpl.writeRecord(Unknown Source)
        at sun.security.ssl.AppOutputStream.write(Unknown Source)
        at org.apache.http.impl.io.AbstractSessionOutputBuffer.flushBuffer(AbstractSessionOutputBuffer.java:131)
    Any suggestions on why the Broker closed on this handshake?
You may not have placed the WMB's certificate in the right location for WMB. Search the InfoCentre using Google. You may not have specified the correct password for the keystore.
Also, SoapUI does not require SSL certs to post an HTTPS payload. Be sure you specify HTTPS in the URL.
Also, check to be sure the EG was cycled, and that the HTTPS port was opened rather than the HTTP port. The port numbers are not the same.
_________________
http://leanpub.com/IIB_Tips_and_Tricks
Save $20: Coupon Code: MQSERIES_READER
Last edited by lancelotlinc on Wed Jan 16, 2013 6:40 am; edited 2 times in total
mca
Posted: Wed Jan 16, 2013 6:35 am    Post subject:
Disciple | Joined: 09 Mar 2005 | Posts: 196
In the Broker logs, it shows the exception below:
Jan 16 09:20:15 <HostName> WebSphere Broker v8000[9193]: (<BrokerName>.<EGName>)[4]BIP3135S: An exception occurred while starting the servlet engine connector. Exception text is java.io.IOException: Keystore was tampered with, or password was incorrect : <BrokerName>.a8846840-3c01-0000-0080-e6045172450c: /build/S000_P/src/DataFlowEngine/NativeTrace/ImbNativeTrace.cpp: 717: TomcatInstanceManager::startTomcatIfNecessary: :
Will the Broker server need to provide the password to its clients?
Vitor
Posted: Wed Jan 16, 2013 6:45 am    Post subject:
Grand High Poobah | Joined: 11 Nov 2005 | Posts: 26093 | Location: Texas, USA
mca wrote:
    Will the Broker server need to provide the password to its clients?
It's a bit of an anti-pattern if SSL requires a password to be sent to all the clients using it so the supplied certificate can be used.
That error sounds rather like the broker's keystore / truststore is in the wrong format, and/or the password supplied to the broker so it can open its keystore/truststore and verify the certificate it's just been passed is the wrong password.
_________________
Honesty is the best policy.
Insanity is the best defence.
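The "Keystore was tampered with, or password was incorrect" text in the BIP3135S message above is the JDK's JKS integrity check failing, which is what Vitor is pointing at: a JKS file ends in a SHA-1 digest keyed by the store password, so a wrong keystorePass is indistinguishable from a corrupted file. As an added example that is not code from this thread or from WebSphere Message Broker, the Python below re-implements that check and the alias listing, so a password can be verified against the .jks file before it is handed to mqsichangeproperties or mqsisetdbparms; the sample store and its stand-in certificate bytes are constructed, and the parser assumes the JKS version 2 layout that keytool writes.

```python
import hashlib
import struct

JKS_MAGIC = 0xFEEDFEED
JKS_SALT = b"Mighty Aphrodite"  # fixed string the JDK's JavaKeyStore mixes into the digest

def jks_digest(body: bytes, password: str) -> bytes:
    """SHA-1 over password (UTF-16BE) || salt || every byte that precedes the digest."""
    return hashlib.sha1(password.encode("utf-16-be") + JKS_SALT + body).digest()

def jks_password_ok(data: bytes, password: str) -> bool:
    """True if the password reproduces the trailing 20-byte digest; False is exactly
    the 'Keystore was tampered with, or password was incorrect' case."""
    if len(data) < 32 or struct.unpack(">I", data[:4])[0] != JKS_MAGIC:
        raise ValueError("not a JKS keystore")
    return jks_digest(data[:-20], password) == data[-20:]

def jks_aliases(data: bytes) -> list:
    """Entry aliases as `keytool -list` shows them (JKS version 2 layout); no password
    is needed because it only keys the digest and encrypts private-key bytes."""
    pos, aliases = 12, []  # skip magic, version, entry count

    def take(fmt: str) -> bytes:  # length-prefixed field: ">H" for strings, ">I" for blobs
        nonlocal pos
        width = struct.calcsize(fmt)
        n = struct.unpack(fmt, data[pos:pos + width])[0]
        pos += width + n
        return data[pos - n:pos]
    for _ in range(struct.unpack(">I", data[8:12])[0]):
        tag = struct.unpack(">I", data[pos:pos + 4])[0]; pos += 4
        aliases.append(take(">H").decode())
        pos += 8  # creation timestamp, ms since epoch
        if tag == 1:  # private key entry: encrypted key, then a chain of (type, DER) certs
            take(">I")
            chain = struct.unpack(">I", data[pos:pos + 4])[0]; pos += 4
            for _ in range(chain):
                take(">H"); take(">I")
        elif tag == 2:  # trusted certificate entry: type string, then DER bytes
            take(">H"); take(">I")
        else:
            raise ValueError("unknown JKS entry tag %d" % tag)
    return aliases

def build_sample_jks(password: str, alias: str, der: bytes) -> bytes:
    """Constructed fixture: one trusted-certificate entry; `der` is any stand-in bytes."""
    body = struct.pack(">III", JKS_MAGIC, 2, 1)                 # magic, version 2, 1 entry
    body += struct.pack(">IH", 2, len(alias)) + alias.encode()   # tag 2, alias
    body += struct.pack(">QH", 0, 5) + b"X.509"                  # timestamp, cert type
    body += struct.pack(">I", len(der)) + der
    return body + jks_digest(body, password)
```

Run `jks_password_ok(open("BROKER1.jks", "rb").read(), password)` against the real store: a False result means the value configured for keystorePass will reproduce the BIP3135S failure, independent of anything on the client side.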
mca
Posted: Wed Jan 16, 2013 1:02 pm    Post subject:
Disciple | Joined: 09 Mar 2005 | Posts: 196
To make a fresh start, I deleted my earlier keystore and Broker and started from scratch using this online document:
http://www.ibm.com/developerworks/websphere/library/techarticles/1205_bhat/1205_bhat.html
Here are the steps done:
# Create Broker
mqsicreatebroker BROKER1 -q QM1
#Start Broker
mqsistart BROKER1
# Generate a Keystore
cd /opt/ibm/mqsi/8.0.0.0/jre16/lib/security/
keytool -genkey -alias BROKER1 -keystore BROKER1.jks -keysize 2048
# Enable SSL on Broker
mqsichangeproperties BROKER1 -b httplistener -o HTTPListener -n enableSSLConnector -v true
# Modify Broker Properties to point to keystore file:
mqsichangeproperties BROKER1 -b httplistener -o HTTPSConnector -n keystoreFile -v /opt/ibm/mqsi/8.0.0.0/jre16/lib/security/BROKER1.jks
# Add Broker Keystore file to Broker registry:
mqsichangeproperties BROKER1 -o BrokerRegistry -n brokerKeystoreFile -v /opt/ibm/mqsi/8.0.0.0/jre16/lib/security/BROKER1.jks
# Add Broker truststore file to Broker registry:
mqsichangeproperties BROKER1 -o BrokerRegistry -n brokerTruststoreFile -v /opt/ibm/mqsi/8.0.0.0/jre16/lib/security/cacerts
# Set the registry password for keystore:
mqsisetdbparms BROKER1 -n brokerTruststore::password -u temp -p mqbrkr
# Associate the Broker with keystore password:
mqsichangeproperties BROKER1 -b httplistener -o HTTPSConnector -n keystorePass -v mqbrkr
# Associate a port for Broker to serve HTTPS requests:
mqsichangeproperties BROKER1 -b httplistener -o HTTPSConnector -n port -v 7883
# Associate a port for Broker to serve HTTP requests:
mqsichangeproperties BROKER1 -b httplistener -o HTTPConnector -n port -v 7880
Setting up ports exclusively for Execution Group
# Create an Execution Group:
mqsicreateexecutiongroup BROKER1 -e EG1
# Configure the SSL Protocol
mqsichangeproperties BROKER1 -e EG1 -o HTTPSConnector -n sslProtocol -v SSLv3
# Configure the port for SOAP over HTTP request
mqsichangeproperties BROKER1 -e EG1 -o HTTPSConnector -n explicitlySetPortNumber -v 7843
# Associate keystore file with Broker EG
mqsichangeproperties BROKER1 -e EG1 -o HTTPSConnector -n keystoreFile -v /opt/ibm/mqsi/8.0.0.0/jre16/lib/security/BROKER1.jks
# Associate the keystore type:
mqsichangeproperties BROKER1 -e EG1 -o HTTPSConnector -n keystoreType -v JKS
# Associate the keystore password:
mqsichangeproperties BROKER1 -e EG1 -o HTTPSConnector -n keystorePass -v mqbrkr
I am using a self-signed certificate for one-way SSL communication. The Broker is the server. Please let me know if I am missing anything.
lancelotlinc
Posted: Wed Jan 16, 2013 1:16 pm    Post subject:
Jedi Knight | Joined: 22 Mar 2010 | Posts: 4941 | Location: Bloomington, IL USA
mca
Posted: Wed Jan 16, 2013 1:53 pm    Post subject:
Disciple | Joined: 09 Mar 2005 | Posts: 196
We haven't used ikeyman, we used keytool to generate and look at the keystore.
keytool -list -keystore BROKER1.jks
Enter keystore password:
Keystore type: jks
Keystore provider: IBMJCE
Your keystore contains 1 entry
BROKER1, Jan 16, 2013, keyEntry,
Certificate fingerprint (MD5): 3F:11:C4:BE:B0:02:34:3F:DC:B7:AA:6D:37:5E:94:36
keytool -list -keystore BROKER1.jks -alias BROKER1
Enter keystore password:
PDLNX11M0002_BRKR1, Jan 16, 2013, keyEntry,
Certificate fingerprint (MD5): 3F:11:C4:BE:B0:02:34:3F:DC:B7:AA:6D:37:5E:94:36
marko.pitkanen
Posted: Wed Jan 16, 2013 10:02 pm    Post subject:
Chevalier | Joined: 23 Jul 2008 | Posts: 440 | Location: Jamsa, Finland
Hi mca,
It seems that you are using a version 8 broker. Have you read what they say in the InfoCenter about implementing SSL auth? Especially setting up PKI.
Maybe I am missing something, but have you generated the self-signed certificate, exported it from the keystore and imported it into the truststore?
I have always used gsk7cmd to manage certificate stores.
--
Marko
lancelotlinc
Posted: Thu Jan 17, 2013 5:42 am    Post subject:
Jedi Knight | Joined: 22 Mar 2010 | Posts: 4941 | Location: Bloomington, IL USA
mca wrote:
    We haven't used ikeyman, we used keytool to generate and look at the keystore.
1. Open a WMB command prompt.
2. Type ikeyman{enter}.
3. From the 'Key Database File' menu, select Open.
ARE YOU ABLE TO SUCCESSFULLY LOAD THE KEYSTORE?
This will tell you whether or not you have specified the correct password in the WMB configurable service.
_________________
http://leanpub.com/IIB_Tips_and_Tricks
Save $20: Coupon Code: MQSERIES_READER
AndreasMartens
Posted: Wed Jan 23, 2013 8:58 am    Post subject: FUD
Acolyte | Joined: 30 Jan 2006 | Posts: 65 | Location: Hursley, UK
My money's on the missing mqsisetdbparms command...
We're talking SOAP here, so I'm going to assume the OP is using the EG-based listener, and not the broker-wide listener. This means we can ignore any settings on the broker's httplistener and on the registry.
For inbound SOAP requests, they're going to be serviced by the execution group listener, so let's have a quick look at the EG settings. Run:
Code:
    mqsireportproperties BROKER1 -e EG1 -o ComIbmJVMManager -a
You'll see some interesting properties there!
Let's set some:
Code:
    mqsichangeproperties BROKER1 -e EG1 -o ComIbmJVMManager -n keystoreFile,keystorePass,truststoreFile,truststorePass -v /opt/ibm/mqsi/8.0.0.0/jre16/lib/security/BROKER1.jks,EG1Keystore::pass,/opt/ibm/mqsi/8.0.0.0/jre16/lib/security/BROKER1.jks,EG1Truststore::pass
The eagle-eyed among you will notice a couple of "bad" things there:
1. We're using the same store for keystore and truststore. These should be separated: use the keystore to hold your private keys, and the truststore to hold the certificates of systems you trust.
2. The store is in the installation tree of the broker; this will cause problems during uninstall/upgrade of the product. Keep them outside the install tree; somewhere under /var/mqsi is better.
Then set the associated passwords:
Code:
    mqsisetdbparms BROKER1 -n EG1Keystore::pass -u ignore -p mqbrkr
    mqsisetdbparms BROKER1 -n EG1Truststore::pass -u ignore -p mqbrkr
Actually, just follow the docs; there is no point in my repeating everything we've carefully added to them:
- You want to follow the "Configuring PKI at execution group level" section in "Setting up a public key infrastructure"
- Then follow the "Configure an execution group to use SSL" section in "Configuring SOAPInput and SOAPReply nodes to use SSL (HTTPS)"
That's all you need.
Remember to restart your broker.