| Author | Message | 
		
		  | archana123 | 
			  
				|  Posted: Mon Aug 31, 2015 11:41 am    Post subject: Issue with IIB HTTPS flow |   |  | 
		
		  | Novice
 
 
 Joined: 21 Jul 2015
 Posts: 14
 
 
 | 
			  
				| I am a newbie. I was trying to push a few messages to the HTTP flow using Java code (this is to push multiple data, as part of my testing). When I tried with the HTTP flow, my IIB data flow was able to pick up the messages posted from the Java code and returned a success status.
 
 But when I deployed the code with HTTPS enabled, the messages were not getting picked up (using the Java code). I also tried to give full permission to the KeyStore and TrustStore files. But I had no luck.
 
 Can anyone help me with it?
 |  | 
		
		
		  | inMo | 
			  
				|  Posted: Mon Aug 31, 2015 12:05 pm    Post subject: |   |  | 
		
		  |  Master
 
 
 Joined: 27 Jun 2009
 Posts: 216
 Location: NY
 
 | 
			  
				| What URL is your Java code pointing to for http?  Same question for https. |  | 
		
		
		  | Vitor | 
			  
				|  Posted: Mon Aug 31, 2015 12:29 pm    Post subject: Re: Issue with IIB HTTPS flow |   |  | 
		
		  |  Grand High Poobah
 
 
 Joined: 11 Nov 2005
 Posts: 26093
 Location: Texas, USA
 
 | 
			  
				| 
   
	| archana123 wrote: |  
	| I also tried to give full permission to the KeyStore and TrustStore files. |  
 Are you sure these files contain the correct certificate(s) you need for an SSL connection?
 
 Is there any exception either in the HTTPS client or the broker log?
 _________________
 Honesty is the best policy.
 Insanity is the best defence.
 |  | 
		
		
		  | archana123 | 
			  
				|  Posted: Mon Aug 31, 2015 12:45 pm    Post subject: |   |  | 
		
		  | Novice
 
 
 Joined: 21 Jul 2015
 Posts: 14
 
 
 |  | 
		
		
		  | archana123 | 
			  
				|  Posted: Mon Aug 31, 2015 12:48 pm    Post subject: |   |  | 
		
		  | Novice
 
 
 Joined: 21 Jul 2015
 Posts: 14
 
 
 | 
			  
				| Hi Vitor, 
 
	| Vitor wrote: |  
	| Are you sure these files contain the correct certificate(s) you need for an SSL connection? |  
 Yes, it contains the correct certificates I need for the connection.
 
	| Vitor wrote: |  
	| Is there any exception either in the HTTPS client or the broker log? |  
 
 I could not find any exception in the logs.
 |  | 
		
		
		  | Vitor | 
			  
				|  Posted: Mon Aug 31, 2015 2:49 pm    Post subject: |   |  | 
		
		  |  Grand High Poobah
 
 
 Joined: 11 Nov 2005
 Posts: 26093
 Location: Texas, USA
 
 | 
			  
				| 
   
	| archana123 wrote: |  
	| Yes, it contains the correct certificates I need for the connection. |  
 How have you verified this?
 
 
 
   
	| archana123 wrote: |  
	| I could not find any exception in the logs. |  
 Take a user trace. If that shows something reaching your flow, you have a flow problem. If nothing's reaching your flow, your SSL config is wrong.
 _________________
 Honesty is the best policy.
 Insanity is the best defence.
 |  | 
		
		
		  | archana123 | 
			  
				|  Posted: Mon Aug 31, 2015 5:18 pm    Post subject: |   |  | 
		
		  | Novice
 
 
 Joined: 21 Jul 2015
 Posts: 14
 
 
 | 
			  
				| Hi Vitor, 
 Since I did not get any errors explicitly, I wrote some Java code to check it.
 Please find the code below:
 
 
 
   
	| Code: |  
	| 
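 import java.nio.charset.StandardCharsets;
 import java.security.SecureRandom;
 import java.security.cert.X509Certificate;
 import javax.net.ssl.SSLContext;
 import javax.net.ssl.TrustManager;
 import javax.net.ssl.X509TrustManager;
 import org.apache.http.HttpEntity;
 import org.apache.http.client.methods.CloseableHttpResponse;
 import org.apache.http.client.methods.HttpPost;
 import org.apache.http.conn.ssl.SSLSocketFactory;
 import org.apache.http.entity.ByteArrayEntity;
 import org.apache.http.impl.client.CloseableHttpClient;
 import org.apache.http.impl.client.HttpClients;
 import org.apache.http.util.EntityUtils;

 public class HttpsPostTest { // wrapper class added so the posted method compiles

     public String sendPost(final String httpsEndpointUrl, final String messageToPost) throws Exception {
         String result = null;
         SSLContext sslContext = SSLContext.getInstance("SSL");

         // set up a TrustManager that trusts everything: the certificate chain is
         // not validated, but the HTTP client still verifies the host name
         sslContext.init(null, new TrustManager[] { new X509TrustManager() {
             public X509Certificate[] getAcceptedIssuers() {
                 System.out.println("getAcceptedIssuers =============");
                 return new X509Certificate[0]; // the interface requires a non-null array
             }

             public void checkClientTrusted(X509Certificate[] certs, String authType) {
                 System.out.println("checkClientTrusted =============");
             }

             public void checkServerTrusted(X509Certificate[] certs, String authType) {
                 System.out.println("checkServerTrusted =============");
             }
         } }, new SecureRandom());

         HttpPost httpPost = new HttpPost(httpsEndpointUrl);

         // encode the body explicitly as UTF-8 and declare the charset in Content-Type;
         // Content-Encoding is for codings such as gzip, so it is not set here
         ByteArrayEntity postDataEntity = new ByteArrayEntity(messageToPost.getBytes(StandardCharsets.UTF_8));
         postDataEntity.setContentType("application/json; charset=UTF-8");
         httpPost.setEntity(postDataEntity);

         // SSLSocketFactory is the deprecated Apache HttpClient 4.x class used in the post;
         // try-with-resources closes the response and the client even if execute() throws
         try (CloseableHttpClient httpclient = HttpClients.custom()
                  .setSSLSocketFactory(new SSLSocketFactory(sslContext)).build();
              CloseableHttpResponse response = httpclient.execute(httpPost)) {
             HttpEntity entity = response.getEntity();
             if (entity != null) { // a response may carry no body
                 result = EntityUtils.toString(entity);
                 EntityUtils.consume(entity);
             }
         }
         return result;
     }
 }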
 
 
 |  
 
 Now it throws an error
 
 javax.net.ssl.SSLException: Certificate for <IP> doesn't match common name of the certificate subject: <MyIntegrationNodeName>
 
 But while configuring the SSL and downloading certificates, I had downloaded all the possible self signed certificates in my environment.
 
 Please help.
 
 
  |  | 
		
		
		  | Vitor | 
			  
				|  Posted: Tue Sep 01, 2015 4:30 am    Post subject: |   |  | 
		
		  |  Grand High Poobah
 
 
 Joined: 11 Nov 2005
 Posts: 26093
 Location: Texas, USA
 
 | 
			  
				| 
   
	| archana123 wrote: |  
	| Since I did not get any errors explicitly, I wrote some Java code to check it. |  
 As regular forum members will tell you, this might as well be written in Klingon for all it conveys to me. In fact, I might do slightly better if it was in Klingon. I'm sure it's very nice.
 
 
 
   
	| archana123 wrote: |  
	| javax.net.ssl.SSLException: Certificate for <IP> doesn't match common name of the certificate subject: <MyIntegrationNodeName>
 
 |  
 Well that looks like the sort of SSL error I was asking about above.
 
 
 
   
	| archana123 wrote: |  
	| But while configuring the SSL and downloading certificates, I had downloaded all the possible self signed certificates in my environment. |  
 If you're using self signed certificates, why would you need more than one? Or need to download them? By definition, you're creating and signing the certificates yourself - the clue's in the name!
 
 And according to both broker and your Java, that's still not enough.
 
 
 
   
	| archana123 wrote: |  
	| Please help. |  
 Don't download "all the possible" certificates - use the right ones. You're not going to fix this by ramming every possible certificate into the store. Indeed, if I had to theorize I'd suspect that you have more than one personal cert in the key store and the "wrong" one is being picked up.
 
 Think about what you need, think about what you're doing and follow the instructions in the broker documentation for setting up a self signed public key infrastructure. If there's anyone on your site who has experience with SSL, reach out to them. The important point here is to have a working SSL config so even if they don't know broker they can get you sorted with key & trust store which you can then supply to the broker.
 _________________
 Honesty is the best policy.
 Insanity is the best defence.
 |  | 
		
		
		  | mqjeff | 
			  
				|  Posted: Tue Sep 01, 2015 5:14 am    Post subject: |   |  | 
		
		  | Grand Master
 
 
 Joined: 25 Jun 2008
 Posts: 17447
 
 
 | 
			  
				| It's really not clear why you need to use Java code to talk HTTP/HTTPS at all. 
 You also have to take entirely separate steps to add the certificates where Java code can find them than you do to add it where the HTTP nodes can find them. Unless I remember wrong.
 
 "To push multiple data" through HTTP is as easy as creating more than one output message.  If you need to manage data returned from one request for use in another, there are many very easy ways to do this - a SHARED row, for example.
 _________________
 chmod  -R ugo-wx /
 |  | 
		
		
		  | Vitor | 
			  
				|  Posted: Tue Sep 01, 2015 5:30 am    Post subject: |   |  | 
		
		  |  Grand High Poobah
 
 
 Joined: 11 Nov 2005
 Posts: 26093
 Location: Texas, USA
 
 | 
			  
				| 
   
	| mqjeff wrote: |  
	| It's really not clear why you need to use Java code to talk HTTP/HTTPS at all. |  
 I think the OP was trying to check the SSL set up.
 
 
 
   
	| mqjeff wrote: |  
	| You also have to take entirely separate steps to add the certificates where Java code can find them than you do to add it where the HTTP nodes can find them. Unless I remember wrong. |  
 I was wondering about that - wouldn't the code look in the SSL associated with the JVM? But I decided not to look more stupid than is unavoidable.
 _________________
 Honesty is the best policy.
 Insanity is the best defence.
 |  | 
		
		
		  | mqjeff | 
			  
				|  Posted: Tue Sep 01, 2015 5:34 am    Post subject: |   |  | 
		
		  | Grand Master
 
 
 Joined: 25 Jun 2008
 Posts: 17447
 
 
 | 
			  
				| 
   
	| Vitor wrote: |  
	| But I decided not to look more stupid than is unavoidable. |  It's good to save these things up for MQTC.
 _________________
 chmod  -R ugo-wx /
 |  | 
		
		
		  | Vitor | 
			  
				|  Posted: Tue Sep 01, 2015 5:48 am    Post subject: |   |  | 
		
		  |  Grand High Poobah
 
 
 Joined: 11 Nov 2005
 Posts: 26093
 Location: Texas, USA
 
 | 
			  
				| 
   
	| mqjeff wrote: |  
	| 
   
	| Vitor wrote: |  
	| But I decided not to look more stupid than is unavoidable. |  It's good to save these things up for MQTC.
 |  
 When I can blame the booze?
 _________________
 Honesty is the best policy.
 Insanity is the best defence.
 |  | 
		
		
		  | fjb_saper | 
			  
				|  Posted: Tue Sep 01, 2015 8:09 am    Post subject: |   |  | 
		
		  |  Grand High Poobah
 
 
 Joined: 18 Nov 2003
 Posts: 20767
 Location: LI,NY
 
 | 
			  
				| 
   
	| archana123 wrote: |  
	| Now it throws an error 
 javax.net.ssl.SSLException: Certificate for <IP> doesn't match common name of the certificate subject: <MyIntegrationNodeName>
 
 But while configuring the SSL and downloading certificates, I had downloaded all the possible self signed certificates in my environment.
 
 Please help.
 
 
  |  You really need to talk to an SSL expert at your site.
 For HTTPS the common name has to be the hostname of the machine targeted (or any alias if it is proxied)...
 I'd say your SSL cert is not adequate for the usage you are trying to make of it.
 
  _________________
 MQ & Broker admin
 |  | 
		
		
		  |  |
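
The mismatch reported in the thread means the host in the client URL (an IP address) is not a name the presented certificate was issued for, and a key store holding several personal certificates makes it unclear which one is presented. The Java program below is an added example, not code from the thread or from the broker product: it lists each personal certificate in a key store with its CN and subjectAltName entries and reports whether each covers a given host. It assumes a JKS key store; the class name `KeyStoreHostCheck`, its method names and the command-line arguments are hypothetical, and the comparison is exact-match only.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Collections;
import java.util.List;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;

// Added example: class and method names are illustrative, not from the thread.
public class KeyStoreHostCheck {
    // Names the certificate is issued for: subject CN plus dNSName (2) and iPAddress (7) SANs.
    static List<String> namesOf(X509Certificate cert) throws Exception {
        List<String> names = new ArrayList<>();
        for (Rdn rdn : new LdapName(cert.getSubjectX500Principal().getName()).getRdns()) {
            if ("CN".equalsIgnoreCase(rdn.getType())) names.add(String.valueOf(rdn.getValue()));
        }
        Collection<List<?>> sans = cert.getSubjectAlternativeNames(); // null if extension absent
        if (sans != null) {
            for (List<?> san : sans) {
                int type = (Integer) san.get(0);
                if (type == 2 || type == 7) names.add(String.valueOf(san.get(1)));
            }
        }
        return names;
    }

    // Exact, case-insensitive comparison only; wildcard names are not expanded.
    static boolean covers(List<String> names, String host) {
        for (String name : names) {
            if (name.equalsIgnoreCase(host)) return true;
        }
        return false;
    }

    // args: <keystore.jks> <store password> <host or IP used in the client URL>
    public static void main(String[] args) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS"); // assumption: the key store is in JKS format
        try (InputStream in = new FileInputStream(args[0])) {
            ks.load(in, args[1].toCharArray());
        }
        for (String alias : Collections.list(ks.aliases())) {
            if (!ks.isKeyEntry(alias)) continue; // skip signer-only (trusted certificate) entries
            List<String> names = namesOf((X509Certificate) ks.getCertificate(alias));
            System.out.println(alias + " -> " + names
                + (covers(names, args[2]) ? " covers " : " does NOT cover ") + args[2]);
        }
    }
}
```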