SSL connection with IntegrationNodeProxy
vasilev
Posted: Tue Jan 23, 2024 5:59 am    Post subject: SSL connection with IntegrationNodeProxy

Acolyte

Joined: 31 Oct 2014
Posts: 71
Location: Germany

Hello,
I am getting an error while connecting to the Integration server with SSL:

PKIX path building failed - unable to find valid certification path to requested target.

Code:

String SSLKEY = "/usr/lib/jvm/default-java/lib/security/cacerts";
String brokerSSLPass = "..";
useSSL = true;
System.setProperty("javax.net.ssl.trustStore", SSLKEY);
System.setProperty("javax.net.ssl.trustStorePassword", brokerSSLPass);

IntegrationNodeProxy aceNode = null;
aceNode = new IntegrationNodeProxy(brokerhost, brokerport, brokeruser, brokerpass, useSSL);
IntegrationServerProxy aceServer = aceNode.getIntegrationServerByName(aceServerName);


Am I missing something?

Thank you
_________________
Regards
V.Vasilev
AndreasMartens
Posted: Thu Jan 25, 2024 5:49 am    Post subject: bit more information please!

Acolyte

Joined: 30 Jan 2006
Posts: 65
Location: Hursley, UK

A little more information would be good:
1. Can you confirm which JRE you're using?
2. Can you run with IBM_JAVA_OPTIONS="-Djavax.net.debug=ssl:handshake" (assuming you're using IBM Java 8)?

The main reason for the error is that the certificate exposed by the ACE Node hasn't been included in your cacerts file. Running:

Code:
keytool -list -keystore /usr/lib/jvm/default-java/lib/security/cacerts


would show if it's in there.

Does openssl give the expected cert?

Code:
 openssl s_client -connect brokerhost:brokerport -prexit
vasilev
Posted: Mon Jan 29, 2024 2:25 am

Acolyte

Joined: 31 Oct 2014
Posts: 71
Location: Germany

Sorry for the late reply.
In the Docker image I have installed OpenJDK 17.0.9, Debian 12.

I have imported the root in a new keystore and tried again.
This is the error:

Code:
Exception:com.ibm.integration.admin.proxy.IntegrationAdminException: Caught exception in getIntegrationServers Exception:java.security.NoSuchAlgorithmException: Error constructing implementation (algorithm: Default, provider: SunJSSE, class: sun.security.ssl.SSLContextImpl$DefaultSSLContext)\n\tat com.ibm.integration.admin.proxy.IntegrationNodeProxy.getIntegrationServers(IntegrationNodeProxy.java:287)\n\tat com.ibm.integration.admin.proxy.IntegrationNodeProxy.getIntegrationServerNames(IntegrationNodeProxy.java:257)\n\tat com.ibm.integration.admin.proxy.IntegrationNodeProxy.getIntegrationServerByName(IntegrationNodeProxy.java:317)\n\tat ace_functions.DeployBar(ace_functions.java:46)\n\tat main(ace_main.java:90)\n\tat java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)\n\tat java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:77)\n\tat java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)\n\tat java.base/java.lang.reflect.Method.invoke(Method.java:568)\n\tat org.eclipse.jdt.internal.jarinjarloader.JarRsrcLoader.main(JarRsrcLoader.java:61)\n"]}


SSL debug:

Code:

javax.net.ssl - SSLCipher.java:466|jdk.tls.keyLimits: AES/GCM/NoPadding KeyUpdate 2^37.. KETUPDATE - 137..


This is the code:


...

Code:

if (jsonargs.has("ssl")) {
    useSSL = true;
    System.setProperty("javax.net.ssl.trustStore", ".../truststore.jks");
    System.setProperty("javax.net.ssl.trustStorePassword", "changeit");
    System.setProperty("jdk.tls.client.protocols", "TLSv1.3,TLSv1.1,TLSv1.2");
    System.setProperty("https.protocols", "TLSv1.3,TLSv1.1,TLSv1.2");
}

...
IntegrationServerProxy aceServer = aceNode.getIntegrationServerByName(aceServerName);

_________________
Regards
V.Vasilev
vasilev
Posted: Tue Jan 30, 2024 10:46 am

Acolyte

Joined: 31 Oct 2014
Posts: 71
Location: Germany

I have added the keystore as well. All is fine.

Code:
System.setProperty("javax.net.ssl.trustStore", "/truststore.jks");
System.setProperty("javax.net.ssl.trustStorePassword", "changeit");
System.setProperty("javax.net.ssl.keyStore", "/truststore.jks");
System.setProperty("javax.net.ssl.keyStorePassword", "changeit");
System.setProperty("jdk.tls.client.protocols", "TLSv1.2,TLSv1.3");
System.setProperty("https.protocols", "TLSv1.2,TLSv1.3");

_________________
Regards
V.Vasilev
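
A preflight check for the trust store discussed in this thread, as an added example that is not code from any poster or from the ACE API: it loads the file named by the javax.net.ssl.trustStore property directly, so a missing file or wrong password is reported as such instead of surfacing later during SSLContext construction, and it lists the trusted subjects for comparison with the openssl s_client output. The class name TrustStorePreflight and the fallback to the JRE's bundled cacerts with password "changeit" are assumptions.

```java
import java.io.File;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Collections;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

// Added example; TrustStorePreflight is a hypothetical name, not part of the ACE API.
public class TrustStorePreflight {

    // Loads the store and returns the number of trusted X.509 certificate entries.
    static int checkTrustStore(String path, char[] password) throws Exception {
        // KeyStore.getInstance(File, char[]) (Java 9+) detects JKS vs PKCS12 and
        // throws IOException for a missing file or a wrong password.
        KeyStore ks = KeyStore.getInstance(new File(path), password);

        int trusted = 0;
        for (String alias : Collections.list(ks.aliases())) {
            Certificate cert = ks.getCertificate(alias);
            if (ks.isCertificateEntry(alias) && cert instanceof X509Certificate) {
                X509Certificate x509 = (X509Certificate) cert;
                trusted++;
                // Compare these subjects with the issuer shown by openssl s_client.
                System.out.printf("%s | %s | expires %s%n", alias,
                        x509.getSubjectX500Principal().getName(), x509.getNotAfter());
            }
        }
        if (trusted == 0) {
            throw new IllegalStateException("No trusted certificate entries in " + path);
        }

        // Confirm the store can back a TLS context before any connection is attempted.
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return trusted;
    }

    public static void main(String[] args) throws Exception {
        // Assumed defaults: the JRE's bundled cacerts and its stock password.
        String path = System.getProperty("javax.net.ssl.trustStore",
                System.getProperty("java.home") + "/lib/security/cacerts");
        String pass = System.getProperty("javax.net.ssl.trustStorePassword", "changeit");
        System.out.println(checkTrustStore(path, pass.toCharArray()) + " trust anchors in " + path);
    }
}
```

Run it with the same -Djavax.net.ssl.trustStore and -Djavax.net.ssl.trustStorePassword values the client uses; if the CA that issued the node's certificate is not among the printed subjects, the PKIX path building error is expected.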