techno
Posted: Thu Jul 29, 2004 2:43 pm Post subject: SSL MQ
Chevalier
Joined: 22 Jan 2003 Posts: 429
I have taken a simple case where two qmgrs exist on the same machine. Used self-signed certs and tried to connect through SSL. The last part.. I am not sure. Created certs. Added each cert to the other key db.
Altered the defs of chls (sdr and rcvr). Altered qmgr.
Chls started fine on both the ends.. How do I know that that particular chl is really using SSL?
Also, when I use Java and connect to a qmgr through client-con, how do I use SSL here? There is no Client-Chl really defined....
Thanks for your help.
PeterPotkay
Posted: Thu Jul 29, 2004 3:21 pm Post subject: Re: SSL MQ
Poobah
Joined: 15 May 2001 Posts: 7722
techno wrote:
Chls started fine on both the ends.. How do I know that that particular chl is really using SSL?
Look in the Software Repository here for the SSL Tutorial. It comes with a port sniffer that displays the channel traffic. It shows clearly what is coming over a channel, and whether it is encrypted or not. It's quite interesting to see even without SSL. You can see Heartbeats flowing across a channel, all the data they exchange, etc.
techno wrote:
Also, when I use Java and connecting to a qmgr through client-con, how do I use SSL here? There is no really Client-Chl defined....
Check out the Using Java Manual for the MQEnvironment class. It has SSL properties.
Quote:
sslCertStores*
public static java.util.Collection sslCertStores
A Collection of CertStore objects used for certificate revocation checking. Use of this variable requires a JVM at Java 2 v1.4 or later. If sslCipherSuite is set, this variable can be used to ensure that the queue manager's certificate has not become revoked. Each CertStore in the Collection represents an identical copy of the certificate revocation list (CRL). For more information on the behaviour of sslCertStores, refer to Using certificate revocation lists. If set to null (default), the certificate presented by the queue manager is not checked against any certificate revocation list. This variable is ignored if sslCipherSuite is null.
sslCipherSuite*
public static String sslCipherSuite
If set, SSL is enabled for the connection. Set the sslCipherSuite to the CipherSuite name matching the CipherSpec set on the SVRCONN channel. If set to null (default), no SSL encryption is performed.
sslPeerName*
public static String sslPeerName
A distinguished name pattern. If sslCipherSuite is set, this variable can be used to ensure the correct queue manager is used. For a description of the format for this value, see Using the distinguished name of the queue manager. If set to null (default), no checking of the queue manager's DN is performed. This variable is ignored if sslCipherSuite is null.
sslSocketFactory*
public static javax.net.ssl.SSLSocketFactory sslSocketFactory
The factory to use when connecting with SSL encryption. If sslCipherSuite is set, this variable can be used to customize all aspects of the SSL connection. For more information on constructing and customizing SSLSocketFactory instances, refer to your JSSE provider; for information regarding the use of this variable, refer to Supplying a customized SSLSocketFactory. If set to null (default) and SSL encryption is requested, the default SSLSocketFactory is used. This variable is ignored if sslCipherSuite is null.
Peter Potkay
Keep Calm and MQ On

vennela
Posted: Fri Jul 30, 2004 7:13 am Post subject:
Jedi Knight
Joined: 11 Aug 2002 Posts: 4055 Location: Hyderabad, India
Quote:
Chls started fine on both the ends.. How do I know that that particular chl is really using SSL?

Also, if you do
on the channel, if the channels are using SSL, SSL channel attributes will be displayed.
That is the simplest thing to check.
techno
Posted: Fri Jul 30, 2004 12:02 pm Post subject:
Chevalier
Joined: 22 Jan 2003 Posts: 429
techno
Posted: Fri Jul 30, 2004 1:35 pm Post subject:
Chevalier
Joined: 22 Jan 2003 Posts: 429
I have tried doing this..
I changed the properties of both client and server chls (both on the server box) with SSLCIPH(RC4_MD5_US).
Now I have made the change in my client java program:
((MQQueueConnectionFactory) qConnectionFactory).setSSLCipherSuite("RC4_MD5_US") ;
I am getting an exception on the client java program (this is a receiver):
java.lang.NoClassDefFoundError: javax/net/ssl/HandshakeCompletedListener
I have checked on the client side: jdk1.3 has even the security jars in ext.
I guess I need to have some classes on mq ssl also. (on the server side there is a directory ssl on opt/mqm...
What should be done?
One more question: Am I supposed to use SSLSocketFactory?
Thanks
(Should I be moving it to the MQ Java Forum? How do I do it?)
techno
Posted: Fri Jul 30, 2004 2:01 pm Post subject:
Chevalier
Joined: 22 Jan 2003 Posts: 429
I guess I need to install JSSE on client side?
I did it by copying the jsse jar files to ext dir. Now I am getting 2059.
vennela
Posted: Sat Jul 31, 2004 1:59 pm Post subject:
Jedi Knight
Joined: 11 Aug 2002 Posts: 4055 Location: Hyderabad, India
2059 usually means the listener is not running. On the server QMGR see if the listener is running.
jefflowrey
Posted: Sat Jul 31, 2004 5:51 pm Post subject:
Grand Poobah
Joined: 16 Oct 2002 Posts: 19981
vennela wrote:
2059 usually means the listener is not running. On the server QMGR see if the listener is running.

It can also mean that the queue manager name is spelled wrong, or in the wrong case.
I am *not* the model of the modern major general.
vennela
Posted: Sat Jul 31, 2004 9:32 pm Post subject:
Jedi Knight
Joined: 11 Aug 2002 Posts: 4055 Location: Hyderabad, India
Quote:
It can also mean that the queue manager name is spelled wrong, or in the wrong case.

Doesn't that give 2058 instead of 2059?
techno
Posted: Mon Aug 02, 2004 8:00 am Post subject:
Chevalier
Joined: 22 Jan 2003 Posts: 429
Qmgr Listener is running. Do I have to make any changes to the program?
vennela
Posted: Mon Aug 02, 2004 8:18 am Post subject:
Jedi Knight
Joined: 11 Aug 2002 Posts: 4055 Location: Hyderabad, India
Did you specify the right port?
What kind of errors do you see in the QMGR error logs?
techno
Posted: Mon Aug 02, 2004 8:24 am Post subject:
Chevalier
Joined: 22 Jan 2003 Posts: 429
I do not see any errors in qmgr error logs. If I remove SSL related stuff (from definitions and code), it is connecting to qmgr without any error.
Thanks
techno
Posted: Mon Aug 02, 2004 8:56 am Post subject:
Chevalier
Joined: 22 Jan 2003 Posts: 429
I am sorry. I think I am missing something here.
I do not have keystore on client side. I will create keystore and add self-signed certificate (copied from Unix).
My client java program is on Windows. Qmgr is on HP-UX.
Above will make server authorization only. Am I correct?
If I want client to be authenticated, I need to create a certificate on Windows and add that to UX. Is that correct?
Thanks
techno
Posted: Mon Aug 02, 2004 10:15 am Post subject:
Chevalier
Joined: 22 Jan 2003 Posts: 429
This is what I have done:
Java client app is on Win2k
Qmgr on HP-UX.
1. (UX) Set up repository on UX (where qmgr sits) using GUI tool gsk6ikm.
Altered qmgr keyrep attribute.
2. (UX) Created self-signed certificate in above database. (key.*)
3. (UX) Extracted certificate for above self-signed certificate (cert.arm)
4. (UX/WIN2k) Transferred cert.arm to Windows (FTPed in ascii mode)
5. (UX) Altered server connection channel with SSLCIPH(RC4_MD5_US). Kept SSLCAUTH(OPTIONAL)
6. (UX) Ended and started QMGR. Listener is already up and running. (shall I have to stop and start the listener?)
7. (Java on Win2k) Made code changes.
((MQQueueConnectionFactory) qConnectionFactory).setSSLCipherSuite("RC4_MD5_US") ;
8. (Win2k) amqmcert -a -s cert.arm
Set MQSSLKEYR. Added ftped (from UX) certificate to the repository using amqmcert.
9. Started Client java app. Throws RC 2059.
vennela
Posted: Mon Aug 02, 2004 9:25 pm Post subject:
Jedi Knight
Joined: 11 Aug 2002 Posts: 4055 Location: Hyderabad, India
Code:
((MQQueueConnectionFactory) qConnectionFactory).setSSLCipherSuite("RC4_MD5_US") ;

I think this should be
Code:
((MQQueueConnectionFactory) qConnectionFactory).setSSLCipherSuite("SSL_RSA_WITH_RC4_128_MD5") ;

This is just a guess because I was looking at the Using Java Manual's Appendix H and it had the following lines.
Quote:
In MQEnvironment.sslCipherSuite or MQC.SSL_CIPHER_SUITE_PROPERTY of WebSphere MQ base Java
Using the setSSLCipherSuite() method of MQConnectionFactory in JMS
Using the SSLCIPHERSUITE (SCPHS) property from JMSAdmin

The table below that has a kind of one to one mapping for CipherSpec and CipherSuite. So based on your info in the prior posts I think you need to make that change. If you have the luxury of testing it let me know the results.
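The JMS client-side setup the thread converges on (CipherSuite name rather than the channel's CipherSpec, a JSSE trust store holding the queue manager's extracted cert.arm, and a peer-name check on the queue manager's certificate), as an added example that is not code from any poster. Host name, port, queue manager name, channel name, trust store path and the DN pattern are assumed placeholders; only the RC4_MD5_US to SSL_RSA_WITH_RC4_128_MD5 pairing comes from the thread.

```java
import javax.jms.JMSException;
import javax.jms.QueueConnection;
import com.ibm.mq.jms.JMSC;
import com.ibm.mq.jms.MQQueueConnectionFactory;

/* Assumes (hypothetical values) a queue manager QM1 on hpux-qmgr-host:1414 with a
 * SVRCONN channel SSL.SVRCONN carrying SSLCIPH(RC4_MD5_US), and a JKS trust store
 * C:\mq\client.jks into which the extracted cert.arm was imported with:
 *   keytool -import -alias qm1 -file cert.arm -keystore C:\mq\client.jks */
public class SslClientConnect {
    // CipherSpec set on the channel (SSLCIPH) -> CipherSuite name the JMS client must use.
    // Only the pair discussed in this thread is listed; the full table is in the Using Java manual.
    static final String[][] CIPHERSPEC_TO_SUITE = {
        { "RC4_MD5_US", "SSL_RSA_WITH_RC4_128_MD5" },
    };

    static String cipherSuiteFor(String cipherSpec) {
        for (int i = 0; i < CIPHERSPEC_TO_SUITE.length; i++) {
            if (CIPHERSPEC_TO_SUITE[i][0].equals(cipherSpec)) return CIPHERSPEC_TO_SUITE[i][1];
        }
        throw new IllegalArgumentException("no CipherSuite mapping for CipherSpec " + cipherSpec);
    }

    public static void main(String[] args) throws Exception {
        // JSSE trust store: without the queue manager's cert here the handshake fails,
        // which in this thread surfaced at the client as MQ reason code 2059.
        System.setProperty("javax.net.ssl.trustStore", "C:\\mq\\client.jks");
        System.setProperty("javax.net.ssl.trustStorePassword", "changeit");

        MQQueueConnectionFactory cf = new MQQueueConnectionFactory();
        cf.setTransportType(JMSC.MQJMS_TP_CLIENT_MQ_TCPIP);
        cf.setHostName("hpux-qmgr-host");
        cf.setPort(1414);
        cf.setQueueManager("QM1");
        cf.setChannel("SSL.SVRCONN");
        // CipherSuite name, not the CipherSpec string used in SSLCIPH on the channel.
        cf.setSSLCipherSuite(cipherSuiteFor("RC4_MD5_US"));
        // Reject a connection whose server certificate DN does not match the expected queue manager.
        cf.setSSLPeerName("CN=QM1, O=EXAMPLE");

        QueueConnection conn = null;
        try {
            conn = cf.createQueueConnection();
            conn.start();
            System.out.println("SSL connection to " + cf.getQueueManager() + " established");
        } catch (JMSException e) {
            // The MQ reason code (e.g. 2059) is carried on the linked exception.
            System.err.println("connect failed: " + e.getMessage() + " linked: " + e.getLinkedException());
            throw e;
        } finally {
            if (conn != null) conn.close();
        }
    }
}
```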