Unable to Connect to QMGR with SSL enabled
		
gyadavil (Acolyte, Joined: 01 Feb 2005, Posts: 62)
Posted: Wed Apr 25, 2007 7:58 pm    Post subject: Unable to Connect to QMGR with SSL enabled
		  
		    
			  
==== My apologies for posting the same question in the other forum. By mistake I submitted my question there ====

Hello

I am getting the following error when I try to connect to QMGR once we enabled the SSL.

main, handling exception: javax.net.ssl.SSLHandshakeException: com.ibm.jsse2.util.h: PKIX path building failed: java.security.cert.CertPathBuilderException: unable to find valid certification path to requested target

The following tasks have been performed.

1.  Created Key repository under
     /var/mqm/qmgrs/qmgr/ssl/key.kdb
2.  Set the property SSLKEYR(/var/mqm/qmgrs/SWGMQ07DEV/ssl/DSW_SWGMQ07DEVKeystore)
3.  Created one self signed certificate on server
4.  Extracted self signed certificate
5.  Set the channel property CipherSpec and SSLCAUTH
    SSLCAUTH(OPTIONAL)                      SSLCIPH(RC4_MD5_US)

Client Side

1.  Created a jks key db
2.  Added the self signed certificate created on server side
3.  Executed the program with the following code in place

MQQueueConnectionFactory mqcf = new MQQueueConnectionFactory();
mqcf.setTransportType(JMSC.MQJMS_TP_CLIENT_MQ_TCPIP);
mqcf.setHostName("swgmq07.rochny.ibm.com");
mqcf.setPort(1415);
mqcf.setChannel("CSDW.SVRCONN");
mqcf.setQueueManager("SWGMQ07DEV");
System.setProperty("javax.net.ssl.trustStore","C:\\IBM\\SSL\\gowri_jks.jks");
System.setProperty("javax.net.ssl.trustStorePassword","password");
System.setProperty("javax.net.ssl.keyStore","C:\\IBM\\SSL\\gowri_jks.jks");
System.out.println("before key password");
mqcf.setSSLCipherSuite("SSL_RSA_WITH_RC4_128_MD5");

Can someone help me out with what is missing here?

===

I figured out the qm setting for key repo is pointing to wrong location.
I corrected it but I am getting the following error

AMQ9631
There is a mismatch between the CipherSpecs on the local and remote ends of
channel 'CSDW.SVRCONN'. The channel will not run until this mismatch is
resolved. The CipherSpec required in the local channel definition is
'RC4_MD5_US'. The name of the CipherSpec negotiated during the SSL handshake is
'RC4_MD5_US'. A code is displayed if the name of the negotiated CipherSpec
cannot be determined.

But I have CipherSuite on Channel is set to RC4_MD5_US
and my java program uses
mqcf.setSSLCipherSuite("SSL_RSA_WITH_RC4_128_MD5");
as per the docs.  Not sure why I am getting this error

====================
main, WRITE: SSLv3 Handshake, length = 45
main, received EOFException: error
main, handling exception: javax.net.ssl.SSLHandshakeException: Remote host closed connection during handshake
main, SEND TLSv1 ALERT:  fatal, description = handshake_failure
main, WRITE: TLSv1 Alert, length = 2
main, called closeSocket()
null
javax.jms.JMSException: MQJMS2005: failed to create MQQueueManager for 'swgmq07.rochny.ibm.com:SWGMQ07DEV'
    at com.ibm.mq.jms.services.ConfigEnvironment.newException(ConfigEnvironment.java:586)
    at com.ibm.mq.jms.MQConnection.createQM(MQConnection.java:2110)
    at com.ibm.mq.jms.MQConnection.createQMNonXA(MQConnection.java:1532)
    at com.ibm.mq.jms.MQQueueConnection.<init>(MQQueueConnection.java:150)
    at com.ibm.mq.jms.MQQueueConnectionFactory.createQueueConnection(MQQueueConnectionFactory.java:185)
    at Test.main(Test.java:49)
MQJE001: Completion Code 2, Reason 2397
==============================
		 
		
marcin.kasinski (Sentinel, Joined: 21 Dec 2004, Posts: 850, Location: Poland / Warsaw)
Posted: Wed Apr 25, 2007 10:35 pm    Post subject: Re: Unable to Connect to QMGR with SSL enabled

[quote="gyadavil"]
But I have CipherSuite on Channel is set to RC4_MD5_US
and my java program uses
mqcf.setSSLCipherSuite("SSL_RSA_WITH_RC4_128_MD5");
as per the docs.  Not sure why I am getting this error
[/quote]

First thing :

CipherSuite on both sides should be the same.
_________________
Marcin
		 
		
BenR (Acolyte, Joined: 31 Jan 2006, Posts: 60, Location: Hursley, UK)
Posted: Wed Apr 25, 2007 10:53 pm
		 
		
gyadavil (Acolyte, Joined: 01 Feb 2005, Posts: 62)
Posted: Thu Apr 26, 2007 11:17 am

[quote="BenR"]Have you tried this

http://www-128.ibm.com/developerworks/websphere/library/techarticles/0510_fehners/0510_fehners.html[/quote]

Yes.  But still the error message is the same

main, WRITE: SSLv3 Handshake, length = 45
main, received EOFException: error
main, handling exception: javax.net.ssl.SSLHandshakeException: Remote host closed connection during handshake
main, SEND TLSv1 ALERT:  fatal, description = handshake_failure
main, WRITE: TLSv1 Alert, length = 2
main, called closeSocket()
null
javax.jms.JMSException: MQJMS2005: failed to create MQQueueManager for 'swgmq07.rochny.ibm.com:SWGMQ07DEV'
    at com.ibm.mq.jms.services.ConfigEnvironment.newException(ConfigEnvironment.java:586)
    at com.ibm.mq.jms.MQConnection.createQM(MQConnection.java:2110)
    at com.ibm.mq.jms.MQConnection.createQMNonXA(MQConnection.java:1532)
    at com.ibm.mq.jms.MQQueueConnection.<init>(MQQueueConnection.java:150)
    at com.ibm.mq.jms.MQQueueConnectionFactory.createQueueConnection(MQQueueConnectionFactory.java:185)
    at Test.main(Test.java:53)
MQJE001: Completion Code 2, Reason 2397

My key database on server is of type cms and here we are trying to create a jks.  Does it matter ??
		 
		
gyadavil (Acolyte, Joined: 01 Feb 2005, Posts: 62)
Posted: Thu Apr 26, 2007 11:19 am    Post subject: Re: Unable to Connect to QMGR with SSL enabled

[quote="marcin.kasinski"][quote="gyadavil"]
But I have CipherSuite on Channel is set to RC4_MD5_US
and my java program uses
mqcf.setSSLCipherSuite("SSL_RSA_WITH_RC4_128_MD5");
as per the docs.  Not sure why I am getting this error
[/quote]

First thing :

CipherSuite on both sides should be the same.[/quote]

CipherSpec        Equivalent CipherSuite
NULL_MD5          SSL_RSA_WITH_NULL_MD5
NULL_SHA          SSL_RSA_WITH_NULL_SHA
RC4_MD5_EXPORT    SSL_RSA_EXPORT_WITH_RC4_40_MD5
RC4_MD5_US        SSL_RSA_WITH_RC4_128_MD5

I have the correct matching cipherspec in my program and in the channel.
		 
		
marcin.kasinski (Sentinel, Joined: 21 Dec 2004, Posts: 850, Location: Poland / Warsaw)
Posted: Thu Apr 26, 2007 11:21 am

Please show your new code and MQ logs.
_________________
Marcin
		 
		
gyadavil (Acolyte, Joined: 01 Feb 2005, Posts: 62)
Posted: Thu Apr 26, 2007 1:07 pm
		  
		    
			  
[quote="marcin.kasinski"]Please show your new code and MQ logs.[/quote]

MQ Log
==========
04/26/07 15:15:07 - Process(75832.1) User(mqm) Program(amqcrsta_nd)
AMQ9660: SSL key repository: password stash file absent or unusable.

EXPLANATION:
The SSL key repository cannot be used because MQ cannot obtain a password to
access it. Reasons giving rise to this error include:
(a) the key database file and password stash file are not present in the
  location configured for the key repository,
(b) the key database file exists in the correct place but that no password
  stash file has been created for it,
(c) the files are present in the correct place but the userid under which MQ is
  running does not have permission to read them,
(d) one or both of the files are corrupt.

The channel is '????'; in some cases its name cannot be determined and so is
shown as '????'. The channel did not start.
ACTION:
Ensure that the key repository variable is set to where the key database file
is. Ensure that a password stash file has been associated with the key database
file in the same directory, and that the userid under which MQ is running has
read access to both files. If both are already present and readable in the
correct place, delete and recreate them. Restart the channel.
====================
04/26/07 14:04:24 - Process(61214.1) User(mqm) Program(runmqchl_nd)
AMQ9001: Channel 'SWGMQ07DEV.SWGMQ07QM' ended normally.

EXPLANATION:
Channel 'SWGMQ07DEV.SWGMQ07QM' ended normally.
ACTION:
None.

====================
04/26/07 02:28:09 - Process(81434.1) User(mqm) Program(amqcrsta_nd)
AMQ9639: Remote channel 'CSDW.SVRCONN' did not specify a CipherSpec.

EXPLANATION:
Remote channel 'CSDW.SVRCONN' did not specify a CipherSpec when the local
channel expected one to be specified. The channel did not start.
ACTION:
Change the remote channel 'CSDW.SVRCONN' to specify a CipherSpec so that both
ends of the channel have matching CipherSpecs.

==================== Channel
RMQSC >DISPLAY CHANNEL (CSDW.SVRCONN)
     1 : DISPLAY CHANNEL (CSDW.SVRCONN)
AMQ8414: Display Channel details.
   CHANNEL(CSDW.SVRCONN)                   CHLTYPE(SVRCONN)
   ALTDATE(2007-04-26)                     ALTTIME(00.58.2
   COMPHDR(NONE)                           COMPMSG(NONE)
   DESCR( )                                HBINT(300)
   KAINT(AUTO)                             MAXMSGL(104857600)
   MCAUSER(purnimak)                       MONCHL(OFF)
   RCVDATA( )                              RCVEXIT( )
   SCYDATA( )                              SCYEXIT( )
   SENDDATA( )                             SENDEXIT( )
   SSLCAUTH(OPTIONAL)                      SSLCIPH(RC4_MD5_US)
   SSLPEER(CN=DSW Middleware,O=IBM,OU=GeT,C=US)
   TRPTYPE(TCP)

===================== Queue Manager
RMQSC >dis qmgr
     2 : dis qmgr
AMQ8408: Display Queue Manager details.
   QMNAME(SWGMQ07DEV)                      ACCTCONO(DISABLED)
   ACCTINT(1800)                           ACCTMQI(OFF)
   ACCTQ(OFF)                              ACTIVREC(MSG)
   ALTDATE(2007-04-26)                     ALTTIME(11.22.15)
   AUTHOREV(DISABLED)                      CCSID(1208)
   CHAD(DISABLED)                          CHADEV(DISABLED)
   CHADEXIT( )                             CHLEV(ENABLED)
   CLWLDATA( )                             CLWLEXIT( )
   CLWLLEN(100)                            CLWLMRUC(999999999)
   CLWLUSEQ(LOCAL)                         CMDLEVEL(600)
   COMMANDQ(SYSTEM.ADMIN.COMMAND.QUEUE)    CRDATE(2006-03-17)
   CRTIME(10.26.29)                        DEADQ(SYSTEM.DEAD.LETTER.QUEUE)
   DEFXMITQ( )                             DESCR( )
   DISTL(YES)                              INHIBTEV(DISABLED)
   IPADDRV(IPV4)                           LOCALEV(DISABLED)
   LOGGEREV(DISABLED)                      MAXHANDS(256)
   MAXMSGL(104857600)                      MAXPRTY(9)
   MAXUMSGS(10000)                         MONACLS(QMGR)
   MONCHL(OFF)                             MONQ(OFF)
   PERFMEV(DISABLED)                       PLATFORM(UNIX)
   QMID(SWGMQ07DEV_2006-03-17_10.26.29)    REMOTEEV(DISABLED)
   REPOS( )                                REPOSNL( )
   ROUTEREC(MSG)                           SCHINIT(QMGR)
   SCMDSERV(MANUAL)                        SSLCRLNL( )
   SSLCRYP( )                              SSLEV(ENABLED)
   SSLFIPS(NO)
   SSLKEYR(/var/mqm/qmgrs/SWGMQ07DEV/ssl)
   SSLRKEYC(0)                             STATACLS(QMGR)
   STATCHL(OFF)                            STATINT(1800)
   STATMQI(OFF)                            STATQ(OFF)
   STRSTPEV(ENABLED)                       SYNCPT
   TRIGINT(999999999)

===================== Key repo directory
@swgmq07:/var/mqm/qmgrs/SWGMQ07DEV/ssl/> ls -ltr
total 280
-rwxr-xr-x   1 mqm      mqm             129 Apr 18 17:38 DSW_SWGMQ07DEVKeystore.sth
-rwxr-xr-x   1 mqm      mqm             756 Apr 23 16:56 cert_csdw.arm
-rwxr-xr-x   1 mqm      mqm              80 Apr 25 17:45 DSW_SWGMQ07DEVKeystore.rdb
-rwxr-xr-x   1 mqm      mqm          125080 Apr 25 17:45 DSW_SWGMQ07DEVKeystore.kdb
-rwxr-xr-x   1 mqm      mqm              80 Apr 25 17:45 DSW_SWGMQ07DEVKeystore.crl

=====================
My Code

import com.ibm.mq.jms.*;
import javax.jms.*;
import com.ibm.jsse.IBMJSSEProvider;
import java.security.*;

public class Test {

    public static void main(String[] args) {
        MQQueueConnectionFactory mqcf = new MQQueueConnectionFactory();

        try {
            mqcf.setTransportType(JMSC.MQJMS_TP_CLIENT_MQ_TCPIP);
            mqcf.setHostName("swgmq07.rochny.ibm.com");
            mqcf.setPort(1415);
            mqcf.setChannel("CSDW.SVRCONN");
            mqcf.setQueueManager("SWGMQ07DEV");
            System.out.println("Initializing SSL...");
            // Trust store that should contain the queue manager's certificate
            System.setProperty("javax.net.ssl.trustStore","C:\\IBM\\SSL\\trustStore.jks");
            System.setProperty("javax.net.ssl.trustStorePassword","password");
            System.out.println("Before keystore");
            System.setProperty("java.protocol.handler.pkgs", "com.ibm.net.ssl.internal.www.protocol");
            Security.addProvider(new IBMJSSEProvider());
            // javax.net.ssl.keyStore is not set anywhere in this code, so this prints null
            System.out.println("before cipher suite..."+System.getProperty("javax.net.ssl.keyStore"));
            mqcf.setSSLFipsRequired(false);
            // CipherSuite corresponding to SSLCIPH(RC4_MD5_US) on the channel
            mqcf.setSSLCipherSuite("SSL_RSA_WITH_RC4_128_MD5");
            QueueConnection mqqc = mqcf.createQueueConnection("test","testing");
            System.out.println("After Queue Connection");
            mqqc.start();
            QueueSession session = null;
            session = mqqc.createQueueSession(false,Session.AUTO_ACKNOWLEDGE);
            javax.jms.Queue queue = session.createQueue("PUBSUB.PUB.QUEUE");
            TextMessage outMessage = session.createTextMessage();
            outMessage.setText("This is a test message");
            QueueSender queueSender = session.createSender(queue);
            queueSender.send(outMessage);
            mqqc.stop();
            System.out.println("End of Program");
        }
        catch (JMSException e) {
            // TODO Auto-generated catch block
            e.printStackTrace();
            System.out.println(e.getCause());
            System.err.println(e.getLinkedException().getMessage());
        }
        catch (Exception x) {
            System.out.println(x.getCause());
        }
    }
}
		 
		
marcin.kasinski (Sentinel, Joined: 21 Dec 2004, Posts: 850, Location: Poland / Warsaw)
Posted: Thu Apr 26, 2007 10:14 pm
		  
		    
			  
First thing I see is that you should change QMGR SSLKEYR.

It points to keystore file without extension.

[quote="gyadavil"]
RMQSC >dis qmgr
     2 : dis qmgr
AMQ8408: Display Queue Manager details.
   QMNAME(SWGMQ07DEV)                      ACCTCONO(DISABLED)
   ACCTINT(1800)                           ACCTMQI(OFF)
   ACCTQ(OFF)                              ACTIVREC(MSG)
   ALTDATE(2007-04-26)                     ALTTIME(11.22.15)
   AUTHOREV(DISABLED)                      CCSID(1208)
   CHAD(DISABLED)                          CHADEV(DISABLED)
   CHADEXIT( )                             CHLEV(ENABLED)
   CLWLDATA( )                             CLWLEXIT( )
   CLWLLEN(100)                            CLWLMRUC(999999999)
   CLWLUSEQ(LOCAL)                         CMDLEVEL(600)
   COMMANDQ(SYSTEM.ADMIN.COMMAND.QUEUE)    CRDATE(2006-03-17)
   CRTIME(10.26.29)                        DEADQ(SYSTEM.DEAD.LETTER.QUEUE)
   DEFXMITQ( )                             DESCR( )
   DISTL(YES)                              INHIBTEV(DISABLED)
   IPADDRV(IPV4)                           LOCALEV(DISABLED)
   LOGGEREV(DISABLED)                      MAXHANDS(256)
   MAXMSGL(104857600)                      MAXPRTY(9)
   MAXUMSGS(10000)                         MONACLS(QMGR)
   MONCHL(OFF)                             MONQ(OFF)
   PERFMEV(DISABLED)                       PLATFORM(UNIX)
   QMID(SWGMQ07DEV_2006-03-17_10.26.29)    REMOTEEV(DISABLED)
   REPOS( )                                REPOSNL( )
   ROUTEREC(MSG)                           SCHINIT(QMGR)
   SCMDSERV(MANUAL)                        SSLCRLNL( )
   SSLCRYP( )                              SSLEV(ENABLED)
   SSLFIPS(NO)
   SSLKEYR(/var/mqm/qmgrs/SWGMQ07DEV/ssl/DSW_SWGMQ07DEVKeystore)
   SSLRKEYC(0)                             STATACLS(QMGR)
   STATCHL(OFF)                            STATINT(1800)
   STATMQI(OFF)                            STATQ(OFF)
   STRSTPEV(ENABLED)                       SYNCPT
   TRIGINT(999999999)
[/quote]
_________________
Marcin
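
An added check, not part of the thread and not IBM tooling: on UNIX the queue manager's SSLKEYR attribute holds the full path and stem name of the key database with no .kdb suffix, and the queue manager then looks for <stem>.kdb and <stem>.sth side by side. The script below tests a value against causes (a) to (c) of the AMQ9660 text quoted earlier, using the two SSLKEYR forms that appear in the thread, and also flags world-readable files because the listing shows -rwxr-xr-x on both the key database and its stash. The names check_sslkeyr and make_sample, the finding labels, the mode 640 policy and the temporary sample directory are assumptions of this example.

```shell
#!/bin/sh
# Added example: test an SSLKEYR value against the AMQ9660 causes.
# Prints one finding per line; returns 0 only when there are none.
check_sslkeyr() {
    keyr=$1
    rc=0
    case $keyr in
        *.kdb)  # the attribute takes the stem; MQ appends .kdb and .sth itself
            echo "SUFFIX: SSLKEYR must not include .kdb"
            keyr=${keyr%.kdb}; rc=1 ;;
    esac
    if [ -d "$keyr" ]; then
        echo "DIRECTORY: SSLKEYR names a directory, expected path plus stem"
        for f in "$keyr"/*.kdb; do
            if [ -e "$f" ]; then echo "CANDIDATE: ${f%.kdb}"; fi
        done
        return 1
    fi
    for ext in kdb sth; do
        f=$keyr.$ext
        if [ ! -f "$f" ]; then
            echo "MISSING: $f"; rc=1                  # causes (a) and (b)
        elif [ ! -r "$f" ]; then
            echo "UNREADABLE: $f"; rc=1               # cause (c); run as the MQ userid
        elif [ -n "$(find "$f" -prune -perm -004)" ]; then
            # Anyone who can read the .kdb and its .sth can open the key database.
            echo "WORLD-READABLE: $f"; rc=1
        fi
    done
    return $rc
}

# Constructed sample reusing the file names and modes from the listing above.
make_sample() {
    d=$(mktemp -d)
    : > "$d/DSW_SWGMQ07DEVKeystore.kdb"
    : > "$d/DSW_SWGMQ07DEVKeystore.sth"
    chmod 755 "$d"/DSW_SWGMQ07DEVKeystore.*
    echo "$d"
}

repo=$(make_sample)
check_sslkeyr "$repo" || :                           # directory form
check_sslkeyr "$repo/DSW_SWGMQ07DEVKeystore" || :    # stem form, loose modes
chmod 640 "$repo"/DSW_SWGMQ07DEVKeystore.*           # assumed policy: owner and group only
check_sslkeyr "$repo/DSW_SWGMQ07DEVKeystore" && echo "OK: no findings"
rm -rf "$repo"
```

On the server, pass the value shown by DISPLAY QMGR SSLKEYR while logged in as the userid MQ runs under (mqm in the log above), so the readability test reflects what the channel process sees.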
			   
			 