venumadhavp
Posted: Wed Jul 25, 2012 6:38 am    Post subject: SSL Over TCP IP issue
Newbie
Joined: 25 Jul 2012 Posts: 5
Hi,
I am having a mutual SSL configuration issue with TCPIP nodes on Broker. Below are the steps that I have followed:
1) Imported the procured certificate into the key store
2) Imported the server public key certificate into the trust store
3) Since both the client cert and the public cert are from the same CA, I have imported the CA and the certificate chain into both the keystore and the truststore
4) Configured the Broker SSL keystore and truststore with the JKS files
5) Created a configurable TCPIP Client service and set the SSLProtocol, SSLCiphers, HOST and PORT parameters
6) Set the configurable service on the TCPIP Client Output node in the message flow
Despite all of these configurations, I am getting the exception below:
3544 - SSL error, java.io.IOException: Error during SSL handshake
Can anyone please assist?
mqjeff
Posted: Wed Jul 25, 2012 6:41 am
Grand Master
Joined: 25 Jun 2008 Posts: 17447
Does the server trust the client cert? Does it trust the CA and signer chain?
Is there any more information about what the error during handshake is?
Are you sure you're talking to the SSL port on the server?
lancelotlinc
Posted: Wed Jul 25, 2012 6:49 am
Jedi Knight
Joined: 22 Mar 2010 Posts: 4941 Location: Bloomington, IL USA
A truststore can only have one CA. Use ikeyman and create a brand new truststore from scratch using the CA. Then import the SSL certs. Replace the existing truststore file with your newly created one. Reboot.
_________________
http://leanpub.com/IIB_Tips_and_Tricks
Save $20: Coupon Code: MQSERIES_READER
mqjeff
Posted: Wed Jul 25, 2012 7:16 am
Grand Master
Joined: 25 Jun 2008 Posts: 17447
lancelotlinc wrote:
    A truststore can only have one CA.
Can you cite a reference?
lancelotlinc
Posted: Wed Jul 25, 2012 8:04 am
Jedi Knight
Joined: 22 Mar 2010 Posts: 4941 Location: Bloomington, IL USA
I am not able to find a reference to that rule. I will keep looking.
From my experience using WMB 7, when I started with a truststore that had a root CA and I tried to add a second root CA, to support new SSL certs I wanted to use, I would get a certificate chaining error.
Since I did not care about the original root CA, I used iKeyman to create a brand new truststore file with the root CA and my SSL certs, and then I did not receive any more certificate chaining errors.
WMB seems to use the Java Cryptography Architecture (JCA) reference implementation in its SSL operations.
http://docs.oracle.com/javase/6/docs/technotes/guides/security/crypto/CryptoSpec.html
Nowhere in that guide that I can find does it say you can only have one root CA. I suspect maybe this is an implementation bug rather than an intentional rule.
mqjeff
Posted: Wed Jul 25, 2012 8:10 am
Grand Master
Joined: 25 Jun 2008 Posts: 17447
lancelotlinc wrote:
    Nowhere in that guide that I can find does it say you can only have one root CA. I suspect maybe this is an implementation bug rather than an intentional rule.
It may simply have been a conflict between intermediate signers.
lancelotlinc
Posted: Wed Jul 25, 2012 8:14 am
Jedi Knight
Joined: 22 Mar 2010 Posts: 4941 Location: Bloomington, IL USA
Very true. I didn't have the timeline to fiddle with it, after spending three or four days trying to get it to work correctly. ikeyman and other SSL tooling are not as mature as we need them to be to make implementations swifter.
The good part is, I got it working and WMB is doing its thing in Production. Since I am on the development side, the sys-admin side is responsible for truststores and keystores in Prod.
AndreasMartens
Posted: Fri Aug 10, 2012 6:00 am    Post subject: Multiple root certs are fine.
Acolyte
Joined: 30 Jan 2006 Posts: 65 Location: Hursley, UK
Hi,
I wouldn't worry about multiple root certificates, I run with them frequently. Alas there are about 314 other things that may have gone wrong.
I don't know if you're on Windows or Unix, but set:
IMB_JAVA_OPTIONS=-Djavax.net.debug=all
in the environment of your broker, restart and re-run your test. Then look in the stdout/stderr or console.txt to see if it's being a little bit more helpful about the error.
Failing that, do:
openssl s_client -connect host:port -prexit
and see if it's using an obscure cipher suite...
cheers,
Andreas
smdavies99
Posted: Fri Aug 10, 2012 8:17 am
Jedi Council
Joined: 10 Feb 2003 Posts: 6076 Location: Somewhere over the Rainbow this side of Never-never land.
About this time last year I was working on a project where we were connecting to Nominet in order to do Domain Name renewals. We found that Broker 7 could not handle the cipher suite needed, so we put a little bit of Java in front of Broker just to handle the SSL work.
This could be the issue. We couldn't raise a PMR as the company had decided to do away with maintenance for all WebSphere products.
{I'm no longer working for them btw}
_________________
WMQ User since 1999
MQSI/WBI/WMB/'Thingy' User since 2002
Linux user since 1995
Every time you reinvent the wheel the more square it gets (anon). If in doubt think and investigate before you ask silly questions.