marcot
Posted: Wed Oct 26, 2016 2:33 pm
Post subject: Unable to connect to CMP API using SSL
I am no longer able to connect to the CMP API. The only recent change that I am aware of is that the broker's certificate was changed from SHA1 to SHA2. Because of this I received a new trust keystore. With the new trust keystore I don't get an authorization failed issue; instead I get a null password exception.
I'm not sure if there is something different that I need to do based on the new type of truststore. Frankly, I'm at a loss and have no idea how to proceed. Any feedback would be appreciated. Thank you.
marcot
Posted: Wed Oct 26, 2016 4:05 pm
Post subject: Unable to connect to CMP API using SSL
Was unable to post the stacktrace before, but here it is:
Below is the stacktrace:
com.ibm.broker.config.proxy.ConfigManagerProxyLoggedException: Password must not be null
at com.ibm.broker.config.proxy.WebSocketSender.connect(WebSocketSender.java:321)
at com.ibm.broker.config.proxy.WebSocketSender.send(WebSocketSender.java:185)
at com.ibm.broker.config.proxy.SendManager.send(SendManager.java:170)
at com.ibm.broker.config.proxy.AdministeredObjectPool.registerWithBroker(AdministeredObjectPool.java:2149)
at com.ibm.broker.config.proxy.AdministeredObjectPool.registerAdministeredObject(AdministeredObjectPool.java:1964)
at com.ibm.broker.config.proxy.AdministeredObjectPool.registerAdministeredObject(AdministeredObjectPool.java:1871)
at com.ibm.broker.config.proxy.BrokerProxy.<init>(BrokerProxy.java:450)
at com.ibm.broker.config.proxy.BrokerProxy.getInstance(BrokerProxy.java:1056)
at com.acng.TestBrokerConnection.exec(TestBrokerConnection.java:34)
at com.acng.IbmUtilityClass.exec(IbmUtilityClass.java:68)
at com.acng.IbmUtilityClass.main(IbmUtilityClass.java:48)
Caused by: java.security.UnrecoverableKeyException: Password must not be null
at sun.security.provider.JavaKeyStore.engineGetKey(JavaKeyStore.java:132)
at sun.security.provider.JavaKeyStore$JKS.engineGetKey(JavaKeyStore.java:56)
at sun.security.provider.KeyStoreDelegator.engineGetKey(KeyStoreDelegator.java:96)
at sun.security.provider.JavaKeyStore$DualFormatJKS.engineGetKey(JavaKeyStore.java:70)
at java.security.KeyStore.getKey(KeyStore.java:1023)
at sun.security.ssl.SunX509KeyManagerImpl.<init>(SunX509KeyManagerImpl.java:133)
at sun.security.ssl.KeyManagerFactoryImpl$SunX509.engineInit(KeyManagerFactoryImpl.java:70)
at javax.net.ssl.KeyManagerFactory.init(KeyManagerFactory.java:256)
at org.eclipse.jetty.util.ssl.SslContextFactory.getKeyManagers(SslContextFactory.java:903)
at org.eclipse.jetty.util.ssl.SslContextFactory.doStart(SslContextFactory.java:296)
at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:69)
at org.eclipse.jetty.util.component.ContainerLifeCycle.start(ContainerLifeCycle.java:108)
at org.eclipse.jetty.util.component.ContainerLifeCycle.doStart(ContainerLifeCycle.java:90)
at org.eclipse.jetty.websocket.client.WebSocketClient.doStart(WebSocketClient.java:194)
at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:69)
at com.ibm.broker.config.proxy.WebSocketClientManager.connect(WebSocketClientManager.java:82)
at com.ibm.broker.config.proxy.IIBCommandSocket.<init>(IIBCommandSocket.java:59)
at com.ibm.broker.config.proxy.WebSocketSender.connect(WebSocketSender.java:260)
... 10 more
Here is a sample of the broker file:
<?xml version="1.0" encoding="UTF-8"?>
<IntegrationNodeConnectionParameters Version="10.0.0.4" listenerPort="1443" useSsl="true" sslTrustStorePath="truststore.jks" userName="user" host="10.10.10.255" password="password" integrationNodeName="IBNODE" sslTrustStorePassword="password" />
Craig B
Posted: Thu Oct 27, 2016 6:34 am
This CMP (IAPI) exception was fixed in 10.0.0.5. Are you able to upgrade to see if it fixes your problem?
_________________
Regards
Craig
marcot
Posted: Thu Oct 27, 2016 7:16 am
Thanks for your response Craig. I'm not able to upgrade at the moment. I have been doing more investigating and I realized that the jks file given to me is a keystore and not a truststore. I have requested a truststore.
Do you see any issues in using a keystore over a truststore? Obviously it's not working, and my knowledge of SSL is very primitive.
Craig B
Posted: Thu Oct 27, 2016 7:29 am
You should be able to use either a keyStore or a trustStore, but I believe the defect that was fixed covers your type of scenario. If you still get the same error when you get your new trust store, you could try working around the issue by setting both sslTrustStorePassword and sslKeyStorePassword to the same value in your connection file.
_________________
Regards
Craig
marcot
Posted: Thu Oct 27, 2016 8:06 am
Interesting. So I updated my broker file to reflect the path of the keystore and the password using sslKeyStorePath and sslKeyStorePassword. It appears to be properly extracting the information, but now it's unable to connect to the broker, as if the broker is down, yet it is up.
Please see stacktrace:
com.ibm.broker.config.proxy.ConfigManagerProxyLoggedException: The Integration Node could not be reached. Please check that the Integration Node has been started and check that the Web Admin Listener has started.
at com.ibm.broker.config.proxy.WebSocketSender.connect(WebSocketSender.java:321)
at com.ibm.broker.config.proxy.WebSocketSender.send(WebSocketSender.java:185)
at com.ibm.broker.config.proxy.SendManager.send(SendManager.java:170)
at com.ibm.broker.config.proxy.AdministeredObjectPool.registerWithBroker(AdministeredObjectPool.java:2149)
at com.ibm.broker.config.proxy.AdministeredObjectPool.registerAdministeredObject(AdministeredObjectPool.java:1964)
at com.ibm.broker.config.proxy.AdministeredObjectPool.registerAdministeredObject(AdministeredObjectPool.java:1871)
at com.ibm.broker.config.proxy.BrokerProxy.<init>(BrokerProxy.java:450)
at com.ibm.broker.config.proxy.BrokerProxy.getInstance(BrokerProxy.java:1056)
at com.acng.TestBrokerConnection.exec(TestBrokerConnection.java:34)
at com.acng.IbmUtilityClass.exec(IbmUtilityClass.java:68)
at com.acng.IbmUtilityClass.main(IbmUtilityClass.java:48)
Caused by: com.ibm.broker.config.proxy.ConfigManagerProxyRequestTimeoutException: The Integration Node could not be reached. Please check that the Integration Node has been started and check that the Web Admin Listener has started.
at com.ibm.broker.config.proxy.WebSocketSender.connect(WebSocketSender.java:312)
... 10 more
Could it present this message on an authentication failure?
FYI - the admin port is open. I'm able to successfully telnet to it.
Craig B
Posted: Thu Oct 27, 2016 8:16 am
This new exception will be encountered if the WebSocketSender cannot establish a connection to the WebAdmin listener running on the broker. In your broker connection file you have specified an IP address of 10.10.10.255 and port 1443. Is this the correct hostname where your broker is running, and is port 1443 your web admin listener? If so, have you enabled SSL on the webAdmin listener? Do you have any firewalls on which you would have to authorise your application?
_________________
Regards
Craig
marcot
Posted: Thu Oct 27, 2016 8:30 am
Yes, I have the correct host IP and port specified. This was working before I had to update the truststore to use the keystore. The only change recently made was the new keystore being generated. So the web admin port is enabled and set up with SSL. The firewall rule is still in place, since I can successfully connect to that port using telnet.
mqjeff
Posted: Thu Oct 27, 2016 8:35 am
The truststore is never the keystore.
The truststore contains the certificates of other clients/machines/etc.
The keystore contains the certificate of the server. So the keystore of the webadmin listener contains the certificate that represents the webadmin.
The truststore of the webadmin listener contains the certificates/CAs that the webadmin is supposed to... you know... trust. So if some client or etc. comes to connect, and it's signed by something in the truststore, then it's okay.
_________________
chmod -R ugo-wx /
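The distinction above can be checked on the file itself rather than taken on faith. The Java program below is an added example written for this thread; it is not code from the thread or from IBM's CMP API. It opens a JKS file with the standard java.security.KeyStore API and reports whether the file holds private keys (a keystore) or only trusted certificates (a truststore). For each private key entry it also calls getKey(alias, null), which is what the JDK's SunX509KeyManagerImpl does when a keystore is wired in without a key password, so you can see the "Password must not be null" failure from the first stack trace reproduced in isolation. The class name, argument order and output format are assumptions of this example.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.UnrecoverableKeyException;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Enumeration;

/*
 * Added example (not from the thread, not IBM code): classify the entries of a
 * JKS file so a keystore cannot be mistaken for a truststore.
 * Usage: java InspectJks <file.jks> <storePassword>
 */
public class InspectJks {

    // Summarise a certificate; JKS entries are X.509, but guard anyway.
    private static String describe(Certificate c) {
        if (c instanceof X509Certificate) {
            X509Certificate x = (X509Certificate) c;
            return "subject=" + x.getSubjectX500Principal()
                    + " issuer=" + x.getIssuerX500Principal()
                    + " sigAlg=" + x.getSigAlgName();   // shows SHA1 vs SHA2 signing
        }
        return "(no X.509 certificate)";
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 2) {
            System.err.println("usage: InspectJks <file.jks> <storePassword>");
            System.exit(2);
        }
        KeyStore ks = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(args[0])) {
            // The store password only protects the file's integrity check here.
            ks.load(in, args[1].toCharArray());
        }

        int keyEntries = 0;
        int certEntries = 0;
        Enumeration<String> aliases = ks.aliases();
        while (aliases.hasMoreElements()) {
            String alias = aliases.nextElement();
            if (ks.isKeyEntry(alias)) {
                keyEntries++;
                System.out.println("PrivateKeyEntry         " + alias + "  "
                        + describe(ks.getCertificate(alias)));
                // Same call SunX509KeyManagerImpl makes when no key password is
                // configured: the JKS provider rejects a null password outright.
                try {
                    ks.getKey(alias, null);
                    System.out.println("    getKey(alias, null) returned a key "
                            + "(this provider tolerates a null key password)");
                } catch (UnrecoverableKeyException e) {
                    System.out.println("    getKey(alias, null) -> " + e.getMessage());
                }
            } else if (ks.isCertificateEntry(alias)) {
                certEntries++;
                System.out.println("TrustedCertificateEntry " + alias + "  "
                        + describe(ks.getCertificate(alias)));
            }
        }

        System.out.println();
        if (keyEntries > 0) {
            System.out.println("KEYSTORE: " + keyEntries + " private key(s), "
                    + certEntries + " trusted cert(s). Using it as a keystore "
                    + "requires a key password; using it as a truststore trusts "
                    + "only the certificates listed above.");
        } else if (certEntries > 0) {
            System.out.println("TRUSTSTORE: " + certEntries
                    + " trusted cert(s), no private keys.");
        } else {
            System.out.println("Empty store: nothing to trust and nothing to present.");
        }
    }
}
```

Run it against the file named in sslTrustStorePath with the sslTrustStorePassword value. If the report says KEYSTORE and the broker's new SHA-2 server certificate is not among the listed subjects, the file cannot serve as the truststore for this connection, whatever it is called.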
marcot
Posted: Thu Oct 27, 2016 9:04 am
OK, I now understand the difference between the keystore and truststore. Should one be used over the other to connect to the web admin? I just received the new truststore.jks file and it's giving me the same exception that I posted above. I changed my broker file to use sslTrustStorePath and sslTrustStorePassword appropriately.
If I get this message, does it truly mean the node is unreachable, or could it throw this exception in the scenario of an incorrect certificate stored in the truststore?
mqjeff
Posted: Thu Oct 27, 2016 9:05 am
You need both a keystore and a truststore on the webadmin side.
_________________
chmod -R ugo-wx /
marcot
Posted: Thu Oct 27, 2016 9:42 am
Is there a separate key/trust store that needs to be set up specifically for the webadmin? As in multiple places on the broker?