| Author |
Message
|
| _Angus_ |
 Posted: Tue Jul 08, 2008 5:07 am Post subject: HTTPRequest node |
 |
|
Acolyte
Joined: 25 Apr 2005
Posts: 54
Location: Edinburgh
|
Hi guys,
I'm trying to get fairly basically HTTPRequest node to work (WMB v6) using HTTPS. The certificate I need is imported into the cacerts file but I'm not entirely sure the Broker is picking it up.
I know how to tell the Broker to use different keystores for an HTTPS listener, is it this same method to tell to use a different keystore other than the default cacerts one for HTTPS requests?
Whatever I do the Broker always gives me unknown certificate as an error when I try to post despite the correct certificate being in the keystore. I can only assume it's looking somewhere else but not sure how to prove it or how to debug the HTTPS connection in a little more detail.
Any help would be much appreciated 
Angus
_________________
*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*
Angus Cooke ~ AngusSoft
Integration Development Tools
*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-* |
|
| Back to top |
|
 |
| sridhsri |
| Posted: Tue Jul 08, 2008 5:47 am Post subject: |
|
|
Master
Joined: 19 Jun 2008
Posts: 297
|
I'll tell you how I did it and perhaps you can use some of the steps
I created a one-way SSL.
1) Created JKS using tool shipped with MQ
2) Created self signed certificate
3)
mqsichangeproperties broker -b httplistener -o HTTPListener -n enableSSLConnector -v true
mqsichangeproperties broker -b httplistener -o HTTPSConnector -n keystoreFile -v C:\key.jks
mqsichangeproperties broker -b httplistener -o HTTPSConnector -n keystorePass -v test123
mqsichangeproperties broker -b httplistener -o HTTPSConnector -n port -v 7083
then, restart broker
4) test your setup but entering the URL on your browser with https. The browser should ask you if you want to accept the certificate. |
|
| Back to top |
|
|
| _Angus_ |
| Posted: Tue Jul 08, 2008 6:35 am Post subject: |
|
|
Acolyte
Joined: 25 Apr 2005
Posts: 54
Location: Edinburgh
|
Thanks for the info but yes, I know all that and have quite successfully played around with an HTTPS listener in the Broker. The question I'm asking is about making HTTPS requests out of the Broker to an external web service... (using the HTTPRequest node)
_________________
*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*
Angus Cooke ~ AngusSoft
Integration Development Tools
*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-* |
|
| Back to top |
|
|
| sridhsri |
| Posted: Tue Jul 08, 2008 6:41 am Post subject: |
|
|
Master
Joined: 19 Jun 2008
Posts: 297
|
| Then shouldn't you be importing broker's certificate into the keystore that resides in the external web service ? |
|
| Back to top |
|
|
| _Angus_ |
| Posted: Tue Jul 08, 2008 7:14 am Post subject: |
|
|
Acolyte
Joined: 25 Apr 2005
Posts: 54
Location: Edinburgh
|
I didn't create the certificate. As I said in my original question I've already imported the certificate the web service wants to use (self signed and created by the web service) into the Broker keystore (cacerts).
_________________
*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*
Angus Cooke ~ AngusSoft
Integration Development Tools
*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-* |
|
| Back to top |
|
|
| sridhsri |
| Posted: Tue Jul 08, 2008 7:25 am Post subject: |
|
|
Master
Joined: 19 Jun 2008
Posts: 297
|
| Shouldn't it be other way around. Shouldn't you import the certificate created in broker's cacert and import it into the external web service's cacert ? |
|
| Back to top |
|
|
| ImSoTired |
| Posted: Tue Jul 08, 2008 8:27 am Post subject: |
|
|
Novice
Joined: 17 Apr 2007
Posts: 20
Location: Lima, Perú
|
Hey _Angus_,
In v6.0, the cacerts file is the only place where the broker keeps the list of CA's, and it's here where you have import the certificate of the service. With the mqsichangeproperties you only can set the path of the keystore for the httplistener (just one keystore).
To enable the HTTPRequest node for SSL with Server Authentication (the receiver of the requests will present personal certificates to the Broker and the Broker will validate them with the signer’s certificates stored in the cacerts keystore) you must to add signer’s (or trusted) certificates to the cacerts keystore.
To enable the HTTPRequest node for SSL with Mutual Authentication (the receiver and the sender of the requests need to present personal certificates to each other and each end will validate using the local copies of the signer’s certificates) you must do the following steps (Note: This configuration is not officially supported in WebSphere Message Broker v6.0):
1. Create a keystore for the HTTPRequest node.
2. Import the Personal Certificate for the HTTPRequest node (the broker's certificate).
3. Import all the Server Signer Certificates into the cacerts keystore.
4. Define the following environment variable for the broker:
IBM_JAVA_OPTIONS=-Djavax.net.ssl.keyStore=<keystore_path>/<keystore_filename> -Djavax.net.ssl.keyStorePassword=<keystore_password>
5. Modify the mqsiprofile file to set the environment variable
IBM_JAVA_OPTIONS.
The keystore for the HTTPRequest node only can have a one personal certificate. The broker will send this certificate whenever a message flow with a httprequest node invokes a web service with SSL with Mutual Authentication.
Greetings. |
|
| Back to top |
|
|
| _Angus_ |
| Posted: Tue Jul 08, 2008 9:54 am Post subject: |
|
|
Acolyte
Joined: 25 Apr 2005
Posts: 54
Location: Edinburgh
|
Many thanks ImSoTired, that answers all my questions
_________________
*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*
Angus Cooke ~ AngusSoft
Integration Development Tools
*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-* |
|
| Back to top |
|
|
|
|
