murdeep
Posted: Tue Sep 30, 2008 1:48 pm
Post subject: HTTPRequest over SSL failing
Hello, I am testing HTTPRequest node with SSL.
Machine A: BIP8996I: Version: 6005
On this machine I have a flow that is HTTPInput(SSL)->Compute->HTTPReply. The compute node reads an Oracle table and returns some rows as xml data.
I have configured the broker to support SSL on port 7092. I created a self-signed cert in cacerts and recycled the broker.
If I invoke this flow via nettool I get a valid response. In other words this flow works as expected with SSL.
Machine B: BIP8996I: Version: 6101
On this machine I have a flow that is HTTPInput-->HTTPRequest(SSL)->HTTPReply. The HTTPRequest(SSL) is configured to invoke the flow on Machine A that I verified via nettool successfully.
I imported the signer cert from cacerts on Machine A into the cacerts on Machine B and recycled the Machine B broker.
When I invoke this flow on Machine B from nettool I get the following response:
=====
<?xml version='1.0' encoding='UTF-8'?>
<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
<SOAP-ENV:Body>
<SOAP-ENV:Fault>
<faultcode>SOAP-ENV:Server</faultcode>
<faultstring>BIP3113E: Exception detected in message flow HTTP Input (broker BKR01) </faultstring>
<faultactor>HTTP:/redirectToSSL</faultactor>
<detail><text>Exception. BIP2230E: Error detected whilst processing a message in node 'redirectToHTTPS.HTTP Request'. : F:\build\S610_P\src\WebServices\WSLibrary\ImbWSRequestNode.cpp: 914: ImbWSRequestNode::evaluate: ComIbmWSRequestNode: testFlow#FCMComposite_1_3
BIP3162S: An HTTP error occurred. The HTTP Request-Line was: ''POST /selectFromOracleTableSSL HTTP/1.0
: F:\build\S610_P\src\WebServices\WSLibrary\ImbWSRequestNode.cpp: 828: ImbWSRequestNode::evaluate: :
BIP3152S: Socket error detected whilst invoking Web service located at host 'saturn', port 7092, path '/selectFromOracleTableSSL'. : F:\build\S610_P\src\WebServices\WSLibrary\ImbWSRequest.cpp: 556: ImbWSRequest::makeWSRequest: :
BIP3165S: An error occurred whilst performing an SSL socket operation. Operation: 'createSocket'. Error Text: 'java.net.SocketException: Unconnected sockets not implemented'. : F:\build\S610_P\src\WebServices\WSLibrary\ImbSocket.cpp: 2127: ImbSocketJNIManager::handleGeneralJavaException: : </text></detail>
</SOAP-ENV:Fault>
</SOAP-ENV:Body>
</SOAP-ENV:Envelope>
=====
So I have an SSL error.
If I expose the flow on Machine A as HTTPInput->Compute->HTTPReply and configure the flow on Machine B as HTTPInput-->HTTPRequest->HTTPReply (in other words no SSL) it works as expected.
My instinct tells me that this is a cert store issue but I am not sure how to troubleshoot this.
Any comments appreciated.

fjb_saper
Posted: Tue Sep 30, 2008 6:45 pm
Quote:
java.net.SocketException: Unconnected sockets not implemented'.

This would tell me that it is not an SSL problem but more a library/firewall problem? Or classpath? Do you have all the SSL libraries you need on the classpath? Why does the system think your socket is unconnected? Could it be a firewall problem that only allows packets through one way?
_________________
MQ & Broker admin

murdeep
Posted: Wed Oct 01, 2008 1:39 pm
Ok, after double checking everything I noticed the following.
On my V6101 machine in the broker registry I saw that the brokerTruststoreFile and brokerTruststorePass were not set. Having done some JAVA MQ SSL I thought that this looked odd since I always have set both keystore and truststore parms.
So I set these using the following:
mqsichangeproperties BKR1 -o BrokerRegistry -n brokerTruststoreFile -v cacerts
mqsisetdbparms BKR1 -n brokerTruststore::password -u temp -p pwdValue
This was in addition to the other registry settings for brokerKeystoreFile and brokerKeystorePass.
I then restarted the broker and I invoked the V6005 flow over HTTPS from the V6101 flow successfully.
To verify I then changed the truststore pwd and received the BIP3165S error listed above.
Anyone care to comment?

fjb_saper
Posted: Wed Oct 01, 2008 1:45 pm
So what you're telling me is that the socket is considered unconnected if you are missing the cert...
_________________
MQ & Broker admin

murdeep
Posted: Wed Oct 01, 2008 2:43 pm
The error message is:
Quote:
An error occurred whilst performing an SSL socket operation. Operation: 'createSocket'.

So if the broker can't get the cert or if the cert is not in the keystore then the broker can't create the socket and I guess that means it's unconnected.
Bottom line is I had to configure both keystore and truststore parms.
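
One way to check the two things this thread ended up depending on: that the truststore file opens with the configured password, and that it contains Machine A's signer certificate. This is an added example, not code from the thread or from IBM; the class name `TruststoreCheck`, the argument order and a PEM/DER export of the signer certificate are assumptions.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.UnrecoverableKeyException;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Collections;

// Added example, not from the thread. Class name and arguments are hypothetical.
public class TruststoreCheck {
    public static void main(String[] args) throws Exception {
        if (args.length < 2) throw new IllegalArgumentException("usage: <store> <password> [signer-cert]");
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(args[0])) {
            ks.load(in, args[1].toCharArray());   // the password is used for the integrity check
        } catch (IOException e) {
            // A wrong password surfaces as IOException caused by UnrecoverableKeyException.
            String why = (e.getCause() instanceof UnrecoverableKeyException)
                    ? "wrong password" : "missing, unreadable or corrupt store";
            System.err.println("FAIL: cannot open " + args[0] + " (" + why + "): " + e.getMessage());
            System.exit(1);
        }
        for (String alias : Collections.list(ks.aliases())) {
            if (!ks.isCertificateEntry(alias)) continue;   // list trusted certs, skip key entries
            Certificate c = ks.getCertificate(alias);
            String subject = (c instanceof X509Certificate)
                    ? ((X509Certificate) c).getSubjectX500Principal().getName() : c.getType();
            System.out.println(alias + "  " + subject + "  SHA-256=" + fingerprint(c));
        }
        if (args.length > 2) {
            Certificate signer;
            try (InputStream in = new FileInputStream(args[2])) {
                signer = CertificateFactory.getInstance("X.509").generateCertificate(in);
            }
            String alias = ks.getCertificateAlias(signer);   // null when no entry holds this cert
            if (alias == null) { System.err.println("FAIL: signer certificate not in store"); System.exit(1); }
            System.out.println("OK: signer certificate present under alias '" + alias + "'");
        }
    }
    // Hex SHA-256 of the encoded certificate, for comparison with the fingerprint on Machine A.
    static String fingerprint(Certificate c) throws Exception {
        StringBuilder sb = new StringBuilder();
        for (byte b : MessageDigest.getInstance("SHA-256").digest(c.getEncoded()))
            sb.append(String.format("%02X", b));
        return sb.toString();
    }
}
```

A password given as a command-line argument is visible in the process list, so on a shared host run this from an account and session you control. Exit status 1 means the store could not be opened or the signer certificate was not found.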