chrisgclark |
Posted: Tue Jun 02, 2009 7:58 am Post subject: SSLHandshakeException... End user tried to act as a CA |
|
|
Apprentice
Joined: 26 Mar 2009 Posts: 35
|
Hi,
I have a Java-based MQ program that sends MQ messages to a remote qmgr with SSL on the channel. I'm getting the following SSL error...
Code: |
com.ibm.mq.MQException: MQJE001: Completion code 2, Reason 2397
.
.
.
Caused by: javax.net.ssl.SSLHandShakeException: com.ibm.jsse2.util.h: End user tried to act as a CA.
.
.
.
Caused by: com.ibm.jsse2.util.h: End user tried to act as a CA
.
.
.
|
We've actually solved the above problem, but I thought I'd post in case anyone else comes across the same thing...
It's not caused by SSL problems (e.g. invalid certificate, bad channel definitions, SSL system parameters not set in the Java program), but instead by the JAVA_HOME. If I use JAVA_HOME as /usr/java5/bin I get the above error. If I use JAVA_HOME as /usr/java5_64/bin the above error goes away. Therefore the problem is with 32-bit Java5, but is solved with 64-bit Java5.
Hope this info will help someone.  |
fjb_saper |
Posted: Tue Jun 02, 2009 3:12 pm Post subject: |
|
|
 Grand High Poobah
Joined: 18 Nov 2003 Posts: 20756 Location: LI,NY
|
Quote: |
Caused by: com.ibm.jsse2.util.h |
looks like your crypto library was 64 bit...
Java should be able to use either a 64 bit crypto library (java 64 bits) or a 32 bit crypto library (java 32 bits)...
Have fun  _________________ MQ & Broker admin |
chrisgclark |
Posted: Thu Jun 04, 2009 1:03 am Post subject: |
|
|
Apprentice
Joined: 26 Mar 2009 Posts: 35
|
Are you saying that com.ibm.jsse2.util.h is 64 bit and com.ibm.jsse.util.h is 32 bit? I have had a good search with Google and was unable to find an answer.
Thanks |
crossland |
Posted: Thu Jun 04, 2009 7:04 am Post subject: |
|
|
Master
Joined: 26 Jun 2001 Posts: 248
|
Quote: |
looks like your crypto library was 64 bit... |
Why do you say that? |
fjb_saper |
Posted: Thu Jun 04, 2009 8:20 pm Post subject: |
|
|
 Grand High Poobah
Joined: 18 Nov 2003 Posts: 20756 Location: LI,NY
|
crossland wrote: |
Quote: |
looks like your crypto library was 64 bit... |
Why do you say that? |
Well, let's be honest, it could be something with the level of the xlc.route.Bnd...
But if it works in one (java64) and not in the other (java 32 bit) and has a call to JNI bets are that the 32 bit native being called does not work...
If you wrote the JNI call yourself you might need to check if the java is 32 or 64 bits and code differently according to the result.
Have fun  _________________ MQ & Broker admin |
crossland |
Posted: Mon Jun 08, 2009 12:23 am Post subject: |
|
|
Master
Joined: 26 Jun 2001 Posts: 248
|
fjb_saper wrote: |
crossland wrote: |
Quote: |
looks like your crypto library was 64 bit... |
Why do you say that? |
Well, let's be honest, it could be something with the level of the xlc.route.Bnd...
But if it works in one (java64) and not in the other (java 32 bit) and has a call to JNI bets are that the 32 bit native being called does not work...
If you wrote the JNI call yourself you might need to check if the java is 32 or 64 bits and code differently according to the result.
Have fun  |
As we are connecting as a client (rather than using Bindings), would JNI be an issue? If not, are there any other suggestions for components that could cause this problem? |
fjb_saper |
Posted: Mon Jun 08, 2009 12:52 pm Post subject: |
|
|
 Grand High Poobah
Joined: 18 Nov 2003 Posts: 20756 Location: LI,NY
|
Do you have a security exit in your client?  _________________ MQ & Broker admin |
crossland |
Posted: Mon Jun 08, 2009 11:56 pm Post subject: |
|
|
Master
Joined: 26 Jun 2001 Posts: 248
|
No, we are not using an exit. |
crossland |
Posted: Tue Jun 16, 2009 1:19 am Post subject: |
|
|
Master
Joined: 26 Jun 2001 Posts: 248
|
This was fixed by changing java/jre/lib/security/java.security
ssl.TrustManagerFactory.algorithm from IbmX509 to PKIX
Has anyone else encountered this? |
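
Added example (not code from any poster in this thread or from IBM): a shell helper that reads the ssl.TrustManagerFactory.algorithm setting named in the fix above from each Java installation, so the 32-bit and 64-bit installs can be compared side by side. The function names are hypothetical, and the file location (jre/lib/security/ or lib/security/ under the install root) is an assumption based on the path given in the post.

```shell
#!/bin/sh
# Added example: report the effective ssl.TrustManagerFactory.algorithm of a
# Java installation by reading its java.security file.

# Print the path of java.security under a Java install root, or fail.
# Assumption: the file is at jre/lib/security/ (the path given in the thread)
# or lib/security/ when the root is itself a JRE.
find_java_security() {
    for rel in jre/lib/security lib/security; do
        if [ -f "$1/$rel/java.security" ]; then
            printf '%s\n' "$1/$rel/java.security"
            return 0
        fi
    done
    return 1
}

# Print the effective value of ssl.TrustManagerFactory.algorithm.
# Comment lines are skipped, whitespace around the separator is ignored, and
# the last assignment wins, as when the file is loaded as Java properties.
# Prints "(unset)" when the key is absent.
tmf_algorithm() {
    file=$(find_java_security "$1") || { echo "(no java.security)"; return 1; }
    awk '
        /^[ \t]*[#!]/ { next }
        {
            line = $0
            sub(/^[ \t]+/, "", line)
            if (line ~ /^ssl\.TrustManagerFactory\.algorithm[ \t]*[=:]/) {
                sub(/^ssl\.TrustManagerFactory\.algorithm[ \t]*[=:][ \t]*/, "", line)
                sub(/[ \t\r]+$/, "", line)
                value = line
            }
        }
        END { print (value == "" ? "(unset)" : value) }
    ' "$file"
}

# Compare several install roots, one output line per root.
compare_tmf() {
    for root in "$@"; do
        printf '%s: %s\n' "$root" "$(tmf_algorithm "$root")"
    done
}
```

Source the file and call compare_tmf with the install roots to check, for example the parents of the two JAVA_HOME values mentioned in the first post; a difference between the lines printed shows the two JVMs are not validating with the same trust manager algorithm.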