whbrownnc
Posted: Tue Feb 26, 2008 7:39 am Post subject: Mutual Authentication using HTTPInput Node
Novice
Joined: 07 May 2003 Posts: 20 Location: Charlotte, NC
We are desiring to support Mutual Authentication between a client and a message flow exposed as a web service in WMB v6.0.0.6. (AIX 5.3 TL10)
We have experience with the HTTPRequest Node using SSL certificates stored in the cacerts file. Also, we have configured the broker with the HTTPListener and HTTPSConnector properties (specifying location of the keystore file, being careful to avoid port conflicts, etc.)
The questions that we have are:
1. Will the HTTPInput and HTTPReply nodes support Mutual Auth?
2. If so, where do we import the Client's Public Key Certificate? Do we import it into the keystore or the cacerts file?
_________________
Thanks,
Bill Brown
Integration Hosting and Services
IBM Certified - WMQ 6.0, 2008
IBM Certified - WMB 6.0, 2008
ImSoTired
Posted: Wed Mar 26, 2008 7:36 pm Post subject:
Novice
Joined: 17 Apr 2007 Posts: 20 Location: Lima, Perú
Hi whbrownnc,
WebSphere Message Broker v6.0 supports SSL Mutual Authentication when it behaves like a server that exposes a service (and when it behaves like a client too, by the way).
I assume that you have turned on SSL support in your message broker.
(For this, see http://publib.boulder.ibm.com/infocenter/wmbhelp/v6r0m0/index.jsp?topic=/com.ibm.etools.mft.doc/ap12234_.htm)
Responses:
1. The HTTPSConnector has a property called clientAuth; set this property to true with the command mqsichangeproperties:
mqsichangeproperties Broker -b httplistener -o HTTPSConnector -n clientAuth -v true
2. The CA Root of your clients' certificates must be added to the cacerts keystore of the broker as a Trusted CA Root for a successful SSL handshake.
I hope this will help you
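The configuration described in this reply (clientAuth on the HTTPSConnector plus the client CA root in cacerts) is easiest to see end to end with a small model of the handshake. The Go program below is an added example, not code from this thread, from WMB or from IBM; Go's crypto/tls stands in for the broker's HTTPS listener. The function names newCert, brokerConfig, connect and RunScenarios are mine, and every certificate is generated in memory and constructed for the demo (no real identities). In tls.Config, Certificates plays the role of the broker's keystore, ClientCAs plays cacerts, and ClientAuth = RequireAndVerifyClientCert is the clientAuth=true flag. It goes a little beyond the reply by also running the case where the client's CA root has not been imported into cacerts, which is rejected just like a client that presents nothing.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"io"
	"math/big"
	"net"
	"time"
)

// newCert builds a throwaway in-memory certificate for cn: self-signed when parent is nil, otherwise signed by parent.
func newCert(cn string, isCA bool, parent *tls.Certificate) tls.Certificate {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign, IsCA: isCA, BasicConstraintsValid: true,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
		IPAddresses: []net.IP{net.IPv4(127, 0, 0, 1)}, // lets the client verify the loopback "broker"
	}
	if parent == nil { // self-signed: the template signs itself
		parent = &tls.Certificate{Leaf: tmpl, PrivateKey: key}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent.Leaf, &key.PublicKey, parent.PrivateKey)
	if err != nil {
		panic(err)
	}
	leaf, _ := x509.ParseCertificate(der)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}
}

// brokerConfig stands in for the HTTPSConnector: Certificates plays the broker's keystore (its own
// identity), ClientCAs plays cacerts (trusted client CA roots), clientAuth is the mqsichangeproperties flag.
func brokerConfig(identity tls.Certificate, cacerts *x509.CertPool, clientAuth bool) *tls.Config {
	cfg := &tls.Config{Certificates: []tls.Certificate{identity}, ClientCAs: cacerts, MinVersion: tls.VersionTLS12}
	if clientAuth {
		cfg.ClientAuth = tls.RequireAndVerifyClientCert
	}
	return cfg
}

// connect runs one ping/echo exchange over loopback; nil means the handshake succeeded and data flowed both ways.
func connect(srv *tls.Config, clientID *tls.Certificate, roots *x509.CertPool) error {
	ln, err := tls.Listen("tcp", "127.0.0.1:0", srv)
	if err != nil {
		return err
	}
	defer ln.Close()
	go func() { // the "broker" side: accept once and echo; the handshake runs inside the first Read
		if c, err := ln.Accept(); err == nil {
			io.Copy(c, c) // returns with an error for untrusted clients, so nothing is echoed
			c.Close()
		}
	}()
	ccfg := &tls.Config{RootCAs: roots, ServerName: "127.0.0.1", MinVersion: tls.VersionTLS12}
	if clientID != nil {
		ccfg.Certificates = []tls.Certificate{*clientID}
	}
	conn, err := tls.Dial("tcp", ln.Addr().String(), ccfg)
	if err != nil {
		return err
	}
	defer conn.Close()
	if _, err := conn.Write([]byte("ping")); err != nil {
		return err
	}
	_, err = conn.Read(make([]byte, 4)) // under TLS 1.3 a rejected client only learns of it here
	return err
}

// RunScenarios reports, per scenario, whether the client was accepted by the "broker".
func RunScenarios() map[string]bool {
	broker := newCert("broker", false, nil)     // the broker's own (self-signed) server certificate
	clientCA := newCert("client-ca", true, nil) // the CA that issues legitimate client certificates
	client := newCert("client", false, &clientCA)
	stranger := newCert("stranger", false, nil) // a client cert whose issuer is unknown to the broker
	cacerts := x509.NewCertPool() // only the client CA root goes in here, never the broker's own key
	cacerts.AddCert(clientCA.Leaf)
	roots := x509.NewCertPool() // what the client trusts when checking the broker's certificate
	roots.AddCert(broker.Leaf)
	oneWay, mutual := brokerConfig(broker, cacerts, false), brokerConfig(broker, cacerts, true)
	return map[string]bool{
		"one-way, no client cert":       connect(oneWay, nil, roots) == nil,
		"clientAuth, no client cert":    connect(mutual, nil, roots) == nil,
		"clientAuth, trusted client":    connect(mutual, &client, roots) == nil,
		"clientAuth, CA not in cacerts": connect(mutual, &stranger, roots) == nil,
	}
}

func main() {
	fmt.Println(RunScenarios())
}
```

Running it prints one true/false per scenario: only the anonymous client on one-way SSL and the client whose CA root sits in cacerts get through. That is the practical split between the two stores from the first post's second question: the keystore holds the broker's own private key and certificate, the trust store (cacerts) holds the CA roots the broker accepts from clients. The final Read in connect is deliberate: under TLS 1.3 the client finishes its half of the handshake before the server has verified the client certificate, so a rejected client sees a successful connect followed by an error on its first read.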
whbrownnc
Posted: Thu Mar 27, 2008 5:35 am Post subject: Excellent reply
Novice
Joined: 07 May 2003 Posts: 20 Location: Charlotte, NC
Thank you for your reply. We do have our brokers configured with our cacerts and private keystores established. However, I have not enabled ClientAuth=true. We will begin to pursue this.
Again, thank you for your thoughtful reply.
_________________
Thanks,
Bill Brown
Integration Hosting and Services
IBM Certified - WMQ 6.0, 2008
IBM Certified - WMB 6.0, 2008
jefflowrey
Posted: Thu Mar 27, 2008 5:36 am Post subject:
Grand Poobah
Joined: 16 Oct 2002 Posts: 19981
Note that there is a substantial difference between SSL Mutual Authentication and SOAP/HTTP Mutual Authentication.
The latter is not yet supported, afaik.
_________________
I am *not* the model of the modern major general.
rajparekh08
Posted: Thu Dec 03, 2009 3:13 am Post subject:
Acolyte
Joined: 21 Sep 2009 Posts: 58 Location: India- Bagalore
Hi,
I have a similar situation.
I have achieved one-way SSL authentication (server authentication).
When I hit the link in the browser, I get the server certificate.
I now need two-way authentication.
I have installed the client cert in the respective location - "cacerts".
I have enabled client authentication:
mqsichangeproperties <brk_name> -b httplistener -o HTTPSConnector -n clientAuth -v true
Now when I hit the link in the browser, I get "Page not found".
When I use tools like Wfetch, I choose the certificate, but I get the error "could not get security handle".
And when I hit the link from a tool like nettool, I get:
"java.net.socketException. Software caused connection abort:socket error"
What do I do to resolve this error and test the connectivity on HTTP with SSL mutual authentication?
napier
Posted: Thu Dec 03, 2009 11:12 am Post subject:
Apprentice
Joined: 09 Oct 2007 Posts: 48 Location: USA
Create a key database file of type JKS using MQ keyman and then import the client certs into the key database.
Then do the following steps:
mqsichangeproperties BRKR -e <Executiongroupname> -o ComIbmJVMManager -n keystoreFile -v <absolute path of created keydatabase file>
mqsichangeproperties BRKR -e <Executiongroupname> -o ComIbmJVMManager -n keystoreType -v JKS
mqsichangeproperties BRKR -e <Executiongroupname> -o ComIbmJVMManager -n keystorePass -v keystoreEG<Executiongroupname>::password
mqsistop <Brokername>
mqsisetdbparms <Brokername> -n keystoreEG<Executiongroupname>::password -u <username> -p <password to keystoredatabasefile given at the time of creation>
rajparekh08
Posted: Thu Dec 03, 2009 8:44 pm Post subject:
Acolyte
Joined: 21 Sep 2009 Posts: 58 Location: India- Bagalore
Hi,
I get the following errors when I execute the mqsichangeproperties command you had asked me to try out:
BIP2087E: Broker brkonqma was unable to process the internal configuration message.
The entire internal configuration message failed to be processed successfully.
Use the messages following this message to determine the reasons for the failure. If the problem cannot be resolved after reviewing these messages, contact your IBM Support center. Enabling service trace may help determine the cause of the failure.
BIP4041E: Execution group 'EG1' received an invalid configuration message. See the following messages for details of the error.
The message broker received an invalid configuration message and has not updated its configuration. This can arise as a result of errors in the specification of either message flows or message sets which the configuration manager was unable to detect. It can also result from a message flow requiring a type of node that is not supported by the broker installation, from the broker having become out of step with the configuration database or from other applications sending extraneous messages to the broker's configuration queues (SYSTEM.BROKER.ADMIN.QUEUE & SYSTEM.BROKER.EXECUTIONGROUP.QUEUE).
Check the relevant message flow and message set definitions, check that all necessary user-defined extensions are installed, perform a complete redeploy of the broker's configuration and ensure that no applications are writing to the broker's configuration queues.
BIP2210E: Invalid configuration message: attribute name 'keystoreFile' not valid for target object 'ComIbmJVMManager'.
The message broker received a configuration message containing the attribute name 'keystoreFile' which is not valid for the target object 'ComIbmJVMManager'. This can be caused by a mismatch in levels between the Message Brokers Toolkit, the Configuration Manager and the Broker, or as a result of a user or third party written user-defined node where the implementation library installed at the broker does not match the node definition held at the Configuration manager and Message Brokers Toolkit.
Ensure that the levels of code installed at the Message Brokers Toolkit, Configuration Manager and Broker are all consistent. If they are, identify the supplier of the target object and report the problem to them. If this is IBM, contact your IBM support center.
BIP8036E: Negative response received.
This command sends an internal configuration message to the broker, the response received indicated that the internal configuration message was unsuccessful.
Check that the WebSphere MQ transport is available. Check the system log for further information.
napier
Posted: Fri Dec 04, 2009 11:29 am Post subject:
Apprentice
Joined: 09 Oct 2007 Posts: 48 Location: USA
Let us know what you did exactly and the broker version level,
and what you tried when you got these errors?
smdavies99
Posted: Fri Dec 04, 2009 11:47 am Post subject:
Jedi Council
Joined: 10 Feb 2003 Posts: 6076 Location: Somewhere over the Rainbow this side of Never-never land.
napier wrote:
Let us know what you did exactly and the broker version level,
and what you tried when you got these errors?
The original poster already mentioned that they are using V6.0.0.6 (on the first line of the post).
_________________
WMQ User since 1999
MQSI/WBI/WMB/'Thingy' User since 2002
Linux user since 1995
Every time you reinvent the wheel the more square it gets (anon). If in doubt think and investigate before you ask silly questions.
napier
Posted: Fri Dec 04, 2009 12:55 pm Post subject:
Apprentice
Joined: 09 Oct 2007 Posts: 48 Location: USA
Original post almost 2 years old.
smdavies99
Posted: Fri Dec 04, 2009 1:29 pm Post subject:
Jedi Council
Joined: 10 Feb 2003 Posts: 6076 Location: Somewhere over the Rainbow this side of Never-never land.
napier wrote:
Original post almost 2 years old.
Oops. That's why I hate reopening old posts.
_________________
WMQ User since 1999
MQSI/WBI/WMB/'Thingy' User since 2002
Linux user since 1995
Every time you reinvent the wheel the more square it gets (anon). If in doubt think and investigate before you ask silly questions.
rajparekh08
Posted: Mon Dec 07, 2009 12:06 am Post subject:
Acolyte
Joined: 21 Sep 2009 Posts: 58 Location: India- Bagalore
Hi,
I did not want to put a new post, because when I did, I was asked to use the "search" button, hence I added a reply to this post.
The MB used is 6.0.
I have server authentication running on this setup fine. I mean, when I hit the link in a web browser, I get the certificate prompt.
Now for mutual authentication, when I hit the link, I am supposed to get a prompt to choose the certificate for communication with the server.
But all I get is an HTTP 404 error.
What more I did after server authentication was issue the following two commands:
mqsichangeproperties broker_name -b httplistener -o HTTPSConnector -n clientAuth -v true
and importing the client certificate into the "cacerts" keystore using keytool.
But the service does not work anymore..
smdavies99
Posted: Mon Dec 07, 2009 2:18 am Post subject:
Jedi Council
Joined: 10 Feb 2003 Posts: 6076 Location: Somewhere over the Rainbow this side of Never-never land.
rajparekh08 wrote:
Hi,
I did not want to put a new post, because when I did, I was asked to use the "search" button, hence I added a reply to this post.
A useful tip when creating a new post on a topic that is already discussed here is to reference the original topic and include the URL. That way, you won't get asked to use the search button so quickly.
You can use other links to post any useful references you have found.
This way, those that do reply can avoid giving advice that has been already covered.
This does work you know!
_________________
WMQ User since 1999
MQSI/WBI/WMB/'Thingy' User since 2002
Linux user since 1995
Every time you reinvent the wheel the more square it gets (anon). If in doubt think and investigate before you ask silly questions.
rajparekh08
Posted: Mon Dec 07, 2009 5:13 am Post subject:
Acolyte
Joined: 21 Sep 2009 Posts: 58 Location: India- Bagalore
Thanks for the tip.. Now I need a solution for the problem!!!
napier
Posted: Mon Dec 07, 2009 7:10 am Post subject:
Apprentice
Joined: 09 Oct 2007 Posts: 48 Location: USA
I am not sure whether it's supported in 6.0 or not...
Contact IBM.