broker_new
Posted: Tue Feb 24, 2009 8:19 am Post subject: HTTP Request => disable CRL checking on Message Broker
Yatiri
Joined: 30 Nov 2006 Posts: 614 Location: Washington DC

I am experiencing a problem in calling a web service that is SSL enabled.
I've imported the certificates into the trust key store but no luck.
The web service provider suggested that we disable CRL checking on Message Broker. Does anyone have any idea how we do this?
_________________
IBM -> Let's build a smarter planet

Vitor
Posted: Tue Feb 24, 2009 8:22 am Post subject: Re: HTTP Request => disable CRL checking on Message Broker
Grand High Poobah
Joined: 11 Nov 2005 Posts: 26093 Location: Texas, USA

broker_new wrote:
    The web service provider suggested that we disable CRL checking on Message Broker. Does anyone have any idea how we do this?

They suggest you don't check if the certificate's still valid (i.e. not revoked)?
Careful how you tell your auditors about that.....
No clue how you actually do it. Someone more knowledgeable will be along in a minute I expect.
_________________
Honesty is the best policy.
Insanity is the best defence.

broker_new
Posted: Tue Feb 24, 2009 8:28 am Post subject:
Yatiri
Joined: 30 Nov 2006 Posts: 614 Location: Washington DC

I am excited to hear something from our experts.
Meanwhile I have opened a PMR to find a resolution for it.
_________________
IBM -> Let's build a smarter planet

Vitor
Posted: Tue Feb 24, 2009 8:44 am Post subject:
Grand High Poobah
Joined: 11 Nov 2005 Posts: 26093 Location: Texas, USA

broker_new wrote:
    I am excited to hear something from our experts.

Me too. Never an expert when you need one.

broker_new wrote:
    Meanwhile I have opened a PMR to find a resolution for it.

Please post the answer when you get it (if no-one's posted the answer already, obviously!)
_________________
Honesty is the best policy.
Insanity is the best defence.

broker_new
Posted: Tue Feb 24, 2009 4:12 pm Post subject:
Yatiri
Joined: 30 Nov 2006 Posts: 614 Location: Washington DC

I guess broker is not the best solution for calling web services which check for the expiry time based on the CRLs.
Even the PMR wasn't looking promising; I have to research by myself by
_________________
IBM -> Let's build a smarter planet

broker_new
Posted: Thu Mar 05, 2009 7:20 am Post subject:
Yatiri
Joined: 30 Nov 2006 Posts: 614 Location: Washington DC

At last the problem was solved, by ruling out CRLs as the cause.
It's a problem with the chaining of certificates.
A jar is available at
ftp://ftp.emea.ibm.com/fromibm/pmr/44705,442,000/ibmjsseprovider-debug.jar
Download it.
1. Stop the application
2. Remove jre/lib/ibmjsseprovider.jar (renaming is not enough)
3. Load the attached jar and rename it as ibmjsseprovider.jar
4. Give it the same permissions and ownership as before
5. Enable the flag -Djavax.net.debug=true
   (export IBM_JAVA_OPTIONS=-Djavax.net.debug=true)
6. Recreate the problem and collect stdout (systemout)
The stdout clearly tells that it is a problem with the certs.
Here is the message from the stdout:
<< sendAlert.
Alert: fatal, bad certificate
So the server side reconfigured the certs and it worked well.
Sometimes it is very tough to get them to accept that it is their problem without any proof. This helped a lot to make them revisit the certs and fix the problem.
_________________
IBM -> Let's build a smarter planet

crossland
Posted: Sat Aug 07, 2010 11:47 am Post subject:
Master
Joined: 26 Jun 2001 Posts: 248

Unfortunately, that link is not functioning any more.
Do you know where this file can be downloaded from?
Thanks,
Tim

fjb_saper
Posted: Sat Aug 07, 2010 2:04 pm Post subject:
Grand High Poobah
Joined: 18 Nov 2003 Posts: 20756 Location: LI,NY

crossland
Posted: Sat Aug 07, 2010 7:37 pm Post subject:
Master
Joined: 26 Jun 2001 Posts: 248

smdavies99
Posted: Sat Aug 07, 2010 10:22 pm Post subject:
Jedi Council
Joined: 10 Feb 2003 Posts: 6076 Location: Somewhere over the Rainbow this side of Never-never land.

Perhaps the functionality has been rolled into the .jar files supplied with broker.
See my post from a few days ago about jsseprovider.jar vs jsseprovider2.jar.
_________________
WMQ User since 1999
MQSI/WBI/WMB/'Thingy' User since 2002
Linux user since 1995
Every time you reinvent the wheel the more square it gets (anon). If in doubt think and investigate before you ask silly questions.

crossland
Posted: Sat Aug 07, 2010 10:56 pm Post subject:
Master
Joined: 26 Jun 2001 Posts: 248

Is anybody able to confirm if the new jsseprovider2.jar contains the functionality previously in ibmjsseprovider-debug.jar?
Or failing that, how to get hold of ibmjsseprovider-debug.jar?

smdavies99
Posted: Sun Aug 08, 2010 1:45 am Post subject:
Jedi Council
Joined: 10 Feb 2003 Posts: 6076 Location: Somewhere over the Rainbow this side of Never-never land.

IMHO, you need to raise a PMR. As no one has replied to my post about these .jar files, I think that the formal support route is the way to go.
_________________
WMQ User since 1999
MQSI/WBI/WMB/'Thingy' User since 2002
Linux user since 1995
Every time you reinvent the wheel the more square it gets (anon). If in doubt think and investigate before you ask silly questions.

crossland
Posted: Wed Aug 11, 2010 12:05 am Post subject:
Master
Joined: 26 Jun 2001 Posts: 248

Did you manage to use "openssl s_client" with a jks?

fjb_saper
Posted: Wed Aug 11, 2010 8:32 am Post subject:
Grand High Poobah
Joined: 18 Nov 2003 Posts: 20756 Location: LI,NY

crossland wrote:
    Did you manage to use "openssl s_client" with a jks?

Usually when using openssl s_client I use a pkcs12 or no information, as I might just query the target's cert and certchain validity...
However you can use gskit to convert your jks to a pkcs12 to use with openssl and check the certs.
Have fun.
_________________
MQ & Broker admin

crossland
Posted: Wed Aug 18, 2010 11:53 am Post subject:
Master
Joined: 26 Jun 2001 Posts: 248

smdavies99 wrote:
    Perhaps the functionality has been rolled into the .jar files supplied with broker.
    See my post from a few days ago about jsseprovider.jar vs jsseprovider2.jar.

IBM have provided the following clarification:

Quote:
    The ibmjsseprovider.jar and its debug equivalent are for use only while using IBM JRE 142. It must not be used with JRE 150 or 160 java.
    For JRE 150 and 160, only IBM JSSE2 is used (ibmjsseprovider2.jar). Hence, please delete the file ibmjsseprovider-debug.jar from the machine and use ibmjsseprovider2.jar.
    And to debug this JSSE2 provider, you just need to do the following:
    1. Export the env. variable:
       IBM_JAVA_OPTIONS=-Djavax.net.debug=true
    2. Restart the broker.
    3. Recreate the problem and then send us the stderr and stdout files.

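Both procedures in this thread (broker_new's six steps with the debug jar, and the three steps in IBM's clarification for JSSE2) end the same way: a javax.net.debug capture that has to be read to decide whether the failure is really about revocation or, as it turned out here, about certificate chaining. The Python below is an added example for that reading step; it is not code from the thread, from IBM or from Message Broker. It assumes only the "<< sendAlert." and "Alert: <level>, <description>" lines that broker_new's excerpt shows; the "chain [n] = [ Subject: ..., Issuer: ... ]" layout, the sample capture and the trust-store subjects are constructed. It also decodes a raw TLS alert record, for the case where the alert is taken from a packet capture rather than from stdout.

```python
"""Triage a javax.net.debug capture for the cause of a TLS handshake failure.

Added example (not from the forum thread, IBM or Message Broker). Assumptions:
alert lines look like "Alert: <level>, <description>" and are preceded by
"<< sendAlert." when this JVM sends the alert (the format the thread shows);
the "chain [n] = [ Subject: ..., Issuer: ... ]" lines and the trust-store
subjects below are constructed test data.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# TLS alert codes from RFC 5246 section 7.2.2 and what each usually means
# when a client (here the broker's JVM) is validating a server certificate.
ALERT_LEVELS = {1: "warning", 2: "fatal"}
ALERT_DESCRIPTIONS = {
    40: "handshake_failure", 42: "bad_certificate", 43: "unsupported_certificate",
    44: "certificate_revoked", 45: "certificate_expired", 46: "certificate_unknown",
    48: "unknown_ca",
}
LIKELY_CAUSE = {
    "certificate_revoked": "revocation (CRL/OCSP) check failed",
    "certificate_expired": "certificate outside its validity period",
    "unknown_ca": "issuer not in the trust store or chain incomplete",
    "bad_certificate": "certificate failed verification (often a broken chain)",
    "certificate_unknown": "unspecified certificate problem",
    "unsupported_certificate": "certificate type not supported",
    "handshake_failure": "no acceptable parameters / generic failure",
}

ALERT_RE = re.compile(r"Alert:\s*(\w+),\s*(.+?)\s*$")
CHAIN_RE = re.compile(r"Subject:\s*(.+?),\s*Issuer:\s*(.+?)\s*\]")


@dataclass
class Alert:
    level: str          # "warning" or "fatal"
    description: str    # normalised, e.g. "bad_certificate"
    sent_by_us: bool    # True when this JVM rejected the peer
    line_no: int


def parse_debug_output(text: str) -> List[Alert]:
    """Collect handshake alerts; a preceding '<< sendAlert.' marks one we sent."""
    alerts: List[Alert] = []
    sending = False
    for n, line in enumerate(text.splitlines(), 1):
        if "sendAlert" in line:
            sending = True
            continue
        m = ALERT_RE.search(line)
        if m:
            desc = m.group(2).strip().lower().replace(" ", "_")
            alerts.append(Alert(m.group(1).lower(), desc, sending, n))
            sending = False
    return alerts


def implicates_crl(alerts: Iterable[Alert]) -> bool:
    """Only certificate_revoked points at CRL checking; bad_certificate does not."""
    return any(a.description == "certificate_revoked" for a in alerts)


def parse_chain(text: str) -> List[Tuple[str, str]]:
    """(subject, issuer) pairs in the order the peer sent them (assumed layout)."""
    return CHAIN_RE.findall(text)


def chain_gap(chain: List[Tuple[str, str]], trusted_subjects: set) -> Optional[str]:
    """Walk the chain; return the first issuer that is neither sent next nor trusted."""
    for i, (_subject, issuer) in enumerate(chain):
        if issuer in trusted_subjects:
            return None                      # chain anchors in the trust store
        if i + 1 < len(chain) and chain[i + 1][0] == issuer:
            continue                         # the next cert sent is the issuer
        return issuer                        # missing intermediate or untrusted root
    return None                              # empty chain: nothing to report


def decode_alert_record(record: bytes) -> Tuple[str, str]:
    """Decode a raw TLS alert record (content type 0x15) as seen on the wire."""
    if len(record) < 7 or record[0] != 0x15 or int.from_bytes(record[3:5], "big") != 2:
        raise ValueError("not a TLS alert record")
    level, desc = record[5], record[6]
    return ALERT_LEVELS.get(level, f"level_{level}"), ALERT_DESCRIPTIONS.get(desc, f"alert_{desc}")


def triage(text: str, trusted_subjects: set) -> List[str]:
    """Findings: who sent which alert, the likely cause, and where the chain breaks."""
    findings = []
    for a in parse_debug_output(text):
        who = "this JVM rejected the peer's certificate" if a.sent_by_us else "peer rejected ours"
        findings.append(f"line {a.line_no}: {a.level} {a.description}: {who}; "
                        f"{LIKELY_CAUSE.get(a.description, 'unknown alert')}")
    gap = chain_gap(parse_chain(text), trusted_subjects)
    if gap:
        findings.append(f"chain stops at issuer {gap!r}: not sent by the peer and not in the trust store")
    return findings


# Constructed sample capture: the two alert lines mirror the thread's excerpt;
# the chain line is the assumed layout (the server sent only its leaf certificate).
SAMPLE_STDOUT = """\
*** Certificate chain
chain [0] = [ Subject: CN=ws.example.test, Issuer: CN=Example Intermediate CA ]
***
<< sendAlert.
Alert: fatal, bad certificate
"""
SAMPLE_TRUST_STORE = {"CN=Example Root CA"}   # constructed: only the root is trusted

if __name__ == "__main__":
    for finding in triage(SAMPLE_STDOUT, SAMPLE_TRUST_STORE):
        print(finding)
    print("CRL implicated:", implicates_crl(parse_debug_output(SAMPLE_STDOUT)))
```

Run against the sample, the triage reports that this JVM sent the fatal bad_certificate alert (so the broker rejected the server, not the other way round), that no revocation alert appears, and that the chain stops at an intermediate the server never sent and the trust store does not hold. That is the evidence the thread needed to hand back to the service provider: a chaining defect on their side, not a reason to disable CRL checking. Point `triage` at the real systemout file and the subject names from `keytool -list -v` on the broker's trust store to apply it to a live capture.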