MQSeries.net Forum Index » WebSphere Message Broker (ACE) Support » Using self signed certificates with HTTP request node
crossland
PostPosted: Sat Aug 14, 2010 12:46 am    Post subject: Using self signed certificates with HTTP request node

We want to consume a remote service using a HTTP request node with SSL.

The external party has supplied a self signed certificate.

We have created a jks and added this certificate to it.

The Broker has been configured to use the new keystore:

mqsichangeproperties BROKER -o BrokerRegistry -n brokerKeyStoreFile -v /path/name.jks
mqsichangeproperties BROKER -o BrokerRegistry -n brokerTrustStoreFile -v /path/name.jks

mqsistop BROKER
mqsisetdbparms BROKER -n brokerKeyStore::password -u ignore -p pw
mqsisetdbparms BROKER -n brokerTrustStore::password -u ignore -p pw
mqsistart BROKER

When the HTTP request is invoked, the following error is produced:
BIP3165S: An error occurred whilst performing an SSL socket operation. Operation:createSocket. Error text: java.net.SocketException: Unconnected sockets not implemented.

That really is all that is produced! And that is after getting hold of the debug jar and doing the following:
1. Stop the application
2. Remove jre/lib/ibmjsseprovider.jar (renaming is not enough)
3. Load attached jar and rename it as ibmjsseprovider.jar
4. Give same permissions and ownership as before
5. Enable flag -Djavax.net.debug=true
(export IBM_JAVA_OPTIONS=-Djavax.net.debug=true)

One thing. When I convert the jks to pem and use openssl to test the connection (openssl s_client -connect ip:443 -cert file.pem), the following message is produced:

verify error:num=18:self signed certificate
verify return:1

Am I correct in assuming that this is a warning? The documentation on this error message is a bit obscure!

Have I missed anything or is there any way I can get more debug info?
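An added POSIX shell example (not from this thread and not IBM tooling) for the openssl question above: it constructs a throwaway self-signed certificate, shows that "verify error:num=18" is a trust failure rather than a warning and that it clears once the same certificate is pinned as the trust anchor (the role the JKS truststore plays for the broker), and compares SHA-256 fingerprints to confirm that the certificate a server presents is the one loaded into the truststore. The names under $WORK are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the forum thread): what openssl's "verify error:num=18"
# means, and how to confirm the cert in the broker truststore is the one the
# remote actually serves. Everything is constructed offline: a throwaway
# self-signed cert stands in for the partner's certificate.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# make_selfsigned NAME: write NAME.key / NAME.pem into $WORK (constructed data)
make_selfsigned() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$1" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.pem" >/dev/null 2>&1
}

# verify_error_code CERT [CAFILE]: run "openssl verify" and print the X.509 error
# number it reports (18 = self signed certificate), or 0 when the chain verifies.
verify_error_code() {
    if [ -n "$2" ]; then set -- -CAfile "$2" "$1"; fi
    if out=$(openssl verify "$@" 2>&1); then echo 0; return 0; fi
    echo "$out" | sed -n 's/^error \([0-9][0-9]*\) at .*/\1/p'
}

# cert_fingerprint CERT: SHA-256 fingerprint, the value to compare against the
# truststore entry (keytool -list -v shows the same digest for a JKS entry).
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# served_matches_trusted SERVED TRUSTED: succeeds when both are the same cert
served_matches_trusted() {
    [ "$(cert_fingerprint "$1")" = "$(cert_fingerprint "$2")" ]
}

make_selfsigned partner          # the cert the partner supplied
make_selfsigned partner-renewed  # a later cert they might serve instead

# With no trust anchor, error 18 is a hard failure: nothing vouches for the cert.
# Pinning it as the CA (what the JKS truststore does for the broker) clears it.
echo "no trust anchor: error $(verify_error_code "$WORK/partner.pem")"
echo "pinned as CA:    error $(verify_error_code "$WORK/partner.pem" "$WORK/partner.pem")"
served_matches_trusted "$WORK/partner-renewed.pem" "$WORK/partner.pem" \
    || echo "served cert differs from the trusted one: refresh the truststore"
```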
mqjeff
PostPosted: Sat Aug 14, 2010 3:49 am

This "unconnected sockets" error message is a fairly common warning that is not specific to a single cause.

You should make sure you are at the most recent FixPack level of whatever version of the product you are using and then examine the HTTP failure that is being returned from calling the service.

I don't know openSSL enough to know whether or not that verify error is a warning, but it appears to be.
fjb_saper
PostPosted: Sat Aug 14, 2010 6:33 am

Also use the most verbose output when using openssl. This should give you more information about the certificate and keys...
crossland
PostPosted: Sat Aug 14, 2010 12:18 pm

mqjeff - Couldn't agree more with you - "unconnected sockets" is a fairly unhelpful message on its own. We are using 6.1.0.8 which is about as recent as you can get without going to 7.

fjb_saper - are you talking about using the -debug and -showcerts flags with openssl s_client?

Thanks for the help!
fjb_saper
PostPosted: Sat Aug 14, 2010 1:02 pm

crossland wrote:
mqjeff - Couldn't agree more with you - "unconnected sockets" is a fairly unhelpful message on its own. We are using 6.1.0.8 which is about as recent as you can get without going to 7.

fjb_saper - are you talking about using the -debug and -showcerts flags with openssl s_client?

Thanks for the help!

see -verify, -purpose, -showcerts @ link
mqjeff
PostPosted: Sun Aug 15, 2010 8:17 am

crossland wrote:
mqjeff - Couldn't agree more with you - "unconnected sockets" is a fairly unhelpful message on its own. We are using 6.1.0.8 which is about as recent as you can get without going to 7.


You can examine a service trace to see if it shows anything more useful.

A startup trace would be good to see what it says about loading and accessing the keyring.
crossland
PostPosted: Sat Aug 21, 2010 4:43 am

In the end it took a combination of OpenSSL, startup traces, service traces, analysis of the WMB log, stdout and stderr logs, upgrading to the latest version of WMB, plus use of the following:

1. Export the env. variable -
IBM_JAVA_OPTIONS=-Djavax.net.debug=true
2. Restart the broker.

Anyway, it is fixed now. Thanks for the pointers.
mqjeff
PostPosted: Sat Aug 21, 2010 4:45 am

So does that mean you went from 6.1.0.8 to 7.0.0.1?

What was the actual error that was occurring?
crossland
PostPosted: Sat Aug 21, 2010 5:00 am

No, I meant the latest flavour of WMB 6 - 6.1.0.8.

The error turned out to be an issue with the certificate in their keystore on one server and having specified a parameter incorrectly on another server.