gag_nm |
Posted: Wed Sep 08, 2010 4:56 am Post subject: Import SSL Certificate in Message Broker AIX |
|
|
Centurion
Joined: 16 Oct 2008 Posts: 102
|
Hi Friends,
I have to import a certificate into Message Broker 6.1 on an AIX machine. I have done this by executing the steps below.
Creating the keystore file:
keytool -genkey -keystore broker.keystore -storepass password -alias broker -validity 365
Importing the certificate:
keytool -import -alias broker -file broker.crt -keystore "/app/IBM/mqsi/6.1/jre15/lib/security/cacerts" -keypass changeit
It gave the message "successfully imported".
I have included the script below in mqsiprofile:
IBM_JAVA_OPTIONS=-Djavax.net.ssl.keyStore=/app/IBM/mqsi/6.1/jre15/lib/security/broker.keystore
-Djavax.net.ssl.keyStorePassword=changeit
Changed the broker properties:
mqsichangeproperties Broker02 -o BrokerRegistry -n brokerKeystoreFile -v /app/IBM/mqsi/6.1/jre15/lib/security/broker.keystore
I am using a SOAP Request node in the message flow.
When I try to invoke the web service, I get the error below.
Please help me to solve this issue.
Please let me know where I went wrong, and please provide me some information on how to include a certificate in Message Broker under AIX.
javax.net.ssl.SSLHandshakeException: com.ibm.jsse2.util.h: PKIX path building failed: java.security.cert.CertPathBuilderException: PKIXCertPathBuilderImpl could not build a valid CertPath.; internal cause is:
java.security.cert.CertPathValidatorException: The certificate issued by CN=XXXXXXXX CA, DC=in, DC=XXXXX, DC=com, DC=im is not trusted; internal cause is:
java.security.cert.CertPathValidatorException: Certificate chaining error |
Vitor |
Posted: Wed Sep 08, 2010 5:16 am Post subject: Re: Import SSL Certificate in Message Broker AIX |
|
|
 Grand High Poobah
Joined: 11 Nov 2005 Posts: 26093 Location: Texas, USA
|
gag_nm wrote: |
please help me to solve this issue |
Try reading the error message.
gag_nm wrote: |
please let me know where I went wrong, please provide me some information on how to include a certificate in Message Broker |
I don't think you've done anything wrong per se:
gag_nm wrote: |
internal cause is:
java.security.cert.CertPathValidatorException: The certificate issued by CN=XXXXXXXX CA, DC=in, DC=XXXXX, DC=com, DC=im is not trusted; internal cause is:
java.security.cert.CertPathValidatorException: Certificate chaining error |
I think you need to import at least one more certificate. _________________ Honesty is the best policy.
Insanity is the best defence. |
nathanw |
Posted: Wed Sep 08, 2010 5:18 am Post subject: |
|
|
 Knight
Joined: 14 Jul 2004 Posts: 550
|
Suspect you are missing the root certificate, i.e. the actual cert that issued the one you have.
You may have to dig around and get the signee's cert _________________ Who is General Failure and why is he reading my hard drive?
Artificial Intelligence stands no chance against Natural Stupidity.
Only the User Trace Speaks The Truth  |
gag_nm |
Posted: Wed Sep 08, 2010 5:23 am Post subject: |
|
|
Centurion
Joined: 16 Oct 2008 Posts: 102
|
I have imported the correct certificate. In cacerts, it was showing successfully imported.
Does anyone have information on importing a certificate in AIX Broker? |
nathanw |
Posted: Wed Sep 08, 2010 5:25 am Post subject: |
|
|
 Knight
Joined: 14 Jul 2004 Posts: 550
|
I do not have a huge amount of experience in this area BUT I do recall that having the certificate of the company that signed the certificate you have solves a lot of issues, as this will confirm that the certificate is genuine _________________ Who is General Failure and why is he reading my hard drive?
Artificial Intelligence stands no chance against Natural Stupidity.
Only the User Trace Speaks The Truth  |
Vitor |
Posted: Wed Sep 08, 2010 5:26 am Post subject: |
|
|
 Grand High Poobah
Joined: 11 Nov 2005 Posts: 26093 Location: Texas, USA
|
gag_nm wrote: |
I have imported the correct certificate. In cacerts, it was showing successfully imported. |
Yes you have and yes it did. That's not what I or the other poster were saying.
gag_nm wrote: |
Does anyone have information on importing a certificate in AIX Broker? |
You seem to have all the information you need to successfully achieve this task, as you've demonstrated with this successful import. Where you seem to be having trouble is reading the advice you're being given!  _________________ Honesty is the best policy.
Insanity is the best defence. |
Vitor |
Posted: Wed Sep 08, 2010 5:27 am Post subject: |
|
|
 Grand High Poobah
Joined: 11 Nov 2005 Posts: 26093 Location: Texas, USA
|
nathanw wrote: |
I do recall that having the certificate of the company that signed the certificate you have solves a lot of issues |
Solves the issues in the "fixes" sense of the word eh?  _________________ Honesty is the best policy.
Insanity is the best defence. |
nathanw |
Posted: Wed Sep 08, 2010 5:29 am Post subject: |
|
|
 Knight
Joined: 14 Jul 2004 Posts: 550
|
Vitor wrote: |
nathanw wrote: |
I do recall that having the certificate of the company that signed the certificate you have solves a lot of issues |
Solves the issues in the "fixes" sense of the word eh?  |
Of course.
I only know this as on a project we had certificates all over from business partners but the certificates that had been issued required that the root certificate was also present _________________ Who is General Failure and why is he reading my hard drive?
Artificial Intelligence stands no chance against Natural Stupidity.
Only the User Trace Speaks The Truth  |
Vitor |
Posted: Wed Sep 08, 2010 5:48 am Post subject: |
|
|
 Grand High Poobah
Joined: 11 Nov 2005 Posts: 26093 Location: Texas, USA
|
nathanw wrote: |
the certificates that had been issued required that the root certificate was also present |
It's SSL 101 - how do you know the certificate you've got is worth the electrons used to make it? _________________ Honesty is the best policy.
Insanity is the best defence. |
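The check the replies above point at, as an added example that is not part of any post: find out whether the issuer of the imported certificate is itself present in the truststore. The sample text is constructed and abbreviated, in the `Owner:`/`Issuer:` layout that `keytool -printcert` and `keytool -list -v` print; the DNs and function names are assumptions, and matching DN strings only locates a missing issuer, it does not verify signatures.

```shell
#!/bin/sh
# Constructed sample: `keytool -printcert -file broker.crt` for a
# certificate issued by an internal CA (all DNs are placeholders).
sample_cert() { cat <<'EOF'
Owner: CN=broker.example.com, OU=Integration, O=Example
Issuer: CN=Example Internal CA, DC=example, DC=com
EOF
}

# Constructed sample: `keytool -list -v -keystore cacerts` after only the
# server certificate itself was imported under the alias "broker".
sample_truststore() { cat <<'EOF'
Alias name: broker
Owner: CN=broker.example.com, OU=Integration, O=Example
Issuer: CN=Example Internal CA, DC=example, DC=com

Alias name: publicroot
Owner: CN=Public Root CA, O=Public Trust
Issuer: CN=Public Root CA, O=Public Trust
EOF
}

# The same truststore once the issuing CA certificate has been imported too.
sample_truststore_fixed() { sample_truststore; cat <<'EOF'

Alias name: internalca
Owner: CN=Example Internal CA, DC=example, DC=com
Issuer: CN=Example Internal CA, DC=example, DC=com
EOF
}

# Print the value of the first "<field>: " line read from stdin.
dn_field() { sed -n "s/^$1: //p" | head -n 1; }

# $1 = command printing the certificate, $2 = command printing the truststore.
# Prints the issuer DN when no truststore entry is owned by that issuer,
# and prints nothing when the issuer is already trusted.
missing_issuer() {
    issuer=$("$1" | dn_field Issuer)
    if "$2" | sed -n 's/^Owner: //p' | grep -Fxq -- "$issuer"; then
        return 0
    fi
    printf '%s\n' "$issuer"
}

echo "before: missing issuer = $(missing_issuer sample_cert sample_truststore)"
echo "after:  missing issuer = $(missing_issuer sample_cert sample_truststore_fixed)"
```

If the issuer that turns up is itself issued by another CA, the same check applies one level further up.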
gag_nm |
Posted: Wed Sep 08, 2010 6:03 am Post subject: |
|
|
Centurion
Joined: 16 Oct 2008 Posts: 102
|
Can someone tell me where the values below need to be set in AIX?
I found this in our forum:
AIX:
HTTPSConnector=''
uuid='HTTPSConnector'
clientAuth='true'
keystoreFile='/opt/IBM/ibm/mqsi/6.1/jre15/bin/Broker.jks'
keystorePass='******'
port='4433' |
gag_nm |
Posted: Wed Sep 08, 2010 6:09 am Post subject: |
|
|
Centurion
Joined: 16 Oct 2008 Posts: 102
|
When I am logging in to an AIX session with the Broker userid and password, I am getting the error below:
.profile[17]: -Djavax.net.ssl.keyStorePassword=changeit: not found |
joebuckeye |
Posted: Wed Sep 08, 2010 9:51 am Post subject: |
|
|
 Partisan
Joined: 24 Aug 2007 Posts: 365 Location: Columbus, OH
|
You need to make sure all the text of this code:
Code: |
IBM_JAVA_OPTIONS=-Djavax.net.ssl.keyStore=/app/IBM/mqsi/6.1/jre15/lib/security/broker.keystore
-Djavax.net.ssl.keyStorePassword=changeit |
is on the same line in your .profile file and not two separate lines. It is probably at line 17 in the .profile based on the error message you posted.
This is pretty basic AIX type stuff. |
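What the shell does with each way of writing that setting, as an added example that is not part of the original post: each snippet is sourced in a subshell and the resulting value of IBM_JAVA_OPTIONS is inspected. The function names and the temporary file are assumptions; the working form is quoted, because a space inside an unquoted assignment ends the assignment and the rest is run as a command.

```shell
#!/bin/sh
# Keystore path as posted in the thread.
KS=/app/IBM/mqsi/6.1/jre15/lib/security/broker.keystore

# The form from the thread: the second line is run as a command.
two_lines() { cat <<EOF
IBM_JAVA_OPTIONS=-Djavax.net.ssl.keyStore=$KS
-Djavax.net.ssl.keyStorePassword=changeit
EOF
}
# One line, no quotes: the second option is still run as a command.
one_line_unquoted() { cat <<EOF
IBM_JAVA_OPTIONS=-Djavax.net.ssl.keyStore=$KS -Djavax.net.ssl.keyStorePassword=changeit
EOF
}
# One line, quoted, exported so child processes (the JVM) inherit it.
one_line_quoted() { cat <<EOF
IBM_JAVA_OPTIONS="-Djavax.net.ssl.keyStore=$KS -Djavax.net.ssl.keyStorePassword=changeit"
export IBM_JAVA_OPTIONS
EOF
}

# Source the snippet printed by function $1 in a clean subshell and print
# the value IBM_JAVA_OPTIONS ends up with. The "not found" errors are hidden
# here; at login they look like the .profile[17] message in the thread.
options_after() {
    snippet=$(mktemp) || return 1
    "$1" > "$snippet"
    ( set +e; unset IBM_JAVA_OPTIONS; . "$snippet" 2>/dev/null
      printf '%s\n' "$IBM_JAVA_OPTIONS" )
    rm -f "$snippet"
}

# Succeeds only if both JVM options reached the variable.
has_both_options() {
    case $(options_after "$1") in
        *keyStore=*keyStorePassword=*) return 0 ;;
        *) return 1 ;;
    esac
}

for form in two_lines one_line_unquoted one_line_quoted; do
    if has_both_options "$form"; then echo "$form: both options set"
    else echo "$form: keyStorePassword option lost"; fi
done
```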