gfrench |
Posted: Thu Mar 31, 2011 7:26 am Post subject: SSL support for TCPIPClient nodes in 7.0.0.2 |
|
|
 Acolyte
Joined: 10 Feb 2002 Posts: 71
|
Hi,
I've got broker 7.0.0.2 running on Windows XP.
I'm hoping to use the TCPIPClient nodes configured with SSL. I have configured a keystore and a truststore and changed the broker properties to use them.
BrokerRegistry
uuid='BrokerRegistry'
brokerKeystoreType='JKS'
brokerKeystoreFile='C:\Program Files\IBM\MQSI\7.0\BK7keystore.jks'
brokerKeystorePass='brokerKeystore::password'
brokerTruststoreType='JKS'
brokerTruststoreFile='C:\Program Fils\IBM\MQSI\7.0\BK7truststore.jks'
brokerTruststorePass='brokerTruststore::password'
httpConnectorPortRange=''
httpsConnectorPortRange=''
modeExtensions=''
operationMode='enterprise'
shortDesc=''
longDesc=''
I've created a TCPIPClient configurable service:-
MySecureConfigurableService
AlternativeAddresses=''
ExpireConnectionSec='-1'
Hostname='mySerber.abc.com'
MaxReceiveRecordBytes='100000000'
MaximumConnections='100'
MinimumConnections='0'
Port='789'
SO_KEEPALIVE='false'
SO_LINGER='false'
SO_LINGER_TIMEOUT_SEC='-1'
SO_RCVBUF='0'
SO_SNDBUF='0'
SSLCiphers=''
SSLProtocol='SSLv3'
TCP_NODELAY='false'
TrafficClass='-1'
UseUniqueConnectionPool='false'
And all was looking good. Send a message into the flow and get an exception
java.security.cert.CertificateException: No X509TrustManager implementation available
Anyone any thoughts on this ? There is not much from googling around.
Appreciate any pointers. Thanks |
|
|
 |
lancelotlinc |
Posted: Thu Mar 31, 2011 7:33 am Post subject: |
|
|
 Jedi Knight
Joined: 22 Mar 2010 Posts: 4941 Location: Bloomington, IL USA
|
You may have a trust store certificate type mismatch. Please post the content of 'C:\Program Fils\IBM\MQSI\7.0\BK7truststore.jks' |
|
|
 |
gfrench |
Posted: Thu Mar 31, 2011 8:34 am Post subject: |
|
|
 Acolyte
Joined: 10 Feb 2002 Posts: 71
|
Certificates in database C:\Program Files\IBM\MQSI\7.0\BK7truststore.jks:
verisign class 1 public primary certification authority
verisign class 1 public primary certification authority - g2
verisign class 1 public primary certification authority - g3
verisign class 2 public primary certification authority
verisign class 2 public primary certification authority - g2
verisign class 2 public primary certification authority - g3
verisign class 3 public primary certification authority
verisign class 3 public primary certification authority - g2
verisign class 3 public primary certification authority - g3
verisign class 4 public primary certification authority - g2
verisign class 4 public primary certification authority - g3
and none in the keystore, since we should just need to authenticate the server we are talking to and not authenticate ourselves.
The server provider states :-
"The secure server provides server authentication and data encryption but does not require SSL client authentication. In order to verify the identity of the secure server you will need the 'Verisign Class 3 Public Primary Certification Authority' root certificate available free from www.verisign.com (the certificate is also distributed with most web browsers)."
Which is why I loaded the certificates into the truststore. I presume it would work in either? I'm a little out of my depth as you may be able to tell!
Cheers |
|
|
 |
lancelotlinc |
Posted: Thu Mar 31, 2011 8:37 am Post subject: |
|
|
 Jedi Knight
Joined: 22 Mar 2010 Posts: 4941 Location: Bloomington, IL USA
|
Did you notice the path name is misspelled?
Quote: |
'C:\Program Fils\IBM\MQSI\7.0\BK7truststore.jks'
|
Should be
Quote: |
'C:\Program Files\IBM\MQSI\7.0\BK7truststore.jks'
|
maybe? |
|
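A preflight check for the failure in this thread, where a mistyped truststore path surfaced only as a runtime CertificateException. This is an added example, not part of the original posts or of the broker's own tooling; the function names are hypothetical, and it assumes the property listing uses the name='value' layout shown in the first post.

```python
import os
import re
import tempfile

JKS_MAGIC = bytes.fromhex("feedfeed")  # first four bytes of every JKS file
PROP_RE = re.compile(r"^\s*(\w+)='(.*)'\s*$")

def parse_properties(text):
    """Turn name='value' lines (the layout shown in the thread) into a dict."""
    props = {}
    for line in text.splitlines():
        m = PROP_RE.match(line)
        if m:
            props[m.group(1)] = m.group(2)
    return props

def check_stores(props):
    """Return (property, problem) pairs for the keystore/truststore settings."""
    problems = []
    for kind in ("Keystore", "Truststore"):
        name = "broker%sFile" % kind
        path = props.get(name, "")
        if not path:
            continue  # store not configured, nothing to check
        if not os.path.isfile(path):
            problems.append((name, "file not found: " + path))
            continue
        if props.get("broker%sType" % kind) == "JKS":
            with open(path, "rb") as fh:
                if fh.read(4) != JKS_MAGIC:
                    problems.append((name, "not a JKS file: " + path))
    return problems

def demo():
    """Constructed sample: a valid keystore path and a mistyped truststore path."""
    tmp = tempfile.mkdtemp()
    good = os.path.join(tmp, "BK7keystore.jks")
    with open(good, "wb") as fh:
        fh.write(JKS_MAGIC + b"\x00\x00\x00\x02")  # constructed header bytes only
    typo = os.path.join(tmp + "x", "BK7truststore.jks")  # wrong directory name
    text = ("brokerKeystoreType='JKS'\nbrokerKeystoreFile='%s'\n"
            "brokerTruststoreType='JKS'\nbrokerTruststoreFile='%s'\n" % (good, typo))
    return check_stores(parse_properties(text))

if __name__ == "__main__":
    for prop, problem in demo():
        print(prop + ": " + problem)
```

Running a check like this against the registry listing before deploying the flow reports the bad path by property name instead of leaving it to surface as a trust manager error at connection time.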
|
 |
gfrench |
Posted: Thu Mar 31, 2011 8:54 am Post subject: |
|
|
 Acolyte
Joined: 10 Feb 2002 Posts: 71
|
Well spotted... Thanks, far tooooo late in the day for me. It's a long week already! |
|
|
 |
lancelotlinc |
Posted: Thu Mar 31, 2011 8:56 am Post subject: |
|
|
 Jedi Knight
Joined: 22 Mar 2010 Posts: 4941 Location: Bloomington, IL USA
|
|
|
 |
|