lancelotlinc
Posted: Fri May 06, 2011 8:03 am    Post subject: SSL Soap Request Node Problem
Jedi Knight; Joined: 22 Mar 2010; Posts: 4941; Location: Bloomington, IL USA
Hi gang,
I have a problem with a simple flow. When I run the flow with appropriate input from RFHUtil for a Web Service call to third party provider, I get an SSL certificate chain exception.
Flow is thusly:
MQInput -> Compute -> SOAP Request -> MQOutput
In Compute node, I have placed these lines:
Code:
CALL CopyEntireMessage();
-- Identity to be propagated from this Compute node to the SOAP Request node
SET OutputRoot.Properties.IdentityMappedType = 'usernameAndPassword';
SET OutputRoot.Properties.IdentityMappedToken = 'myuid';
SET OutputRoot.Properties.IdentityMappedPassword = 'mypwd';
I have successfully imported the target Web Service server's SSL certificate, and have verified it is present in the keystore:
Code:
Alias name: broker
Creation date: May 6, 2011
Entry type: trustedCertEntry
Owner: CN=xxx, DC=yyy, DC=com
Issuer: CN=xxx, DC=yyy, DC=com
Serial number: 5f21f511d64372a3436b28645c156b3e
Valid from: 9/21/09 1:59 PM until: 9/21/19 2:09 PM
Certificate fingerprints:
MD5: 0A:6C:2D:3F:8A:25:D4:31:F1:A5:06:21:F2:15:BE:A1
SHA1: FE:1C:51:A6:F9:27:3D:14:D0:B0:35:3E:09:F8:FE:A6:C8:FE:4A:9E
I have used an external website to check the Web Service server's SSL credentials:
Code:
DNS resolves 'zzz.yyy.com' to 00.255.225.255
HTTP Server Header: Microsoft-IIS/6.0
SSL certificate
Common Name = zzz.yyy.com
Issuer = xxx
Serial Number = 3A444F3A000000000009
SHA1 Thumbprint = 2A7146E69BB0DBB70054EAA270813E7C1BC8CA6F
Key Length = 1024 bit
Signature algorithm = SHA1+RSA (good)
Secure Renegotiation: Supported
Yet, I still get this error:
Quote:
2011-05-06 10:14:31.977549
(0x03000000:NameValue):Text = 'javax.net.ssl.SSLHandshakeException: com.ibm.jsse2.util.g: PKIX path building failed: java.security.cert.CertPathBuilderException: PKIXCertPathBuilderImpl could not build a valid CertPath.; internal cause is:
java.security.cert.CertPathValidatorException: The certificate issued by CN=xxx, DC=yyy, DC=com is not trusted; internal cause is:
java.security.cert.CertPathValidatorException: Certificate chaining error' (CHARACTER)
I have repeated the steps for setting up the cert in the keystore several times, and modified the bar file properties on the node to use 'Default Propagation'.
If someone could help me brainstorm other things to check, I would be greatly appreciative.
This is WMB Toolkit/WMB runtime on Windows 7.0.0.0 (working on permission from mgt to upgrade to FP2).
Lance
_________________
http://leanpub.com/IIB_Tips_and_Tricks
Save $20: Coupon Code: MQSERIES_READER
mqjeff
Posted: Fri May 06, 2011 8:37 am
Grand Master; Joined: 25 Jun 2008; Posts: 17447
Looks like you're missing a signer or intermediate certificate.
lancelotlinc
Posted: Fri May 06, 2011 8:46 am
Jedi Knight; Joined: 22 Mar 2010; Posts: 4941; Location: Bloomington, IL USA
That was my thinking. I asked the third party about it; they say the "self-signed" certificate provided is sufficient. How would I challenge their statement? They say they have validated their Web Service using soapUI and if it does not work on WMB, then it's a WMB issue.
mqjeff
Posted: Fri May 06, 2011 10:22 am
Grand Master; Joined: 25 Jun 2008; Posts: 17447
Sorry, did you put it in the keystore or the truststore?
Also, did you put it in the EG level truststore or the Broker level truststore?
lancelotlinc
Posted: Fri May 06, 2011 10:29 am
Jedi Knight; Joined: 22 Mar 2010; Posts: 4941; Location: Bloomington, IL USA
I put it in the Broker-level keystore located at:
Code:
"$MQSI_WORKPATH\jre16\lib\security\cacerts"
In further discussion with the third party, they agreed to procure a commercial SSL certificate and forego their "self-signed" cert. I also noticed that the Common Name did not use the server name, therefore a server name did not appear anywhere in the cert.
This link helped me: http://info.ssl.com/article.aspx?id=10048
Quote:
The Common Name must be the same as the Web address you will be accessing when connecting to a secure site.
Once I ferret out the new certificate, I will post the resolution or further details. Thanks for your help on it, mqjeff.
lancelotlinc
Posted: Fri May 06, 2011 10:30 am
Jedi Knight; Joined: 22 Mar 2010; Posts: 4941; Location: Bloomington, IL USA
It was also very humorous. I told the third party:
Quote:
I have a certificate chaining error.
Third party said:
Quote:
Just press enter, and you will still be encrypted.
mqjeff
Posted: Fri May 06, 2011 10:49 am
Grand Master; Joined: 25 Jun 2008; Posts: 17447
rekarm01
Posted: Sun May 08, 2011 6:46 am
Grand Master; Joined: 25 Jun 2008; Posts: 1415
Whether the Common Name must match the server hostname depends on the client, and the client truststore.
Most web browsers, for example, will accept an untrusted certificate with matching CN and trusted CA; they will also accept any trusted certificate, regardless of CN.
However, that does not necessarily mean the WMB will accept an untrusted certificate with matching CN.