Author |
Message
|
sankritya |
Posted: Fri Jul 15, 2011 3:28 am Post subject: How to access Services deployed with SSL Security internally |
|
|
Centurion
Joined: 14 Feb 2008 Posts: 100
|
Hi All,
I need to access a set of message flows (Web Services) deployed in the same Execution group from a message flow which is also in the same EG. The EG is SSL enabled, i.e. working with https. I tried setting the following as URL
https://localhost:7844/ServiceName in the SOAP Request node but it is returning error message
Quote: |
<faultstring>SocketException: An error occurred whilst performing an SSL socket operation, connect, javax.net.ssl.SSLHandshakeException: com.ibm.jsse2.util.h: PKIX path building failed: java.security.cert.CertPathBuilderException: unable to find valid certification path to requested target</faultstring> |
Please suggest how to access the service from within the EG. |
|
|
 |
smdavies99 |
Posted: Fri Jul 15, 2011 3:33 am Post subject: |
|
|
 Jedi Council
Joined: 10 Feb 2003 Posts: 6076 Location: Somewhere over the Rainbow this side of Never-never land.
|
Did you setup the HTTPS Connector properly for the eg?
Did you restart the EG?
Have you checked that something is listening on the required port? _________________ WMQ User since 1999
MQSI/WBI/WMB/'Thingy' User since 2002
Linux user since 1995
Every time you reinvent the wheel the more square it gets (anon). If in doubt think and investigate before you ask silly questions. |
|
|
 |
sankritya |
Posted: Fri Jul 15, 2011 3:38 am Post subject: |
|
|
Centurion
Joined: 14 Feb 2008 Posts: 100
|
HTTPSConnector
uuid='HTTPSConnector'
userTraceLevel='none'
traceLevel='none'
userTraceFilter='none'
traceFilter='none'
port='7844'
address='pipmbit_sv1a'
allowTrace=''
maxPostSize=''
acceptCount=''
bufferSize=''
compressableMimeTypes=''
compression=''
connectionLinger=''
connectionTimeout=''
maxHttpHeaderSize=''
maxKeepAliveRequests=''
maxSpareThreads=''
maxThreads=''
minSpareThreads=''
noCompressionUserAgents=''
restrictedUserAgents=''
socketBuffer=''
tcpNoDelay=''
explicitlySetPortNumber='7844'
enableLookups=''
enableMQListener=''
algorithm=''
clientAuth='true'
keystoreFile='/ABCD/BK01/data/httpsconnector_keys.jks'
keystorePass='password'
keystoreType=''
sslProtocol=''
ciphers=''
keypass=''
keyAlias=''
DefaultConnector
2. I have restarted the EG, but it does not work.
3. Services which I need to access are working on standalone. |
|
|
 |
smdavies99 |
Posted: Fri Jul 15, 2011 4:10 am Post subject: |
|
|
 Jedi Council
Joined: 10 Feb 2003 Posts: 6076 Location: Somewhere over the Rainbow this side of Never-never land.
|
Did you do the reportproperties on the HTTPS connector using the -a or the -r option?
If you used the -a please do it again with the -r.
If you have this working on another system then do the same operation there. Compare the results (excluding the port if they are different) |
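The comparison suggested above (run the same property report on a second system and compare, excluding the port), as an added example that is not part of the original posts. The second listing is constructed, the choice of TLS-relevant keys is an assumption, and the parser assumes the `key='value'` layout with bare section names seen in the listing posted in this thread.

```python
import re

PROP_RE = re.compile(r"^(\w+)='(.*)'$")          # one line such as clientAuth='true'
IGNORED = {"port", "explicitlySetPortNumber"}    # expected to differ between systems
SECRET = {"keystorePass", "keypass"}             # compared, but never echoed
# Assumption: the properties most likely to matter for a TLS handshake failure.
TLS_KEYS = {"clientAuth", "keystoreFile", "keystoreType", "sslProtocol", "ciphers", "keyAlias"} | SECRET

def parse_listing(text):
    """Return {section: {key: value}}; a bare word starts a new section."""
    sections, current = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        match = PROP_RE.match(line)
        if match and current is not None:
            sections[current][match.group(1)] = match.group(2)
        elif line and not match:
            current = line
            sections.setdefault(current, {})
    return sections

def compare(a, b, section="HTTPSConnector"):
    """Return (key, value_a, value_b, tls_relevant) for each differing property."""
    pa, pb = a.get(section, {}), b.get(section, {})
    diffs = []
    for key in sorted(set(pa) | set(pb)):
        va, vb = pa.get(key, "<absent>"), pb.get(key, "<absent>")
        if key not in IGNORED and va != vb:
            if key in SECRET:
                va = vb = "<redacted>"   # report that it differs, not what it is
            diffs.append((key, va, vb, key in TLS_KEYS))
    return diffs

# Abbreviated from the listing posted in this thread.
FAILING = """HTTPSConnector
port='7844'
address='pipmbit_sv1a'
clientAuth='true'
keystoreFile='/ABCD/BK01/data/httpsconnector_keys.jks'
keystorePass='password'
DefaultConnector"""
# Constructed for illustration: a second system where the call works.
WORKING = """HTTPSConnector
port='7843'
address=''
clientAuth=''
keystoreFile='/example/broker/keys.jks'
keystorePass='constructed-example'"""
if __name__ == "__main__":
    print(*compare(parse_listing(FAILING), parse_listing(WORKING)), sep="\n")
```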
|
|
 |
lancelotlinc |
Posted: Fri Jul 15, 2011 4:44 am Post subject: |
|
|
 Jedi Knight
Joined: 22 Mar 2010 Posts: 4941 Location: Bloomington, IL USA
|
|
|
 |
sankritya |
Posted: Fri Jul 15, 2011 5:08 am Post subject: |
|
|
Centurion
Joined: 14 Feb 2008 Posts: 100
|
smdavies99: Earlier I was using it with -a. After using it with -r, it shows the list of services
like
URLRegistration='/ServiceName_V1.00'
nodeLabel='SOAP Input'
Service I am trying to access is registered there.
I checked MQ Series and found that you had raised a similar question in Feb 2011, but it does not have any reply or solution.
Do I need to set up any other parameters or give the path of security profile in the SOAP Request node to access the service?
@lancelotlinc
Quote: |
I would use two execution groups, not the single one.
|
How will it help in accessing the service? Basically we have a predefined set of EGs based on Functional Area and services belonging to a particular functional area reside in the same group. |
|
|
 |
lancelotlinc |
Posted: Fri Jul 15, 2011 5:53 am Post subject: |
|
|
 Jedi Knight
Joined: 22 Mar 2010 Posts: 4941 Location: Bloomington, IL USA
|
sankritya wrote: |
@lancelotlinc
Quote: |
I would use two execution groups, not the single one. |
How will it help in accessing the service? Basically we have a predefined set of EGs based on Functional Area and services belonging to a particular functional area reside in the same group. |
If you allow political borders to influence your technical architecture, it will be much more difficult to be successful. The political organization has nothing to do with running broker instances or execution groups efficiently. Your implementations should be flexible enough to adopt instant changes to the architecture.
Sheila Jackson Lee said it best about the political situation in Vietnam:
http://www.youtube.com/watch?v=XK3rTUgoQD4
and the discovery of an American flag planted by Apollo 11 astronauts on Mars:
http://www.zimbio.com/Congresswoman+Sheila+Jackson+Lee/articles/31/Breaking+News+Exhaustive+Search+contact admin+Archives
Politicians should stick to politicking and let the technical architects determine technical architecture. _________________ http://leanpub.com/IIB_Tips_and_Tricks
Save $20: Coupon Code: MQSERIES_READER |
|
|
 |
smdavies99 |
Posted: Fri Jul 15, 2011 6:05 am Post subject: |
|
|
 Jedi Council
Joined: 10 Feb 2003 Posts: 6076 Location: Somewhere over the Rainbow this side of Never-never land.
|
sankritya wrote: |
URLRegistration='/ServiceName_V1.00'
nodeLabel='SOAP Input'
|
Quote: |
I need to access a set of message flows (Web Services) deployed in the same Execution group from a message flow which is also in the same EG. The EG is SSL enabled, i.e. working with https. I tried setting the following as URL
https://localhost:7844/ServiceName in the SOAP Request node but it is returning error message
|
Aside from the reference to my old post can anyone see the difference here? |
|
|
 |
Vitor |
Posted: Fri Jul 15, 2011 6:11 am Post subject: |
|
|
 Grand High Poobah
Joined: 11 Nov 2005 Posts: 26093 Location: Texas, USA
|
lancelotlinc wrote: |
If you allow political borders to influence your technical architecture, it will be much more difficult to be successful. |
Now I saw Functional Area and I thought Billing, Sales & Accounting rather than EMEA, Pacific Rim and Americas. Which could legitimately require separation for confidentiality or SLA reasons (for instance). _________________ Honesty is the best policy.
Insanity is the best defence. |
|
|
 |
sankritya |
Posted: Fri Jul 15, 2011 6:16 am Post subject: |
|
|
Centurion
Joined: 14 Feb 2008 Posts: 100
|
@smdavies99: Apologies for my typo. But the Endpoints are correct in the actual bar I deployed. It has been copied from the WSRR.
https://localhost:7844/ServiceName_V1.00 and it is the same as what is shown in mqsireportproperties. |
|
|
 |
sankritya |
Posted: Sun Jul 17, 2011 9:47 pm Post subject: |
|
|
Centurion
Joined: 14 Feb 2008 Posts: 100
|
Please suggest if there is any way I can invoke the Service deployed in same EG enabled with two way SSL?
If it is possible then what are the parameters that need to be set... like Security Profile in the SOAP Request Node? |
|
|
 |
fjb_saper |
Posted: Mon Jul 18, 2011 5:55 am Post subject: |
|
|
 Grand High Poobah
Joined: 18 Nov 2003 Posts: 20756 Location: LI,NY
|
And you are sure this has nothing to do with the content of the cert and the way it checks the DN (like sslpeer content)?  _________________ MQ & Broker admin |
|
|
 |
sankritya |
Posted: Mon Jul 18, 2011 8:23 am Post subject: |
|
|
Centurion
Joined: 14 Feb 2008 Posts: 100
|
Well, I have tried by disabling the two way SSL. While I was able to call the service successfully using SOAP UI, the same service could not be invoked from a service within the same EG. It returned the same exception. |
|
|
 |
nmaddisetti |
Posted: Fri Dec 14, 2012 2:07 pm Post subject: |
|
|
Centurion
Joined: 06 Oct 2004 Posts: 145
|
Hi All,
I am getting the same error as in this post using SOAP nodes when I am calling the Provider message flow using the Consumer message flow and both are in the same EG.
But the same Provider flow is working when we are calling from SOAP UI.
We configured SSL at EG level and Broker version we are using is MB 6.1.0.7 on AIX.
Error :
javax.net.ssl.SSLHandshakeException: com.ibm.jsse2.util.h: PKIX path building failed: java.security.cert.CertPathBuilderException: unable to find valid certification path to requested target
Can you please share your thoughts to resolve this issue.
Thanks in Advance,
Venkat. |
|
|
 |
fjb_saper |
Posted: Fri Dec 14, 2012 8:01 pm Post subject: |
|
|
 Grand High Poobah
Joined: 18 Nov 2003 Posts: 20756 Location: LI,NY
|
Looks like you're missing the cert in the truststore....
What is your SSL setup? CA signed or self-signed? Where did you put the certs? |
|
|
 |
|