SSL cert for accessing external webservice from WMB FLOW |
CuriCAT |
Posted: Tue Aug 09, 2011 10:41 am Post subject: SSL cert for accessing external webservice from WMB FLOW |
|
|
 Voyager
Joined: 26 Sep 2006 Posts: 82
|
I have developed a message flow which includes an HTTP Request node calling an external webservice.
My Flow :
MQInput--- > HTTPRequest --- > MQOutput
Question:
My question is regarding the SSL cert. The external service has given me SSL certs to import into the Broker to access their secured service (HTTPS). Those SSL certs are not created for the Virtual URL/BIGIP; instead those are pointing to the Physical URL.
Example:
Physical URL in SSL cert.
https://servername1/abc.svc
https://servername2/abc.svc
Virtual URL shared with me, to use in HTTPRequest node at broker flow.
https://www.xyz.com/abc.svc
Will it work when I import SSL certs given for the physical URL and the broker flow is accessing the virtual URL? Will it throw a cert/socket error?
Difference :
In dev/test environment, flow is accessing external physical URL and external service has SSL cert implemented for that physical URL.
For prod, flow is going to access external virtual URL and external service has SSL cert implemented for that physical URL.
I have asked to create a similar test environment as in production, but the team refused, saying it works with all other Windows consumers, so it should work for Broker running in AIX also.
Can someone clarify my doubt?
Message Broker 6.1
OS : AIX
Please let me know if you need more information.
|
lancelotlinc |
Posted: Tue Aug 09, 2011 11:21 am Post subject: |
|
|
 Jedi Knight
Joined: 22 Mar 2010 Posts: 4941 Location: Bloomington, IL USA
|
You import the SSL certs into the Broker's truststore. You use bar file override to make the difference in the node's caller address between test and prod.
Why are you using HTTPRequest node to call a web service? Why not use SOAPRequest node?
Have you taken the WM663 class yet? If not, why not?
_________________
http://leanpub.com/IIB_Tips_and_Tricks
Save $20: Coupon Code: MQSERIES_READER |
|
CuriCAT |
Posted: Wed Aug 10, 2011 7:12 am Post subject: |
|
|
 Voyager
Joined: 26 Sep 2006 Posts: 82
|
Quote: |
You import the SSL certs into the Broker's truststore. You use bar file override to make the difference in the node's caller address between test and prod.
|
---> That's what I do.
My question is regarding the SSL cert. The external service has given me SSL certs to import into the Broker to access their secured service (HTTPS). Those SSL certs are not created for the Virtual URL/BIGIP; instead those are pointing to the Physical URL.
Example:
Physical URL in SSL cert.
https://servername1/abc.svc
https://servername2/abc.svc
Virtual URL shared with me, to use in HTTPRequest node at broker flow.
https://www.xyz.com/abc.svc
Will it work when I import SSL certs given for the physical URL and the broker flow is accessing the virtual URL? Will it throw a cert/socket error?
Have you taken the WM663 class yet? If not why not?
I prefer to study on my own... yes, I am a bit familiar with SOAP nodes, I have used them in my previous projects. |
|
lancelotlinc |
Posted: Wed Aug 10, 2011 7:47 am Post subject: |
|
|
 Jedi Knight
Joined: 22 Mar 2010 Posts: 4941 Location: Bloomington, IL USA
|
What happens when you try it?
I would anticipate a security certificate chaining error exception since the names do not match. Something like...
Code: |
(0x03000000:NameValue):Text = 'javax.net.ssl.SSLHandshakeException: com.ibm.jsse2.util.g: PKIX path building failed: java.security.cert.CertPathBuilderException: PKIXCertPathBuilderImpl could not build a valid CertPath.; internal cause is:
java.security.cert.CertPathValidatorException: The certificate issued by CN=xxx, DC=yyy, DC=com is not trusted; internal cause is:
java.security.cert.CertPathValidatorException: Certificate chaining error' (CHARACTER)
|
You should have your downstream admins give you certs for the VIP as well, especially if the VIP is maintaining proxy session.
I'm not an expert of this, mqjeff or others may like to offer their opinion on it. I'm not an ex-pert, just a pert.
You may like to consider taking the WM663 training class. Highly recommended. |
|
mqjeff |
Posted: Wed Aug 10, 2011 7:49 am Post subject: |
|
|
Grand Master
Joined: 25 Jun 2008 Posts: 17447
|
lancelotlinc wrote: |
I'm not an expert of this, mqjeff or others may like to offer their opinion on it. |
I'd expect it to fail too, but I can see circumstances where it wouldn't. So I don't have a guess...
lancelotlinc wrote: |
I'm not an ex-pert, just a pert. |
Except when you're being im-pert-inent. |
|
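The name mismatch discussed in this thread, as an added example that is not part of any post and is not Broker code: the RFC 6125-style host name comparison that a client enforcing hostname verification applies, separately from trusting the chain via the truststore. The URLs are the thread's; the certificate contents and the function names are constructed for illustration, and whether the Broker's HTTPRequest node performs this check is not stated on the page.

```python
from urllib.parse import urlsplit


def name_matches(pattern: str, host: str) -> bool:
    """Compare one DNS name from a certificate with the requested host."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False  # a wildcard covers exactly one label, never several
    if p[0] == "*":
        # Wildcard only as the entire left-most label, and not "*.tld".
        return len(p) > 2 and p[1:] == h[1:]
    return "*" not in pattern and p == h


def check_endpoint(url: str, san_dns: list, subject_cn: str = "") -> dict:
    """Is the host in `url` covered by the names in the server certificate?

    san_dns:    dNSName entries from subjectAltName (may be empty)
    subject_cn: subject Common Name, used only when there is no SAN entry
    """
    host = urlsplit(url).hostname or ""
    names = list(san_dns) if san_dns else ([subject_cn] if subject_cn else [])
    return {"host": host, "names": names,
            "ok": any(name_matches(n, host) for n in names)}


# URLs are the thread's examples; certificate contents are constructed.
PHYSICAL_CERT = {"san_dns": [], "subject_cn": "servername1"}
VIP_CERT = {"san_dns": ["www.xyz.com"], "subject_cn": "www.xyz.com"}

if __name__ == "__main__":
    for label, cert in (("physical cert", PHYSICAL_CERT), ("VIP cert", VIP_CERT)):
        for url in ("https://servername1/abc.svc", "https://www.xyz.com/abc.svc"):
            r = check_endpoint(url, **cert)
            verdict = "match" if r["ok"] else "MISMATCH"
            print(f"{label:13} {r['host']:12} vs {r['names']} -> {verdict}")
```

Feeding it the names actually present in the supplied certificates (SAN entries first, CN only if there are none) shows before go-live whether the production virtual URL is covered.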