MQSeries.net Forum Index » IBM MQ Security » SSL Between Weblogic and IBM MQ

rajakmra (Newbie; Joined: 20 Dec 2011; Posts: 9) posted Wed Dec 28, 2011 12:45 am, subject: SSL Between Weblogic and IBM MQ

Dear All,

I would like to know how to configure SSL between Weblogic and MQ.

The existing setup we used is,

To put message in MQ, We are using MQ Java API directly.
To get message from MQ, We are using JMS API with binding file.

Now, we are in a position to enable SSL in those communication between Weblogic and MQ.
Here Weblogic is Treated as Client & MQ is treated as Server.

At a high level, initially we planned for One-Way SSL with the below steps:

1. Create the Trust Store in MQ Server
gsk7capicmd -keydb -create -db "/var/mqm/qmgrs/WLMQTest/ssl/WLMQTest.kdb" -pw serverpass -type cms -expire 365 -stash -fips

2. Create Self-Signed Certificate Initially for MQ Server

gsk7capicmd -cert -create -db "/var/mqm/qmgrs/WLMQTest/ssl/WLMQTest.kdb" -pw serverpass -label ibmwebspheremqwlmqtest -dn "CN=WLMQTest,O=,C=" -expire 365 -fips -sigalg sha1

gsk7capicmd -cert -extract -db "/var/mqm/qmgrs/WLMQTest/ssl/WLMQTest.kdb" -pw serverpass -label ibmwebspheremqwlmqtest -target "/var/mqm/qmgrs/WLMQTest/ssl/WLMQTest.crt" -format ascii -fips

3. Create the Key Store in Weblogic Server

keytool -genkey -alias mydomain -keyalg RSA -keystore keystore.jks -keysize 2048

4. Copy the Public SSL Server Certificate to the Weblogic Server

Copied the WLMQTest.crt from MQ Server into a directory under Weblogic Server Domain

The below command lists the content of keystore.jks:
keytool -list -keystore keystore.jks

Keystore type: JKS
Keystore provider: SUN

Your keystore contains 1 entry

mydomain, Dec 26, 2011, PrivateKeyEntry,
Certificate fingerprint (MD5): E7:B6:4C:02:A7:DE:A3:66:27:66:38:A1:87:DF:8F:0F

And tried to import the WLMQTest.crt

keytool -import -alias mydomain -file WLMQTest.crt -keystore keystore.jks -storepass serverpass
We got the error below:

keytool error: java.lang.Exception: Public keys in reply and keystore don't match

5. Configuring the Channels.

Please advise: is this the right way? If anyone can throw some light here, we would be grateful, since we want to enable 2-way SSL.
fjb_saper (Grand High Poobah; Joined: 18 Nov 2003; Posts: 20696; Location: LI,NY) posted Wed Dec 28, 2011 6:03 am

When generating the self signed cert for MQ, did you make sure of the key size? As you are planning on using FIPS a minimum key size of 2048 is mandatory...

Look at the different ways of "adding" a cert to the keystore with keytool.
The output you got points towards trying to receive a signed cert for a request that you did not have... or at a possibly missing intermediate cert (if you had a CA signed cert)

What you want to do is "add" a trusted CA cert (the self-signed qmgr cert acts as a CA authority cert)

Alternatively you could use gsk7cmd to do it...

Have fun
_________________
MQ & Broker admin
rajakmra (Newbie; Joined: 20 Dec 2011; Posts: 9) posted Wed Jan 04, 2012 9:32 pm

Hi,

Thanks for your reply.

I have successfully imported the MQ Server public SSL certificate into the Key Store. From your reply, I understand that the CA or self-signed certificate needs to be created in the Key Store before importing any other certificate. Now I'm stuck on another issue.

Channels are configured like below:

Code:
alter channel(SSL.SERVER) CHLTYPE(SVRCONN) SSLCIPH(RC4_MD5_EXPORT)
alter channel(SSL.SERVER) CHLTYPE(CLNTCONN) SSLCIPH(RC4_MD5_EXPORT)
REFRESH SECURITY TYPE(SSL)


The client program residing in Weblogic tries to connect to MQ like below:

Code:
MQEnvironment.hostname = hostname;
MQEnvironment.channel = channel;
MQEnvironment.sslCipherSuite="SSL_RSA_EXPORT_WITH_RC4_40_MD5";
MQEnvironment.port = 33311;
MQEnvironment.properties.put(MQC.TRANSPORT_PROPERTY,MQC.TRANSPORT_MQSERIES);

System.setProperty("javax.net.ssl.trustStore", "/var/mqm/qmgrs/SSLQMGR/ssl/sslqmgr");
System.setProperty("javax.net.ssl.keyStore", "/D:/SSLClientStore/keystore.jks");
System.setProperty("javax.net.ssl.keyStorePassword", "clientpass");
System.setProperty("javax.net.debug","SSL");


I'm getting the below exception

An MQSeries error occurred : Completion code 2 Reason code 2397
Root Cause is : javax.net.ssl.SSLHandshakeException: Remote host closed connection during handshake


SSL Trace & Error Logs for your kind perusal

SSL Trace:

Code:
keyStore is : /D:/SSLClientStore/keystore.jks
keyStore type is : jks
keyStore provider is :
init keystore
init keymanager of type SunX509
***
found key for : selfsigned
chain [0] = [
[
  Version: V3
  Subject: CN=sslqmgr, OU=Unknown, O=psl, L=Unknown, ST=Unknown, C=Unknown
  Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5

  Key:  Sun RSA public key, 1024 bits
  modulus: 1314444876701230130249268259176731531759598908389217497276980
0533474122570094529540271714507525100935849149828661590932091
8838967611563932938374681788837046611642860512603336317284201
4307334809647913877113464394268458009138087091620415860153051
82265914071517170990391522881662860622373111521425366381018207607
  public exponent: 65537
  Validity: [From: Wed Jan 04 12:12:15 IST 2012,
               To: Sat Dec 29 12:12:15 IST 2012]
  Issuer: CN=sslqmgr, OU=Unknown, O=psl, L=Unknown, ST=Unknown, C=Unknown
  SerialNumber: [    4f03f4c7]

]
  Algorithm: [SHA1withRSA]
  Signature:
0000: 5E 09 B7 66 E0 B0 E4 58   40 CF 7A EE A4 10 85 C0  ^..f...X@.z.....
0010: CC 60 6F A1 8A 55 C7 05   70 91 FB 08 5C 8C 91 48  .`o..U..p...\..H
0020: 68 1C 99 0C 02 A6 6C 7C   C4 03 75 41 C6 1A 9A 6F  h.....l...uA...o
0030: 32 FC 6C 0F B0 9E 8E 6F   CC 09 54 A5 C1 70 D3 2E  2.l....o..T..p..
0040: 83 81 C7 91 2D 9D 09 44   77 6A 03 5C 96 83 3D 18  ....-..Dwj.\..=.
0050: BF BF B3 F5 FF 32 77 77   BC EB A2 00 AF B7 F3 E8  .....2ww........
0060: A1 C3 5C D3 0A C0 AE 09   2B E2 4A E8 C8 23 46 8B  ..\.....+.J..#F.
0070: B9 AC BC FA B1 77 A8 80   50 E7 E1 90 13 8F DB 6B  .....w..P......k

]
***
***
found key for : mydomain
chain [0] = [
[
  Version: V3
  Subject: CN=sslqmgr, OU=Unknown, O=psl, L=Unknown, ST=Unknown, C=Unknown
  Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5

  Key:  Sun RSA public key, 1024 bits
  modulus: 1322215482118598504224566155683538280910891459044784149275186
9743178442226430769186740641422264549293302341838362310813558
3612970143799062642012893756742562407674643554681498269873981
2647251158372285995903228098418109208271424114251124905639092
33841537445926658687742425322563968816216759048025029693602651929
  public exponent: 65537
  Validity: [From: Wed Jan 04 12:10:02 IST 2012,
               To: Tue Apr 03 12:10:02 IST 2012]
  Issuer: CN=sslqmgr, OU=Unknown, O=psl, L=Unknown, ST=Unknown, C=Unknown
  SerialNumber: [    4f03f442]

]
  Algorithm: [SHA1withRSA]
  Signature:
0000: 95 F8 A6 86 96 E4 94 32   43 A9 3F A3 5F 2D 25 7C  .......2C.?._-%.
0010: F1 B0 B5 4C D1 40 68 11   22 17 32 FB A7 4E F0 FB  ...L.@h.".2..N..
0020: A7 D7 BB 4B 3B 1B 10 7B   59 E4 1E AC 10 C4 26 3F  ...K;...Y.....&?
0030: D9 C5 BB 08 03 B7 69 27   AA CA 18 D7 04 D1 BF 74  ......i'.......t
0040: E3 CE 0E BB A7 95 4A 3C   0E 01 EA D4 73 81 23 78  ......J<....s.#x
0050: 9D CB 69 53 00 57 AC 19   EE EF BA 36 6C 90 EA 25  ..iS.W.....6l..%
0060: 63 33 00 8F D1 00 8F 1C   B4 71 7F 39 58 3E 54 F3  c3.......q.9X>T.
0070: 77 A2 18 49 30 73 C6 BC   D7 BA CE 82 8A A1 CD 92  w..I0s..........

]
***
trustStore is: No File Available, using empty keystore.
trustStore type is : jks
trustStore provider is :
init truststore
trigger seeding of SecureRandom
done seeding SecureRandom
%% No cached client session
*** ClientHello, SSLv3
RandomCookie:  GMT: 1325678945 bytes = { 212, 166, 241, 209, 47, 79,
128, 197, 230, 158, 159, 180, 58, 24, 205, 95, 36, 94, 79, 193, 175, 237,
38, 23, 4, 118, 176, 158 }
Session ID:  {}
Cipher Suites: [SSL_RSA_EXPORT_WITH_RC4_40_MD5]
Compression Methods:  { 0 }
***
Main Thread, WRITE: SSLv3 Handshake, length = 45
Main Thread, received EOFException: error
Main Thread, handling exception: javax.net.ssl.SSLHandshakeException: Remote host closed connection during handshake
Main Thread, SEND TLSv1 ALERT:  fatal, description = handshake_failure
Main Thread, WRITE: TLSv1 Alert, length = 2
Main Thread, called closeSocket()
MQJE001: An MQException occurred: Completion Code 2, Reason 2397
MQJE056: Initial negotiation failure
MQJE001: Completion Code 2, Reason 2397
An MQSeries error occurred : Completion code 2 Reason code 2397
Root Cause is : javax.net.ssl.SSLHandshakeException: Remote host closed connection during handshake
Trace is : MQJE001: Completion Code 2, Reason 2397


Error Log:

01/04/12 17:02:59 - Process(12134.27) User(mqm) Program(amqrmppa)
                    Host(CTOLAB02)
AMQ9492: The TCP/IP responder program encountered an error.

EXPLANATION:
The responder program was started but detected an error.
ACTION:
Look at previous error messages in the error files to determine the error
encountered by the responder program.
----- amqrmrsa.c : 524 --------------------------------------------------------
01/04/12 17:22:28 - Process(12134.28) User(mqm) Program(amqrmppa)
                    Host(CTOLAB02)
AMQ9620: Internal error on call to SSL function on channel '????'.

EXPLANATION:
An error indicating a software problem was returned from a function which is
used to provide SSL support. The error code returned was '701'. The function
call was 'gsk_attribute_set_enum - GSK_URI_CDP_DISABLE'. The channel is '????';
in some cases its name cannot be determined and so is shown as '????'. The
channel did not start.
ACTION:
Collect the items listed in the 'Problem determination' section of the System
Administration manual and use either the WMQ Support site:
http://www.ibm.com/software/integration/wmq/support/, or IBM Support Assistant
(ISA): http://www.ibm.com/software/support/isa/, to see whether a solution is
already available.  If you are unable to find a match, contact your IBM support
center.
----- amqccisa.c : 2070 -------------------------------------------------------
01/04/12 17:22:28 - Process(12134.28) User(mqm) Program(amqrmppa)
                    Host(CTOLAB02)
AMQ9492: The TCP/IP responder program encountered an error.

EXPLANATION:
The responder program was started but detected an error.
ACTION:
Look at previous error messages in the error files to determine the error
encountered by the responder program.
----- amqrmrsa.c : 524 --------------------------------------------------------

I referred to the below link too.

https://www-304.ibm.com/support/docview.wss?uid=swg21455237

The link states that the resolution for the problem is to upgrade the GSKit version to the correct version.

My Environment Version Details:

MQ Version : 7.0.1.5
gsk7cmd version : 7.0.3.15

I'm unable to track down the problem.
Is it related to the unavailability of the Trust Store, or to the GSKit versioning?

I need your assistance to track it down.

Thanks.
fjb_saper (Grand High Poobah; Joined: 18 Nov 2003; Posts: 20696; Location: LI,NY) posted Wed Jan 04, 2012 10:08 pm

Do you have the JAVA_HOME variable defined in the environment that is running the qmgr? It should point to <mqinstall>/ssl/jre

Also list all the certs with label and with detail (distinguished name + issuer distinguished name) in each key store.


_________________
MQ & Broker admin
rajakmra (Newbie; Joined: 20 Dec 2011; Posts: 9) posted Mon Jan 23, 2012 3:34 am

The .profile file has an entry like JAVA_HOME=/opt/mqm/ssl
There is no jre directory under ssl.

Tried with a JMS client program. I got the same error in the error log. Please find the MQ Server side cert list below:

bash-3.00$ gsk7cmd -cert -list -db "/var/mqm/qmgrs/MYSSLQM/ssl/MYSSLQM.kdb" -pw serverpass
Certificates in database: /var/mqm/qmgrs/MYSSLQM/ssl/MYSSLQM.kdb
Entrust.net Global Secure Server Certification Authority
Entrust.net Global Client Certification Authority
Entrust.net Client Certification Authority
Entrust.net Certification Authority (2048)
Entrust.net Secure Server Certification Authority
VeriSign Class 3 Public Primary Certification Authority
VeriSign Class 2 Public Primary Certification Authority
VeriSign Class 1 Public Primary Certification Authority
VeriSign Class 4 Public Primary Certification Authority - G2
VeriSign Class 3 Public Primary Certification Authority - G2
VeriSign Class 2 Public Primary Certification Authority - G2
VeriSign Class 1 Public Primary Certification Authority - G2
VeriSign Class 4 Public Primary Certification Authority - G3
VeriSign Class 3 Public Primary Certification Authority - G3
VeriSign Class 2 Public Primary Certification Authority - G3
VeriSign Class 1 Public Primary Certification Authority - G3
Thawte Personal Premium CA
Thawte Personal Freemail CA
Thawte Personal Basic CA
Thawte Premium Server CA
Thawte Server CA
ibmwebspheremqmysslqm

In Client Side:

D:\MQ-JMS-SSL-BindFile\JavaKeyDB>runmqckm -cert -list -db TestClientJPMC.jks -pw clientpass
5724-H72 (C) Copyright IBM Corp. 1994, 2004. ALL RIGHTS RESERVED.
"C:\Program Files\IBM\WebSphere MQ\gskit\jre\bin\java.exe" -classpath "C:\Program Files\ibm\gsk7\classes\cfwk.zip;C:\Program Files\ibm\gsk7\classes\jlog.jar;C:\Program Files\ibm\gsk7\classes\gsk7cls.jar;C:\Program Files\ibm\gsk7\classes;C:\Program Files\Java\jdk1.6.0_14\lib;D:\Program Files\Apache Software Foundation\Tomcat 6.0\lib;D:\Program Files\Jboss-5.1.0.-jdk\lib;D:\Apache-ant-1.8.1\lib;D:\oracle\ora90\jdbc\lib;C:\Program Files\IBM\WebSphere MQ\Java\lib\providerutil.jar;C:\Program Files\IBM\WebSphere MQ\Java\lib\com.ibm.mqjms.jar;C:\Program Files\IBM\WebSphere MQ\Java\lib\ldap.jar;C:\Program Files\IBM\WebSphere MQ\Java\lib\jta.jar;C:\Program Files\IBM\WebSphere MQ\Java\lib\jndi.jar;C:\Program Files\IBM\WebSphere MQ\Java\lib\jms.jar;C:\Program Files\IBM\WebSphere MQ\Java\lib\connector.jar;C:\Program Files\IBM\WebSphere MQ\Java\lib\fscontext.jar;C:\Program Files\IBM\WebSphere MQ\Java\lib\com.ibm.mq.jar;C:\Program Files\IBM\WebSphere MQ\tools\Java\base;D:\JMeter\lib;D:\JMeter\lib\ext;D:\Program Files\Apache Maven 3.0.1\lib;D:\Technical\Tools\sonar-2.8\lib;D:\james-2.3.2\lib;D:\Program Files\axis2-1.5.2\lib;.;;(null)" -Dkeyman.verbose=true com.ibm.gsk.ikeyman.ikeycmd "-cert" "-list" "-db" "TestClientJPMC.jks" "-pw" "clientpass"
Certificates in database: TestClientJPMC.jks
verisign class 1 public primary certification authority - g3
verisign class 4 public primary certification authority - g3
verisign class 1 public primary certification authority - g2
verisign class 4 public primary certification authority - g2
verisign class 2 public primary certification authority
entrust.net global client certification authority
verisign class 2 public primary certification authority - g3
verisign class 2 public primary certification authority - g2
verisign class 3 public primary certification authority
verisign class 3 public primary certification authority - g3
verisign class 3 public primary certification authority - g2
thawte premium server ca
verisign class 1 public primary certification authority
entrust.net global secure server certification authority
thawte personal basic ca
thawte personal premium ca
thawte personal freemail ca
thawte server ca
entrust.net certification authority (2048)
entrust.net client certification authority
entrust.net secure server certification authority
ibmwebspheremqmysslqm
ibmwebspheremqrajakumar.c

Error Log:

----- amqccisa.c : 2070 -------------------------------------------------------
01/23/12 15:10:43 - Process(10857.30) User(mqm) Program(amqrmppa)
Host(CTOLAB02)
AMQ9492: The TCP/IP responder program encountered an error.

EXPLANATION:
The responder program was started but detected an error.
ACTION:
Look at previous error messages in the error files to determine the error
encountered by the responder program.
----- amqrmrsa.c : 524 --------------------------------------------------------
01/23/12 15:18:32 - Process(10857.32) User(mqm) Program(amqrmppa)
Host(CTOLAB02)
AMQ9620: Internal error on call to SSL function on channel '????'.

EXPLANATION:
An error indicating a software problem was returned from a function which is
used to provide SSL support. The error code returned was '701'. The function
call was 'gsk_attribute_set_enum - GSK_URI_CDP_DISABLE'. The channel is '????';
in some cases its name cannot be determined and so is shown as '????'. The
channel did not start.
ACTION:
Collect the items listed in the 'Problem determination' section of the System
Administration manual and use either the WMQ Support site:
http://www.ibm.com/software/integration/wmq/support/, or IBM Support Assistant
(ISA): http://www.ibm.com/software/support/isa/, to see whether a solution is
already available. If you are unable to find a match, contact your IBM support
center.

Application Log:

keyStore is : D:/MQ-JMS-SSL-BindFile/JavaKeyDB/TestClientJPMC.jks
keyStore type is : jks
keyStore provider is :
init keystore
init keymanager of type SunX509
***
found key for : ibmwebspheremqrajakumar.c
chain [0] = [
[
Version: V3
Subject: CN=JPMC, OU=Testing, O=PSL, L=test, C=test
Signature Algorithm: MD5withRSA, OID = 1.2.840.113549.1.1.4

Key: Sun RSA public key, 1024 bits
modulus: 120446588334886199182462422227489033822541075709784313713243423788753472912565554214242912540008498407413805009338790726742403472916039193928885678494007546672355407481689912099213814461440079673770488367701140210299208152970399577043690223332133098610939226343464876005088221355899642795030530743402251284707
public exponent: 65537
Validity: [From: Mon Jan 23 14:50:21 IST 2012,
To: Tue Jan 22 14:50:21 IST 2013]
Issuer: CN=JPMC, OU=Testing, O=PSL, L=test, C=test
SerialNumber: [ 4f1d2655]

]
Algorithm: [MD5withRSA]
Signature:
0000: 80 FB 3E 11 03 76 1F 7F 16 71 83 2F 0D FE 76 6A ..>..v...q./..vj
0010: CC 28 3A 4A 9F 9F AB 36 45 7F 34 F8 E1 60 35 AF .(:J...6E.4..`5.
0020: 27 02 09 DC EB D1 6B F6 29 8B 98 7F 29 36 BB 11 '.....k.)...)6..
0030: D8 93 98 15 E9 8B 3B 99 61 A3 08 4F 7A 8F 51 1E ......;.a..Oz.Q.
0040: C0 C8 C1 FD 76 B8 EB 6B 00 61 22 AE 6A 5A E1 3F ....v..k.a".jZ.?
0050: A4 2B BA 9E 53 15 90 ED 7C EB 0F BF 9E 0B 7F 00 .+..S...........
0060: 00 BF 5D 01 48 7A FC 93 F2 5B B7 7B FA 47 4A 0C ..].Hz...[...GJ.
0070: 61 58 DE 9A FB BB 55 E4 5C F3 F0 30 4B B4 3F 5F aX....U.\..0K.?_

]
***
trustStore is: No File Available, using empty keystore.
trustStore type is : jks
trustStore provider is :
init truststore
trigger seeding of SecureRandom
done seeding SecureRandom
%% No cached client session
*** ClientHello, SSLv3
RandomCookie: GMT: 1327312858 bytes = { 208, 50, 43, 47, 100, 122, 181, 23, 219, 172, 141, 104, 99, 66, 146, 209, 129, 99, 14, 92, 214, 244, 86, 163, 179, 238, 198, 90 }
Session ID: {}
Cipher Suites: [SSL_RSA_WITH_3DES_EDE_CBC_SHA]
Compression Methods: { 0 }
***
Main Thread, WRITE: SSLv3 Handshake, length = 45
Main Thread, received EOFException: error
Main Thread, handling exception: javax.net.ssl.SSLHandshakeException: Remote host closed connection during handshake
Main Thread, SEND TLSv1 ALERT: fatal, description = handshake_failure
Main Thread, WRITE: TLSv1 Alert, length = 2
Main Thread, called closeSocket()
javax.jms.JMSException: MQJMS2005: failed to create MQQueueManager for '172.23.76.134:MYSSLQM'
\nFAILURE\n

Application Code:

MQQueueConnectionFactory cf = new MQQueueConnectionFactory();

// Config
cf.setHostName("172.23.76.134");
cf.setPort(13131);
cf.setTransportType(JMSC.MQJMS_TP_CLIENT_MQ_TCPIP);
cf.setQueueManager("MYSSLQM");
cf.setChannel("SSL.CLIENTS");
cf.setSSLCipherSuite("SSL_RSA_WITH_3DES_EDE_CBC_SHA");

System.setProperty("javax.net.ssl.trustStore","/var/mqm/qmgrs/MYSSLQM/ssl/MYSSLQM");
System.setProperty("javax.net.ssl.keyStore", "D:/MQ-JMS-SSL-BindFile/JavaKeyDB/TestClientJPMC.jks");
System.setProperty("javax.net.ssl.keyStorePassword", "clientpass");
System.setProperty("javax.net.debug","SSL");

Is it related to a GSKit versioning issue? I ask because I found the below link for an error like this:

AMQ9620: Internal error on call to SSL function on channel '????'.

https://www-304.ibm.com/support/docview.wss?uid=swg21455237

Please help me to resolve the issue.

Version Details:

MQ Version : 7.0.1.5

gsk7cmd version : 7.0.3.15

Thanks in Advance.
rajakmra (Newbie; Joined: 20 Dec 2011; Posts: 9) posted Thu Feb 02, 2012 4:59 am

Hi Team,

I have moved a little bit further. Completed One-Way SSL testing successfully, but in Two-Way SSL I am facing an issue.

AMQ9637: Channel is lacking a certificate.

EXPLANATION:
The channel is lacking a certificate to use for the SSL handshake. The channel
name is 'SSL.LIQ.CHANNEL' (if '????' it is unknown at this stage in the SSL
processing). The channel did not start.
ACTION:
Make sure the appropriate certificates are correctly configured in the key
repositories for both ends of the channel.

Execution Steps:

1) Export the certificate from a keystore (Client Side)

keytool -export -alias clientkey -rfc -file MyClientCert.crt -keystore keystore.jks -storepass clientpass

2) Adding the Client Self signed CA Certificate to Key Database (MQ Side)

gsk7cmd -cert -add -db TestJPMC.kdb -pw serverpass -label ibmwebspheremqmqm -file MyClientCert.crt -format ascii

mqm - is the user id for MQ Server access

3) MQ Queue Manager Channel Configuration

alter chl(SSL.LIQ.CHANNEL) chltype(svrconn) sslciph(RC4_MD5_US) sslcauth(required)

NOTE: If I change it to sslcauth(optional), the code works fine.

A few questions:

1. Is the above step for creating a certificate for the server correct?
2. In the label I used the MQ user id. Is that correct, or do I need to specify my Windows user id (because I executed my program from my laptop)?

Any suggestions/comments would help me a lot.

Thanks.
fjb_saper (Grand High Poobah; Joined: 18 Nov 2003; Posts: 20696; Location: LI,NY) posted Fri Feb 03, 2012 9:04 pm

Looks like possibly your ssl peer values are not correct or not in the right order (multiple OU=)


_________________
MQ & Broker admin
rajakmra (Newbie; Joined: 20 Dec 2011; Posts: 9) posted Wed Feb 08, 2012 1:38 am

Hi,

Thanks a lot for your valuable/vital information. I have implemented Two-Way SSL successfully thanks to the SSL peer settings at the client channel level.

I'm very very happy now. Once again Thanks a lot for your valuable support.
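The SSL peer filter that fjb_saper points at above, and that the poster says fixed two-way SSL, is a distinguished-name pattern: the same syntax is set with SSLPEER on the SVRCONN/CLNTCONN channel and, on the Java side, with MQEnvironment.sslPeerName or MQConnectionFactory.setSSLPeerName. The block below is an added example, not code from the thread or from IBM: it implements the filter semantics as modelled on the documented SSLPEER rules (every attribute in the filter must be present in the certificate subject, a leading or trailing `*` is a wildcard, repeated attributes such as OU are compared in certificate order, values are compared case-insensitively) so that a candidate filter can be checked against a certificate subject before the channel is altered. The sample subject DN is the client certificate printed in the poster's trace; the rule details are assumptions to verify against the MQ manual for the release in use.

```python
"""SSLPEER-style distinguished-name filter (added example, not MQ product code).

Models the documented SSLPEER matching rules so a filter can be tried against
a certificate subject offline: attribute subset, '*' wildcard, repeated OUs
compared in certificate order, case-insensitive values. Assumption: check the
exact rules against the MQ manual for the release in use.
"""
import re

# One RDN: TYPE = value, where value is either double-quoted (may contain commas) or bare.
_DN_ATTR = re.compile(r'\s*([A-Za-z]+)\s*=\s*("(?:[^"\\]|\\.)*"|[^,]*?)\s*(?:,|$)')


def parse_dn(dn):
    """'CN=JPMC, OU=Testing, O=PSL' -> [('CN','JPMC'), ('OU','Testing'), ('O','PSL')].
    Order is kept because repeated attributes (OU) are compared positionally."""
    pairs = []
    for m in _DN_ATTR.finditer(dn):
        typ, val = m.group(1).upper(), m.group(2)
        if len(val) >= 2 and val[0] == val[-1] == '"':
            val = val[1:-1].replace('\\"', '"')
        pairs.append((typ, val.strip()))
    return pairs


def value_matches(pattern, value):
    """'*' alone means the attribute must merely be present; a leading and/or
    trailing '*' gives suffix/prefix/substring matching. Case-insensitive."""
    p, v = pattern.lower(), value.lower()
    if p == "*":
        return True
    lead, trail = p.startswith("*"), p.endswith("*")
    core = p.strip("*")
    if lead and trail:
        return core in v
    if lead:
        return v.endswith(core)
    if trail:
        return v.startswith(core)
    return p == v


def _group(pairs):
    grouped = {}
    for typ, val in pairs:
        grouped.setdefault(typ, []).append(val)
    return grouped


def sslpeer_check(sslpeer, subject_dn):
    """Return (matched, reason). Every attribute in the filter must be satisfied;
    attributes that appear only in the certificate are ignored; a repeated
    attribute in the filter must match the certificate's occurrences in order."""
    want = _group(parse_dn(sslpeer))
    have = _group(parse_dn(subject_dn))
    for typ, patterns in want.items():
        values = have.get(typ, [])
        if len(values) < len(patterns):
            return False, f"{typ}: certificate has {len(values)} value(s), filter needs {len(patterns)}"
        for pos, (pat, val) in enumerate(zip(patterns, values)):
            if not value_matches(pat, val):
                return False, f"{typ}[{pos}]: '{val}' does not match '{pat}'"
    return True, "all filter attributes satisfied"


def sslpeer_matches(sslpeer, subject_dn):
    return sslpeer_check(sslpeer, subject_dn)[0]


# Subject DN of the client certificate quoted in the thread, used as sample input.
CLIENT_DN = "CN=JPMC, OU=Testing, O=PSL, L=test, C=test"

if __name__ == "__main__":
    for filt in ("CN=JPMC, O=PSL", "CN=JP*, C=TEST", "OU=Testing, OU=Lab", "CN=sslqmgr"):
        print(f"{filt:22} -> {sslpeer_check(filt, CLIENT_DN)}")
```

A filter that names only O= or C= accepts every certificate from that organisation or country that the key repository trusts, so on a SVRCONN the filter should pin at least the CN (or an OU dedicated to the connecting application) rather than the issuer-level attributes alone.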
rajakmra (Newbie; Joined: 20 Dec 2011; Posts: 9) posted Tue Feb 14, 2012 1:51 am

Hi All,

We successfully completed the Two-Way SSL with the below combination earlier

Cipher Spec in Client/Server Channel Level: RC4_MD5_US
Cipher Suite used in the Code Level: SSL_RSA_WITH_RC4_128_MD5

We tried the below combination; it throws the error:

Cipher Suite : SSL_RSA_WITH_AES_128_CBC_SHA
Cipher Spec : TLS_RSA_WITH_AES_128_CBC_SHA

MQJE001: An MQException occurred: Completion Code 2, Reason 2400
MQJE011: Socket connection attempt refused
MQJE001: An MQException occurred: Completion Code 2, Reason 2400
MQJE011: Socket connection attempt refused
MQException: com.ibm.mq.MQException: MQJE001: An MQException occurred: Completion Code 2, Reason 2400
MQJE011: Socket connection attempt refused

We need your suggestions.
Is there anything additional that needs to be configured?

Thanks
rekarm01 (Grand Master; Joined: 25 Jun 2008; Posts: 1415) posted Tue Feb 14, 2012 3:49 am

rajakmra wrote:
MQJE001: An MQException occurred: Completion Code 2, Reason 2400

Consult the documentation for a more detailed explanation of MQRC 2400.
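Three distinct failures run through this thread: a client offering a CipherSuite that does not correspond to the channel's SSLCIPH (the MQRC 2400 case, MQRC_UNSUPPORTED_CIPHER_SUITE), a client with no readable trust store ("trustStore is: No File Available" in the trace, ending in MQRC 2397, MQRC_JSSE_ERROR), and queue-manager-side errors that only show up in AMQERR01.LOG (AMQ9620, AMQ9637). The block below is an added example, not code from the thread or from IBM: a small triage script that parses a javax.net.debug=ssl client trace and a queue manager error-log excerpt, checks the offered suite against the CipherSpec-to-CipherSuite mapping, and flags the export/RC4/MD5/DES choices used in the posts as unfit for production. The mapping table is the IBM-documented one for MQ 7.0.1 (assumed to be the relevant release here, as the poster states), the AMQ hints are paraphrases of the messages quoted in the thread, and the sample trace and log are constructed from those quotes.

```python
"""Triage helper for MQ-over-TLS handshake failures seen from a Java/JMS client.

Added example: reads a javax.net.debug=ssl client trace and an AMQERR01.LOG
excerpt, compares the CipherSpec on the SVRCONN with the JSSE CipherSuite the
client actually offered, and lists what to fix. Not MQ product code.
"""
import re

# CipherSpec (SVRCONN SSLCIPH) -> JSSE CipherSuite the MQ classes for Java/JMS expect.
# Subset of the IBM mapping table for MQ 7.0.1 (assumption: names as documented for that release).
CIPHERSPEC_TO_SUITE = {
    "NULL_MD5": "SSL_RSA_WITH_NULL_MD5",
    "NULL_SHA": "SSL_RSA_WITH_NULL_SHA",
    "RC4_MD5_EXPORT": "SSL_RSA_EXPORT_WITH_RC4_40_MD5",
    "RC4_MD5_US": "SSL_RSA_WITH_RC4_128_MD5",
    "RC4_SHA_US": "SSL_RSA_WITH_RC4_128_SHA",
    "DES_SHA_EXPORT": "SSL_RSA_WITH_DES_CBC_SHA",
    "TRIPLE_DES_SHA_US": "SSL_RSA_WITH_3DES_EDE_CBC_SHA",
    "TLS_RSA_WITH_AES_128_CBC_SHA": "SSL_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_AES_256_CBC_SHA": "SSL_RSA_WITH_AES_256_CBC_SHA",
}

MQRC_NAMES = {2397: "MQRC_JSSE_ERROR", 2400: "MQRC_UNSUPPORTED_CIPHER_SUITE"}

# AMQ messages that appear in the thread and where each one points (paraphrased hints).
AMQ_HINTS = {
    "AMQ9620": "GSKit internal error on the qmgr side; check the GSKit level and the "
               "environment the qmgr runs under before touching the client",
    "AMQ9637": "channel lacks a certificate: SSLCAUTH(REQUIRED) but the client presented "
               "no usable certificate/private key",
    "AMQ9492": "generic responder error; the real cause is the AMQ message logged just before it",
}

# Substrings that mark a CipherSpec/CipherSuite as unfit for production today.
WEAK_MARKERS = (
    ("NULL", "no encryption"),
    ("EXPORT", "export-grade key length"),
    ("RC4", "RC4 stream cipher"),
    ("MD5", "MD5 MAC"),
    ("DES", "DES/3DES block cipher"),
)


def suite_for(cipherspec):
    """JSSE suite the client must set for a given SVRCONN SSLCIPH, or None if unknown."""
    return CIPHERSPEC_TO_SUITE.get(cipherspec.strip().upper())


def weak_reasons(name):
    return [why for marker, why in WEAK_MARKERS if marker in name.upper()]


def parse_jsse_trace(trace):
    """Pull the handful of facts that matter out of a javax.net.debug=ssl trace."""
    info = {"keystore": None, "truststore_missing": False,
            "client_suites": [], "server_closed": False, "mqrc": None}
    for raw in trace.splitlines():
        line = raw.strip()
        m = re.match(r"keyStore is\s*:\s*(\S+)", line)
        if m:
            info["keystore"] = m.group(1)
        if line.startswith("trustStore is: No File Available"):
            info["truststore_missing"] = True
        m = re.match(r"Cipher Suites:\s*\[(.*)\]", line)
        if m:
            info["client_suites"] = [s.strip() for s in m.group(1).split(",") if s.strip()]
        if "Remote host closed connection during handshake" in line:
            info["server_closed"] = True
        m = re.search(r"Reason(?: code)? (\d{4})", line)
        if m:
            info["mqrc"] = int(m.group(1))
    return info


def diagnose(svrconn_sslciph, trace, amqerr=""):
    """Return an ordered list of (code, detail) findings."""
    findings = []
    info = parse_jsse_trace(trace)
    expected = suite_for(svrconn_sslciph)
    if expected is None:
        findings.append(("UNKNOWN_CIPHERSPEC", f"SSLCIPH({svrconn_sslciph}) is not in the mapping table"))
    elif info["client_suites"] and expected not in info["client_suites"]:
        findings.append(("CIPHER_MISMATCH",
                         f"client offered {info['client_suites']} but SSLCIPH({svrconn_sslciph}) needs {expected}"))
    for name in dict.fromkeys([svrconn_sslciph] + info["client_suites"]):
        reasons = weak_reasons(name)
        if reasons:
            findings.append(("WEAK_CIPHER", f"{name}: {', '.join(reasons)}"))
    if info["truststore_missing"]:
        findings.append(("TRUSTSTORE_MISSING",
                         "javax.net.ssl.trustStore is not a readable JKS on the client; "
                         "the qmgr certificate cannot be validated"))
    if info["mqrc"] in MQRC_NAMES:
        findings.append(("MQRC", f"{info['mqrc']} {MQRC_NAMES[info['mqrc']]}"))
    for code in dict.fromkeys(re.findall(r"\b(AMQ\d{4})\b", amqerr)):
        findings.append((code, AMQ_HINTS.get(code, "look the message up in the qmgr error log")))
    if info["server_closed"] and not amqerr:
        findings.append(("SERVER_CLOSED",
                         "qmgr closed the socket mid-handshake; the reason is in its AMQERR01.LOG, not here"))
    return findings


# Constructed sample input, modelled on the trace and error log quoted in the thread.
SAMPLE_TRACE = """\
keyStore is : /D:/SSLClientStore/keystore.jks
trustStore is: No File Available, using empty keystore.
*** ClientHello, SSLv3
Cipher Suites: [SSL_RSA_EXPORT_WITH_RC4_40_MD5]
Main Thread, handling exception: javax.net.ssl.SSLHandshakeException: Remote host closed connection during handshake
MQJE001: An MQException occurred: Completion Code 2, Reason 2397
"""
SAMPLE_AMQERR = """\
AMQ9620: Internal error on call to SSL function on channel '????'.
AMQ9492: The TCP/IP responder program encountered an error.
"""

if __name__ == "__main__":
    for code, detail in diagnose("RC4_MD5_EXPORT", SAMPLE_TRACE, SAMPLE_AMQERR):
        print(f"{code:20} {detail}")
```

The mapping is the piece most worth keeping to hand: the poster's last attempt paired SSLCIPH(TLS_RSA_WITH_AES_128_CBC_SHA) with the suite SSL_RSA_WITH_AES_128_CBC_SHA, which is the documented pairing, so a 2400 there says the JSSE provider in use does not offer the suite under that name rather than that the names were mismatched; the script reports that as no CIPHER_MISMATCH plus the MQRC line, which is the cue to check the JRE/provider rather than the channel definition.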
Copyright © MQSeries.net. All rights reserved.