Author |
Message
|
Vitor |
Posted: Mon Jan 28, 2013 11:47 am Post subject: Problem with embedded listeners for HTTPS |
|
|
 Grand High Poobah
Joined: 11 Nov 2005 Posts: 26093 Location: Texas, USA
|
WMBv7.0.0.3
Solaris
Monday
So we have an execution group which we have configured to use embedded listeners and which are apparently content with their life. On start, we see in the log 2 messages; one indicates that the http listener has started listening on port 7820 for http and on port 7825 for https. We dance for the joy of it. We deploy, to the same EG, 3 flows. One uses http the other 2 https. We perform mqsireportproperties on the HTTPConnector & HTTPSConnector objects and are delighted to see a) the ports mentioned in the messages, b) that the http object has the http flow's URL shown in the "URLRegistration" section, c) the https object likewise has the 2 https flows in its "URLRegistration" section.
Oh, the joy.
We test the http flow with SoapUI and get a response in 30ms.
We test either of the https flows from the same laptop and get java.net.SocketException:SocketClosed. The flow being invoked does not react in a user trace and there's no additional line in the system log. The network people swear that there are no firewall or other network components in the way, and if there were 7820 wouldn't work either.
We're clearly missing a key configuration step; more specifically I've been missing it for about a day now. Would some kind person please point out what's looking me in the face while wearing an "I'm The Problem" hat?
I blame cumulative Red Bull damage; linked with brain injury you know. Or karma. Could be karma.
(Before anyone suggests it, I've even looked through the WMB training materials on setting up web services - no luck) _________________ Honesty is the best policy.
Insanity is the best defence. |
|
lancelotlinc |
Posted: Mon Jan 28, 2013 11:51 am Post subject: |
|
|
 Jedi Knight
Joined: 22 Mar 2010 Posts: 4941 Location: Bloomington, IL USA
|
Do you get a WSDL back when you do https://yourmachine/url-suffix?wsdl ? Is enableQueryWSDL true on your bar for those flows? _________________ http://leanpub.com/IIB_Tips_and_Tricks
Save $20: Coupon Code: MQSERIES_READER |
|
Vitor |
Posted: Mon Jan 28, 2013 12:00 pm Post subject: |
|
|
 Grand High Poobah
Joined: 11 Nov 2005 Posts: 26093 Location: Texas, USA
|
lancelotlinc wrote: |
Do you get a WSDL back when you do https://yourmachine/url-suffix?wsdl ? Is enableQueryWSDL true on your bar for those flows? |
It is true for those flows, we do not get a WSDL back. |
|
lancelotlinc |
Posted: Mon Jan 28, 2013 12:05 pm Post subject: |
|
|
 Jedi Knight
Joined: 22 Mar 2010 Posts: 4941 Location: Bloomington, IL USA
|
Then you might try to re-deploy. Make sure debugger is disabled and the Broker service Id has its primary group as mqbrkrs.
If ?wsdl does not return when you enter the URL in Chrome or IE, then something is wrong with the listener process. IE will prompt you to accept an invalid cert but Chrome or SoapUI will not. Try ?wsdl with IE. |
|
Vitor |
Posted: Mon Jan 28, 2013 1:54 pm Post subject: |
|
|
 Grand High Poobah
Joined: 11 Nov 2005 Posts: 26093 Location: Texas, USA
|
lancelotlinc wrote: |
Then you might try to re-deploy. Make sure debugger is disabled and the Broker service Id has its primary group as mqbrkrs. |
We don't have no debugger in any town for which I am the law. Likewise mqbrkrs is mqbrkrs the way nature intended.
lancelotlinc wrote: |
If ?wsdl does not return when you enter the URL in Chrome or IE, then something is wrong with the listener process. IE will prompt you to accept an invalid cert but Chrome or SoapUI will not. Try ?wsdl with IE. |
We're trying it in IE8 and it was the thought that something must be wrong with the listener that prompted me to post because it all looks fine. Yet doesn't work. |
|
lancelotlinc |
Posted: Mon Jan 28, 2013 2:45 pm Post subject: |
|
|
 Jedi Knight
Joined: 22 Mar 2010 Posts: 4941 Location: Bloomington, IL USA
|
Ok, look in SysLog, which for Solaris I think is in /var/adm/log directory, or wherever your SysAdmin put it.
It may give helpful insights into listener problems. Also you can use netstat to see if the port is open. |
|
kimbert |
Posted: Mon Jan 28, 2013 2:46 pm Post subject: |
|
|
 Jedi Council
Joined: 29 Jul 2003 Posts: 5542 Location: Southampton
|
Quote: |
We don't have no debugger in any town for which I am the law. |
Careful. He'll call you names for ignoring a 'viable debugging facility' soon  |
|
rekarm01 |
Posted: Mon Jan 28, 2013 2:46 pm Post subject: Re: Problem with embedded listeners for HTTPS |
|
|
Grand Master
Joined: 25 Jun 2008 Posts: 1415
|
Vitor wrote: |
We test either of the https flows from the same laptop and get java.net.SocketException:SocketClosed. |
It's probably some sort of SSL issue, but it's hard to narrow down without more info. For example, if the broker is using mutual SSL, but the client doesn't offer a recognized certificate, the HTTPS Listener might abruptly close the socket.
A service trace on the HTTPS Listener component, or a TCP packet capture might provide more detailed information. |
|
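Added example (not posted by anyone in this thread): one way to tell the cases discussed here apart is to probe the listener in two stages, first the TCP connect and then the TLS handshake. `probe_https_listener` is a hypothetical helper; certificate checks are switched off so it reports what the listener does whatever certificate it holds, and the `localhost` default and port 7825 in the demo are assumptions based on the port named in the thread.

```python
import socket
import ssl
import sys

def probe_https_listener(host, port, timeout=5.0):
    """Return (stage, detail) showing how far a connection to host:port gets."""
    try:
        raw = socket.create_connection((host, port), timeout=timeout)
    except ConnectionRefusedError as exc:
        # Nothing is bound to the port: a listener problem, not a certificate one.
        return ("tcp-refused", str(exc))
    except OSError as exc:  # timeouts, name resolution failures, unreachable hosts
        return ("tcp-unreachable", str(exc))

    # Diagnostic context only: verification is disabled so the result depends
    # on the listener's behaviour, not on whether this client trusts its cert.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return ("tls-ok", f"{tls.version()} {tls.cipher()[0]}")
    except OSError as exc:  # ssl.SSLError, resets and timeouts all derive from OSError
        raw.close()
        # TCP was accepted but the handshake was cut off or rejected.
        return ("tls-handshake-failed", f"{type(exc).__name__}: {exc}")

if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else "localhost"
    print(probe_https_listener(host, 7825))
```

A `tcp-refused` result points at the listener not being bound to the port, while `tls-handshake-failed` means something accepted the connection and then dropped it during the handshake.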
lancelotlinc |
Posted: Mon Jan 28, 2013 2:56 pm Post subject: Re: Problem with embedded listeners for HTTPS |
|
|
 Jedi Knight
Joined: 22 Mar 2010 Posts: 4941 Location: Bloomington, IL USA
|
rekarm01 wrote: |
Vitor wrote: |
We test either of the https flows from the same laptop and get java.net.SocketException:SocketClosed. |
It's probably some sort of SSL issue, but it's hard to narrow down without more info. For example, if the broker is using mutual SSL, but the client doesn't offer a recognized certificate, the HTTPS Listener might abruptly close the socket.
A service trace on the HTTPS Listener component, or a TCP packet capture might provide more detailed information. |
From my experience on WMB7, even with a bad cert, IE 8 will allow you to proceed to the ?wsdl page by clicking through a certificate warning page. |
|
fjb_saper |
Posted: Mon Jan 28, 2013 4:51 pm Post subject: |
|
|
 Grand High Poobah
Joined: 18 Nov 2003 Posts: 20756 Location: LI,NY
|
Did you set the certs up at the same level you set up the http listeners?
Is the cert configured for http://brokerhostname in its CN?
 _________________ MQ & Broker admin |
|
brianb |
Posted: Mon Jan 28, 2013 8:46 pm Post subject: |
|
|
Voyager
Joined: 12 May 2010 Posts: 85
|
Some old notes from a similar issue I had
mqsichangeproperties BK_name -e eg_name -o HTTPSConnector -n explicitlySetPortNumber -v 7825
Your mileage may vary |
|
Vitor |
Posted: Tue Jan 29, 2013 5:59 am Post subject: |
|
|
 Grand High Poobah
Joined: 11 Nov 2005 Posts: 26093 Location: Texas, USA
|
fjb_saper wrote: |
Did you set the certs up at the same level you set up the http listeners? |
I think so. An mqsireportconfigurableproperties <broker name> -e <EG name> -o HTTPSConnector -r yields this:
Code: |
HTTPSConnector
uuid='HTTPSConnector'
userTraceLevel='none'
traceLevel='none'
userTraceFilter='none'
traceFilter='none'
port='7825'
address=''
allowTrace=''
maxPostSize=''
acceptCount=''
bufferSize=''
compressableMimeTypes=''
compression=''
connectionLinger=''
connectionTimeout=''
maxHttpHeaderSize=''
maxKeepAliveRequests=''
maxSpareThreads=''
maxThreads=''
minSpareThreads=''
noCompressionUserAgents=''
restrictedUserAgents=''
socketBuffer=''
tcpNoDelay=''
explicitlySetPortNumber='7825'
enableLookups=''
enableMQListener=''
shutdownDelay=''
algorithm=''
clientAuth=''
keystoreFile='<keystore name>.jks'
keystorePass='********'
keystoreType=''
sslProtocol=''
ciphers=''
keypass='********'
keyAlias=''
sslSessionTimeout=''
DefaultConnector
port='7825'
URLRegistration='/CompletionDays/GetCompletionDays'
nodeLabel='PDO_Screen_GetCompletionDays_SOAPInput'
outstandingRequests='0'
URLRegistration='/CompletionDays/UpdateCompletionDays'
nodeLabel='PDO_Screen_UpdateCompletionDays_SOAPInput'
outstandingRequests='0'
|
Ah. The cert we have has a dn of
Code: |
CN=<fully qualified server name>.com, O=<Company Name>,L=<Home Town>, S=<home state>, C=US |
That doesn't sound like what you're talking about |
|
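Added example (not part of the post above or of anyone's reply): a small parser for the property report format quoted in that post, with checks limited to the settings the replies ask about (keystore settings, `clientAuth`, `explicitlySetPortNumber`). The function names and the wording of the notes are hypothetical, and the sample is an abridged, constructed copy of the quoted output.

```python
import re
# Constructed sample: abridged from the HTTPSConnector report quoted in the post above.
SAMPLE = """\
HTTPSConnector
port='7825'
explicitlySetPortNumber='7825'
clientAuth=''
keystoreFile='<keystore name>.jks'
keypass='********'
keyAlias=''
DefaultConnector
URLRegistration='/CompletionDays/GetCompletionDays'
URLRegistration='/CompletionDays/UpdateCompletionDays'
nodeLabel='PDO_Screen_UpdateCompletionDays_SOAPInput'
"""
PROP = re.compile(r"^\s*(\w+)='(.*)'\s*$")

def parse_report(text):
    """Return ({object name: {property: value}}, [URL registrations])."""
    sections, urls, current = {}, [], None
    for line in text.splitlines():
        m = PROP.match(line)
        if m is None:  # an object name such as HTTPSConnector
            if line.strip():
                current = sections.setdefault(line.strip(), {})
            continue
        key, value = m.groups()
        if key == "URLRegistration":  # repeats once per deployed flow
            urls.append({"url": value})
        elif key == "nodeLabel" and urls:
            urls[-1][key] = value
        elif current is not None:
            current[key] = value
    return sections, urls

def review(sections):
    """Hypothetical checks, limited to the settings the replies ask about."""
    https = sections.get("HTTPSConnector", {})
    notes = [f"{k} is not set" for k in ("keystoreFile", "keypass") if not https.get(k)]
    if https.get("clientAuth"):  # the mutual-SSL case raised in the thread
        notes.append("clientAuth is set: clients may need to present a certificate")
    if https.get("port") != https.get("explicitlySetPortNumber"):
        notes.append("port and explicitlySetPortNumber differ")
    if not https.get("keyAlias"):
        notes.append("keyAlias is empty in the report")
    return notes

if __name__ == "__main__":
    print(review(parse_report(SAMPLE)[0]))
```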
brianb |
Posted: Tue Jan 29, 2013 3:43 pm Post subject: |
|
|
Voyager
Joined: 12 May 2010 Posts: 85
|
|
Vitor |
Posted: Tue Jan 29, 2013 6:49 pm Post subject: |
|
|
 Grand High Poobah
Joined: 11 Nov 2005 Posts: 26093 Location: Texas, USA
|
Not really. We don't use the proxy, and there's no MQ listener involvement I can detect. |
|
Vitor |
Posted: Tue Jan 29, 2013 6:54 pm Post subject: |
|
|
 Grand High Poobah
Joined: 11 Nov 2005 Posts: 26093 Location: Texas, USA
|
lancelotlinc wrote: |
Ok, look in SysLog, which for Solaris I think is in /var/adm/log directory, or wherever your SysAdmin put it. |
Found it (as I indicated in my first post). I can see messages indicating the listeners are listening on 7820 & 7825 but (again as I said) there's no further line in the log either informational or error when we try to test it nor does the user trace of the flow react (as I said originally).
lancelotlinc wrote: |
It may give helpful insights into listener problems. |
As I said originally, it doesn't. I emphasize these points as you seem to have missed them in my original post.
lancelotlinc wrote: |
Also you can use netstat to see if the port is open. |
The http port shows open, the https does not. This is not unexpected and offers no clues about how to make it open. |
|