Ross |
Posted: Wed Jul 31, 2013 11:19 am Post subject: Broker V7 to Oracle with SSL. |
|
|
Centurion
Joined: 15 Jun 2005 Posts: 127 Location: Ireland
|
Hi.
I have been working on getting Broker to connect to Oracle with SSL using Data Direct odbc driver.
We have both Broker V7 and Broker V8. Both need to connect to Oracle with SSL.
The issue here is IBM support!
IBM don't ship Data Direct drivers until V8.0.0.2. In this case it is DD V7.
But, they will supply (if you ask them nicely) DD V6 with broker V7. They do not support DD V7 with Broker V7.
So anyway, I have successfully tested Broker V8 to Oracle using DD V7 supplied driver, with SSL mutual authentication and 3DES encryption.
When I try to do the same with Broker V7 to Oracle with DD V6, I can't get it working.
If I get a copy of the DD V7 driver, and leave everything else the same (same certs/keystores/truststores), then it all works.
I'm not sure if I'll be able to convince IBM to support DD V7 with Broker V7.
Error I am getting is:
[ODBC Oracle Wire Protocol driver]SSL passed certificate is self signed and the same certificate cannot be found in the list of trusted certificates.''.
Which is a bit misleading as the same certs/stores work with the V7 driver!
The Data Direct error codes are not very accurate!
This is on AIX.
GSKit 8 (gskcapicmd)
Any thoughts or suggestions appreciated. (I do have a PMR open)
Thanks,
Ross. |
|
lancelotlinc |
Posted: Wed Jul 31, 2013 11:22 am Post subject: |
|
|
 Jedi Knight
Joined: 22 Mar 2010 Posts: 4941 Location: Bloomington, IL USA
|
|
Ross |
Posted: Wed Jul 31, 2013 11:44 am Post subject: |
|
|
Centurion
Joined: 15 Jun 2005 Posts: 127 Location: Ireland
|
Architects chose V7 for that project as V8 was too new (8.0.0.0), and V6.1 was in place elsewhere, which didn't have enough functionality. We were pushing V8 knowing how long it would take to get to prod!! But wasn't my call. Just bad timing!
There are a couple of time dependent projects going in right now, and version upgrades will be addressed in the new year once they are in. Although this issue may force an upgrade of the single V7 pair!! |
|
lancelotlinc |
Posted: Wed Jul 31, 2013 11:49 am Post subject: |
|
|
 Jedi Knight
Joined: 22 Mar 2010 Posts: 4941 Location: Bloomington, IL USA
|
You might ask your IBM sales rep for a comp. It would be less expensive for IBM to trade your V7 licenses for V8 ones rather than create a patch to V7.
In US, we have a beverage called 'V8'. It's a cultural phenomenon: "I should've had a V8!" Head-palm.
_________________
http://leanpub.com/IIB_Tips_and_Tricks
Save $20: Coupon Code: MQSERIES_READER
Last edited by lancelotlinc on Wed Jul 31, 2013 11:53 am; edited 1 time in total |
|
Ross |
Posted: Wed Jul 31, 2013 11:53 am Post subject: |
|
|
Centurion
Joined: 15 Jun 2005 Posts: 127 Location: Ireland
|
It's not about the money!!!
It's about meeting dates, and resource availability.
But I would like to figure why this isn't working.
I'm surprised to see so little evidence of people connecting broker to Oracle with SSL! |
|
lancelotlinc |
Posted: Wed Jul 31, 2013 11:56 am Post subject: |
|
|
 Jedi Knight
Joined: 22 Mar 2010 Posts: 4941 Location: Bloomington, IL USA
|
Ross wrote: |
I would like to figure why this isn't working. |
My first guess would be the DataDirect driver. V7 runtime is pretty good, especially on 7.0.0.5. You've proven that DD V7/WMB V8 combo works. There's not a huge difference in the runtime database code between V7/V8. |
|
Ross |
Posted: Wed Jul 31, 2013 12:04 pm Post subject: |
|
|
Centurion
Joined: 15 Jun 2005 Posts: 127 Location: Ireland
|
I've also proven that Broker V7-> DDV7 works! (V7.0.1.6)
Yes, something's probably up with the driver, but am I being naive to assume that IBM broker and IBM supported DD V6 driver should work in its basic form!!
The main issue I've had with DD is their error codes. We had a Pseudo Random Number Generator (PRNG - /dev/random) error which was caused by 1 missing statement in the Oracle listener! Not exactly the correct message...
So it seems more likely that I need a slight config tweak. Especially if others aren't getting the error. |
|
mqjeff |
Posted: Wed Jul 31, 2013 12:07 pm Post subject: |
|
|
Grand Master
Joined: 25 Jun 2008 Posts: 17447
|
Ross wrote: |
I've also proven that Broker V7-> DDV7 works! (V7.0.1.6) |
Works is not the same as supported, alas.
Ross wrote: |
Yes, something's probably up with the driver, but am I being naive to assume that IBM broker and IBM supported DD V6 driver should work in its basic form!! |
Broker publishes specific documentation on what features of Oracle connectivity are supported and which aren't.
If SSL isn't supported before v8, then nobody's likely using it. |
|
Ross |
Posted: Wed Jul 31, 2013 12:13 pm Post subject: |
|
|
Centurion
Joined: 15 Jun 2005 Posts: 127 Location: Ireland
|
They support SSL with Broker V7 with DD V6. They sent us the libraries via a PMR. This is 4 changed modules from the non-ssl standard.
That is the reason I'm trying to get V6 working rather than using V7. |
|
Ross |
Posted: Wed Oct 16, 2013 1:43 pm Post subject: |
|
|
Centurion
Joined: 15 Jun 2005 Posts: 127 Location: Ireland
|
As an update.
We never got DD V6 working with WMB V7. IBM did on their systems which makes it frustrating!
They agreed to support us in this instance.
Solution, but with a bitter taste of defeat!!!
Thanks.
Ross. |
|
wibble7 |
Posted: Tue Nov 19, 2013 8:02 am Post subject: |
|
|
Novice
Joined: 30 Apr 2012 Posts: 18
|
Hi Ross,
We are also trying to implement the same, can you share the missing statement from the Oracle Listener that caused the Pseudo Random Number Generator (PRNG - /dev/random) error as that is one of the errors we have got. Which version of SSL have you managed to get this working with?
Cheers Andy |
|
Ross |
Posted: Tue Nov 19, 2013 12:03 pm Post subject: |
|
|
Centurion
Joined: 15 Jun 2005 Posts: 127 Location: Ireland
|
Hi Andy,
The issue with our config was that the SSL_CLIENT_AUTHENTICATION = FALSE statement was not in the listener.ora file on the Oracle lpar.
We were testing one-way auth at the time, so needed this added.
We were testing using 3DES SSL/TLS. Set up using GSKit V8 on the broker side.
Hope this helps.
If not, Data Direct have supplied a new version of the driver to IBM which has updated error messages (I believe this is the only difference), so this might help. Also, they supplied us with an instrumented driver to output a trace log.
Regards,
Ross. |
|
|
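The listener.ora fix described in the last post above, as an added example that is not part of the thread: a small Python check that reports when a TCPS listener will demand a client certificate from a client configured for one-way authentication. It relies on Oracle's documented default of TRUE when SSL_CLIENT_AUTHENTICATION is absent; the sample file, host name, port and wallet path are constructed, and the function names are hypothetical.

```python
import re

# Constructed sample: a TCPS listener with no SSL_CLIENT_AUTHENTICATION line.
SAMPLE_LISTENER_ORA = """\
# listener.ora (constructed sample, hypothetical host and wallet path)
LISTENER =
  (DESCRIPTION_LIST =
    (DESCRIPTION =
      (ADDRESS = (PROTOCOL = TCPS)(HOST = dbhost.example)(PORT = 2484))
    )
  )
WALLET_LOCATION =
  (SOURCE = (METHOD = FILE)(METHOD_DATA = (DIRECTORY = /u01/app/oracle/wallet)))
"""

def strip_comments(text):
    """Drop '#' comment lines so commented-out settings are not counted."""
    return "\n".join(l for l in text.splitlines() if not l.lstrip().startswith("#"))

def client_auth_required(text):
    """Return (required, explicit). Oracle defaults the parameter to TRUE."""
    m = re.search(r"^\s*SSL_CLIENT_AUTHENTICATION\s*=\s*(\w+)",
                  strip_comments(text), re.I | re.M)
    if m is None:
        return True, False
    return m.group(1).upper() == "TRUE", True

def tcps_ports(text):
    """Ports of every ADDRESS entry that uses PROTOCOL = TCPS."""
    ports = []
    addr_re = r"\(\s*ADDRESS\s*=((?:\s*\([^()]*\))+)\s*\)"
    for addr in re.findall(addr_re, strip_comments(text), re.I):
        pairs = re.findall(r"\(\s*(\w+)\s*=\s*([^()]*)\)", addr)
        fields = {k.upper(): v.strip() for k, v in pairs}
        if fields.get("PROTOCOL", "").upper() == "TCPS":
            ports.append(int(fields.get("PORT", 0)))
    return ports

def check(text, client_sends_cert):
    """Compare the listener's auth mode with what the client is set up to do."""
    findings = []
    if not tcps_ports(text):
        findings.append("no TCPS address: listener is not offering SSL/TLS")
    required, explicit = client_auth_required(text)
    if required and not client_sends_cert:
        why = "set to TRUE" if explicit else "absent, so the default TRUE applies"
        findings.append(f"SSL_CLIENT_AUTHENTICATION {why}: one-way client will fail the handshake")
    return findings
```

Run `check()` against the real listener.ora before chasing driver error text, since the thread shows the driver's message for this mismatch pointed at the PRNG instead.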