Problem connecting to QM from Glassfish, using JMS with SSL
grebenar
Posted: Fri Mar 07, 2014 10:21 am

Novice

Joined: 10 Apr 2006
Posts: 22
Location: Budapest, Hungary

Hello,

we've been trying to solve a connection problem.
We have an application in Glassfish which uses JMS messaging. It can connect to a qmgr with a non-ssl client channel, and operates well.
When we want to secure the channel, we are not able to get a working connection. I get a "bad certificate" message.

However, I believe that I have correct trust/keystores and channel/bindings file definitions. To prove it, I wrote a simple program (skipping the Glassfish app server) that uses the key/trust stores of the glassfish-program, uses the same .bindings file, and it is able to connect to the qm perfectly.

Here is the sample:

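import javax.jms.BytesMessage;
import javax.jms.Connection;
import javax.jms.DeliveryMode;
import javax.jms.MessageProducer;
import javax.jms.Queue;
import javax.jms.Session;
import javax.naming.Context;
import javax.naming.directory.InitialDirContext;
import com.ibm.mq.MQMessage;
import com.ibm.mq.jms.MQQueueConnectionFactory;
import com.ibm.msg.client.wmq.WMQConstants;

// Class wrapper and imports added so the posted fragment compiles.
public class JmsSslSample {
    public static void main(String[] args) throws Exception {
        // JNDI file-system context pointing at the directory with the .bindings file
        String url = "file:/C:/Users/u200089/Tools/bindings/QMGR_T2";
        String icf = "com.sun.jndi.fscontext.RefFSContextFactory";
        java.util.Hashtable<String, String> environment = new java.util.Hashtable<String, String>();
        environment.put(Context.PROVIDER_URL, url);
        environment.put(Context.INITIAL_CONTEXT_FACTORY, icf);
        Context ctx = new InitialDirContext(environment);
        MQMessage m = new MQMessage();

        MQQueueConnectionFactory factory = (MQQueueConnectionFactory) ctx.lookup("QMGR_T2");

        // Point JSSE at the key store and trust store before the connection is created
        System.setProperty("javax.net.ssl.keyStore", "C:/Users/u234589/Tools/ssl/keystore2.jks");
        System.setProperty("javax.net.ssl.keyStorePassword", "changeit");
        System.setProperty("javax.net.ssl.trustStore", "C:/Users/u234589/Tools/ssl/cacerts2.jks");
        System.setProperty("javax.net.ssl.trustStorePassword", "changeit");

        Connection connection = factory.createConnection();

        connection.start();

        Session session;
        boolean transacted = true;
        session = connection.createSession(transacted, Session.SESSION_TRANSACTED);

        Queue outQueue = (Queue) ctx.lookup("OUTQ");
        MessageProducer producer = session.createProducer(outQueue);
        BytesMessage outMessage = session.createBytesMessage();
        // CCSID 1208 = UTF-8, matching the encoding of the payload bytes
        outMessage.setIntProperty(WMQConstants.JMS_IBM_CHARACTER_SET, 1208);
        outMessage.writeBytes("Árvíztűrő tükörfúrógép".getBytes("UTF-8"));

        producer.setDeliveryMode(DeliveryMode.PERSISTENT);
        producer.setPriority(5);

        producer.send(outMessage);
        session.commit();
        producer.close();
        connection.stop();
        connection.close();
        System.out.println("Successful program completion!");
    }
}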


The JSSE layer in Glassfish seems to be initialized properly, as other functions of the program use the keys in it.
The Glassfish-MQ JMS bridge is done with GENERICJMSRA as the Oracle documentation describes it.
When it tries to make the SSL-secured MQ client connection, I get the following error trace:


[#|2014-03-03T09:45:35.734+0100|SEVERE|glassfish3.1.2|javax.enterprise.system.container.ejb.mdb.com.sun.ejb.containers|_ThreadID=21;_ThreadName=Thread-2;|java.lang.Exception
java.lang.Exception
at com.sun.enterprise.connectors.inbound.ConnectorMessageBeanClient.setup(ConnectorMessageBeanClient.java:233)
at com.sun.ejb.containers.MessageBeanContainer.<init>(MessageBeanContainer.java:205)
at com.sun.ejb.containers.ContainerFactoryImpl.createContainer(ContainerFactoryImpl.java:121)
at org.glassfish.ejb.startup.EjbApplication.loadContainers(EjbApplication.java:230)
at org.glassfish.ejb.startup.EjbDeployer.load(EjbDeployer.java:305)
at org.glassfish.ejb.startup.EjbDeployer.load(EjbDeployer.java:108)
at org.glassfish.internal.data.ModuleInfo.load(ModuleInfo.java:186)
at org.glassfish.internal.data.ApplicationInfo.load(ApplicationInfo.java:264)
at com.sun.enterprise.v3.server.ApplicationLifecycle.deploy(ApplicationLifecycle.java:460)
at com.sun.enterprise.v3.server.ApplicationLifecycle.deploy(ApplicationLifecycle.java:240)
at org.glassfish.deployment.admin.DeployCommand.execute(DeployCommand.java:389)
at com.sun.enterprise.v3.admin.CommandRunnerImpl$1.execute(CommandRunnerImpl.java:348)
at com.sun.enterprise.v3.admin.CommandRunnerImpl.doCommand(CommandRunnerImpl.java:363)
at com.sun.enterprise.v3.admin.CommandRunnerImpl.doCommand(CommandRunnerImpl.java:1085)
at com.sun.enterprise.v3.admin.CommandRunnerImpl.access$1200(CommandRunnerImpl.java:95)
at com.sun.enterprise.v3.admin.CommandRunnerImpl$ExecutionContext.execute(CommandRunnerImpl.java:1291)
at com.sun.enterprise.v3.admin.CommandRunnerImpl$ExecutionContext.execute(CommandRunnerImpl.java:1259)
at org.glassfish.admin.rest.ResourceUtil.runCommand(ResourceUtil.java:214)
at org.glassfish.admin.rest.ResourceUtil.runCommand(ResourceUtil.java:207)
at org.glassfish.admin.rest.resources.TemplateListOfResource.createResource(TemplateListOfResource.java:148)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:597)
at com.sun.jersey.spi.container.JavaMethodInvokerFactory$1.invoke(JavaMethodInvokerFactory.java:60)
at com.sun.jersey.server.impl.model.method.dispatch.AbstractResourceMethodDispatchProvider$ResponseOutInvoker._dispatch(AbstractResourceMethodDispatchProvider.java:205)
at com.sun.jersey.server.impl.model.method.dispatch.ResourceJavaMethodDispatcher.dispatch(ResourceJavaMethodDispatcher.java:75)
at com.sun.jersey.server.impl.uri.rules.HttpMethodRule.accept(HttpMethodRule.java:288)
at com.sun.jersey.server.impl.uri.rules.SubLocatorRule.accept(SubLocatorRule.java:134)
at com.sun.jersey.server.impl.uri.rules.RightHandPathRule.accept(RightHandPathRule.java:147)
at com.sun.jersey.server.impl.uri.rules.SubLocatorRule.accept(SubLocatorRule.java:134)
at com.sun.jersey.server.impl.uri.rules.RightHandPathRule.accept(RightHandPathRule.java:147)
at com.sun.jersey.server.impl.uri.rules.ResourceClassRule.accept(ResourceClassRule.java:108)
at com.sun.jersey.server.impl.uri.rules.RightHandPathRule.accept(RightHandPathRule.java:147)
at com.sun.jersey.server.impl.uri.rules.RootResourceClassesRule.accept(RootResourceClassesRule.java:84)
at com.sun.jersey.server.impl.application.WebApplicationImpl._handleRequest(WebApplicationImpl.java:1469)
at com.sun.jersey.server.impl.application.WebApplicationImpl._handleRequest(WebApplicationImpl.java:1400)
at com.sun.jersey.server.impl.application.WebApplicationImpl.handleRequest(WebApplicationImpl.java:1349)
at com.sun.jersey.server.impl.application.WebApplicationImpl.handleRequest(WebApplicationImpl.java:1339)
at com.sun.jersey.server.impl.container.grizzly.GrizzlyContainer._service(GrizzlyContainer.java:182)
at com.sun.jersey.server.impl.container.grizzly.GrizzlyContainer.service(GrizzlyContainer.java:147)
at org.glassfish.admin.rest.adapter.RestAdapter.service(RestAdapter.java:148)
at com.sun.grizzly.tcp.http11.GrizzlyAdapter.service(GrizzlyAdapter.java:179)
at com.sun.enterprise.v3.server.HK2Dispatcher.dispath(HK2Dispatcher.java:117)
at com.sun.enterprise.v3.services.impl.ContainerMapper$Hk2DispatcherCallable.call(ContainerMapper.java:354)
at com.sun.enterprise.v3.services.impl.ContainerMapper.service(ContainerMapper.java:195)
at com.sun.grizzly.http.ProcessorTask.invokeAdapter(ProcessorTask.java:860)
at com.sun.grizzly.http.ProcessorTask.doProcess(ProcessorTask.java:757)
at com.sun.grizzly.http.ProcessorTask.process(ProcessorTask.java:1056)
at com.sun.grizzly.http.DefaultProtocolFilter.execute(DefaultProtocolFilter.java:229)
at com.sun.grizzly.DefaultProtocolChain.executeProtocolFilter(DefaultProtocolChain.java:137)
at com.sun.grizzly.DefaultProtocolChain.execute(DefaultProtocolChain.java:104)
at com.sun.grizzly.DefaultProtocolChain.execute(DefaultProtocolChain.java:90)
at com.sun.grizzly.http.HttpProtocolChain.execute(HttpProtocolChain.java:79)
at com.sun.grizzly.ProtocolChainContextTask.doCall(ProtocolChainContextTask.java:54)
at com.sun.grizzly.SelectionKeyContextTask.call(SelectionKeyContextTask.java:59)
at com.sun.grizzly.ContextTask.run(ContextTask.java:71)
at com.sun.grizzly.util.AbstractThreadPool$Worker.doWork(AbstractThreadPool.java:532)
at com.sun.grizzly.util.AbstractThreadPool$Worker.run(AbstractThreadPool.java:513)
at java.lang.Thread.run(Thread.java:662)
Caused by: javax.resource.ResourceException: JMSWMQ0018: Failed to connect to queue manager 'QMGR_T2' with connection mode 'Client' and host name 'hostname.hu(1414)'.
at com.sun.genericra.util.ExceptionUtils.newResourceException(ExceptionUtils.java:73)
at com.sun.genericra.inbound.async.InboundJmsResourcePool.initialize(InboundJmsResourcePool.java:173)
at com.sun.genericra.inbound.async.EndpointConsumer.initialize(EndpointConsumer.java:89)
at com.sun.genericra.inbound.async.EndpointConsumer.start(EndpointConsumer.java:82)
at com.sun.genericra.GenericJMSRA.endpointActivation(GenericJMSRA.java:216)
at com.sun.enterprise.connectors.inbound.ConnectorMessageBeanClient.setup(ConnectorMessageBeanClient.java:225)
... 59 more
Caused by: com.ibm.msg.client.jms.DetailedJMSException: JMSWMQ0018: Failed to connect to queue manager 'QMGR_T2' with connection mode 'Client' and host name 'hostname.hu(1414)'.
Check the queue manager is started and if running in client mode, check there is a listener running. Please see the linked exception for more information.
at com.ibm.msg.client.wmq.common.internal.Reason.reasonToException(Reason.java:580)
at com.ibm.msg.client.wmq.common.internal.Reason.createException(Reason.java:216)
at com.ibm.msg.client.wmq.internal.WMQConnection.<init>(WMQConnection.java:423)
at com.ibm.msg.client.wmq.factories.WMQConnectionFactory.createV7ProviderConnection(WMQConnectionFactory.java:6772)
at com.ibm.msg.client.wmq.factories.WMQConnectionFactory.createProviderConnection(WMQConnectionFactory.java:6151)
at com.ibm.msg.client.jms.admin.JmsConnectionFactoryImpl.createConnection(JmsConnectionFactoryImpl.java:280)
at com.ibm.mq.jms.MQConnectionFactory.createCommonConnection(MQConnectionFactory.java:6143)
at com.ibm.mq.jms.MQQueueConnectionFactory.createQueueConnection(MQQueueConnectionFactory.java:144)
at com.sun.genericra.inbound.AbstractJmsResourcePool.createConnection(AbstractJmsResourcePool.java:178)
at com.sun.genericra.inbound.async.InboundJmsResourcePool.initialize(InboundJmsResourcePool.java:168)
... 63 more
Caused by: com.ibm.mq.MQException: JMSCMQ0001: WebSphere MQ call failed with compcode '2' ('MQCC_FAILED') reason '2397' ('MQRC_JSSE_ERROR').
at com.ibm.msg.client.wmq.common.internal.Reason.createException(Reason.java:204)
... 71 more
Caused by: com.ibm.mq.jmqi.JmqiException: CC=2;RC=2397;AMQ9204: Connection to host 'hostname.hu(1414)' rejected. [1=com.ibm.mq.jmqi.JmqiException[CC=2;RC=2397;AMQ9771: SSL handshake failed. [1=javax.net.ssl.SSLHandshakeException[Received fatal alert: bad_certificate],3=hostname.hu/172.25.3.24:1414 (hostname.hu),4=SSLSocket.startHandshake,5=default]],3=hostname.hu(1414),5=RemoteTCPConnection.protocolConnect]
at com.ibm.mq.jmqi.remote.api.RemoteFAP.jmqiConnect(RemoteFAP.java:2059)
at com.ibm.mq.jmqi.remote.api.RemoteFAP.jmqiConnect(RemoteFAP.java:1334)
at com.ibm.msg.client.wmq.internal.WMQConnection.<init>(WMQConnection.java:342)
... 70 more
Caused by: com.ibm.mq.jmqi.JmqiException: CC=2;RC=2397;AMQ9771: SSL handshake failed. [1=javax.net.ssl.SSLHandshakeException[Received fatal alert: bad_certificate],3=hostname.hu/172.25.3.24:1414 (hostname.hu),4=SSLSocket.startHandshake,5=default]
at com.ibm.mq.jmqi.remote.impl.RemoteTCPConnection.protocolConnect(RemoteTCPConnection.java:1187)
at com.ibm.mq.jmqi.remote.impl.RemoteConnection.connect(RemoteConnection.java:711)
at com.ibm.mq.jmqi.remote.impl.RemoteConnectionSpecification.getSessionFromNewConnection(RemoteConnectionSpecification.java:355)
at com.ibm.mq.jmqi.remote.impl.RemoteConnectionSpecification.getSession(RemoteConnectionSpecification.java:264)
at com.ibm.mq.jmqi.remote.impl.RemoteConnectionPool.getSession(RemoteConnectionPool.java:144)
at com.ibm.mq.jmqi.remote.api.RemoteFAP.jmqiConnect(RemoteFAP.java:1681)
... 72 more
Caused by: javax.net.ssl.SSLHandshakeException: Received fatal alert: bad_certificate


On the MQ server, I get this log entry:
AMQ9633: Bad SSL certificate for channel '????'.

EXPLANATION:
A certificate encountered during SSL handshaking is regarded as bad for one of
the following reasons:
(a) it was formatted incorrectly and could not be validated
(b) it was formatted correctly but failed validation against the Certification
Authority (CA) root and other certificates held on the local system
(c) it was found in a Certification Revocation List (CRL) on an LDAP server
(d) a CRL was specified but the CRL could not be found on the LDAP server
(e) an OCSP responder has indicated that it is revoked

The channel is '????'; in some cases its name cannot be determined and so is
shown as '????'. The remote host is 'enbapp1 (172.25.3.22)'. The channel did
not start.

The details of the certificate which could not be validated are '????'.

The certificate validation error was 575010. For a table of certificate
validation errors and their meanings, search for "Secure Sockets Layer (SSL)
and Transport Layer Security (TLS) return codes" in the WebSphere MQ
Information Center.
ACTION:
Check which of the possible causes applies on your system. Correct the error,
and restart the channel.


I would really appreciate your ideas.
Thanks,
Robert
fjb_saper
Posted: Sat Mar 08, 2014 7:38 am

Grand High Poobah

Joined: 18 Nov 2003
Posts: 20696
Location: LI,NY

grebenar wrote:

The details of the certificate which could not be validated are '????'.

The certificate validation error was 575010. For a table of certificate
validation errors and their meanings, search for "Secure Sockets Layer (SSL)
and Transport Layer Security (TLS) return codes" in the WebSphere MQ
Information Center.
ACTION:
Check which of the possible causes applies on your system. Correct the error,
and restart the channel.


I would really appreciate your ideas.
Thanks,
Robert

So what did you find when you searched as indicated above?
_________________
MQ & Broker admin
grebenar
Posted: Sun Mar 09, 2014 1:18 am

Novice

Joined: 10 Apr 2006
Posts: 22
Location: Budapest, Hungary

Sure, I checked that message, too. I found "No certificate chain was built". Which is something I don't understand, since the qmgr keystore is good, and the client jks keystore is good also. (A native java program connects through the channel with ssl, using the same jks, and also my sample program was able to connect to a reproduction qmgr using the same keystores).
There must be something in Glassfish. Unfortunately I've never worked with that app server, so I've looked at many, many documentation pages, but - till now - without result 😥
fjb_saper
Posted: Sun Mar 09, 2014 2:50 am

Grand High Poobah

Joined: 18 Nov 2003
Posts: 20696
Location: LI,NY

I would expect Glassfish not to be using the keystore you think it is using.
Glassfish would be using a keystore of its own. You may have to add the certificates from that keystore and to that keystore...

Have fun
_________________
MQ & Broker admin
grebenar
Posted: Sun Mar 09, 2014 2:55 am

Novice

Joined: 10 Apr 2006
Posts: 22
Location: Budapest, Hungary

Glassfish has its own key/trust stores, which have the correct MQ certs imported. I've used these (Glassfish) keystores to connect to the qmgr from my JMS sample, no problem in connecting. Fun starts to be too much 😉
Thanks for the ideas anyway!
fjb_saper
Posted: Sun Mar 09, 2014 12:31 pm

Grand High Poobah

Joined: 18 Nov 2003
Posts: 20696
Location: LI,NY

grebenar wrote:
Glassfish has its own key/trust stores, which have the correct MQ certs imported. I've used these (Glassfish) keystores to connect to the qmgr from my JMS sample, no problem in connecting. Fun starts to be too much 😉
Thanks for the ideas anyway!


Obviously if it works one way and you get bad cert chain on the other, you are not using the same keystores / truststore. You might be thinking you are, but then you should not be getting a different response.

Find out, however difficult this task is, what keystore / truststore pair is actually being used and verify the cert chain in each of those stores...
_________________
MQ & Broker admin
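
Added example (not part of the thread and not code from either poster): a small Java diagnostic for the check suggested in the last reply, which store files a JVM actually has configured and what certificate chains they hold. It reads the standard JSSE system properties `javax.net.ssl.keyStore` and `javax.net.ssl.trustStore` (plus their `Password` and `Type` variants); the class name `EffectiveStores` and its method names are hypothetical.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Collections;

// Added diagnostic (hypothetical class, not from the thread). Run or call it in
// the same JVM as the failing connection so it reads that JVM's properties.
public class EffectiveStores {

    // prefix is "javax.net.ssl.keyStore" or "javax.net.ssl.trustStore"
    static void dump(String prefix) throws Exception {
        String path = System.getProperty(prefix);
        System.out.println(prefix + " = " + path);
        if (path == null) {
            return; // property not set in this JVM, nothing to inspect
        }
        String pass = System.getProperty(prefix + "Password");
        String type = System.getProperty(prefix + "Type", KeyStore.getDefaultType());
        KeyStore ks = KeyStore.getInstance(type);
        InputStream in = new FileInputStream(path);
        try {
            ks.load(in, pass == null ? null : pass.toCharArray());
        } finally {
            in.close();
        }
        for (String alias : Collections.list(ks.aliases())) {
            if (ks.isKeyEntry(alias)) {
                // Private-key entry: a candidate client certificate and its chain
                Certificate[] chain = ks.getCertificateChain(alias);
                int n = (chain == null) ? 0 : chain.length;
                System.out.println("  key entry '" + alias + "', chain length " + n);
                for (int i = 0; i < n; i++) {
                    describe("    [" + i + "] ", (X509Certificate) chain[i]);
                }
            } else {
                Certificate c = ks.getCertificate(alias);
                if (c instanceof X509Certificate) {
                    describe("  trusted '" + alias + "' ", (X509Certificate) c);
                }
            }
        }
    }

    static void describe(String label, X509Certificate c) {
        boolean selfIssued = c.getSubjectX500Principal().equals(c.getIssuerX500Principal());
        System.out.println(label + "subject=" + c.getSubjectX500Principal().getName()
                + " issuer=" + c.getIssuerX500Principal().getName()
                + " notAfter=" + c.getNotAfter() + (selfIssued ? " (self-issued)" : ""));
    }

    public static void main(String[] args) throws Exception {
        dump("javax.net.ssl.keyStore");
        dump("javax.net.ssl.trustStore");
    }
}
```

Comparing the output from the stand-alone sample's JVM with the output produced inside the Glassfish JVM shows whether both really load the same files, and which private-key entries and chains each store holds.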