WMQ with SSL using Oracle JVM |
4integration |
Posted: Mon Sep 01, 2014 10:45 pm Post subject: WMQ with SSL using Oracle JVM |
|
|
 Disciple
Joined: 04 Sep 2006 Posts: 197 Location: Gothenburg, Sweden
|
Hi,
I am trying the example described here and it works fine with JavaKeyStore (JKS) using IBM's JVM (and SSL provider) and pretty out of the box.
Just pointing to the JKS file and set the password etc.
But when changing to Oracle JVM I am facing problems with this exception:
Code: |
JSSE is installed correctly!
Number of keys on JKS: 3
SSLContext provider: SunJSSE version 1.7
com.ibm.msg.client.jms.DetailedJMSException: JMSWMQ0018: Failed to connect to queue manager 'EBNGWT' with connection mode 'Client' and host name 'ebngwt.srv.company.com(1416)'.
Check the queue manager is started and if running in client mode, check there is a listener running. Please see the linked exception for more information.
at com.ibm.msg.client.wmq.common.internal.Reason.reasonToException(Reason.java:585)
at com.ibm.msg.client.wmq.common.internal.Reason.createException(Reason.java:221)
at com.ibm.msg.client.wmq.internal.WMQConnection.<init>(WMQConnection.java:426)
at com.ibm.msg.client.wmq.factories.WMQConnectionFactory.createV7ProviderConnection(WMQConnectionFactory.java:6902)
at com.ibm.msg.client.wmq.factories.WMQConnectionFactory.createProviderConnection(WMQConnectionFactory.java:6277)
at com.ibm.msg.client.jms.admin.JmsConnectionFactoryImpl.createConnection(JmsConnectionFactoryImpl.java:285)
at com.ibm.mq.jms.MQConnectionFactory.createCommonConnection(MQConnectionFactory.java:6233)
at com.ibm.mq.jms.MQQueueConnectionFactory.createQueueConnection(MQQueueConnectionFactory.java:149)
at sample.wmq.ssl.SSLTest.main(SSLTest.java:89)
Caused by: com.ibm.mq.MQException: JMSCMQ0001: WebSphere MQ call failed with compcode '2' ('MQCC_FAILED') reason '2397' ('MQRC_JSSE_ERROR').
at com.ibm.msg.client.wmq.common.internal.Reason.createException(Reason.java:209)
... 7 more
Caused by: com.ibm.mq.jmqi.JmqiException: CC=2;RC=2397;AMQ9204: Connection to host 'ebngwt.srv.company.com(1416)' rejected. [1=com.ibm.mq.jmqi.JmqiException[CC=2;RC=2397;AMQ9771: SSL handshake failed. [1=javax.net.ssl.SSLHandshakeException[sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: algorithm constraints check failed],3=ebngwt.srv.company.com/153.112.166.5:1416 (ebngwt.srv.company.com),4=SSLSocket.startHandshake,5=default]],3=ebngwt.srv.company.com(1416),5=RemoteTCPConnection.protocolConnect]
at com.ibm.mq.jmqi.remote.api.RemoteFAP.jmqiConnect(RemoteFAP.java:2053)
at com.ibm.mq.jmqi.remote.api.RemoteFAP.jmqiConnect(RemoteFAP.java:1226)
at com.ibm.mq.ese.jmqi.InterceptedJmqiImpl.jmqiConnect(InterceptedJmqiImpl.java:311)
at com.ibm.mq.ese.jmqi.ESEJMQI.jmqiConnect(ESEJMQI.java:337)
at com.ibm.msg.client.wmq.internal.WMQConnection.<init>(WMQConnection.java:346)
... 6 more
Caused by: com.ibm.mq.jmqi.JmqiException: CC=2;RC=2397;AMQ9771: SSL handshake failed. [1=javax.net.ssl.SSLHandshakeException[sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: algorithm constraints check failed],3=ebngwt.srv.company.com/153.112.166.5:1416 (ebngwt.srv.company.com),4=SSLSocket.startHandshake,5=default]
at com.ibm.mq.jmqi.remote.impl.RemoteTCPConnection.protocolConnect(RemoteTCPConnection.java:1187)
at com.ibm.mq.jmqi.remote.impl.RemoteConnection.connect(RemoteConnection.java:724)
at com.ibm.mq.jmqi.remote.impl.RemoteConnectionSpecification.getSessionFromNewConnection(RemoteConnectionSpecification.java:400)
at com.ibm.mq.jmqi.remote.impl.RemoteConnectionSpecification.getSession(RemoteConnectionSpecification.java:299)
at com.ibm.mq.jmqi.remote.impl.RemoteConnectionPool.getSession(RemoteConnectionPool.java:164)
at com.ibm.mq.jmqi.remote.api.RemoteFAP.jmqiConnect(RemoteFAP.java:1598)
... 10 more
Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: algorithm constraints check failed
at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1884)
at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:276)
at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:270)
at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1341)
at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:153)
at sun.security.ssl.Handshaker.processLoop(Handshaker.java:868)
at sun.security.ssl.Handshaker.process_record(Handshaker.java:804)
at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1016)
at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1312)
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1339)
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1323)
at com.ibm.mq.jmqi.remote.impl.RemoteTCPConnection$6.run(RemoteTCPConnection.java:1156)
at com.ibm.mq.jmqi.remote.impl.RemoteTCPConnection$6.run(RemoteTCPConnection.java:1151)
at java.security.AccessController.doPrivileged(Native Method)
at com.ibm.mq.jmqi.remote.impl.RemoteTCPConnection.protocolConnect(RemoteTCPConnection.java:1149)
... 15 more
Caused by: sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: algorithm constraints check failed
at sun.security.validator.PKIXValidator.doValidate(PKIXValidator.java:350)
at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:249)
at sun.security.validator.Validator.validate(Validator.java:260)
at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:326)
at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:231)
at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:126)
at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1323)
... 26 more
Caused by: java.security.cert.CertPathValidatorException: algorithm constraints check failed
at sun.security.provider.certpath.PKIXMasterCertPathValidator.validate(PKIXMasterCertPathValidator.java:159)
at sun.security.provider.certpath.PKIXCertPathValidator.doValidate(PKIXCertPathValidator.java:351)
at sun.security.provider.certpath.PKIXCertPathValidator.engineValidate(PKIXCertPathValidator.java:191)
at java.security.cert.CertPathValidator.validate(CertPathValidator.java:279)
at sun.security.validator.PKIXValidator.doValidate(PKIXValidator.java:345)
... 32 more
Press any key to continue . . . |
The code looks like:
Code: |
package sample.wmq.ssl;

import com.ibm.mq.jms.*;
import java.io.FileInputStream;
import java.security.*;
import javax.jms.JMSException;
import javax.jms.QueueConnection;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManagerFactory;
import com.ibm.mq.jms.MQQueueConnectionFactory;

public class SSLTest {
    public static void main(String[] args) {
        System.out.println(System.getProperty("java.home"));
        String HOSTNAME = "ebngwt.srv.company.com";
        String QMGRNAME = "EBNGWT";
        String CHANNEL = "ADTI.SRV01";
        // CipherSuite SSL_RSA_WITH_3DES_EDE_CBC_SHA is the same as WebSphere MQ 'CipherSpec' TRIPLE_DES_SHA_US
        // see book 'WebSphereMQ - Using Java' for equivalency table
        String SSLCIPHERSUITE = "SSL_RSA_WITH_3DES_EDE_CBC_SHA";
        try {
            Class.forName("com.sun.net.ssl.internal.ssl.Provider");
            System.out.println("JSSE is installed correctly!");
            char[] KSPW = "password".toCharArray();
            // instantiate a KeyStore with type JKS
            KeyStore ks = KeyStore.getInstance("JKS");
            // load the contents of the KeyStore
            ks.load(new FileInputStream("C:\\wmqssl-jks\\key.jks"), KSPW);
            System.out.println("Number of keys on JKS: " + Integer.toString(ks.size()));
            // Create a keystore object for the truststore
            KeyStore trustStore = KeyStore.getInstance("JKS");
            // Open our file and read the truststore (no password)
            trustStore.load(new FileInputStream("C:\\wmqssl-jks\\key.jks"), null);
            // Create a default trust and key manager
            TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
            KeyManagerFactory keyManagerFactory = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
            // Initialise the managers
            trustManagerFactory.init(trustStore);
            keyManagerFactory.init(ks, KSPW);
            // Get an SSL context.
            // Note: not all providers support all CipherSuites. But the
            // "SSL_RSA_WITH_3DES_EDE_CBC_SHA" CipherSuite is supported on both SunJSSE
            // and IBMJSSE2 providers
            // Accessing available algorithm/protocol in the SunJSSE provider
            // see http://java.sun.com/javase/6/docs/technotes/guides/security/SunProviders.html
            SSLContext sslContext = SSLContext.getInstance("SSLv3");
            // Accessing available algorithm/protocol in the IBMJSSE2 provider
            // see http://www.ibm.com/developerworks/java/jdk/security/142/secguides/jsse2docs/JSSE2RefGuide.html
            // SSLContext sslContext = SSLContext.getInstance("SSL_TLS");
            System.out.println("SSLContext provider: " + sslContext.getProvider().toString());
            // Initialise our SSL context from the key/trust managers
            sslContext.init(keyManagerFactory.getKeyManagers(), trustManagerFactory.getTrustManagers(), null);
            // Get an SSLSocketFactory to pass to WMQ
            SSLSocketFactory sslSocketFactory = sslContext.getSocketFactory();
            // Create default MQ connection factory
            MQQueueConnectionFactory factory = new MQQueueConnectionFactory();
            // Customize the factory
            factory.setSSLSocketFactory(sslSocketFactory);
            factory.setTransportType(JMSC.MQJMS_TP_CLIENT_MQ_TCPIP);
            factory.setQueueManager(QMGRNAME);
            factory.setHostName(HOSTNAME);
            factory.setChannel(CHANNEL);
            factory.setPort(1416);
            factory.setSSLFipsRequired(false);
            factory.setSSLCipherSuite(SSLCIPHERSUITE);
            QueueConnection connection = null;
            connection = factory.createQueueConnection("", ""); // empty user, pass to avoid
                                                                // MQJMS2013 messages
            connection.start();
            System.out.println("JMS SSL client connection started!");
            connection.close();
        } catch (JMSException ex) {
            ex.printStackTrace();
        } catch (Exception ex) {
            ex.printStackTrace();
        }
    }
} |
Do I need to do some configuration in Oracle JVM ?
Any ideas what actions I need to take? _________________ Best regards
4 Integration |
fjb_saper |
Posted: Tue Sep 02, 2014 12:00 am Post subject: |
|
|
 Grand High Poobah
Joined: 18 Nov 2003 Posts: 20756 Location: LI,NY
|
You're not specifying the version of WMQ and yes it is relevant.
If V 7.5.0.x open a PMR, specify the version of WMQ and the version of java and ask for the relevant APAR. (up to 7.5.0.3, I guess the fix will make 7.5.0.4 )
If you're using an IBM JVM everything should work. For a non IBM JVM the APAR is necessary.
Also run your program with JVM option -Djavax.net.debug=true and attach the output to the PMR.
Have fun  _________________ MQ & Broker admin |
4integration |
Posted: Tue Sep 02, 2014 4:06 am Post subject: |
|
|
 Disciple
Joined: 04 Sep 2006 Posts: 197 Location: Gothenburg, Sweden
|
Hi,
I am using:
Code: |
C:\>dspmqver
Name: WebSphere MQ
Version: 7.5.0.2
Level: p750-002-130627
BuildType: IKAP - (Production)
Platform: WebSphere MQ for Windows
Mode: 32-bit
O/S: Windows Ver 6.2 (5) Enterprise x64 Edition, Build 9200
InstName: Installation1
InstDesc:
Primary: Yes
InstPath: C:\Program Files (x86)\IBM\WebSphere MQ
DataPath: C:\Program Files (x86)\IBM\WebSphere MQ
MaxCmdLevel: 750
C:\>java -version
java version "1.7.0_55"
Java(TM) SE Runtime Environment (build 1.7.0_55-b13)
Java HotSpot(TM) Client VM (build 24.55-b03, mixed mode, sharing)
|
I was thinking if Oracle JVM required some actions using keytool etc but I have not found any good documentation.
But sure I can register a PMR _________________ Best regards
4 Integration |
RogerLacroix |
Posted: Tue Sep 02, 2014 9:38 am Post subject: |
|
|
 Jedi Knight
Joined: 15 May 2001 Posts: 3264 Location: London, ON Canada
|
Hi,
I just went through this issue with MQ Visual Browse and WMQ v7.5 and I posted it here.
Basically, it boils down to Oracle JREs not working and the included IBM JRE worked.
Regards,
Roger Lacroix
Capitalware Inc. _________________ Capitalware: Transforming tomorrow into today.
Connected to MQ!
Twitter |
fjb_saper |
Posted: Tue Sep 02, 2014 4:35 pm Post subject: |
|
|
 Grand High Poobah
Joined: 18 Nov 2003 Posts: 20756 Location: LI,NY
|
4integration wrote: |
I was thinking if Oracle JVM required some actions using keytool etc but I have not found any good documentation.
But sure I can register a PMR |
There is a big difference between JVM6, JVM7 and even more so JVM8.
One of the main things I noticed is that I was unable to use a cipherspec that required SSLFIPS=true on a non IBM JVM (Oracle).
The reason is that Oracle's JSSE is not FIPS certified. So you'd have to use the nss add on. Unless this is an absolute must on your site, it's more hassle than it is worth. Just get a FIPS certified JSSE.
Second thing is the phasing out of some ciphersuites. Check with your JVM / JSSE provider.
Third was that at 7.5 I had to get an APAR to use a non IBM JVM for JMS + SSL. Works fine at MQ 8.0 though...
Have fun  _________________ MQ & Broker admin |
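An added diagnostic, not code from this thread or from IBM: it prints what the running JVM's JSSE reports for the cipher suite used above, the `jdk.certpath.disabledAlgorithms` and `jdk.tls.disabledAlgorithms` security properties that drive "algorithm constraints check failed", and the signature algorithm and key size of each certificate in a keystore. The class name `JsseAlgorithmReport` and the argument handling are assumptions; with no arguments it reads the JVM's own `cacerts`.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.Security;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.security.interfaces.RSAPublicKey;
import java.util.Arrays;
import java.util.Collections;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;

// Added example (hypothetical class name); compiles on Java 7 and later.
public class JsseAlgorithmReport {
    public static void main(String[] args) throws Exception {
        // Default to the JVM's own trust store so the program runs without arguments.
        String path = args.length > 0 ? args[0]
                : System.getProperty("java.home") + "/lib/security/cacerts";
        String suite = args.length > 1 ? args[1] : "SSL_RSA_WITH_3DES_EDE_CBC_SHA";
        System.out.println("JVM: " + System.getProperty("java.vendor") + " "
                + System.getProperty("java.version"));
        // Security properties behind certificate-path and TLS algorithm constraints.
        for (String p : new String[] {"jdk.certpath.disabledAlgorithms", "jdk.tls.disabledAlgorithms"}) {
            System.out.println(p + " = " + Security.getProperty(p));
        }
        SSLContext ctx = SSLContext.getDefault();
        SSLParameters supported = ctx.getSupportedSSLParameters();
        SSLParameters enabled = ctx.getDefaultSSLParameters();
        System.out.println("Provider: " + ctx.getProvider());
        System.out.println("Enabled protocols: " + Arrays.toString(enabled.getProtocols()));
        System.out.println(suite + " supported=" + Arrays.asList(supported.getCipherSuites()).contains(suite)
                + " enabled=" + Arrays.asList(enabled.getCipherSuites()).contains(suite));
        // A null password skips the integrity check; only public certificates are read.
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, null);
        }
        for (String alias : Collections.list(ks.aliases())) {
            Certificate c = ks.getCertificate(alias);
            if (!(c instanceof X509Certificate)) continue;
            X509Certificate x = (X509Certificate) c;
            String key = x.getPublicKey() instanceof RSAPublicKey
                    ? ((RSAPublicKey) x.getPublicKey()).getModulus().bitLength() + "-bit RSA"
                    : x.getPublicKey().getAlgorithm();
            System.out.println(alias + ": sig=" + x.getSigAlgName() + ", key=" + key
                    + ", subject=" + x.getSubjectX500Principal().getName());
        }
    }
}
```

Running it under both the IBM and the Oracle JVM against the same keystore shows where the two differ. The stack trace fails in `checkServerTrusted`, so the certificates the queue manager presents are the ones to compare against the disabled-algorithm list.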
4integration |
Posted: Wed Oct 15, 2014 11:24 pm Post subject: |
|
|
 Disciple
Joined: 04 Sep 2006 Posts: 197 Location: Gothenburg, Sweden
|
|