  MQSeries.net

MQSeries.net Forum Index » IBM MQ Java / JMS » WMQ with SSL using Oracle JVM

WMQ with SSL using Oracle JVM
4integration
PostPosted: Mon Sep 01, 2014 10:45 pm    Post subject: WMQ with SSL using Oracle JVM

Disciple

Joined: 04 Sep 2006
Posts: 197
Location: Gothenburg, Sweden

Hi,

I am trying the example described here and it works fine with JavaKeyStore (JKS) using IBM's JVM (and SSL provider), pretty much out of the box.
Just pointing to the JKS file and setting the password, etc.

But when changing to the Oracle JVM I am facing problems with this exception:

Code:
JSSE is installed correctly!
Number of keys on JKS: 3
SSLContext provider: SunJSSE version 1.7
com.ibm.msg.client.jms.DetailedJMSException: JMSWMQ0018: Failed to connect to queue manager 'EBNGWT' with connection mode 'Client' and host name 'ebngwt.srv.company.com(1416)'.
Check the queue manager is started and if running in client mode, check there is a listener running. Please see the linked exception for more information.
        at com.ibm.msg.client.wmq.common.internal.Reason.reasonToException(Reason.java:585)
        at com.ibm.msg.client.wmq.common.internal.Reason.createException(Reason.java:221)
        at com.ibm.msg.client.wmq.internal.WMQConnection.<init>(WMQConnection.java:426)
        at com.ibm.msg.client.wmq.factories.WMQConnectionFactory.createV7ProviderConnection(WMQConnectionFactory.java:6902)
        at com.ibm.msg.client.wmq.factories.WMQConnectionFactory.createProviderConnection(WMQConnectionFactory.java:6277)
        at com.ibm.msg.client.jms.admin.JmsConnectionFactoryImpl.createConnection(JmsConnectionFactoryImpl.java:285)
        at com.ibm.mq.jms.MQConnectionFactory.createCommonConnection(MQConnectionFactory.java:6233)
        at com.ibm.mq.jms.MQQueueConnectionFactory.createQueueConnection(MQQueueConnectionFactory.java:149)
        at sample.wmq.ssl.SSLTest.main(SSLTest.java:89)
Caused by: com.ibm.mq.MQException: JMSCMQ0001: WebSphere MQ call failed with compcode '2' ('MQCC_FAILED') reason '2397' ('MQRC_JSSE_ERROR').
        at com.ibm.msg.client.wmq.common.internal.Reason.createException(Reason.java:209)
        ... 7 more
Caused by: com.ibm.mq.jmqi.JmqiException: CC=2;RC=2397;AMQ9204: Connection to host 'ebngwt.srv.company.com(1416)' rejected. [1=com.ibm.mq.jmqi.JmqiException[CC=2;RC=2397;AMQ9771: SSL handshake failed. [1=javax.net.ssl.SSLHandshakeException[sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: algorithm constraints check failed],3=ebngwt.srv.company.com/153.112.166.5:1416 (ebngwt.srv.company.com),4=SSLSocket.startHandshake,5=default]],3=ebngwt.srv.company.com(1416),5=RemoteTCPConnection.protocolConnect]
        at com.ibm.mq.jmqi.remote.api.RemoteFAP.jmqiConnect(RemoteFAP.java:2053)
        at com.ibm.mq.jmqi.remote.api.RemoteFAP.jmqiConnect(RemoteFAP.java:1226)
        at com.ibm.mq.ese.jmqi.InterceptedJmqiImpl.jmqiConnect(InterceptedJmqiImpl.java:311)
        at com.ibm.mq.ese.jmqi.ESEJMQI.jmqiConnect(ESEJMQI.java:337)
        at com.ibm.msg.client.wmq.internal.WMQConnection.<init>(WMQConnection.java:346)
        ... 6 more
Caused by: com.ibm.mq.jmqi.JmqiException: CC=2;RC=2397;AMQ9771: SSL handshake failed. [1=javax.net.ssl.SSLHandshakeException[sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: algorithm constraints check failed],3=ebngwt.srv.company.com/153.112.166.5:1416 (ebngwt.srv.company.com),4=SSLSocket.startHandshake,5=default]
        at com.ibm.mq.jmqi.remote.impl.RemoteTCPConnection.protocolConnect(RemoteTCPConnection.java:1187)
        at com.ibm.mq.jmqi.remote.impl.RemoteConnection.connect(RemoteConnection.java:724)
        at com.ibm.mq.jmqi.remote.impl.RemoteConnectionSpecification.getSessionFromNewConnection(RemoteConnectionSpecification.java:400)
        at com.ibm.mq.jmqi.remote.impl.RemoteConnectionSpecification.getSession(RemoteConnectionSpecification.java:299)
        at com.ibm.mq.jmqi.remote.impl.RemoteConnectionPool.getSession(RemoteConnectionPool.java:164)
        at com.ibm.mq.jmqi.remote.api.RemoteFAP.jmqiConnect(RemoteFAP.java:1598)
        ... 10 more
Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: algorithm constraints check failed
        at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
        at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1884)
        at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:276)
        at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:270)
        at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1341)
        at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:153)
        at sun.security.ssl.Handshaker.processLoop(Handshaker.java:868)
        at sun.security.ssl.Handshaker.process_record(Handshaker.java:804)
        at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1016)
        at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1312)
        at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1339)
        at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1323)
        at com.ibm.mq.jmqi.remote.impl.RemoteTCPConnection$6.run(RemoteTCPConnection.java:1156)
        at com.ibm.mq.jmqi.remote.impl.RemoteTCPConnection$6.run(RemoteTCPConnection.java:1151)
        at java.security.AccessController.doPrivileged(Native Method)
        at com.ibm.mq.jmqi.remote.impl.RemoteTCPConnection.protocolConnect(RemoteTCPConnection.java:1149)
        ... 15 more
Caused by: sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: algorithm constraints check failed
        at sun.security.validator.PKIXValidator.doValidate(PKIXValidator.java:350)
        at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:249)
        at sun.security.validator.Validator.validate(Validator.java:260)
        at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:326)
        at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:231)
        at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:126)
        at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1323)
        ... 26 more
Caused by: java.security.cert.CertPathValidatorException: algorithm constraints check failed
        at sun.security.provider.certpath.PKIXMasterCertPathValidator.validate(PKIXMasterCertPathValidator.java:159)
        at sun.security.provider.certpath.PKIXCertPathValidator.doValidate(PKIXCertPathValidator.java:351)
        at sun.security.provider.certpath.PKIXCertPathValidator.engineValidate(PKIXCertPathValidator.java:191)
        at java.security.cert.CertPathValidator.validate(CertPathValidator.java:279)
        at sun.security.validator.PKIXValidator.doValidate(PKIXValidator.java:345)
        ... 32 more
Press any key to continue . . .


The code looks like:
Code:
package sample.wmq.ssl;

import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;

import javax.jms.JMSException;
import javax.jms.QueueConnection;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManagerFactory;

import com.ibm.mq.jms.JMSC;
import com.ibm.mq.jms.MQQueueConnectionFactory;

public class SSLTest {
    public static void main(String[] args) {
        System.out.println(System.getProperty("java.home"));

        String HOSTNAME = "ebngwt.srv.company.com";
        String QMGRNAME = "EBNGWT";
        String CHANNEL = "ADTI.SRV01";
        // CipherSuite SSL_RSA_WITH_3DES_EDE_CBC_SHA is the same as WebSphere MQ 'CipherSpec' TRIPLE_DES_SHA_US
        // see book 'WebSphereMQ - Using Java' for equivalency table
        String SSLCIPHERSUITE = "SSL_RSA_WITH_3DES_EDE_CBC_SHA";

        try {
            Class.forName("com.sun.net.ssl.internal.ssl.Provider");
            System.out.println("JSSE is installed correctly!");

            char[] KSPW = "password".toCharArray();

            // instantiate a KeyStore with type JKS
            KeyStore ks = KeyStore.getInstance("JKS");
            // load the contents of the KeyStore (stream closed by try-with-resources)
            try (InputStream in = new FileInputStream("C:\\wmqssl-jks\\key.jks")) {
                ks.load(in, KSPW);
            }
            System.out.println("Number of keys on JKS: " + Integer.toString(ks.size()));

            // Create a keystore object for the truststore
            KeyStore trustStore = KeyStore.getInstance("JKS");
            // Open our file and read the truststore (no password: the JKS integrity check is skipped)
            try (InputStream in = new FileInputStream("C:\\wmqssl-jks\\key.jks")) {
                trustStore.load(in, null);
            }

            // Create a default trust and key manager
            TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
            KeyManagerFactory keyManagerFactory = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());

            // Initialise the managers
            trustManagerFactory.init(trustStore);
            keyManagerFactory.init(ks, KSPW);

            // Get an SSL context.
            // Note: not all providers support all CipherSuites. But the
            // "SSL_RSA_WITH_3DES_EDE_CBC_SHA" CipherSuite is supported on both SunJSSE
            // and IBMJSSE2 providers

            // Accessing available algorithm/protocol in the SunJSSE provider
            // see http://java.sun.com/javase/6/docs/technotes/guides/security/SunProviders.html
            SSLContext sslContext = SSLContext.getInstance("SSLv3");

            // Accessing available algorithm/protocol in the IBMJSSE2 provider
            // see http://www.ibm.com/developerworks/java/jdk/security/142/secguides/jsse2docs/JSSE2RefGuide.html
            // SSLContext sslContext = SSLContext.getInstance("SSL_TLS");
            System.out.println("SSLContext provider: " + sslContext.getProvider().toString());

            // Initialise our SSL context from the key/trust managers
            sslContext.init(keyManagerFactory.getKeyManagers(), trustManagerFactory.getTrustManagers(), null);

            // Get an SSLSocketFactory to pass to WMQ
            SSLSocketFactory sslSocketFactory = sslContext.getSocketFactory();

            // Create default MQ connection factory
            MQQueueConnectionFactory factory = new MQQueueConnectionFactory();

            // Customize the factory
            factory.setSSLSocketFactory(sslSocketFactory);
            factory.setTransportType(JMSC.MQJMS_TP_CLIENT_MQ_TCPIP);
            factory.setQueueManager(QMGRNAME);
            factory.setHostName(HOSTNAME);
            factory.setChannel(CHANNEL);
            factory.setPort(1416);
            factory.setSSLFipsRequired(false);
            factory.setSSLCipherSuite(SSLCIPHERSUITE);

            // empty user and password to avoid MQJMS2013 messages
            QueueConnection connection = factory.createQueueConnection("", "");
            connection.start();
            System.out.println("JMS SSL client connection started!");
            connection.close();

        } catch (JMSException ex) {
            ex.printStackTrace();
        } catch (Exception ex) {
            ex.printStackTrace();
        }
    }
}


Do I need to do some configuration in the Oracle JVM?
Any ideas what actions I need to take?
_________________
Best regards
4 Integration
fjb_saper
PostPosted: Tue Sep 02, 2014 12:00 am    Post subject:

Grand High Poobah

Joined: 18 Nov 2003
Posts: 20696
Location: LI,NY

You're not specifying the version of WMQ, and yes, it is relevant.
If V7.5.0.x, open a PMR, specify the version of WMQ and the version of Java, and ask for the relevant APAR. (Up to 7.5.0.3; I guess the fix will make 7.5.0.4.)

If you're using an IBM JVM everything should work. For a non IBM JVM the APAR is necessary.

Also run your program with JVM option -Djavax.net.debug=true and attach the output to the PMR.

Have fun
_________________
MQ & Broker admin
4integration
PostPosted: Tue Sep 02, 2014 4:06 am    Post subject:

Disciple

Joined: 04 Sep 2006
Posts: 197
Location: Gothenburg, Sweden

Hi,

I am using:

Code:
C:\>dspmqver
Name:        WebSphere MQ
Version:     7.5.0.2
Level:       p750-002-130627
BuildType:   IKAP - (Production)
Platform:    WebSphere MQ for Windows
Mode:        32-bit
O/S:         Windows Ver 6.2 (5) Enterprise x64 Edition, Build 9200
InstName:    Installation1
InstDesc:
Primary:     Yes
InstPath:    C:\Program Files (x86)\IBM\WebSphere MQ
DataPath:    C:\Program Files (x86)\IBM\WebSphere MQ
MaxCmdLevel: 750

C:\>java -version
java version "1.7.0_55"
Java(TM) SE Runtime Environment (build 1.7.0_55-b13)
Java HotSpot(TM) Client VM (build 24.55-b03, mixed mode, sharing)

I was wondering whether the Oracle JVM required some actions using keytool, etc., but I have not found any good documentation.
But sure, I can register a PMR.
_________________
Best regards
4 Integration
RogerLacroix
PostPosted: Tue Sep 02, 2014 9:38 am    Post subject:

Jedi Knight

Joined: 15 May 2001
Posts: 3252
Location: London, ON Canada

Hi,

I just went through this issue with MQ Visual Browse and WMQ v7.5 and I posted it here.

Basically, it boils down to Oracle JREs not working, while the included IBM JRE worked.

Regards,
Roger Lacroix
Capitalware Inc.
_________________
Capitalware: Transforming tomorrow into today.
Connected to MQ!
Twitter
fjb_saper
PostPosted: Tue Sep 02, 2014 4:35 pm    Post subject:

Grand High Poobah

Joined: 18 Nov 2003
Posts: 20696
Location: LI,NY

4integration wrote:

I was wondering whether the Oracle JVM required some actions using keytool, etc., but I have not found any good documentation.
But sure, I can register a PMR.


There is a big difference between JVM6, JVM7 and even more so JVM8.
One of the main things I noticed is that I was unable to use a cipherspec that required SSLFIPS=true on a non IBM JVM (Oracle).

The reason is that Oracle's JSSE is not FIPS certified, so you'd have to use the NSS add-on. Unless this is an absolute must on your site, it's more hassle than it is worth. Just get a FIPS certified JSSE.

Second thing is the phasing out of some ciphersuites. Check with your JVM / JSSE provider.

Third was that at 7.5 I had to get an APAR to use a non IBM JVM for JMS + SSL. Works fine at MQ 8.0 though...

Have fun
_________________
MQ & Broker admin
4integration
PostPosted: Wed Oct 15, 2014 11:24 pm    Post subject:

Disciple

Joined: 04 Sep 2006
Posts: 197
Location: Gothenburg, Sweden

I got it working with Sun's JVM (java.specification.version:1.7.0_67-b01) by changing the file:
C:\Program Files (x86)\Java\jre7\lib\security\java.security
and the line from:
Code:
jdk.certpath.disabledAlgorithms=MD2, RSA keySize < 1024

to
Code:
jdk.certpath.disabledAlgorithms=MD2, RSA keySize < 256


References:
* http://docs.oracle.com/javase/7/docs/technotes/guides/security/certpath/CertPathProgGuide.html#AppB (section CertPathValidator)
* http://stackoverflow.com/questions/19756681/introscope-8-2-2-does-not-work-with-java-7 (not WMQ but anyway)
_________________
Best regards
4 Integration
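The "algorithm constraints check failed" error above is the Oracle JVM's PKIX validator enforcing jdk.certpath.disabledAlgorithms against the certificate path, and lowering the RSA threshold to 256 bits switches that check off for every TLS connection the JVM makes. The following audit program is an added example and is not code from the thread or from IBM; it loads the JKS file used in the posts (path and password are assumptions taken from the thread, the class name KeyStoreAudit is hypothetical) and reports which stored certificates an unmodified default of "MD2, RSA keySize < 1024" would reject, so the undersized certificate can be identified and reissued instead of the constraint being weakened.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.PublicKey;
import java.security.Security;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.security.interfaces.RSAPublicKey;
import java.util.ArrayList;
import java.util.Collections;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Set;

/**
 * KeyStoreAudit (hypothetical name, added example): lists every X.509 certificate
 * stored in a JKS file and flags the ones that the default
 * jdk.certpath.disabledAlgorithms value quoted in the thread ("MD2, RSA keySize < 1024")
 * would cause PKIX path validation to reject.
 */
public class KeyStoreAudit {

    /** Threshold from the default setting quoted in the thread (assumption for this example). */
    static final int MIN_RSA_BITS = 1024;

    /** One line of the audit report. */
    static final class Finding {
        final String alias, subject, sigAlg;
        final int rsaBits;          // -1 when the key is not RSA
        final boolean rejected;

        Finding(String alias, String subject, String sigAlg, int rsaBits, boolean rejected) {
            this.alias = alias; this.subject = subject; this.sigAlg = sigAlg;
            this.rsaBits = rsaBits; this.rejected = rejected;
        }
    }

    /** True when this certificate would trip the MD2 / RSA key-size constraint. */
    static boolean violatesConstraint(X509Certificate cert, int minRsaBits) {
        PublicKey pk = cert.getPublicKey();
        if (pk instanceof RSAPublicKey && ((RSAPublicKey) pk).getModulus().bitLength() < minRsaBits) {
            return true;
        }
        // MD2-signed certificates are disabled by name in the same property.
        return cert.getSigAlgName().toUpperCase().startsWith("MD2");
    }

    /** Walks every alias; key entries contribute their whole chain, trusted entries one cert. */
    static List<Finding> audit(KeyStore ks, int minRsaBits) throws Exception {
        Set<X509Certificate> seen = new LinkedHashSet<X509Certificate>();   // de-duplicates shared CA certs
        List<Finding> findings = new ArrayList<Finding>();
        for (String alias : Collections.list(ks.aliases())) {
            List<Certificate> certs = new ArrayList<Certificate>();
            if (ks.isKeyEntry(alias)) {
                Certificate[] chain = ks.getCertificateChain(alias);
                if (chain != null) Collections.addAll(certs, chain);
            } else {
                certs.add(ks.getCertificate(alias));
            }
            for (Certificate c : certs) {
                if (!(c instanceof X509Certificate) || !seen.add((X509Certificate) c)) continue;
                X509Certificate x = (X509Certificate) c;
                PublicKey pk = x.getPublicKey();
                int bits = pk instanceof RSAPublicKey ? ((RSAPublicKey) pk).getModulus().bitLength() : -1;
                findings.add(new Finding(alias, x.getSubjectX500Principal().getName(),
                        x.getSigAlgName(), bits, violatesConstraint(x, minRsaBits)));
            }
        }
        return findings;
    }

    public static void main(String[] args) throws Exception {
        String path = args.length > 0 ? args[0] : "C:\\wmqssl-jks\\key.jks";   // path used in the thread
        char[] password = args.length > 1 ? args[1].toCharArray() : null;     // null: JKS integrity check skipped
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        // Show what this JVM actually enforces, as read from its java.security file.
        System.out.println("jdk.certpath.disabledAlgorithms = "
                + Security.getProperty("jdk.certpath.disabledAlgorithms"));
        int rejected = 0;
        for (Finding f : audit(ks, MIN_RSA_BITS)) {
            System.out.printf("%-7s %-20s %5s bits  %-18s %s%n",
                    f.rejected ? "REJECT" : "ok", f.alias,
                    f.rsaBits < 0 ? "n/a" : Integer.toString(f.rsaBits), f.sigAlg, f.subject);
            if (f.rejected) rejected++;
        }
        System.out.println(rejected + " stored certificate(s) would fail path validation on this JVM.");
    }
}
```

Run it as `java KeyStoreAudit C:\wmqssl-jks\key.jks password` (arguments are examples). The validator applies the constraint to the chain the queue manager presents during the handshake, so the offending key can be the queue manager's own certificate, which this report only sees if that chain is stored locally; `-Djavax.net.debug=true`, as suggested earlier in the thread, prints the presented chain. Reissuing the undersized certificate with a 2048-bit key removes the error on every JVM without disabling the check.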