grasher134
Posted: Wed May 20, 2015 3:14 am Post subject: Http request over SSL
Acolyte
Joined: 22 Oct 2014 Posts: 62
Hello guys,
I've been working with IIB for a little while now and this forum has helped me many times to find the right path.
I need to send a GET HTTP request over SSL using the HTTP request node. I did some brief research on this topic and found some "tiny" instructions like this: http://www-01.ibm.com/support/knowledgecenter/SSMKHH_9.0.0/com.ibm.etools.mft.doc/ap34020_.htm?lang=ru.
I really doubt I need to do all of this in order to send some requests to a public URL, which I can access from a browser from anywhere.
Maybe I'm getting it wrong, but I think there should be an easier way. Or maybe I'm just lazy..
For now I get the following exception.
Code:
javax.net.ssl.SSLHandshakeException: com.ibm.jsse2.util.j: PKIX path building failed: java.security.cert.CertPathBuilderException: unable to find valid certification path to requested target
Vitor
Posted: Wed May 20, 2015 4:52 am Post subject: Re: Http request over SSL
Grand High Poobah
Joined: 11 Nov 2005 Posts: 26093 Location: Texas, USA
grasher134 wrote:
> I really doubt I need to do all of this in order to send some requests to a public URL, which I can access from a browser from anywhere.
You mean from a browser that comes with a lot of that work done for you under the covers?
grasher134 wrote:
> Maybe I'm getting it wrong, but I think there should be an easier way. Or maybe I'm just lazy..
I decline to comment on your work ethic.
If you really mean a public URL like www.ibm.com you certainly don't need the full swathe of a PKI. But you need enough of that to allow the broker to participate in the kind of anonymous HTTPS session you're describing, which means some configuration of the broker (for example, acceptance of the usual suspects like Verisign in the truststore).
_________________
Honesty is the best policy.
Insanity is the best defence.
mqjeff
Posted: Wed May 20, 2015 5:11 am Post subject:
Grand Master
Joined: 25 Jun 2008 Posts: 17447
Browsers come with truststores prepopulated with a lot of known signers.
IIB doesn't.
joebuckeye
Posted: Wed May 20, 2015 6:01 am Post subject:
Partisan
Joined: 24 Aug 2007 Posts: 365 Location: Columbus, OH
Save yourself future headaches and only put root certificates into your truststores. Those certificates have long lifetimes. Certificates for individual endpoints (like ibm.com) expire every year or two at most.
I bring this up because establishing proper certificate processes early on will save you much maintenance pain later on.
grasher134
Posted: Wed May 20, 2015 8:32 pm Post subject:
Acolyte
Joined: 22 Oct 2014 Posts: 62
Thank you all for your replies. It seems I misunderstood the whole technology a bit. I'll read more on this topic.
grasher134
Posted: Tue May 26, 2015 3:22 am Post subject:
Acolyte
Joined: 22 Oct 2014 Posts: 62
I've created a JKS type db and imported all the certificates into it. Then I attached this db as the truststore to the Broker and the Broker-wide HTTP listener, as written in the instructions above.
Now I get
Code:
javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No X509TrustManager implementation available
Google told me that I must include the certificates in my truststore, but I already did that. There are no other solutions to this problem.
Could you help me?
(Sorry for my English)
fjb_saper
Posted: Tue May 26, 2015 4:36 am Post subject:
Grand High Poobah
Joined: 18 Nov 2003 Posts: 20756 Location: LI,NY
grasher134 wrote:
> I've created a JKS type db and imported all the certificates into it. Then I attached this db as the truststore to the Broker and the Broker-wide HTTP listener, as written in the instructions above.
> Now I get
> Code:
> javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No X509TrustManager implementation available
> Google told me that I must include the certificates in my truststore, but I already did that. There are no other solutions to this problem.
> Could you help me?
> (Sorry for my English)
Check your procedure. Did you define the jks file as keystore or as truststore?
_________________
MQ & Broker admin
grasher134
Posted: Wed May 27, 2015 3:30 am Post subject:
Acolyte
Joined: 22 Oct 2014 Posts: 62
fjb_saper wrote:
> Check your procedure. Did you define the jks file as keystore or as truststore?
As both.. I made a mistake with my jks file path. Now I get
Code:
javax.net.ssl.SSLHandshakeException: com.ibm.jsse2.util.j: PKIX path building failed: java.security.cert.CertPathBuilderException: unable to find valid certification path to requested target
I tried to add only the root cert or the whole tree to my jks file in addition to the default CA certs, but it seems to make no difference. I'll add my broker properties below. And this is the link I try to send the request to: https://web.msm.az/
Code:
C:\Program Files\IBM\MQSI\9.0.0.2>mqsireportproperties ib9node -o BrokerRegistry -r
BrokerRegistry
uuid='BrokerRegistry'
brokerKeystoreType='JKS'
brokerKeystoreFile='C:\Program Files\IBM\MQSI\9.0.0.2\key.jks'
brokerKeystorePass='brokerKeystore::password'
brokerTruststoreType='JKS'
brokerTruststoreFile='C:\Program Files\IBM\MQSI\9.0.0.2\key.jks'
brokerTruststorePass='brokerTruststore::password'
brokerCRLFileList=''
httpConnectorPortRange=''
httpsConnectorPortRange=''
brokerKerberosConfigFile=''
brokerKerberosKeytabFile=''
modeExtensions=''
operationMode='advanced'
shortDesc=''
longDesc=''
Code:
C:\Program Files\IBM\MQSI\9.0.0.2>mqsireportproperties ib9node -b httplistener -o HTTPSConnector -r
HTTPSConnector
uuid='HTTPSConnector'
algorithm='Platform Default'
clientAuth='Platform Default'
keystoreFile='Platform Default'
keystorePass='********'
keystoreType='Platform Default'
truststoreFile='C:\Program Files\IBM\MQSI\9.0.0.2\key.jks'
truststorePass='********'
truststoreType='Platform Default'
sslProtocol='Platform Default'
ciphers='Platform Default'
keyAlias=''
keypass='********'
keyAlias='Platform Default'
crlFile='Platform Default'
propagateClientCert='Platform Default'
address=''
port=''
maxPostSize=''
maxSavePostSize=''
acceptCount=''
compressableMimeTypes=''
compression=''
connectionLinger=''
connectionTimeout=''
maxHttpHeaderSize=''
maxKeepAliveRequests=''
maxThreads=''
minSpareThreads=''
noCompressionUserAgents=''
restrictedUserAgents=''
socketBuffer=''
tcpNoDelay=''
enableLookups='false'
fjb_saper
Posted: Wed May 27, 2015 4:23 am Post subject:
Grand High Poobah
Joined: 18 Nov 2003 Posts: 20756 Location: LI,NY
In order to get the cert path right, you need the whole certification path in your truststore: the Root CA AND all the intermediate CA signers...
Have fun
_________________
MQ & Broker admin
grasher134
Posted: Wed May 27, 2015 4:48 am Post subject:
Acolyte
Joined: 22 Oct 2014 Posts: 62
fjb_saper wrote:
> In order to get the cert path right, you need the whole certification path in your truststore: the Root CA AND all the intermediate CA signers...
> Have fun
I gave the link above. I saved all 4 of them in .cert files, opened IBM Key Manager - Signer Certificates - Add..
I added them, beginning from the root and ending with the last one. I can include my .jks file if it is needed.
I know I did something wrong, but I can't figure out what.
P.S. Here is the link to my truststore:
https://drive.google.com/file/d/0B3RMDAZ55GHeVG5vTXEyZW5OZVk/view?usp=sharing
fjb_saper
Posted: Wed May 27, 2015 5:02 am Post subject:
Grand High Poobah
Joined: 18 Nov 2003 Posts: 20756 Location: LI,NY
If you want us to look at it you have to provide the store password as well...
_________________
MQ & Broker admin
joebuckeye
Posted: Wed May 27, 2015 5:52 am Post subject:
Partisan
Joined: 24 Aug 2007 Posts: 365 Location: Columbus, OH
fjb_saper wrote:
> In order to get the cert path right, you need the whole certification path in your truststore: the Root CA AND all the intermediate CA signers...
I thought the URL you were calling was supposed to return its URL cert and any intermediate certs needed to get to a Root CA.
The more certs you include on the calling side, the more cert management you will need to perform, and more frequently.
If you are having problems I would start with all the certs in the cert chain; you should be connecting if you trust the URL cert itself. If that is not working then your SSL config is not correct yet. Then start removing certs until you have the bare minimum needed to make the call work.
fjb_saper
Posted: Wed May 27, 2015 6:24 am Post subject:
Grand High Poobah
Joined: 18 Nov 2003 Posts: 20756 Location: LI,NY
joebuckeye wrote:
> I thought the URL you were calling was supposed to return its URL cert and any intermediate certs needed to get to a Root CA.
Sure, but that doesn't mean that you don't have to have all the signer certs in your truststore for it to work...
_________________
MQ & Broker admin
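The disagreement above (fjb_saper: the whole path must be anchored in the truststore; joebuckeye: start with the full chain and trim) is easy to settle offline. As an added example, not code from this thread or from IIB, here is a small Java diagnostic that loads a JKS truststore and asks the platform X509TrustManager, the same JSSE component the HTTPRequest node relies on, whether a saved server chain validates. It reproduces the "PKIX path building failed" result outside the broker, so you can add or remove signer entries with iKeyman and re-run until the minimum set is known. The class name, file names and the password argument are assumptions; the chain file is the leaf and intermediate certificates exported from a browser and concatenated as PEM.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Enumeration;
import java.util.List;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

/*
 * TruststoreCheck (hypothetical diagnostic, not part of IIB).
 * Usage: java TruststoreCheck <truststore.jks> <password> <server-chain.pem>
 * server-chain.pem: leaf certificate first, then intermediates (root optional), PEM-concatenated.
 */
public class TruststoreCheck {

    /** Load the JKS file and list each trusted signer, marking roots (self-signed) vs intermediates. */
    static KeyStore loadAndList(String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        int signers = 0;
        for (Enumeration<String> e = ks.aliases(); e.hasMoreElements();) {
            String alias = e.nextElement();
            // Only trusted-certificate entries (iKeyman "Signer Certificates") act as trust anchors;
            // a personal certificate (key entry) in the same file does not make anything trusted.
            if (!ks.isCertificateEntry(alias)) {
                System.out.println("  key entry (ignored for trust): " + alias);
                continue;
            }
            signers++;
            X509Certificate c = (X509Certificate) ks.getCertificate(alias);
            boolean root = c.getSubjectX500Principal().equals(c.getIssuerX500Principal());
            System.out.printf("  signer %-24s %-12s %s%n", alias, root ? "ROOT" : "INTERMEDIATE",
                    c.getSubjectX500Principal().getName());
        }
        if (signers == 0) {
            System.out.println("  no signer entries: nothing in this file can act as a trust anchor");
        }
        return ks;
    }

    /** Read a PEM file holding one or more certificates, keeping the order in the file. */
    static List<X509Certificate> readChain(String path) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        List<X509Certificate> chain = new ArrayList<>();
        try (InputStream in = new FileInputStream(path)) {
            for (Certificate c : cf.generateCertificates(in)) {
                chain.add((X509Certificate) c);
            }
        }
        return chain;
    }

    /** Ask the platform trust manager the same question JSSE asks during the handshake. */
    static void checkChain(KeyStore trustStore, List<X509Certificate> chain) throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);
        X509TrustManager tm = null;
        for (TrustManager t : tmf.getTrustManagers()) {
            if (t instanceof X509TrustManager) {
                tm = (X509TrustManager) t;
                break;
            }
        }
        if (tm == null) {
            System.out.println("no X509TrustManager could be built from this truststore");
            return;
        }
        try {
            tm.checkServerTrusted(chain.toArray(new X509Certificate[0]), "RSA");
            System.out.println("OK: chain validates against the truststore");
        } catch (CertificateException ex) {
            // Same failure text the broker reports, e.g. "PKIX path building failed: ..."
            System.out.println("FAIL: " + ex.getMessage());
        }
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 3) {
            System.err.println("usage: TruststoreCheck <truststore.jks> <password> <server-chain.pem>");
            System.exit(2);
        }
        System.out.println("Truststore " + args[0] + ":");
        KeyStore ks = loadAndList(args[0], args[1].toCharArray());
        List<X509Certificate> chain = readChain(args[2]);
        System.out.println("Server chain has " + chain.size() + " certificate(s), leaf = "
                + chain.get(0).getSubjectX500Principal().getName());
        checkChain(ks, chain);
    }
}
```

Two things the output makes visible that the broker's exception does not: whether the entries in the file are signer entries at all (the listing) and which of them are roots, which is the set joebuckeye recommends keeping long term. If the check passes here with the same file and password that mqsireportproperties shows for brokerTruststoreFile and the HTTPSConnector truststoreFile, the remaining difference is in the broker configuration rather than in the certificates.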
grasher134
Posted: Thu May 28, 2015 8:08 pm Post subject:
Acolyte
Joined: 22 Oct 2014 Posts: 62
fjb_saper wrote:
> If you want us to look at it you have to provide the store password as well...
Whoops.. my bad... pass: ibm
grasher134
Posted: Sun May 31, 2015 8:20 pm Post subject:
Acolyte
Joined: 22 Oct 2014 Posts: 62
Guys, I'm still stuck on this problem.. Could you look through this file and tell me what I am doing wrong?