MQSeries.net Forum Index -> WebSphere Message Broker (ACE) Support

Configuring broker to connect external URL using proxy
visasimbu
Posted: Thu Jul 09, 2015 7:55 am    Post subject: Configuring broker to connect external URL using proxy

Disciple

Joined: 06 Nov 2009
Posts: 171

Hi All,
I have a flow which calls an external vendor site using an HTTP request node. How can I apply my proxy settings to my local broker so that it can establish the connection?

Note - The same flow works in the testing environment, where the testing server IPs are whitelisted.
mqjeff
Posted: Thu Jul 09, 2015 7:59 am

Grand Master

Joined: 25 Jun 2008
Posts: 17447

http://www-01.ibm.com/support/knowledgecenter/SSMKHH_9.0.0/com.ibm.etools.mft.doc/ac04595_.htm
visasimbu
Posted: Mon Jul 13, 2015 6:49 am

Disciple

Joined: 06 Nov 2009
Posts: 171

@mqjeff - Thanks for reply.

I have configured the proxy address with port number as "proxy.abc.com:8080" under HTTP(S) proxy location in the SOAPRequest node. Is there any other configuration I have to make to use the proxy settings?


javax.net.ssl.SSLHandshakeException: com.ibm.jsse2.util.j: PKIX path building failed: java.security.cert.CertPathBuilderException: PKIXCertPathBuilderImpl could not build a valid CertPath.; internal cause is:
java.security.cert.CertPathValidatorException: The certificate issued by CN=VeriSign Class 3 Public Primary Certification Authority - G5, OU="(c) 2006 VeriSign, Inc. - For authorized use only", OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US is not trusted; internal cause is:
java.security.cert.CertPathValidatorException: Certificate chaining error
Vitor
Posted: Mon Jul 13, 2015 6:54 am

Grand High Poobah

Joined: 11 Nov 2005
Posts: 26093
Location: Texas, USA

visasimbu wrote:
javax.net.ssl.SSLHandshakeException: com.ibm.jsse2.util.j: PKIX path building failed: java.security.cert.CertPathBuilderException: PKIXCertPathBuilderImpl could not build a valid CertPath.; internal cause is:
java.security.cert.CertPathValidatorException: The certificate issued by CN=VeriSign Class 3 Public Primary Certification Authority - G5, OU="(c) 2006 VeriSign, Inc. - For authorized use only", OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US is not trusted; internal cause is:
java.security.cert.CertPathValidatorException: Certificate chaining error


That doesn't look like a problem connecting to a proxy to me. That looks like a problem with the SSL configuration leading to someone not being trusted. As that someone is VeriSign, I'd hazard a guess that it's quite a serious problem with the configuration; like no configuration at all.
_________________
Honesty is the best policy.
Insanity is the best defence.
visasimbu
Posted: Wed Jul 15, 2015 5:36 pm

Disciple

Joined: 06 Nov 2009
Posts: 171

Hi Vitor,
Thanks for your reply.

It seems I have to import the certificate into the broker keystore file, so I have tried the steps below.

1) Importing the certificate for the HTTPS URL which is used in the HTTPRequest node. The certificate was downloaded using the Chrome browser under "Trusted Root Certificate Authorities".

2) Used the keytool command below to add the certificate to the broker keystore file

Quote:

keytool -import -alias mykey -file Class3PublicPrimaryCertificateAuthorityG5.cer -keystore “C:\Program Files (x86)\IBM\MQSI\7.0\jre16\lib\security\cacerts” -storepass changeit

I received a keytool error saying

Quote:

keytool error: java.io.FileNotFoundException: ôC:\Program Files (x86)\IBM\MQSI\7.0\jre16\lib\security\cacertsö (The filename, directory name, or volume label syntax is incorrect)

3) Load the new JKS file into the broker

Quote:
mqsichangeproperties LOCALBRK -o BrokerRegistry -n brokerKeystoreFile -v C:\SIMBU\KEY\LOCALBRK1.jks

mqsisetdbparms LOCALBRK -n brokerKeystore::password -u dummy -p changeit


4) Start and stop the broker

To avoid the keytool exception I have tried an administrator CMD. It also throws the same error. How can I avoid this keytool error?
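The path in the keytool error above is wrapped in ô and ö instead of quotes. Those are bytes 0x93 and 0x94 displayed in the console's OEM code page 437; in Windows-1252 the same two bytes are the typographic quotes “ and ” that appear in the pasted keytool command, so keytool was handed a filename beginning with a quote character and could not open it. The Java program below is added as an illustration (it is not from the thread): it reproduces the garbled rendering and flags any non-ASCII character in a command line before the command is run.

```java
import java.nio.charset.Charset;

public class QuoteCheck {
    // The keystore path exactly as pasted in the thread, with typographic quotes U+201C / U+201D.
    static final String PASTED =
        "\u201CC:\\Program Files (x86)\\IBM\\MQSI\\7.0\\jre16\\lib\\security\\cacerts\u201D";

    // Re-interpret the Windows-1252 bytes as OEM code page 437, which is how cmd.exe displayed them.
    static String asConsoleSaw(String s) {
        byte[] cp1252 = s.getBytes(Charset.forName("windows-1252")); // U+201C -> 0x93, U+201D -> 0x94
        return new String(cp1252, Charset.forName("IBM437"));         // 0x93 -> 'ô', 0x94 -> 'ö'
    }

    // Report every character outside printable ASCII; straight quotes (0x22) pass, curly ones do not.
    static String findNonAscii(String cmd) {
        StringBuilder sb = new StringBuilder();
        for (int i = 0; i < cmd.length(); i++) {
            char c = cmd.charAt(i);
            if (c < 0x20 || c > 0x7E) {
                sb.append(String.format("offset %d: U+%04X%n", i, (int) c));
            }
        }
        return sb.toString();
    }

    public static void main(String[] args) {
        System.out.println("console showed : " + asConsoleSaw(PASTED));
        String report = findNonAscii(PASTED);
        if (report.isEmpty()) {
            System.out.println("command line is plain ASCII");
        } else {
            System.out.print("non-ASCII characters in command line:\n" + report);
            // Replace the typographic quotes with the ASCII quote cmd.exe expects around a path.
            System.out.println("fixed          : " + PASTED.replace('\u201C', '"').replace('\u201D', '"'));
        }
    }
}
```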
fjb_saper
Posted: Thu Jul 16, 2015 4:41 am

Grand High Poobah

Joined: 18 Nov 2003
Posts: 20756
Location: LI,NY

Depends on what CA certs you have in the LOCALBRK1.jks truststore...
And I would not trust all the certs in the cacerts truststore either. Remember those were the CA certs at a certain moment in time... The intermediary certs may have changed since...
_________________
MQ & Broker admin
Vitor
Posted: Thu Jul 16, 2015 4:46 am

Grand High Poobah

Joined: 11 Nov 2005
Posts: 26093
Location: Texas, USA

visasimbu wrote:
Seems I have to import the certificate to broker keystore file.


Or the truststore file. You also have to complete all the other steps for SSL configuration, not just the steps you list below.


visasimbu wrote:
1) Importing the certificate for the HTTPS URL which is used in the HTTPRequest node. The certificate was downloaded using the Chrome browser under "Trusted Root Certificate Authorities".


That's not the method I'd have used to obtain the certificate. Does no-one administer SSL at your site?

visasimbu wrote:
2) Used the keytool command below to add the certificate to the broker keystore file

Quote:

keytool -import -alias mykey -file Class3PublicPrimaryCertificateAuthorityG5.cer -keystore “C:\Program Files (x86)\IBM\MQSI\7.0\jre16\lib\security\cacerts” -storepass changeit

I received a keytool error saying

Quote:

keytool error: java.io.FileNotFoundException: ôC:\Program Files (x86)\IBM\MQSI\7.0\jre16\lib\security\cacertsö (The filename, directory name, or volume label syntax is incorrect)


Well, that didn't import anything, did it? I'd also be surprised if the cacerts file supplied with the JVM didn't have that certificate, and if it didn't then "mykey" is an odd thing to call it.

What are you referencing to get these commands?

I also question the wisdom of using a file stored under "Program Files". Aside from a path name with spaces in it being troublesome, Windows is parochial about that directory.

visasimbu wrote:
3) Load the new jks file to broker

Quote:
mqsichangeproperties LOCALBRK -o BrokerRegistry -n brokerKeystoreFile -v C:\SIMBU\KEY\LOCALBRK1.jks

mqsisetdbparms LOCALBRK -n brokerKeystore::password -u dummy -p changeit


How is that "the new jks file"? You've not referenced it in any previous commands you've posted, and it's not the one that was the target of your failed import attempt. Where did this come from and what does it contain?

visasimbu wrote:
4) start and stop the broker


Well that would be a good move if you'd managed to change anything.

visasimbu wrote:
To avoid the keytool exception I have tried an administrator CMD. It also throws the same error. How can I avoid this keytool error?


Well you could try using the file C:\SIMBU\KEY\LOCALBRK1.jks instead. Not only is that not in Program Files so a) there's no space in the path and b) you probably have access at an OS level, it's also the file you're using in broker!!!!!!
_________________
Honesty is the best policy.
Insanity is the best defence.
visasimbu
Posted: Thu Jul 16, 2015 8:57 pm

Disciple

Joined: 06 Nov 2009
Posts: 171

@Vitor,
Apologies for the confusion in the path. I have imported the public certificate into the cacerts file using keytool commands.
These are the broker commands I have used to configure SSL.


Code:

mqsichangeproperties LOCALBRK -e EG -o ComIbmJVMManager -n keystoreFile -v C:\SIMBU\KEY\brokerkey.jks,JKS
mqsichangeproperties LOCALBRK -e EG -o ComIbmJVMManager -n truststoreFile -v C:\SIMBU\KEY\cacerts,JKS
mqsichangeproperties LOCALBRK -e EG -o ComIbmJVMManager -n truststoreType -v JKS
mqsichangeproperties LOCALBRK -e EG -o ComIbmJVMManager -n keystoreType -v JKS

mqsisetdbparms LOCALBRK -n EG::keystorePass -u temp -p password
mqsisetdbparms LOCALBRK -n EG::truststorePass -u temp -p password

mqsichangeproperties LOCALBRK -o BrokerRegistry -n brokerKeystoreFile -v C:\SIMBU\KEY\brokerkey.jks
mqsichangeproperties LOCALBRK -o BrokerRegistry -n brokerTruststoreFile -v C:\SIMBU\KEY\cacerts


mqsisetdbparms LOCALBRK -n brokerKeystore::password -u temp -p password
mqsisetdbparms LOCALBRK -n brokerTruststore::password -u temp -p password


I have encountered the error below.

Quote:

Exception in thread "Thread-9" 2015-07-16 23:48:13.778 18 javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No X509TrustManager implementation available
2015-07-16 23:48:13.794 18 at com.ibm.jsse2.o.a(o.java:31)
2015-07-16 23:48:13.794 18 at com.ibm.jsse2.SSLSocketImpl.a(SSLSocketImpl.java:569)
2015-07-16 23:48:13.794 18 at com.ibm.jsse2.kb.a(kb.java:269)
2015-07-16 23:48:13.810 18 at com.ibm.jsse2.kb.a(kb.java:273)
2015-07-16 23:48:13.810 18 at com.ibm.jsse2.lb.a(lb.java:107)
2015-07-16 23:48:13.810 18 at com.ibm.jsse2.lb.a(lb.java:278)
2015-07-16 23:48:13.810 18 at com.ibm.jsse2.kb.s(kb.java:391)
2015-07-16 23:48:13.810 18 at com.ibm.jsse2.kb.a(kb.java:165)
2015-07-16 23:48:13.810 18 at com.ibm.jsse2.SSLSocketImpl.a(SSLSocketImpl.java:
2015-07-16 23:48:13.810 18 at com.ibm.jsse2.SSLSocketImpl.h(SSLSocketImpl.java:554)
2015-07-16 23:48:13.810 18 at com.ibm.jsse2.SSLSocketImpl.a(SSLSocketImpl.java:806)
2015-07-16 23:48:13.810 18 at com.ibm.jsse2.SSLSocketImpl.startHandshake(SSLSocketImpl.java:97)
2015-07-16 23:48:13.825 18 at com.ibm.broker.imbsslsocket.MbSslSocket.connectTimeoutInternalNoProxy(MbSslSocket.java:295)
2015-07-16 23:48:13.825 18 at com.ibm.broker.imbsslsocket.MbSslSocket.initiateSslHandshake(MbSslSocket.java:169)
2015-07-16 23:48:13.825 18 Caused by: java.security.cert.CertificateException: No X509TrustManager implementation available
2015-07-16 23:48:13.825 18 at com.ibm.jsse2.v.checkServerTrusted(v.java:6)
2015-07-16 23:48:13.825 18 at com.ibm.jsse2.lb.a(lb.java:24)
2015-07-16 23:48:13.825 18 ... 9 more


What went wrong here?
Vitor
Posted: Fri Jul 17, 2015 4:32 am

Grand High Poobah

Joined: 11 Nov 2005
Posts: 26093
Location: Texas, USA

visasimbu wrote:
What went wrong here?


Your configuration.

What is this supposed to be:
visasimbu wrote:

Code:

mqsichangeproperties LOCALBRK -e EG -o ComIbmJVMManager -n keystoreFile -v C:\SIMBU\KEY\brokerkey.jks,JKS
mqsichangeproperties LOCALBRK -e EG -o ComIbmJVMManager -n truststoreFile -v C:\SIMBU\KEY\cacerts,JKS



You have one property in the -n list and two properties in the -v list.
_________________
Honesty is the best policy.
Insanity is the best defence.
visasimbu
Posted: Fri Jul 17, 2015 7:24 am

Disciple

Joined: 06 Nov 2009
Posts: 171

@Vitor,
I have changed the config to a single value with the commands below and restarted my local broker. Still facing the same issue. Is there any other clue in this? Thanks for your help.


Code:

mqsichangeproperties LOCALBRK -e EG -o ComIbmJVMManager -n keystoreFile -v C:\SIMBU\KEY\brokerkey.jks
mqsichangeproperties LOCALBRK -e EG -o ComIbmJVMManager -n truststoreFile -v C:\SIMBU\KEY\cacerts


Code:
C:\Program Files (x86)\IBM\MQSI\7.0>mqsireportproperties LOCALBRK -o BrokerRegistry -r

BrokerRegistry
  uuid='BrokerRegistry'
  brokerKeystoreType='JKS'
  brokerKeystoreFile='C:\SIMBU\KEY\brokerkey.jks'
  brokerKeystorePass='brokerKeystore::password'
  brokerTruststoreType='JKS'
  brokerTruststoreFile='C:\SIMBU\KEY\cacerts'
  brokerTruststorePass='brokerTruststore::password'
  httpConnectorPortRange=''
  httpsConnectorPortRange=''
  modeExtensions=''
  operationMode='enterprise'
  shortDesc=''
  longDesc=''

BIP8071I: Successful command completion.
Vitor
Posted: Fri Jul 17, 2015 7:38 am

Grand High Poobah

Joined: 11 Nov 2005
Posts: 26093
Location: Texas, USA

visasimbu wrote:
Is there any other clue in this?


The only clue is that you've still got something wrong. You need to work through this yourself, starting here.

Hint: what does this do that you don't?

Hint: what's different between your earlier posts and your more recent ones?


Do not despair.
_________________
Honesty is the best policy.
Insanity is the best defence.
visasimbu
Posted: Fri Jul 17, 2015 12:00 pm

Disciple

Joined: 06 Nov 2009
Posts: 171

Issue resolved.

Root cause -
I checked the algorithm used for the truststore file by going through the file "java.security" under "C:\Program Files (x86)\IBM\MQSI\7.0\jre16\lib\security". It says that the algorithm is PKIX.

Code:
ssl.KeyManagerFactory.algorithm=IbmX509
ssl.TrustManagerFactory.algorithm=PKIX



Solution -
I created a brand new PKCS12 truststore file using IBM Key Management and ran the broker commands below.


Code:

mqsichangeproperties LOCALBRK -e EG -o ComIbmJVMManager -n keystoreFile -v C:\SIMBU\KEY\brokerkey.jks
mqsichangeproperties LOCALBRK -e EG -o ComIbmJVMManager -n truststoreFile -v C:\SIMBU\KEY\key.p12

mqsisetdbparms LOCALBRK -n EG::keystorePass -u temp -p password
mqsisetdbparms LOCALBRK -n EG::truststorePass -u temp -p changeit

mqsichangeproperties LOCALBRK -o BrokerRegistry -n brokerKeystoreFile -v C:\SIMBU\KEY\brokerkey.jks
mqsichangeproperties LOCALBRK -o BrokerRegistry -n brokerTruststoreFile -v C:\SIMBU\KEY\key.p12

mqsisetdbparms LOCALBRK -n brokerKeystore::password -u temp -p password
mqsisetdbparms LOCALBRK -n brokerTruststore::password -u temp -p changeit

This works for me.

Thanks Vitor for your help.
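Added here as an example (it is not from the thread): a small Java check that opens a truststore outside the broker and separates the two ways a handshake can end up with no trust manager, the store not loading at all (wrong store type or password for the file) and the JVM's default TrustManagerFactory algorithm (ssl.TrustManagerFactory.algorithm in java.security, PKIX on the JRE quoted above) building no X509TrustManager from it. File, store type and password are command-line arguments, and the class name is made up.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

public class TruststoreCheck {
    // Loads the file as the given store type (JKS or PKCS12); a wrong type or password fails here,
    // which is a different failure from a store that loads but yields no trust manager.
    static KeyStore load(String file, String type, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance(type);
        InputStream in = new FileInputStream(file);
        try {
            ks.load(in, password);
        } finally {
            in.close();
        }
        return ks;
    }

    // Asks the default TrustManagerFactory algorithm (ssl.TrustManagerFactory.algorithm in
    // java.security, PKIX on the broker JRE above) to build an X509TrustManager from the store.
    static X509TrustManager trustManagerFor(KeyStore ks) throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) {
                return (X509TrustManager) tm;
            }
        }
        return null;
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 3) {
            System.err.println("usage: java TruststoreCheck <truststore-file> <JKS|PKCS12> <password>");
            System.exit(2);
        }
        KeyStore ks = load(args[0], args[1], args[2].toCharArray());
        System.out.println(args[0] + " loaded as " + args[1] + ", " + ks.size() + " entries");
        X509TrustManager tm = trustManagerFor(ks);
        if (tm == null) {
            System.out.println("FAIL: " + TrustManagerFactory.getDefaultAlgorithm() + " built no X509TrustManager");
            System.exit(1);
        }
        // getAcceptedIssuers() lists the CA certificates a handshake through this store will trust.
        System.out.println("OK: " + tm.getAcceptedIssuers().length + " trusted issuers");
    }
}
```

Run it under the same JRE the broker uses so the same java.security settings and security providers apply, once for the JKS truststore and once for the PKCS12 one, to see which step differs between the two.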