| Author |
Message
|
| Zeeshan Ali |
 Posted: Wed Jul 29, 2015 4:52 am Post subject: consuming Https rest services in IIB V9 |
 |
|
Newbie
Joined: 29 Jul 2015
Posts: 9
|
I have created one API using IBM API Management which is HTTPS url.
From this REST API I am getting JSON response.
My Scenario is I have to consume the response in IIB V9 using HTTP Request Node But I am geting SSL Handshaking Error.
Can anyone suggest proper steps to get json response in IIB V9. |
|
| Back to top |
|
 |
| Vitor |
| Posted: Wed Jul 29, 2015 5:08 am Post subject: Re: consuming Https rest services in IIB V9 |
|
|
Grand High Poobah
Joined: 11 Nov 2005
Posts: 26093
Location: Texas, USA
|
| Zeeshan Ali wrote: |
| Can anyone suggest proper steps to get json response in IIB V9. |
Yes. Fix this:
| Zeeshan Ali wrote: |
| I am geting SSL Handshaking Error |
This is nothing to do with REST, API management or a JSON message. It's a fault in the SSL configuration which causes the 2 ends to fail to handshake.
Fix your SSL.
And before you post "please suggest proper steps to fix the SSL", it's impossible to determine from your post what the problem is. Possible problems include but are not limited to:
- invalid personal certificate on IIB
- invalid personal certificate on the other end
- signer certificate missing from IIB
- signer certificate missing from the other end
- broken certificate chain in IIB
- broken certificate chain on the other end
If (for example) you're actually using the IBM cloud API management (the public one) then you can probably discount configuration issues at the other end as we assume IBM have it working.
If (for example) IIB can successfully use other HTTPS URLs from the same EG then you can probably discount issues with the basic broker configuration.
There should also be rather more error messages than a single "SSL Handshake error". There should be a fairly specific one on what went wrong with the handshake.
_________________
Honesty is the best policy.
Insanity is the best defence. |
|
| Back to top |
|
|
| Zeeshan Ali |
| Posted: Wed Jul 29, 2015 5:55 am Post subject: |
|
|
Newbie
Joined: 29 Jul 2015
Posts: 9
|
Actually I have to consume the REST services which is Https In IIB V9.
So, I m looking for proper steps to configure broker.
I am using HTTPInputNode-->HttpRequestNode--->MQOutputNode |
|
| Back to top |
|
|
| Vitor |
| Posted: Wed Jul 29, 2015 6:12 am Post subject: |
|
|
Grand High Poobah
Joined: 11 Nov 2005
Posts: 26093
Location: Texas, USA
|
| Zeeshan Ali wrote: |
| So, I m looking for proper steps to configure broker. |
You don't need to do anything in terms of broker configuration, except you might want to alter the port that the HTTPInput node is listening on. You do need to set up application specific items such as the URL the HTTPInput services, the URL the HTTPRequest calls and so forth.
You don't need to "enable" JSON.
You do need to configure SSL to use HTTPS.
_________________
Honesty is the best policy.
Insanity is the best defence. |
|
| Back to top |
|
|
| Zeeshan Ali |
| Posted: Wed Jul 29, 2015 6:23 am Post subject: |
|
|
Newbie
Joined: 29 Jul 2015
Posts: 9
|
|
| Back to top |
|
|
| mqjeff |
| Posted: Wed Jul 29, 2015 6:39 am Post subject: |
|
|
Grand Master
Joined: 25 Jun 2008
Posts: 17447
|
|
| Back to top |
|
|
| fjb_saper |
| Posted: Wed Jul 29, 2015 6:52 am Post subject: |
|
|
Grand High Poobah
Joined: 18 Nov 2003
Posts: 20756
Location: LI,NY
|
| Zeeshan Ali wrote: |
I am not using any httpInput node in my flow. I am using MQInput Node-->HttpRequestNode-->MQOutputNode.
. |
Doesn't matter much. The steps required to set up your PKI infrastructure are basically the same when setting up for an HTTPRequest node or an HTTPInput node.
You will require (for the HTTPRequest node) at a minimum a TrustStore with the relevant server's signer CA cert chain...
Search the knowledge center for PKI or public key infrastructure... 
_________________
MQ & Broker admin |
|
| Back to top |
|
|
| Vitor |
| Posted: Wed Jul 29, 2015 6:53 am Post subject: |
|
|
Grand High Poobah
Joined: 11 Nov 2005
Posts: 26093
Location: Texas, USA
|
| Zeeshan Ali wrote: |
| I am not using any httpInput node in my flow. I am using MQInput Node-->HttpRequestNode-->MQOuyputNode. |
So why did you post:
| Zeeshan Ali wrote: |
| I am using HTTPInputNode-->HttpRequestNode--->MQOutputNode |
| Zeeshan Ali wrote: |
| I am looking for SSL configuration steps In consumer flow. |
It's not configured in the flow, it's configured (as I said above) at the broker level. Start here. 
| Zeeshan Ali wrote: |
| So I am looking for Steps required to consume this services through HttpRequest Node. |
I suspect you have the needed steps for that, or you wouldn't have got the SSL handshake error.
_________________
Honesty is the best policy.
Insanity is the best defence. |
|
| Back to top |
|
|
| Zeeshan Ali |
| Posted: Thu Jul 30, 2015 5:57 am Post subject: |
|
|
Newbie
Joined: 29 Jul 2015
Posts: 9
|
I am looking for documents for consuming https service in IIB and my service is at cloud.
Please send me documents if you have any.
and I dont know the port number of my service which is at cloud.
Email Id: alishaan.ali21@gmail.com |
|
| Back to top |
|
|
| mqjeff |
| Posted: Thu Jul 30, 2015 6:10 am Post subject: |
|
|
Grand Master
Joined: 25 Jun 2008
Posts: 17447
|
You can not make an HTTP Request to a server without knowing it's port.
If they haven't told you a port, then assume it's the default HTTP Port.
Otherwise, as you've been told *several times*, you need to configure SSL for HTTPRequest nodes.
This is fully documented in the Knowledge Center.
Under the topic on configuring SSL for HTTPRequest nodes.
http://www.mqseries.net/phpBB2/viewtopic.php?t=70476
!!!!!!!
 |
|
| Back to top |
|
|
| Vitor |
| Posted: Thu Jul 30, 2015 6:15 am Post subject: |
|
|
Grand High Poobah
Joined: 11 Nov 2005
Posts: 26093
Location: Texas, USA
|
| Zeeshan Ali wrote: |
| I am looking for documents for consuming https service in IIB and my service is at cloud. |
Start here if you have not already done so. But the flow you've posted is exactly the sort of thing you need and I doubt there's a problem. The only actual problem you've described is with SSL, which has nothing directly to do with coding a flow to call a web service, and it doesn't matter to your flow if the target web service is in the cloud, in a local server or the Emerald City Somewhere Over The Rainbow. Though you do get some latency from the Emerald City servers.
Seriously. You seem to be refusing to believe you have the problem you have, and that you can fix it in code.
| Zeeshan Ali wrote: |
| and I dont know the port number of my service which is at cloud. |
Why do you think it's not on the default port and you have to quote one? What in the IBM documentation for API Management indicates that, but fails to indicate how to obtain the correct port number?
You're going to get a lot of emails with links and attachments to documents on how to do this. I urge you not to click or open any of them unless you are absolutely certain of the quality of your anti-virus and network security. You probably want to review your spam settings as well.
The web spiders will have your email address halfway across the Internet by now. It's very silly to post it in a public forum like this. 
_________________
Honesty is the best policy.
Insanity is the best defence. |
|
| Back to top |
|
|
| Zeeshan Ali |
| Posted: Fri Jul 31, 2015 3:27 am Post subject: |
|
|
Newbie
Joined: 29 Jul 2015
Posts: 9
|
I extracted a IBM API M signer certificate from HTTPS url.
I created keystore file keys.jks and added the above signer certificate (api.crt) and also added to my C:\Program Files\IBM\MQSI\9.0.0.0\jre17\lib\security\cacerts file also.
I runned following commands.
1> mqsistart Broker
2> mqsichangeproperties Broker -o BrokerRegistry -n brokerKeystoreFile -v C:\Program Files\IBM\MQSI\9.0.0.0\jre17\lib\security
3> mqsichangeproperties Broker -o BrokerRegistry -n brokerTruststoreFile -v C:\Program Files\IBM\MQSI\9.0.0.0\jre17\lib\security
4> mqsistop Broker
5> mqsisetdbparms Broker -n brokerKeystore::password -u ignore -p keystore_pass
6> mqsisetdbparms Broker -n brokerTruststore::password -u ignore -p truststore_pass
7> mqsistart Broker
and I am getting below error:
javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure |
|
| Back to top |
|
|
| Vitor |
| Posted: Fri Jul 31, 2015 3:55 am Post subject: |
|
|
Grand High Poobah
Joined: 11 Nov 2005
Posts: 26093
Location: Texas, USA
|
| Zeeshan Ali wrote: |
| I created keystore file keys.jks and added the above signer certificate (api.crt) and also added to my C:\Program Files\IBM\MQSI\9.0.0.0\jre17\lib\security\cacerts file also. |
Why? Solid start on deciding to create a PKI so you can use HTTPS, but why choose this specific series of steps? Also how do you "add" the cacerts file to a keystore? And why? Which section of the documentation is leading you to this?
| Zeeshan Ali wrote: |
I runned following commands.
1> mqsistart Broker
2> mqsichangeproperties Broker -o BrokerRegistry -n brokerKeystoreFile -v C:\Program Files\IBM\MQSI\9.0.0.0\jre17\lib\security
3> mqsichangeproperties Broker -o BrokerRegistry -n brokerTruststoreFile -v C:\Program Files\IBM\MQSI\9.0.0.0\jre17\lib\security
4> mqsistop Broker
5> mqsisetdbparms Broker -n brokerKeystore::password -u ignore -p keystore_pass
6> mqsisetdbparms Broker -n brokerTruststore::password -u ignore -p truststore_pass
7> mqsistart Broker
|
So why do you think a property called brokerKeystoreFile takes a directory as a value not a file name? I repeat the question for the truststore.
| Zeeshan Ali wrote: |
and I am getting below error:
javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure |
Yes, I imagine you are. I repeat my previous comment which, like most everything else you're told, you seem reluctant to believe:
| Vitor wrote: |
| There should also be rather more error messages than a single "SSL Handshake error". There should be a fairly specific one on what went wrong with the handshake |
Granted that previously, when you hadn't set up any PKI then the even the specific error would have been fairly generic, but as you work through this not knowing what specifically has gone wrong with the handshake will seriously impede your progress.
_________________
Honesty is the best policy.
Insanity is the best defence. |
|
| Back to top |
|
|
| Zeeshan Ali |
| Posted: Fri Jul 31, 2015 4:38 am Post subject: |
|
|
Newbie
Joined: 29 Jul 2015
Posts: 9
|
| Which steps is required you please tell me. |
|
| Back to top |
|
|
| mqjeff |
| Posted: Fri Jul 31, 2015 4:44 am Post subject: |
|
|
Grand Master
Joined: 25 Jun 2008
Posts: 17447
|
| Zeeshan Ali wrote: |
| Which steps is required you please tell me. |
Review the steps you've taken.
Review the steps in the knowledge center.
Review the basics of SSL - what a keystore is, what a truststore is, and what's the difference between a private cert and a public cert.
Combine the knowledge you have now gained to perform another attempt.
Carefully review all of the results - all of the error messages, all of the data you get back from a user trace.
Determine the next thing to try. OR celebrate success. |
|
| Back to top |
|
|
|
|
