smdavies99
Posted: Mon Sep 21, 2015 1:19 am    Post subject: SOAP HTTPS V7 to IIB 9 difference

I have a working SOAP flow that uses HTTPS on 7.0.0.4.
If I migrate this broker to V9 and do NOT replace the flow with a newly built one, it all keeps on working.
However, once I replace the originally deployed flow with one that has been migrated to an application, it has problems with the SSL, specifically the keystore (or at least that is what the exception list says).
For V7:
Code:
C:\Program Files\IBM\MQSI\7.0>mqsireportproperties PSTBRKR -e EG_3 -o HTTPSConnector -r
HTTPSConnector
uuid='HTTPSConnector'
userTraceLevel='none'
traceLevel='none'
userTraceFilter='none'
traceFilter='none'
port='7903'
address=''
allowTrace=''
maxPostSize=''
acceptCount=''
bufferSize=''
compressableMimeTypes=''
compression=''
connectionLinger=''
connectionTimeout=''
maxHttpHeaderSize=''
maxKeepAliveRequests=''
maxSpareThreads=''
maxThreads=''
minSpareThreads=''
noCompressionUserAgents=''
restrictedUserAgents=''
socketBuffer=''
tcpNoDelay=''
explicitlySetPortNumber='7903'
enableLookups=''
enableMQListener=''
shutdownDelay=''
autoRespondHTTPHEADRequests=''
algorithm=''
clientAuth='false'
keystoreFile='D:\SSL_Keystore\PRODKS.jks'
keystorePass='********'
keystoreType='JKS'
sslProtocol='TLS'
ciphers=''
keypass='********'
keyAlias=''
sslSessionTimeout=''
DefaultConnector
port='7903'
URLRegistration='/PSTReporting/PSTReportingService.svc'
nodeLabel='SF_PST_Reporting_SOAP_Input.SOAP Input'
outstandingRequests='0'
BIP8071I: Successful command completion.
C:\Program Files\IBM\MQSI\7.0>

We don't use any keys but are just using HTTPS at both ends.
This all works fine.
Now on a V9 (or V10) broker the HTTPSConnector is set up in the same way. The same .jks file is used. For testing I am using a different EG and thus a different port.
Code:
W:\Data\test>mqsireportproperties %BKR% -e EG_1 -o HTTPSConnector -r
HTTPSConnector
uuid='HTTPSConnector'
userTraceLevel='none'
traceLevel='none'
userTraceFilter='none'
traceFilter='none'
port='9701'
address=''
maxPostSize=''
maxSavePostSize=''
acceptCount=''
compressableMimeTypes=''
compression=''
connectionLinger=''
connectionTimeout=''
maxHttpHeaderSize=''
maxKeepAliveRequests=''
maxThreads=''
minSpareThreads=''
noCompressionUserAgents=''
restrictedUserAgents=''
socketBuffer=''
tcpNoDelay=''
explicitlySetPortNumber='9701'
enableLookups=''
enableMQListener=''
shutdownDelay=''
allowCrossConnectorPolling=''
autoRespondHTTPHEADRequests=''
integratedWindowsAuthentication=''
iwaTimeoutSeconds='300'
serverName=''
algorithm=''
clientAuth=''
keystoreFile='d:\SSL_Keystore\PROD.jks'
keystorePass='********'
keystoreType='JKS'
truststoreFile=''
truststorePass=''
truststoreType=''
sslProtocol='TLS'
ciphers=''
keypass=''
keyAlias=''
sslSessionTimeout=''
crlFile=''
propagateClientCert=''
sessionCacheSize=''
Connector
cachedSSLSessions='0'
port='9701'
type='Embedded'
URLRegistration
url='/PSTReporting/PSTReportingService.svc'
outstandingRequests='0'
UsedBySOAPNNodes='TRUE'
UsedByHTTPNNodes='FALSE'
nodeLabel='SF_PST_SOAP_Input.SOAP Input'
BIP8071I: Successful command completion.
W:\Data\test>

But when I try to use another flow from within the same EG to send some data to the web service, the sending flow fails with an error.
Code:
(0x01000000:Name ):SocketException = (
(0x03000000:NameValue):File = 'F:\build\slot1\S900_P\src\WebServices\WSLibrary\ImbSocket.cpp' (CHARACTER)
(0x03000000:NameValue):Line = 1355 (INTEGER)
(0x03000000:NameValue):Function = 'ImbSocketJNIManager::handleGeneralJavaException' (CHARACTER)
(0x03000000:NameValue):Type = '' (CHARACTER)
(0x03000000:NameValue):Name = '' (CHARACTER)
(0x03000000:NameValue):Label = '' (CHARACTER)
(0x03000000:NameValue):Catalog = 'BIPmsgs' (CHARACTER)
(0x03000000:NameValue):Severity = 3 (INTEGER)
(0x03000000:NameValue):Number = 3165 (INTEGER)
(0x03000000:NameValue):Text = 'An error occurred whilst performing an SSL socket operation' (CHARACTER)
(0x01000000:Name ):Insert = (
(0x03000000:NameValue):Type = 5 (INTEGER)
(0x03000000:NameValue):Text = 'setSSLOptions' (CHARACTER)
)
(0x01000000:Name ):Insert = (
(0x03000000:NameValue):Type = 5 (INTEGER)
(0x03000000:NameValue):Text = 'java.security.KeyStoreException: IBMKeyManager:
Problem accessing key store java.io.IOException: Keystore was tampered with, or password was incorrect' (CHARACTER)
)

The keystore is accessible using the MQ tool with the correct password.
Naturally, everything works fine using HTTP rather than HTTPS.
I have to make some changes to the flow and really don't want to have to do it with a V7 Toolkit.
I'm probably missing something silly but for the life of me, I can't see what it is.
_________________
WMQ User since 1999
MQSI/WBI/WMB/'Thingy' User since 2002
Linux user since 1995
Every time you reinvent the wheel the more square it gets (anon). If in doubt think and investigate before you ask silly questions.
Last edited by smdavies99 on Mon Sep 21, 2015 2:13 am; edited 2 times in total

mayheminMQ
Posted: Mon Sep 21, 2015 2:00 am

Hi,
Hopefully this is not the cause, but between the v7 and v9 output I can see a difference in the jks file name itself, as one states Prod and the other states SIT. Also the protocol of the configurable property appears different, as v9 states SSL while the v7 one is defined as TLS.
_________________
A Colorblind man may appear disadvantaged but he always sees more than just colors...

smdavies99
Posted: Mon Sep 21, 2015 2:11 am

mayheminMQ wrote:
Hi,
Hopefully this is not the cause, but between the v7 and v9 output I can see a difference in the jks file name itself, as one states Prod and the other states SIT. Also the protocol of the configurable property appears different, as v9 states SSL while the v7 one is defined as TLS.

Ok, the first one was a mistake in my 'anonymizing' of the details.
This has been corrected.
The second one was from an older text grab. It is now TLS and there is no change to the error.
Thanks for spotting the mistakes.
However, AFAIK, because I'm not using any keys the SSL/TLS part does not matter. I might be wrong though.

smdavies99
Posted: Mon Sep 21, 2015 4:46 am

I've been doing some more digging into this.
1) Calling the WebService (V9 application) from SOAP-UI over HTTPS works.
2) Trying to put a SOAP Request inside a message flow to do the same fails.
Code:
2015-09-21 15:28:24.397998 1280 SocketException BIP3165S: An error occurred whilst performing an SSL socket operation. Operation: 'setSSLOptions'. Error Text: 'java.security.KeyStoreException: IBMKeyManager: Problem accessing key store java.io.IOException: Keystore was tampered with, or password was incorrect'.
This may be a temporary error, such as a server not responding, or a symptom of an invalid hostname or port number.
See the following messages for information pertaining to this error.

Even running the flow in the same EG as the WebService results in the same error.
The SOAP Request node must do things a bit differently to the SOAP Input node.
Still baffled.

mqjeff
Posted: Mon Sep 21, 2015 5:30 am

The SOAPRequest node doesn't use the HTTP/HTTPS Connector.
Those are for inbound connections, not outbound.
I can't really say why it works from the v7 flow that's not in an application, though.
_________________
chmod -R ugo-wx /

smdavies99
Posted: Mon Sep 21, 2015 6:01 am

mqjeff wrote:
The SOAPRequest node doesn't use the HTTP/HTTPS Connector.

What does it use then? How would it get the SSL/TLS key data then? Does it use the JVM (ComIbmJVM....)?

mqjeff
Posted: Mon Sep 21, 2015 6:35 am

mgk
Posted: Mon Sep 21, 2015 6:51 am

For outbound, HTTP/SOAP Request nodes do not need a key unless they are talking to a server that requests one (mutual auth or two-way SSL). By default they use the cacerts that comes with the JVM to decide if they trust the remote server cert, although you can configure them to use a different truststore if you need to. Like Jeff said, the HTTP(S)Connector is only used on inbound by the HTTP/SOAP Input nodes. The only change I can think of that you may hit is that later versions of V9.0.0.? (and 10.0.0.x) disallow SSL OOTB and default to TLS, which was not the case in V7. You can re-enable SSL if you really need it, but it's off by default for security reasons...
Kind regards,
_________________
MGK
The postings I make on this site are my own and don't necessarily represent IBM's positions, strategies or opinions.

smdavies99
Posted: Mon Sep 21, 2015 7:07 am

mgk wrote:
For outbound, HTTP/SOAP Request nodes do not need a key unless they are talking to a server that requests one (mutual auth or two-way SSL). By default they use the cacerts that comes with the JVM to decide if they trust the remote server cert, although you can configure them to use a different truststore if you need to. Like Jeff said, the HTTP(S)Connector is only used on inbound by the HTTP/SOAP Input nodes. The only change I can think of that you may hit is that later versions of V9.0.0.? (and 10.0.0.x) disallow SSL OOTB and default to TLS, which was not the case in V7. You can re-enable SSL if you really need it, but it's off by default for security reasons...
Kind regards,

Ok, I'm sort of getting a bit of the picture now.
If I understand you correctly, then this error
Code:
SocketException BIP3165S: An error occurred whilst performing an SSL socket operation. Operation: 'setSSLOptions'. Error Text: 'java.security.KeyStoreException: IBMKeyManager: Problem accessing key store java.io.IOException: Keystore was tampered with, or password was incorrect'.

is because the endpoint has requested a key?
No keys are in the keystore and it works from SOAP-UI.
Still a bit confused as to where this error originates.

mgk
Posted: Mon Sep 21, 2015 7:45 am

This error is returned before an outbound connection request has been made, because of a set-up problem. So to me this error looks like the V9/10 set-up has an IntegrationNode keystore defined with an incorrect/empty password. To see what is defined, run this command on V7 and V9/10 and compare the output:
Code:
mqsireportproperties <integrationNodeName> -o BrokerRegistry -r

The PKI setup info is here: http://www-01.ibm.com/support/knowledgecenter/SSMKHH_10.0.0/com.ibm.etools.mft.doc/ap34020_.htm?lang=en
but if I understand you correctly, you do not need to set this up, you just need to make sure it is not set up.
Kind regards,

smdavies99
Posted: Mon Sep 21, 2015 8:11 am

mgk wrote:
but if I understand you correctly, you do not need to set this up, you just need to make sure it is not set up

Ok. I'll do some more testing tomorrow, but it seems to me that if I need to have one SSL/TLS setup with a key and one without a key, they can't be on the same broker because one needs the broker-wide setup and the other does not.
I'll start with a clean broker tomorrow and see what transpires.

mgk
Posted: Mon Sep 21, 2015 8:21 am

What I'm trying to say is that it looks like you do not have a keystore in V7, so everything works. However on V9/10 you have accidentally defined a keystore which the Node tries to open and can't, giving the exception. Removing the definition of the keystore should put the Node back to a V7-like config set-up and hopefully work. Of course, this is just my speculation at this point...

fjb_saper
Posted: Mon Sep 21, 2015 1:10 pm

Don't know if V7 used to give information about a truststore...
In the output I see that V9 (V10) does, but you did not define one?
Even if the truststore is the same file as the keystore, it is good policy to set it up...
Also, typically, to have the request call go out over https, make sure you have the following defined either on the request node or in its override properties for the environment:
use https true
keyname => this is the name of the private key to use for the call. It is the label of that key in the keystore.
I usually don't leave any of this to default to something. Either it is a mandated key by the partner, or I simply put the broker's key label there.
Last but certainly not LEAST, you will have to verify the key length and available algorithms in the keystore. You may need new keys as the versions of Java go up; fewer and fewer of the old keys (and algorithms) are still acceptable...
_________________
MQ & Broker admin

smdavies99
Posted: Mon Sep 21, 2015 10:13 pm

fjb_saper wrote:
Also, typically, to have the request call go out over https, make sure you have the following defined either on the request node or in its override properties for the environment:
use https true

Done.
Quote:
keyname => this is the name of the private key to use for the call. It is the label of that key in the keystore.
I usually don't leave any of this to default to something. Either it is a mandated key by the partner, or I simply put the broker's key label there.
Last but certainly not LEAST, you will have to verify the key length and available algorithms in the keystore. You may need new keys as the versions of Java go up; fewer and fewer of the old keys (and algorithms) are still acceptable...

There are no keys being used, just HTTPS. I guess that might be part of the problem but I'm no expert in this area. As I said, SOAP-UI works OOTB. I'm just trying to get broker to do the same.

smdavies99
Posted: Tue Sep 22, 2015 1:22 am

I created a clean broker on another VM using IIB10.
After deploying the flow with NOTHING set up and sending a message to it, I got the following:
Code:
An error occurred whilst performing an SSL socket operation | connect | javax.net.ssl.SSLHandshakeException: com.ibm.jsse2.util.j:
PKIX path building failed: java.security.cert.CertPathBuilderException: unable to find valid certification path to requested target

This indicates to me that a keystore/truststore needs to be defined.
Remember that all I want to do is send SOAP/HTTPS to a broker flow without specifying any keys. The target responds to SOAP-UI OOTB. I can also get the ?wsdl returned using a browser.
So I defined a key/trust store.
Code:
set SHARED_DRIVE=C:
set KEYSTORE_DIR=SSL_Keystore
set PWD=Numpty1066
set KEYDIR=%SHARED_DRIVE%\%KEYSTORE_DIR%
set KEYSTORE=MYSTORE
%MQSI_JREPATH%\bin\ikeycmd -keydb -create -db %KEYDIR%\%KEYSTORE%.jks -type jks -pw %PWD%

and then did the following to the broker.
Code:
SET BKR=TESTBRKR
mqsichangeproperties %BKR% -o BrokerRegistry -n brokerKeystoreFile -v %KEYDIR%\%KEYSTORE%.jks
mqsichangeproperties %BKR% -o BrokerRegistry -n brokerTruststoreFile -v %KEYDIR%\%KEYSTORE%.jks
mqsistop %BKR%
mqsisetdbparms %BKR% -n brokerKeystore::password -u na -p %PWD%
mqsisetdbparms %BKR% -n brokerTruststore::password -u na -p %PWD%
mqsistart %BKR%

{the above steps were done using a single script}
Then the error returned was:
Code:
An error occurred whilst performing an SSL socket operation | connect | javax.net.ssl.SSLException: java.lang.RuntimeException:
Unexpected error: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty

This is where I am at present. If only the customer wanted to use a proper key for the connection to the endpoint, life would be a lot simpler.
As usual, thoughts (and brickbats) welcome.

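The "trustAnchors parameter must be non-empty" error in the last post is what the JVM reports when the configured truststore exists but holds no trusted certificate entries; the earlier "PKIX path building failed" is what it reports when the endpoint's issuing CA is not among them. As an added example (not the thread's own script, and not IBM's), this continuation of the script above checks the store password, then imports the endpoint's CA certificate as a trust anchor and verifies the result; it assumes keytool in %MQSI_JREPATH%\bin and a CA certificate file ENDPOINT_CA.cer obtained from the service owner (both assumptions, placeholder names).

```batch
@echo off
setlocal
REM Added example, not from the thread: give the empty truststore a trust anchor.
REM Same variables as the earlier script; ENDPOINT_CA.cer and the label are
REM placeholder names for the CA certificate supplied by the service owner.
set SHARED_DRIVE=C:
set KEYSTORE_DIR=SSL_Keystore
set PWD=Numpty1066
set KEYDIR=%SHARED_DRIVE%\%KEYSTORE_DIR%
set KEYSTORE=MYSTORE
set BKR=TESTBRKR
set CA_CERT=%KEYDIR%\ENDPOINT_CA.cer
set CA_LABEL=pstreporting-ca
set KEYTOOL=%MQSI_JREPATH%\bin\keytool

REM 1. Check the password first. The same PWD value was stored with mqsisetdbparms,
REM    so a failure here is the "Keystore was tampered with, or password was
REM    incorrect" error seen earlier in the thread, before any certificate work.
%KEYTOOL% -list -keystore %KEYDIR%\%KEYSTORE%.jks -storepass %PWD% >nul 2>&1
if errorlevel 1 (
  echo Truststore password does not match - fix mqsisetdbparms before going on
  exit /b 1
)

REM 2. Review the CA certificate before trusting it: subject, issuer, validity,
REM    signature algorithm and key size (the check fjb_saper's post recommends).
%KEYTOOL% -printcert -file %CA_CERT%

REM 3. Import it as a trusted certificate entry. No private key is involved;
REM    this only tells the JVM which issuer to trust for the outbound call.
%KEYTOOL% -importcert -noprompt -alias %CA_LABEL% -file %CA_CERT% ^
  -keystore %KEYDIR%\%KEYSTORE%.jks -storepass %PWD%
if errorlevel 1 exit /b 1

REM 4. Confirm the store now holds a trustedCertEntry (otherwise the trustAnchors
REM    error will persist), confirm the broker points at it (mgk's
REM    mqsireportproperties check), then restart so the node re-reads the stores.
%KEYTOOL% -list -keystore %KEYDIR%\%KEYSTORE%.jks -storepass %PWD% | findstr /i "trustedCertEntry"
if errorlevel 1 (
  echo No trusted entries in truststore - the trustAnchors error will persist
  exit /b 1
)
mqsireportproperties %BKR% -o BrokerRegistry -r | findstr /i "brokerKeystoreFile brokerTruststoreFile"
mqsistop %BKR%
mqsistart %BKR%
endlocal
```

If the broker truststore is left undefined instead, the Request node falls back to the JVM cacerts, as mgk's post describes, so the same CA entry would then have to be present there.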