shinchan |
Posted: Wed Oct 14, 2015 5:23 pm Post subject: Error calling SSL webservice |
|
|
Newbie
Joined: 18 Nov 2013 Posts: 6
|
Hi
I got a pfx certificate that I have to use to call a webservice with a SOAPRequest Node, so I transformed the certificate to pem extension and then I added it to a jks.
It does not need mutual auth.
I used code that I saw in another topic.
IIB version: 9.0.0.4
Code: |
--transform from pfx to pem
openssl pkcs12 -in certificateX.pfx -out certificateX.pem
-- create a certificate repository
runmqckm -keydb -create -db GE_Truststore -pw password -type jks
-- Add a certificate to repository
runmqckm -cert -add -db GE_Truststore.jks -label LABELX -file certificateX.pem -format binary
-- verify the certificate was successfully added
runmqckm -cert -details -db GE_Truststore.jks -label LABELX
-- add the certificate as trust at broker level
mqsichangeproperties IIB9 -e GE -o ComIbmJVMManager -n truststoreFile -v /opt/IBM/mqsi/9.0.0.4/GE_Truststore.jks
mqsichangeproperties IIB9 -e GE -o ComIbmJVMManager -n truststorePass -v GE_Truststore::password
mqsichangeproperties IIB9 -e GE -o ComIbmJVMManager -n truststoreType -v JKS
mqsichangeproperties IIB9 -b httplistener -o HTTPListener -n enableSSLConnector -v true
mqsichangeproperties IIB9 -b httplistener -o HTTPSConnector -n sslProtocol -v SSL
mqsistop IIB9
--Set password for truststore
mqsisetdbparms IIB9 -n GE_Truststore::password -u ignore -p password
mqsistart IIB9
|
The flow has MQInput -> Compute -> Subflow (dragging wsdl) -> MQOutput
The SOAPRequest node inside the subflow has these properties:
URL: https://example.com/path
Protocol: SSLv3
others by default
When I tested it I got this error:
Code: |
Text:CHARACTER:A Web Service request has detected a SOCKET error whilst invoking a web service located at host &1, on port &2, on path &3.
Insert
Type:INTEGER:5
Text:CHARACTER:example.com
Insert
Type:INTEGER:2
Text:CHARACTER:443
Insert
Type:INTEGER:5
Text:CHARACTER:/path
SocketException
File:CHARACTER:F:\build\slot1\S900_P\src\WebServices\WSLibrary\ImbSocket.cpp
Line:INTEGER:1333
Function:CHARACTER:ImbSocketJNIManager::handleGeneralJavaException
Type:CHARACTER:
Name:CHARACTER:
Label:CHARACTER:
Catalog:CHARACTER:BIPmsgs
Severity:INTEGER:3
Number:INTEGER:3165
Text:CHARACTER:An error occurred whilst performing an SSL socket operation
Insert
Type:INTEGER:5
Text:CHARACTER:connect
Insert
Type:INTEGER:5
Text:CHARACTER:java.lang.StringIndexOutOfBoundsException
|
I don't know what I'm doing wrong. Does someone have any comment, idea or help?
Thanks in advance. |
|
smdavies99 |
Posted: Wed Oct 14, 2015 9:56 pm Post subject: |
|
|
 Jedi Council
Joined: 10 Feb 2003 Posts: 6076 Location: Somewhere over the Rainbow this side of Never-never land.
|
I know that this isn't the root cause but why are you using SSL?
SSL is basically as good as sending plain text these days. You really should be moving to TLS.
The set of commands you used were clearly for a much older version of the product. You don't need to stop the Broker to run the mqsisetdbparms any more.
The script was also aimed more at a broker that had to receive WebService requests hence the setting of the HTTPListener etc.
The error seems to be BIP3165 and refers to a Java error. Do you use any User written Java Code in your flow by any chance? _________________ WMQ User since 1999
MQSI/WBI/WMB/'Thingy' User since 2002
Linux user since 1995
Every time you reinvent the wheel the more square it gets (anon). If in doubt think and investigate before you ask silly questions. |
|
fjb_saper |
Posted: Thu Oct 15, 2015 4:17 am Post subject: |
|
|
 Grand High Poobah
Joined: 18 Nov 2003 Posts: 20756 Location: LI,NY
|
Not so sure about that. It looks like it is a socket error. This could be due to the fact that if you are up to date, SSL(v3) is no longer supported and you need to specifically re-enable it or use TLS.
Have fun  _________________ MQ & Broker admin |
|
Vitor |
Posted: Thu Oct 15, 2015 4:43 am Post subject: Re: Error calling SSL webservice |
|
|
 Grand High Poobah
Joined: 11 Nov 2005 Posts: 26093 Location: Texas, USA
|
shinchan wrote: |
Does someone have any comment, idea or help? |
Well, I echo the comments about using SSLv3.
More importantly I saw a lot of that error when our network people unilaterally banned the use of SSLv3 and adjusted the network equipment (load balancers, switches and so forth) to block non-TLS traffic and all the SSLv3 flows in test stopped working. Apparently the change request was officially "low risk, low impact" as it was a non-Prod subnet, the notification that it was being done was subsequently found in a disused toilet of an inaccessible dark basement in a locked filing cabinet bearing a sign "Beware Of The Leopard".
Check with your network people nothing is blocking SSLv3 in their layer. Or try again with TLS. _________________ Honesty is the best policy.
Insanity is the best defence. |
|
mqjeff |
Posted: Thu Oct 15, 2015 5:10 am Post subject: |
|
|
Grand Master
Joined: 25 Jun 2008 Posts: 17447
|
Every change the network people make is always "low impact, low risk".
 _________________ chmod -R ugo-wx / |
|
shinchan |
Posted: Thu Oct 15, 2015 3:41 pm Post subject: |
|
|
Newbie
Joined: 18 Nov 2013 Posts: 6
|
Thanks everybody for your answers.
Quote: |
why are you using SSL?
|
Because the server is exposing it through SSLv3.
Quote: |
You really should be moving to TLS.
|
Anyway I tried with TLS protocol and I received another error:
Code: |
Text:CHARACTER:A Web Service request has detected a SOCKET error whilst invoking a web service located at host &1, on port &2, on path &3.
Insert
Type:INTEGER:5
Text:CHARACTER:example.com
Insert
Type:INTEGER:2
Text:CHARACTER:443
Insert
Type:INTEGER:5
Text:CHARACTER:/path
SocketException
File:CHARACTER:F:\build\slot1\S900_P\src\WebServices\WSLibrary\ImbSocket.cpp
Line:INTEGER:1333
Function:CHARACTER:ImbSocketJNIManager::handleGeneralJavaException
Type:CHARACTER:
Name:CHARACTER:
Label:CHARACTER:
Catalog:CHARACTER:BIPmsgs
Severity:INTEGER:3
Number:INTEGER:3165
Text:CHARACTER:An error occurred whilst performing an SSL socket operation
Insert
Type:INTEGER:5
Text:CHARACTER:connect
Insert
Type:INTEGER:5
Text:CHARACTER:javax.net.ssl.SSLHandshakeException: Server chose SSLv3, but that protocol version is not enabled or not supported by the client
|
Quote: |
The set of commands you used were clearly for a much older version of the product. You don't need to stop the Broker to run the mqsisetdbparms any more.
|
Do you mean just the mqsisetdbparms command, or also the runmqckm command?
Quote: |
The script was also aimed more at a broker that had to receive WebService requests hence the setting of the HTTPListener etc.
|
Yes, it is my fault, it is not correct.
Quote: |
BIP3165 and refers to a Java error. Do you use any User written Java Code in your flow by any chance? |
No, I don't. I am only using MQInput -> Compute -> Subflow (dragging wsdl) -> MQOutput
Quote: |
Not so sure about that. It looks like it is a socket error. This could be due to the fact that if you are up to date, SSL(v3) is no longer supported and you need to specifically re-enable it or use TLS. |
Sorry, I forgot to mention that I also ran this command:
Code: |
mqsichangeproperties BK9 -e GE9 -o ComIbmJVMManager -n allowSSLv3 -v true |
Quote: |
Check with your network people nothing is blocking SSLv3 in their layer. |
It is not blocked. I tried through SOAPUI, loading the pfx certificate, with success |
|
fjb_saper |
Posted: Thu Oct 15, 2015 6:30 pm Post subject: |
|
|
 Grand High Poobah
Joined: 18 Nov 2003 Posts: 20756 Location: LI,NY
|
shinchan wrote: |
Thanks everybody for your answers.
Quote: |
why are you using SSL?
|
Because the server is exposing it through SSLv3.
Quote: |
You really should be moving to TLS.
|
Anyway I tried with TLS protocol and I received another error:
Code: |
Text:CHARACTER:javax.net.ssl.SSLHandshakeException: Server chose SSLv3, but that protocol version is not enabled or not supported by the client
|
|
You have an SSL problem. Even though you ran the command to enable SSLv3, did you bounce the broker after that? Anyways it looks like the broker is not accepting the downgrade requested by the server from TLS to SSLv3.
Nothing else to do but read up on SSL in the manual and google developerworks for the relevant articles...
Have fun  _________________ MQ & Broker admin |
|
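Added example, not part of any post in this thread: a small Python triage script that reads a flattened exception dump like the two shown above, groups each message with its inserts, and labels the innermost cause. The function names and the three labels are assumptions made for this example; the sample input is constructed from the second dump in the thread.

```python
import re

# Constructed sample: lines from the second dump above, trimmed to the fields used here.
SAMPLE = """\
Text:CHARACTER:A Web Service request has detected a SOCKET error whilst invoking a web service located at host &1, on port &2, on path &3.
Insert
Type:INTEGER:5
Text:CHARACTER:example.com
Insert
Type:INTEGER:2
Text:CHARACTER:443
Insert
Type:INTEGER:5
Text:CHARACTER:/path
Text:CHARACTER:An error occurred whilst performing an SSL socket operation
Insert
Type:INTEGER:5
Text:CHARACTER:connect
Insert
Type:INTEGER:5
Text:CHARACTER:javax.net.ssl.SSLHandshakeException: Server chose SSLv3, but that protocol version is not enabled or not supported by the client
"""

FIELD = re.compile(r"^(\w+):(\w+):(.*)$")   # Name:TYPE:value
CHOSE = re.compile(r"Server chose (\S+), but that protocol version is not enabled")

def parse_dump(text):
    """Group each message Text with the Insert values that follow it."""
    messages, in_insert = [], False
    for raw in text.splitlines():
        if raw.strip() == "Insert":
            in_insert = True          # the next Text line is an insert value
        m = FIELD.match(raw.strip())
        if not m or m.group(1) != "Text":
            continue                  # Insert/Type/Number/File lines carry no text
        if in_insert and messages:
            messages[-1]["inserts"].append(m.group(3))
        else:
            messages.append({"text": m.group(3), "inserts": []})
        in_insert = False
    return messages

def classify(messages):
    """Label the innermost cause (last insert of the last message)."""
    cause = messages[-1]["inserts"][-1]
    hit = CHOSE.search(cause)
    if hit:
        return ("protocol_mismatch", hit.group(1))   # server picked a version the client JVM rejects
    return ("tls_error" if cause.startswith("javax.net.ssl.") else "unclassified", None)
```

Run over the first dump in the thread, the cause is a bare java.lang.StringIndexOutOfBoundsException, which this script labels as unclassified because the text says nothing about the protocol.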