samuk (Newbie; Joined: 10 Dec 2015; Posts: 6)
Posted: Thu Dec 10, 2015 11:57 am    Post subject: Enable SSL for HTTPS Service Invocation
Hi,
I am trying to call a service over HTTPS using an HTTPRequest node (within a message flow). It will be mutual authentication, so both the broker and the service provider will validate each other. I have a dedicated EG to host my flow and want to enable SSL at the EG level. I have created a JKS keystore and a truststore to hold the following:
Keystore -> private key, signed certificate, certificate chain
Truststore -> root and sub-CA certificates as shared by the provider. I imported them into the broker cacerts file and added the same to a JKS truststore file.
Next, I executed the commands below to associate the keystore and the truststore with my EG.
mqsichangeproperties <BROKER> -e <EG Name> -o ComIbmJVMManager -n keystoreFile -v <Keystore File>
mqsichangeproperties <BROKER> -e <EG Name> -o ComIbmJVMManager -n keystoreType -v JKS
mqsichangeproperties <BROKER> -e <EG Name> -o ComIbmJVMManager -n keystorePass -v <Password>
mqsichangeproperties <BROKER> -e <EG Name> -o ComIbmJVMManager -n truststoreFile -v <Truststore File>
mqsichangeproperties <BROKER> -e <EG Name> -o ComIbmJVMManager -n truststoreType -v JKS
mqsichangeproperties <BROKER> -e <EG Name> -o ComIbmJVMManager -n truststorePass -v <Password>
I restarted the broker as well.
Now when the HTTPRequest node makes the service call, it fails with "java.security.NoSuchAlgorithmException: SSLContext Default implementation not found:".
Drilling further into the stack trace, I see it complains about not being able to locate the keystore file.
I have cross-checked the keystore file location and the keystore file name, and they are the same as those I used in the commands above.
Is there anything I am missing here? Any suggestion is appreciated.
Vitor (Grand High Poobah; Joined: 11 Nov 2005; Posts: 26093; Location: Texas, USA)
Posted: Thu Dec 10, 2015 12:11 pm    Post subject: Re: Enable SSL for HTTPS Service Invocation
samuk wrote:
    Is there anything I am missing here? Any suggestion is appreciated.

Have you quoted the full, absolute path in the mqsichangeproperties commands?
Does the id running the broker have file permissions on the files?
_________________
Honesty is the best policy. Insanity is the best defence.
fjb_saper (Grand High Poobah; Joined: 18 Nov 2003; Posts: 20756; Location: LI,NY)
Posted: Thu Dec 10, 2015 12:20 pm
Review your example from the infocenter. You did not properly follow the password part. You should need to pass the password with
Have fun
_________________
MQ & Broker admin
samuk (Newbie; Joined: 10 Dec 2015; Posts: 6)
Posted: Thu Dec 10, 2015 7:27 pm
@Vitor - Yes, I have used the absolute path (for example, C:\Keys\keystore.jks). We have WMB v7.0 hosted on Windows. The id also has full permissions.
@fjb_saper - I will try that. Thanks.
samuk (Newbie; Joined: 10 Dec 2015; Posts: 6)
Posted: Thu Dec 10, 2015 11:33 pm
I tried afresh with the set of commands below, as suggested in the Infocenter, but I continue to see the KeyStore exception.
http://www-01.ibm.com/support/knowledgecenter/SSKM8N_7.0.0/com.ibm.etools.mft.doc/ap34020_.htm
D:\IBM\MQSI\7.0>mqsichangeproperties BROKER -e EG -o ComIbmJVMManager -n keystoreFile -v D:\IBM\MQSI\7.0\jre16\lib\security\EG\EG_KS.jks
BIP8071I: Successful command completion.
D:\IBM\MQSI\7.0>mqsichangeproperties BROKER -e EG -o ComIbmJVMManager -n keystorePass -v EG_KS::password
BIP8071I: Successful command completion.
D:\IBM\MQSI\7.0>mqsichangeproperties BROKER -e EG -o ComIbmJVMManager -n truststoreFile -v D:\IBM\MQSI\7.0\jre16\lib\security\EG\EG_TS.jks
BIP8071I: Successful command completion.
D:\IBM\MQSI\7.0>mqsichangeproperties BROKER -e EG -o ComIbmJVMManager -n truststorePass -v EG_TS::password
BIP8071I: Successful command completion.
D:\IBM\MQSI\7.0>mqsistop BROKER
BIP8071I: Successful command completion.
D:\IBM\MQSI\7.0>mqsisetdbparms BROKER -n EG_KS::password -u ignore -p keypass
BIP8071I: Successful command completion.
D:\IBM\MQSI\7.0>mqsisetdbparms BROKER -n EG_TS::password -u ignore -p trustpass
BIP8071I: Successful command completion.
D:\IBM\MQSI\7.0>mqsistart BROKER
BIP8096I: Successful command initiation, check the system log to ensure that the component started without problem and that it continues to run without problem.
D:\IBM\MQSI\7.0>mqsireportproperties BROKER -e EG -o ComIbmJVMManager -r
ComIbmJVMManager
uuid='ComIbmJVMManager'
userTraceLevel='none'
traceLevel='none'
userTraceFilter='none'
traceFilter='none'
resourceStatsReportingOn='inactive'
resourceStatsMeasurements='<ResourceStatsSwitches ResourceType="JVM" version='1'> <Measurement name="InitialMemoryInMB" collect="on" /> <Measurement name="UsedMemoryI
Measurement name="CommittedMemoryInMB" collect="on" /> <Measurement name="MaxMemoryInMB" collect="on" /> <Measurement name="CumulativeGCTimeInSeconds" collect="on" /> <
lativeNumberOfGCCollections" collect="on" /> </ResourceStatsSwitches>'
jvmVerboseOption='none'
jvmDisableClassGC='false'
jvmShareClasses='false'
jvmNativeStackSize='-1'
jvmJavaOSStackSize='-1'
jvmMinHeapSize='33554432'
jvmMaxHeapSize='-1'
jvmDebugPort='17090'
jvmSystemProperty=''
keystoreType='JKS'
keystoreFile='D:\IBM\MQSI\7.0\jre16\lib\security\EG\EG_KS.jks'
keystorePass='EG_KS::password'
truststoreType=''
truststoreFile='D:\IBM\MQSI\7.0\jre16\lib\security\EG\EG_TS.jks'
truststorePass='EG_TS::password'
BIP8071I: Successful command completion.
Error as seen in stack trace:
IBMKeyManager: Problem accessing key store java.lang.Exception: Keystore file does not exist: broker-ks
Is it trying to refer to the keystore 'broker-ks'? I thought it should now point to the keystore 'EG_KS.jks' set at the EG level.
fjb_saper (Grand High Poobah; Joined: 18 Nov 2003; Posts: 20756; Location: LI,NY)
Posted: Fri Dec 11, 2015 12:36 am
You are talking about an HTTP request. By default this goes to the broker-wide listener. Did you configure your EG to use the EG listener for HTTP nodes instead?
_________________
MQ & Broker admin
samuk (Newbie; Joined: 10 Dec 2015; Posts: 6)
Posted: Fri Dec 11, 2015 3:32 am
@fjb_saper - I think it is the broker-wide listener we are using here.
Meanwhile, I was referring to the post below.
http://www.mqseries.net/phpBB2/viewtopic.php?t=59283
In one of the responses from mqjeff, it says:
Quote:
    The SOAPRequest node DOES NOT MAKE USE OF the EG SOAP listener NOR the bipHTTPListener.
    So any properties of those are irrelevant.
It sounds like it does not rely on the broker HTTP listener. Or am I misinterpreting?
fjb_saper (Grand High Poobah; Joined: 18 Nov 2003; Posts: 20756; Location: LI,NY)
Posted: Fri Dec 11, 2015 5:22 am
Well, in Configuring the HTTPRequest node for HTTPS it says to set up the PKI at BROKER level (not at EG level)...
_________________
MQ & Broker admin
samuk (Newbie; Joined: 10 Dec 2015; Posts: 6)
Posted: Tue Dec 15, 2015 6:13 am
Even after setting the properties at BROKER level, I continue to see the same error messages:
IBMKeyManager: Problem accessing key store java.lang.Exception: Keystore file does not exist: broker-ks
So I started to suspect that the broker is trying to load the keystore from its 'bin' directory (since no file path is given with the keystore name). To confirm this, I renamed my keystore to 'broker-ks' and placed it in the '\IBM\MQSI\7.0\bin' folder. Now when I ran the test, I got the error below, as expected.
java.io.IOException: Keystore was tampered with, or password was incorrect
Is there a way to find out from where JSSE is loading the SSL properties?
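An added example, not from the thread or from IBM: a pure-Python reader for the JKS format that performs the same load-time check the JVM does. A JKS file ends in a SHA-1 over the store password (as UTF-16BE), the fixed string "Mighty Aphrodite" and the store body, so a wrong password and a modified file fail identically, and the JVM reports both as "Keystore was tampered with, or password was incorrect". Run against the file at the configured path with the password that was registered through mqsisetdbparms, it confirms that the store opens and contains a private-key entry with a chain before the broker is restarted. The builder is included only so the sample store can be constructed inline; its DER blobs are placeholders, not keys or certificates.

```python
"""Pure-Python JKS integrity and content check (added example, not broker code)."""
import hashlib
import hmac
import io
import struct

JKS_MAGIC = 0xFEEDFEED
JKS_VERSION = 2
JKS_SALT = b"Mighty Aphrodite"          # fixed salt in Sun/IBM JavaKeyStore
TAG_PRIVATE_KEY, TAG_TRUSTED_CERT = 1, 2


def _integrity_digest(password: str, body: bytes) -> bytes:
    # JavaKeyStore pre-keys SHA-1 with the password as UTF-16BE, then the salt,
    # then streams the whole store body through the same digest.
    return hashlib.sha1(password.encode("utf-16-be") + JKS_SALT + body).digest()


def _write_utf(out: io.BytesIO, s: str) -> None:
    b = s.encode("utf-8")                # DataOutput.writeUTF: 2-byte length prefix
    out.write(struct.pack(">H", len(b)) + b)


def _read_utf(inp: io.BytesIO) -> str:
    (n,) = struct.unpack(">H", inp.read(2))
    return inp.read(n).decode("utf-8")


def build_jks(entries, password: str) -> bytes:
    """Serialise a version-2 JKS. entries: (alias, "key"|"cert", key_blob, [cert_der, ...])."""
    out = io.BytesIO()
    out.write(struct.pack(">III", JKS_MAGIC, JKS_VERSION, len(entries)))
    for alias, kind, key_blob, chain in entries:
        tag = TAG_PRIVATE_KEY if kind == "key" else TAG_TRUSTED_CERT
        out.write(struct.pack(">I", tag))
        _write_utf(out, alias.lower())    # keytool stores aliases lower-cased
        out.write(struct.pack(">q", 0))   # creation timestamp (ms); irrelevant here
        if tag == TAG_PRIVATE_KEY:
            out.write(struct.pack(">I", len(key_blob)) + key_blob)
            out.write(struct.pack(">I", len(chain)))
        for der in chain:
            _write_utf(out, "X.509")
            out.write(struct.pack(">I", len(der)) + der)
    body = out.getvalue()
    return body + _integrity_digest(password, body)


def read_jks(blob: bytes, password: str) -> dict:
    """Verify the trailing SHA-1, then return {alias: {"kind": ..., "chain_len": ...}}."""
    if len(blob) < 32:
        raise ValueError("Keystore too short to be a JKS")
    body, digest = blob[:-20], blob[-20:]
    if not hmac.compare_digest(digest, _integrity_digest(password, body)):
        # Wrong password and modified file fail the same check: one message for both.
        raise ValueError("Keystore was tampered with, or password was incorrect")
    inp = io.BytesIO(body)
    magic, version, count = struct.unpack(">III", inp.read(12))
    if magic != JKS_MAGIC or version != JKS_VERSION:
        raise ValueError("Not a version-2 JKS (JCEKS and PKCS12 use other loaders)")
    entries = {}
    for _ in range(count):
        (tag,) = struct.unpack(">I", inp.read(4))
        alias = _read_utf(inp)
        inp.read(8)                                  # creation timestamp
        if tag == TAG_PRIVATE_KEY:
            (klen,) = struct.unpack(">I", inp.read(4))
            inp.read(klen)                           # EncryptedPrivateKeyInfo, left opaque
            (chain_len,) = struct.unpack(">I", inp.read(4))
        elif tag == TAG_TRUSTED_CERT:
            chain_len = 1
        else:
            raise ValueError(f"Unknown JKS entry tag {tag}")
        for _ in range(chain_len):
            _read_utf(inp)                           # certificate type, "X.509"
            (clen,) = struct.unpack(">I", inp.read(4))
            inp.read(clen)
        entries[alias] = {"kind": "key" if tag == TAG_PRIVATE_KEY else "cert",
                          "chain_len": chain_len}
    return entries


def check_keystore(blob: bytes, password: str) -> list:
    """Findings for a mutual-TLS client store; an empty list means it looks usable."""
    try:
        entries = read_jks(blob, password)
    except ValueError as e:
        return [str(e)]
    findings = []
    keys = [a for a, e in entries.items() if e["kind"] == "key"]
    if not keys:
        findings.append("no PrivateKeyEntry: store cannot present a client certificate")
    for a in keys:
        if entries[a]["chain_len"] < 2:
            # A CA-signed client cert should carry its intermediates so the peer can
            # build the path; only a self-signed cert legitimately has a chain of one.
            findings.append(f"{a}: chain holds only the leaf certificate")
    return findings


# Constructed sample: placeholder DER blobs, not real keys or certificates.
SAMPLE_STORE = build_jks(
    [("broker", "key", b"\x30\x03\x02\x01\x00", [b"\x30\x00", b"\x30\x01\x00"]),
     ("rootca", "cert", b"", [b"\x30\x02\x05\x00"])],
    "keypass")
```

For a real store, call check_keystore(open(path, "rb").read(), password) with the exact path given to mqsichangeproperties and the value passed to mqsisetdbparms -p; a JCEKS or PKCS12 file is rejected by the magic/version check rather than misread as a bad password.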
fjb_saper (Grand High Poobah; Joined: 18 Nov 2003; Posts: 20756; Location: LI,NY)
Posted: Tue Dec 15, 2015 7:45 am
samuk wrote:
    Is there a way to find out from where JSSE is loading the SSL properties?

Try running it with -Djava.net.debug=true or -Djavax.net.debug=true. Look it up on Google, or try it out... you may as well try -Djavax.net.ssl.debug="true"... at some point it will produce output telling you exactly where the keystore and truststores are loaded from.
Have fun
_________________
MQ & Broker admin
zpat (Jedi Council; Joined: 19 May 2001; Posts: 5866; Location: UK)
Posted: Tue Dec 15, 2015 7:51 am
Change the EG properties to use the embedded listener for http.
Restart the EG afterwards.
Make sure your https listener (EG one) has the correct JVM settings if you are receiving http requests into the EG.
_________________
Well, I don't think there is any question about it. It can only be attributable to human error. This sort of thing has cropped up before, and it has always been due to human error.
fjb_saper (Grand High Poobah; Joined: 18 Nov 2003; Posts: 20756; Location: LI,NY)
Posted: Tue Dec 15, 2015 7:57 am
zpat wrote:
    Change the EG properties to use the embedded listener for http.
    Restart the EG afterwards.
    Make sure your https listener (EG one) has the correct JVM settings if you are receiving http requests into the EG.

He's not using the HTTPInput node. He's using the HTTP REQUEST node!
_________________
MQ & Broker admin
mqjeff (Grand Master; Joined: 25 Jun 2008; Posts: 17447)
Posted: Tue Dec 15, 2015 8:11 am
Why are you configuring the ComIbmJVMManager?
Review the steps in your link again.
_________________
chmod -R ugo-wx /
samuk (Newbie; Joined: 10 Dec 2015; Posts: 6)
Posted: Tue Dec 15, 2015 7:18 pm
@fjb_saper - I did set IBM_JAVA_OPTIONS to -Djava.net.debug=true and ran the test. That is how I am seeing the errors below in the generated JSSE trace.
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
IBMJSSEProvider2 Build-Level: -20111101
Installed Providers =
IBMJSSE2
IBMJCE
IBMJGSSProvider
IBMCertPath
IBMSASL
IBMXMLCRYPTO
IBMXMLEnc
Policy
IBMSPNEGO
IBMKeyManager: Exception accessing default keystore: java.lang.Exception: Keystore file does not exist: broker-ks
default context init failed: java.security.KeyStoreException: IBMKeyManager: Problem accessing key store java.lang.Exception: Keystore file does not exist: broker-ks
Exception in thread "Thread-9" java.net.SocketException: java.security.NoSuchAlgorithmException: SSLContext Default implementation not found:
at javax.net.ssl.DefaultSSLSocketFactory.a(SSLSocketFactory.java:11)
at javax.net.ssl.DefaultSSLSocketFactory.createSocket(SSLSocketFactory.java:5)
at com.ibm.broker.imbsslsocket.MbSslSocket.<init>(MbSslSocket.java:92)
Caused by: java.security.NoSuchAlgorithmException: SSLContext Default implementation not found:
at java.security.Provider$Service.newInstance(Provider.java:894)
at sun.security.jca.GetInstance.getInstance(GetInstance.java:299)
at sun.security.jca.GetInstance.getInstance(GetInstance.java:237)
at javax.net.ssl.SSLContext.getInstance(SSLContext.java:33)
at javax.net.ssl.SSLContext.getDefault(SSLContext.java:22)
at javax.net.ssl.SSLSocketFactory.getDefault(SSLSocketFactory.java:29)
at com.ibm.broker.imbsslsocket.MbSslSocket.<init>(MbSslSocket.java:89)
Caused by: java.security.KeyStoreException: IBMKeyManager: Problem accessing key store java.lang.Exception: Keystore file does not exist: broker-ks
at com.ibm.jsse2.rc.a(rc.java:45)
at com.ibm.jsse2.tc.g(tc.java:17)
at com.ibm.jsse2.tc.<init>(tc.java:2)
at java.lang.J9VMInternals.newInstanceImpl(Native Method)
at java.lang.Class.newInstance(Class.java:1345)
at java.security.Provider$Service.newInstance(Provider.java:880)
... 6 more
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
@mqjeff - I was initially trying to set the properties at the JVM level, but now it is all configured at the BROKER level. Below is the set of commands used to do so.
mqsichangeproperties BROKER -o BrokerRegistry -n brokerKeystoreFile -v D:\IBM\MQSI\7.0\jre16\lib\security\BROKER_KS.jks
mqsichangeproperties BROKER -o BrokerRegistry -n brokerTruststoreFile -v D:\IBM\MQSI\7.0\jre16\lib\security\cacerts
mqsistop BROKER
mqsisetdbparms BROKER -n brokerKeystore::password -u ignore -p keypass
mqsisetdbparms BROKER -n brokerTruststore::password -u ignore -p changeit
mqsistart BROKER
mqsireportproperties BROKER -o BrokerRegistry -r
mqsichangeproperties BROKER -b httplistener -o HTTPListener -n enableSSLConnector -v true
mqsichangeproperties BROKER -b httplistener -o HTTPSConnector -n sslProtocol -v TLS
mqsichangeproperties BROKER -b httplistener -o HTTPSConnector -n keystoreFile -v D:\IBM\MQSI\7.0\jre16\lib\security\BROKER_KS.jks
mqsichangeproperties BROKER -b httplistener -o HTTPSConnector -n keystorePass -v keypass
mqsistop BROKER
mqsistart BROKER
I still continue to see the same error about the keystore file in the JSSE trace. However, when I renamed my keystore file to the same name (broker-ks) and placed it in the 'D:\IBM\MQSI\7.0\bin' folder, it stopped complaining about the keystore file. Now it was failing with java.io.IOException: Keystore was tampered with, or password was incorrect, which is expected, I believe.
Any suggestion?
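An added example (not from the thread) that mechanises the comparison samuk is doing by hand: parse the name='value' lines that mqsireportproperties prints for each scope, pull the store name the JSSE trace says the JVM tried to open, and report the mismatches. The EG dump and the trace line are copied from the post above; the BrokerRegistry dump is constructed to mirror the commands listed, since that output is not in the post, so its property names are an assumption.

```python
"""Reconcile configured WMB keystore settings with what the JSSE trace shows (added example)."""
import re
from typing import Dict, List, Set

PROP_RE = re.compile(r"^\s*(\w+)='(.*)'\s*$")
MISSING_RE = re.compile(r"Keystore file does not exist: (\S+)")
TAMPERED = "Keystore was tampered with, or password was incorrect"

# Lines copied from the EG-scope mqsireportproperties output in the post above.
EG_DUMP = """\
keystoreType='JKS'
keystoreFile='D:\\IBM\\MQSI\\7.0\\jre16\\lib\\security\\EG\\EG_KS.jks'
keystorePass='EG_KS::password'
truststoreType=''
truststoreFile='D:\\IBM\\MQSI\\7.0\\jre16\\lib\\security\\EG\\EG_TS.jks'
truststorePass='EG_TS::password'
"""

# Constructed to mirror the BrokerRegistry commands in the post; the post does not
# include this dump, so these property names are assumed.
BROKER_DUMP = """\
brokerKeystoreFile='D:\\IBM\\MQSI\\7.0\\jre16\\lib\\security\\BROKER_KS.jks'
brokerTruststoreFile='D:\\IBM\\MQSI\\7.0\\jre16\\lib\\security\\cacerts'
"""

# The -n names passed to mqsisetdbparms in the post.
REGISTERED_ALIASES = {"EG_KS::password", "EG_TS::password",
                      "brokerKeystore::password", "brokerTruststore::password"}

# One line from the javax.net.debug trace in the post.
TRACE = ("IBMKeyManager: Exception accessing default keystore: "
         "java.lang.Exception: Keystore file does not exist: broker-ks")


def parse_properties(dump: str) -> Dict[str, str]:
    """mqsireportproperties prints one name='value' pair per line."""
    props = {}
    for line in dump.splitlines():
        m = PROP_RE.match(line)
        if m:
            props[m.group(1)] = m.group(2)
    return props


def reconcile(scopes: Dict[str, Dict[str, str]], trace: str, aliases: Set[str]) -> List[str]:
    """Compare each configured scope with the store the JVM actually tried to open."""
    findings = []
    configured = {}                       # path -> "scope.property"
    for scope, props in scopes.items():
        for key in ("keystoreFile", "brokerKeystoreFile",
                    "truststoreFile", "brokerTruststoreFile"):
            if props.get(key):
                configured[props[key]] = f"{scope}.{key}"
        if props.get("truststoreFile") and not props.get("truststoreType"):
            findings.append(f"{scope}: truststoreFile is set but truststoreType is empty")
        for key in ("keystorePass", "truststorePass"):
            value = props.get(key, "")
            if "::" in value and value not in aliases:   # alias form must match a -n name
                findings.append(f"{scope}.{key}: alias {value!r} not registered with mqsisetdbparms")
    m = MISSING_RE.search(trace)
    if m:
        actual = m.group(1)
        if actual in configured:
            findings.append(f"JVM opened {configured[actual]} but no file exists at that path")
        else:
            findings.append(f"JVM tried {actual!r}, which matches no configured store: "
                            "this connection does not read the scope you configured")
        if "\\" not in actual and "/" not in actual:
            findings.append(f"{actual!r} has no directory part, so it resolves against the "
                            "broker process's working directory")
    if TAMPERED in trace:
        findings.append("store file was found; the password or the store type is wrong")
    return findings
```

Fed the two dumps and the trace, it reports the three things visible in this thread: truststoreType is empty at EG scope, 'broker-ks' matches neither configured store, and a bare file name with no directory resolves relative to the process working directory, which is why dropping a file of that name into the bin folder changed the error from "does not exist" to "tampered with, or password was incorrect".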
fjb_saper (Grand High Poobah; Joined: 18 Nov 2003; Posts: 20756; Location: LI,NY)
Posted: Tue Dec 15, 2015 9:46 pm
After changing... did you bounce the broker?
_________________
MQ & Broker admin