MQSeries.net Forum Index » WebSphere Message Broker (ACE) Support » IIB - One way SSL

sumit
Posted: Thu May 05, 2016 11:11 am    Post subject: IIB - One way SSL

Partisan

Joined: 19 Jan 2006
Posts: 398

Hi,

Env-
My local Machine
OS - Win 7 64 bit
IIB v9

SSL is something I was always afraid of but now is the time to understand and configure it.

I was going through the IIB infocenter, many other links and this forum to understand how it works and how I can set it up. I am doing this on my local machine because someone did the setup on our dev server and it is not working, so I am trying to find what went wrong.

I am trying to set up one-way SSL on an IIB flow. In production, APIGEE will invoke a RESTful service at IIB over HTTPS. For now, I am using a dummy flow and soapUI for my setup.

This is what I have done (I have a number of questions, which I will be asking during the description).
I was referring to this link and performed the following steps:

1. set my classpath for JAVA_HOME.
2. Took the keystore and truststore from Dev server.
3. Checked both using iKeyMan; they were identical. Did some changes (as per my limited understanding) and now
KeyStore = has 1 personal cert, no signer cert and no personal cert requests
Truststore = has few signer certs (looks like CA cert) and no personal cert requests
4. Ran command
Quote:
mqsireportproperties IIB9BROKER -o BrokerRegistry -r

nothing was set.
5. Then executed these commands
Quote:
mqsichangeproperties IIB9BROKER -o BrokerRegistry -n brokerKeystoreFile -v "C:\Program Files\IBM\MQSI\9.0.0.1\IIB9BROKER_keystore.jks"
mqsichangeproperties IIB9BROKER -o BrokerRegistry -n brokerTruststoreFile -v "C:\Program Files\IBM\MQSI\9.0.0.1\IIB9BROKER_Truststore.jks"
mqsistop IIB9BROKER
mqsisetdbparms IIB9BROKER -n brokerKeystore::password -u ignore -p *****
mqsisetdbparms IIB9BROKER -n brokerTruststore::password -u ignore -p *****
mqsistart IIB9BROKER

6. I also set port 7845 for HTTPS at broker level.

Quote:
C:\Sumit\Cert\local>mqsireportproperties IIB9BROKER -b httplistener -o AllReportableEntityNames -r

HTTPListener
uuid='HTTPListener'
enableSSLConnector='false'
threadPoolSize=''
traceOverrideLevel=''
traceOverrideSize=''
traceLevel='none'
traceSize='102400 KB'
javaDebugPort=''
startListener='true'
HTTPConnector
uuid='HTTPConnector'
address=''
port='7080'
maxPostSize=''
acceptCount=''
compressableMimeTypes=''
compression=''
connectionLinger=''
connectionTimeout=''
maxHttpHeaderSize=''
maxKeepAliveRequests=''
maxThreads=''
minSpareThreads=''
noCompressionUserAgents=''
restrictedUserAgents=''
socketBuffer=''
tcpNoDelay=''
enableLookups='false'
HTTPSConnector
uuid='HTTPSConnector'
algorithm='Platform Default'
clientAuth='Platform Default'
keystoreFile='Platform Default'
keystorePass='********'
keystoreType='Platform Default'
truststoreFile='Platform Default'
truststorePass='********'
truststoreType='Platform Default'
sslProtocol='Platform Default'
ciphers='Platform Default'
keyAlias=''
keypass='********'
keyAlias='Platform Default'
crlFile='Platform Default'
propagateClientCert='Platform Default'
address=''
port='7845'
maxPostSize=''
acceptCount=''
compressableMimeTypes=''
compression=''
connectionLinger=''
connectionTimeout=''
maxHttpHeaderSize=''
maxKeepAliveRequests=''
maxThreads=''
minSpareThreads=''
noCompressionUserAgents=''
restrictedUserAgents=''
socketBuffer=''
tcpNoDelay=''
enableLookups='false'

BIP8071I: Successful command completion.


The infocenter link then points to "Configuring PKI for the broker-wide HTTP listener", which I didn't do.

I wanted to see what happens at this stage and whether IIB implements SSL.

I hit my IIB service at https://localhost:7845/dummy/https/test, but got 'connection refused' error.

Q: Why doesn't IIB on Windows log this error anywhere? And how do I find the correct reason for this error?

After searching online, I found a post on this forum with steps to check whether the listener on that port is running.
I ran the command-
Code:
C:\Sumit\Software\paping_1.5.5_x86_windows>netstat -a | find /i "listen" | find ":78"

and got nothing.

Q: Why did the listener not start at 7845?

Finally, I tweaked my setup to use the EG level listener and got the setup done-
Quote:
C:\Sumit\Cert\local>mqsireportproperties IIB9BROKER -e IS2_SSL -o HTTPSConnector -r

HTTPSConnector
uuid='HTTPSConnector'
userTraceLevel='none'
traceLevel='none'
userTraceFilter='debugTrace'
traceFilter='none'
port='7843'
address=''
maxPostSize=''
acceptCount=''
compressableMimeTypes=''
compression=''
connectionLinger=''
connectionTimeout=''
maxHttpHeaderSize=''
maxKeepAliveRequests=''
maxThreads=''
minSpareThreads=''
noCompressionUserAgents=''
restrictedUserAgents=''
socketBuffer=''
tcpNoDelay=''
explicitlySetPortNumber=''
enableLookups=''
enableMQListener=''
shutdownDelay=''
allowCrossConnectorPolling=''
autoRespondHTTPHEADRequests=''
algorithm=''
clientAuth=''
keystoreFile=''
keystorePass='********'
keystoreType=''
truststoreFile=''
truststorePass='********'
truststoreType=''
sslProtocol=''
ciphers=''
keypass='********'
keyAlias=''
sslSessionTimeout=''
crlFile=''
propagateClientCert=''
sessionCacheSize=''
Connector
cachedSSLSessions='0'
port='7843'
type='Embedded'
URLRegistration
url='/dummy/https/test'
outstandingRequests='0'
UsedBySOAPNNodes='FALSE'
UsedByHTTPNNodes='TRUE'
nodeLabel='HTTPS_Input'

BIP8071I: Successful command completion.


Now I can see the listener running
Code:
C:\Sumit\Software\paping_1.5.5_x86_windows>netstat -a | find /i "listen" | find ":78"
  TCP    [::]:7843              M2348587:0             LISTENING

and now, I am able to hit my IIB service!

Q: Does it mean it is done?
Q: In which scenarios do I need to execute the steps given under "Configuring PKI for the broker-wide HTTP listener"?
_________________
Regards
Sumit
mqjeff
Posted: Thu May 05, 2016 11:31 am

Grand Master

Joined: 25 Jun 2008
Posts: 17447

The broker http listener is used when you tell it to be.

The eg level http listener is used when you tell it to be.
_________________
chmod -R ugo-wx /
sumit
Posted: Thu May 05, 2016 11:38 am

Partisan

Joined: 19 Jan 2006
Posts: 398

mqjeff wrote:
The broker http listener is used when you tell it to be.

The eg level http listener is used when you tell it to be.

Agree. But I didn't understand why I was not able to see port 7845 when I set it at the broker level.
I had no idea how to identify the problem when I got the 'connection refused' error, even though I can see the correct port is set at the broker level.
_________________
Regards
Sumit
mqjeff
Posted: Thu May 05, 2016 11:40 am

Grand Master

Joined: 25 Jun 2008
Posts: 17447

Was the biphttplistener running?
_________________
chmod -R ugo-wx /
zpat
Posted: Thu May 05, 2016 11:52 am

Jedi Council

Joined: 19 May 2001
Posts: 5866
Location: UK

If you choose to use the EG level listener (and I would generally recommend it - and it's also the default for SOAP nodes) then you could set the keystore or truststore in the JVM settings for the EG.

Actually, some better documentation with diagrams showing which ports and keystores/truststores are used with the various options would be helpful for IBM to produce; it's a bit confusing just looking at the knowledge centre text.
_________________
Well, I don't think there is any question about it. It can only be attributable to human error. This sort of thing has cropped up before, and it has always been due to human error.
mqjeff
Posted: Thu May 05, 2016 11:57 am

Grand Master

Joined: 25 Jun 2008
Posts: 17447

zpat wrote:
Actually, some better documentation with diagrams showing which ports and keystores/truststores are used with the various options would be helpful for IBM to produce; it's a bit confusing just looking at the knowledge centre text.

Could add a comment to the relevant page...
_________________
chmod -R ugo-wx /
sumit
Posted: Thu May 05, 2016 11:58 am

Partisan

Joined: 19 Jan 2006
Posts: 398

mqjeff wrote:
Was the biphttplistener running?

Yes, I can see it in my task manager.
_________________
Regards
Sumit
sumit
Posted: Thu May 05, 2016 12:00 pm

Partisan

Joined: 19 Jan 2006
Posts: 398

zpat wrote:
If you choose to use the EG level listener (and I would generally recommend it - and it's also the default for SOAP nodes) then you could set the keystore or truststore in the JVM settings for the EG.

Does it mean I am missing something?
I set up the keystore and truststore at the broker level and am using the EG level listener. I believe that in the absence of an EG level SSL setting, the broker level setting will be used.
_________________
Regards
Sumit
mqjeff
Posted: Thu May 05, 2016 12:12 pm

Grand Master

Joined: 25 Jun 2008
Posts: 17447

If the EG listener is running, but the EG level SSL stuff is not configured, then - yes, I think you're right that the broker level SSL stuff will get used.

But even if you tell it to start, the biphttplistener may not open its socket and start listening if nothing is deployed to an EG that uses the broker listener.
_________________
chmod -R ugo-wx /
sumit
Posted: Thu May 05, 2016 12:45 pm

Partisan

Joined: 19 Jan 2006
Posts: 398

mqjeff wrote:
But even if you tell it to start, the biphttplistener may not open its socket and start listening if nothing is deployed to an EG that uses the broker listener.

So, the flow was deployed and running in the EG. I deployed it before I started this SSL setup. And also did broker restart, as per the step.

One thing which was difficult to debug was this 'connection refused' error. There was nothing in the Windows logs; I ran a user trace at the EG level, which didn't capture anything. Out of curiosity, I also ran a service trace, but no luck.

What do you all do in such a scenario?
_________________
Regards
Sumit
sumit
Posted: Mon May 09, 2016 3:17 pm

Partisan

Joined: 19 Jan 2006
Posts: 398

sumit wrote:
But I didn't understand why I was not able to see port 7845 when I set it at Broker level?


I got this now. As mentioned in my earlier post, my HTTPListener setup was-

Quote:
C:\Program Files\IBM\MQSI\9.0.0.1>mqsireportproperties IIB9BROKER -b httplistener -o AllReportableEntityNames -r

HTTPListener
uuid='HTTPListener'
enableSSLConnector='false'
threadPoolSize=''
traceOverrideLevel=''
traceOverrideSize=''
traceLevel='none'
traceSize='102400 KB'
javaDebugPort=''
startListener='true'
HTTPConnector
uuid='HTTPConnector'
address=''
port='7080'
maxPostSize=''
acceptCount=''
compressableMimeTypes=''
compression=''
connectionLinger=''
connectionTimeout=''
maxHttpHeaderSize=''
maxKeepAliveRequests=''
maxThreads=''
minSpareThreads=''
noCompressionUserAgents=''
restrictedUserAgents=''
socketBuffer=''
tcpNoDelay=''
enableLookups='false'
HTTPSConnector
uuid='HTTPSConnector'
algorithm='Platform Default'
clientAuth='Platform Default'
keystoreFile='C:\Program Files\IBM\MQSI\9.0.0.1\IIB9BROKER_keystore.jks'
keystorePass='********'
keystoreType='Platform Default'
truststoreFile='C:\Program Files\IBM\MQSI\9.0.0.1\MDIIBDB05_Truststore.jks'
truststorePass='********'
truststoreType='Platform Default'
sslProtocol='Platform Default'
ciphers='Platform Default'
keyAlias=''
keypass='********'
keyAlias='Platform Default'
crlFile='Platform Default'
propagateClientCert='Platform Default'
address=''
port='7845'
maxPostSize=''
acceptCount=''
compressableMimeTypes=''
compression=''
connectionLinger=''
connectionTimeout=''
maxHttpHeaderSize=''
maxKeepAliveRequests=''
maxThreads=''
minSpareThreads=''
noCompressionUserAgents=''
restrictedUserAgents=''
socketBuffer=''
tcpNoDelay=''
enableLookups='false'


Then I referred to this link and set the value of enableSSLConnector to 'true'. And there you go, I can see my broker-wide HTTP listener running and accepting SSL connections-

Code:
C:\Program Files\IBM\MQSI\9.0.0.1>netstat -a | find /i "listen" | find ":78"
  TCP    0.0.0.0:7843           M2348587:0             LISTENING
  TCP    0.0.0.0:7845           M2348587:0             LISTENING
  TCP    [::]:7843              M2348587:0             LISTENING
  TCP    [::]:7845              M2348587:0             LISTENING

_________________
Regards
Sumit
sumit
Posted: Mon May 09, 2016 3:19 pm

Partisan

Joined: 19 Jan 2006
Posts: 398

However, I am still curious to know where I can find error logs for this scenario-

sumit wrote:

One thing which was difficult to debug was this 'connection refused' error. There was nothing in the Windows logs; I ran a user trace at the EG level, which didn't capture anything. Out of curiosity, I also ran a service trace, but no luck.

What do you all do in such a scenario?

_________________
Regards
Sumit
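On the open question of what to do when a broker logs nothing and the client only says 'connection refused' (asked twice in this thread): the useful first step is to classify the failure from the client side, because 'refused' (no socket open, the case above), 'a listener answered but not with TLS' (the plain HTTPConnector port) and 'TLS worked but the certificate is not trusted' (what a caller such as APIGEE would hit once 7845 is open) are three different problems with three different fixes. The probe below is an added example, not code from this thread or from IBM; the host name, the port and the CA bundle path are assumptions, and the two helper listeners are constructed fixtures so the script can demonstrate the first two outcomes without an IIB installation.

```python
import socket
import ssl
import threading


def probe_https_listener(host, port, cafile=None, timeout=3.0):
    """Classify what sits behind host:port from a TLS client's point of view.

    'status' is one of:
      refused   - nothing is listening (the 'connection refused' in this thread:
                  the HTTPSConnector was configured but its port never opened)
      timeout   - connect or handshake hung (firewall, or a listener that
                  accepts and never answers)
      not_tls   - something answered, but not with a TLS ServerHello
                  (e.g. the plain HTTPConnector reached on the wrong port)
      untrusted - the handshake ran, but the server certificate does not chain
                  to 'cafile' (what the real caller would reject)
      tls       - handshake completed; negotiated protocol and cipher reported
    """
    if cafile:
        # Behave like the real caller: verify the chain and the hostname.
        ctx = ssl.create_default_context(cafile=cafile)
    else:
        # Diagnostic mode: only ask whether TLS is spoken at all.
        ctx = ssl.create_default_context()
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return {"status": "tls", "protocol": tls.version(),
                        "cipher": tls.cipher()[0]}
    except ConnectionRefusedError:
        return {"status": "refused"}
    except socket.timeout:
        return {"status": "timeout"}
    except ssl.SSLCertVerificationError as exc:
        return {"status": "untrusted", "reason": exc.verify_message}
    except ssl.SSLError as exc:
        return {"status": "not_tls", "reason": exc.reason or str(exc)}


def closed_port(host="127.0.0.1"):
    """Constructed fixture: reserve a free port, then release it, so that
    nothing is listening on it when the probe connects."""
    with socket.socket() as sock:
        sock.bind((host, 0))
        return sock.getsockname()[1]


def start_plain_http_stub(host="127.0.0.1"):
    """Constructed fixture: a non-TLS listener that answers a ClientHello the
    way a plain HTTP connector would. Returns the port it listens on."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))
    srv.listen(1)

    def serve_one():
        try:
            conn, _ = srv.accept()
            with conn:
                conn.recv(4096)  # swallow the TLS ClientHello
                conn.sendall(b"HTTP/1.1 400 Bad Request\r\nContent-Length: 0\r\n\r\n")
        except OSError:
            pass
        finally:
            srv.close()

    threading.Thread(target=serve_one, daemon=True).start()
    return srv.getsockname()[1]


if __name__ == "__main__":
    # Demo without a broker: both fixtures are local and constructed.
    print("closed port     ->", probe_https_listener("127.0.0.1", closed_port()))
    print("plain HTTP stub ->", probe_https_listener("127.0.0.1", start_plain_http_stub()))
    # Against a broker (assumed host/port from the thread; the CA bundle path is
    # a placeholder for the signer certificate your caller trusts):
    # print(probe_https_listener("localhost", 7845, cafile="PATH/TO/signer-ca.pem"))
```

Paired with the netstat check from the thread, the statuses map directly to where to look next: 'refused' means the connector configuration (enableSSLConnector, startListener, or the EG-level port) rather than certificates; 'not_tls' means the right port number but the wrong connector; 'untrusted' means the keystore's personal certificate is not signed by anything in the caller's truststore.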