How to access a HTTPS REST webservice
Bichu
Posted: Tue Dec 13, 2016 4:30 am  Post subject: How to access a HTTPS REST webservice
Centurion
Joined: 16 Oct 2011 Posts: 124 Location: London
Hi Guys,
I have configured a message flow in order to access a HTTPS REST webservice. My flow is like
MQInput -> HTTPRequest -> Compute -> MQOutput.
I have downloaded the certificate from the browser and added it to the cacerts file in the location
C:\Program Files (x86)\IBM\IntegrationToolkit90\jdk\jre\lib\security.
I have configured the HTTPRequest node web service URL with the full URL since the method is GET.
Do I need to configure anything else in the runtime or in the HTTPRequest node? I am getting a timeout error.
When I tried the same URL from the browser, I got the output.
Request your thoughts on this.

smdavies99
Posted: Tue Dec 13, 2016 5:03 am  Post subject: Re: How to access a HTTPS REST webservice
Jedi Council
Joined: 10 Feb 2003 Posts: 6076 Location: Somewhere over the Rainbow this side of Never-never land.
Bichu wrote:
    I have downloaded the certificate from the browser and added to the cacerts file in the location
    C:\Program Files (x86)\IBM\IntegrationToolkit90\jdk\jre\lib\security.
Why do I get the feeling that this is not a good idea?
_________________
WMQ User since 1999
MQSI/WBI/WMB/'Thingy' User since 2002
Linux user since 1995
Every time you reinvent the wheel the more square it gets (anon). If in doubt think and investigate before you ask silly questions.

Vitor
Posted: Tue Dec 13, 2016 5:32 am  Post subject: Re: How to access a HTTPS REST webservice
Grand High Poobah
Joined: 11 Nov 2005 Posts: 26093 Location: Texas, USA
Bichu wrote:
    Request your thoughts on this.
So you downloaded the certificates from the browser and added them to the security path the Toolkit is using.
You then ran your flow in the runtime and were surprised when it didn't work.
You don't want my thoughts on this. They're not very polite.
_________________
Honesty is the best policy.
Insanity is the best defence.

Bichu
Posted: Tue Dec 13, 2016 5:52 am  Post subject:
Centurion
Joined: 16 Oct 2011 Posts: 124 Location: London
Thanks Vitor. But I have updated the certificate in the path C:\Program Files\IBM\MQSI\9.0.0.0\jre17\lib\security\cacerts, but it's still the same.
Do I need to generate a truststore JKS file and associate it with the broker or EG just to access the webservice?

fjb_saper
Posted: Tue Dec 13, 2016 6:03 am  Post subject:
Grand High Poobah
Joined: 18 Nov 2003 Posts: 20756 Location: LI,NY
Bichu wrote:
    Thanks Vitor. But I have updated the certificate in the path C:\Program Files\IBM\MQSI\9.0.0.0\jre17\lib\security\cacerts; but still its the same.
    Do i need to generate a truststore jks file and associate with the broker or EG just to access the webservice?
The same way you would do it to access any other https endpoint...
And lucky you, it's all described in the IIB infocenter!...
_________________
MQ & Broker admin

Vitor
Posted: Tue Dec 13, 2016 6:11 am  Post subject:
Grand High Poobah
Joined: 11 Nov 2005 Posts: 26093 Location: Texas, USA
Bichu wrote:
    Do i need to generate a truststore jks file and associate with the broker or EG just to access the webservice?
Unless you have the Magic Pixies support pac.
Seriously - you're asking if you need to set up the SSL configuration within IIB to access an SSL secured end point?
Just because all that configuration is done under the covers in the average browser doesn't mean that it's not been done, which is why it's working from your browser.
_________________
Honesty is the best policy.
Insanity is the best defence.

Bichu
Posted: Wed Dec 14, 2016 2:40 am  Post subject:
Centurion
Joined: 16 Oct 2011 Posts: 124 Location: London
I have configured the broker for accessing the HTTPS webservice now by running the below commands.
Code:
keytool -genkey -alias Broker -keystore Broker.jks -keysize 2048
mqsichangeproperties Broker -e default -o HTTPSConnector -n sslProtocol -v SSLv3
mqsichangeproperties Broker -e default -o HTTPSConnector -n explicitlySetPortNumber -v 7043
mqsichangeproperties Broker -e default -o ComIbmJVMManager -n truststoreFile -v "C:\Program Files\IBM\MQSI\9.0.0.0\Broker.jks"
mqsichangeproperties Broker -e default -o ComIbmJVMManager -n truststoreType -v JKS
mqsichangeproperties Broker -e default -o ComIbmJVMManager -n truststorePass -v default::password
mqsisetdbparms Broker -n default::password -u temp -p changeit
But I am getting an SSL handshake exception now.
Code:
2016-12-13 20:24:56.222 1 IBMJSSEProvider2 Build-Level: -20130410
2016-12-13 20:25:01.509 22 IBMJSSE2 will not enable CBC protection
2016-12-13 20:25:01.547 22 keyStore is: C:\Program Files\IBM\MQSI\9.0.0.0\jre17\lib\security\cacerts
2016-12-13 20:25:01.549 22 keyStore type is: JKS
2016-12-13 20:25:01.550 22 keyStore provider is:
2016-12-13 20:25:01.551 22 init keystore
2016-12-13 20:25:01.695 22 adding as trusted cert:
2016-12-13 20:25:01.695 22 Subject: CN=*.entsoe.eu, O=ENTSO-E, OU=D&I, L=Brussels, ST=Brussels, C=BE
2016-12-13 20:25:01.696 22 Issuer: CN=GlobalSign Organization Validation CA - SHA256 - G2, O=GlobalSign nv-sa, C=BE
2016-12-13 20:25:01.696 22 Algorithm: RSA; Serial number: 0x3b1a8b7c3bfd777a02a92120
2016-12-13 20:25:01.701 22 Valid from Wed Jun 08 13:47:08 BST 2016 until Wed Feb 14 12:22:30 GMT 2018
2016-12-13 20:25:01.702 22
2016-12-13 20:25:01.702 22 adding as trusted cert:
2016-12-13 20:25:01.703 22 Subject: CN=GlobalSign Organization Validation CA - SHA256 - G2, O=GlobalSign nv-sa, C=BE
2016-12-13 20:25:01.703 22 Issuer: CN=GlobalSign Root CA, OU=Root CA, O=GlobalSign nv-sa, C=BE
2016-12-13 20:25:01.704 22 Algorithm: RSA; Serial number: 0x40000000001444ef04247
2016-12-13 20:25:01.704 22 Valid from Thu Feb 20 10:00:00 GMT 2014 until Tue Feb 20 10:00:00 GMT 2024
2016-12-13 20:25:01.704 22
2016-12-13 20:25:01.705 22 adding as trusted cert:
2016-12-13 20:25:01.705 22 Subject: CN=GlobalSign Root CA, OU=Root CA, O=GlobalSign nv-sa, C=BE
2016-12-13 20:25:01.706 22 Issuer: CN=GlobalSign Root CA, OU=Root CA, O=GlobalSign nv-sa, C=BE
2016-12-13 20:25:01.706 22 Algorithm: RSA; Serial number: 0x40000000001154b5ac394
2016-12-13 20:25:01.707 22 Valid from Tue Sep 01 13:00:00 BST 1998 until Fri Jan 28 12:00:00 GMT 2028
2016-12-13 20:25:01.707 22
2016-12-13 20:25:01.710 22 SSLContextImpl: Using X509ExtendedKeyManager com.ibm.broker.imbsslsocket.MbSslSocket$KeyChoiceX509KeyManager
2016-12-13 20:25:01.710 22 SSLContextImpl: Using X509TrustManager com.ibm.jsse2.yc
2016-12-13 20:25:01.713 22 Installed Providers =
2016-12-13 20:25:01.720 22 IBMJSSE2
2016-12-13 20:25:01.720 22 IBMJCE
2016-12-13 20:25:01.720 22 IBMJGSSProvider
2016-12-13 20:25:01.721 22 IBMCertPath
2016-12-13 20:25:01.721 22 IBMSASL
2016-12-13 20:25:01.722 22 IBMXMLCRYPTO
2016-12-13 20:25:01.722 22 IBMXMLEnc
2016-12-13 20:25:01.723 22 IBMSPNEGO
2016-12-13 20:25:01.723 22 SUN
2016-12-13 20:25:01.724 22 JsseJCE: Using SecureRandom IBMSecureRandom from provider IBMJCE version 1.7
2016-12-13 20:25:01.724 22 trigger seeding of SecureRandom
2016-12-13 20:25:01.724 22 done seeding SecureRandom
2016-12-13 20:25:01.727 22 JsseJCE: Using SecureRandom IBMSecureRandom from provider IBMJCE version 1.7
2016-12-13 20:25:02.646 22 JsseJCE: Using KeyAgreement ECDH from provider IBMJCE version 1.7
2016-12-13 20:25:02.646 22 JsseJCE: Using signature SHA1withECDSA from provider TBD via init
2016-12-13 20:25:02.648 22 JsseJCE: Using signature NONEwithECDSA from provider TBD via init
2016-12-13 20:25:02.649 22 JsseJCE: Using KeyFactory EC from provider IBMJCE version 1.7
2016-12-13 20:25:02.651 22 JsseJCE: Using KeyPairGenerator EC from provider TBD via init
2016-12-13 20:25:02.652 22 JsseJce: EC is available
2016-12-13 20:25:02.666 22 JsseJCE: Using cipher AES/CBC/NoPadding from provider TBD via init
2016-12-13 20:25:02.671 22 Thread-10, setSoTimeout(118828) called
2016-12-13 20:25:02.718 22 IBMJSSE2 will allow RFC 5746 renegotiation per com.ibm.jsse2.renegotiate set to none or default
2016-12-13 20:25:02.718 22 IBMJSSE2 will not require renegotiation indicator during initial handshake per com.ibm.jsse2.renegotiation.indicator set to OPTIONAL or default taken
2016-12-13 20:25:02.719 22 IBMJSSE2 will not perform identity checking against the peer cert check during renegotiation per com.ibm.jsse2.renegotiation.peer.cert.check set to OFF or default
2016-12-13 20:25:02.720 22
Is initial handshake: true
2016-12-13 20:25:02.721 22 Ignoring unsupported cipher suite: SSL_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
2016-12-13 20:25:02.721 22 Ignoring unsupported cipher suite: SSL_ECDHE_RSA_WITH_AES_128_CBC_SHA256
2016-12-13 20:25:02.722 22 Ignoring unsupported cipher suite: SSL_RSA_WITH_AES_128_CBC_SHA256
2016-12-13 20:25:02.722 22 Ignoring unsupported cipher suite: SSL_ECDH_ECDSA_WITH_AES_128_CBC_SHA256
2016-12-13 20:25:02.723 22 Ignoring unsupported cipher suite: SSL_ECDH_RSA_WITH_AES_128_CBC_SHA256
2016-12-13 20:25:02.723 22 Ignoring unsupported cipher suite: SSL_DHE_RSA_WITH_AES_128_CBC_SHA256
2016-12-13 20:25:02.723 22 Ignoring unsupported cipher suite: SSL_DHE_DSS_WITH_AES_128_CBC_SHA256
2016-12-13 20:25:02.724 22 Ignoring unsupported cipher suite: SSL_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
2016-12-13 20:25:02.724 22 Ignoring unsupported cipher suite: SSL_ECDHE_RSA_WITH_AES_128_CBC_SHA
2016-12-13 20:25:02.725 22 Ignoring unsupported cipher suite: SSL_RSA_WITH_AES_128_CBC_SHA
2016-12-13 20:25:02.725 22 Ignoring unsupported cipher suite: SSL_ECDH_ECDSA_WITH_AES_128_CBC_SHA
2016-12-13 20:25:02.726 22 Ignoring unsupported cipher suite: SSL_ECDH_RSA_WITH_AES_128_CBC_SHA
2016-12-13 20:25:02.726 22 Ignoring unsupported cipher suite: SSL_DHE_RSA_WITH_AES_128_CBC_SHA
2016-12-13 20:25:02.726 22 Ignoring unsupported cipher suite: SSL_DHE_DSS_WITH_AES_128_CBC_SHA
2016-12-13 20:25:02.727 22 Ignoring unsupported cipher suite: SSL_ECDHE_ECDSA_WITH_RC4_128_SHA
2016-12-13 20:25:02.727 22 Ignoring unsupported cipher suite: SSL_ECDHE_RSA_WITH_RC4_128_SHA
2016-12-13 20:25:02.728 22 Ignoring unsupported cipher suite: SSL_ECDH_ECDSA_WITH_RC4_128_SHA
2016-12-13 20:25:02.728 22 Ignoring unsupported cipher suite: SSL_ECDH_RSA_WITH_RC4_128_SHA
2016-12-13 20:25:02.728 22 Ignoring unsupported cipher suite: SSL_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA
2016-12-13 20:25:02.729 22 Ignoring unsupported cipher suite: SSL_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
2016-12-13 20:25:02.729 22 Ignoring unsupported cipher suite: SSL_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA
2016-12-13 20:25:02.730 22 Ignoring unsupported cipher suite: SSL_ECDH_RSA_WITH_3DES_EDE_CBC_SHA
2016-12-13 20:25:02.733 22 %% No cached client session
2016-12-13 20:25:02.734 22 *** ClientHello, SSLv3
2016-12-13 20:25:02.734 22 RandomCookie: GMT: 1481660702 bytes = { 139, 40, 81, 202, 255, 147, 125, 18, 119, 188, 117, 193, 160, 240, 238, 78, 45, 187, 151, 41, 87, 0, 110, 102, 92, 19, 201, 208 }
2016-12-13 20:25:02.736 22 Session ID: {}
2016-12-13 20:25:02.736 22 Cipher Suites: [TLS_EMPTY_RENEGOTIATION_INFO_SCSV, SSL_RSA_WITH_RC4_128_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_RC4_128_MD5]
2016-12-13 20:25:02.737 22 Compression Methods: { 0 }
2016-12-13 20:25:02.737 22 ***
2016-12-13 20:25:02.738 22 [write] MD5 and SHA1 hashes: len = 55
2016-12-13 20:25:02.739 22 0000: 01 00 00 33 03 00 58 50 59 1e 8b 28 51 ca ff 93 ...3..XPY...Q...
0010: 7d 12 77 bc 75 c1 a0 f0 ee 4e 2d bb 97 29 57 00 ..w.u....N....W.
0020: 6e 66 5c 13 c9 d0 00 00 0c 00 ff 00 05 00 0a 00 nf..............
0030: 16 00 13 00 04 01 00 .......
2016-12-13 20:25:02.739 22 Thread-10, WRITE: SSLv3 Handshake, length = 55
2016-12-13 20:25:02.740 22 [Raw write]: length = 60
2016-12-13 20:25:02.741 22 0000: 16 03 00 00 37 01 00 00 33 03 00 58 50 59 1e 8b ....7...3..XPY..
0010: 28 51 ca ff 93 7d 12 77 bc 75 c1 a0 f0 ee 4e 2d .Q.....w.u....N.
0020: bb 97 29 57 00 6e 66 5c 13 c9 d0 00 00 0c 00 ff ...W.nf.........
0030: 00 05 00 0a 00 16 00 13 00 04 01 00 ............
2016-12-13 20:25:02.780 22 [Raw read]: length = 5
2016-12-13 20:25:02.780 22 0000: 15 03 00 00 02 .....
2016-12-13 20:25:02.781 22 [Raw read]: length = 2
2016-12-13 20:25:02.781 22 0000: 02 28 ..
2016-12-13 20:25:02.782 22 Thread-10, READ: SSLv3 Alert, length = 2
2016-12-13 20:25:02.782 22 Thread-10, RECV TLSv1 ALERT: fatal, handshake_failure
2016-12-13 20:25:02.783 22 Thread-10, called closeSocket()
2016-12-13 20:25:02.784 22 Thread-10, handling exception: javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
2016-12-13 20:25:02.784 22 unable to negotiate SSL connection. Client key alias supplied was [].
Exception in thread "Thread-10" 2016-12-13 20:25:02.786 22 javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
2016-12-13 20:25:02.787 22 at com.ibm.jsse2.j.a(j.java:9)
2016-12-13 20:25:02.787 22 at com.ibm.jsse2.j.a(j.java:32)
2016-12-13 20:25:02.787 22 at com.ibm.jsse2.qc.b(qc.java:5)
2016-12-13 20:25:02.788 22 at com.ibm.jsse2.qc.a(qc.java:645)
2016-12-13 20:25:02.788 22 at com.ibm.jsse2.qc.h(qc.java:809)
2016-12-13 20:25:02.789 22 at com.ibm.jsse2.qc.a(qc.java:106)
2016-12-13 20:25:02.789 22 at com.ibm.jsse2.qc.startHandshake(qc.java:586)
2016-12-13 20:25:02.789 22 at com.ibm.broker.imbsslsocket.MbSslSocket.connectTimeoutInternalNoProxy(MbSslSocket.java:316)
2016-12-13 20:25:02.790 22 at com.ibm.broker.imbsslsocket.MbSslSocket.connectTimeout(MbSslSocket.java:168)
I doubt whether the JKS is accessible by the broker, since I have the same exception as above even after I change the JKS name in the directory.
Please

Vitor
Posted: Wed Dec 14, 2016 5:52 am  Post subject:
Grand High Poobah
Joined: 11 Nov 2005 Posts: 26093 Location: Texas, USA
Bichu wrote:
    I doubt whether the jks is accessible by the broker since I have the same exception as above even after I change the jks name in the directory.
How can you "doubt" that, when it's probably the easiest thing in the world to check?
Bichu wrote:
    please
Try thinking instead of randomly doing stuff in the hopes it works.
You've already stated in this post that you tried using the cacerts file, but tried to use it in the toolkit not the runtime. So explain why you thought generating a keystore yourself (badly) and using that would actually work?
My worthy associate has pointed out that the instructions you need are in the InfoCenter. While he failed to point out that you need to follow them all and not just the ones you think look pretty, that should have been self-evident.
If you think you need the cacerts file in the runtime, put it in the runtime.
If you think you need a self-signed cert to provide to the endpoint, create one and put it in the runtime.
If you think you need to explicitly trust the endpoint, add that to the runtime.
If you don't even know how to answer these questions, find someone on your site who understands SSL and get them to explain it to you.
Also a tip - if the endpoint you're calling is not local to your machine, you may find that even when you've figured this out it still doesn't work because SSLv3 traffic is being blocked by your network. SSLv3 is cracked and many network appliances routinely block packets so encrypted.
_________________
Honesty is the best policy.
Insanity is the best defence.

fjb_saper
Posted: Wed Dec 14, 2016 5:56 am  Post subject:
Grand High Poobah
Joined: 18 Nov 2003 Posts: 20756 Location: LI,NY
Your config is not right or your permissions to the store file are not right ... because this is the file that's being loaded:
Code:
keyStore is: C:\Program Files\IBM\MQSI\9.0.0.0\jre17\lib\security\cacerts
Which would be the file if you did not configure anything.
After your config change did you bounce the broker twice?
_________________
MQ & Broker admin
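
Read with the two replies above in mind, the posted trace already says what went wrong, in three places. First, the trusted certificates were loaded from C:\Program Files\IBM\MQSI\9.0.0.0\jre17\lib\security\cacerts, the JRE default, which is fjb_saper's point: the truststoreFile set on ComIbmJVMManager was not in effect for that execution group (ComIbmJVMManager properties are JVM settings and take effect only when the execution group is restarted). Second, the ClientHello went out as SSLv3 offering only RC4 and 3DES suites, every AES suite having been logged as "Ignoring unsupported cipher suite"; note that the sslProtocol property on HTTPSConnector configures the execution group's inbound HTTPS listener, not what the HTTPRequest node sends, whose protocol is set on the node's own SSL tab. Third, the two bytes received, 02 28, are a TLS alert at level 2 (fatal) with description 40 (handshake_failure), and it arrived before any ServerHello, so the server refused the protocol and cipher suites it was offered; the certificate chain was never examined, which is consistent with renaming the JKS changing nothing. The script below is an added example, not code from this thread or from IBM: it parses a javax.net.debug-style trace of this shape and reports those three facts. The trace embedded in it is constructed from the posted excerpt, keeping the same store path, ClientHello line and alert bytes.

```python
"""Triage an IBM JSSE2 handshake trace (javax.net.debug=ssl output) like the one posted above.

Added example, not code from this thread or from IBM.  SAMPLE_TRACE is constructed from the
posted excerpt (same store path, ClientHello line and alert bytes) so the script runs offline.
"""
import re

ALERT_LEVELS = {1: "warning", 2: "fatal"}
ALERT_DESCRIPTIONS = {  # RFC 5246 section 7.2, common values only
    0: "close_notify", 40: "handshake_failure", 42: "bad_certificate", 46: "certificate_unknown",
    47: "illegal_parameter", 48: "unknown_ca", 70: "protocol_version", 71: "insufficient_security",
}
CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}
PREFIX = re.compile(r"^\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d+ \d+ ")  # "2016-12-13 20:25:01.547 22 "
HEX_LINE = re.compile(r"^[0-9a-f]{4}: ((?:[0-9a-f]{2} ?)+)", re.I)  # "0000: 15 03 00 00 02 ....."
JRE_DEFAULT_STORE = re.compile(r"[\\/]lib[\\/]security[\\/]cacerts$", re.I)


def parse_trace(trace):
    """One pass over the trace: trust store path, ClientHello protocol and suites, bytes the peer sent."""
    store, protocol, suites, data, in_read = None, None, [], bytearray(), False
    for line in trace.splitlines():
        text = PREFIX.sub("", line).strip()
        hexdump = HEX_LINE.match(text)
        if "[Raw read]" in text:
            in_read = True  # the hex lines that follow are bytes received from the peer
        elif in_read and hexdump:
            data += bytes.fromhex(hexdump.group(1).replace(" ", ""))[:16]  # 16 bytes per dump line
        else:
            in_read = False  # any other line ends a read dump
            if text.startswith("keyStore is:") and store is None:
                store = text.split(":", 1)[1].strip()
            elif text.startswith("*** ClientHello,") and protocol is None:
                protocol = text.split(",", 1)[1].strip()
            elif text.startswith("Cipher Suites:") and protocol and not suites:
                suites = [s.strip() for s in text[text.index("[") + 1:text.rindex("]")].split(",")]
    return {"store": store, "protocol": protocol, "suites": suites, "peer_bytes": bytes(data)}


def tls_records(data):
    """Split bytes into (content_type, version, payload) TLS records; stop at a truncated record."""
    records, pos = [], 0
    while pos + 5 <= len(data):
        length = int.from_bytes(data[pos + 3:pos + 5], "big")
        payload = data[pos + 5:pos + 5 + length]
        if len(payload) < length:
            break
        records.append((CONTENT_TYPES.get(data[pos], "unknown"), (data[pos + 1], data[pos + 2]), payload))
        pos += 5 + length
    return records


def first_alert(records):
    """(level, description) of the first alert the peer sent, or None."""
    for ctype, _version, payload in records:
        if ctype == "alert" and len(payload) >= 2:
            return (ALERT_LEVELS.get(payload[0], str(payload[0])),
                    ALERT_DESCRIPTIONS.get(payload[1], str(payload[1])))
    return None


def diagnose(trace):
    """Parsed facts plus the findings a practitioner would act on."""
    facts = parse_trace(trace)
    records = tls_records(facts["peer_bytes"])
    alert = first_alert(records)
    findings = []
    if facts["store"] and JRE_DEFAULT_STORE.search(facts["store"]):
        findings.append("trusted certs came from the JRE default cacerts: the configured truststoreFile was not used")
    if facts["protocol"] == "SSLv3":
        findings.append("ClientHello offered SSLv3, which servers and network devices commonly refuse")
    if facts["suites"] and all(("RC4" in s) or ("3DES" in s) or ("SCSV" in s) for s in facts["suites"]):
        findings.append("only RC4/3DES suites offered; no AES suite survived the protocol choice")
    if alert and alert[1] == "handshake_failure" and not any(r[0] == "handshake" for r in records):
        findings.append("fatal handshake_failure arrived before any ServerHello: the peer rejected the "
                        "offered protocol/ciphers, so this is not a certificate trust problem")
    return dict(facts, alert=alert, findings=findings)


# Constructed from the posted trace: same store path, same ClientHello line, same alert bytes.
SAMPLE_TRACE = r"""
2016-12-13 20:25:01.547 22 keyStore is: C:\Program Files\IBM\MQSI\9.0.0.0\jre17\lib\security\cacerts
2016-12-13 20:25:01.549 22 keyStore type is: JKS
2016-12-13 20:25:02.734 22 *** ClientHello, SSLv3
2016-12-13 20:25:02.736 22 Cipher Suites: [TLS_EMPTY_RENEGOTIATION_INFO_SCSV, SSL_RSA_WITH_RC4_128_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_RC4_128_MD5]
2016-12-13 20:25:02.740 22 [Raw write]: length = 60
2016-12-13 20:25:02.741 22 0000: 16 03 00 00 37 01 00 00 33 03 00 58 50 59 1e 8b ....7...3..XPY..
2016-12-13 20:25:02.780 22 [Raw read]: length = 5
2016-12-13 20:25:02.780 22 0000: 15 03 00 00 02 .....
2016-12-13 20:25:02.781 22 [Raw read]: length = 2
2016-12-13 20:25:02.781 22 0000: 02 28 ..
2016-12-13 20:25:02.782 22 Thread-10, READ: SSLv3 Alert, length = 2
"""

if __name__ == "__main__":
    print("\n".join("- " + f for f in diagnose(SAMPLE_TRACE)["findings"]))
```

Run it as a script against the embedded sample, or pass the text of a full trace to diagnose(). An empty findings list on a trace that still fails means the failure lies later in the exchange, typically after the server's Certificate message, where the alert to look for is the one the client sends rather than the one it receives.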