MQSeries.net Forum Index » WebSphere Message Broker (ACE) Support » using 2 certs HTTP IIB 10.0.0.4

Post new topic  Reply to topic Goto page 1, 2  Next
 using 2 certs HTTP IIB 10.0.0.4 « View previous topic :: View next topic » 
Author Message
anurag.munjal
PostPosted: Mon Apr 03, 2017 1:23 am    Post subject: using 2 certs HTTP IIB 10.0.0.4

Voyager

Joined: 08 Apr 2012
Posts: 97

Hey Folks!

I am trying to communicate with an end system that is using 2 SSL certs.
I am using 10.0.0.4 and invoking the end system via HTTP.

I have read that IIB 10.0.0.4 does not support SNI.

Just want to confirm if anyone has any thoughts on this please?
_________________
- Anurag
------------------------
Be Simple, Be Happy
exerk
PostPosted: Mon Apr 03, 2017 1:36 am    Post subject:

Jedi Council

Joined: 02 Nov 2006
Posts: 6339

Moving this to the Message Broker forum...
_________________
It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys.
mqjeff
PostPosted: Mon Apr 03, 2017 4:11 am    Post subject:

Grand Master

Joined: 25 Jun 2008
Posts: 17447

Where have you read that IIB does not support SSL?

Where have you read that you can't use more than one cert with HTTP in IIB?
_________________
chmod -R ugo-wx /
zpat
PostPosted: Mon Apr 03, 2017 4:16 am    Post subject:

Jedi Council

Joined: 19 May 2001
Posts: 5849
Location: UK

The "authentication alias" field on the node properties is the cert label to use.
_________________
Well, I don't think there is any question about it. It can only be attributable to human error. This sort of thing has cropped up before, and it has always been due to human error.
fjb_saper
PostPosted: Mon Apr 03, 2017 4:18 am    Post subject:

Grand High Poobah

Joined: 18 Nov 2003
Posts: 20696
Location: LI,NY

mqjeff wrote:
Where have you read that IIB does not support SSL?

Where have you read that you can't use more than one cert with HTTP in IIB?

The OP did not say anything about IIB 10 not supporting SSL. The OP said he read it did not support S.N.I. (Scripps Network Interactive protocol?), a completely different animal...
_________________
MQ & Broker admin
anurag.munjal
PostPosted: Mon Apr 03, 2017 4:24 am    Post subject: more info on the issue/requirement

Voyager

Joined: 08 Apr 2012
Posts: 97

Hello folks,
many thanks for your awesome responses.

I am seeking your help in establishing SNI functionality for our HTTP nodes. Upon researching, it is understood that this can be achieved through the 10.0.0.6 version. Could you please help us with that?

http://www-01.ibm.com/support/docview.wss?uid=swg1IT14330

Background of the requirement is:

IIB has to reach out to an external HTTPS server that has two certs, through an SSL handshake, to post some messages.

Please let us know if there is a way this could be achieved without changing the version. We currently have IIB 10.0.0.4 in our environment.
_________________
- Anurag
------------------------
Be Simple, Be Happy
fjb_saper
PostPosted: Mon Apr 03, 2017 4:32 am    Post subject:

Grand High Poobah

Joined: 18 Nov 2003
Posts: 20696
Location: LI,NY

If the feature is not available until 10.0.0.6 do not even try to access it at 10.0.0.4 unless you have a PMR that delivers this functionality at your (lower) level...
_________________
MQ & Broker admin
anurag.munjal
PostPosted: Mon Apr 03, 2017 8:37 pm    Post subject:

Voyager

Joined: 08 Apr 2012
Posts: 97

fjb_saper wrote:
If the feature is not available until 10.0.0.6 do not even try to access it at 10.0.0.4 unless you have a PMR that delivers this functionality at your (lower) level...


Thanks a lot! I'll get a PMR created... also get 10.0.0.6 set up locally.
_________________
- Anurag
------------------------
Be Simple, Be Happy
anurag.munjal
PostPosted: Tue Apr 04, 2017 12:33 am    Post subject:

Voyager

Joined: 08 Apr 2012
Posts: 97

mqjeff wrote:
Where have you read that IIB does not support SSL?

Where have you read that you can't use more than one cert with HTTP in IIB?


Hi,
this is the exact error:

javax.net.ssl.SSLHandshakeException: com.ibm.jsse2.util.j: PKIX path building failed: java.security.cert.CertPathBuilderException: PKIXCertPathBuilderImpl could not build a valid CertPath.; internal cause is:
java.security.cert.CertPathValidatorException: The certificate issued by CN=AddTrust External CA Root, OU=AddTrust External TTP Network, O=AddTrust AB, C=SE is not trusted; internal cause is:
java.security.cert.CertPathValidatorException: Certificate chaining error



an interesting link on the same: http://www-01.ibm.com/support/docview.wss?uid=swg21369939
_________________
- Anurag
------------------------
Be Simple, Be Happy
smdavies99
PostPosted: Tue Apr 04, 2017 12:53 am    Post subject:

Jedi Council

Joined: 10 Feb 2003
Posts: 6076
Location: Somewhere over the Rainbow this side of Never-never land.

anurag.munjal wrote:

java.security.cert.CertPathValidatorException: Certificate chaining error


There have been a good number of posts here with that very error.
If you search this forum using the google search box at the top right of the page and search for
Certificate chaining error

You may well find the cause of the problem.
_________________
WMQ User since 1999
MQSI/WBI/WMB/'Thingy' User since 2002
Linux user since 1995

Every time you reinvent the wheel the more square it gets (anon). If in doubt think and investigate before you ask silly questions.
anurag.munjal
PostPosted: Tue Apr 04, 2017 7:59 pm    Post subject:

Voyager

Joined: 08 Apr 2012
Posts: 97

smdavies99 wrote:
anurag.munjal wrote:

java.security.cert.CertPathValidatorException: Certificate chaining error


There have been a good number of posts here with that very error.
If you search this forum using the google search box at the top right of the page and search for
Certificate chaining error

You may well find the cause of the problem.


Brilliant! The issue is now fixed.
We simply configured the other end's certificate in the IIB truststore and restarted the broker! It worked.


Thanks everyone for your inputs!
Respect!
_________________
- Anurag
------------------------
Be Simple, Be Happy
zpat
PostPosted: Tue Apr 04, 2017 11:20 pm    Post subject:

Jedi Council

Joined: 19 May 2001
Posts: 5849
Location: UK

You should never add the other end's personal certificate to your truststore unless it is self-signed.

You should instead ensure that you have all the CA signer certificates needed (which may be a chain of them) in your truststore.
_________________
Well, I don't think there is any question about it. It can only be attributable to human error. This sort of thing has cropped up before, and it has always been due to human error.
anurag.munjal
PostPosted: Thu Apr 06, 2017 12:45 am    Post subject:

Voyager

Joined: 08 Apr 2012
Posts: 97

zpat wrote:
You should never add the other end's personal certificate to your truststore unless it is self-signed.

You should instead ensure that you have all the CA signer certificates needed (which may be a chain of them) in your truststore.



Thanks! Is there some nice tutorial on this topic that you can guide me to? I saw several links, but wanted a clear picture of the certs and their configs.
_________________
- Anurag
------------------------
Be Simple, Be Happy
anurag.munjal
PostPosted: Tue Apr 11, 2017 7:28 am    Post subject:

Voyager

Joined: 08 Apr 2012
Posts: 97

zpat wrote:
You should never add the other end's personal certificate to your truststore unless it is self-signed.

You should instead ensure that you have all the CA signer certificates needed (which may be a chain of them) in your truststore.


OK, I raised a PMR for SNI functionality and got to know this:

Self-signed certificates are the poor man's certificate and should only be used for testing purposes. You do not want to trust these certificates unless you know for certain that the end-point is trusted anyway. For example, some clients use them on their internal network. The reason is because anyone can duplicate this certificate and it no longer becomes secure. You should be using CA signed certificates in your truststore whenever you need to trust the other end such as client authentication or if you are the client.
_________________
- Anurag
------------------------
Be Simple, Be Happy
Vitor
PostPosted: Tue Apr 11, 2017 7:39 am    Post subject:

Grand High Poobah

Joined: 11 Nov 2005
Posts: 26093
Location: Texas, USA

anurag.munjal wrote:

Self-signed certificates are the poor man's certificate and should only be used for testing purposes. You do not want to trust these certificates unless you know for certain that the end-point is trusted anyway. For example, some clients use them on their internal network. The reason is because anyone can duplicate this certificate and it no longer becomes secure. You should be using CA signed certificates in your truststore whenever you need to trust the other end such as client authentication or if you are the client.


I'm glad you got to know that before something bad happened. Be aware that adding a CA signed cert to a truststore is, as my worthy associate points out, a bad idea. Trust the signer not the cert.

I would point out that a "CA signed certificate" doesn't mean "signed by VeriSign". We use an internal CA to sign our internal certificates and reserve the use of externally signed certs (which cost money) for when we're leaving the organization and need to prove ourselves to partners.
_________________
Honesty is the best policy.
Insanity is the best defence.