anurag.munjal
Posted: Mon Apr 03, 2017 1:23 am    Post subject: using 2 certs HTTP IIB 10.0.0.4
Voyager
Joined: 08 Apr 2012    Posts: 97
Hey Folks!
I am trying to communicate with an end system that is using 2 SSL certs.
I am using 10.0.0.4 and invoking the end system via HTTP.
I have read that IIB 10.0.0.4 does not support SNI.
Just want to confirm if anyone has any thoughts on this please?
_________________
- Anurag
------------------------
Be Simple, Be Happy

exerk
Posted: Mon Apr 03, 2017 1:36 am
Jedi Council
Joined: 02 Nov 2006    Posts: 6339
Moving this to the Message Broker forum...
_________________
It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys.

mqjeff
Posted: Mon Apr 03, 2017 4:11 am
Grand Master
Joined: 25 Jun 2008    Posts: 17447
Where have you read that IIB does not support SSL?
Where have you read that you can't use more than one cert with HTTP in IIB?
_________________
chmod -R ugo-wx /

zpat
Posted: Mon Apr 03, 2017 4:16 am
Jedi Council
Joined: 19 May 2001    Posts: 5866    Location: UK
The "authentication alias" field on the node properties is the cert label to use.
_________________
Well, I don't think there is any question about it. It can only be attributable to human error. This sort of thing has cropped up before, and it has always been due to human error.

fjb_saper
Posted: Mon Apr 03, 2017 4:18 am
Grand High Poobah
Joined: 18 Nov 2003    Posts: 20756    Location: LI,NY
mqjeff wrote:
    Where have you read that IIB does not support SSL?
    Where have you read that you can't use more than one cert with HTTP in IIB?

The OP did not say anything about IIB 10 not supporting SSL. The OP said he read it did not support S.N.I. (scripps network interactive protocol?) Completely different animal...
_________________
MQ & Broker admin

anurag.munjal
Posted: Mon Apr 03, 2017 4:24 am    Post subject: more info on the issue/requirement
Voyager
Joined: 08 Apr 2012    Posts: 97
Hello folks,
much thanks for your awesome responses.
I am seeking your help in establishing SNI functionality for our HTTP nodes. Upon researching, it is understood that this can be achieved with version 10.0.0.6. Could you please help us with that.
http://www-01.ibm.com/support/docview.wss?uid=swg1IT14330
Background of the requirement is:
IIB has to reach out to an external HTTPS server that has two certs, through an SSL handshake, to post some messages.
Please let us know if there is a way this could be achieved without changing the version. We currently have IIB 10.0.0.4 in our environment.
_________________
- Anurag
------------------------
Be Simple, Be Happy

fjb_saper
Posted: Mon Apr 03, 2017 4:32 am
Grand High Poobah
Joined: 18 Nov 2003    Posts: 20756    Location: LI,NY
If the feature is not available until 10.0.0.6, do not even try to access it at 10.0.0.4 unless you have a PMR that delivers this functionality at your (lower) level...
_________________
MQ & Broker admin

anurag.munjal
Posted: Mon Apr 03, 2017 8:37 pm
Voyager
Joined: 08 Apr 2012    Posts: 97
fjb_saper wrote:
    If the feature is not available until 10.0.0.6, do not even try to access it at 10.0.0.4 unless you have a PMR that delivers this functionality at your (lower) level...

Thanks a lot! I'll get a PMR created... and also get 10.0.0.6 set up locally.
_________________
- Anurag
------------------------
Be Simple, Be Happy

anurag.munjal
Posted: Tue Apr 04, 2017 12:33 am
Voyager
Joined: 08 Apr 2012    Posts: 97
mqjeff wrote:
    Where have you read that IIB does not support SSL?
    Where have you read that you can't use more than one cert with HTTP in IIB?

Hi,
this is the exact error:
javax.net.ssl.SSLHandshakeException: com.ibm.jsse2.util.j: PKIX path building failed: java.security.cert.CertPathBuilderException: PKIXCertPathBuilderImpl could not build a valid CertPath.; internal cause is:
java.security.cert.CertPathValidatorException: The certificate issued by CN=AddTrust External CA Root, OU=AddTrust External TTP Network, O=AddTrust AB, C=SE is not trusted; internal cause is:
java.security.cert.CertPathValidatorException: Certificate chaining error
An interesting link on the same: http://www-01.ibm.com/support/docview.wss?uid=swg21369939
_________________
- Anurag
------------------------
Be Simple, Be Happy

smdavies99
Posted: Tue Apr 04, 2017 12:53 am
Jedi Council
Joined: 10 Feb 2003    Posts: 6076    Location: Somewhere over the Rainbow this side of Never-never land.
anurag.munjal wrote:
    java.security.cert.CertPathValidatorException: Certificate chaining error

There have been a good number of posts here with that very error.
If you search this forum using the Google search box at the top right of the page and search for
    Certificate chaining error
you may well find the cause of the problem.
_________________
WMQ User since 1999
MQSI/WBI/WMB/'Thingy' User since 2002
Linux user since 1995
Every time you reinvent the wheel the more square it gets (anon). If in doubt, think and investigate before you ask silly questions.

anurag.munjal
Posted: Tue Apr 04, 2017 7:59 pm
Voyager
Joined: 08 Apr 2012    Posts: 97
smdavies99 wrote:
    anurag.munjal wrote:
        java.security.cert.CertPathValidatorException: Certificate chaining error

    There have been a good number of posts here with that very error.
    If you search this forum using the Google search box at the top right of the page and search for
        Certificate chaining error
    you may well find the cause of the problem.

Brilliant! The issue is now fixed.
We simply configured the other end's certificate in the IIB truststore and restarted the broker! It worked.
Thanks everyone for your inputs!
Respect!
_________________
- Anurag
------------------------
Be Simple, Be Happy

zpat
Posted: Tue Apr 04, 2017 11:20 pm
Jedi Council
Joined: 19 May 2001    Posts: 5866    Location: UK
You should never add the other end's personal certificate to your truststore unless it is self-signed.
You should instead ensure that you have all the CA signer certificates needed (which may be a chain of them) in your truststore.
_________________
Well, I don't think there is any question about it. It can only be attributable to human error. This sort of thing has cropped up before, and it has always been due to human error.

anurag.munjal
Posted: Thu Apr 06, 2017 12:45 am
Voyager
Joined: 08 Apr 2012    Posts: 97
zpat wrote:
    You should never add the other end's personal certificate to your truststore unless it is self-signed.
    You should instead ensure that you have all the CA signer certificates needed (which may be a chain of them) in your truststore.

Thanks! Is there some nice tutorial on this topic that you can guide me to? I saw several links, but wanted a clear picture of the certs and their configs.
_________________
- Anurag
------------------------
Be Simple, Be Happy

anurag.munjal
Posted: Tue Apr 11, 2017 7:28 am
Voyager
Joined: 08 Apr 2012    Posts: 97
zpat wrote:
    You should never add the other end's personal certificate to your truststore unless it is self-signed.
    You should instead ensure that you have all the CA signer certificates needed (which may be a chain of them) in your truststore.

OK, I raised a PMR for SNI functionality and got to know this:
Self-signed certificates are the poor man's certificate and should only be used for testing purposes. You do not want to trust these certificates unless you know for certain that the end-point is trusted anyway. For example, some clients use them on their internal network. The reason is that anyone can duplicate this certificate and it is no longer secure. You should be using CA signed certificates in your truststore whenever you need to trust the other end, such as for client authentication or if you are the client.
_________________
- Anurag
------------------------
Be Simple, Be Happy

Vitor
Posted: Tue Apr 11, 2017 7:39 am
Grand High Poobah
Joined: 11 Nov 2005    Posts: 26093    Location: Texas, USA
anurag.munjal wrote:
    Self-signed certificates are the poor man's certificate and should only be used for testing purposes. You do not want to trust these certificates unless you know for certain that the end-point is trusted anyway. For example, some clients use them on their internal network. The reason is that anyone can duplicate this certificate and it is no longer secure. You should be using CA signed certificates in your truststore whenever you need to trust the other end, such as for client authentication or if you are the client.

I'm glad you got to know that before something bad happened. Be aware that adding a CA signed cert to a truststore is, as my worthy associate points out, a bad idea. Trust the signer, not the cert.
I would point out that a "CA signed certificate" doesn't mean "signed by VeriSign". We use an internal CA to sign our internal certificates and reserve the use of externally signed certs (which cost money) for when we're leaving the organization and need to prove ourselves to partners.
_________________
Honesty is the best policy.
Insanity is the best defence.
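As an added example (not code from the thread, from IBM or from IIB), this openssl script builds a constructed root -> intermediate -> leaf chain and shows which truststore contents let the peer's certificate verify: the "Certificate chaining error" situation (a signer missing), the truststore zpat and Vitor describe (the CA signers only), and the thread's quick fix (the peer's own certificate), which openssl rejects without -partial_chain. IIB keeps its truststore in a JKS file managed with keytool rather than PEM files, and Java's PKIX validator did accept the copied personal certificate in the thread; the point shown here is which entries actually build a chain to a signer.

```shell
#!/bin/sh
# Constructed demo (not from the thread or IBM): a three-tier chain
#   Demo Root CA -> Demo Intermediate CA -> partner.example (leaf)
# built with openssl, then verified against differently filled "truststores".
set -e
WORK=$(mktemp -d)
cd "$WORK"

# Extension file marking a cert as a CA; openssl verify rejects an
# intermediate that lacks basicConstraints CA:TRUE.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign,cRLSign\n' > ca.ext

# csr NAME CN : fresh RSA key plus certificate request for CN
csr() {
  openssl req -new -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.csr" \
    -subj "/CN=$2" 2>/dev/null
}
csr root  "Demo Root CA"
csr inter "Demo Intermediate CA"
csr leaf  "partner.example"

# Self-signed root: the one certificate that actually belongs in a truststore.
openssl x509 -req -in root.csr -signkey root.key -extfile ca.ext -days 2 \
  -out root.pem 2>/dev/null
# Intermediate issued by the root, leaf issued by the intermediate.
openssl x509 -req -in inter.csr -CA root.pem -CAkey root.key -CAcreateserial \
  -extfile ca.ext -days 2 -out inter.pem 2>/dev/null
openssl x509 -req -in leaf.csr -CA inter.pem -CAkey inter.key -CAcreateserial \
  -days 2 -out leaf.pem 2>/dev/null
# The truststore zpat describes: every signer in the chain, no personal cert.
cat root.pem inter.pem > signers.pem

# verify_leaf TRUSTSTORE [INTERMEDIATE_SENT_BY_PEER] -> prints OK or FAIL
verify_leaf() {
  if [ -n "${2:-}" ]; then
    openssl verify -CAfile "$WORK/$1" -untrusted "$WORK/$2" "$WORK/leaf.pem" \
      >/dev/null 2>&1 && echo OK || echo FAIL
  else
    openssl verify -CAfile "$WORK/$1" "$WORK/leaf.pem" >/dev/null 2>&1 \
      && echo OK || echo FAIL
  fi
}

# Signer missing: the chaining-error case.      Leaf as anchor: not accepted
# without -partial_chain, and breaks at the next renewal anyway.
echo "root only, intermediate missing      : $(verify_leaf root.pem)"           # FAIL
echo "root trusted, peer sends intermediate: $(verify_leaf root.pem inter.pem)" # OK
echo "root + intermediate in truststore    : $(verify_leaf signers.pem)"        # OK
echo "peer's own cert in truststore        : $(verify_leaf leaf.pem)"           # FAIL
```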