ASG
IBM
Zystems
Cressida
Icon
Netflexity
 
  MQSeries.net
Search  Search       Tech Exchange      Education      Certifications      Library      Info Center      SupportPacs      LinkedIn  Search  Search                                                                   FAQ  FAQ   Usergroups  Usergroups
 
Register  ::  Log in Log in to check your private messages
 
RSS Feed - WebSphere MQ Support RSS Feed - Message Broker Support

MQSeries.net Forum Index » WebSphere Message Broker (ACE) Support » SSLHandshakeException in IIB 9.0.0.7

Post new topic  Reply to topic
 SSLHandshakeException in IIB 9.0.0.7 « View previous topic :: View next topic » 
Author Message
andrewfemin
PostPosted: Sat Aug 26, 2017 4:42 am    Post subject: SSLHandshakeException in IIB 9.0.0.7 Reply with quote

Acolyte

Joined: 26 Aug 2017
Posts: 54

Hello,

I'm trying to call a SOAP webservice from IIB SOAP Request node. The URL is a HTTPS URL. I am getting SSLHandshakeException in SOAP Request node. I have imported the certificates in my keystore and restarted the EG after the import. PFB the Exception Tree:

Code:

ExceptionList
   RecoverableException
         File:CHARACTER:/build/slot1/S900_P/src/DataFlowEngine/MessageServices/ImbDataFlowNode. cpp
         Line:INTEGER:1140
         Function:CHARACTER:ImbDataFlowNode::createExceptionList
         Type:CHARACTER:ComIbmSOAPRequestNode
         Name:CHARACTER:AMDMVendorInbound#FCMComposite_1_17
         Label:CHARACTER:AMDMVendorInbound. SOAP Request
         Catalog:CHARACTER:BIPmsgs
         Severity:INTEGER:3
         Number:INTEGER:2230
         Text:CHARACTER:Node throwing exception
         Insert
               Type:INTEGER:14
               Text:CHARACTER:AMDMVendorInbound. SOAP Request
         RecoverableException
               File:CHARACTER:/build/slot1/S900_P/src/WebServices/WSLibrary/ImbSOAPRequestNode. cpp
               Line:INTEGER:846
               Function:CHARACTER:ImbSOAPRequestNode::requestData
               Type:CHARACTER:ComIbmSOAPRequestNode
               Name:CHARACTER:AMDMVendorInbound#FCMComposite_1_17
               Label:CHARACTER:AMDMVendorInbound. SOAP Request
               Catalog:CHARACTER:BIPmsgs
               Severity:INTEGER:3
               Number:INTEGER:3754
               Text:CHARACTER:Error occurred in ImbSOAPRequestHelper::makeSOAPRequest()
               RecoverableException
                     File:CHARACTER:/build/slot1/S900_P/src/WebServices/WSLibrary/ImbSOAPRequestHelper. cpp
                     Line:INTEGER:3676
                     Function:CHARACTER:ImbSOAPRequestHelper::logWebServiceInvocationException
                     Type:CHARACTER:
                     Name:CHARACTER:
                     Label:CHARACTER:
                     Catalog:CHARACTER:BIPmsgs
                     Severity:INTEGER:3
                     Number:INTEGER:3162
                     Text:CHARACTER:WebService Request Exception
                     Insert
                           Type:INTEGER:12
                           Text:CHARACTER:436f6e74656e742d4c656e6774683a203330390d0a417574686f72697a6174696f6e3a2042617369632063335a6a625752745a574670
4d4449365532566a64584a7064486b780d0a436f6e74656e742d547970653a20746578742f786d6c3b20636861727365743d7574662d380d0a486f7374
3a2062706d2d7161322e737973636f2e636f6d0d0a534f4150416374696f6e3a2022687474703a2f2f7777772e6578616d706c652e6f72672f4541495365
72766963652f4e65774f7065726174696f6e220d0a436f6e6e656374696f6e3a204b6565702d416c6976650d0a0d0a
                     Insert
                           Type:INTEGER:12
                           Text:CHARACTER:3c736f6170656e763a456e76656c6f706520786d6c6e733a
736f6170656e763d22687474703a2f2f736368656d61732e786d6c736f6170
2e6f72672f736f61702f656e76656c6f70652f2220786d6c6e733a656169733d22687474703a2f2f737973636f2e636f6d2f454149536572766963652f223e3c736f6170656e763a4865616465723e3c2f736f6170656e763a4865616465
723e3c736f6170656e763a426f64793e3c656169733a4e65774f7065726174696f6e3e3c73617056656e646f724e756d6265723e34303032343831373c2f
73617056656e646f724e756d6265723e3c737576634e756d6265723e3138373c2f737576634e756d6265723e3c2f656169733a4e65774f7065726174696
f6e3e3c2f736f6170656e763a426f64793e3c2f736f6170656e763a456e76656c6f70653e
                     Insert
                           Type:INTEGER:5
                           Text:CHARACTER:
                     Insert
                           Type:INTEGER:5
                           Text:CHARACTER:
                     Insert
                           Type:INTEGER:5
                           Text:CHARACTER:POST /bpm/*****com/mdm/vendor/mgmt/prc/maintvend/***Msg HTTP/1. 1

                     RecoverableException
                           File:CHARACTER:/build/slot1/S900_P/src/WebServices/WSLibrary/ImbWSRequest. cpp
                           Line:INTEGER:474
                           Function:CHARACTER:ImbWSRequest::makeWSRequest
                           Type:CHARACTER:
                           Name:CHARACTER:
                           Label:CHARACTER:
                           Catalog:CHARACTER:BIPmsgs
                           Severity:INTEGER:3
                           Number:INTEGER:3152
                           Text:CHARACTER:A Web Service request has detected a SOCKET error whilst invoking a web service located at host &1, on port &2, on path &3.
                           Insert
                                 Type:INTEGER:5
                                 Text:CHARACTER:***-qa2. *****. com
                           Insert
                                 Type:INTEGER:2
                                 Text:CHARACTER:443
                           Insert
                                 Type:INTEGER:5
                                 Text:CHARACTER:/bpm/*****com/mdm/vendor/mgmt/prc/maintvend/***Msg
                           SocketException
                                 File:CHARACTER:/build/slot1/S900_P/src/WebServices/WSLibrary/ImbSocket. cpp
                                 Line:INTEGER:1314
                                 Function:CHARACTER:ImbSocketJNIManager::handleGeneralJavaException
                                 Type:CHARACTER:
                                 Name:CHARACTER:
                                 Label:CHARACTER:
                                 Catalog:CHARACTER:BIPmsgs
                                 Severity:INTEGER:3
                                 Number:INTEGER:3165
                                 Text:CHARACTER:An error occurred whilst performing an SSL socket operation
                                 Insert
                                       Type:INTEGER:5
                                       Text:CHARACTER:connect
                                 Insert
                                       Type:INTEGER:5
                                       Text:CHARACTER:javax. net. ssl. SSLHandshakeException: Received fatal alert: handshake_failure


Please note that I have other flows calling other HTTPS URLs running in the same server and they are all working fine. Please help me find what I am doing wrong here.
Back to top
View user's profile Send private message
fjb_saper
PostPosted: Sat Aug 26, 2017 11:21 am    Post subject: Reply with quote

Grand High Poobah

Joined: 18 Nov 2003
Posts: 20696
Location: LI,NY

Well you got a handshake failure....
So I would check that the right certificate is available in the keystore. Are those other calls originating from the same integration server (eg) using the same certificate? is the trustchain available in the truststore?
_________________
MQ & Broker admin
Back to top
View user's profile Send private message Send e-mail
andrewfemin
PostPosted: Sat Aug 26, 2017 11:50 pm    Post subject: Reply with quote

Acolyte

Joined: 26 Aug 2017
Posts: 54

Thanks for the reply.

Please note that this used to work fine without any issues earlier when the broker version running was 9.0.0.1. Then we upgraded to IIB 9.0.0.7. That is when we suddenly started getting this error. This is weird because all other HTTPS calls are working fine. I checked the keystore and I can see the Root certificate, intermediate certificate and the URL certificate for this URL are present there.

The other calls are originating from the same integration server but different URLs using different certificates.
Back to top
View user's profile Send private message
mqjeff
PostPosted: Sun Aug 27, 2017 6:35 am    Post subject: Reply with quote

Grand Master

Joined: 25 Jun 2008
Posts: 17447

... anything involving external entries should be in the truststore not the keystore.
_________________
chmod -R ugo-wx /
Back to top
View user's profile Send private message
andrewfemin
PostPosted: Mon Aug 28, 2017 12:11 am    Post subject: Reply with quote

Acolyte

Joined: 26 Aug 2017
Posts: 54

My truststore and keystore are the same. PFB the output when I run this command:

[b]Command:[/b]
[code]
mqsireportproperties <BrokerName> -o BrokerRegistry -a
[/code]

[b]Output:[/b]
[code]
BrokerRegistry
uuid='BrokerRegistry'
brokerKeystoreType='JKS'
brokerKeystoreFile='/opt/IBM/mqsi/9.0.0.1/jre17/lib/security/cacerts'
brokerKeystorePass='********'
brokerTruststoreType='JKS'
brokerTruststoreFile='/opt/IBM/mqsi/9.0.0.1/jre17/lib/security/cacerts'
brokerTruststorePass='********'
brokerCRLFileList=''
httpConnectorPortRange=''
httpsConnectorPortRange=''
allowSSLv3=''
brokerKerberosConfigFile=''
brokerKerberosKeytabFile=''
modeExtensions=''
operationMode='enterprise'
shortDesc=''
longDesc=''
[/code]

And the certificates are present in this keystore.

Please note that IIB is running 9.0.0.7 but the keystore and truststore being referred is from 9.0.0.1. Is that an issue?
Back to top
View user's profile Send private message
JosephGramig
PostPosted: Mon Aug 28, 2017 7:52 am    Post subject: Reply with quote

Grand Master

Joined: 09 Feb 2006
Posts: 1230
Location: Gold Coast of Florida, USA

andrewfemin wrote:
Please note that IIB is running 9.0.0.7 but the keystore and truststore being referred is from 9.0.0.1. Is that an issue?

No, but why would you put your key/trust store where the product was installed? Wouldn't it make more sense to put it where the Integration Bus is located (say if you specified the -e when you created it (and then in a directory named pki))?

Is the cipher you are attempting supported at IIB 9 FP7?
Back to top
View user's profile Send private message AIM Address
fjb_saper
PostPosted: Mon Aug 28, 2017 7:10 pm    Post subject: Reply with quote

Grand High Poobah

Joined: 18 Nov 2003
Posts: 20696
Location: LI,NY

Are you sure that the cipher you are attempting is supported by the certificate?
Elliptic curve ciphers especially may need a different certificate from the usual RSA one...
_________________
MQ & Broker admin
Back to top
View user's profile Send private message Send e-mail
andrewfemin
PostPosted: Tue Aug 29, 2017 5:12 am    Post subject: Reply with quote

Acolyte

Joined: 26 Aug 2017
Posts: 54

Thanks everyone for the help. The issue was with the SSLProtocol. I had selected TLS in SOAPRequest Node. When I tried with TLSv1.2, it worked.

Still I don't understand why it was working in 9.0.0.1, but not in 9.0.0.7.
Back to top
View user's profile Send private message
JosephGramig
PostPosted: Tue Aug 29, 2017 7:25 am    Post subject: Reply with quote

Grand Master

Joined: 09 Feb 2006
Posts: 1230
Location: Gold Coast of Florida, USA

Did you read the "read me" file with FP7?
I bet they deprecated the cipher you were using...

Since it is after the fact, now would be a good time to read the "readme" file.
Back to top
View user's profile Send private message AIM Address
mqjeff
PostPosted: Tue Aug 29, 2017 7:26 am    Post subject: Reply with quote

Grand Master

Joined: 25 Jun 2008
Posts: 17447

JosephGramig wrote:
I bet they deprecated the cipher you were using...


Or anything other than TLS1.2...
_________________
chmod -R ugo-wx /
Back to top
View user's profile Send private message
Display posts from previous:   
Post new topic  Reply to topic Page 1 of 1

MQSeries.net Forum Index » WebSphere Message Broker (ACE) Support » SSLHandshakeException in IIB 9.0.0.7
Jump to:  



You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
Protected by Anti-Spam ACP
 
 


Theme by Dustin Baccetti
Powered by phpBB © 2001, 2002 phpBB Group

Copyright © MQSeries.net. All rights reserved.