TLSv1.2 protocol in message broker 7.0.0.8

prabhuoist
Posted: Wed Nov 08, 2017 2:46 am    Post subject: TLSv1.2 protocol in message broker 7.0.0.8

Apprentice

Joined: 10 Oct 2017
Posts: 39

Hi Team,

Is it possible to use the TLSv1.2 protocol in Message Broker 7.0.0.8?

I am trying to call a client which has the TLSv1.2 protocol, but I am getting

"An error occurred whilst performing an SSL socket operation"

java.lang.NullPointerException.

I have set the SSL certificate as well.

However, I am able to get the response from SOAPUI.

zpat
Posted: Wed Nov 08, 2017 3:00 am

Jedi Council

Joined: 19 May 2001
Posts: 5849
Location: UK

"call client" is a vague term as is "set SSL certificate".

Which broker nodes are you using?

What did you set the SSL protocol to?

Is this one-way or two-way SSL?
_________________
Well, I don't think there is any question about it. It can only be attributable to human error. This sort of thing has cropped up before, and it has always been due to human error.

prabhuoist
Posted: Wed Nov 08, 2017 3:09 am

Broker node - HTTP Request Node

I believe it's one-way SSL, as they have given the SSL certificate to us and we have configured the certificate in the cacert file.

SSL protocol set to TLSv1.2

zpat
Posted: Wed Nov 08, 2017 3:34 am

What type of certificate have they given you? A personal (server) cert or a Certificate Authority signer cert?

Are you trying to validate the server cert their web service presents to you, or are you trying to present a server certificate to their web service?

cacerts is only for signer (CA) certs and is best left alone as IBM replace this file with fixpacks etc.

You could create your own JKS and use it for the execution group keystore/truststore to keep your certs away from IBM's supplied ones.

prabhuoist
Posted: Wed Nov 08, 2017 10:20 pm

Hi,

It is a self-certified server certificate, as the server is in a private network.
We have got the certificate and we have imported it into Message Broker using the keytool -import command.

It was working as long as they had TLSv1 configured; then the client changed it to TLSv1.2 and a strong cipher.

zpat
Posted: Wed Nov 08, 2017 11:53 pm

Run an SSL debug trace on the broker.

export IBM_JAVA_OPTIONS="-Djavax.net.debug=ssl"

Restart broker, run the flow, look in the EG JVM directory for the trace.

Turn trace off afterwards as it affects the whole broker.

prabhuoist
Posted: Thu Nov 09, 2017 5:16 am

Hi There,

We are now able to hit the URL successfully from the local machine (i.e. Windows), but when we deploy the same code and the same certificate on the test servers (i.e. AIX 6.1) we get an SSL handshake error.

The broker Java version on the local machine and on the test server is the same.

prabhuoist
Posted: Thu Nov 09, 2017 10:46 pm

Dear All,

Any suggestions?

fjb_saper
Posted: Thu Nov 09, 2017 11:07 pm

Grand High Poobah

Joined: 18 Nov 2003
Posts: 20696
Location: LI,NY

prabhuoist wrote:
Dear All,

Any suggestion.

Upgrade.... that version is no longer supported...
_________________
MQ & Broker admin

fjb_saper
Posted: Thu Nov 09, 2017 11:11 pm

prabhuoist wrote:
Hi There,

We are able to hit url successfully from local machine now(i.e. windows) but when we deploy same code and same certificate on test servers(i.e. AIX 6.1) we are getting SSL handshake error.

broker java version on local as well as on test server is same.

Don't have enough information about your cert.
But the reason could well be because you are using the same cert as on windows and it no longer describes adequately the server you're running on...

Each server needs to have its own cert.

zpat
Posted: Thu Nov 09, 2017 11:55 pm

prabhuoist wrote:
Any suggestion.


Yes, run the trace, or alternatively rely on guesswork.

prabhuoist
Posted: Mon Nov 13, 2017 12:48 am

We have run this trace, but trace files are not being created anywhere.

prabhuoist
Posted: Mon Nov 13, 2017 1:05 am

We have recreated the same error on another test (AIX) server, and below is the trace log:

javax.net.ssl.SSLHandshakeException: No appropriate protocol
2017-11-13 14:28:37.561 26 at com.ibm.jsse2.lb.c(lb.java:433)
2017-11-13 14:28:37.562 26 at com.ibm.jsse2.SSLSocketImpl.i(SSLSocketImpl.java:476)
2017-11-13 14:28:37.563 26 at com.ibm.jsse2.SSLSocketImpl.h(SSLSocketImpl.java:15)
2017-11-13 14:28:37.563 26 at com.ibm.jsse2.SSLSocketImpl.a(SSLSocketImpl.java:676)
2017-11-13 14:28:37.564 26 at com.ibm.jsse2.SSLSocketImpl.startHandshake(SSLSocketImpl.java:620)
2017-11-13 14:28:37.565 26 at com.ibm.broker.imbsslsocket.MbSslSocket.connectTimeoutInternalNoProxy(MbSslSocket.java:305)
2017-11-13 14:28:37.565 26 at com.ibm.broker.imbsslsocket.MbSslSocket.connectTimeout(MbSslSocket.java:151)
2017-11-13 14:28:37.566 26 at com.ibm.broker.plugin.MbOutputTerminal._propagate(Native Method)
2017-11-13 14:28:37.567 26 at com.ibm.broker.plugin.MbOutputTerminal.propagate(MbOutputTerminal.java:107)
2017-11-13 14:28:37.567 26 at com.ibm.xsl.mqsi.XMLTransformNode.evaluate(XMLTransformNode.java:1015)
2017-11-13 14:28:37.568 26 at com.ibm.broker.plugin.MbNode.evaluate(MbNode.java:1469)


It is saying no appropriate protocol.

However, the same code is working on the local (Windows) machine.

zpat
Posted: Mon Nov 13, 2017 1:26 am

prabhuoist wrote:
We have ran this trace but trace files are not being created any where.


As already mentioned, the SSL trace will be in stdout or stderr in the execution group's JVM directory location.

prabhuoist
Posted: Mon Nov 13, 2017 1:46 am

After removing the cipher in "ALLOWED SSL CYPHER" in the HTTP Request Node, we are now getting the below error:

javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
2017-11-13 15:03:35.757 31 at com.ibm.jsse2.p.a(p.java:36)
2017-11-13 15:03:35.757 31 at com.ibm.jsse2.p.a(p.java:23)
2017-11-13 15:03:35.758 31 at com.ibm.jsse2.SSLSocketImpl.b(SSLSocketImpl.java:789)
2017-11-13 15:03:35.759 31 at com.ibm.jsse2.SSLSocketImpl.a(SSLSocketImpl.java:397)
2017-11-13 15:03:35.759 31 at com.ibm.jsse2.SSLSocketImpl.h(SSLSocketImpl.java:320)
2017-11-13 15:03:35.760 31 at com.ibm.jsse2.SSLSocketImpl.a(SSLSocketImpl.java:676)
2017-11-13 15:03:35.761 31 at com.ibm.jsse2.SSLSocketImpl.startHandshake(SSLSocketImpl.java:620)
2017-11-13 15:03:35.761 31 at com.ibm.broker.imbsslsocket.MbSslSocket.connectTimeoutInternalNoProxy(MbSslSocket.java:305)
2017-11-13 15:03:35.763 31 at com.ibm.broker.imbsslsocket.MbSslSocket.connectTimeout(MbSslSocket.java:151)
2017-11-13 15:03:35.763 31 at com.ibm.broker.plugin.MbOutputTerminal._propagate(Native Method)
2017-11-13 15:03:35.764 31 at com.ibm.broker.plugin.MbOutputTerminal.propagate(MbOutputTerminal.java:107)
2017-11-13 15:03:35.765 31 at com.ibm.xsl.mqsi.XMLTransformNode.evaluate(XMLTransformNode.java:1015)
2017-11-13 15:03:35.766 31 at com.ibm.broker.plugin.MbNode.evaluate(MbNode.java:1469)


Still, our code works fine in the local environment.
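
Added example, not part of the thread and not IBM's code: the two traces above fail at different points, the first inside the local JSSE (com.ibm.jsse2) during startHandshake and the second on an alert sent by the peer, so a useful check is what each JVM (Windows and AIX) can actually offer. The class name TlsProbe is hypothetical; the code uses only standard javax.net.ssl calls and Java 6 syntax so it compiles with the broker's own JRE.

```java
import java.security.NoSuchAlgorithmException;
import java.util.Arrays;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;

// Added example (hypothetical class name). Compile and run it with the JRE
// the broker uses on each machine, then compare the two outputs.
public class TlsProbe {
    public static void main(String[] args) throws Exception {
        System.out.println("java.vendor=" + System.getProperty("java.vendor")
                + " java.version=" + System.getProperty("java.version")
                + " java.runtime.version=" + System.getProperty("java.runtime.version"));

        String[] wanted = { "TLSv1", "TLSv1.1", "TLSv1.2" };
        for (int i = 0; i < wanted.length; i++) {
            try {
                SSLContext ctx = SSLContext.getInstance(wanted[i]);
                ctx.init(null, null, null); // default key and trust managers
                SSLParameters def = ctx.getDefaultSSLParameters();
                SSLParameters sup = ctx.getSupportedSSLParameters();
                System.out.println(wanted[i] + ": context available");
                System.out.println("  enabled protocols:   " + Arrays.toString(def.getProtocols()));
                System.out.println("  supported protocols: " + Arrays.toString(sup.getProtocols()));
                System.out.println("  enabled suites:      " + Arrays.toString(def.getCipherSuites()));
            } catch (NoSuchAlgorithmException e) {
                System.out.println(wanted[i] + ": NOT available in this JRE");
            }
        }

        // Optional: "java TlsProbe <host> <port>" attempts a TLSv1.2-only handshake.
        // Certificate validation uses the default trust store; point
        // -Djavax.net.ssl.trustStore at the JKS that holds the peer's certificate.
        if (args.length == 2) {
            SSLContext ctx = SSLContext.getInstance("TLSv1.2");
            ctx.init(null, null, null);
            SSLSocket s = (SSLSocket) ctx.getSocketFactory()
                    .createSocket(args[0], Integer.parseInt(args[1]));
            try {
                s.setEnabledProtocols(new String[] { "TLSv1.2" });
                s.startHandshake();
                System.out.println("negotiated " + s.getSession().getProtocol()
                        + " / " + s.getSession().getCipherSuite());
            } finally {
                s.close();
            }
        }
    }
}
```

If TLSv1.2 is missing from the supported list on one host only, the two JREs are not at the same build level; java.runtime.version carries more build detail than java.version for that comparison.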