Partha.Baidya |
Posted: Tue Nov 21, 2017 8:39 pm Post subject: IIB v10 One Way SSL handshake_failure with SOAP Request/HTTP |
|
|
 Voyager
Joined: 05 Nov 2009 Posts: 97
|
Trying a one-way SSL with IIB v10.0.0.7 with a SOAPRequest/HTTP node as client. There is another SOAPInput/Reply node as the provider flow.
Created the necessary keystore in the provider and truststore in the consumer.
Getting an exception as
Code: |
Text:CHARACTER:javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure |
Collected a JSSE trace to debug HTTPS problems, which says
Code: |
unable to negotiate SSL connection. Client key alias supplied was []. |
Could you please let me know what could be the issue with the handshake?
Why is the client key alias empty? |
|
zpat |
Posted: Wed Nov 22, 2017 12:17 am Post subject: |
|
|
 Jedi Council
Joined: 19 May 2001 Posts: 5866 Location: UK
|
The client key alias is the label of the personal certificate in the keystore.
If blank it should use the first one in the keystore.
You can set the client key alias value in node properties if you want. _________________ Well, I don't think there is any question about it. It can only be attributable to human error. This sort of thing has cropped up before, and it has always been due to human error. |
|
Partha.Baidya |
Posted: Wed Nov 22, 2017 5:24 am Post subject: |
|
|
 Voyager
Joined: 05 Nov 2009 Posts: 97
|
Is this an optional field?
Does the personal certificate of the provider have to be mentioned here? |
|
fjb_saper |
Posted: Wed Nov 22, 2017 5:48 am Post subject: |
|
|
 Grand High Poobah
Joined: 18 Nov 2003 Posts: 20756 Location: LI,NY
|
The broker is not a browser and as such has no default private key.
You need to create a private public key pair for the broker to be able to present an X509 cert...  _________________ MQ & Broker admin |
|
Partha.Baidya |
Posted: Wed Nov 22, 2017 6:06 am Post subject: |
|
|
 Voyager
Joined: 05 Nov 2009 Posts: 97
|
I have already created a keystore & truststore in the provider broker. Created a truststore in the consumer broker.
I am using SOAP/HTTP in the consumer broker flow in the SOAP request node.
My question was: in the SOAP request HTTP connection, which personal key label has to be given in the key alias field? |
|
fjb_saper |
Posted: Wed Nov 22, 2017 6:21 am Post subject: |
|
|
 Grand High Poobah
Joined: 18 Nov 2003 Posts: 20756 Location: LI,NY
|
Partha.Baidya wrote: |
I have already created a keystore & truststore in the provider broker. Created a truststore in the consumer broker.
I am using SOAP/HTTP in the consumer broker flow in the SOAP request node.
My question was: in the SOAP request HTTP connection, which personal key label has to be given in the key alias field? |
From what you described your client only has a truststore. The server is requesting the cert of the client and there is none. It is not like the server is going to verify the cert of the client but it needs one to finish the handshake.
So your client needs to have an SSL cert to provide to the server. (basic browser functionality).  _________________ MQ & Broker admin |
|
Partha.Baidya |
Posted: Wed Nov 22, 2017 7:13 am Post subject: |
|
|
 Voyager
Joined: 05 Nov 2009 Posts: 97
|
But I am using one-way SSL with SOAP nodes.
For one-way SSL, the client certificate is not required to be presented to the server.
Is it that the SOAP nodes in WMB do not support one-way SSL? |
|
Partha.Baidya |
Posted: Wed Nov 22, 2017 7:30 am Post subject: |
|
|
 Voyager
Joined: 05 Nov 2009 Posts: 97
|
I added the server label in the alias name.
Now I am not getting the alias [] error.
But the SSL handshake is failing.
Code: |
2017-11-22 09:23:16.903 97 unable to negotiate SSL connection. Client key alias supplied was [wmbcert]. |
Code: |
Exception in thread "Thread-53" 2017-11-22 09:23:16.905 97 javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure |
What is the other option to check why the handshake fails? |
|
fjb_saper |
Posted: Wed Nov 22, 2017 11:13 am Post subject: |
|
|
 Grand High Poobah
Joined: 18 Nov 2003 Posts: 20756 Location: LI,NY
|
Did you try running the JVM with -Djavax.net.debug=ssl and what did the debug level trace say?
Do you have the full trustchain in the truststore?  _________________ MQ & Broker admin |
|
zpat |
Posted: Wed Nov 22, 2017 11:59 pm Post subject: |
|
|
 Jedi Council
Joined: 19 May 2001 Posts: 5866 Location: UK
|
The blank alias was not actually an error.
You need to find the actual problem by looking at an SSL trace in the execution group stdout/stderr. _________________ Well, I don't think there is any question about it. It can only be attributable to human error. This sort of thing has cropped up before, and it has always been due to human error. |
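Added example, not part of the thread and not IBM's code: a stand-alone Java client that attempts the same one-way handshake with a truststore only and no client key material, then prints either the negotiated protocol and cipher suite or the handshake exception. The host, port, JKS truststore path and password arguments are assumptions; substitute the provider's HTTPS listener and the consumer's truststore.

```java
import javax.net.ssl.*;
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import java.util.Arrays;

// Added example: one-way TLS probe (all four arguments are supplied by the reader).
public class OneWayTlsProbe {
    public static void main(String[] args) throws Exception {
        if (args.length != 4) {
            System.err.println("usage: OneWayTlsProbe <host> <port> <truststore.jks> <password>");
            return;
        }
        String host = args[0];
        int port = Integer.parseInt(args[1]);

        // Load the truststore that should contain the provider's signer chain.
        KeyStore trust = KeyStore.getInstance("JKS"); // assumption: JKS format
        try (FileInputStream in = new FileInputStream(args[2])) {
            trust.load(in, args[3].toCharArray());
        }
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trust);

        // Empty KeyManager array: this client has no personal certificate to offer,
        // which is the one-way case discussed in the thread.
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(new KeyManager[0], tmf.getTrustManagers(), null);

        try (SSLSocket s = (SSLSocket) ctx.getSocketFactory().createSocket(host, port)) {
            System.out.println("protocols offered: " + Arrays.toString(s.getEnabledProtocols()));
            s.startHandshake();
            SSLSession sess = s.getSession();
            X509Certificate server = (X509Certificate) sess.getPeerCertificates()[0];
            System.out.println("handshake OK: " + sess.getProtocol() + " / " + sess.getCipherSuite());
            System.out.println("server subject: " + server.getSubjectX500Principal());
            System.out.println("server issuer:  " + server.getIssuerX500Principal());
        } catch (SSLHandshakeException e) {
            // "Received fatal alert" means the peer sent the alert; a trust-chain
            // failure is raised locally by the client's trust manager instead.
            System.out.println("handshake FAILED: " + e.getMessage());
        }
    }
}
```

Running it with `-Djavax.net.debug=ssl` on the `java` command line prints the JSSE trace for this single connection, separate from the broker's own stdout/stderr.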
|