Continuous Deployment Integration API(CMP) IIBv10.0.0.13
bond02
Posted: Thu Dec 06, 2018 6:36 am    Post subject: Continuous Deployment Integration API(CMP) IIBv10.0.0.13

Newbie

Joined: 06 Dec 2018
Posts: 6

Hello Experts,
Could anyone confirm whether the Integration API (CMP) of IIBv10.0.0 has ever worked to connect to the Webadmin port of IIBv10.0.0 using HTTPS?

I have successfully set up the PKI on my server (Linux-based) and client machine (local, Windows-based) with a self-signed certificate for testing in a test environment.

I'm perfectly able to access the webadmin port using HTTPS via the Chrome browser and do admin operations from there.

But when I connect to the same port from my Java code (using the IntegrationAPI), it throws the error below:
2018-12-06 13:51:06 ERROR BrokerConnectionManager:42 - com.ibm.broker.config.proxy.ConfigManagerProxyLoggedException: The Integration Node could not be reached. Please check that the Integration Node has been started and check that the Web Admin Listener has started

Content of my .broker file:
-------------------------------

<IntegrationNodeConnectionParameters
    Version="10.0.0"
    host="<hostname>"
    integrationNodeName="IIBNODE01"
    listenerPort="4415"
    sslTrustStorePassword="changeit"
    sslTrustStorePath="C:\IIBCDTrustStoreDev.jks"
    useSsl="true"
    xmlns=".......IntegrationNodeConnectionParameters"/>


So, I have the following questions on this:
    Has IBM ever proven this to work?
    Is there any debugging technique to troubleshoot what the issue could be?


My observations:
-------------------
1) To verify that the .broker file is being parsed correctly, I gave an incorrect sslTrustStorePassword and saw the justified error. This means there is no issue in parsing the .broker file.

2) No log entry appears in the server's log for this unsuccessful connection attempt.

fjb_saper
Posted: Thu Dec 06, 2018 6:42 am

Grand High Poobah

Joined: 18 Nov 2003
Posts: 20696
Location: LI,NY

Once you have set up the connection parameters and before you try to access the broker proxy, check the username / password on the connection parameters...
_________________
MQ & Broker admin

bond02
Posted: Thu Dec 06, 2018 6:58 am

Newbie

Joined: 06 Dec 2018
Posts: 6

fjb_saper wrote:
Once you have set up the connection parameters and before you try to access the broker proxy, check the username / password on the connection parameters...


Could you please share a link where it states that a username and password are mandatory in the .broker file even when I'm trying to authenticate using keystore/truststore (two-way SSL)?

I tried supplying a username and password; those attributes in the .broker file seem to have no effect. I'm getting exactly the same error.


Last edited by bond02 on Thu Dec 06, 2018 7:06 am; edited 1 time in total

fjb_saper
Posted: Thu Dec 06, 2018 7:04 am

Grand High Poobah

Joined: 18 Nov 2003
Posts: 20696
Location: LI,NY

bond02 wrote:
Could you please share a link where it states that a username and password are mandatory in the .broker file even when I'm trying to authenticate using keystore/truststore (two-way SSL)?

Well usually you don't have user name and password in the .broker file.

Assuming that all the values in the .broker file are correct (and sometimes you need to edit it a little bit for it to work) I'd expect that the failure might be related either to SSLCipher (remove it from the .broker file and try again) or to the lack of username passwd...
_________________
MQ & Broker admin

bond02
Posted: Thu Dec 06, 2018 7:24 am

Newbie

Joined: 06 Dec 2018
Posts: 6

fjb_saper wrote:
Well usually you don't have user name and password in the .broker file.

Assuming that all the values in the .broker file are correct (and sometimes you need to edit it a little bit for it to work) I'd expect that the failure might be related either to SSLCipher (remove it from the .broker file and try again) or to the lack of username passwd...


I really could not catch the statement when you said
Quote:
related either to SSLCipher (remove it from the .broker file and try again)

I'm trying to establish an HTTPS connection. I did not see any parameter which can be used to provide SSLCipher. Could you please let me know the name of that parameter?

bond02
Posted: Thu Dec 06, 2018 8:20 am

Newbie

Joined: 06 Dec 2018
Posts: 6

bond02 wrote:
I'm trying to establish an HTTPS connection. I did not see any parameter which can be used to provide SSLCipher. Could you please let me know the name of that parameter?


At last I got a clue about the IIB 10 limitation and the lack of IBM documentation for using the IntegrationAPI from a custom Java application.

It was a kind of trial-and-error approach from my side. It was solved by changing sslProtocol='TLSv1.2' to sslProtocol='TLS'. I tried sslProtocol='TLSv1.3' as well, but no luck, because IIB 10 doesn't support that (Case#TS001676026).

Could you please let me know if IBM has any plan to enhance this IntegrationAPI to throw a relevant exception instead of a generic one?

Vitor
Posted: Thu Dec 06, 2018 8:36 am

Grand High Poobah

Joined: 11 Nov 2005
Posts: 26093
Location: Texas, USA

bond02 wrote:
Could you please let me know if IBM has any plan to enhance this IntegrationAPI to throw a relevant exception instead of a generic one?


If any of the IBMers on this board knew that, the odds are they'd not be allowed to mention it.

As someone who's struggled with IBM error messages (which are still better than Microsoft ones) for some decades, I feel your pain and suggest your best course of action is an RFE. I'd vote for it.

(Bending the ear of your account manager is a viable alternative you may prefer)

Lastly, thank you for sharing your solution for the benefit of future readers.



_________________
Honesty is the best policy.
Insanity is the best defence.

fjb_saper
Posted: Thu Dec 06, 2018 8:59 am

Grand High Poobah

Joined: 18 Nov 2003
Posts: 20696
Location: LI,NY

You may check if SSLProtocol=TLSv1.0 succeeds.
You may also try SSLProtocol=TLSv12 and see if that succeeds.
In any case I would want to check if TLSv1.0 or TLSv1.2 is used.
You may get this information running your java program with -Djavax.net=debug ...
_________________
MQ & Broker admin

bond02
Posted: Fri Dec 07, 2018 1:25 am

Newbie

Joined: 06 Dec 2018
Posts: 6

fjb_saper wrote:
You may check if SSLProtocol=TLSv1.0 succeeds.
You may also try SSLProtocol=TLSv12 and see if that succeeds.
In any case I would want to check if TLSv1.0 or TLSv1.2 is used.
You may get this information running your java program with -Djavax.net=debug ...


Option : with TLSv1.0
Dec 7 09:19:25 hostname IIB[17939]: IBM Integration Bus v100013 (IIBNODE01) [Thread 18020] (Msg 1/1) BIP7049E: Unexpected Java exception WebAdmin Listener java.lang.Exception: Unrecognised sslProtocol 'TLSv1.0' specified for connector. java.security.NoSuchAlgorithmException: TLSv1.0 SSLContext not available at sun.security.jca.GetInstance.getInstance(GetInstance.java:171) at javax.net.ssl.SSLContext.getInstance(SSLContext.java:6) at com.ibm.broker.httplistener.TomcatWrapper.startSecureHTTPSConnector(TomcatWrapper.java:230) at com.ibm.broker.httplistener.WebAdminManager.ensureServletContainer(WebAdminManager.java:763)

Option : with TLSv12
Dec 7 09:21:21 hostname IIB[18393]: IBM Integration Bus v100013 (IIBNODE01) [Thread 18472] (Msg 1/1) BIP7049E: Unexpected Java exception WebAdmin Listener java.lang.Exception: Unrecognised sslProtocol 'TLSv12' specified for connector. java.security.NoSuchAlgorithmException: TLSv12 SSLContext not available at sun.security.jca.GetInstance.getInstance(GetInstance.java:171) at javax.net.ssl.SSLContext.getInstance(SSLContext.java:6)

Option : with TLSv1.0
Unexpected Java exception WebAdmin Listener java.lang.Exception: Unrecognised sslProtocol 'TLSv1.0' specified for connector. java.security.NoSuchAlgorithmException: TLSv1.0 SSLContext not available at sun.security.jca.GetInstance.getInstance(GetInstance.java:171) at javax.net.ssl.SSLContext.getInstance(SSLContext.java:6) at com.ibm.broker.httplistener.TomcatWrapper.startSecureHTTPSConnector(TomcatWrapper.java:230) at com.ibm.broker.httplistener.WebAdminManager.ensureServletContainer(WebAdminManager.java:763)

Option: with TLSv1.2. This is accepted on the server side, but the client can't talk. Is there any way to force the client (Java API) to use TLSv1.2?
Dec 7 09:24:18 hostname IIB[19607]: IBM Integration Bus v100013 (IIBNODE01) [Thread 19690] (Msg 1/1) BIP3132I: The HTTP Listener has started listening on port '4415' for 'WebAdmin https' connections.



Finally, this (TLSv1.2) worked, as guided in the IBM document here:

http://www-01.ibm.com/support/docview.wss?uid=swg1IT19681

Local fix:

Add the following to a .broker file:
sslIncludeProtocols="TLSv1.2"
and then use that .broker file to create a remote connection to the broker.
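
The stack traces in the thread show the listener passing its sslProtocol value to SSLContext.getInstance, which is why 'TLSv1.0' and 'TLSv12' were rejected while 'TLS' and 'TLSv1.2' were accepted. The following is an added diagnostic, not code from the posts or from IBM, that lists which of those names a given JVM accepts and which protocol versions a client built from each would offer. The class name TlsProtocolProbe is hypothetical, and treating setEnabledProtocols as the counterpart of the .broker attribute sslIncludeProtocols is an assumption.

```java
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import java.security.NoSuchAlgorithmException;
import java.util.Arrays;

/** Added diagnostic (hypothetical class): valid SSLContext names and what a client would offer. */
public class TlsProtocolProbe {

    // Values tried in the thread for sslProtocol, plus the standard name "TLSv1".
    static final String[] CANDIDATES = {"TLS", "TLSv1", "TLSv1.0", "TLSv1.2", "TLSv12", "TLSv1.3"};

    /** Protocols enabled by default for a context name, or null if the JVM does not know the name. */
    static String[] enabledByDefault(String contextName) throws Exception {
        SSLContext ctx;
        try {
            ctx = SSLContext.getInstance(contextName);
        } catch (NoSuchAlgorithmException e) {
            return null; // the failure the listener logged as "SSLContext not available"
        }
        ctx.init(null, null, null);        // default key and trust managers suffice for a listing
        SSLEngine engine = ctx.createSSLEngine();
        engine.setUseClientMode(true);     // report the versions a client would put in its ClientHello
        return engine.getEnabledProtocols();
    }

    public static void main(String[] args) throws Exception {
        System.out.println("java.version = " + System.getProperty("java.version"));
        for (String name : CANDIDATES) {
            String[] enabled = enabledByDefault(name);
            if (enabled == null) {
                System.out.println(name + ": not a valid SSLContext name on this JVM");
                continue;
            }
            boolean offers12 = Arrays.asList(enabled).contains("TLSv1.2");
            System.out.println(name + ": enabled=" + Arrays.toString(enabled)
                    + (offers12 ? "" : "  <-- a client would not offer TLSv1.2"));
        }
        // Assumption: restricting the enabled list is what sslIncludeProtocols="TLSv1.2" achieves.
        SSLEngine pinned = SSLContext.getDefault().createSSLEngine();
        pinned.setUseClientMode(true);
        pinned.setEnabledProtocols(new String[] {"TLSv1.2"});
        System.out.println("pinned client offers " + Arrays.toString(pinned.getEnabledProtocols()));
    }
}
```

Run it with the same JRE that the client application uses, since the default enabled list differs between JVM vendors and versions. To see which version is actually negotiated against the listener, the standard JSSE system property is -Djavax.net.debug=ssl:handshake.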