Author |
Message
|
bond02 |
Posted: Thu Dec 06, 2018 6:36 am Post subject: Continuous Deployment Integration API(CMP) IIBv10.0.0.13 |
|
|
Newbie
Joined: 06 Dec 2018 Posts: 6
|
Hello Experts,
Could anyone confirm whether the Integration API (CMP) of IIBv10.0.0 has ever worked to connect to the Webadmin port of IIBv10.0.0 using HTTPS?
I have successfully set up the PKI on my server (Linux based) and client machine (local Windows based) with a self-signed certificate for testing in a test environment.
I'm perfectly able to access the webadmin port using HTTPS via the Chrome browser and do admin operations from there.
But when I connect to the same port from my Java code (using IntegrationAPI), it throws the error below:
2018-12-06 13:51:06 ERROR BrokerConnectionManager:42 - com.ibm.broker.config.proxy.ConfigManagerProxyLoggedException: The Integration Node could not be reached. Please check that the Integration Node has been started and check that the Web Admin Listener has started
Content of my .broker file:
-------------------------------
<IntegrationNodeConnectionParameters Version="10.0.0" host="<hostname>" integrationNodeName="IIBNODE01" listenerPort="4415" sslTrustStorePassword="changeit" sslTrustStorePath="C:\IIBCDTrustStoreDev.jks" useSsl="true" xmlns=".......IntegrationNodeConnectionParameters"/>
So, I have the following questions on this:
Has it ever been proven by IBM to work?
Is there any debugging technique to troubleshoot what the issue could be?
My observations:
-------------------
1) To verify that the .broker file is being parsed correctly, I gave an incorrect sslTrustStorePassword and saw the justified error. This means there is no issue in parsing the .broker file.
2) No log entry appears in the server's log about this unsuccessful connection attempt.
fjb_saper |
Posted: Thu Dec 06, 2018 6:42 am Post subject: |
|
|
 Grand High Poobah
Joined: 18 Nov 2003 Posts: 20756 Location: LI,NY
|
Once you have set up the connection parameters and before you try to access the broker proxy, check the username / password on the connection parameters...  _________________ MQ & Broker admin |
bond02 |
Posted: Thu Dec 06, 2018 6:58 am Post subject: |
|
|
Newbie
Joined: 06 Dec 2018 Posts: 6
|
fjb_saper wrote: |
Once you have set up the connection parameters and before you try to access the broker proxy, check the username / password on the connection parameters...  |
Could you please share with me a link where it states that username and password are mandatory in the .broker file even when I'm trying to authenticate using keystore/truststore (two-way SSL)?
I tried supplying a username & password; those attributes in the .broker file appear to have no effect. I'm getting exactly the same error.
Last edited by bond02 on Thu Dec 06, 2018 7:06 am; edited 1 time in total |
fjb_saper |
Posted: Thu Dec 06, 2018 7:04 am Post subject: |
|
|
 Grand High Poobah
Joined: 18 Nov 2003 Posts: 20756 Location: LI,NY
|
bond02 wrote: |
fjb_saper wrote: |
Once you have set up the connection parameters and before you try to access the broker proxy, check the username / password on the connection parameters...  |
Could you please share with me a link where it states that username and password are mandatory in the .broker file even when I'm trying to authenticate using keystore/truststore (two-way SSL)? |
Well usually you don't have user name and password in the .broker file.
Assuming that all the values in the .broker file are correct (and sometimes you need to edit it a little bit for it to work) I'd expect that the failure might be related either to SSLCipher (remove it from the .broker file and try again) or to the lack of username passwd...  _________________ MQ & Broker admin |
bond02 |
Posted: Thu Dec 06, 2018 7:24 am Post subject: |
|
|
Newbie
Joined: 06 Dec 2018 Posts: 6
|
I really could not catch the statement when you said
Quote: |
related either to SSLCipher (remove it from the .broker file and try again) |
I'm trying to establish an HTTPS connection. I did not see any parameter which can be used to provide SSLCipher. Could you please let me know that parameter name?
bond02 |
Posted: Thu Dec 06, 2018 8:20 am Post subject: |
|
|
Newbie
Joined: 06 Dec 2018 Posts: 6
|
At last I got a clue about IIB 10's limitation and the lack of IBM documentation for use of the IntegrationAPI from a custom Java application.
It was a kind of hit and trial method from my side. It is solved by changing from sslProtocol='TLSv1.2' to sslProtocol='TLS'. I tried to use sslProtocol='TLSv1.3' as well but no luck, because IIB 10 doesn't support that (Case#TS001676026).
Could you please let me know if IBM has any plan to enhance this IntegrationAPI to throw a relevant exception instead of some generic one?
Vitor |
Posted: Thu Dec 06, 2018 8:36 am Post subject: |
|
|
 Grand High Poobah
Joined: 11 Nov 2005 Posts: 26093 Location: Texas, USA
|
bond02 wrote: |
Could you please let me know if IBM has any plan to enhance this IntegrationAPI to throw a relevant exception instead of some generic one? |
If any of the IBMers on this board knew that, the odds are they'd not be allowed to mention it.
As someone who's struggled with IBM error messages (which are still better than Microsoft ones) for some decades, I feel your pain and suggest your best course of action is an RFE. I'd vote for it.
(Bending the ear of your account manager is a viable alternative you may prefer)
Lastly, thank you for sharing your solution for the benefit of future readers.
 _________________ Honesty is the best policy.
Insanity is the best defence. |
fjb_saper |
Posted: Thu Dec 06, 2018 8:59 am Post subject: |
|
|
 Grand High Poobah
Joined: 18 Nov 2003 Posts: 20756 Location: LI,NY
|
You may check if SSLProtocol=TLSv1.0 succeeds.
You may also try SSLProtocol=TLSv12 and see if that succeeds.
In any case I would want to check if TLSv1.0 or TLSv1.2 is used.
You may get this information running your java program with -Djavax.net=debug ...  _________________ MQ & Broker admin |
bond02 |
Posted: Fri Dec 07, 2018 1:25 am Post subject: |
|
|
Newbie
Joined: 06 Dec 2018 Posts: 6
|
fjb_saper wrote: |
You may check if SSLProtocol=TLSv1.0 succeeds.
You may also try SSLProtocol=TLSv12 and see if that succeeds.
In any case I would want to check if TLSv1.0 or TLSv1.2 is used.
You may get this information running your java program with -Djavax.net=debug ...  |
Option: with TLSv1.0
Dec 7 09:19:25 hostname IIB[17939]: IBM Integration Bus v100013 (IIBNODE01) [Thread 18020] (Msg 1/1) BIP7049E: Unexpected Java exception WebAdmin Listener java.lang.Exception: Unrecognised sslProtocol 'TLSv1.0' specified for connector.
java.security.NoSuchAlgorithmException: TLSv1.0 SSLContext not available
    at sun.security.jca.GetInstance.getInstance(GetInstance.java:171)
    at javax.net.ssl.SSLContext.getInstance(SSLContext.java:6)
    at com.ibm.broker.httplistener.TomcatWrapper.startSecureHTTPSConnector(TomcatWrapper.java:230)
    at com.ibm.broker.httplistener.WebAdminManager.ensureServletContainer(WebAdminManager.java:763)
Option: with TLSv12
Dec 7 09:21:21 hostname IIB[18393]: IBM Integration Bus v100013 (IIBNODE01) [Thread 18472] (Msg 1/1) BIP7049E: Unexpected Java exception WebAdmin Listener java.lang.Exception: Unrecognised sslProtocol 'TLSv12' specified for connector.
java.security.NoSuchAlgorithmException: TLSv12 SSLContext not available
    at sun.security.jca.GetInstance.getInstance(GetInstance.java:171)
    at javax.net.ssl.SSLContext.getInstance(SSLContext.java:6)
Option: with TLSv1.2. This is accepted at the server side, but the client can't talk. Is there any way to force the client (Java API) to use TLSv1.2?
Dec 7 09:24:18 hostname IIB[19607]: IBM Integration Bus v100013 (IIBNODE01) [Thread 19690] (Msg 1/1) BIP3132I: The HTTP Listener has started listening on port '4415' for 'WebAdmin https' connections.
Finally this (TLSv1.2) has worked, as guided in the IBM document over here:
http://www-01.ibm.com/support/docview.wss?uid=swg1IT19681
Local fix:
Add the following to a .broker file:
sslIncludeProtocols="TLSv1.2"
and then use that .broker file to create a remote connection to the broker.
|
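The "SSLContext not available" errors in the last post come from SSLContext.getInstance, which accepts only the protocol names registered in the JRE. The following is an added example, not code from this thread or from IBM: a plain JSSE probe (no Integration API) that checks which of the names tried above the local JRE recognises and then reports what a client restricted to TLSv1.2 negotiates with the listener. The class name and the four command-line arguments (host, port, JKS trust store path, password) are assumptions; no client key store is loaded, so it tests server authentication only.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.NoSuchAlgorithmException;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLException;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.TrustManagerFactory;

// Added example (hypothetical class name); uses only standard JSSE calls.
public class WebAdminTlsProbe {
    // True if this JRE has an SSLContext registered under the given name.
    static boolean isKnownProtocol(String name) {
        try {
            SSLContext.getInstance(name);
            return true;
        } catch (NoSuchAlgorithmException e) {
            return false; // same failure as "TLSv1.0 SSLContext not available"
        }
    }

    public static void main(String[] args) throws Exception {
        for (String name : new String[] {"TLS", "TLSv1", "TLSv1.0", "TLSv1.2", "TLSv12"}) {
            System.out.println(name + " -> " + (isKnownProtocol(name) ? "recognised" : "not available"));
        }
        if (args.length < 4) {
            System.out.println("usage: WebAdminTlsProbe <host> <port> <truststore.jks> <password>");
            return;
        }
        KeyStore trust = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(args[2])) {
            trust.load(in, args[3].toCharArray());
        }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trust);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null); // no client certificate
        try (SSLSocket s = (SSLSocket) ctx.getSocketFactory().createSocket(args[0], Integer.parseInt(args[1]))) {
            SSLParameters p = s.getSSLParameters();
            p.setProtocols(new String[] {"TLSv1.2"});      // offer TLSv1.2 only
            p.setEndpointIdentificationAlgorithm("HTTPS"); // also verify the certificate host name
            s.setSSLParameters(p);
            s.startHandshake();
            System.out.println("negotiated " + s.getSession().getProtocol() + " with " + s.getSession().getCipherSuite());
        } catch (SSLException e) {
            System.out.println("handshake failed: " + e); // protocol, trust or host-name mismatch
        }
    }
}
```

Running it with the JSSE system property -Djavax.net.debug=ssl:handshake prints the full handshake trace, including the protocol versions offered and selected.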