riyaz_tak |
Posted: Sun Aug 25, 2019 11:00 pm Post subject: SSL Authentication issue between JAVA 8 client and IBM MQ 8 |
|
|
Voyager
Joined: 05 Jan 2012 Posts: 92
|
Hi
Name: WebSphere MQ
Version: 8.0.0.4
Level: p800-004-151017
BuildType: IKAP - (Production)
Platform: WebSphere MQ for Solaris (SPARC platform)
Mode: 64-bit
O/S: SunOS 5.10
InstName: Installation1
I have Java 8 installed on my machine.
I have defined a Java JCEKS database at the Java client end and a CMS MQ key database at the MQ server side.
I have used SSL cipher TLS_RSA_WITH_AES_128_CBC_SHA256 at both the Java client and MQ end.
But when I start both applications I get the error below:
AMQ9637: Channel is lacking a certificate.
EXPLANATION:
The channel is lacking a certificate to use for the SSL handshake. The channel
name is 'XXXX' (if '????' it is unknown at this stage in the SSL
processing).
The remote host is 'localhost (127.0.0.1)'.
The channel did not start.
ACTION:
Make sure the appropriate certificates are correctly configured in the key
repositories for both ends of the channel.
I have defined, created and stored the correct keys but am still getting the error.
If I disable SSL authentication then it works without any error.
Please let me know if more information is needed.
HubertKleinmanns |
Posted: Mon Aug 26, 2019 1:05 am Post subject: |
|
|
 Shaman
Joined: 24 Feb 2004 Posts: 732 Location: Germany
|
Did you have a look at this site?
https://www.ibm.com/support/knowledgecenter/en/SSFKSJ_8.0.0/com.ibm.mq.dev.doc/q113210_.htm
The CipherSpec "TLS_RSA_WITH_AES_128_CBC_SHA256" is equivalent to the CipherSuite "SSL_RSA_WITH_AES_128_CBC_SHA256" when you use IBM Java, and equivalent to the CipherSuite "TLS_RSA_WITH_AES_128_CBC_SHA256" when you use Oracle Java.
You should look at the client's log. Did the Java app load the keystore successfully?
Regards
Hubert
riyaz_tak |
Posted: Mon Aug 26, 2019 2:10 am Post subject: |
|
|
Voyager
Joined: 05 Jan 2012 Posts: 92
|
Hi,
Thanks for the reply.
I have already looked at the site but am still getting the error.
SSL cipher at MQ side:
SSLCIPH(TLS_RSA_WITH_AES_128_CBC_SHA256)
SSL ciphersuite at Java client side:
SSL_RSA_WITH_AES_128_CBC_SHA256
Error at Java client end:
JMSException: JMSWMQ0018: Failed to connect to queue manager 'xxx' with connection mode 'Client' and host name 'localhost(51410)'.
Mon Aug 26 10:08:17 2019 ERROR !com.ibm.msg.client.jms.DetailedJMSException: JMSWMQ0018: Failed to connect to queue manager 'xxx' with connection mode 'Client' and host name 'localhost(51410)'.
riyaz_tak |
Posted: Mon Aug 26, 2019 2:50 am Post subject: |
|
|
Voyager
Joined: 05 Jan 2012 Posts: 92
|
HubertKleinmanns |
Posted: Mon Aug 26, 2019 4:51 am Post subject: |
|
|
 Shaman
Joined: 24 Feb 2004 Posts: 732 Location: Germany
|
Do you use IBM Java or Oracle Java?
Regards
Hubert
HubertKleinmanns |
Posted: Mon Aug 26, 2019 5:00 am Post subject: |
|
|
 Shaman
Joined: 24 Feb 2004 Posts: 732 Location: Germany
|
For IBM Java Runtime Environment you have to
- use CipherSuite "SSL_RSA_WITH_AES_256_CBC_SHA256".
For Oracle Java Runtime Environment you have to
- use CipherSuite "TLS_RSA_WITH_AES_256_CBC_SHA256"
- and upgrade the MQ Client to 8.0.0.5
Hope this helps.
Regards
Hubert
tczielke |
Posted: Mon Aug 26, 2019 12:19 pm Post subject: |
|
|
Guardian
Joined: 08 Jul 2010 Posts: 941 Location: Illinois, USA
|
riyaz_tak |
Posted: Mon Aug 26, 2019 8:00 pm Post subject: |
|
|
Voyager
Joined: 05 Jan 2012 Posts: 92
|
Thanks everyone for the response.
I am using Oracle JAVA.
I will upgrade my MQ server to 8.0.0.5 and let you know the result. |
HubertKleinmanns |
Posted: Tue Aug 27, 2019 1:22 am Post subject: |
|
|
 Shaman
Joined: 24 Feb 2004 Posts: 732 Location: Germany
|
riyaz_tak |
Posted: Wed Aug 28, 2019 2:26 am Post subject: |
|
|
Voyager
Joined: 05 Jan 2012 Posts: 92
|
Hi,
I have upgraded MQ to 8.0.0.5 but now the Java client is throwing an error.
JMS Common Client First Failure Symptom Report
Product :- IBM WebSphere MQ classes for JMS
Date/Time :- Wed Aug 28 09:24:59 GMT 2019
System time :- 1566984299972
Operating System :- SunOS
UserID :- root
Java Vendor :- Oracle Corporation
Java Version :- 25.191-b12
Source Class :- com.ibm.mq.jmqi.remote.impl.RemoteTCPConnection
Source Method :- getNonFipsSocketFactory()
ProbeID :- 03
Thread :- name=xxx priority=5 group=main ccl=sun.misc.Launcher$AppClassLoader@6e0be858
Data
----
| Description :- Cannot open keystore file
| Exception message :- Invalid keystore format
I can run /opt/mqm/bin/runmqckm utility to list all the certificate stored in keystore but java client is still throwing error.
HubertKleinmanns |
Posted: Wed Aug 28, 2019 2:46 am Post subject: |
|
|
 Shaman
Joined: 24 Feb 2004 Posts: 732 Location: Germany
|
It's essential that the Java application is able to open its keystore. Upgrading the MQ Client doesn't affect the keystore.
You have to exchange a couple of jar-files named "com.ibm.mq.*"
Regards
Hubert
riyaz_tak |
Posted: Wed Aug 28, 2019 9:22 pm Post subject: |
|
|
Voyager
Joined: 05 Jan 2012 Posts: 92
|
ERR JMSException: JMSWMQ0018: Failed to connect to queue manager 'xxxxx' with connection mode 'Client' and host name 'null'.
Thu Aug 29 05:14:26 2019 ERR Ops!com.ibm.msg.client.jms.DetailedJMSException: JMSWMQ0018: Failed to connect to queue manager xxxx with connection mode 'Client' and host name 'null'.
Check the queue manager is started and if running in client mode, check there is a listener running. Please see the linked exception for more information.
When I set TLS_RSA_WITH_AES_256_CBC_SHA256 as ciphersuite and cipherspec, I get the above error in the Java client log.
If, while starting the Java client, I put -Dcom.ibm.mq.cfg.useIBMCipherMappings=false as a JVM argument, then an FFDC file is created stating invalid keystore, so I removed that line and started the Java client, but again I received the above error.
So should I set -Dcom.ibm.mq.cfg.useIBMCipherMappings=false as jvm argument or not ?
I used TLS_RSA_WITH_AES_256_CBC_SHA256 as well as TLS_RSA_WITH_AES_128_CBC_SHA but both don't seem to be working.
hughson |
Posted: Wed Aug 28, 2019 11:37 pm Post subject: |
|
|
 Padawan
Joined: 09 May 2013 Posts: 1959 Location: Bay of Plenty, New Zealand
|
riyaz_tak wrote: |
Description :- Cannot open keystore file
Exception message :- Invalid keystore format |
Please confirm the format of your keystore. It should be JKS. Is it?
riyaz_tak wrote: |
So should I set -Dcom.ibm.mq.cfg.useIBMCipherMappings=false as jvm argument or not ? |
Since you are using an Oracle JVM, then yes, you should be setting the above argument. When you don't set this, other errors would appear to be masking your real problem.
Cheers,
Morag
Morag Hughson @MoragHughson
IBM MQ Technical Education Specialist
Get your IBM MQ training here!
MQGem Software |
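As an added example (not code from any poster in this thread), here is a small Java check for the keystore-format question raised above. It reads the store's four-byte header (0xFEEDFEED for JKS, 0xCECECECE for JCEKS) and then attempts the load under each store type; the class name and the in-memory sample store are constructed for illustration.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.nio.ByteBuffer;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.KeyStore;

// Hypothetical helper class, not part of IBM MQ or of this thread.
public class KeystoreFormatCheck {
    // Name the on-disk format from the first four bytes of the store.
    static String sniff(byte[] data) {
        if (data.length < 4) return "too short to be a keystore";
        int magic = ByteBuffer.wrap(data, 0, 4).getInt();
        if (magic == 0xFEEDFEED) return "JKS";
        if (magic == 0xCECECECE) return "JCEKS";
        if (data[0] == 0x30) return "DER-encoded, possibly PKCS12";
        return "not JKS, JCEKS or DER";
    }

    // Attempt the load for one store type. A null password skips the
    // integrity check, so a failure here points at the format itself.
    static String tryLoad(String type, byte[] data) {
        try {
            KeyStore ks = KeyStore.getInstance(type);
            ks.load(new ByteArrayInputStream(data), null);
            return "loads, " + ks.size() + " entries";
        } catch (Exception e) {
            return "fails: " + e.getMessage();
        }
    }

    public static void main(String[] args) throws Exception {
        byte[] data;
        if (args.length > 0) {
            data = Files.readAllBytes(Paths.get(args[0])); // store to check
        } else {
            // Constructed sample: an empty JCEKS store built in memory.
            KeyStore sample = KeyStore.getInstance("JCEKS");
            sample.load(null, null);
            ByteArrayOutputStream out = new ByteArrayOutputStream();
            sample.store(out, "changeit".toCharArray()); // sample password
            data = out.toByteArray();
        }
        System.out.println("header: " + sniff(data));
        for (String type : new String[] {"JKS", "JCEKS"}) {
            System.out.println("as " + type + ": " + tryLoad(type, data));
        }
    }
}
```

Run it with the path of the client's key store as the only argument; with no argument it checks the constructed sample, which reports a JCEKS header and fails to load as JKS.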
riyaz_tak |
Posted: Thu Aug 29, 2019 12:33 am Post subject: |
|
|
Voyager
Joined: 05 Jan 2012 Posts: 92
|
Yes it's JKS (key.jck).
When I am trying to run Java client ,I am getting below error :
com.ibm.msg.client.jms.DetailedJMSException: JMSWMQ0018: Failed to connect to queue manager 'xxxxx' with connection mode 'Client' and host name 'localhost(xxxx)'.
I am using TLS_RSA_WITH_AES_256_CBC_SHA256 as SSL ciphersuite.
I am setting the said JVM parameter but always getting the error and not able to connect.
hughson |
Posted: Thu Aug 29, 2019 1:19 am Post subject: |
|
|
 Padawan
Joined: 09 May 2013 Posts: 1959 Location: Bay of Plenty, New Zealand
|
riyaz_tak wrote: |
Yes it's JKS (key.jck) |
Odd extension to use for a JKS file?
riyaz_tak wrote: |
I can run /opt/mqm/bin/runmqckm utility to list all the certificate stored in keystore but java client is still throwing error. |
Can you show us the command you use that works to list all the certificates?
riyaz_tak wrote: |
When I am trying to run Java client ,I am getting below error :
com.ibm.msg.client.jms.DetailedJMSException: JMSWMQ0018: Failed to connect to queue manager 'xxxxx' with connection mode 'Client' and host name 'localhost(xxxx)'. |
Is this a different error? Did you change something to get rid of the "Invalid keystore format" error you previously reported?
Cheers,
Morag
Morag Hughson @MoragHughson
IBM MQ Technical Education Specialist
Get your IBM MQ training here!
MQGem Software |