tczielke |
Posted: Tue Sep 03, 2019 3:39 am Post subject: |
|
|
Guardian
Joined: 08 Jul 2010 Posts: 941 Location: Illinois, USA
|
riyaz_tak wrote: |
tczielke wrote: |
Can you also explain how you are setting the keystore type to be a jceks. Is it through a Java system property? Programmatically? |
I have created makefile which is creating keystore.
runmqckm -keydb -create \
-db key.jck -pw xxxx \
-type jceks |
No, I mean in your JMS application that uses this jck file, how are you explicitly setting the keystore type to be jceks? If you don't set the keystore type explicitly, it will default to jks. That at least has been my experience. _________________ Working with MQ since 2010. |
tczielke |
Posted: Tue Sep 03, 2019 1:25 pm Post subject: |
|
|
Guardian
Joined: 08 Jul 2010 Posts: 941 Location: Illinois, USA
|
I played around with this some this afternoon, and I could not get the IBM MQ Classes for JMS or Java to work with a JCEKS keystore when using the javax.net.ssl system properties to set the keystore. I could only get it to work when I programmatically created a Keystore that was a JCEKS instance and then set the MQEnvironment.sslSocketFactory accordingly. If I had to guess, the IBM MQ software is defaulting to a JKS Keystore, if the MQEnvironment.sslSocketFactory is not set, and you are not currently able to use a JCEKS with the javax.net.ssl system properties. If someone is able to do that, I would like to know.
riyaz_tak - If you are trying to do this using the javax.net.ssl system properties, that might be your issue that IBM MQ does not seem to support this for a JCEKS keystore. At least that is what I have found, so far, with my testing. _________________ Working with MQ since 2010. |
riyaz_tak |
Posted: Tue Sep 03, 2019 8:38 pm Post subject: |
|
|
Voyager
Joined: 05 Jan 2012 Posts: 92
|
tczielke wrote: |
riyaz_tak wrote: |
tczielke wrote: |
Can you also explain how you are setting the keystore type to be a jceks. Is it through a Java system property? Programmatically? |
I have created makefile which is creating keystore.
runmqckm -keydb -create \
-db key.jck -pw xxxx \
-type jceks |
No, I mean in your JMS application that uses this jck file, how are you explicitly setting the keystore type to be jceks? If you don't set the keystore type explicitly, it will default to jks. That at least has been my experience. |
I am creating jceks keystore explicitly and copying the keystore to the file system using package.
I am not setting it programmatically but the same scenario was working perfectly fine with IBM MQ 7.5.
So is it because of IBM MQ 8?
In java code I have used JNDI to get the values
def qcf(mq) qmanager(xxxx) transport(client) hostname(localhost) port(51410) channel(xxxxx) sslciphersuite(TLS_RSA_WITH_AES_256_CBC_SHA256)
Here channel is srvconn. I am creating QueueConnectionFactory and then after that I am trying to get the QueueConnection, but at the moment I get Invalid KeyStore exception. |
fjb_saper |
Posted: Tue Sep 03, 2019 10:37 pm Post subject: |
|
|
 Grand High Poobah
Joined: 18 Nov 2003 Posts: 20756 Location: LI,NY
|
tczielke wrote: |
I played around with this some this afternoon, and I could not get the IBM MQ Classes for JMS or Java to work with a JCEKS keystore when using the javax.net.ssl system properties to set the keystore. I could only get it to work when I programmatically created a Keystore that was a JCEKS instance and then set the MQEnvironment.sslSocketFactory accordingly. If I had to guess, the IBM MQ software is defaulting to a JKS Keystore, if the MQEnvironment.sslSocketFactory is not set, and you are not currently able to use a JCEKS with the javax.net.ssl system properties. If someone is able to do that, I would like to know.
riyaz_tak - If you are trying to do this using the javax.net.ssl system properties, that might be your issue that IBM MQ does not seem to support this for a JCEKS keystore. At least that is what I have found, so far, with my testing. |
Have you tried with -Djavax.net.ssl.keystoretype="JECKS" or something like it??  _________________ MQ & Broker admin |
riyaz_tak |
Posted: Tue Sep 03, 2019 10:43 pm Post subject: |
|
|
Voyager
Joined: 05 Jan 2012 Posts: 92
|
fjb_saper wrote: |
tczielke wrote: |
I played around with this some this afternoon, and I could not get the IBM MQ Classes for JMS or Java to work with a JCEKS keystore when using the javax.net.ssl system properties to set the keystore. I could only get it to work when I programmatically created a Keystore that was a JCEKS instance and then set the MQEnvironment.sslSocketFactory accordingly. If I had to guess, the IBM MQ software is defaulting to a JKS Keystore, if the MQEnvironment.sslSocketFactory is not set, and you are not currently able to use a JCEKS with the javax.net.ssl system properties. If someone is able to do that, I would like to know.
riyaz_tak - If you are trying to do this using the javax.net.ssl system properties, that might be your issue that IBM MQ does not seem to support this for a JCEKS keystore. At least that is what I have found, so far, with my testing. |
Have you tried with -Djavax.net.ssl.keystoretype="JECKS" or something like it??  |
Yes I have.
I am setting below JVM arguments at the time of starting JAVA Client :
-Djavax.net.ssl.trustStorePassword=xxxx \
-Djavax.net.ssl.trustStoreType=jceks \
-Djavax.net.ssl.keyStore=/dir/key.jck \
-Djavax.net.ssl.keyStorePassword=xxxx \
-Djavax.net.ssl.keyStoreType=jceks \ |
tczielke |
Posted: Wed Sep 04, 2019 7:24 am Post subject: |
|
|
Guardian
Joined: 08 Jul 2010 Posts: 941 Location: Illinois, USA
|
riyaz_tak wrote: |
fjb_saper wrote: |
tczielke wrote: |
I played around with this some this afternoon, and I could not get the IBM MQ Classes for JMS or Java to work with a JCEKS keystore when using the javax.net.ssl system properties to set the keystore. I could only get it to work when I programmatically created a Keystore that was a JCEKS instance and then set the MQEnvironment.sslSocketFactory accordingly. If I had to guess, the IBM MQ software is defaulting to a JKS Keystore, if the MQEnvironment.sslSocketFactory is not set, and you are not currently able to use a JCEKS with the javax.net.ssl system properties. If someone is able to do that, I would like to know.
riyaz_tak - If you are trying to do this using the javax.net.ssl system properties, that might be your issue that IBM MQ does not seem to support this for a JCEKS keystore. At least that is what I have found, so far, with my testing. |
Have you tried with -Djavax.net.ssl.keystoretype="JECKS" or something like it??  |
Yes I have.
I am setting below JVM arguments at the time of starting JAVA Client :
-Djavax.net.ssl.trustStorePassword=xxxx \
-Djavax.net.ssl.trustStoreType=jceks \
-Djavax.net.ssl.keyStore=/dir/key.jck \
-Djavax.net.ssl.keyStorePassword=xxxx \
-Djavax.net.ssl.keyStoreType=jceks \ |
I was using something similar, as well, for the keyStoreType and trustStoreType. I tried both jceks and JCEKS. I am not sure if this is an issue introduced at v8, but I can confirm that I see the same issue with MQ 9.1.0.1 of getting an invalid keystore when relying on the javax.net.ssl system properties to set the keystore and type for a jceks.
I am able to get this to work with JMS by using the IBM MQ JMS Extensions and creating my own sslSocketFactory that has a properly built JCEKS Keystore. Of course, this does move you away from portable JMS, if that is something you care about.
You might want to open a PMR with IBM on what you are experiencing here, because it looks like a potential defect, to me. _________________ Working with MQ since 2010. |
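The workaround described in the post above (build a JCEKS KeyStore explicitly and hand the resulting socket factory to MQ), as an added example that is not part of the original thread or IBM's code. It uses only JDK classes; the class name, the constructed empty keystore and the reuse of one store for both keys and trust are assumptions, and the MQ assignment is shown as a comment because the IBM jars are not assumed to be present.

```java
import java.io.*;
import java.nio.file.*;
import java.security.KeyStore;
import javax.net.ssl.*;

public class JceksSocketFactory {   // hypothetical class name
    // On-disk magic numbers: a JKS file starts 0xFEEDFEED, a JCEKS file 0xCECECECE.
    static String sniffType(Path file) throws IOException {
        try (DataInputStream in = new DataInputStream(Files.newInputStream(file))) {
            int magic = in.readInt();
            if (magic == 0xFEEDFEED) return "JKS";
            if (magic == 0xCECECECE) return "JCEKS";
            return "UNKNOWN";
        }
    }

    // Load the store with an explicit type instead of relying on a default.
    static KeyStore load(Path file, String type, char[] pw) throws Exception {
        KeyStore ks = KeyStore.getInstance(type);
        try (InputStream in = Files.newInputStream(file)) { ks.load(in, pw); }
        return ks;
    }

    // Assumption: the same JCEKS file holds the client key and the trusted certs.
    static SSLSocketFactory build(Path file, char[] pw) throws Exception {
        KeyStore ks = load(file, "JCEKS", pw);
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(ks, pw);
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        SSLContext ctx = SSLContext.getInstance("TLSv1.2");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx.getSocketFactory();
    }

    public static void main(String[] args) throws Exception {
        char[] pw = "constructed-demo-password".toCharArray();   // constructed sample value
        Path file = Files.createTempFile("key", ".jck");         // constructed empty JCEKS store
        KeyStore empty = KeyStore.getInstance("JCEKS");
        empty.load(null, pw);
        try (OutputStream out = Files.newOutputStream(file)) { empty.store(out, pw); }
        System.out.println("on-disk format: " + sniffType(file));
        try { load(file, "JKS", pw); }                           // wrong type on purpose
        catch (IOException e) { System.out.println("loaded as JKS fails: " + e.getMessage()); }
        SSLSocketFactory sf = build(file, pw);
        // With the IBM MQ classes on the classpath: MQEnvironment.sslSocketFactory = sf;
        System.out.println("factory built: " + sf.getClass().getName());
    }
}
```

Running sniffType against the real key.jck before touching the application shows whether the file on disk is actually JCEKS or was created as JKS.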
fjb_saper |
Posted: Wed Sep 04, 2019 9:49 pm Post subject: |
|
|
 Grand High Poobah
Joined: 18 Nov 2003 Posts: 20756 Location: LI,NY
|
riyaz_tak wrote: |
fjb_saper wrote: |
Have you tried with -Djavax.net.ssl.keystoretype="JECKS" or something like it??  |
Yes I have.
I am setting below JVM arguments at the time of starting JAVA Client :
-Djavax.net.ssl.trustStorePassword=xxxx \
-Djavax.net.ssl.trustStoreType=jceks \
-Djavax.net.ssl.keyStore=/dir/key.jck \
-Djavax.net.ssl.keyStorePassword=xxxx \
-Djavax.net.ssl.keyStoreType=jceks \ |
I hope this is not a cut and paste. Because I believe the format should be
Code: |
java -D<propertyname>="<value>" |
Notice that the value is in between double quotes, which you do not seem to have done in your example here...
Thus it should read
Code: |
-Djavax.net.ssl.trustStorePassword="xxxx" \
-Djavax.net.ssl.trustStoreType="jceks" \
-Djavax.net.ssl.keyStore="/dir/key.jck" \
-Djavax.net.ssl.keyStorePassword="xxxx" \
-Djavax.net.ssl.keyStoreType="jceks" \
|
Enjoy  _________________ MQ & Broker admin |
riyaz_tak |
Posted: Wed Sep 04, 2019 10:02 pm Post subject: |
|
|
Voyager
Joined: 05 Jan 2012 Posts: 92
|
fjb_saper wrote: |
riyaz_tak wrote: |
fjb_saper wrote: |
Have you tried with -Djavax.net.ssl.keystoretype="JECKS" or something like it??  |
Yes I have.
I am setting below JVM arguments at the time of starting JAVA Client :
-Djavax.net.ssl.trustStorePassword=xxxx \
-Djavax.net.ssl.trustStoreType=jceks \
-Djavax.net.ssl.keyStore=/dir/key.jck \
-Djavax.net.ssl.keyStorePassword=xxxx \
-Djavax.net.ssl.keyStoreType=jceks \ |
I hope this is not a cut and paste. Because I believe the format should be
Code: |
java -D<propertyname>="<value>" |
Notice that the value is in between double quotes, which you do not seem to have done in your example here...
Thus it should read
Code: |
-Djavax.net.ssl.trustStorePassword="xxxx" \
-Djavax.net.ssl.trustStoreType="jceks" \
-Djavax.net.ssl.keyStore="/dir/key.jck" \
-Djavax.net.ssl.keyStorePassword="xxxx" \
-Djavax.net.ssl.keyStoreType="jceks" \
|
Enjoy  |
It's an old code and was working with MQ7.5 |
riyaz_tak |
Posted: Wed Sep 04, 2019 10:03 pm Post subject: |
|
|
Voyager
Joined: 05 Jan 2012 Posts: 92
|
tczielke wrote: |
riyaz_tak wrote: |
fjb_saper wrote: |
tczielke wrote: |
I played around with this some this afternoon, and I could not get the IBM MQ Classes for JMS or Java to work with a JCEKS keystore when using the javax.net.ssl system properties to set the keystore. I could only get it to work when I programmatically created a Keystore that was a JCEKS instance and then set the MQEnvironment.sslSocketFactory accordingly. If I had to guess, the IBM MQ software is defaulting to a JKS Keystore, if the MQEnvironment.sslSocketFactory is not set, and you are not currently able to use a JCEKS with the javax.net.ssl system properties. If someone is able to do that, I would like to know.
riyaz_tak - If you are trying to do this using the javax.net.ssl system properties, that might be your issue that IBM MQ does not seem to support this for a JCEKS keystore. At least that is what I have found, so far, with my testing. |
Have you tried with -Djavax.net.ssl.keystoretype="JECKS" or something like it??  |
Yes I have.
I am setting below JVM arguments at the time of starting JAVA Client :
-Djavax.net.ssl.trustStorePassword=xxxx \
-Djavax.net.ssl.trustStoreType=jceks \
-Djavax.net.ssl.keyStore=/dir/key.jck \
-Djavax.net.ssl.keyStorePassword=xxxx \
-Djavax.net.ssl.keyStoreType=jceks \ |
I was using something similar, as well, for the keyStoreType and trustStoreType. I tried both jceks and JCEKS. I am not sure if this is an issue introduced at v8, but I can confirm that I see the same issue with MQ 9.1.0.1 of getting an invalid keystore when relying on the javax.net.ssl system properties to set the keystore and type for a jceks.
I am able to get this to work with JMS by using the IBM MQ JMS Extensions and creating my own sslSocketFactory that has a properly built JCEKS Keystore. Of course, this does move you away from portable JMS, if that is something you care about.
You might want to open a PMR with IBM on what you are experiencing here, because it looks like a potential defect, to me. |
I will open a PMR with IBM and let you know the resolution. |
fjb_saper |
Posted: Wed Sep 04, 2019 10:05 pm Post subject: |
|
|
 Grand High Poobah
Joined: 18 Nov 2003 Posts: 20756 Location: LI,NY
|
So it worked with Java 6 or java 7...
Doesn't mean that java 8 or java 12 will work without the quotes for the values...  _________________ MQ & Broker admin |
riyaz_tak |
Posted: Wed Sep 04, 2019 10:18 pm Post subject: |
|
|
Voyager
Joined: 05 Jan 2012 Posts: 92
|
fjb_saper wrote: |
So it worked with Java 6 or java 7...
Doesn't mean that java 8 or java 12 will work without the quotes for the values...  |
Not working even after putting "". |
riyaz_tak |
Posted: Mon Sep 09, 2019 1:42 am Post subject: |
|
|
Voyager
Joined: 05 Jan 2012 Posts: 92
|
Here key.kdb is keystore at MQ side and key.jks is keystore at Java client side.
1. runmqckm -keydb -create -db key.jck -pw xxx -type JKS
no issue here.
2. runmqckm -cert -export -db /mqDir/key.kdb -pw xxx -label javaclient -target key.jck -target_pw xxx -type JKS
An IO Exception has occurred:
Invalid keystore format
key.kdb keystore at MQ side was generated using gsk6kit and it contains couple of certificates.
When we are trying to export one of the certificates using runmqckm utility from /mqDir/key.kdb to key.jck (java client side keystore), we are getting error.
But if I remove -type jks at step 2, I am not getting any error.
runmqckm -cert -export -db /mqDir/key.kdb -pw xxx -label javaclient -target key.jck -target_pw xxx -type JKS
Why is it so? How can I export the certificate? |
hughson |
Posted: Mon Sep 09, 2019 1:49 am Post subject: |
|
|
 Padawan
Joined: 09 May 2013 Posts: 1959 Location: Bay of Plenty, New Zealand
|
riyaz_tak wrote: |
2. runmqckm -cert -export -db /mqDir/key.kdb -pw xxx -label javaclient -target key.jck -target_pw xxx -type JKS
An IO Exception has occurred:
Invalid keystore format |
Remember that the runmqckm command has two types. If you forget the syntax remember you can use ? at any point. So to see the specific fields for -cert -export, just type in the following:-
Code: |
runmqckm -cert -export ? |
When you do this you'll see that there are two types. There's a -type for the type of the -db keystore. And then there's a -target_type for the -target keystore.
So your command is saying that the -db /mqDir/key.kdb is of -type JKS which is clearly not true. Try the following command instead:-
Code: |
runmqckm -cert -export -db /mqDir/key.kdb -type CMS -pw xxx -label javaclient -target key.jck -target_pw xxx -target_type JKS |
Cheers,
Morag _________________ Morag Hughson @MoragHughson
IBM MQ Technical Education Specialist
Get your IBM MQ training here!
MQGem Software
Last edited by hughson on Wed Sep 11, 2019 2:04 am; edited 1 time in total |
riyaz_tak |
Posted: Mon Sep 09, 2019 2:39 am Post subject: |
|
|
Voyager
Joined: 05 Jan 2012 Posts: 92
|
Thanks A lot.
You are a rockstar. This resolved my issue. I was getting incorrect keystore type error because my command was wrong.
Thanks a lot again. |
hughson |
Posted: Mon Sep 09, 2019 2:44 pm Post subject: |
|
|
 Padawan
Joined: 09 May 2013 Posts: 1959 Location: Bay of Plenty, New Zealand
|
riyaz_tak wrote: |
Thanks A lot. |
You are welcome - glad it is working for you now.
Cheers,
Morag _________________ Morag Hughson @MoragHughson
IBM MQ Technical Education Specialist
Get your IBM MQ training here!
MQGem Software |