Connecting to MQ with Groovy
jon.austen
Posted: Mon Aug 03, 2020 9:45 am

Newbie

Joined: 03 Aug 2020
Posts: 9

I have put together an example project using JMeter to performance test IBM MQ9.

In GitHub, my project is at: djangofan/jmeter-ibm-mq9

So, in the example I am using JMeter with Groovy script to connect to MQ. The Non-ssl version of it works great.

BUT, I am having trouble creating an SSL cert in a way that I am able to match an MQ client, having the correct Cipher Spec in order to get it to work. Is it possible someone could help me create an "example cert+key" (with password 'changeit') that I can use, and tell me which cipher spec I can use with it?

In other words, I just need a "simple recipe", as an example, that I can get working in my example project. No matter what I tried, I cannot figure out which is the correct cipher spec to use after I create my cert. I even tried using ikeyman tool. Is my problem because I am creating cert with openssl tool?

Is there an example hidden somewhere in these forums?

Help?
bruce2359
Posted: Mon Aug 03, 2020 10:10 am

Poobah

Joined: 05 Jan 2008
Posts: 8769
Location: US: west coast, almost. Otherwise, enroute.

Are you following some How-to step-by-step document? Have you searched for one?
_________________
My life flows on in endless song;
How can I keep from singing?
hughson
Posted: Mon Aug 03, 2020 4:09 pm

Grand Master

Joined: 09 May 2013
Posts: 1486
Location: Bay of Plenty, New Zealand

Could you show us one example of what you have tried and the error that you get?
_________________
Morag Hughson @MoragHughson
IBM MQ Technical Education Specialist
Get your IBM MQ training here!
MQGem Software
jon.austen
Posted: Wed Aug 12, 2020 4:41 pm

Newbie

Joined: 03 Aug 2020
Posts: 9

To answer your questions:
1. There are lots of examples of doing this with non-SSL, but that is not my question here.
2. If you check out my project file, the code is all correct, as long as I get the correct cert into place on the server side and the correct matching keystore on the client side. (Permalink: https://github.com/djangofan/jmeter-ibm-mq9/blob/28f018dfceeacf9cf3a8f6b4326f6a23431feeef/sslExample.jmx#L167-L248 )


--------------


    1. All I need to get this working is simple instructions to create the server side key and cert and the client side Java keystore file.
    2. I know how to configure Docker-IBM-MQ to use the cert, as you can see in the README file of my example project.
    3. What I don't know, and is the hard part, is being able to create a cert that has a particular cipher-spec that would work with a client connection.
    4. The code in my example works with MQ servers that exist at my employer BUT I just don't know the magic sauce of creating the certificate in the correct fashion to match a supported cipher-spec.
    5. A link to such documentation would be awesome but I couldn't find anything.
    6. When I am done with this example project, it might be the only such documentation that exists, if I manage to do this.


--------------

The ERROR that I get is just the typical error you get when SSL is not setup correctly.

Code:

javax.script.ScriptException: com.ibm.msg.client.jms.DetailedJMSException: JMSWMQ0018: Failed to connect to queue manager 'QM1' with connection mode 'Client' and host name 'localhost(1414)'.
Check the queue manager is started and if running in client mode, check there is a listener running. Please see the linked exception for more information.
javax.script.ScriptException: com.ibm.msg.client.jms.DetailedJMSException: JMSWMQ0018: Failed to connect to queue manager 'QM1' with connection mode 'Client' and host name 'localhost(1414)'.
Check the queue manager is started and if running in client mode, check there is a listener running. Please see the linked exception for more information.
Caused by: com.ibm.msg.client.jms.DetailedJMSException: JMSWMQ0018: Failed to connect to queue manager 'QM1' with connection mode 'Client' and host name 'localhost(1414)'.
Caused by: com.ibm.mq.MQException: JMSCMQ0001: IBM MQ call failed with compcode '2' ('MQCC_FAILED') reason '2397' ('MQRC_JSSE_ERROR')
Caused by: com.ibm.mq.jmqi.JmqiException: CC=2;RC=2397;AMQ9204: Connection to host 'localhost(1414)' rejected. [1=com.ibm.mq.jmqi.JmqiException[CC=2;RC=2397;AMQ9771: SSL handshake failed.


Last edited by jon.austen on Wed Aug 12, 2020 4:47 pm; edited 1 time in total
bruce2359
Posted: Wed Aug 12, 2020 4:47 pm

Poobah

Joined: 05 Jan 2008
Posts: 8769
Location: US: west coast, almost. Otherwise, enroute.

Look here: https://www.ibm.com/support/pages/troubleshooting-javajms-ssl-configurations
_________________
My life flows on in endless song;
How can I keep from singing?
jon.austen
Posted: Wed Aug 12, 2020 6:15 pm

Newbie

Joined: 03 Aug 2020
Posts: 9

I managed to create a certificate and check it into the Git repository (above) and so you should be able to try it yourself although it would take a little bit of time to set up as described in the README.

The error I get now is:
2020-08-12 19:10:02,568 ERROR o.a.j.p.j.s.J.JMS Connection Setup: Error loading SSL context.
java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty
at java.security.cert.PKIXParameters.setTrustAnchors(PKIXParameters.java:200) ~[?:1.8.0_231]
at java.security.cert.PKIXParameters.<init>(PKIXParameters.java:157) ~[?:1.8.0_231]
at java.security.cert.PKIXBuilderParameters.<init>(PKIXBuilderParameters.java:130) ~[?:1.8.0_231]


I assume this error is because I must use a valid cert chain with a known certificate authority rather than a pure self-signed test certificate?
hughson
Posted: Wed Aug 12, 2020 9:32 pm

Grand Master

Joined: 09 May 2013
Posts: 1486
Location: Bay of Plenty, New Zealand

Hi again,

Thank you for showing the error you get. Could you also show the command you are using to generate the certificate and run the application? That would make it easier for us to answer on here than to trawl through a GitHub repository looking for the commands you are issuing.

To your specific questions - a certificate is not tied to one specific cipherspec, but it is tied to a class of cipherspecs as you can read here.

The trustanchor error is not about CA-signed vs self-signed but likely the attributes you are supplying on the command to launch your Java application - perhaps you could show us an example of that command and we could point out what was missing.

Cheers,
Morag
_________________
Morag Hughson @MoragHughson
IBM MQ Technical Education Specialist
Get your IBM MQ training here!
MQGem Software
fjb_saper
Posted: Thu Aug 13, 2020 4:19 am

Grand High Poobah

Joined: 18 Nov 2003
Posts: 20382
Location: LI,NY

jon.austen wrote:
I managed to create a certificate and check it into the Git repository (above) and so you should be able to try it yourself although it would take a little bit of time to set up as described in the README.

The error I get now is:
2020-08-12 19:10:02,568 ERROR o.a.j.p.j.s.J.JMS Connection Setup: Error loading SSL context.
java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty
at java.security.cert.PKIXParameters.setTrustAnchors(PKIXParameters.java:200) ~[?:1.8.0_231]
at java.security.cert.PKIXParameters.<init>(PKIXParameters.java:157) ~[?:1.8.0_231]
at java.security.cert.PKIXBuilderParameters.<init>(PKIXBuilderParameters.java:130) ~[?:1.8.0_231]


I assume this error is because I must use a valid cert chain with a known certificate authority rather than a pure self-signed test certificate?

The error is most probably because when using your self-signed cert you did not export the public certificate and add it to your trust store... assuming of course you did specify a key store and a trust store
_________________
MQ & Broker admin
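
fjb_saper's diagnosis as a shell walk-through, added here as an example and not part of the thread: a key store that holds only the self-signed key pair has no trusted certificate entries, so the public certificate is exported and imported into a separate trust store. The aliases, the DN and the `mq_test.crt` and `truststore.jks` file names are assumptions; `mq_client.jks` and the `changeit` password come from the thread.

```shell
#!/usr/bin/env bash
# Added example, not from the thread. File names, aliases and the DN are
# assumptions; "changeit" is the throwaway test password used in the thread.
PASS=changeit

# keytool with English output so the entry-type strings below are stable.
kt() { keytool -J-Duser.language=en "$@"; }

# 1. Self-signed 2048-bit RSA key pair, 10 years: a PrivateKeyEntry.
make_keystore() {       # $1 = key store file
  kt -genkeypair -alias mqclient -keyalg RSA -keysize 2048 -validity 3650 \
     -dname "CN=mq-test" -storetype JKS -keystore "$1" \
     -storepass "$PASS" -keypass "$PASS" >/dev/null 2>&1
}

# 2. Export only the public certificate (PEM), never the private key.
export_cert() {         # $1 = key store file, $2 = certificate file
  kt -exportcert -rfc -alias mqclient -storetype JKS -keystore "$1" \
     -storepass "$PASS" -file "$2" >/dev/null 2>&1
}

# 3. Import that certificate into a separate trust store (trustedCertEntry).
make_truststore() {     # $1 = certificate file, $2 = trust store file
  kt -importcert -noprompt -alias mq-test-cert -file "$1" -storetype JKS \
     -keystore "$2" -storepass "$PASS" >/dev/null 2>&1
}

# Number of trusted certificate entries in a store. PKIXParameters builds its
# trust anchors from these entries only; zero of them gives
# "the trustAnchors parameter must be non-empty".
count_trust_anchors() { # $1 = store file
  kt -list -storetype JKS -keystore "$1" -storepass "$PASS" 2>/dev/null \
    | grep -c 'trustedCertEntry' || true
}

demo() {
  dir=$(mktemp -d) || return 1
  make_keystore "$dir/mq_client.jks" || return 1
  echo "key store trust anchors:   $(count_trust_anchors "$dir/mq_client.jks")"
  export_cert "$dir/mq_client.jks" "$dir/mq_test.crt" || return 1
  make_truststore "$dir/mq_test.crt" "$dir/truststore.jks" || return 1
  echo "trust store trust anchors: $(count_trust_anchors "$dir/truststore.jks")"
  rm -rf "$dir"
}

# Run the walk-through only when asked: ./truststore.sh demo
if [ "${1:-}" = "demo" ]; then demo; fi
```

The Java client's trust store setting (for example the `javax.net.ssl.trustStore` system property) then points at the store from step 3, which must hold the certificate the queue manager actually presents.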
jon.austen
Posted: Thu Aug 13, 2020 8:02 am

Newbie

Joined: 03 Aug 2020
Posts: 9

The command I am using to execute is documented below, and in my README.md file.

Here is how I set up the cert. The keystore contains the cert, and therefore contains the public key and the private key that the MQ server was launched with.

Here is how I documented it:
Code:

##### What I did

Use the Java `Keytool Explorer` app.   Here are the steps I used:

* Create a new `Server keypair` as `mq_client.jks` ,  2048 bit RSA and 10 years long.
* Export the `certificate chain` as `tls.crt` in DER format.
* Export the PKCS#8 `private key` as `tls.key`
* Load those two files into the mykey folder shown in the Docker config above.


##### If you setup MQ to be SSL

Start JMeter like so, using the included `sslExample.jmx` project file:

    ./bin/jmeter -J"jmsPassword=passw0rd" -J"jksPassword=changeme"
   
When you start JMeter, the `mq_client.jks` must be in the same folder as the project file.

Also, I included a new screenshot in my README.md that provides more info without you needing to startup the project.

The work I am doing here can be shared forward with great value. I hope you can help. I'll try to use the runmqakm to prove my CipherSpec is supported and paste that below.
jon.austen
Posted: Thu Aug 13, 2020 8:46 am

Newbie

Joined: 03 Aug 2020
Posts: 9

I suspect I should have created my cert with runmqakm tool instead of "java keytool explorer"? (ref: http://www.mqseries.net/phpBB2/viewtopic.php?t=77064 ) I am very experienced with certs but this IBM context is throwing me for a loop.

If you help me with this, I will fully document it.

Right now I am trying to locate the runmqakm tool, which I cannot find in my 8.x SDK. Maybe I need to download a 9.x SDK?
jon.austen
Posted: Thu Aug 13, 2020 12:40 pm

Newbie

Joined: 03 Aug 2020
Posts: 9

Ok, I am getting closer. Now it appears I need to create the Circular cert with the runmqakm tool. So, I need to find documentation for that. Any help would be great.

Code:
13:39 $ runmqakm -cert -details -db mq_client.jks -pw changeit -label self-signed
CTGSK3026W The key file "mq_client.jks" does not exist or cannot be read.
CTGSK2017W An invalid database file type was encountered.
fjb_saper
Posted: Fri Aug 14, 2020 5:43 am

Grand High Poobah

Joined: 18 Nov 2003
Posts: 20382
Location: LI,NY

jon.austen wrote:
Ok, I am getting closer. Now it appears I need to create the Circular cert with the runmqakm tool. So, I need to find documentation for that. Any help would be great.

Code:
13:39 $ runmqakm -cert -details -db mq_client.jks -pw changeit -label self-signed
CTGSK3026W The key file "mq_client.jks" does not exist or cannot be read.
CTGSK2017W An invalid database file type was encountered.

For a jks file you need to use runmqckm.
For the keystore for the qmgr (.kdb) use runmqakm

You can also create the client as .kdb with runmqakm and then convert it all into a jks using runmqckm...
_________________
MQ & Broker admin
jon.austen
Posted: Fri Aug 14, 2020 9:09 am

Newbie

Joined: 03 Aug 2020
Posts: 9

Ok, I will look for that information and get back to you after I try again. I do need it in .jks format since I am using Java on the client side. Also, I need it to be self-signed so I can enable SSL on my local Docker container. I hope I don't run into an issue with it being self-signed. Do you think I would?

I did manage to locate the command line tool runmqakm on my system. I am on a Mac, and I put it at /var/mqm
fjb_saper
Posted: Sat Aug 15, 2020 11:44 am

Grand High Poobah

Joined: 18 Nov 2003
Posts: 20382
Location: LI,NY

jon.austen wrote:
Ok, I will look for that information and get back to you after I try again. I do need it in .jks format since I am using Java on the client side. Also, I need it to be self-signed so I can enable SSL on my local Docker container. I hope I don't run into an issue with it being self-signed. Do you think I would?

I did manage to locate the command line tool runmqakm on my system. I am on a Mac, and I put it at /var/mqm

It is supposed to be at /opt/mqm/bin[64]
If you did not set a preferred installation, you'd need to source the setmqenv file in each session before executing any commands:
Code:
. /opt/mqm/bin/setmqenv -s

_________________
MQ & Broker admin