HSarwan |
Posted: Sun Feb 14, 2021 7:49 am Post subject: SSL configuration via CACERT certificate using IIBv10 |
|
|
Novice
Joined: 14 Feb 2021 Posts: 11
|
Hello,
Quote: |
Working on a Linux machine, trying to secure inbound requests to an Integration Server's embedded HTTP Listener, but it throws an exception:
keystore was tempared with, or password was incorrect. |
I performed the following config:
Code: |
keytool -importcert -alias test -file abc.cer -keystore TestKeystore
mqsichangeproperties TestBroker -e IS -o HTTPSConnector -n keystoreType -v JKS
mqsichangeproperties TestBroker -e IS -o HTTPSConnector -n truststoreType -v JKS
mqsichangeproperties TestBroker -e IS -o HTTPSConnector -n explicitlySetPortNumber -v 8542
mqsichangeproperties TestBroker -e IS -o HTTPSConnector -n sslProtocol -v TLSv1.2
mqsichangeproperties TestBroker -e IS -o HTTPSConnector -n keystoreFile -v /u01/esbuser/CACERT/TestKeystore.jks
mqsichangeproperties TestBroker -e IS -o HTTPSConnector -n truststoreFile -v /u01/esbuser/CACERT/TestTruststore.jks
mqsisetdbparms TestBroker -n brokerKeystore::password -u ignore -p admin123
mqsichangeproperties TestBroker -e IS -o HTTPSConnector -n keystorePass -v brokerKeystore::password
mqsisetdbparms TestBroker -n brokerTruststore::password -u ignore -p admin123
mqsichangeproperties TestBroker -e IS -o HTTPSConnector -n truststorePass -v brokerTruststore::password
mqsistop TestBroker
mqsistart TestBroker
|
Quote: |
I have tested it via a client and server application deployed on the SSL-configured server. When the client invokes the HTTPS URL, it throws the above exception. |
Quote: |
I am sure I am missing something, as I am new to configuring SSL. Please help. |
bruce2359 |
Posted: Sun Feb 14, 2021 8:15 am Post subject: |
|
|
 Poobah
Joined: 05 Jan 2008 Posts: 9469 Location: US: west coast, almost. Otherwise, enroute.
|
Hello. You’ve used the Quote option in your post. Who or what are you quoting?
_________________
I like deadlines. I like to wave as they pass by.
ב''ה
Lex Orandi, Lex Credendi, Lex Vivendi. As we Worship, So we Believe, So we Live. |
HSarwan |
Posted: Sun Feb 14, 2021 8:23 am Post subject: |
|
|
Novice
Joined: 14 Feb 2021 Posts: 11
|
Thanks for the reply.
Quoting the exception mainly. What else is required to overcome the exception? |
bruce2359 |
Posted: Sun Feb 14, 2021 11:23 am Post subject: Re: SSL configuration via CACERT certificate using IIBv10 |
|
|
 Poobah
Joined: 05 Jan 2008 Posts: 9469 Location: US: west coast, almost. Otherwise, enroute.
|
HSarwan wrote: |
keystore was tempared with, or password was incorrect. |
Is this the error message? Where do you see this?
Errors from IBM products usually have a message identifier. Please post the complete error message including the message identifier? |
gbaddeley |
Posted: Sun Feb 14, 2021 2:33 pm Post subject: Re: SSL configuration via CACERT certificate using IIBv10 |
|
|
 Jedi Knight
Joined: 25 Mar 2003 Posts: 2538 Location: Melbourne, Australia
|
bruce2359 wrote: |
HSarwan wrote: |
keystore was tempared with, or password was incorrect. |
Is this the error message? Where do you see this?
Errors from IBM products usually have a message identifier. Please post the complete error message including the message identifier? |
Also, IBM messages usually have correct spelling: tampered
_________________
Glenn |
HSarwan |
Posted: Sun Feb 14, 2021 9:16 pm Post subject: |
|
|
Novice
Joined: 14 Feb 2021 Posts: 11
|
Here is the exception:
<exceptionList>
<RecoverableException>
<File>/build/slot3/S1000_P/src/DataFlowEngine/MessageServices/ImbDataFlowNode.cpp</File>
<Line>1251</Line>
<Function>ImbDataFlowNode::createExceptionList</Function>
<Type>ComIbmWSRequestNode</Type>
<Name>RRR#FCMComposite_1_2</Name>
<Label>RRR.HTTP Request</Label>
<Catalog>BIPmsgs</Catalog>
<Severity>3</Severity>
<Number>2230</Number>
<Text>Node throwing exception</Text>
<Insert>
<Type>14</Type>
<Text>RRR.HTTP Request</Text>
</Insert>
<RecoverableException>
<File>/build/slot3/S1000_P/src/WebServices/WSLibrary/ImbWSRequestNode.cpp</File>
<Line>1147</Line>
<Function>ImbWSRequestNode::evaluate</Function>
<Type/>
<Name/>
<Label/>
<Catalog>BIPmsgs</Catalog>
<Severity>3</Severity>
<Number>3162</Number>
<Text>WebService Request Exception</Text>
<Insert>
<Type>12</Type>
<Text>436f6e74656e742d4c656e6774683a20300d0a436f6e74656e742d547970653a206170706c69636174696f6e2f782d7777772d666f726d2d75726c656e636f6465640d0a4163636570743a20746578742f68746d6c2c20696d6167652f6769662c20696d6167652f6a7065672c202a3b20713d2e322c202a2f2a3b20713d2e320d0a557365722d4167656e743a204a6176612f312e382e305f3138310d0a486f73743a2031302e3230302e3133312e3132313a373834330d0a534f4150416374696f6e3a2022220d0a0d0a</Text>
</Insert>
<Insert>
<Type>12</Type>
<Text/>
</Insert>
<Insert>
<Type>5</Type>
<Text/>
</Insert>
<Insert>
<Type>5</Type>
<Text/>
</Insert>
<Insert>
<Type>5</Type>
<Text>POST /ttt/yy HTTP/1.0
</Text>
</Insert>
<RecoverableException>
<File>/build/slot3/S1000_P/src/WebServices/WSLibrary/ImbWSRequest.cpp</File>
<Line>657</Line>
<Function>ImbWSRequest::makeWSRequest</Function>
<Type/>
<Name/>
<Label/>
<Catalog>BIPmsgs</Catalog>
<Severity>3</Severity>
<Number>3152</Number>
<Text>A Web Service request has detected a SOCKET error whilst invoking a web service located at host &1, on port &2, on path &3.</Text>
<Insert>
<Type>5</Type>
<Text>10.X.X.X</Text>
</Insert>
<Insert>
<Type>2</Type>
<Text>7843</Text>
</Insert>
<Insert>
<Type>5</Type>
<Text>/ttt/yy</Text>
</Insert>
<SocketException>
<File>/build/slot3/S1000_P/src/WebServices/WSLibrary/ImbSocket.cpp</File>
<Line>1305</Line>
<Function>ImbSocketJNIManager::handleGeneralJavaException</Function>
<Type/>
<Name/>
<Label/>
<Catalog>BIPmsgs</Catalog>
<Severity>3</Severity>
<Number>3165</Number>
<Text>An error occurred whilst performing an SSL socket operation</Text>
<Insert>
<Type>5</Type>
<Text>setSSLOptions</Text>
</Insert>
<Insert>
<Type>5</Type>
<Text>java.security.KeyStoreException: IBMKeyManager: Problem accessing key store java.io.IOException: Keystore was tampered with, or password was incorrect</Text>
</Insert>
</SocketException>
</RecoverableException>
</RecoverableException>
</RecoverableException>
</exceptionList>
Last edited by HSarwan on Mon Feb 15, 2021 5:45 am; edited 1 time in total |
abhi_thri |
Posted: Mon Feb 15, 2021 1:55 am Post subject: |
|
|
 Knight
Joined: 17 Jul 2017 Posts: 516 Location: UK
|
Hi... one obvious question: have you cross-checked that the password used works against the keystore in question (/u01/esbuser/CACERT/TestTruststore.jks)? E.g. by using the 'keytool list' command? |
HSarwan |
Posted: Mon Feb 15, 2021 2:05 am Post subject: |
|
|
Novice
Joined: 14 Feb 2021 Posts: 11
|
Yes, I had cross-checked using:
keytool -list -keystore /u01/esbuser/CACERT/TestKeystore.jks |
abhi_thri |
Posted: Mon Feb 15, 2021 2:07 am Post subject: |
|
|
 Knight
Joined: 17 Jul 2017 Posts: 516 Location: UK
|
Hi... OK, if the credentials are verified, have you tried restarting the Broker, as the keystore/truststore is changed at a Node level? |
HSarwan |
Posted: Mon Feb 15, 2021 5:44 am Post subject: |
|
|
Novice
Joined: 14 Feb 2021 Posts: 11
|
Yes dear, I have restarted also. |
abhi_thri |
Posted: Mon Feb 15, 2021 10:22 am Post subject: |
|
|
 Knight
Joined: 17 Jul 2017 Posts: 516 Location: UK
|
HSarwan |
Posted: Tue Feb 16, 2021 11:47 pm Post subject: |
|
|
Novice
Joined: 14 Feb 2021 Posts: 11
|
Thanks for your replies.
I have solved the issue by doing:
. cat root, intermediate, and signed certificate into a single .pem file.
. convert the .pfx to a .pem file.
. generate the JKS with the single .pem and the .pem private key.
At the middleware, I configured:
Code: |
mqsichangeproperties BAHL_BROK2 -e default -o ComIbmJVMManager -n keystoreFile -v /u01/esbuser/AllCert/store.jks
mqsichangeproperties BAHL_BROK2 -e default -o ComIbmJVMManager -n keystoreType -v JKS
mqsichangeproperties BAHL_BROK2 -e default -o ComIbmJVMManager -n keystorePass -v defaultKeystore::password
mqsisetdbparms BAHL_BROK2 -n defaultKeystore::password -u ignore -p admin123/?
mqsichangeproperties BAHL_BROK2 -e default -o ComIbmJVMManager -n truststoreFile -v /u01/esbuser/AllCert/store.jks
mqsichangeproperties BAHL_BROK2 -e default -o ComIbmJVMManager -n truststorePass -v defaultTruststore::password
mqsichangeproperties BAHL_BROK2 -e default -o ComIbmJVMManager -n truststoreType -v JKS
mqsisetdbparms BAHL_BROK2 -n defaultTruststore::password -u ignore -p admin123/?
keytool -list -keystore /u01/esbuser/AllCert/store.jks -storepass admin123/?
mqsichangeproperties BAHL_BROK2 -e default -o HTTPSConnector -n sslProtocol -v TLS
mqsichangeproperties BAHL_BROK2 -e default -o HTTPSConnector -n explicitlySetPortNumber -v 7803
|
Thank you. |
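The three steps listed in the post above (one chain .pem, key out of the .pfx, JKS built from both), as an added example that is not part of the original post or IBM's documentation. The throwaway certificates, file names, alias and the `STOREPASS` variable are constructed, and going through an intermediate PKCS#12 file is an assumption about how the JKS was generated.

```shell
#!/bin/sh
# Added example; subjects, alias, file names and password are constructed placeholders.
# The password is read from $STOREPASS so it never appears on a command line.
set -eu

# Constructed throwaway PKI standing in for the CA-issued files:
# root.pem, inter.pem, server.pem (signed certificate), server.pfx (key + certificate).
make_demo_inputs() (   # $1 = work dir
  cd "$1"; umask 077
  printf 'basicConstraints=critical,CA:TRUE\n' > ca.ext
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj '/CN=Demo Root CA' \
    -keyout root.key -out root.pem 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj '/CN=Demo Intermediate CA' \
    -keyout inter.key -out inter.csr 2>/dev/null
  openssl x509 -req -in inter.csr -CA root.pem -CAkey root.key -CAcreateserial \
    -extfile ca.ext -days 2 -out inter.pem 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj '/CN=iib.example.test' \
    -keyout server.key -out server.csr 2>/dev/null
  openssl x509 -req -in server.csr -CA inter.pem -CAkey inter.key -CAcreateserial \
    -days 2 -out server.pem 2>/dev/null
  openssl pkcs12 -export -in server.pem -inkey server.key -name demo \
    -passout env:STOREPASS -out server.pfx
)

# The three steps from the post: one chain PEM, key out of the .pfx, JKS from both.
build_store() (        # $1 = work dir, $2 = alias
  cd "$1"; umask 077   # key.pem is unencrypted: keep it owner-only, delete it after
  cat server.pem inter.pem root.pem > chain.pem
  openssl pkcs12 -in server.pfx -nocerts -nodes -passin env:STOREPASS -out key.pem
  openssl pkcs12 -export -in chain.pem -inkey key.pem -name "$2" \
    -passout env:STOREPASS -out store.p12
  keytool -importkeystore -noprompt \
    -srckeystore store.p12 -srcstoretype PKCS12 -srcstorepass:env STOREPASS \
    -destkeystore store.jks -deststoretype JKS -deststorepass:env STOREPASS 2>/dev/null
  rm -f key.pem store.p12
)

# Prints the entry type of an alias; prints nothing and returns non-zero when
# $STOREPASS does not open the store (the "tampered with" error in this thread).
entry_type() {         # $1 = keystore, $2 = alias
  keytool -list -keystore "$1" -storepass:env STOREPASS -alias "$2" 2>/dev/null |
    grep -Eo 'PrivateKeyEntry|trustedCertEntry'
}

if [ "$#" -eq 1 ]; then  # usage: STOREPASS=... sh build_store.sh /empty/work/dir
  make_demo_inputs "$1"; build_store "$1" iibserver
  entry_type "$1/store.jks" iibserver
fi
```

A store built this way reports `PrivateKeyEntry` for the alias, whereas `keytool -importcert` of a bare `.cer` file creates a `trustedCertEntry`.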