Author |
Message
|
liamf |
Posted: Thu Apr 22, 2021 7:44 pm Post subject: Problem with using HTTPS in ACE |
|
|
Novice
Joined: 22 Apr 2021 Posts: 13
|
I am using ACE11 on Linux, trying to set HTTPS for the HTTPInput node, but I met some problems. When I deploy the application to the server, the integration default HTTPS port 7083 has no listener (when I use netstat to grep 7083, nothing shows), and the request to port 7083 was refused. But when I use HTTP instead of HTTPS in the HTTPInput node, there is a listener on port 7080.
1. The application is running
2. The process biphttplistener is running
3. I have set the keystore file and truststore file on the integration node
4. I am using the default configuration, which is the node listener and 7080 for HTTP, 7083 for HTTPS
5. Firewall is disabled
6. The application runs well on my local machine, which is a Windows system.
7. Here are the steps that I have done:
(1) Generate the integration node
Code: |
# create the integration node and the integration server (execution group)
mqsicreatebroker integrationNode -q Qmgr
mqsistart integrationNode
mqsicreateexecutiongroup integrationNode -e integrationServer
|
(2) Setting up a public key
I am using the strmqikm command to start the key manager graphical tool to generate keys, and use these commands to set the keystore and truststore
Code: |
# install_dir is a placeholder for the directory that holds the keystore files (forward slashes on Linux)
mqsichangeproperties integrationNodeName -o BrokerRegistry -n brokerKeystoreFile -v install_dir/MyBrokerKeystore.jks
mqsichangeproperties integrationNodeName -o BrokerRegistry -n brokerTruststoreFile -v install_dir/MyBrokerTruststore.jks
mqsistop integrationNodeName
# store the keystore and truststore passwords while the node is stopped
mqsisetdbparms integrationNodeName -n brokerKeystore::password -u ignore -p keystore_pass
mqsisetdbparms integrationNodeName -n brokerTruststore::password -u ignore -p truststore_pass
mqsistart integrationNodeName
|
What do I miss? Please help. |
|
abhi_thri |
Posted: Sat Apr 24, 2021 2:43 am Post subject: |
|
|
 Knight
Joined: 17 Jul 2017 Posts: 516 Location: UK
|
Hi... is the 'startListener' param set as true for the integration node HTTPListener? If so, when you restart the node you should see any errors reported when the node tries to start the HTTPS listener; check syslog and see.
Quote: |
mqsireportproperties integrationNode -b NodeHttpListener -o HTTPListener -r
|
As per the below topic the listener should use the Node level PKI settings if the same is not configured at the listener level.
Quote: |
https://www.ibm.com/docs/en/app-connect/11.0.0?topic=authentication-setting-up-public-key-infrastructure#ap34020_60 |
|
|
liamf |
Posted: Sun Apr 25, 2021 12:20 am Post subject: |
|
|
Novice
Joined: 22 Apr 2021 Posts: 13
|
Hi Abhi, thanks for your reply.
(1) The value of the parameter startListener is true, and I have checked the syslog and found this error:
Quote: |
IBM App Connect Enterprise v110011 (IntegrationNode.HTTPListener) [Thread 8558] (Msg 1/1) BIP3729E: A key store error has occurred with file '/var/mqsi/components/IntergrationNode/httplistener'.
|
I tried to re-create a keystore file, but it is still not working. The jks file can be opened by the ikeyman tool, and a self-signed certificate was set too.
(2) The first time I only set the node-level settings; now I have set it at both the node and node listener level.
I think the problem would be the jks or p12 file. I will copy the file from another system whose IIB works fine and try again.
Thanks for your reply again, I'll post the result later. |
|
fjb_saper |
Posted: Sun Apr 25, 2021 12:28 am Post subject: |
|
|
 Grand High Poobah
Joined: 18 Nov 2003 Posts: 20756 Location: LI,NY
|
Not sure you have split your keystore and truststore right. I use the same file for keystore and truststore... but then that's just me...
_________________
MQ & Broker admin |
|
liamf |
Posted: Sun Apr 25, 2021 2:03 am Post subject: |
|
|
Novice
Joined: 22 Apr 2021 Posts: 13
|
Hi Saper:
I found what causes the error of the httplistener: the keystore file.
After I copied my keystore file from my own PC to the server, HTTPS works well, but if I use the keystore file generated on the server, it won't work.
I don't know whether it is the system's bug or I made a wrong configuration.
Still, I'll try to use Java to generate the keystore file instead of IIB's ikeyman tool to find out where the problem is.
I will post the result later, thanks a lot. |
|
abhi_thri |
Posted: Mon Apr 26, 2021 6:24 am Post subject: |
|
|
 Knight
Joined: 17 Jul 2017 Posts: 516 Location: UK
|
Hi... why don't you take a copy of the default keystore/truststore and add your keys/certs to it? The default (cacerts) sample path at v10 level for Linux is as shown below.
/opt/ibm/iib-10.0.0.x/common/jdk/jre/lib/security/cacerts |
|
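An added example, not part of any post in this thread: a shell check for two things worth ruling out when the listener reports a keystore error such as the BIP3729E above, namely that the file is readable and that its container format matches its extension. The helper names and sample files are constructed for illustration; the magic numbers are those of the Java JKS and JCEKS formats and the leading ASN.1 SEQUENCE byte of a PKCS#12 file.

```shell
#!/bin/sh
# Added example, not code from the thread. keystore_kind and check_keystore
# are hypothetical helper names; run them as the user the integration node runs as.

# Print the container format of a keystore file, judged by its first bytes.
keystore_kind() {
    f=$1
    [ -r "$f" ] || { echo unreadable; return 1; }
    magic=$(od -An -tx1 -N4 "$f" | tr -d ' \n')
    case "$magic" in
        feedfeed) echo JKS ;;            # Java KeyStore magic number
        cececece) echo JCEKS ;;          # JCE keystore magic number
        30*)      echo PKCS12-or-DER ;;  # ASN.1 SEQUENCE, as in a .p12 file
        2d2d2d2d) echo PEM ;;            # "-----BEGIN ..." text, not a keystore
        *)        echo unknown; return 2 ;;
    esac
}

# Report whether the file extension agrees with the detected format.
check_keystore() {
    f=$1
    kind=$(keystore_kind "$f") || { echo "$f: $kind"; return 1; }
    case "$f:$kind" in
        *.jks:JKS|*.p12:PKCS12-or-DER|*.pfx:PKCS12-or-DER)
            echo "$f: ok ($kind)" ;;
        *)  echo "$f: content is $kind, which does not match the extension"
            return 1 ;;
    esac
}

# Constructed sample files: header bytes only, not real keystores.
demo() {
    d=$(mktemp -d) || return 1
    printf '\376\355\376\355\000\000\000\002' > "$d/good.jks"
    printf '\060\202\012\000' > "$d/renamed.jks"
    check_keystore "$d/good.jks" || true
    check_keystore "$d/renamed.jks" || true
    check_keystore "$d/missing.jks" || true
    rm -rf "$d"
}
demo
```

A file that passes both checks can still be rejected for a wrong stored password or a missing private key entry, so this narrows the search rather than ending it.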