MQSeries.net :: View topic

avinashpandit · Posted: Tue Aug 30, 2005 4:03 am Post subject:

I have enabled SSL and added all the certificates as per http://www-128.ibm.com/developerworks/websphere/techjournal/0211_yusuf/yusuf.html#configureMQSSL

But still when i connect my java client to MQ , i get following error

***
main, SEND SSLv3 ALERT: fatal, description = certificate_unknown
main, WRITE: SSLv3 Alert, length = 2
main, called closeSocket()
main, handling exception: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: Netscape cert type does not permit use for SSL server
2005-08-30 17:15:39,122 ERROR main Error connecting to broker
javax.jms.JMSException: MQJMS2005: failed to create MQQueueManager for 'badrinath:QM1'
at com.ibm.mq.jms.services.ConfigEnvironment.newException(ConfigEnvironment.java:556)
at com.ibm.mq.jms.MQConnection.createQM(MQConnection.java:1775)
at com.ibm.mq.jms.MQConnection.createQMNonXA(MQConnection.java:1168)
at com.ibm.mq.jms.MQQueueConnection.<init>(MQQueueConnection.java:170)
at com.ibm.mq.jms.MQQueueConnection.<init>(MQQueueConnection.java:80)
at com.ibm.mq.jms.MQQueueConnectionFactory.createQueueConnection(MQQueueConnectionFactory.java:145)
at com.integral.jmsx.er.webspheremq.STPDownloadTestC.login(STPDownloadTestC.java:203)
at com.integral.jmsx.er.webspheremq.STPDownloadTestC.connect(STPDownloadTestC.java:158)
at com.integral.jmsx.er.webspheremq.STPDownloadTestC.main(STPDownloadTestC.java:63)

The whole SSL debug info is as follows

SSL initialized
Connecting to broker badrinath:1415[channel=SSL.CHANNEL,queueManager=QM1,user=null,password=null]...
keyStore is : jmskeystore
keyStore type is : jks
init keystore
init keymanager of type SunX509
***
found key for : jmsclient
chain [0] = [
[
Version: V1
Subject: CN=JMSClient, OU=Test, O=IBM, C=US, ST=MD
Signature Algorithm: MD5withRSA, OID = 1.2.840.113549.1.1.4

Key: SunJSSE RSA public key:
public exponent:
010001
modulus:
c73f7746 aeaa5d12 aef08f01 31156aa1 cdc9d243 5783272b a77266c6 8815165c
1bff73c5 49bc0d01 6dd57c58 8b8db236 478da7db 117192e0 c1673457 52e4cb47
a5997110 9a4d4ed0 c1c23f2d 15f787d5 a5f999b7 104029c0 196fe345 20c986b4
921de63c ea94198e ae5af80f 13e89489 9ec842be 214d794e b6484e5d 7d912a22
4c63b835 463a84eb 934a93bd 88468799 e5d779af 489ca86c 76343c2a 809e7272
e7dceb57 43fea13a b5b07223 07486f07 26fad4ed 603c659f 178333e1 3c00d01f
642dc41b 4bce013e 98277ca1 b7aabc15 e789aa60 855bc6d7 31d7ac7c 45a10d91
18f07f65 10895938 ffe070b8 992bd868 8f15a8f6 9bff430f ddcaac3c 641bf62b
Validity: [From: Tue Aug 30 16:10:39 GMT+05:30 2005,
To: Mon Nov 28 16:10:39 GMT+05:30 2005]
Issuer: CN=JMSClient, OU=Test, O=IBM, C=US, ST=MD
SerialNumber: [ 431437a7]

]
Algorithm: [MD5withRSA]
Signature:
0000: 59 C4 80 BD B2 88 10 F8 A5 40 D2 17 3F 84 6B 2D Y........@..?.k-
0010: 33 1D FD E5 E9 55 F9 D8 67 73 F1 9C 8D B4 8E D5 3....U..gs......
0020: F2 5A 4E 59 D6 07 A5 C6 6F 0E 73 1D 37 4D C7 72 .ZNY....o.s.7M.r
0030: 48 0F 74 D1 AE 76 17 3A 61 D9 71 3E E0 EE DA 44 H.t..v.:a.q>...D
0040: 0E 76 9E 8D BE 5D 37 7B A5 5A 4A 4C BE A7 12 C4 .v...]7..ZJL....
0050: D0 66 86 C1 0E 65 D0 80 A8 CE 3C 2F 37 3D 22 BF .f...e....</7=".
0060: DB EE F2 5B 6B C7 62 02 44 14 4A E8 D6 01 1D 46 ...[k.b.D.J....F
0070: 8A 96 25 9C 1A 6E CC 28 4B 09 E5 95 73 43 22 63 ..%..n.(K...sC"c
0080: 07 6A D2 62 14 F0 18 57 8C F0 4B B7 2A 23 DA 40 .j.b...W..K.*#.@
0090: 29 9C 76 B0 33 79 C7 1C 9C DC 26 16 E0 29 5D F8 ).v.3y....&..)].
00A0: 78 F7 1E 13 7E 66 1F 23 A0 D9 5F BB E2 64 87 F3 x....f.#.._..d..
00B0: 6C B1 55 8E CA 9B 07 D0 39 F1 2E 5C E2 25 62 C6 l.U.....9..\.%b.
00C0: 80 BC DE 9A 15 A3 F4 29 4F 3C 96 70 85 26 48 72 .......)O<.p.&Hr
00D0: 14 4B 2B FE 90 08 B2 ED 3F 8F 72 53 80 45 5E EC .K+.....?.rS.E^.
00E0: 7B 2F BE EB 60 C9 8E 3D 81 C5 2D 34 63 FF 5A B3 ./..`..=..-4c.Z.
00F0: F9 FF 15 3D 33 73 D2 28 CD 0C 04 B7 17 63 8C E9 ...=3s.(.....c..

]
***
trustStore is: jmskeystore
trustStore type is : jks
init truststore
adding as trusted cert:
Subject: CN=GlobalSign Primary Class 1 CA, OU=Primary Class 1 CA, O=GlobalSign nv-sa, C=BE
Issuer: CN=GlobalSign Root CA, OU=Root CA, O=GlobalSign nv-sa, C=BE
Algorithm: RSA; Serial number: 0x40000000000f0764e1b7f
Valid from Tue Sep 15 17:30:00 GMT+05:30 1998 until Wed Jan 28 17:30:00 GMT+05:30 2009

adding as trusted cert:
Subject: CN=GlobalSign PersonalSign Class 1 CA, OU=PersonalSign Class 1 CA, O=GlobalSign nv-sa, C=BE
Issuer: CN=GlobalSign Primary Class 1 CA, OU=Primary Class 1 CA, O=GlobalSign nv-sa, C=BE
Algorithm: RSA; Serial number: 0x40000000000fa3deee9d9
Valid from Thu Jan 22 14:30:00 GMT+05:30 2004 until Wed Jan 28 16:30:00 GMT+05:30 2009

adding as trusted cert:
Subject: CN=GlobalSign Root CA, OU=Root CA, O=GlobalSign nv-sa, C=BE
Issuer: CN=GlobalSign Root CA, OU=Root CA, O=GlobalSign nv-sa, C=BE
Algorithm: RSA; Serial number: 0x20000000000d678b79405
Valid from Tue Sep 01 17:30:00 GMT+05:30 1998 until Tue Jan 28 17:30:00 GMT+05:30 2014

adding as trusted cert:
Subject: CN=JMSClient, OU=Test, O=IBM, C=US, ST=MD
Issuer: CN=JMSClient, OU=Test, O=IBM, C=US, ST=MD
Algorithm: RSA; Serial number: 0x431437a7
Valid from Tue Aug 30 16:10:39 GMT+05:30 2005 until Mon Nov 28 16:10:39 GMT+05:30 2005

init context
trigger seeding of SecureRandom
done seeding SecureRandom
%% No cached client session
*** ClientHello, TLSv1
RandomCookie: GMT: 1125402082 bytes = { 35, 88, 127, 199, 109, 59, 110, 199, 183, 123, 93, 93, 27, 50, 9, 253, 64, 169, 63, 12, 253, 126, 92, 173, 237, 101, 161, 151 }
Session ID: {}
Cipher Suites: [SSL_RSA_EXPORT_WITH_RC4_40_MD5]
Compression Methods: { 0 }
***
main, WRITE: TLSv1 Handshake, length = 45
main, WRITE: SSLv2 client hello message, length = 47
main, READ: SSLv3 Handshake, length = 3371
*** ServerHello, SSLv3
RandomCookie: GMT: 1125402082 bytes = { 179, 184, 167, 204, 60, 101, 47, 36, 192, 200, 113, 182, 6, 145, 189, 40, 205, 216, 105, 228, 159, 214, 72, 37, 104, 142, 85, 226 }
Session ID: {182, 31, 0, 0, 235, 85, 124, 187, 39, 212, 194, 220, 203, 109, 151, 183, 102, 98, 31, 249, 66, 142, 46, 232, 45, 33, 31, 201, 189, 193, 163, 35}
Cipher Suite: SSL_RSA_EXPORT_WITH_RC4_40_MD5
Compression Method: 0
***
%% Created: [Session-1, SSL_RSA_EXPORT_WITH_RC4_40_MD5]
** SSL_RSA_EXPORT_WITH_RC4_40_MD5
*** Certificate chain
chain [0] = [
[
Version: V3
Subject: EMAILADDRESS=contact admin.pandit@gmail.com, CN=contact admin.pandit@gmail.com
Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5

Key: SunJSSE RSA public key:
public exponent:
010001
modulus:
c763fc59 a7da2f07 b9ec0c1d 0f64856e 5b5e8c6b 04ced7e8 9b2fa2d6 2fb895d5
39069d2c 44983b74 c7d8cbf9 2a9dd5fb 22fbe43a 28134129 86fe1f15 903d0fa0
509ae4dc f8ebb831 026e690e 6259e308 9217ee6e c0165c5d 11a67914 c5d48627
afa2f736 f9dc057d 75a263c5 5244f8c9 0e955b99 cc09ce33 fbd7ca54 412f6103
Validity: [From: Tue Aug 30 15:14:58 GMT+05:30 2005,
To: Fri Sep 30 15:14:58 GMT+05:30 2005]
Issuer: CN=GlobalSign PersonalSign Class 1 CA, OU=PersonalSign Class 1 CA, O=GlobalSign nv-sa, C=BE
SerialNumber: [ 01000000 00010606 c66cdd]

Certificate Extensions: 4
[1]: ObjectId: 2.16.840.1.113730.1.1 Criticality=false
NetscapeCertType [
SSL client
S/MIME
]

[2]: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: 0F 75 EE F1 23 BD 75 42 EA B7 89 40 46 BD 92 D2 .u..#.uB...@F...
0010: 72 EB C5 E8 r...
]

]

[3]: ObjectId: 2.5.29.31 Criticality=false
CRLDistributionPoints [
[DistributionPoint:
[URIName: http://crl.globalsign.net/PersonalSignClass1.crl]
]]

[4]: ObjectId: 2.5.29.15 Criticality=false
KeyUsage [
DigitalSignature
Non_repudiation
Key_Encipherment
Data_Encipherment
]

]
Algorithm: [SHA1withRSA]
Signature:
0000: 45 74 EE 02 0A 64 21 F6 E1 BA 5C 05 94 40 B8 27 Et...d!...\..@.'
0010: 9A 95 C2 57 31 16 CE 4B 3F 1F 91 D7 91 2D 6E 66 ...W1..K?....-nf
0020: F4 99 B6 B9 5C 8D D3 82 F9 09 9F 9B D4 55 8C 51 ....\........U.Q
0030: E7 18 0F E4 DB 87 A9 8C 53 57 9B 81 DF 39 8B 7C ........SW...9..
0040: 64 B9 A2 89 3A D0 B9 EB 83 BD 64 39 15 0A 02 A3 d...:.....d9....
0050: 85 66 01 5C FC 90 D0 68 F0 8E C4 64 AD 19 18 05 .f.\...h...d....
0060: CB 60 CD D9 54 0A 24 4C E3 68 88 31 7E 6B F0 EF .`..T.$L.h.1.k..
0070: E7 22 DC 20 4D 0D BC FD 52 9F 64 50 63 9E 16 4F .". M...R.dPc..O
0080: C5 BB 8B 76 8C A9 DB 83 82 7E D5 E9 57 95 3B AC ...v........W.;.
0090: DF AF 3A 1F 0D E9 92 90 71 16 9E AD AA 99 2B F0 ..:.....q.....+.
00A0: A0 B9 FD 19 C3 D7 BE 06 F0 D5 72 51 B2 4D B5 74 ..........rQ.M.t
00B0: 92 80 CD 0D 5D C4 C8 62 12 97 83 CC 8C 23 98 A2 ....]..b.....#..
00C0: DB BE D7 64 75 8D 22 B7 22 A1 C8 BF B5 65 30 98 ...du."."....e0.
00D0: 5F 8E 61 75 D9 23 7F 4D 42 18 D4 08 89 B1 4C 5C _.au.#.MB.....L\
00E0: A4 C7 4E 45 D3 CA 93 AB 4F D2 22 F6 4F F3 C6 1C ..NE....O.".O...
00F0: C7 DD AE 77 5C CA 30 64 54 E3 7F 49 4F F8 6B 19 ...w\.0dT..IO.k.

]
***
main, SEND SSLv3 ALERT: fatal, description = certificate_unknown
main, WRITE: SSLv3 Alert, length = 2
main, called closeSocket()
main, handling exception: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: Netscape cert type does not permit use for SSL server
2005-08-30 17:15:39,122 ERROR main Error connecting to broker
javax.jms.JMSException: MQJMS2005: failed to create MQQueueManager for 'badrinath:QM1'
at com.ibm.mq.jms.services.ConfigEnvironment.newException(ConfigEnvironment.java:556)
at com.ibm.mq.jms.MQConnection.createQM(MQConnection.java:1775)
at com.ibm.mq.jms.MQConnection.createQMNonXA(MQConnection.java:1168)
at com.ibm.mq.jms.MQQueueConnection.<init>(MQQueueConnection.java:170)
at com.ibm.mq.jms.MQQueueConnection.<init>(MQQueueConnection.java:80)
at com.ibm.mq.jms.MQQueueConnectionFactory.createQueueConnection(MQQueueConnectionFactory.java:145)
at com.integral.jmsx.er.webspheremq.STPDownloadTestC.login(STPDownloadTestC.java:203)
at com.integral.jmsx.er.webspheremq.STPDownloadTestC.connect(STPDownloadTestC.java:158)
at com.integral.jmsx.er.webspheremq.STPDownloadTestC.main(STPDownloadTestC.java:63)

The same thing if I try without SSL then works fine. Please help me to get rid of this problem.

Thanks,
contact admin