Author |
Message
|
ivanachukapawn |
Posted: Tue Mar 07, 2006 6:09 am Post subject: enabling SVRCONN SSL and Java Client connection |
|
|
 Knight
Joined: 27 Oct 2003 Posts: 561
|
I have a SVRCONN Channel setup for SSL. This channel is usable when I run a C-language client.
However, a Java Client gets this error message:
at com.ibm.mq.MQManagedConnectionJ11.<init>(MQManagedConnectionJ11.java:184)CAUSE + :javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
It appears that the Java client cannot find the sender kdb.
Anybody have some help for this problem? |
|
|
 |
mvic |
Posted: Tue Mar 07, 2006 6:16 am Post subject: Re: enabling SVRCONN SSL and Java Client connection |
|
|
 Jedi
Joined: 09 Mar 2004 Posts: 2080
|
Quote: |
unable to find valid certification path to requested target |
This text ("certification path") looks like a failure to find a CA certificate. Have you installed the necessary certificate, including the certificate of its signing CA? |
|
|
 |
ivanachukapawn |
Posted: Tue Mar 07, 2006 6:22 am Post subject: |
|
|
 Knight
Joined: 27 Oct 2003 Posts: 561
|
Yes, both client and server side certificates were created, extracted, and exchanged. This SSL channel works when the client is C language. The message is encountered only when the client is Java. I believe the message is accurate - i.e. it's a "path" problem. I do not see any way for the Java client code to specify this path. |
|
|
 |
mvic |
Posted: Tue Mar 07, 2006 6:37 am Post subject: |
|
|
 Jedi
Joined: 09 Mar 2004 Posts: 2080
|
|
|
 |
ivanachukapawn |
Posted: Tue Mar 07, 2006 7:03 am Post subject: |
|
|
 Knight
Joined: 27 Oct 2003 Posts: 561
|
Thanks for the link! I thought that this information would solve everything but unfortunately, not the case.
Here's what happened.
My Truststore and Keystore (the same) already existed and contained certificates.
So I entered this code in my Java Client.
System.setProperty("javax.net.ssl.trustStore","D:\\aaSSL\\KeyringSdr.kdb");
System.setProperty("javax.net.ssl.keyStore","D:\\aaSSL\\KeyringSdr.kdb");
System.setProperty("javax.net.ssl.keyStorePassword","mqm!mqm");
and ran the client. I now get 2059 - MQJE013: Error accessing socket streams -
I also tried the setProperty code to just the directory (i.e. D:\\aaSSL)
but that had same result (2059).
Do you know whether it should be set to the .kdb file or the directory?
Generic 2059 means QMGR is not available, but this queue manager is running. |
|
|
 |
fehners |
Posted: Tue Mar 07, 2006 8:09 am Post subject: |
|
|
Newbie
Joined: 07 Mar 2006 Posts: 2 Location: IBM Hursley
|
ivanachukapawn wrote: |
System.setProperty("javax.net.ssl.trustStore","D:\\aaSSL\\KeyringSdr.kdb");
System.setProperty("javax.net.ssl.keyStore","D:\\aaSSL\\KeyringSdr.kdb");
System.setProperty("javax.net.ssl.keyStorePassword","mqm!mqm");
and ran the client. I now get 2059 - MQJE013: Error accessing socket streams -
I also tried the setProperty code to just the directory (i.e. D:\\aaSSL)
but that had same result (2059).
Do you know whether it should be set to the .kdb file or the directory?
Generic 2059 means QMGR is not available, but this queue manager is running. |
The Location of the TrustStore should point to the actual file and not just the directory.
I notice your TrustStores have the extension .kdb. Java uses a different format of type JKS, which is different to the Queue Manager's CMS format.
Section 1 of my DeveloperWorks article, which has already been linked to here, shows how to create a TrustStore of the correct type. |
|
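A preflight check for the point made in the reply above, added here as an example and not part of the original thread: it confirms that the path names a file rather than a directory and that the file loads as a JKS store before `javax.net.ssl.trustStore` is set. The class name `TrustStoreCheck`, the default path and the `changeit` placeholder password are assumptions.

```java
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import java.util.Collections;

public class TrustStoreCheck {
    /** Loads the file as JKS and returns the number of trusted certificate entries. */
    static int checkJks(Path store, char[] password) throws GeneralSecurityException, IOException {
        if (!Files.isRegularFile(store)) {
            throw new IOException(store + " is not a file; the property must name the store itself");
        }
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = Files.newInputStream(store)) {
            ks.load(in, password); // a CMS .kdb file is rejected here with an IOException
        }
        int trusted = 0;
        for (String alias : Collections.list(ks.aliases())) {
            if (ks.isCertificateEntry(alias)) {
                X509Certificate c = (X509Certificate) ks.getCertificate(alias);
                System.out.println("trusted: " + alias + " -> " + c.getSubjectX500Principal());
                trusted++;
            }
        }
        return trusted;
    }

    public static void main(String[] args) throws Exception {
        // Assumed defaults: a JKS file path and a placeholder password.
        Path store = Path.of(args.length > 0 ? args[0] : "D:\\aaSSL\\KeyringSdr.jks");
        char[] password = (args.length > 1 ? args[1] : "changeit").toCharArray();
        try {
            int n = checkJks(store, password);
            if (n == 0) {
                System.err.println("No trusted certificate entries; import the signer certificate first");
                System.exit(2);
            }
            System.setProperty("javax.net.ssl.trustStore", store.toString());
            System.out.println("javax.net.ssl.trustStore set; " + n + " trusted certificate(s)");
        } catch (IOException | GeneralSecurityException e) {
            System.err.println("Not usable as a JKS truststore: " + e.getMessage());
            System.exit(1);
        }
    }
}
```

Running it against the `.kdb` file or the bare directory reproduces the two mistakes discussed in the thread as explicit errors instead of a generic connection failure.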
|
 |
ivanachukapawn |
Posted: Tue Mar 07, 2006 10:15 am Post subject: |
|
|
 Knight
Joined: 27 Oct 2003 Posts: 561
|
Your article instructs the reader to run a GUI tool found on the Start menu. My Java Client resides on a Solaris server.
I also have a test Java Client on windows.
I had used a wizard to create the keystore (mo04). My plan is to redo the keystore creation (using db-type=jks) and re-exchange certificates using this new keystore. Then I'll modify my Java client code to
System.setProperty("javax.net.ssl.trustStore","D:\\aaSSL\\KeyringSdr.jks");
Does this sound like the right approach to you?
Thanks |
|
|
 |
fehners |
Posted: Wed Mar 08, 2006 5:40 am Post subject: |
|
|
Newbie
Joined: 07 Mar 2006 Posts: 2 Location: IBM Hursley
|
ivanachukapawn wrote: |
My plan is to redo the keystore creation (using db-type=jks) and re-exchange certificates using this new keystore. Then I'll modify my Java client code to
System.setProperty("javax.net.ssl.trustStore","D:\\aaSSL\\KeyringSdr.jks");
Does this sound like the right approach to you?
Thanks |
Yup that sounds like you're on the right lines |
|
|
 |
ivanachukapawn |
Posted: Wed Mar 08, 2006 5:49 am Post subject: |
|
|
 Knight
Joined: 27 Oct 2003 Posts: 561
|
Thank you so much for the help.
I did get it to work by following the plan outlined in my last post.
 |
|
|
 |
|