antota1 |
Posted: Tue Nov 30, 2004 11:00 am Post subject: JMS and SSL to MQSeries |
|
|
Newbie
Joined: 30 Nov 2004 Posts: 2
|
I am having a problem authenticating to MQSeries from a JMS client using client user certificates.
I am using jdk1.4.2 and MQSeries JMS version 5.3. I am not using administered objects but rather I am creating the com.ibm.mq.jms.MQQueueConnectionFactory() class directly in my code. I set the cipher spec on the connection factory.
qcf.setSSLCipherSuite("SSL_RSA_WITH_3DES_EDE_CBC_SHA");
I have installed the certificates into the java keystore – cacerts file. I have been able to successfully do SSL encryption without user authentication. When I change the MQ channel to require authentication, I am not able to establish the JMS connection.
I am not sure how to specify which user certificate JMS should use to connect to the queue manager. I have tried issuing the createQueueConnection without passing in a user id and password and I have tried by referencing the alias the user certificate was installed into the key store with and null for the password. Neither seems to work.
Can anyone please tell me how to tell JMS which user certificate it should use when trying to connect? Here are the API calls I am using.
QueueConnection queueConnection = qcf.createQueueConnection("key_store_alias",null);
QueueConnection queueConnection = qcf.createQueueConnection();
I am getting this linked exception:
com.ibm.mq.MQException: MQJE001: An MQException occurred: Completion Code 2, Reason 2009
MQJE016: MQ queue manager closed channel immediately during connect
Closure reason = 2009
Thanks,
Tom |
|
fjb_saper |
Posted: Tue Nov 30, 2004 4:32 pm Post subject: |
|
|
 Grand High Poobah
Joined: 18 Nov 2003 Posts: 20756 Location: LI,NY
|
You need to read the manual about security and check your security trace. Something is not right in your security setup.
Enjoy  |
|
antota1 |
Posted: Fri Dec 03, 2004 11:58 am Post subject: JMS and SSL to MQSeries |
|
|
Newbie
Joined: 30 Nov 2004 Posts: 2
|
Thanks for the tip. Yes, I have been reading anything I can get my hands on that seems related. Unfortunately, I am not able to find any clear procedures for setting up the environment.
Is there a document you could point me at on IBM’s site or anywhere else on the net?
How about an answer to this question? How do you specify which user certificate you want to use when establishing a JMS client connection?
Thanks,
Tom |
|
fjb_saper |
Posted: Fri Dec 03, 2004 12:11 pm Post subject: |
|
|
 Grand High Poobah
Joined: 18 Nov 2003 Posts: 20756 Location: LI,NY
|
|
billybong |
Posted: Mon Apr 10, 2006 11:27 pm Post subject: |
|
|
 Disciple
Joined: 22 Jul 2005 Posts: 150 Location: Stockholm, Sweden
|
Actually, it's not in there. The only thing mentioned about JSSE in that manual is a forward to SUN's JSSE page.
I'm having the same problem. Does anyone have a solution to this?
The problem is as stated above that I'm using JSSE and keytool to import CA's but there is no way to import a private certificate for the JMS client into JSSE. Do you have to create the certificate by yourself inside JSSE or is there some other way?
If I'm not using Client Authentication on the channel everything works perfect and I've been able to use SSL with other client applications.
_________________
IBM Certified Solution Developer - WebSphere Message Broker V6.1
IBM Certified Solution Developer - WebSphere Integration Developer V6.0
IBM Certified System Administrator - WebSphere MQ V6.0
IBM Certified Solution Developer - WebSphere DataPower |
|
billybong |
Posted: Tue Apr 11, 2006 12:28 am Post subject: |
|
|
 Disciple
Joined: 22 Jul 2005 Posts: 150 Location: Stockholm, Sweden
|
Think I found the problem so I might as well answer my own question.
The cacerts is as it sounds just used for containing CA's not private keys. If you want to use client authorization you have to use a separate keystore outside the truststore(the cacerts). |
|
mvic |
Posted: Tue Apr 11, 2006 12:43 am Post subject: |
|
|
 Jedi
Joined: 09 Mar 2004 Posts: 2080
|
billybong wrote: |
Think I found the problem so I might as well answer my own question.
The cacerts is as it sounds just used for containing CA's not private keys. If you want to use client authorization you have to use a separate keystore outside the truststore(the cacerts). |
I think this is correct. Providing you're running MQ v6 on Windows, the following might work for you:
You can create a suitable key repository (called myappj.jks) using
Code: |
runmqckm -keydb -create -db myappj.jks -type jks |
You can receive a CA-signed certificate into the key repository using
Code: |
runmqckm -cert -receive -db myappj.jks -type jks -file singedcertificatefile.cer |
|
|
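The keystore/truststore split described in the last two posts, as an added example that is not part of the thread: it loads a client key store such as myappj.jks, refuses a store that holds only CA certificates (the cacerts mistake), and builds a JSSE socket factory from it. The class name, the command-line arguments, the use of current Java syntax and the assumption that the key password equals the store password are choices made for this example.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.util.Enumeration;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManagerFactory;

public class MqClientAuthSsl {
    // Load a JKS file; path and password come from the caller.
    static KeyStore load(String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        return ks;
    }

    // Count entries that hold a private key. A store with only trusted CA
    // certificates (like cacerts) returns 0 and cannot present a client certificate.
    static int countKeyEntries(KeyStore ks) throws Exception {
        int n = 0;
        for (Enumeration<String> e = ks.aliases(); e.hasMoreElements();) {
            if (ks.isKeyEntry(e.nextElement())) n++;
        }
        return n;
    }

    // Client identity comes from keyStore, trust in the queue manager's CA from trustStore.
    static SSLSocketFactory build(KeyStore keyStore, char[] keyPassword, KeyStore trustStore) throws Exception {
        if (countKeyEntries(keyStore) == 0) {
            throw new IllegalStateException("key store has no private key entry");
        }
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(keyStore, keyPassword); // assumption: key password == store password
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx.getSocketFactory();
    }

    // Usage: java MqClientAuthSsl <keystore.jks> <keystorePassword> <truststore.jks> <truststorePassword>
    public static void main(String[] args) throws Exception {
        KeyStore keys = load(args[0], args[1].toCharArray());
        KeyStore trust = load(args[2], args[3].toCharArray());
        SSLSocketFactory sf = build(keys, args[1].toCharArray(), trust);
        // With the MQ JMS classes on the classpath, pass sf to qcf.setSSLSocketFactory(sf)
        // before calling qcf.createQueueConnection().
        System.out.println("client socket factory ready: " + sf.getClass().getName());
    }
}
```

The same split can be made without code through the standard JSSE system properties javax.net.ssl.keyStore, javax.net.ssl.keyStorePassword and javax.net.ssl.trustStore.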