mqmike
Posted: Wed Apr 06, 2005 2:55 am    Post subject: Base Java MQ classes and SSL
Acolyte, Joined: 09 Jul 2004, Posts: 63
What do I need to do to enable SSL with the base Java MQ classes? We have a Java written client component which we need to authenticate to qmgrs using certificates.
I've read about setting MQEnvironment.sslCipherSuite but can't find any information on where the certs will be stored for MQClient and how to reference this store in the code.
Any info would be much appreciated.
Tibor
Posted: Wed Apr 06, 2005 6:29 am
Grand Master, Joined: 20 May 2001, Posts: 1033, Location: Hungary
mqmike,
Steps:
(1) creating a JKS keystore
- if you have a PKCS12 certfile you can use the GSKit when creating the keystore:
Code:
    gsk6cmd -keydb -create -db key.jks -type jks -pw mq123
    gsk6cmd -cert -import -file test.p12 -type pkcs12 -pw test123 -target key.jks -target_type jks -target_pw mq123
- or any other like keytool, etc.
(2) handling of keystore and truststore depends on your JSSE provider. In the simplest way these are runtime properties:
    java -Djavax.net.ssl.keyStore=key.jks -Djavax.net.ssl.keyStorePassword=mQ1234 -Djavax.net.ssl.trustStore=key.jks -Djavax.net.ssl.trustStorePassword=mQ1234 ...
But in this case your stores' passwords are visible in the process list. My recommendation: place it into the source or a config file:
Code:
    System.setProperty( "javax.net.ssl.keyStore", "key.jks");
    System.setProperty( "javax.net.ssl.keyStorePassword", "mq123" );
    System.setProperty( "javax.net.ssl.trustStore", "key.jks");
    System.setProperty( "javax.net.ssl.trustStorePassword", "mq123");
(3) selecting a cipher:
Code:
    MQEnvironment.sslCipherSuite = "SSL_RSA_WITH_RC4_128_MD5";
The full list of cipherspecs is in the "MQ for Java" manual.
HTH,
Tibor
mqmike
Posted: Wed Apr 06, 2005 7:10 am
Acolyte, Joined: 09 Jul 2004, Posts: 63
Thanks Tibor.
I'd read this in the MQ docs...
"Alternatively, a WebSphere MQ client application can specify its location in the KeyRepository field of the SSL configuration options structure, MQSCO, on an MQCONNX call"
I'm unsure as to where I can code this in Java though. As far as I understand, MQCONNX is achieved when connecting to a queue manager - e.g. MQQueueManager qmgr = new MQQueueManager("null", java.util.Hashtable properties). The hashtable in this call can hold parameters such as ip, port number etc. - basically any parameter from the MQC class. But MQC doesn't have a property for SSLKeyRepository.
Any ideas?
fschofer
Posted: Wed Apr 06, 2005 9:26 am
Knight, Joined: 02 Jul 2001, Posts: 524, Location: Mainz, Germany
Quote:
Enabling SSL
SSL is supported only for client connections. To enable SSL, you must specify the
CipherSuite to use when communicating with the queue manager, and this must
match the CipherSpec set on the target channel. Additionally, the named
CipherSuite must be supported by your JSSE provider. However, CipherSuites are
distinct from CipherSpecs and so have different names. Appendix H, “SSL
CipherSuites supported by WebSphere MQ” on page 429 contains a table mapping
the CipherSpecs supported by WebSphere MQ to their equivalent CipherSuites as
known to JSSE.
To enable SSL, specify the CipherSuite using the sslCipherSuite static member
variable of MQEnvironment. The following example attaches to a SVRCONN
channel named SECURE.SVRCONN.CHANNEL, which has been set up to require
SSL with a CipherSpec of RC4_MD5_EXPORT:
MQEnvironment.hostname = "your_hostname";
MQEnvironment.channel = "SECURE.SVRCONN.CHANNEL";
MQEnvironment.sslCipherSuite = "SSL_RSA_EXPORT_WITH_RC4_40_MD5";
MQQueueManager qmgr = new MQQueueManager("your_Q_manager");
Note that, although the channel has a CipherSpec of RC4_MD5_EXPORT, the Java
application must specify a CipherSuite of SSL_RSA_EXPORT_WITH_RC4_40_MD5.
For more information about CipherSpecs and CipherSuites, see the WebSphere MQ
Security book. See Appendix H, “SSL CipherSuites supported by WebSphere MQ”
on page 429 for a list of mappings between CipherSpecs and CipherSuites.
The sslCipherSuite property can also be set using the
MQC.SSL_CIPHER_SUITE_PROPERTY in the Hash table of connection properties.
To successfully connect using SSL, the JSSE TrustStore must be set up with
Certificate Authority root certificates from which the certificate presented by the
queue manager can be authenticated. Similarly, if SSLClientAuth on the SVRCONN
channel has been set to MQSSL_CLIENT_AUTH_REQUIRED, the JSSE KeyStore
must contain an identifying certificate that is trusted by the queue manager.
Greetings
Frank
Tibor
Posted: Wed Apr 06, 2005 8:54 pm
Grand Master, Joined: 20 May 2001, Posts: 1033, Location: Hungary
mqmike, I think you need some JSSE specific info:
Quote:
Supplying a customized SSLSocketFactory
Different JSSE implementations can provide different features. For example, a specialized JSSE implementation could allow configuration of a particular model of encryption hardware. Additionally, some JSSE providers allow customization of KeyStores and TrustStores by program, or allow the choice of identity certificate from the KeyStore to be altered. In JSSE, all these customizations are abstracted into a factory class, javax.net.ssl.SSLSocketFactory.
And the MQ specific part:
Quote:
    javax.net.ssl.SSLSocketFactory sf = sslContext.getSocketFactory();
    MQEnvironment.sslSocketFactory = sf;
WebSphere MQ classes for Java then use this SSLSocketFactory to connect to the WebSphere MQ queue manager.
Tibor
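Putting Tibor's two replies together as one added example (hypothetical class, not code from the thread, from IBM or from the MQ manual): the client identity and the CA certificates live in two separate JKS files, are loaded into an SSLContext, and the resulting factory is handed to MQEnvironment.sslSocketFactory instead of relying on the javax.net.ssl system properties. Store paths, the MQ_KEYSTORE_PW / MQ_TRUSTSTORE_PW environment variables, host, port and queue manager name are placeholders; the com.ibm.mq.MQEnvironment fields and MQQueueManager constructor are the ones the thread and manual excerpt name.

```java
import com.ibm.mq.MQEnvironment;
import com.ibm.mq.MQQueueManager;
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

// Added example (hypothetical class, not from the thread or from IBM).
public class MqSslConnect {
    // Load a JKS file. The password comes from the caller, never from the
    // command line, so it does not show up in the process list.
    static KeyStore loadJks(String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        return ks;
    }

    // keyStore  = the client's own identity (private key + certificate chain);
    // trustStore = only the CA certificates allowed to sign the queue manager's certificate.
    static SSLContext buildContext(String keyStorePath, char[] keyPw,
                                   String trustStorePath, char[] trustPw) throws Exception {
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(loadJks(keyStorePath, keyPw), keyPw);
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(loadJks(trustStorePath, trustPw));
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        // Placeholder environment variables holding the two store passwords
        char[] keyPw = System.getenv("MQ_KEYSTORE_PW").toCharArray();
        char[] trustPw = System.getenv("MQ_TRUSTSTORE_PW").toCharArray();
        SSLContext ctx = buildContext("client-key.jks", keyPw, "ca-trust.jks", trustPw);

        MQEnvironment.hostname = "mqhost.example";         // placeholder
        MQEnvironment.port = 1414;                         // placeholder
        MQEnvironment.channel = "SECURE.SVRCONN.CHANNEL";  // placeholder SSL-enabled SVRCONN
        // JSSE CipherSuite name that maps to the CipherSpec set on that channel (value from the thread)
        MQEnvironment.sslCipherSuite = "SSL_RSA_WITH_RC4_128_MD5";
        MQEnvironment.sslSocketFactory = ctx.getSocketFactory();

        MQQueueManager qmgr = new MQQueueManager("QM1");   // placeholder queue manager name
        System.out.println("connected over SSL: " + qmgr.isConnected());
        qmgr.disconnect();
    }
}
```

Because the trust store holds only CA certificates, a queue manager presenting a certificate from any other issuer is rejected at the handshake rather than silently accepted.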
mqmike
Posted: Thu Apr 07, 2005 1:14 am
Acolyte, Joined: 09 Jul 2004, Posts: 63
Going back to Tibor's original reply.
If I add
    System.setProperty( "javax.net.ssl.keyStore", "key.jks");
    System.setProperty( "javax.net.ssl.keyStorePassword", "mq123" );
    System.setProperty( "javax.net.ssl.trustStore", "key.jks");
    System.setProperty( "javax.net.ssl.trustStorePassword", "mq123");
into my code and reference the correct cipher spec, will that work?
Also, what is the difference between a keyStore and a trustStore? In this example they seem to reference the same thing.
Regards, Mike
Tibor
Posted: Thu Apr 07, 2005 5:26 am
Grand Master, Joined: 20 May 2001, Posts: 1033, Location: Hungary
mqmike wrote:
> Going back to Tibor's original reply.
> If I add
>     System.setProperty( "javax.net.ssl.keyStore", "key.jks");
>     System.setProperty( "javax.net.ssl.keyStorePassword", "mq123" );
>     System.setProperty( "javax.net.ssl.trustStore", "key.jks");
>     System.setProperty( "javax.net.ssl.trustStorePassword", "mq123");
> into my code and reference the correct cipher spec, will that work?
Yes, I'm running it in this way.
Quote:
> Also, what is the difference between a keyStore and a trustStore? In this example they seem to reference the same thing.
The trustStore contains the public keys of the root CAs' certificates and the keyStore contains your private keys. However, the JVM has a default truststore (namely 'cacerts'). But I got a PKCS12 file from our own CA server, which is why I created only one file with both keys.
Tibor
mqmike
Posted: Fri Apr 08, 2005 2:57 am
Acolyte, Joined: 09 Jul 2004, Posts: 63
Thanks Tibor - you've been most helpful!
olekg
Posted: Wed May 04, 2005 2:45 pm
Newbie, Joined: 04 May 2005, Posts: 8, Location: Poznan, Poland
Hello,
I am trying to do the same. I have reached the point where I am able to connect to MQ via SSL when setting sslcauth(optional) for the CHANNEL. This means that my Java client is unable to take the appropriate certificate from the store to get authorised by the server. I imported the client certificate under the name "ibmwebspheremqclient" but it seems to be wrong.
The simple question arises:
While for the server we need the "ibmwebspheremq<qm_name>" label for the server's certificate, how do I mark a label for the client's certificate, and how do I reference the certificate that the client should use?
Any help would be highly appreciated.
Sincerely, Olek
olekg
Posted: Wed May 04, 2005 3:21 pm
Newbie, Joined: 04 May 2005, Posts: 8, Location: Poznan, Poland
Hello,
I have already solved the problem. I am able to connect to MQ via SSL from a standalone Java client. I have a problem with how to specify the SSLCipherSuite for a ConnectionFactory defined in WebSphere Application Server.
We specify the factories as -D definitions in the process definition for the JVM of the particular server. But how do we set the CipherSuite?
Sincerely, Olek
Tibor
Posted: Thu May 05, 2005 3:50 am
Grand Master, Joined: 20 May 2001, Posts: 1033, Location: Hungary
It belongs to the MQEnvironment class:
Code:
    MQEnvironment.sslCipherSuite = "SSL_RSA_WITH_RC4_128_MD5";
Tibor
olekg
Posted: Thu May 05, 2005 4:06 am
Newbie, Joined: 04 May 2005, Posts: 8, Location: Poznan, Poland
Nope, Tibor.
I have already explored the problem.
In WebSphere Application Server you have no access to MQEnvironment. You need to define a Custom Property for the Connection Factory, named "SSLCIPHERSUITE".
Sincerely, Olek
olekg
Posted: Thu May 05, 2005 4:12 am
Newbie, Joined: 04 May 2005, Posts: 8, Location: Poznan, Poland
I have again a problem with the client certificate. When we specify "-Djavax.net.ssl.keyStore" and there is some certificate that the client should use for SSL, how do the client classes know which certificate to use? I have a JKS store with only one certificate but I can see my client is unable to use it for SSL authentication. In the error logs on the server side I can see a message indicating that the client could not find an appropriate certificate.
This problem is connected with my previous message; I thought I had already found a solution. It seems it worked only once for me.
Sincerely, Olek
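An added diagnostic for the situation Olek describes (hypothetical class, not from the thread, which never says what the eventual fix was): it lists what a JKS file actually contains, because a client that "could not find an appropriate certificate" often has a store holding only a trusted-certificate entry, with no private key, or a key whose certificate is outside its validity period. The default JSSE key manager picks among private-key entries by the issuers the server lists when it requests a client certificate, so the alias label itself is not what JSSE keys on; "key.jks" and the MQ_KEYSTORE_PW environment variable are placeholders.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Date;
import java.util.Enumeration;
import java.util.List;

// Added diagnostic (hypothetical class, not from the thread or from IBM).
public class KeyStoreCheck {
    // Returns the aliases that can serve as a client identity: a private key
    // whose certificate is valid right now. Everything else is reported and skipped.
    static List<String> usableIdentities(KeyStore ks) throws Exception {
        List<String> usable = new ArrayList<>();
        Date now = new Date();
        for (Enumeration<String> e = ks.aliases(); e.hasMoreElements();) {
            String alias = e.nextElement();
            if (ks.isCertificateEntry(alias)) {
                // Trusted-certificate entry: belongs in a trustStore, cannot identify the client
                System.out.println(alias + ": trusted certificate only, no private key");
                continue;
            }
            if (!ks.isKeyEntry(alias)) continue;
            X509Certificate leaf = (X509Certificate) ks.getCertificate(alias);
            try {
                leaf.checkValidity(now);
            } catch (Exception notValid) {
                System.out.println(alias + ": private key present but certificate not valid now: "
                        + notValid.getMessage());
                continue;
            }
            System.out.println(alias + ": usable identity, subject=" + leaf.getSubjectX500Principal()
                    + ", issuer=" + leaf.getIssuerX500Principal());
            usable.add(alias);
        }
        return usable;
    }

    public static void main(String[] args) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream("key.jks")) {           // placeholder path
            ks.load(in, System.getenv("MQ_KEYSTORE_PW").toCharArray());   // placeholder env var
        }
        if (usableIdentities(ks).isEmpty()) {
            System.out.println("No usable private-key entry: JSSE has nothing to present for client authentication");
        }
    }
}
```

Compare the printed issuer against the CA the queue manager's channel is set up to trust; a key entry issued by a CA the server never asks for will not be selected even though the store is otherwise correct.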
Tibor
Posted: Fri May 06, 2005 12:22 am
Grand Master, Joined: 20 May 2001, Posts: 1033, Location: Hungary
Olek,
Can you send an SSL trace? (-Djavax.net.debug=ssl)
Tibor
olekg
Posted: Mon May 09, 2005 6:18 am
Newbie, Joined: 04 May 2005, Posts: 8, Location: Poznan, Poland
Hello Tibor,
I have already fixed the problem. I cannot summarize where it was. Big thanks for all of this thread, because without it it would be very hard to start with MQ via SSL.
BTW:
Does anybody know why the "-Djavax.net.debug" switch does not work with non-Sun VMs (IBM's, Oracle 9i embedded)? I thought that this is a property read by the JSSE implementation classes, which decide whether or not to log their debug messages.
Sincerely, Olek