ssl connection failure from jboss mqclient to mq server v6
urspradeep330
Posted: Fri May 06, 2011 3:04 pm Post subject: ssl connection failure from jboss mqclient to mq server v6
Newbie
Joined: 26 Jun 2009 Posts: 9
Hi,
Our application hosts an MQ server and provides java adapter to various end applications to connect to this server for MQ operations.
The channel used for each end application is SSL enabled with client authorization required. The cipher spec used is TRIPLE_DES_SHA_US. As part of the adapters, we provide trust store and key store files. The key store file has the 2 signer certificates (the CA certificate and the Queue Manager certificate signed by the CA, named ibmwebsphere<qm name>) and a personal certificate named ibmwebspheremqadapter. The adapter sets the required system properties (javax.net.ssl.keyStore, javax.net.ssl.keyStorePassword, javax.net.ssl.trustStore) to point to the keystore and truststore files made available as part of the adapter.
All end applications are able to connect to our MQ server except one. This end application uses JBoss. A stand-alone stub program that invokes our adapter works absolutely fine on this end application's server. But when the adapter is invoked from the code of that application, we get the following exception at the client side.
Exception - MQJE001: An MQException occurred: Completion Code 2, Reason 2397
MQJE056: Initial negotiation failure
Cause - javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
We get the following error at server side (/var/mqm/qmgrs/<QM>/errors/AMQERR01.LOG)
AMQ9665: SSL connection closed by remote end of channel '????'.
EXPLANATION: The SSL connection was closed by the remote end of the channel during the SSL handshake. The channel is '????'; in some cases its name cannot be determined and so is shown as '????'. The channel did not start.
ACTION: Check the remote end of the channel for SSL-related errors. Fix them and restart the channel.
We printed the system properties after the exception was thrown at the client side, and they are set correctly. We then tried adding the signer certificates (CA certificate and QM certificate) to the cacerts file (located in the Java installation of JBoss, in the directory Java\jre\lib\security) at the client application using http://blogs.sun.com/andreas/resource/InstallCert.java
We now get the following exception at client side:
MQJE001: An MQException occurred: Completion Code 2, Reason 2009
MQJE016: MQ queue manager closed channel immediately during connect
Closure reason = 2009
We now get the following error at server side:
AMQ9637: Channel is lacking a certificate.
EXPLANATION: The channel is lacking a certificate to use for the SSL handshake. The channel name is <channel name> (if '????' it is unknown at this stage in the SSL processing). The channel did not start.
ACTION: Make sure the appropriate certificates are correctly configured in the key repositories for both ends of the channel. If you have migrated from WebSphere MQ V5.3 to V6, it is possible that the missing certificate is due to a failure during SSL key repository migration. Check the relevant error logs. If these show that an orphan certificate was encountered then you should obtain the relevant missing certification authority (signer) certificates and then import these and the orphan certificate into the WebSphere MQ V6 key repository, and then re-start the channel.
We also tried creating a new cacerts and adding all the certificates (CA certificate, QM certificate and the personal certificate), and we get the above exception.
Surprisingly, our adapter is able to connect to the QM from all other Java-based client applications. Even for this end application, the standalone program works.
Any help on this is highly appreciated.
Thanks
Pradeep
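The two server-side messages in the post correspond to two distinct client-side conditions: AMQ9665 (client closed the handshake) is what the queue manager sees when the JSSE trust manager rejects its certificate chain (the "PKIX path building failed" exception), and AMQ9637 (channel lacking a certificate) is what it sees when the client never presents a private-key entry even though the channel requires client authentication. The diagnostic below, an added example and not code from the adapter, IBM or JBoss, loads the adapter's keystore and truststore, lists which aliases are key entries (the only ones JSSE can present), runs the same PKIX validation the default trust manager would run for each of those chains against the truststore, and finally builds an SSLContext from the stores explicitly rather than through the javax.net.ssl.* system properties. The class name, the command-line arguments and the JKS store type are assumptions made for this example.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.CertPathValidator;
import java.security.cert.CertPathValidatorException;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.PKIXParameters;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Enumeration;
import java.util.List;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

/** Hypothetical diagnostic for an MQ Java client keystore/truststore pair (example code, not the adapter's). */
public class MqSslStoreCheck {

    /** Loads a store; "JKS" is an assumption, matching what javax.net.ssl.keyStore defaults to. */
    static KeyStore load(String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        return ks;
    }

    /** Aliases holding a private key plus chain: only these can satisfy a channel that requires client auth. */
    static List<String> keyEntryAliases(KeyStore ks) throws Exception {
        List<String> keys = new ArrayList<>();
        for (Enumeration<String> e = ks.aliases(); e.hasMoreElements();) {
            String alias = e.nextElement();
            if (ks.isKeyEntry(alias)) {
                keys.add(alias);
            }
        }
        return keys;
    }

    /** Number of trusted-certificate entries; with none, PKIX has no anchors and every path fails. */
    static int trustedEntryCount(KeyStore ks) throws Exception {
        int n = 0;
        for (Enumeration<String> e = ks.aliases(); e.hasMoreElements();) {
            if (ks.isCertificateEntry(e.nextElement())) {
                n++;
            }
        }
        return n;
    }

    /** Same PKIX check the JSSE trust manager performs; returns null on success, else the validator's reason. */
    static String validateChain(KeyStore keyStore, String alias, KeyStore trustStore) throws Exception {
        Certificate[] chain = keyStore.getCertificateChain(alias);
        if (chain == null || chain.length == 0) {
            return "alias " + alias + " has no certificate chain";
        }
        List<X509Certificate> path = new ArrayList<>();
        for (Certificate c : chain) {
            path.add((X509Certificate) c);
        }
        PKIXParameters params = new PKIXParameters(trustStore); // throws if the store has no trusted entries
        params.setRevocationEnabled(false);                     // offline check: no CRL/OCSP lookups
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        try {
            CertPathValidator.getInstance("PKIX").validate(cf.generateCertPath(path), params);
            return null;
        } catch (CertPathValidatorException ex) {
            return ex.getMessage();
        }
    }

    /** Builds the context from explicit stores, so nothing depends on the default SSLContext honouring system properties. */
    static SSLContext buildContext(KeyStore keyStore, char[] keyPassword, KeyStore trustStore) throws Exception {
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(keyStore, keyPassword);
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx;
    }

    /** Usage: java MqSslStoreCheck <keystore> <keystorePassword> <truststore> <truststorePassword> */
    public static void main(String[] args) throws Exception {
        KeyStore keyStore = load(args[0], args[1].toCharArray());
        KeyStore trustStore = load(args[2], args[3].toCharArray());
        List<String> keyAliases = keyEntryAliases(keyStore);
        System.out.println("key entries (presentable client certs): " + keyAliases);
        System.out.println("trusted entries in truststore: " + trustedEntryCount(trustStore));
        if (keyAliases.isEmpty()) {
            System.out.println("no private-key entry: the client cannot satisfy a channel that requires client auth");
        }
        for (String alias : keyAliases) {
            String problem = validateChain(keyStore, alias, trustStore);
            System.out.println(alias + ": " + (problem == null ? "chain validates" : "PKIX failure: " + problem));
        }
        SSLContext ctx = buildContext(keyStore, args[1].toCharArray(), trustStore);
        System.out.println("explicit SSLContext built, protocol " + ctx.getProtocol());
    }
}
```

Running this inside the failing application (rather than in the stand-alone stub) is the useful comparison: if the key entry list is empty or the PKIX check fails there but not in the stub, the stores the container resolved are not the adapter's. The explicitly built context removes the dependency on the system properties altogether; with the WebSphere MQ classes for Java the resulting factory is, to my recollection, handed over through the static MQEnvironment.sslSocketFactory field, but check that against the documentation for the client version in use.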
mqjeff
Posted: Sat May 07, 2011 3:41 am Post subject:
Grand Master
Joined: 25 Jun 2008 Posts: 17447
It sounds like jboss is not using the user 'adapter' to look up the certificate from the keystore.