kash3338 |
Posted: Thu Mar 24, 2011 11:53 pm Post subject: HTTPS in SOAPInput |
|
|
Shaman
Joined: 08 Feb 2009 Posts: 709 Location: Chennai, India
|
Hi,
I am trying to use HTTPS in my SOAP Input node, but when I deploy my flow and try to invoke the service through soapUI tool, I get the error "SSL Handshake error".
Version of Broker: 6.1
|
smdavies99 |
Posted: Fri Mar 25, 2011 12:57 am Post subject: |
|
|
 Jedi Council
Joined: 10 Feb 2003 Posts: 6076 Location: Somewhere over the Rainbow this side of Never-never land.
|
Have you set up all the key, keystores, policies, configurable services and all the myriad other things you have to do to get this working?
OR
Are you just using encrypted HTTP and relying on the fact that the two ends have the same set of default keys loaded? Just like a browser does...
We really do need a bit more detail here.
_________________
WMQ User since 1999
MQSI/WBI/WMB/'Thingy' User since 2002
Linux user since 1995
Every time you reinvent the wheel the more square it gets (anon). If in doubt think and investigate before you ask silly questions.
|
zpat |
Posted: Fri Jun 10, 2011 1:47 am Post subject: |
|
|
 Jedi Council
Joined: 19 May 2001 Posts: 5866 Location: UK
|
I have the same question about a soapinput node.
How does the broker decide which certificate to use for HTTPS? I can configure references to a keystore location/password - but which personal (server) cert does it use, if there is more than one?
Is a policy needed for this? When you say key - what do you mean?
Can I just get encryption without a personal (server) cert - how would this work?
|
mqjeff |
Posted: Fri Jun 10, 2011 3:37 am Post subject: |
|
|
Grand Master
Joined: 25 Jun 2008 Posts: 17447
|
You are only allowed to configure a single personal certificate.
There is no method of choosing from more than one.
So if you have a keystore (not a trust store) that has more than one, you can't guarantee which one will get presented.
|
zpat |
Posted: Fri Jun 10, 2011 3:40 am Post subject: |
|
|
 Jedi Council
Joined: 19 May 2001 Posts: 5866 Location: UK
|
OK, this could be a problem because the flow already uses a personal cert for a soaprequest call. This is referenced by a label.
Now it needs a different one for a soapinput with https. So I don't know how this can be accommodated unless a label can be referenced.
Does the soaprequest node get the personal cert from the truststore or keystore? (currently I have used the same JKS file as both the keystore and the truststore).
|
mqjeff |
Posted: Fri Jun 10, 2011 5:22 am Post subject: |
|
|
Grand Master
Joined: 25 Jun 2008 Posts: 17447
|
zpat wrote:
OK, this could be a problem because the flow already uses a personal cert for a soaprequest call. This is referenced by a label.
Now it needs a different one for a soapinput with https. So I don't know how this can be accommodated unless a label can be referenced.
Does the soaprequest node get the personal cert from the truststore or keystore? (currently I have used the same JKS file as both the keystore and the truststore).
I believe you can use a different keystore for the soaprequest node, but I have alas forgotten the details.
Also remember that the keystore and certstore can be specified at the EG level rather than just the Broker level - particularly for SOAP traffic.
|
zpat |
Posted: Mon Jun 13, 2011 6:26 am Post subject: |
|
|
 Jedi Council
Joined: 19 May 2001 Posts: 5866 Location: UK
|
Like this I think (and related other values for https connector)
mqsichangeproperties <brkname> -e <egname> -o HTTPSConnector -n keystoreFile -v /path/KeyFile.jks
|
|
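A pre-check for the situation mqjeff describes (a keystore holding more than one personal certificate), as an added example that is not part of the thread: it reads `keytool -list` text and reports how many key entries the keystore holds before `keystoreFile` is pointed at it. The listing layout (`alias, date, PrivateKeyEntry,`, with `keyEntry` on older JREs), the function names and the sample aliases are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Reads `keytool -list` text on stdin.
# Assumed entry line layout: alias, <date>, PrivateKeyEntry,
# (older JREs are assumed to print keyEntry instead of PrivateKeyEntry).

# Print the alias of each personal certificate (key entry), one per line.
# trustedCertEntry lines (signer certificates) are ignored.
personal_cert_aliases() {
    awk '/, *(PrivateKeyEntry|keyEntry),? *$/ {
        alias = $0
        sub(/,.*/, "", alias)   # alias is the text before the first comma
        print alias
    }'
}

# Exit status: 0 = exactly one personal cert, 1 = none, 2 = more than one.
check_keystore_listing() {
    aliases=$(personal_cert_aliases)
    count=0
    if [ -n "$aliases" ]; then
        count=$(printf '%s\n' "$aliases" | wc -l | tr -d ' ')
    fi
    case "$count" in
        1) echo "OK: one personal certificate: $aliases"; return 0 ;;
        0) echo "FAIL: no key entry in this keystore" >&2; return 1 ;;
        *) echo "FAIL: $count personal certificates; which one is presented is not guaranteed:" >&2
           printf '%s\n' "$aliases" | sed 's/^/  /' >&2
           return 2 ;;
    esac
}

# Constructed sample: one JKS used as keystore and truststore, as in the thread.
sample_listing() {
    cat <<'EOF'
Keystore type: JKS
Keystore provider: SUN

Your keystore contains 3 entries

soaprequest-client, Jun 10, 2011, PrivateKeyEntry,
Certificate fingerprint (SHA1): <constructed>
partner-ca, Jun 10, 2011, trustedCertEntry,
Certificate fingerprint (SHA1): <constructed>
soapinput-server, Jun 10, 2011, PrivateKeyEntry,
Certificate fingerprint (SHA1): <constructed>
EOF
}

sample_listing | check_keystore_listing || echo "exit status: $?"
```

Against a real keystore: `keytool -list -keystore /path/KeyFile.jks | check_keystore_listing`.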