SSL error communicating with STS

fenway_frank
Posted: Wed Jan 11, 2012 11:31 am Post subject: SSL error communicating with STS
Apprentice
Joined: 21 Oct 2011 Posts: 43 Location: Boston, MA USA
I followed this (very well written) developerWorks article to configure secure connections between STS and Message Broker: http://www.ibm.com/developerworks/websphere/library/techarticles/1104_katagall/1104_katagall.html?ca=drs-.
For context, my use case is slightly different from the one described in the article but directionally very similar:
• Web service provider is Message Broker v7.0.0.3 message flow which requires SAML 2.0 token in security header. The Message flow is configured to validate the inbound assertion with a security profile (ws-trust 1.3 sts), policy set (saml 2.0 passthru) and “provider” bindings as documented in your article
• STS is PingFederate, not Tivoli product
• Communication between message flow and STS is HTTPS, not HTTP as described in the article sample.
Therein is my current problem. I cannot establish a secure communication between message flow SOAPInput node and the STS and it appears to be SSL related. Here’s the error as reported in win7 event log:
( MB7BROKER.CDS_ONLINE01 ) An error occurred whilst performing an SSL socket operation.
Operation: 'createSocket'. Error Text: 'java.net.SocketException: java.security.NoSuchAlgorithmException: SSLContext Default implementation not found: '.
I configured the execution group with trust and key store containing the CA certs that must be present to communicate with STS and I assume the security profile is using this configuration. Here’s output from mqsireportproperties on the execution group that contains the message flow with the error:
>mqsireportproperties <broker_name> -o ComIbmJVMManager -a -e <execution_group>
ComIbmJVMManager
uuid='ComIbmJVMManager'
userTraceLevel='none'
traceLevel='none'
userTraceFilter='none'
traceFilter='none'
resourceStatsReportingOn='inactive'
resourceStatsMeasurements='<ResourceStatsSwitches ResourceType="JVM" version='1'> <Measurement name="InitialMemoryInMB" collect="on" /> <Measurement name="UsedMemoryInMB" collect="on" /> <Measurement name="CommittedMemoryInMB" collect="on" /> <Measurement name="MaxMemoryInMB" collect="on" /> <Measurement name="CumulativeGCTimeInSeconds" collect="on" /> <Measurement name="CumulativeNumberOfGCCollections" collect="on" /> </ResourceStatsSwitches>'
jvmVerboseOption='none'
jvmDisableClassGC='false'
jvmShareClasses='false'
jvmNativeStackSize='-1'
jvmJavaOSStackSize='-1'
jvmMinHeapSize='33554432'
jvmMaxHeapSize='-1'
jvmDebugPort='223'
jvmSystemProperty=''
keystoreType=''
keystoreFile='cdsKeystore.jks'
keystorePass='brokerKeystore::password'
truststoreType=''
truststoreFile='cdsTruststore.jks'
truststorePass='brokerTruststore::password'
As you can see, the keystore and truststore are loaded with a JKS. I am confident the JKS has the cert needed to negotiate with the STS.
Any other suggestions?
fjb_saper
Posted: Wed Jan 11, 2012 2:03 pm Post subject:
Grand High Poobah
Joined: 18 Nov 2003 Posts: 20756 Location: LI,NY
You might want to specify the keystore type (jks).
Also, are you sure you are setting this up in the eg that is running this flow?
Did you restart the eg after the changes?
_________________ MQ & Broker admin
fenway_frank
Posted: Wed Jan 11, 2012 2:38 pm Post subject:
Apprentice
Joined: 21 Oct 2011 Posts: 43 Location: Boston, MA USA
Hi, updated ComIbmJVMManager truststoreType and keystoreType to JKS and no effect. Yes, the broker was restarted and there is only 1 EG.
I wonder if the filesystem location of the .jks listed in ComIbmJVMManager is important? 'cdsTruststore.jks' and 'cdsKeystore.jks' are currently located in $MQSI_FILEPATH/jre/bin (where keytool is found). Perhaps the jks files should be in the $MQSI_FILEPATH/jre/lib/security directory instead?
fjb_saper
Posted: Wed Jan 11, 2012 6:07 pm Post subject:
Grand High Poobah
Joined: 18 Nov 2003 Posts: 20756 Location: LI,NY
fenway_frank wrote:
> Hi, updated ComIbmJVMManager truststoreType and keystoreType to JKS and no effect. Yes, the broker was restarted and there is only 1 EG.
> I wonder if the filesystem location of the .jks listed in ComIbmJVMManager is important? 'cdsTruststore.jks' and 'cdsKeystore.jks' are currently located in $MQSI_FILEPATH/jre/bin (where keytool is found). Perhaps the jks files should be in the $MQSI_FILEPATH/jre/lib/security directory instead?
No, I would try and put them in $MQSI_FILEPATH/Components/broker/eg/ssl or some such... For this purpose it is immaterial where keytool is found. You could just as well be using ikeyman to create the stores... Just make sure that the sslstores are accessible to the user/group running the broker. Make the permissions on the sslstores be u+rw,g+r,o-rx.
Hope this helps
_________________ MQ & Broker admin
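As an added example (not code from the thread, from IBM, or from PingFederate), the following Python script turns the advice in this thread into a repeatable check: it parses the ComIbmJVMManager output that mqsireportproperties prints for an execution group, flags an empty keystoreType/truststoreType, a store path that is not absolute, and a store password that is not a mqsisetdbparms identity reference (the name::password form shown in the post), and compares a store file's mode with the u+rw,g+r,o-rx pattern suggested above. The SAMPLE_REPORT text is abbreviated from the output posted earlier in the thread; the function names, the finding messages and the Windows/POSIX absolute-path rule are this example's own assumptions, not broker behaviour documented on the page.

```python
"""Sanity checks for the ComIbmJVMManager SSL store settings of a WebSphere
Message Broker execution group, run against mqsireportproperties text output.
Added example for this thread; the names and messages below are assumptions."""
import os
import re
import stat

# Abbreviated from the mqsireportproperties output posted in the thread. The
# wrapped resourceStatsMeasurements value is kept so the parser has to rejoin it.
SAMPLE_REPORT = """\
ComIbmJVMManager
uuid='ComIbmJVMManager'
resourceStatsMeasurements='<ResourceStatsSwitches ResourceType="JVM" version='1'> <Measurement name="InitialMemoryInMB
" collect="on" /> </ResourceStatsSwitches>'
jvmSystemProperty=''
keystoreType=''
keystoreFile='cdsKeystore.jks'
keystorePass='brokerKeystore::password'
truststoreType=''
truststoreFile='cdsTruststore.jks'
truststorePass='brokerTruststore::password'
"""

_PROP_START = re.compile(r"^(\w+)='(.*)$")


def parse_properties(text):
    """Return {name: value} for name='value' lines. A line that does not start a
    new property is treated as the continuation of a wrapped value."""
    props = {}
    current = None
    for line in text.splitlines():
        m = _PROP_START.match(line)
        if m:
            current = m.group(1)
            props[current] = m.group(2)
        elif current is not None:
            props[current] += line
    # Every value is closed by a single quote; drop it.
    return {k: v[:-1] if v.endswith("'") else v for k, v in props.items()}


def is_absolute_path(path):
    """Absolute on POSIX (/...) or Windows (C:\\... or C:/...); the broker in
    the thread runs on Windows, so both spellings are accepted (assumption)."""
    return bool(re.match(r"^(/|[A-Za-z]:[\\/])", path))


def check_ssl_stores(props):
    """Return (property, finding) pairs for the keystore/truststore settings."""
    findings = []
    for kind in ("keystore", "truststore"):
        store_type = props.get(kind + "Type", "")
        store_file = props.get(kind + "File", "")
        store_pass = props.get(kind + "Pass", "")
        if not store_type:
            findings.append((kind + "Type", "empty; set it explicitly (JKS for a .jks file)"))
        if not store_file:
            findings.append((kind + "File", "not set; the execution group has no store to load"))
        elif not is_absolute_path(store_file):
            findings.append((kind + "File", "'%s' is relative; use an absolute path" % store_file))
        if store_pass and "::" not in store_pass:
            findings.append((kind + "Pass", "not a mqsisetdbparms identity (expected name::password)"))
    return findings


def check_store_permissions(mode):
    """Compare a st_mode value with the u+rw,g+r,o-rx pattern from the thread."""
    findings = []
    if not mode & stat.S_IRUSR:
        findings.append("owner cannot read the store")
    if mode & (stat.S_IROTH | stat.S_IXOTH):
        findings.append("store is readable/executable by others; apply o-rx")
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append("store is writable by group or others")
    return findings


def check_store_file(path):
    """Filesystem checks for one store file; a missing file is itself a finding."""
    if not os.path.isfile(path):
        return ["store file not found: " + path]
    return check_store_permissions(os.stat(path).st_mode)


def audit_report(text):
    """Parse a mqsireportproperties report and run the property-level checks."""
    return check_ssl_stores(parse_properties(text))


if __name__ == "__main__":
    for prop, msg in audit_report(SAMPLE_REPORT):
        print("%s: %s" % (prop, msg))
```

Run against the output posted above, the script reports four findings (both store types empty, both store files relative), which matches the two changes fjb_saper suggests. The permission check is kept separate so it can be applied to the real files once they have been moved to a directory the broker user can read.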