Author |
Message
|
lancelotlinc |
Posted: Fri Jun 21, 2013 6:24 am Post subject: When Message Broker is the service provider, then.... |
|
|
 Jedi Knight
Joined: 22 Mar 2010 Posts: 4941 Location: Bloomington, IL USA
|
|
McueMart |
Posted: Fri Jun 21, 2013 7:07 am Post subject: |
|
|
 Chevalier
Joined: 29 Nov 2011 Posts: 490 Location: UK...somewhere
|
It's the user's task to fill in the blanks. Wouldn't want to make things too easy now...! |
|
mqjeff |
Posted: Fri Jun 21, 2013 7:20 am Post subject: |
|
|
Grand Master
Joined: 25 Jun 2008 Posts: 17447
|
I'm sure this is covered in the 9 day training.
Have you taken the 9 day training? Why not? |
|
lancelotlinc |
Posted: Fri Jun 21, 2013 7:28 am Post subject: |
|
|
 Jedi Knight
Joined: 22 Mar 2010 Posts: 4941 Location: Bloomington, IL USA
|
mqjeff wrote: |
I'm sure this is covered in the 9 day training.
Have you taken the 9 day training? Why not? |
Ok, I deserve that remark.
The CRL command seems to not work either:
Code: |
mqsichangeproperties MB8BROKER -e execution_group -n crlFile -v file_path |
We've deployed an HTTPInput node and need to set up the EG-level listener to receive HTTPS requests.
When we try to send a request into the node, we get this back:
Code: |
Error 113 (net::ERR_SSL_VERSION_OR_CIPHER_MISMATCH): Unknown error. |
We have set these:
Code: |
mqsireportproperties <broker> -e <eg> -o HTTPSConnector -r
HTTPSConnector
uuid='HTTPSConnector'
userTraceLevel='none'
traceLevel='none'
userTraceFilter='none'
traceFilter='none'
port='7077'
address=''
allowTrace=''
maxPostSize=''
acceptCount=''
bufferSize=''
compressableMimeTypes=''
compression=''
connectionLinger=''
connectionTimeout=''
maxHttpHeaderSize=''
maxKeepAliveRequests=''
maxSpareThreads=''
maxThreads=''
minSpareThreads=''
noCompressionUserAgents=''
restrictedUserAgents=''
socketBuffer=''
tcpNoDelay=''
explicitlySetPortNumber='7077'
enableLookups=''
enableMQListener=''
shutdownDelay=''
allowCrossConnectorPolling=''
autoRespondHTTPHEADRequests=''
algorithm=''
clientAuth=''
keystoreFile='<pathtokeystore>'
keystorePass='********'
keystoreType='JKS'
truststoreFile='<pathtotruststore>'
truststorePass='********'
truststoreType='JKS'
sslProtocol='SSL'
ciphers='SSL_RSA_WITH_RC4_128_MD5,SSL_RSA_WITH_RC4_128_SHA'
keypass='********'
keyAlias=''
sslSessionTimeout=''
Connector
port='7077'
type='Embedded'
URLRegistration
url='/xxxxx/resources/yyyy'
outstandingRequests='0'
UsedBySOAPNNodes='FALSE'
UsedByHTTPNNodes='TRUE'
nodeLabel='HTTP Input'
|
_________________ http://leanpub.com/IIB_Tips_and_Tricks
Save $20: Coupon Code: MQSERIES_READER |
|
mqjeff |
Posted: Fri Jun 21, 2013 7:41 am Post subject: |
|
|
Grand Master
Joined: 25 Jun 2008 Posts: 17447
|
File a feedback on the info center page.
Use mqsichangeproperties to set the JVM properties mentioned on the page.
Open a PMR. |
|
lancelotlinc |
Posted: Fri Jun 21, 2013 11:34 am Post subject: |
|
|
 Jedi Knight
Joined: 22 Mar 2010 Posts: 4941 Location: Bloomington, IL USA
|
We filed feedback and opened a PMR. The response of the PMR was to refer to version 7 InfoCentre. When I perform this Google search on V7 InfoCentre (we use V8 but the V8 doc is incomplete; the V7 doc does not exist), no results are found:
http://goo.gl/3YPlJ
We will continue to talk to the support people on the PMR. If MGK (or others familiar with the transport configurations) can provide some pointers in the meantime, we are eager to see this flow work:
HTTPInput* -> Trace -> Compute -> Trace -> HTTPReply
*HTTPS enabled.
We believe we have configured every item in accordance with the documentation and this result still persists:
Error 113 (net::ERR_SSL_VERSION_OR_CIPHER_MISMATCH): Unknown error.
It seems that there may be some issue in the protocol code or the runtime configuration.
Following the InfoCentre documentation, we took a UserTrace and a ServiceTrace and found no exceptions in either. We may need the specific commands to turn on the debug info for EG-level HTTPS listener. Anyone know those? |
|
mqjeff |
Posted: Fri Jun 21, 2013 11:52 am Post subject: |
|
|
Grand Master
Joined: 25 Jun 2008 Posts: 17447
|
lancelotlinc wrote: |
Following the InfoCentre documentation, we took a UserTrace and a ServiceTrace and found no exceptions in either. We may need the specific commands to turn on the debug info for EG-level HTTPS listener. Anyone know those? |
It's not documented, but mqsireportproperties on the HTTPSConnector should show a trace option of some kind, that would then be enabled with the mqsichangeproperties command. I believe this would dump to service trace, but it might provide an option of specifying a trace file...
Again, do an mqsireportproperties to show all available properties of the HTTPSConnector, and the HTTPConnector, then flail at them a bit.
The error in question however, doesn't appear to relate to using CRLs, unless the issue is that the CRL connection is also SSL enabled and needs an alternate cert/alternate SSL crypto provider/etc. But you'd hope a CA wouldn't configure their CRL service to use something not available with the cert they issue... |
|
lancelotlinc |
Posted: Mon Jun 24, 2013 6:21 am Post subject: |
|
|
 Jedi Knight
Joined: 22 Mar 2010 Posts: 4941 Location: Bloomington, IL USA
|
L2 points us to V7 doc. JSSE operation is different between the JRE supplied with V7 and the JRE supplied with V8. This may imply that the settings on ComIbmJVMManager may need to be different between WMB V7 EG listener process and WMB V8 listener process, yes? V7 JRE operates JSSE differently than V8 JRE, or at least with different (additional) properties, yes? If true to both questions, it leads me to think that we need some errata to V7 docs that call out these new properties as our environment is V8.0.0.2.
Also - checking the SYSTEM.BROKER.WS.INPUT shows no Open Output Count/Open Input Count when sending in the request. This seems to confirm that the listener is not placing the request to the message flow and some configuration is missing on the EG-listener process. Right-clicking EG, the EG properties show that the EG is set to correctly listen to port 7077 and that HTTPS is enabled. |
|
mqjeff |
Posted: Mon Jun 24, 2013 8:10 am Post subject: |
|
|
Grand Master
Joined: 25 Jun 2008 Posts: 17447
|
Again, the error is complaining about the SSL negotiation, and it's complaining about a cipher spec, more or less.
So, given that no secure channel can be negotiated, it is not surprising that no exchange of business data is occurring.
Again, this doesn't appear to relate to CRLs, except if somehow the protocol for talking to the CA requires use of cipherspecs that are not supported - which you would hope would not be the case, because you would hope that a CA would support any cipherspecs for checking the revocation of a certificate that it offered where the cert supported that cipherspec. That is, you would hope they wouldn't require a cipherspec that wasn't supported by their certs.
Again, the EG-level HTTPS connector has the following properties:
Code: |
traceLevel='none'
userTraceFilter='none'
traceFilter='none'
allowTrace='' |
I suspect that you can enable this with either mqsichangeproperties or with mqsichangetrace and that it will add information to service/user level trace.
Likewise the same properties exist on the HTTPConnector.
Last edited by mqjeff on Mon Jun 24, 2013 12:05 pm; edited 1 time in total |
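The point made in the post above, that the error concerns protocol and cipher negotiation, can be checked against the connector settings reported earlier in the thread. The following is an added example, not code from the thread or from IBM: it parses `mqsireportproperties` output and flags the `sslProtocol` and `ciphers` values. The client offer list, the weak-suite markers and the function names are assumptions of this example.

```python
import re

# Constructed sample: the negotiation-relevant lines of the report posted
# in this thread (values copied from the post, indentation added).
SAMPLE_REPORT = """\
HTTPSConnector
  port='7077'
  sslProtocol='SSL'
  ciphers='SSL_RSA_WITH_RC4_128_MD5,SSL_RSA_WITH_RC4_128_SHA'
Connector
  port='7077'
  type='Embedded'
"""
# Assumed client offer (constructed, IANA names); use your real client's list.
CLIENT_OFFER = ["TLS_RSA_WITH_AES_128_CBC_SHA", "TLS_RSA_WITH_AES_256_CBC_SHA"]
# Substrings this example treats as weak; a policy choice, not a broker rule.
WEAK_MARKERS = ("RC4", "MD5", "NULL", "EXPORT", "_DES_", "anon")

def parse_section(report, section="HTTPSConnector"):
    """Return the name='value' pairs listed under one section header."""
    props, active = {}, False
    for line in report.splitlines():
        line = line.strip()
        m = re.fullmatch(r"(\w+)='(.*)'", line)
        if m and active:
            props[m.group(1)] = m.group(2)
        elif line and not m:          # a bare word starts a new section
            active = (line == section)
    return props

def normalise(suite):
    """JSSE prints some suites as SSL_*, IANA as TLS_*; compare without it."""
    return re.sub(r"^(SSL|TLS)_", "", suite.strip())

def audit(props, client_offer):
    """List findings that would explain a version/cipher mismatch."""
    findings = []
    proto = props.get("sslProtocol", "")
    if proto and "TLS" not in proto.upper():
        findings.append(f"sslProtocol='{proto}' does not name a TLS version")
    suites = [s.strip() for s in props.get("ciphers", "").split(",") if s.strip()]
    findings += [f"weak suite enabled: {s}" for s in suites
                 if any(k in s for k in WEAK_MARKERS)]
    shared = {normalise(s) for s in suites} & {normalise(c) for c in client_offer}
    if suites and not shared:         # an empty list means connector defaults
        findings.append("no cipher suite in common with client offer")
    return findings

if __name__ == "__main__":
    for finding in audit(parse_section(SAMPLE_REPORT), CLIENT_OFFER):
        print("FINDING:", finding)
```

To use it on a live broker, feed it the text printed by the `mqsireportproperties <broker> -e <eg> -o HTTPSConnector -r` command shown earlier in the thread instead of the sample.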
|
lancelotlinc |
Posted: Mon Jun 24, 2013 12:02 pm Post subject: |
|
|
 Jedi Knight
Joined: 22 Mar 2010 Posts: 4941 Location: Bloomington, IL USA
|
Thanks for your suggestions. We started from scratch and reconfigured the EG-level listener a second time, which enabled the functionality.
This article was used by our WMB Admin as a guide (both times) and was helpful.
http://www.ibm.com/developerworks/websphere/library/techarticles/1205_bhat/1205_bhat.html
Also received an acknowledgement from IBM that the InfoCentre article in question is being reviewed/revised.
Going forward, for the benefit of the IBM developers, it would be helpful to have some errors in the WMB event log that describe the exact issues. No relevant messages were ever recovered from either the event log or the service trace regarding the listener process. : RFE : |
|