jinie |
Posted: Mon Sep 09, 2013 2:29 am Post subject: Specify TLS certificate for TCP/IP Client Output Node |
|
|
Novice
Joined: 10 Jul 2013 Posts: 13
|
Hey
I'm creating a flow for delivering Apple iOS push notifications for multiple customers/apps.
My initial thought was to use a TCP/IP Client Output Node along with a keystore containing all certificates, and specify a connection name/certificate through localenv.
Looking through the configurable service properties ( http://publib.boulder.ibm.com/infocenter/wmbhelp/v7r0m0/index.jsp?topic=%2Fcom.ibm.etools.mft.doc%2Fan60170_.htm ) for TCPIPClient, I notice there is no way to specify which TLS certificate I want to use.
TCPIPServer has "SSLKeyAlias", which is basically what I need on the Client
Is there a better way to solve this? Or do I need to revert to writing my own TCP/IP Client in a Java compute node?
/J |
lancelotlinc |
Posted: Mon Sep 09, 2013 3:28 am Post subject: |
|
|
 Jedi Knight
Joined: 22 Mar 2010 Posts: 4941 Location: Bloomington, IL USA
|
smdavies99 |
Posted: Mon Sep 09, 2013 4:28 am Post subject: |
|
|
 Jedi Council
Joined: 10 Feb 2003 Posts: 6076 Location: Somewhere over the Rainbow this side of Never-never land.
|
Well, in my last position we had to front end broker with a bit of java that allowed us to set the correct TLS cert we used. This was with 7.0.0.1 and we couldn't find a way to make what the OP wants work.
_________________
WMQ User since 1999
MQSI/WBI/WMB/'Thingy' User since 2002
Linux user since 1995
Every time you reinvent the wheel the more square it gets (anon). If in doubt think and investigate before you ask silly questions. |
lancelotlinc |
Posted: Mon Sep 09, 2013 4:34 am Post subject: |
|
|
 Jedi Knight
Joined: 22 Mar 2010 Posts: 4941 Location: Bloomington, IL USA
|
smdavies99 wrote: |
Well, in my last position we had to front end broker with a bit of java that allowed us to set the correct TLS cert we used. This was with 7.0.0.1 and we couldn't find a way to make what the OP wants work. |
Not much of anything regarding SSL working in 7.0.0.1. Fixpack 2 changed that.
_________________
http://leanpub.com/IIB_Tips_and_Tricks
Save $20: Coupon Code: MQSERIES_READER |
jinie |
Posted: Mon Sep 09, 2013 4:35 am Post subject: |
|
|
Novice
Joined: 10 Jul 2013 Posts: 13
|
I'm on version WMB 7.0
I read the articles, but I can't seem to find any examples/settings that allow me to do what I want.
I have around 40 different TLS certificates that each corresponds to a client's iOS app, which then receives push notifications from a centralized source.
I'd like to avoid implementing 40 different TCPIPClient nodes, and instead manage this programmatically by looking up the client id, and selecting the corresponding certificate, and telling TCPIPClient which certificate to use, but from what I can find there doesn't seem to be a way to set the certificate or keystore on the TCPIPClient.
A possible "solution" would be to configure 40 execution groups, and deploy a keystore in each, which won't be pretty. |
lancelotlinc |
Posted: Mon Sep 09, 2013 4:36 am Post subject: |
|
|
 Jedi Knight
Joined: 22 Mar 2010 Posts: 4941 Location: Bloomington, IL USA
|
jinie wrote: |
I'm on version WMB 7.0 |
WMB versions have four digits. What version are you on ?
Again, not much of any SSL functions worked in 7.0.0.1. You need the latest fixpack, which is 7.0.0.6 today.
Didn't you read about the SSL key alias in the InfoCentre?
Quote: |
Using an SSL key alias
A key alias identifies the key that is to be used for the SSL connection, if the keystore for your broker or execution group contains more than one key. Use the mqsichangeproperties or mqsicreateconfigurableservice as appropriate, with the SSLKeyAlias property. The default value "" or none, means that an SSL key alias is not used. Any other string identifies the alias.
Note: If the keystore contains more than one key, and no key alias is defined, the Java™ virtual machine arbitrarily chooses a key at run time. |
jinie wrote: |
A possible "solution" would be to configure 40 execution groups, and deploy a keystore in each, which won't be pretty. |
Don't be silly.
jinie |
Posted: Mon Sep 09, 2013 5:02 am Post subject: |
|
|
Novice
Joined: 10 Jul 2013 Posts: 13
|
I'm on 7.0.0.6
lancelotlinc wrote: |
Didn't you read about the SSL key alias in the InfoCentre?
Quote: |
Using an SSL key alias
A key alias identifies the key that is to be used for the SSL connection, if the keystore for your broker or execution group contains more than one key. Use the mqsichangeproperties or mqsicreateconfigurableservice as appropriate, with the SSLKeyAlias property. The default value "" or none, means that an SSL key alias is not used. Any other string identifies the alias.
Note: If the keystore contains more than one key, and no key alias is defined, the Java™ virtual machine arbitrarily chooses a key at run time. |
|
I read about SSLKeyAlias, sadly it is only defined on the TCPIPServer property, and not on the TCPIPClient. |
lancelotlinc |
Posted: Mon Sep 09, 2013 5:05 am Post subject: |
|
|
 Jedi Knight
Joined: 22 Mar 2010 Posts: 4941 Location: Bloomington, IL USA
|
jinie wrote: |
I'm on 7.0.0.6
lancelotlinc wrote: |
Didn't you read about the SSL key alias in the InfoCentre?
Quote: |
Using an SSL key alias
A key alias identifies the key that is to be used for the SSL connection, if the keystore for your broker or execution group contains more than one key. Use the mqsichangeproperties or mqsicreateconfigurableservice as appropriate, with the SSLKeyAlias property. The default value "" or none, means that an SSL key alias is not used. Any other string identifies the alias.
Note: If the keystore contains more than one key, and no key alias is defined, the Java™ virtual machine arbitrarily chooses a key at run time. |
|
I read about SSLKeyAlias, sadly it is only defined on the TCPIPServer property, and not on the TCPIPClient. |
The example in the InfoCentre is for the Server, but AFAIK, it works for all keystores, regardless of server or client node usage. WMB's SSL implementation is based on Oracle's SSL JVM implementation.
jinie |
Posted: Mon Sep 09, 2013 5:24 am Post subject: |
|
|
Novice
Joined: 10 Jul 2013 Posts: 13
|
No dice.
Code: |
C:\Program Files\IBM\MQSI\7.0>mqsicreateconfigurableservice TBRK -c TCPIPClient -o myTCPIPClientService -n SSLKeyAlias -v mykey
BIP8984W: Configurable service object name 'TCPIPClient : myTCPIPClientService : SSLKeyAlias' was not found.
The user has tried to delete or modify a configurable service object name that does not exist, or is not valid for UserDefined types.
Check the names of the existing configurable services using the mqsireportproperties command. Then modify the external resource object name and reissue the command. |
lancelotlinc |
Posted: Mon Sep 09, 2013 5:30 am Post subject: |
|
|
 Jedi Knight
Joined: 22 Mar 2010 Posts: 4941 Location: Bloomington, IL USA
|
jinie wrote: |
No dice.
Code: |
C:\Program Files\IBM\MQSI\7.0>mqsicreateconfigurableservice TBRK -c TCPIPClient -o myTCPIPClientService -n SSLKeyAlias -v mykey
BIP8984W: Configurable service object name 'TCPIPClient : myTCPIPClientService : SSLKeyAlias' was not found.
The user has tried to delete or modify a configurable service object name that does not exist, or is not valid for UserDefined types.
Check the names of the existing configurable services using the mqsireportproperties command. Then modify the external resource object name and reissue the command. |
|
Ok, nice try. Can you open a PMR to see what the official word is on SSL key alias for TCP/IP client nodes ? Seems like if you could do it for server nodes, you could also do it for client nodes without much effort.
smdavies99 |
Posted: Mon Sep 09, 2013 7:11 am Post subject: |
|
|
 Jedi Council
Joined: 10 Feb 2003 Posts: 6076 Location: Somewhere over the Rainbow this side of Never-never land.
|
SSLKeyAlias is there on V8.0.0.2 ONLY on the TCPIP server Configurable service.
The same goes for 9.0.0.0
jinie |
Posted: Mon Sep 09, 2013 11:51 pm Post subject: |
|
|
Novice
Joined: 10 Jul 2013 Posts: 13
|
Looks like my only option (for now) is to code it by hand in Java or PHP.
I'll raise a PMR on the issue, and perhaps try to broaden the scope of it a bit, since we often need support specifying a different keystore/keyalias in our solutions.
Now if only we had Python compute nodes  |
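
Added example, not code from any poster in this thread or from IBM: a sketch of the hand-coded Java client discussed above, using a JSSE key manager that pins the client certificate to one keystore alias so the JVM does not choose a key arbitrarily when the keystore holds many. The class name, the `factoryFor` helper and all command-line values are assumptions for illustration; the syntax is kept Java 6 compatible.

```java
import java.io.FileInputStream;
import java.net.Socket;
import java.security.*;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import javax.net.ssl.*;

public class AliasPinnedTlsClient {
    /** Key manager that only ever offers the key entry stored under one alias. */
    static final class AliasKeyManager extends X509ExtendedKeyManager {
        private final String alias;
        private final PrivateKey key;
        private final X509Certificate[] chain;

        AliasKeyManager(KeyStore ks, char[] keyPassword, String alias) throws GeneralSecurityException {
            Key k = ks.getKey(alias, keyPassword);
            Certificate[] certs = ks.getCertificateChain(alias);
            if (!(k instanceof PrivateKey) || certs == null)   // fail closed on a missing or wrong alias
                throw new KeyStoreException("no private key entry for alias: " + alias);
            this.alias = alias;
            this.key = (PrivateKey) k;
            this.chain = Arrays.copyOf(certs, certs.length, X509Certificate[].class);
        }
        @Override public String chooseClientAlias(String[] types, Principal[] issuers, Socket s) { return alias; }
        @Override public String chooseEngineClientAlias(String[] types, Principal[] issuers, SSLEngine e) { return alias; }
        @Override public String[] getClientAliases(String type, Principal[] issuers) { return new String[] { alias }; }
        @Override public X509Certificate[] getCertificateChain(String a) { return alias.equals(a) ? chain.clone() : null; }
        @Override public PrivateKey getPrivateKey(String a) { return alias.equals(a) ? key : null; }
        // A client socket never asks for a server alias.
        @Override public String chooseServerAlias(String type, Principal[] issuers, Socket s) { return null; }
        @Override public String[] getServerAliases(String type, Principal[] issuers) { return null; }
    }

    /** Hypothetical helper: one socket factory per alias; cache per customer instead of rebuilding per message. */
    static SSLSocketFactory factoryFor(KeyStore ks, char[] keyPassword, String alias) throws GeneralSecurityException {
        SSLContext ctx = SSLContext.getInstance("TLS");
        // null trust managers / SecureRandom: server chain is validated against the JVM default trust store
        ctx.init(new KeyManager[] { new AliasKeyManager(ks, keyPassword, alias) }, null, null);
        return ctx.getSocketFactory();
    }

    // Arguments (all placeholders): <keystore file> <password> <alias> <host> <port>
    public static void main(String[] args) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        FileInputStream in = new FileInputStream(args[0]);
        try { ks.load(in, args[1].toCharArray()); } finally { in.close(); }
        SSLSocket s = (SSLSocket) factoryFor(ks, args[1].toCharArray(), args[2])
                .createSocket(args[3], Integer.parseInt(args[4]));
        try { s.startHandshake(); System.out.println("handshake ok as alias " + args[2]); }
        finally { s.close(); }
    }
}
```

A raw `SSLSocket` validates the server's certificate chain but does not check the host name; on Java 7 or later, set `SSLParameters.setEndpointIdentificationAlgorithm("HTTPS")` on the socket before the handshake.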