karthik_ps
Posted: Thu Sep 19, 2013 8:39 am Post subject: digital certificate handshake error on MB8
Apprentice
Joined: 10 Dec 2008 Posts: 43
On the Solaris SPARC server, we upgraded to MB 8 and MQ 7 recently. We have an interface running on a broker where a digital certificate is used for security. The broker is configured with a JKS file that contains multiple keys. One certificate is expiring in a week's time. We have added the new public key and deleted the existing one. Along with that, we have added it to the cacerts file as well. After that we started receiving a certificate handshake error from the source vendor. We have applied new certificates multiple times on MB6 without any issues. Is there any special change on MB 8 in applying a digital cert?
lancelotlinc
Posted: Thu Sep 19, 2013 9:21 am Post subject:
Jedi Knight
Joined: 22 Mar 2010 Posts: 4941 Location: Bloomington, IL USA
If you are speaking about the keystore, the keystore must be created from scratch and the root certificate must be the first certificate loaded into the file.
If you are speaking about the truststore, you should post the exact error from the syslog; that will identify the root cause, which is likely that your root authority changed with the new cert you added and you have not added the root.
You should not ever use the same file for both keystore and truststore. Keystore should always be separate from the truststore.
_________________
http://leanpub.com/IIB_Tips_and_Tricks
Save $20: Coupon Code: MQSERIES_READER
karthik_ps
Posted: Thu Sep 19, 2013 3:09 pm Post subject:
Apprentice
Joined: 10 Dec 2008 Posts: 43
Hi lancelotlinc,
Thanks for the reply. We have a public key that has to be installed. We have a JKS file where we have added it using the keytool import command. I have a doubt whether the same public key needs to be added under cacerts (trust store) or not. In case we add the public key into the trust store (cacerts), will it create any problem?
As you guessed, pratik (prat31) is on my team.
karthik_ps
Posted: Thu Sep 19, 2013 3:27 pm Post subject:
Apprentice
Joined: 10 Dec 2008 Posts: 43
One more piece of information we would like to add here. We are using the same JKS file for keystore and truststore. Apart from this, we are adding the public key to cacerts as well.
lancelotlinc
Posted: Fri Sep 20, 2013 3:21 am Post subject:
Jedi Knight
Joined: 22 Mar 2010 Posts: 4941 Location: Bloomington, IL USA
mqjeff gave me words of wisdom back years ago:
Keystore identifies you to the rest of the world.
Truststore contains certs of people you trust.
As stated above, you should never use the same file to be the keystore and the truststore. Who suggested you do that? Keep them far away from your systems, as their lack of knowledge is dangerous to your system health.
As also identified above, the keystore's cert and root authority must be the first chain in the file. I find ikeyman works well in creating keystores.
Good luck.
P.S. Broker's implementation of SSL is really fully derived from the underlying JRE. You can learn a lot about it by reading Sun's Java SSL guide.
karthik_ps
Posted: Fri Sep 20, 2013 7:19 am Post subject:
Apprentice
Joined: 10 Dec 2008 Posts: 43
Hi lancelotlinc,
Sorry to say this. We have been using a JKS file which has been storing both keystore and truststore. And it has been working for more than 4 years. Now, we are just trying to add a new public key as the existing one expires shortly. I doubt if MB 8 behaves anywhere differently than MB6, because when we were using MB6, it was working fine.
Since we are on the target side, the source is getting the below error while sending data.
com.wm.app.b2b.server.ServiceException: java.io.IOException: iaik.security.ssl.SSLException: Peer sent alert: Alert Fatal: handshake failure
Thanks for your reply.
lancelotlinc
Posted: Fri Sep 20, 2013 7:30 am Post subject:
Jedi Knight
Joined: 22 Mar 2010 Posts: 4941 Location: Bloomington, IL USA
WMB V8 uses JRE 6 which has SSL upgrades built within. WMB V6 used JRE 5 IIRC.
Also note per the documentation the requirement that the keystore and truststore be different files.
Quote:
mqsichangeproperties broker_name -e execution_group -o ComIbmJVMManager -n keystoreFile -v c:\keystore\server.keystore,JKS
where c:\keystore\server.keystore,JKS is a Java™ keystore (JKS).
mqsichangeproperties broker_name -e execution_group -o ComIbmJVMManager -n truststoreFile -v c:\truststore\server.truststore
where c:\truststore\server.truststore is the truststore to be referenced.
Vitor
Posted: Fri Sep 20, 2013 8:05 am Post subject:
Grand High Poobah
Joined: 11 Nov 2005 Posts: 26093 Location: Texas, USA
karthik_ps wrote:
Sorry to say this. We have been using a JKS file which has been storing both keystore and truststore. And it has been working for more than 4 years.
Granted.
karthik_ps wrote:
I doubt if MB 8 behaves anywhere differently than MB6, because when we were using MB6, it was working fine.
Because you doubt if anything has significantly changed between 2 major versions of WMB and/or the underlying Java?
_________________
Honesty is the best policy.
Insanity is the best defence.
karthik_ps
Posted: Fri Sep 20, 2013 8:44 am Post subject:
Apprentice
Joined: 10 Dec 2008 Posts: 43
Dear Poobah,
Yes, I have that doubt. Another query: is there any need to add the public key into the cacerts file?
Thanks for your reply.
karthik_ps
Posted: Thu Sep 26, 2013 4:30 am Post subject: Resolved : digital certificate handshake error on MB8
Apprentice
Joined: 10 Dec 2008 Posts: 43
While updating the certificate, we need to provide the existing private key's alias name instead of giving a new alias name. Then the new public key will extend the validity of the existing private key.
It should not be added as a new entry in the JKS file. At any cost, the private key should not be removed from the JKS.
Thanks all for the suggestion and help.
Regards,
Karthik
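As an added example (not code from this thread, from IBM or from the broker product), the resolution above and lancelotlinc's keystore/truststore advice expressed with the JRE's own java.security.KeyStore API, which is what the broker's SSL is built on. It replaces the certificate chain on the existing PrivateKeyEntry under the same alias (the API equivalent of `keytool -importcert -alias <existing key alias>`), after checking that the renewed certificate carries the same public key as the stored private key, is valid today, and still verifies against the issuer kept in the old chain; importing under a new alias instead would only add a trustedCertEntry and leave the key entry presenting its expired certificate. Before writing, it lists every entry's type and expiry and warns when one JKS holds both key entries and trusted certificates, the keystore-doubling-as-truststore situation the thread argues against. The file paths, password and alias are placeholders, and the key password is assumed to equal the store password.

```java
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.Enumeration;

/*
 * Added example, not from the thread or from IBM. Renews the certificate on an
 * existing JKS PrivateKeyEntry under the SAME alias, which is the fix the
 * thread arrived at. Assumed: key password == store password (the keytool
 * default when none was given); the renewed cert is a PEM or DER X.509 file.
 *
 *   java RenewJksCert server.keystore changeit brokercert renewed.cer
 *
 * Paths, password and alias above are placeholders, not broker values.
 */
public class RenewJksCert {

    public static void main(String[] args) throws Exception {
        if (args.length != 4) {
            System.err.println("usage: RenewJksCert <keystore.jks> <storepass> <alias> <renewed-cert>");
            System.exit(2);
        }
        String ksPath = args[0], alias = args[2], certPath = args[3];
        char[] pass = args[1].toCharArray();

        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(ksPath)) {
            ks.load(in, pass);
        }
        audit(ks);

        // The renewed cert belongs on the key entry. Importing it under a new
        // alias only creates a trustedCertEntry; the private key keeps its old
        // expired chain and the broker keeps presenting that in the handshake.
        if (!ks.isKeyEntry(alias)) {
            throw new IllegalStateException(alias + " is not a PrivateKeyEntry");
        }
        PrivateKey key = (PrivateKey) ks.getKey(alias, pass);
        Certificate[] oldChain = ks.getCertificateChain(alias);
        X509Certificate current = (X509Certificate) oldChain[0];
        X509Certificate renewed = loadCert(certPath);

        // Check 1: same key pair. A cert for a different key would silently
        // desynchronise the entry from the private key it sits on.
        if (!Arrays.equals(current.getPublicKey().getEncoded(),
                           renewed.getPublicKey().getEncoded())) {
            throw new IllegalStateException("renewed cert public key != key of alias " + alias);
        }
        // Check 2: the cert is valid right now (throws otherwise).
        renewed.checkValidity();

        // Check 3: the issuer chain still fits. If the CA changed with the
        // renewal, the old intermediate will not verify it and a new chain
        // (root first, as the thread notes) has to be supplied instead.
        Certificate[] newChain = oldChain.clone();
        newChain[0] = renewed;
        if (newChain.length > 1) {
            renewed.verify(newChain[1].getPublicKey());   // throws on mismatch
        } else {
            renewed.verify(renewed.getPublicKey());       // self-signed entry
        }

        // Same alias, same private key, new chain: this is what "extends the
        // validity of the existing private key" means in practice.
        ks.setKeyEntry(alias, key, pass, newChain);
        try (FileOutputStream out = new FileOutputStream(ksPath)) {
            ks.store(out, pass);
        }
        System.out.println("replaced certificate chain on alias '" + alias + "'");
    }

    /** Reads one PEM or DER encoded X.509 certificate from a file. */
    static X509Certificate loadCert(String path) throws Exception {
        try (InputStream in = new FileInputStream(path)) {
            return (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
        }
    }

    /**
     * Lists every entry with its type and expiry, and flags a file holding both
     * key entries and trusted certs: a keystore doubling as a truststore.
     */
    static void audit(KeyStore ks) throws Exception {
        int keys = 0, trusted = 0;
        Enumeration<String> aliases = ks.aliases();
        while (aliases.hasMoreElements()) {
            String a = aliases.nextElement();
            X509Certificate c = (X509Certificate) ks.getCertificate(a);
            boolean isKey = ks.isKeyEntry(a);
            if (isKey) keys++; else trusted++;
            boolean expired = c.getNotAfter().getTime() < System.currentTimeMillis();
            System.out.printf("%-20s %-16s notAfter=%s%s%n", a,
                              isKey ? "PrivateKeyEntry" : "trustedCertEntry",
                              c.getNotAfter(), expired ? "  <-- EXPIRED" : "");
        }
        if (keys > 0 && trusted > 0) {
            System.out.println("WARNING: file holds " + keys + " key entries and " + trusted
                + " trusted certs; keystore and truststore should be separate files");
        }
    }
}
```

Run it against a copy of the JKS first; it rewrites the file in place. The three checks are the ones that turn the vendor's opaque "handshake failure" alert into a specific local error: a key mismatch, an expired or not-yet-valid certificate, or an issuer that changed with the renewal and so needs its own root and intermediate loaded before the entry will chain.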