IIB 9.0.0.1: HTTPS keystore & keypassword password
akil
Posted: Fri Jul 25, 2014 12:38 am    Post subject: IIB 9.0.0.1: HTTPS keystore & keypassword password
Partisan; Joined: 27 May 2014; Posts: 338; Location: Mumbai

Hi

I am trying to get SSL configured for the broker-wide HTTP listener, using a self-signed certificate generated via keytool. I have created a new keystore (with one private key) and a new truststore (that is currently empty).

I am facing two problems:
1. I am unable to use the broker registry for specifying the keystore password.
2. I am unable to use a key password that is different from the keystore password.

I am referring to the documentation here: http://www-01.ibm.com/support/knowledgecenter/SSMKHH_9.0.0/com.ibm.etools.mft.doc/an09141_.htm?cp=SSMKHH_9.0.0

Details of problem #1

As per the documentation, the keystore and truststore password can be specified in one of two ways:

(a) via the broker registry
Code:
mqsisetdbparms IB9NODE -n brokerKeystore::password -u temp -p myPassword
mqsichangeproperties IB9NODE -b httplistener -o HTTPSConnector -n keystorePass -v brokerKeystore::password

(b) without the broker registry
Code:
mqsichangeproperties IB9NODE -b httplistener -o HTTPSConnector -n keystorePass -v myPassword

Option (b) works like a charm.
Option (a) gives the following stack in the syslog.
Code:
Jul 25 11:34:48 iib IIB[16030]: IBM Integration Bus v9000 (IB9NODE.HTTPListener) [Thread 16105] (Msg 1/1) BIP3135S: An exception occurred while starting the servlet engine connector. Exception text is HTTP Listener java.io.IOException: Keystore was tampered with, or password was incorrect at com.ibm.crypto.provider.JavaKeyStore.engineLoad(Unknown Source) at java.security.KeyStore.load(KeyStore.java:1214) at org.apache.tomcat.util.net.jsse.JSSESocketFactory.getStore(JSSESocketFactory.java:407) at org.apache.tomcat.util.net.jsse.JSSESocketFactory.getKeystore(JSSESocketFactory.java:306) at org.apache.tomcat.util.net.jsse.JSSESocketFactory.getKeyManagers(JSSESocketFactory.java:565) at org.apache.tomcat.util.net.jsse.JSSESocketFactory.getKeyManagers(JSSESocketFactory.java:505) at org.apache.tomcat.util.net.jsse.JSSESocketFactory.init(JSSESocketFactory.java:449) at org.apache.tomcat.util.net.jsse.JSSESocketFactory.createSocket(JSSESocketFactory.java:158) at org.apache.tomcat.util.net.JIoEndpoint.bind(JIoEndpoint.java:393) at org.apache.tomcat.util.net.AbstractEndpoint.start(AbstractEndpoint.java:617) at org.apache.coyote.AbstractProtocol.start(AbstractProtocol.java:444) at org.apache.catalina.connector.Connector.startInternal(Connector.java:1010) at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:150) at com.ibm.broker.httplistener.ConnectorWrapper.start(ConnectorWrapper.java:177) at com.ibm.broker.httplistener.TomcatWrapper.startSecureHTTPSConnector(TomcatWrapper.java:207) at com.ibm.broker.httplistener.HTTPListenerManager.ensureServletContainer(HTTPListenerManager.java:330) at com.ibm.broker.httplistener.HTTPListenerManager.run(HTTPListenerManager.java:168) at java.lang.Thread.run(Thread.java:780) Caused by: java.security.UnrecoverableKeyException: Password verification failed ... 18 more

Details of problem #2

If I generate a key with a password that is different from the keystore password,
Code:
keytool -genkey -keyalg RSA -alias devssl -keystore /var/mqsi/keys/mqbrkrs.keystore -storepass myPassword -validity 360 -keysize 2048 -keypass myKeyPassword -dname 'CN=ADMIN,OU=IT,O=QG,L=Mumbai,C=IN'
mqsichangeproperties IB9NODE -b httplistener -o HTTPSConnector -n keyAlias -v devssl
mqsichangeproperties IB9NODE -b httplistener -o HTTPSConnector -n keypass -v myKeyPassword

then I get the following trace
Code:
Code: |
Jul 25 11:27:07 iib IIB[15300]: IBM Integration Bus v9000 (IB9NODE.HTTPListener) [Thread 15389] (Msg 1/1) BIP3135S: An exception occurred while starting the servlet engine connector. Exception text is HTTP Listener org.apache.catalina.LifecycleException: Failed to start component [Connector[com.ibm.broker.httplistener.BrokerProtocolHandler-7083]] at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:154) at com.ibm.broker.httplistener.ConnectorWrapper.start(ConnectorWrapper.java:177) at com.ibm.broker.httplistener.TomcatWrapper.startSecureHTTPSConnector(TomcatWrapper.java:207) at com.ibm.broker.httplistener.HTTPListenerManager.ensureServletContainer(HTTPListenerManager.java:330) at com.ibm.broker.httplistener.HTTPListenerManager.run(HTTPListenerManager.java:168) at java.lang.Thread.run(Thread.java:780) Caused by: org.apache.catalina.LifecycleException: service.getName(): "null"; Protocol handler start failed at org.apache.catalina.connector.Connector.startInternal(Connector.java:1017) at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:150) ... 5 more Caused by: java.io.IOException: Cannot recover key at org.apache.tomcat.util.net.jsse.JSSESocketFactory.init(JSSESocketFactory.java:475) at org.apache.tomcat.util.net.jsse.JSSESocketFactory.createSocket(JSSESocketFactory.java:158) at org.apache.tomcat.util.net.JIoEndpoint.bind(JIoEndpoint.java:393) at org.apache.tomcat.util.net.AbstractEndpoint.start(AbstractEndpoint.java:617) at org.apache.coyote.AbstractProtocol.start(AbstractProtocol.java:444) at org.apache.catalina.connector.Connector.startInternal(Connector.java:1010) ... 6 more Caused by: java.security.UnrecoverableKeyException: Cannot recover key at com.ibm.crypto.provider.s.recover(Unknown Source) at com.ibm.crypto.provider.JavaKeyStore.engineGetKey(Unknown Source) at java.security.KeyStore.getKey(KeyStore.java:792) at com.ibm.jsse2.uc.<init>(uc.java:16) at com.ibm.jsse2.cc$a_.engineInit(cc$a_.java:24) at javax.net.ssl.KeyManagerFactory.init(KeyManagerFactory.java:16) at org.apach

All works fine if I set the same password for the key and the keystore:
Code:
keytool -genkey -keyalg RSA -alias devssl -keystore /var/mqsi/keys/mqbrkrs.keystore -storepass myPassword -validity 360 -keysize 2048 -keypass myPassword -dname 'CN=ADMIN,OU=IT,O=QG,L=Mumbai,C=IN'
mqsichangeproperties IB9NODE -b httplistener -o HTTPSConnector -n keyAlias -v devssl
mqsichangeproperties IB9NODE -b httplistener -o HTTPSConnector -n keypass -v myPassword

What am I doing wrong?

Regards
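The two BIP3135S traces in the post above fail at different points in the Java keystore code path, and the innermost "Caused by" tells them apart: a failed integrity check on load ("Keystore was tampered with, or password was incorrect" / "Password verification failed") means the store password the listener resolved did not open the file at all, whereas "Cannot recover key" means the keystore opened but the password used for the key entry was not the one the entry was created with. The script below is an added example, not code from the original post or from IBM: it reads syslog lines in the format quoted above, picks out BIP3135S records, extracts the root cause and maps it to which HTTPSConnector property to check. The first two sample lines are abridged copies of the traces in the post; the third (a BindException) is constructed to show the fallback case, and the hint texts are my own wording.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple

# Sample input. Lines 1 and 2 are abridged from the BIP3135S traces quoted in
# the post above; line 3 is constructed (not from the post) to exercise the
# "some other start-up failure" path.
SAMPLE_LOG = """\
Jul 25 11:34:48 iib IIB[16030]: IBM Integration Bus v9000 (IB9NODE.HTTPListener) [Thread 16105] (Msg 1/1) BIP3135S: An exception occurred while starting the servlet engine connector. Exception text is HTTP Listener java.io.IOException: Keystore was tampered with, or password was incorrect at com.ibm.crypto.provider.JavaKeyStore.engineLoad(Unknown Source) at java.security.KeyStore.load(KeyStore.java:1214) Caused by: java.security.UnrecoverableKeyException: Password verification failed ... 18 more
Jul 25 11:27:07 iib IIB[15300]: IBM Integration Bus v9000 (IB9NODE.HTTPListener) [Thread 15389] (Msg 1/1) BIP3135S: An exception occurred while starting the servlet engine connector. Exception text is HTTP Listener org.apache.catalina.LifecycleException: Failed to start component [Connector[com.ibm.broker.httplistener.BrokerProtocolHandler-7083]] Caused by: org.apache.catalina.LifecycleException: service.getName(): "null"; Protocol handler start failed Caused by: java.io.IOException: Cannot recover key at org.apache.tomcat.util.net.jsse.JSSESocketFactory.init(JSSESocketFactory.java:475) Caused by: java.security.UnrecoverableKeyException: Cannot recover key at com.ibm.crypto.provider.s.recover(Unknown Source) at com.ibm.crypto.provider.JavaKeyStore.engineGetKey(Unknown Source)
Jul 25 11:40:02 iib IIB[16030]: IBM Integration Bus v9000 (IB9NODE.HTTPListener) [Thread 16105] (Msg 1/1) BIP3135S: An exception occurred while starting the servlet engine connector. Exception text is HTTP Listener java.net.BindException: Address already in use
"""

# Syslog prefix + IIB message prefix as they appear in the quoted traces.
HEADER_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) IIB\[(?P<pid>\d+)\]: "
    r".*?\((?P<listener>[^)]+)\) \[Thread (?P<thread>\d+)\].*?"
    r"(?P<msgid>BIP\d{4}[A-Z]): (?P<text>.*)$"
)
# "<exception class>: <message>" up to the first stack frame or "... N more".
EXC_RE = re.compile(
    r"(?P<cls>[\w.$]+(?:Exception|Error)): (?P<msg>.*?)(?= at [\w.$<>]+\(| \.\.\. \d+ more|$)"
)

# (category, root-cause message fragments, what to check). Hint wording is mine.
RULES = [
    ("keystore_password",
     ("Keystore was tampered with", "Password verification failed"),
     "JKS integrity check failed: the store password the listener resolved does not open "
     "the keystore. Check the HTTPSConnector keystorePass value (a literal password, or a "
     "brokerKeystore::password reference that must have been set with mqsisetdbparms)."),
    ("key_password",
     ("Cannot recover key",),
     "The keystore opened, but the private key entry for keyAlias could not be decrypted: "
     "the password the connector used for the entry (HTTPSConnector keypass) is not the "
     "one the entry was created with (keytool -keypass)."),
]


@dataclass(frozen=True)
class Diagnosis:
    timestamp: str
    listener: str
    root_exception: str
    root_message: str
    category: str
    hint: str


def root_cause(text: str) -> Tuple[str, str]:
    """Return (exception class, message) of the innermost cause in a flattened Java trace."""
    parts = text.split("Caused by: ")
    if len(parts) > 1:
        tail = parts[-1]  # Java prints the innermost cause last
    else:
        tail = text.split("Exception text is HTTP Listener ", 1)[-1]
    m = EXC_RE.search(tail)
    if not m:
        return "", tail.strip()
    return m.group("cls"), m.group("msg").strip()


def classify(exc_class: str, message: str) -> Tuple[str, str]:
    """Map a root cause to a category and a remediation hint."""
    for category, needles, hint in RULES:
        if any(n in message for n in needles):
            return category, hint
    return "other", f"Not a keystore/key password failure; inspect {exc_class}: {message}"


def triage(log_text: str) -> List[Diagnosis]:
    """Pick BIP3135S records out of syslog text and diagnose each one."""
    out: List[Diagnosis] = []
    for line in log_text.splitlines():
        h = HEADER_RE.match(line.strip())
        if not h or h.group("msgid") != "BIP3135S":
            continue
        cls, msg = root_cause(h.group("text"))
        category, hint = classify(cls, msg)
        out.append(Diagnosis(h.group("ts"), h.group("listener"), cls, msg, category, hint))
    return out


if __name__ == "__main__":
    for d in triage(SAMPLE_LOG):
        print(f"{d.timestamp} {d.listener}: [{d.category}] {d.root_exception}: {d.root_message}")
        print(f"    -> {d.hint}")
```

Run it against `/var/log/syslog` (or wherever the broker's syslog output lands) after a listener restart; the distinction matters because the registry-alias case in problem #1 and the separate-key-password case in problem #2 look similar at the BIP3135S level but point at different properties.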
fjb_saper
Posted: Fri Jul 25, 2014 4:30 am    Post subject:
Grand High Poobah; Joined: 18 Nov 2003; Posts: 20756; Location: LI,NY

Forget keytool and use ikeyman. It comes with your MQ installation.
It will handle Java keystores just fine. It may be a little bit more restrictive than keytool, but then you won't run into the same problems you just did...

MQ & Broker admin
akil
Posted: Fri Jul 25, 2014 8:07 am    Post subject:
Partisan; Joined: 27 May 2014; Posts: 338; Location: Mumbai

Hi

OK, I'll try that; I would not have imagined that keytool could result in broker registry password problems...
Will post results...

Regards