ashwgupt
Posted: Tue Dec 17, 2013 4:25 am Post subject: Setup for 2-way SSL for WMB WebService
Novice
Joined: 31 Oct 2011 Posts: 12
Hi,
We have a requirement to set up an HTTPS web service using SOAP nodes. The need is to set it up with 2-way SSL.
For that purpose, we have set up the PKI at EG level. The client-side signer certificates are added to the WMB truststore/keystore, and the ones used by the Broker are imported on the client services (WAS based).
But the SSL connection fails with errors like the ones below in the stdout/stderr files of the EG whenever the client service tries to connect to the Broker service:
stderr:
2013-12-17 05:07:36.387 48 at com.ibm.broker.plugin.MbNode.evaluate(MbNode.java:1480)
Exception in thread "Thread-36" 2013-12-17 05:07:42.870 55 javax.net.ssl.SSLHandshakeException: Remote host closed connection during handshake
2013-12-17 05:07:42.870 55 at com.ibm.jsse2.qc.a(qc.java:577)
2013-12-17 05:07:42.871 55 at com.ibm.jsse2.qc.h(qc.java:809)
2013-12-17 05:07:42.871 55 at com.ibm.jsse2.qc.a(qc.java:106)
2013-12-17 05:07:42.872 55 at com.ibm.jsse2.qc.startHandshake(qc.java:586)
2013-12-17 05:07:42.872 55 at com.ibm.broker.imbsslsocket.MbSslSocket.connectTimeoutInternalNoProxy(MbSslSocket.java:316)
2013-12-17 05:07:42.873 55 at com.ibm.broker.imbsslsocket.MbSslSocket.connectTimeout(MbSslSocket.java:168)
2013-12-17 05:07:42.874 55 at com.ibm.broker.plugin.MbOutputTerminal._propagate(Native Method)
2013-12-17 05:07:42.874 55 at com.ibm.broker.plugin.MbOutputTerminal.propagate(MbOutputTerminal.java:133)
2013-12-17 05:07:42.875 55 at com.ibm.broker.plugin.MbOutputTerminal.propagate(MbOutputTerminal.java:8
2013-12-17 05:07:42.875 55 at com.fidintl.bs.soap.TargetEndPointSelector.evaluate(TargetEndPointSelector.java:91)
2013-12-17 05:07:42.876 55 at com.ibm.broker.javacompute.MbRuntimeJavaComputeNode.evaluate(MbRuntimeJavaComputeNode.java:281)
2013-12-17 05:07:42.876 55 at com.ibm.broker.plugin.MbNode.evaluate(MbNode.java:1480)
2013-12-17 05:07:42.877 55 Caused by: java.io.EOFException: SSL peer shut down incorrectly
2013-12-17 05:07:42.878 55 at com.ibm.jsse2.a.a(a.java:105)
2013-12-17 05:07:42.878 55 at com.ibm.jsse2.qc.a(qc.java:619)
stdout:
unable to negotiate SSL connection. Client key alias supplied was []
However, when the 'extracted certificate' (for the personal cert used in the broker's truststore/keystore), extracted using iKeyman or the IE browser, is imported on the client side, the SSL connection works.
Can someone comment on whether that's really required?
Shouldn't just the CA certs exchange work for the 2-way SSL handshake?
ComIbmJVMManager
uuid='ComIbmJVMManager'
userTraceLevel='none'
traceLevel='none'
userTraceFilter='none'
traceFilter='none'
vrmfIntroducedAt='7.0.0.0'
resourceStatsReportingOn='inactive'
resourceStatsMeasurements='<ResourceStatsSwitches ResourceType="JVM" version='1'> <Measurement name="InitialMemoryInMB" collect="on" /> <Measurement name="UsedMemoryInMB" collect="on" /> <Measurement name="CommittedMemoryInMB" collect="on" /> <Measurement name="MaxMemoryInMB" collect="on" /> <Measurement name="CumulativeGCTimeInSeconds" collect="on" /> <Measurement name="CumulativeNumberOfGCCollections" collect="on" /> </ResourceStatsSwitches>'
activityLogSupported='no'
jvmVerboseOption='none'
jvmDisableClassGC='false'
jvmShareClasses='false'
jvmNativeStackSize='-1'
jvmJavaOSStackSize='-1'
jvmMinHeapSize='-1'
jvmMaxHeapSize='-1'
jvmDebugPort='-2930'
jvmSystemProperty=''
keystoreType='JKS'
keystoreFile='/opt/keystore.jks'
keystorePass='gateway::password'
truststoreType='JKS'
truststoreFile='/opt/keystore.jks'
truststorePass='gateway::password'
crlFileList=''
enableCRLDP=''
kerberosConfigFile=''
kerberosKeytabFile=''
HTTPSConnector
uuid='HTTPSConnector'
userTraceLevel='none'
traceLevel='none'
userTraceFilter='none'
traceFilter='none'
port='9350'
address=''
maxPostSize=''
acceptCount=''
compressableMimeTypes=''
compression=''
connectionLinger=''
connectionTimeout=''
maxHttpHeaderSize=''
maxKeepAliveRequests=''
maxThreads=''
minSpareThreads=''
noCompressionUserAgents=''
restrictedUserAgents=''
socketBuffer=''
tcpNoDelay=''
explicitlySetPortNumber='9350'
enableLookups=''
enableMQListener=''
shutdownDelay=''
allowCrossConnectorPolling=''
autoRespondHTTPHEADRequests=''
algorithm=''
clientAuth='false'
keystoreFile='/opt/keystore.jks'
keystorePass='********'
keystoreType='JKS'
truststoreFile='/opt/keystore.jks'
truststorePass='********'
truststoreType='JKS'
sslProtocol=''
ciphers=''
keypass='********'
keyAlias=''
sslSessionTimeout=''
crlFile=''
propagateClientCert=''
Connector
port='9350'
type='Embedded'
URLRegistration
url='/services/default_sec/1'
outstandingRequests='0'
outstandingTimeoutRequests='0'
UsedBySOAPNNodes='TRUE'
UsedByHTTPNNodes='FALSE'
nodeLabel='GatewayInput'
URLRegistration
url='/rest/testcontextpath/*'
outstandingRequests='0'
outstandingTimeoutRequests='0'
UsedBySOAPNNodes='FALSE'
fjb_saper
Posted: Tue Dec 17, 2013 5:38 am
Grand High Poobah
Joined: 18 Nov 2003 Posts: 20756 Location: LI,NY
Whenever using SSL you always need the full cert chain...
_________________
MQ & Broker admin
ashwgupt
Posted: Tue Dec 17, 2013 5:59 am
Novice
Joined: 31 Oct 2011 Posts: 12
Thanks for the reply. Yes, we have tried adding all the involved CA certs, which are always used for the one-way SSL setup in our org.
fjb_saper
Posted: Tue Dec 17, 2013 6:08 am
Grand High Poobah
Joined: 18 Nov 2003 Posts: 20756 Location: LI,NY
And for 2-way SSL you also need the partner's cert (public key) in your truststore.... (obviously with its full chain)
_________________
MQ & Broker admin
ashwgupt
Posted: Thu Dec 19, 2013 1:29 am
Novice
Joined: 31 Oct 2011 Posts: 12
How exactly do we obtain the public key for the WMB certificate? I believe the 'extract certificate' option in iKeyman will do that, won't it?
And do we still need that to be added on the client side even when the CA certs used by our WMB are already added there?
PeterPotkay
Posted: Thu Dec 19, 2013 4:29 am
Poobah
Joined: 15 May 2001 Posts: 7722
ashwgupt wrote:
How exactly do we obtain the public key for the WMB certificate? I believe the 'extract certificate' option in iKeyman will do that, won't it?

Extract will do it.
Code:
runmqckm -cert -extract -db /myWMBkeystores/MyBroker.keystore.jks -pw SuperSecretPassword -label MyBrokersPrivateLabelname -target /myFolder/ssl/public/MyBrokersPublicCert.der -format binary
Alternatively someone acting on behalf of the SSL client can just use their Firefox browser to view and then save the public half of the broker cert.

ashwgupt wrote:
And do we still need that to be added on the client side even when the CA certs used by our WMB are already added there?

If all the appropriate CA signer certs (including any intermediates) are in the client's trust store, then you don't need to extract the public cert from the Broker to give to the client just so that they can validate the Broker's cert.
_________________
Peter Potkay
Keep Calm and MQ On
fjb_saper
Posted: Sun Dec 22, 2013 8:16 pm
Grand High Poobah
Joined: 18 Nov 2003 Posts: 20756 Location: LI,NY
PeterPotkay wrote:
ashwgupt wrote:
And do we still need that to be added on the client side even when the CA certs used by our WMB are already added there?
If all the appropriate CA signer certs (including any intermediates) are in the client's trust store, then you don't need to extract the public cert from the Broker to give to the client just so that they can validate the Broker's cert.

Sorry, but he's talking about 2-way SSL. The broker will need the client's public cert and the client may as well need the broker's cert. Not needing the other party's public cert works for one-way SSL (it is flowed on the connection).
_________________
MQ & Broker admin
PeterPotkay
Posted: Mon Dec 23, 2013 5:25 am
Poobah
Joined: 15 May 2001 Posts: 7722
fjb_saper wrote:
PeterPotkay wrote:
ashwgupt wrote:
And do we still need that to be added on the client side even when the CA certs used by our WMB are already added there?
If all the appropriate CA signer certs (including any intermediates) are in the client's trust store, then you don't need to extract the public cert from the Broker to give to the client just so that they can validate the Broker's cert.
Sorry, but he's talking about 2-way SSL. The broker will need the client's public cert and the client may as well need the broker's cert. Not needing the other party's public cert works for one-way SSL (it is flowed on the connection).

If both the SSL server and the SSL client are using certificates signed by a public CA (i.e. Verisign), are you saying that it won't work even if both the client and the server have the correct public CA signer certs in their respective trust stores?
_________________
Peter Potkay
Keep Calm and MQ On
fjb_saper
Posted: Mon Dec 23, 2013 5:07 pm
Grand High Poobah
Joined: 18 Nov 2003 Posts: 20756 Location: LI,NY
AFAIK with 2-way SSL you encode with the public key of the other party...
I know the broker needs the client cert in its truststore to establish that the client is who he says he is, as the broker will compare the cert to the one in its truststore...
In MQ you just check the SSLPEER and that's it. No need for the public cert of the partner... Not so in the broker...
_________________
MQ & Broker admin
ashwgupt
Posted: Tue Dec 24, 2013 1:40 am
Novice
Joined: 31 Oct 2011 Posts: 12
So we are not 100% sure how it works with WMB. There is an uncertainty on the need for the public part of each side's certificate to be added on the other side.
Observation in our setup showed the need for the WMB cert's public part to be added on the client side, which looked different from what is done for WMQ, and that triggered the original question.
I couldn't find any clear documentation or instruction in the IBM infocenter either.
Will keep investigating and searching. Please add if you find any further proofs or documentation on this topic.
PeterPotkay
Posted: Tue Dec 24, 2013 6:24 am
Poobah
Joined: 15 May 2001 Posts: 7722
fjb_saper wrote:
AFAIK with 2-way SSL you encode with the public key of the other party...
I know the broker needs the client cert in its truststore to establish that the client is who he says he is, as the broker will compare the cert to the one in its truststore...
In MQ you just check the SSLPEER and that's it. No need for the public cert of the partner... Not so in the broker...

So if you want to only accept connections from an SSL client presenting a particular certificate, then you start with an empty trust store and yes, only add in the public half of the specific certificate you wish to accept connections with.
But if you add a signer certificate into the trust store for that Broker or Execution Group, then the SSL server (the Broker or the EG) will accept any SSL client connections using certificates signed by that CA. You won't need the specific public half of the SSL client's cert added into your trust store in this case. But in this case you may be allowing too wide an audience of SSL clients in, due to the lack of SSLPEER-like functionality in WMB.
On that last point I have a PMR open with IBM for the past few weeks to truly confirm there is no way to do SSLPEER-like filtering at the Input node level...interesting developments potentially on the horizon.
_________________
Peter Potkay
Keep Calm and MQ On
fjb_saper
Posted: Tue Dec 24, 2013 7:34 am
Grand High Poobah
Joined: 18 Nov 2003 Posts: 20756 Location: LI,NY
PeterPotkay wrote:
So if you want to only accept connections from an SSL client presenting a particular certificate, then you start with an empty trust store and yes, only add in the public half of the specific certificate you wish to accept connections with.
But if you add a signer certificate into the trust store for that Broker or Execution Group, then the SSL server (the Broker or the EG) will accept any SSL client connections using certificates signed by that CA. You won't need the specific public half of the SSL client's cert added into your trust store in this case. But in this case you may be allowing too wide an audience of SSL clients in, due to the lack of SSLPEER-like functionality in WMB.
On that last point I have a PMR open with IBM for the past few weeks to truly confirm there is no way to do SSLPEER-like filtering at the Input node level...interesting developments potentially on the horizon.

That's why you have the policy. The policy will give you the 2-way SSL and only accept a cert if it is also in the truststore. Of course you will need the full cert chain in the truststore.
The downside of this approach is that you now need to maintain your truststore and look at your partner's cert expiration dates etc...
The cleaner approach would have been to allow you screening of the cert's distinguished name, like the SSLPEER approach in WMQ...
Have fun
_________________
MQ & Broker admin
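Added example, not from this thread or from IBM's tooling: the two truststore choices Peter and fjb_saper describe above (signer CA in the truststore versus only the partner's own leaf cert) modelled with openssl instead of runmqckm/iKeyman, plus the SSLPEER-style subject filter the thread says WMB lacks. It builds a constructed in-house CA, two client certs that CA issued and a self-signed partner cert, then checks which ones a server would accept with each truststore. Assumes openssl on PATH; every name (In-House CA, svc-client, other-client, partner-selfsigned) is constructed for the demo.

```shell
#!/bin/sh
# Truststore semantics for 2-way SSL, modelled with openssl (added example).
# Assumes openssl on PATH; all certificate names below are constructed.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed in-house CA, two client certs it issued, one self-signed partner.
openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=In-House CA" \
  -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
for c in svc-client other-client; do
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$c/O=Example" \
    -keyout "$WORK/$c.key" -out "$WORK/$c.csr" 2>/dev/null
  openssl x509 -req -days 365 -in "$WORK/$c.csr" -CA "$WORK/ca.crt" \
    -CAkey "$WORK/ca.key" -CAcreateserial -out "$WORK/$c.crt" 2>/dev/null
done
openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
  -subj "/CN=partner-selfsigned" \
  -keyout "$WORK/partner.key" -out "$WORK/partner.crt" 2>/dev/null

# Would a server whose truststore is $1 accept the presented cert $2?
# $3 (optional) is passed through to openssl verify. Exit 0 = accepted.
verify_against() {
  openssl verify -CAfile "$1" ${3:-} "$2" >/dev/null 2>&1
}
# Signer CA in the truststore: every cert that CA ever issued gets in.
accepted_by_signer_truststore() { verify_against "$WORK/ca.crt" "$1"; }
# Only svc-client's leaf in an otherwise empty truststore: that cert alone.
# -partial_chain lets a non-root cert in the store act as the trust anchor,
# which is how a JKS truststore holding just the partner's leaf behaves.
accepted_by_pinned_truststore() {
  verify_against "$WORK/svc-client.crt" "$1" -partial_chain
}
# SSLPEER-style filter on the subject DN, applied after chain validation.
subject_matches() { openssl x509 -noout -subject -in "$1" | grep -q "$2"; }

for c in svc-client other-client partner; do
  s=rejected; accepted_by_signer_truststore "$WORK/$c.crt" && s=accepted
  p=rejected; accepted_by_pinned_truststore "$WORK/$c.crt" && p=accepted
  echo "$c: signer-truststore=$s pinned-truststore=$p"
done
# The self-signed partner is only accepted once its own cert is in the store.
verify_against "$WORK/partner.crt" "$WORK/partner.crt" && \
  echo "partner: accepted when its self-signed cert is the truststore entry"
```

The signer truststore admits both CA-issued clients (Peter's "too wide an audience"), the pinned truststore admits only svc-client, and the self-signed partner needs its own cert installed, which is fjb_saper's maintenance cost.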
zpat
Posted: Thu Sep 18, 2014 2:13 am
Jedi Council
Joined: 19 May 2001 Posts: 5866 Location: UK
We are getting this problem on IIB v9.
The broker has a CA-signed personal cert. The other end has a self-signed cert (and holds the CA signer for our cert).
The broker holds the self-signed cert for the other end.
But we get this SSL handshake failure.
_________________
Well, I don't think there is any question about it. It can only be attributable to human error. This sort of thing has cropped up before, and it has always been due to human error.
fjb_saper
Posted: Thu Sep 18, 2014 4:36 am
Grand High Poobah
Joined: 18 Nov 2003 Posts: 20756 Location: LI,NY
Does the client also hold the public cert of the broker? (i.e. the full chain)
_________________
MQ & Broker admin
zpat
Posted: Thu Sep 18, 2014 5:06 am
Jedi Council
Joined: 19 May 2001 Posts: 5866 Location: UK
We're using our own in-house CA, so the one signer cert should be enough.
_________________
Well, I don't think there is any question about it. It can only be attributable to human error. This sort of thing has cropped up before, and it has always been due to human error.