oluies |
Posted: Thu Feb 19, 2015 2:42 am Post subject: JSSE certificate |
|
|
Newbie
Joined: 19 Feb 2015 Posts: 9
|
Hi,
When using Oracle JVM with Oracle JSSE to do SSL auth with MQ... how is the client certificate selected?
Thanks,
ÖL |
|
fjb_saper |
Posted: Thu Feb 19, 2015 6:14 am Post subject: |
|
|
 Grand High Poobah
Joined: 18 Nov 2003 Posts: 20756 Location: LI,NY
|
How does standard java SSL select a particular cert from the store?
I believe the answer is, it tries until successful, or running out of certs?
You can give it a hint by having a cert label of "ibmwebspheremquserid"
And look at Morag's post here on that same subject:
http://www.mqseries.net/phpBB2/viewtopic.php?t=69536
Also depending on your version of MQ you may need an APAR or 2.
MQ does not deal so well with non-IBM JVMs when it comes to JMS and SSL in version 7.5 ...
_________________
MQ & Broker admin |
|
oluies |
Posted: Thu Feb 19, 2015 8:39 am Post subject: |
|
|
Newbie
Joined: 19 Feb 2015 Posts: 9
|
Yes, I know about the "not too well" part and I have a prepatch for that based on RFE 61798.
If I use the same certstore with MQ Explorer all is fine and I use the ...<userid> |
|
fjb_saper |
Posted: Thu Feb 19, 2015 9:28 am Post subject: |
|
|
 Grand High Poobah
Joined: 18 Nov 2003 Posts: 20756 Location: LI,NY
|
oluies wrote: |
Yes, I know about the "not too well" part and I have a prepatch for that based on RFE 61798.
If I use the same certstore with MQ Explorer all is fine and I use the ...<userid> |
Looks like the PMR route is the answer for you...
As an afterthought, run with -Djavax.net.debug="true" and check which keystore / certstore is being used... I have had bad surprises in that area, where Java defaulted to the key/certstore in the JRE/security directory...
_________________
MQ & Broker admin |
|
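An added example, not part of the thread and not IBM or Oracle code: a small Java check of which keystore the JVM properties point at and which alias the default JSSE X509KeyManager returns first for client authentication. It assumes the standard javax.net.ssl.keyStore, keyStoreType and keyStorePassword system properties are set as for the MQ client; the class name ClientAliasCheck is hypothetical.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import java.util.Collections;
import javax.net.ssl.KeyManager;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.X509KeyManager;

// Hypothetical diagnostic class (added example, not from the thread).
// Run it with the same -Djavax.net.ssl.keyStore... options as the MQ client.
public class ClientAliasCheck {
    public static void main(String[] args) throws Exception {
        String path = System.getProperty("javax.net.ssl.keyStore");
        if (path == null) {
            // Oracle JSSE has no default key store: without this property the
            // default SSLContext has no client certificate to offer.
            System.out.println("javax.net.ssl.keyStore is not set");
            return;
        }
        String type = System.getProperty("javax.net.ssl.keyStoreType", KeyStore.getDefaultType());
        char[] pass = System.getProperty("javax.net.ssl.keyStorePassword", "").toCharArray();

        KeyStore ks = KeyStore.getInstance(type);
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, pass);
        }
        System.out.println("Key store: " + path + " (" + type + ")");
        for (String alias : Collections.list(ks.aliases())) {
            System.out.println("  " + alias + (ks.isKeyEntry(alias) ? "  [private key]" : "  [certificate only]"));
        }

        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(ks, pass); // same password for store and keys, as the JSSE default does
        for (KeyManager km : kmf.getKeyManagers()) {
            if (!(km instanceof X509KeyManager)) continue;
            X509KeyManager xkm = (X509KeyManager) km;
            // In a real handshake the issuer list comes from the server's
            // CertificateRequest; null here means "any issuer".
            String alias = xkm.chooseClientAlias(new String[] {"RSA", "EC", "DSA"}, null, null);
            System.out.println("Default key manager picks: " + alias);
            if (alias != null) {
                X509Certificate[] chain = xkm.getCertificateChain(alias);
                System.out.println("  subject: " + chain[0].getSubjectX500Principal());
                System.out.println("  issuer:  " + chain[0].getIssuerX500Principal());
            }
        }
    }
}
```

Only aliases marked as private-key entries can be offered as a client certificate; comparing the reported alias and issuer with the keymanager lines of the javax.net.debug trace shows whether the MQ client is reading the same store.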
oluies |
Posted: Fri Feb 20, 2015 12:31 am Post subject: |
|
|
Newbie
Joined: 19 Feb 2015 Posts: 9
|
Yeah, I have been PMRing for a while.
The JDK home/security is a great idea.
The debug flag has changed from true to a level, so:
-Djavax.net.debug=all -Dcom.ibm.msg.client.commonservices.trace.status=ON
-Djavax.net.debug=help gives you
all            turn on all debugging
ssl            turn on ssl debugging
The following can be used with ssl:
    record       enable per-record tracing
    handshake    print each handshake message
    keygen       print key generation data
    session      print session activity
    defaultctx   print default SSL initialization
    sslctx       print SSLContext tracing
    sessioncache print session cache tracing
    keymanager   print key manager tracing
    trustmanager print trust manager tracing
    pluggability print pluggability tracing
handshake debugging can be widened with:
    data         hex dump of each handshake message
    verbose      verbose handshake message printing
record debugging can be widened with:
    plaintext    hex dump of record plaintext
    packet       print raw SSL/TLS packets |
|
oluies |
Posted: Fri Feb 20, 2015 12:38 am Post subject: |
|
|
Newbie
Joined: 19 Feb 2015 Posts: 9
|
Well I was pointing to the trust/keystore with
javax.net.ssl.keyStore/trustStore so no luck |
|
oluies |
Posted: Fri Feb 20, 2015 3:42 am Post subject: |
|
|
Newbie
Joined: 19 Feb 2015 Posts: 9
|
Noted that the JSSE keytool can display the MQ manager SSL Certs
% keytool -printcert -sslserver server:port
neat |
|
oluies |
Posted: Mon Apr 06, 2015 12:35 pm Post subject: |
|
|
Newbie
Joined: 19 Feb 2015 Posts: 9
|
|