JSSE certificate
oluies
Posted: Thu Feb 19, 2015 2:42 am    Post subject: JSSE certificate

Newbie

Joined: 19 Feb 2015
Posts: 9

Hi,

When using Oracle JVM with Oracle JSSE to do SSL auth with MQ... how is the client certificate selected?

Thanks,
ÖL
fjb_saper
Posted: Thu Feb 19, 2015 6:14 am

Grand High Poobah

Joined: 18 Nov 2003
Posts: 20696
Location: LI,NY

How does standard java SSL select a particular cert from the store?
I believe the answer is, it tries until successful, or running out of certs?
You can give it a hint by having a cert label of "ibmwebspheremquserid"
And look at Morag's post here on that same subject:
http://www.mqseries.net/phpBB2/viewtopic.php?t=69536

Also, depending on your version of MQ, you may need an APAR or 2.
MQ does not deal so well with non-IBM JVMs when it comes to JMS and SSL in version 7.5 ...
_________________
MQ & Broker admin
oluies
Posted: Thu Feb 19, 2015 8:39 am

Newbie

Joined: 19 Feb 2015
Posts: 9

Yes, I know about the "not too well" part, and I have a prepatch for that based on RFE 61798.

If I use the same certstore with MQ Explorer all is fine, and I use the ...<userid>
fjb_saper
Posted: Thu Feb 19, 2015 9:28 am

Grand High Poobah

Joined: 18 Nov 2003
Posts: 20696
Location: LI,NY

oluies wrote:
Yes, I know about the "not too well" part, and I have a prepatch for that based on RFE 61798.

If I use the same certstore with MQ Explorer all is fine, and I use the ...<userid>


Looks like the PMR route is the answer for you...

As an afterthought, run with -Djavax.net.debug="true" and check which keystore / certstore is being used... I have had bad surprises in that area, where Java defaulted to the key/certstore in the JRE/security directory...
_________________
MQ & Broker admin
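
An added example, not part of the thread and not IBM or Oracle code: for the question of which client certificate JSSE presents, and for the point above about the JVM falling back to an unexpected keystore, this Java class loads a keystore explicitly and wraps the default X509KeyManager so that one named alias is always presented, logging what the default manager would have chosen. The class name, the command-line arguments and the assumption that the key password equals the store password are illustrative.

```java
import javax.net.ssl.*;
import java.io.FileInputStream;
import java.net.Socket;
import java.security.*;
import java.security.cert.X509Certificate;
import java.util.Arrays;

// Added example (not from the thread): always present one named client certificate.
public class PinnedAliasKeyManager implements X509KeyManager {
    private final X509KeyManager delegate; // JSSE's default key manager for the keystore
    private final String alias;            // alias to present; supplied by the caller

    PinnedAliasKeyManager(X509KeyManager delegate, String alias) {
        this.delegate = delegate;
        this.alias = alias;
    }

    @Override
    public String chooseClientAlias(String[] keyTypes, Principal[] issuers, Socket socket) {
        // Log what the default manager would have offered for this CertificateRequest.
        System.err.println("key types " + Arrays.toString(keyTypes)
                + ": default=" + delegate.chooseClientAlias(keyTypes, issuers, socket)
                + ", pinned=" + alias);
        return alias;
    }
    @Override public String[] getClientAliases(String t, Principal[] i) { return new String[] { alias }; }
    @Override public String[] getServerAliases(String t, Principal[] i) { return delegate.getServerAliases(t, i); }
    @Override public String chooseServerAlias(String t, Principal[] i, Socket s) { return delegate.chooseServerAlias(t, i, s); }
    @Override public X509Certificate[] getCertificateChain(String a) { return delegate.getCertificateChain(a); }
    @Override public PrivateKey getPrivateKey(String a) { return delegate.getPrivateKey(a); }

    // Build an SSLContext from an explicit keystore instead of relying on JVM defaults.
    // Assumption: the key entry's password is the same as the keystore password.
    static SSLContext contextFor(String path, char[] password, String alias) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (FileInputStream in = new FileInputStream(path)) { ks.load(in, password); }
        if (!ks.isKeyEntry(alias)) // fail early rather than send an empty Certificate message
            throw new KeyStoreException("no private key entry under alias '" + alias + "'");
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(ks, password);
        X509KeyManager base = (X509KeyManager) kmf.getKeyManagers()[0];
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(new KeyManager[] { new PinnedAliasKeyManager(base, alias) }, null, null);
        return ctx; // null trust managers/random: JVM default trust store and SecureRandom
    }

    public static void main(String[] args) throws Exception { // args: keystore password alias
        SSLContext ctx = contextFor(args[0], args[1].toCharArray(), args[2]);
        System.out.println("SSLContext ready, protocol " + ctx.getProtocol());
    }
}
```

Passing `ctx.getSocketFactory()` to the MQ connection factory's `setSSLSocketFactory` makes the JMS client use this context instead of the JVM-wide default.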
oluies
Posted: Fri Feb 20, 2015 12:31 am

Newbie

Joined: 19 Feb 2015
Posts: 9

Yeah, I have been PMRing for a while.

The JDK home/security is a great idea.

The debug flag has changed from true to a level, so:

-Djavax.net.debug=all -Dcom.ibm.msg.client.commonservices.trace.status=ON

-Djavax.net.debug=help gives you

all            turn on all debugging
ssl            turn on ssl debugging

The following can be used with ssl:
    record        enable per-record tracing
    handshake     print each handshake message
    keygen        print key generation data
    session       print session activity
    defaultctx    print default SSL initialization
    sslctx        print SSLContext tracing
    sessioncache  print session cache tracing
    keymanager    print key manager tracing
    trustmanager  print trust manager tracing
    pluggability  print pluggability tracing

    handshake debugging can be widened with:
    data          hex dump of each handshake message
    verbose       verbose handshake message printing

    record debugging can be widened with:
    plaintext     hex dump of record plaintext
    packet        print raw SSL/TLS packets
oluies
Posted: Fri Feb 20, 2015 12:38 am

Newbie

Joined: 19 Feb 2015
Posts: 9

Well I was pointing to the trust/keystore with

javax.net.ssl.keyStore/trustStore so no luck
oluies
Posted: Fri Feb 20, 2015 3:42 am

Newbie

Joined: 19 Feb 2015
Posts: 9

Noted that the JSSE keytool can display the MQ manager SSL Certs

% keytool -printcert -sslserver server:port

neat
oluies
Posted: Mon Apr 06, 2015 12:35 pm

Newbie

Joined: 19 Feb 2015
Posts: 9

I got it working and wrote up a note here http://stackoverflow.com/a/29471616/203968