sandydxb (Newbie, joined 29 Sep 2015, 8 posts)
Posted: Tue Sep 29, 2015 2:22 am    Post subject: SSL configuration Error
Dear Experts,
I am trying to configure SSL on WebSphere MQ and to access the queue manager from Java code.
Steps followed:
Server side:
1) Created a keystore of type CMS and stored the password in a stash file.
2) Created a personal certificate with the label "ibmwebspheremqssltestqm".
3) Extracted the certificate to a ".arm" file to add it to the client trust store.
4) Assigned the keystore path D:\MQSSL\ to the queue manager.
5) Assigned a cipher spec to the server connection channel.
Client side (Java code):
MQEnvironment.hostname = ipaddress;
MQEnvironment.port = portNumber;
MQEnvironment.channel = channelName; // server connection channel on which the cipher spec is set
System.setProperty("javax.net.ssl.trustStore", "E:\\Client\\trust.kdb");
System.setProperty("javax.net.ssl.keyStore", keystore);
System.setProperty("javax.net.ssl.keyStorePassword", trustStorePassword);
MQEnvironment.sslCipherSuite = "SSL_RSA_WITH_NULL_MD5";
MQEnvironment.sslFipsRequired = false;
Error details:
MQJE001: Completion Code '2', Reason '2397'.
Error while initializing/connecting to MQ Queue Manager. Reason= MQRC_JSSE_ERROR
com.ibm.mq.jmqi.JmqiException: CC=2;RC=2397;AMQ9204: Connection to host '192.168.0.2(1419)' rejected. [1=com.ibm.mq.jmqi.JmqiException[CC=2;RC=2397;AMQ9771: SSL handshake failed. [1=java.net.SocketException[java.security.NoSuchAlgorithmException: Error constructing implementation (algorithm: Default, provider: IBMJSSE2, class: com.ibm.jsse2.ec)],3=SreeSandy-PC/192.168.0.2:1419 (SreeSandy-PC),4=SSLSocket.createSocket,5=default]],3=192.168.0.2(1419),5=RemoteTCPConnection.makeSocketSecure]
Please suggest.
sandydxb (Newbie, joined 29 Sep 2015, 8 posts)
Posted: Tue Sep 29, 2015 5:31 am    Post subject: Re: SSL configuration Error
I understand that System.setProperty("javax.net.ssl.trustStore", "E:\\Client\\trust.kdb"); is unable to read the truststore. I am working on a Windows machine and changed the file path to "E:/Client/trust.kdb"; still it's not working.
The error code AMQ9204:
Cause 4: Missing client signer on server
SystemOut.log or console output: JMSWMQ0018: Failed to connect to queue manager
JMSCMQ0001: WebSphere MQ call failed with compcode '2' ('MQCC_FAILED') reason '2397' ('MQRC_JSSE_ERROR').
Stack includes:
Caused by: com.ibm.mq.jmqi.JmqiException: CC=2;RC=2397;AMQ9204: Connection to host 'localhost(1414)' rejected. [1=com.ibm.mq.jmqi.JmqiException[CC=2;RC=2397;AMQ9771: SSL handshake failed. [1=java.net.SocketException[Software caused connection abort: socket write error],3=localhost/127.0.0.1:1414 (localhost),4=SSLSocket.startHandshake,5=default]],3=localhost(1414),5=RemoteTCPConnection.protocolConnect]
at com.ibm.mq.jmqi.remote.internal.RemoteFAP.jmqiConnect(RemoteFAP.java:2010)
at com.ibm.mq.jmqi.remote.internal.RemoteFAP.jmqiConnect(RemoteFAP.java:1227)
at com.ibm.msg.client.wmq.internal.WMQConnection.(WMQConnection.java:355)
... 6 more
Caused by: com.ibm.mq.jmqi.JmqiException: CC=2;RC=2397;AMQ9771: SSL handshake failed. [1=java.net.SocketException[Software caused connection abort: socket write error],3=localhost/127.0.0.1:1414 (localhost),4=SSLSocket.startHandshake,5=default]
at com.ibm.mq.jmqi.remote.internal.RemoteTCPConnection.protocolConnect(RemoteTCPConnection.java:1020)
at com.ibm.mq.jmqi.remote.internal.system.RemoteConnection.connect(RemoteConnection.java:1112)
at com.ibm.mq.jmqi.remote.internal.system.RemoteConnectionPool.getConnection(RemoteConnectionPool.java:350)
at com.ibm.mq.jmqi.remote.internal.RemoteFAP.jmqiConnect(RemoteFAP.java:1599)
... 8 more
Caused by: java.net.SocketException: Software caused connection abort: socket write error
Queue manager error logs: AMQ9633: Bad SSL certificate for channel '????'.
Solution: Add the certificate used to sign the queue manager's personal certificate to the client's truststore
but I have added the cert to the client trust store.
vennela (Jedi Knight, joined 11 Aug 2002, 4055 posts, Hyderabad, India)
Posted: Tue Sep 29, 2015 6:14 am
sandydxb (Newbie, joined 29 Sep 2015, 8 posts)
Posted: Tue Sep 29, 2015 6:23 am
Thanks for the reply.
I have tried using a JKS, but when I did that I got the error below in the qmgr error log:
AMQ9660: SSL key repository: password stash file absent or unusable.
EXPLANATION:
The SSL key repository cannot be used because MQ cannot obtain a password to
access it. Reasons giving rise to this error include:
(a) the key database file and password stash file are not present in the
location configured for the key repository,
(b) the key database file exists in the correct place but that no password
stash file has been created for it,
(c) the files are present in the correct place but the userid under which MQ is
running does not have permission to read them,
(d) one or both of the files are corrupt.
The channel is '????'; in some cases its name cannot be determined and so is
shown as '????'. The channel did not start.
zpat (Jedi Council, joined 19 May 2001, 5866 posts, UK)
Posted: Tue Sep 29, 2015 7:37 am
You could try to use a JKS with Java.
The truststore password will need to be set somewhere in your code.
What version of MQ do you have on the client and on the QM side?
Some ciphers have been removed in recent releases.
_________________
Well, I don't think there is any question about it. It can only be attributable to human error. This sort of thing has cropped up before, and it has always been due to human error.
sandydxb (Newbie, joined 29 Sep 2015, 8 posts)
Posted: Tue Sep 29, 2015 8:21 am
zpat wrote:
You could try to use a JKS with Java.
The truststore password will need to be set somewhere in your code.
What version of MQ do you have on the client and on the QM side?
Some ciphers have been removed in recent releases.

Thank you zpat.
When I try to use a JKS file, the queue manager's error log shows that it's missing: AMQ9660: SSL key repository: password stash file absent or unusable.
Then I moved to the CMS file type; now the error log is not showing anything.
Now it's showing a different error when I run the Java program on the client side, and the QM error log is not updating.
Error while initializing/connecting to MQ Queue Manager. Reason= MQRC_JSSE_ERROR
com.ibm.mq.jmqi.JmqiException: CC=2;RC=2397;AMQ9204: Connection to host '192.168.0.2(1419)' rejected. [1=com.ibm.mq.jmqi.JmqiException[CC=2;RC=2397;AMQ9771: SSL handshake failed
zpat (Jedi Council, joined 19 May 2001, 5866 posts, UK)
Posted: Tue Sep 29, 2015 9:42 am
Please answer all the questions asked.
No need to repeat previous answers - I already read them and suggested the JKS password would need to be supplied in your code.
sandydxb (Newbie, joined 29 Sep 2015, 8 posts)
Posted: Tue Sep 29, 2015 9:56 am
zpat wrote:
Please answer all the questions asked.
No need to repeat previous answers - I already read them and suggested the JKS password would need to be supplied in your code.

Q: You could try to use a JKS with Java.
A: Yes.
Q: The truststore password will need to be set somewhere in your code.
A: System.setProperty("javax.net.ssl.trustStorePassword", trustStorePassword);
Q: What version of MQ do you have on the client and on the QM side?
A: 7.5.0.1
Thanks...
zpat (Jedi Council, joined 19 May 2001, 5866 posts, UK)
Posted: Tue Sep 29, 2015 11:29 am
vennela (Jedi Knight, joined 11 Aug 2002, 4055 posts, Hyderabad, India)
Posted: Tue Sep 29, 2015 1:06 pm
sandydxb wrote:
When I try to use jks file Queue manager's errors log showing that it's missing AMQ9660: SSL key repository: password stash file absent or unusable

Use a CMS keystore for the QMGR and a JKS for your Java application.
fjb_saper (Grand High Poobah, joined 18 Nov 2003, 20756 posts, LI, NY)
Posted: Tue Sep 29, 2015 4:10 pm
SSL 101: you should never use the same keys / keystores to identify two different actors / principals. Each needs to have its own private key, or at least the signer's keys in the truststore for one-way SSL. Two-way SSL is better with MQ, as it allows you to make sure of the client's identity via SSLPEER.
Have fun
_________________
MQ & Broker admin
sandydxb (Newbie, joined 29 Sep 2015, 8 posts)
Posted: Tue Sep 29, 2015 6:14 pm
vennela wrote:
Use CMS keystore for QMGR and JKS for your Java application

I have tried that too...
sandydxb (Newbie, joined 29 Sep 2015, 8 posts)
Posted: Wed Sep 30, 2015 10:52 pm
vennela wrote:
Use CMS keystore for QMGR and JKS for your Java application

Doesn't the queue manager support the JKS file type?
Thanks.
zpat (Jedi Council, joined 19 May 2001, 5866 posts, UK)
Posted: Wed Sep 30, 2015 11:40 pm
You need two keystores - one of the CMS type (four files) for the QM and one of the JKS type (one file) for Java/JMS applications.
Make sure the JKS contains the CA signer cert for the QM personal cert (or the QM cert if self-signed) as a signer cert.
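Added example, not code from this thread or from IBM: the client half of the two-keystore setup zpat describes (CMS repository with stash file for the queue manager, a separate JKS for the Java application), which also follows fjb_saper's point that the client must not reuse the queue manager's keys. Compared with the original post it points javax.net.ssl.trustStore at a JKS rather than the CMS trust.kdb, sets javax.net.ssl.trustStorePassword, omits javax.net.ssl.keyStore for one-way TLS, pins the queue manager's certificate DN with sslPeerName, and loads the truststore up front so a wrong file format fails with a readable message instead of the NoSuchAlgorithmException seen inside the MQ handshake. It also replaces SSL_RSA_WITH_NULL_MD5, which authenticates the server but sends channel traffic unencrypted, with an AES CipherSpec. Host, port, channel name, queue manager name, truststore path, password, certificate DN and CipherSpec are all assumptions; the Java-side cipher suite name varies by JRE (SSL_ prefix on an IBM JRE, TLS_ on an Oracle JRE), and the queue manager's SSLKEYR is assumed to be set to the repository path stem without the .kdb extension, as the last post in the thread found.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;

import com.ibm.mq.MQEnvironment;
import com.ibm.mq.MQException;
import com.ibm.mq.MQQueueManager;

/**
 * Java client side of the two-keystore setup: the queue manager keeps its CMS
 * repository (key.kdb + key.sth), the application uses its own JKS holding the
 * signer of the queue manager's personal certificate as a trusted entry.
 */
public class MqTlsClient {

    // Assumed values, not taken from the thread: substitute your own.
    static final String HOST = "192.168.0.2";
    static final int PORT = 1419;
    static final String CHANNEL = "SSL.SVRCONN";             // hypothetical SVRCONN channel name
    static final String QMGR = "SSLTESTQM";                  // hypothetical queue manager name
    static final String TRUST_STORE = "E:/Client/trust.jks"; // a JKS, never the CMS trust.kdb
    static final String TRUST_PASS = "changeit";             // placeholder: read from config, not source
    // Must correspond to SSLCIPH on the SVRCONN. Assumes the channel uses
    // TLS_RSA_WITH_AES_128_CBC_SHA256 and the client runs on an IBM JRE.
    static final String CIPHER_SUITE = "SSL_RSA_WITH_AES_128_CBC_SHA256";

    /**
     * Pre-flight check: open the file with the JKS provider and return the
     * subject DNs of its trusted-certificate entries. A CMS .kdb handed to
     * this method fails in load() with an IOException ("Invalid keystore
     * format"), which is far easier to act on than the handshake failure.
     */
    static List<String> trustedSubjects(String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        List<String> subjects = new ArrayList<>();
        for (String alias : Collections.list(ks.aliases())) {
            if (ks.isCertificateEntry(alias)) {
                X509Certificate cert = (X509Certificate) ks.getCertificate(alias);
                subjects.add(cert.getSubjectX500Principal().getName());
            }
        }
        return subjects;
    }

    public static void main(String[] args) throws Exception {
        List<String> signers = trustedSubjects(TRUST_STORE, TRUST_PASS.toCharArray());
        if (signers.isEmpty()) {
            throw new IllegalStateException(TRUST_STORE + " has no trusted certificate entries; "
                    + "import the queue manager signer (.arm) with keytool -importcert first");
        }
        System.out.println("trusted signers: " + signers);

        // One-way TLS needs only the truststore. For two-way TLS
        // (SSLCAUTH(REQUIRED) on the channel, client checked via SSLPEER) set
        // javax.net.ssl.keyStore / keyStorePassword to a *separate* JKS that
        // holds the client's own private key, never the queue manager's repository.
        System.setProperty("javax.net.ssl.trustStore", TRUST_STORE);
        System.setProperty("javax.net.ssl.trustStorePassword", TRUST_PASS);

        MQEnvironment.hostname = HOST;
        MQEnvironment.port = PORT;
        MQEnvironment.channel = CHANNEL;
        MQEnvironment.sslCipherSuite = CIPHER_SUITE;
        // Pin the expected queue manager certificate DN so another certificate
        // chained to the same signer is rejected (assumes subject CN=SSLTESTQM).
        MQEnvironment.sslPeerName = "CN=" + QMGR;
        MQEnvironment.sslFipsRequired = false;

        MQQueueManager qm = null;
        try {
            qm = new MQQueueManager(QMGR);
            System.out.println("connected to " + QMGR + " over TLS");
        } catch (MQException e) {
            // 2397 MQRC_JSSE_ERROR: check the JSSE cause chain and the queue
            // manager's AMQERR01.LOG; 2393 MQRC_SSL_INITIALIZATION_ERROR usually
            // means the channel's SSLCIPH and sslCipherSuite do not correspond.
            System.err.println("connect failed: CC=" + e.completionCode + " RC=" + e.reasonCode);
            throw e;
        } finally {
            if (qm != null) {
                qm.disconnect();
            }
        }
    }
}
```

Run it once with the wrong file (the .kdb) to see the load() failure surface before any socket is opened; then with the JKS, the printed signer list confirms that the .arm extracted from the queue manager's repository actually landed in the store the JVM is reading.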
sandydxb (Newbie, joined 29 Sep 2015, 8 posts)
Posted: Thu Oct 01, 2015 10:44 am
It's working now.
I was using an incorrect keystore file path on the qmgr:
alter qmgr sslkeyr('/tmp/myssl/') instead of
alter qmgr sslkeyr('/tmp/myssl/keystorefile') (without the extension).
Thank you all.