MQSeries.net Forum Index » WebSphere Message Broker (ACE) Support » Error in WS invocation with HTTP Request Node for https url
Bichu
PostPosted: Thu Oct 13, 2016 5:57 am    Post subject: Error in WS invocation with HTTP Request Node for https url

Centurion

Joined: 16 Oct 2011
Posts: 124
Location: London

Guys,

I am trying to call a WS using the HTTP Request node, and the URL starts with https. Hence I am implementing SSL in IIB. I have downloaded the .CER file using Chrome from their website and added it to the cacerts keystore file using the below command.

keytool -import -alias mykey -file D:\test\test.cer -keystore "C:\Program Files (x86)\IBM\IntegrationToolkit90\jdk\jre\lib\security\cacerts" -storepass changeit

But I got a connection timed out error, and I ran the below commands too.

mqsichangeproperties BROKER1 -b httplistener -o HTTPListener -n enableSSLConnector -v true
mqsichangeproperties BROKER1 -b httplistener -o HTTPSConnector -n keystoreFile -v D:\test\test.cer
mqsichangeproperties BROKER1 -b httplistener -o HTTPSConnector -n keystorePass -v changeit
mqsichangeproperties BROKER1 -b httplistener -o HTTPSConnector -n port -v 7083
mqsichangeproperties BROKER1 -b httplistener -o HTTPConnector -n port -v 7080
mqsichangeproperties BROKER1 -b httplistener -o HTTPSListener -n startListener -v true

But now I am getting an invalid keystore format error.

What needs to be added more?
Vitor
PostPosted: Thu Oct 13, 2016 6:00 am    Post subject: Re: Error in WS invocation with HTTP Request Node for https

Grand High Poobah

Joined: 11 Nov 2005
Posts: 26093
Location: Texas, USA

Bichu wrote:
What needs to be added more?

Nothing more, but you need to do something right.

Bichu wrote:
mqsichangeproperties BROKER1 -b httplistener -o HTTPSConnector -n keystoreFile -v D:\test\test.cer

That's the certificate file, not the key store file. That's why the -n parameter says "keystore" and why the error message says "invalid keystore format". A certificate has a different format to a key store.
_________________
Honesty is the best policy.
Insanity is the best defence.
Vitor
PostPosted: Thu Oct 13, 2016 6:05 am

Grand High Poobah

Joined: 11 Nov 2005
Posts: 26093
Location: Texas, USA

On a more general level, I don't think adding their public cert to your cacerts list is going to get you very far. I'd expect that you'd need to give broker a personal cert to present and trust their signer.

Which is the more standard way of implementing SSL in IIB, and the one documented in the KC.
_________________
Honesty is the best policy.
Insanity is the best defence.
Bichu
PostPosted: Thu Oct 13, 2016 8:26 am

Centurion

Joined: 16 Oct 2011
Posts: 124
Location: London

Thanks Vitor.

But can't we import a .CER format certificate using keytool and then tell broker to authenticate using that?

The below link says to upload a .DER file, and I have only a .cer file exported from the browser:
http://www.ibm.com/developerworks/websphere/library/techarticles/1205_bhat/1205_bhat.html

I don't see options to convert .cer to .der using openssl either...
fjb_saper
PostPosted: Thu Oct 13, 2016 8:52 am

Grand High Poobah

Joined: 18 Nov 2003
Posts: 20696
Location: LI,NY

Bichu wrote:
Thanks Vitor.

But can't we import a .CER format certificate using keytool and then tell broker to authenticate using that?

The below link says to upload a .DER file, and I have only a .cer file exported from the browser:
http://www.ibm.com/developerworks/websphere/library/techarticles/1205_bhat/1205_bhat.html

I don't see options to convert .cer to .der using openssl either...

Er... I am getting more confused by the minute here.
You are talking about .cer and .der formats, which represent the certificate.
The tools provide you with means of loading either type of cert into a keystore/truststore...
As Vitor already told you, you need to focus on KEYSTORE and TRUSTSTORE.
The formats for those should be .jks...
So which part are you not understanding??
_________________
MQ & Broker admin
Bichu
PostPosted: Thu Oct 13, 2016 8:58 am

Centurion

Joined: 16 Oct 2011
Posts: 124
Location: London

I have added the truststore and keystore to the broker... but I am still getting a connection timed out error.

Code:

C:\Program Files\IBM\MQSI\9.0.0.0>mqsireportproperties BROKER1 -b httplistener -o HTTPSConnector -a

HTTPSConnector
  uuid='HTTPSConnector'
  algorithm='Platform Default'
  clientAuth='Platform Default'
  keystoreFile='C:\Program Files\IBM\MQSI\9.0.0.0\BROKER1.jks'
  keystorePass='********'
  keystoreType='Platform Default'
  truststoreFile='C:\Program Files\IBM\MQSI\9.0.0.0\BROKER1.jks'
  truststorePass='********'
  truststoreType='Platform Default'
  sslProtocol='Platform Default'
  ciphers='Platform Default'
  keyAlias=''
  keypass='********'
  keyAlias='Platform Default'
  crlFile='Platform Default'
  propagateClientCert='Platform Default'
  address=''
  port='7083'
  maxPostSize=''
  acceptCount=''
  compressableMimeTypes=''
  compression=''
  connectionLinger=''
  connectionTimeout=''
  maxHttpHeaderSize=''
  maxKeepAliveRequests=''
  maxThreads=''
  minSpareThreads=''
  noCompressionUserAgents=''
  restrictedUserAgents=''
  socketBuffer=''
  tcpNoDelay=''
  enableLookups='false'


In the steps to do this, they have mentioned to upload a .der file (a signed certificate) to the keystore, but since I have only a .cer file, I used the same for the keystore.

I am still not sure where I am missing...
fjb_saper
PostPosted: Thu Oct 13, 2016 9:07 am

Grand High Poobah

Joined: 18 Nov 2003
Posts: 20696
Location: LI,NY

A signed certificate (X509) can have multiple formats.
The most common is ASCII (.cer).
The next most common is a binary format and uses the .der extension.
_________________
MQ & Broker admin
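The distinction fjb_saper draws between the certificate encodings (.cer ASCII, .der binary) and the JKS keystore/truststore that IIB actually expects in keystoreFile comes down to a few leading bytes. The following Python is an added example, not IBM or IIB code: it sniffs which of the three a file is, reports why a bare certificate produces the "invalid keystore format" error seen earlier in the thread, and does the PEM-to-DER conversion (the same base64 decode that openssl would perform). The sample bytes are constructed and are not a real certificate.

```python
"""Sniff PEM (.cer) vs DER (.der) certificate vs JKS keystore, and convert PEM
to DER. Added example, not IIB code; SAMPLE_* below are constructed test data."""
import base64
import re

PEM_BLOCK = re.compile(
    rb"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)
JKS_MAGIC = b"\xfe\xed\xfe\xed"  # every JKS keystore file begins with these bytes

# Constructed sample: a DER SEQUENCE holding one INTEGER, and its PEM armouring.
SAMPLE_DER = b"\x30\x03\x02\x01\x05"
SAMPLE_PEM = (b"-----BEGIN CERTIFICATE-----\n" + base64.b64encode(SAMPLE_DER)
              + b"\n-----END CERTIFICATE-----\n")

def pem_to_der(data: bytes) -> bytes:
    """PEM is base64 ASCII wrapped around the DER bytes: strip armour, decode."""
    m = PEM_BLOCK.search(data)
    if m is None:
        raise ValueError("no CERTIFICATE block found")
    return base64.b64decode(b"".join(m.group(1).split()))

def looks_like_der_cert(data: bytes) -> bool:
    """A DER cert is one outer SEQUENCE (0x30) whose length covers the whole file."""
    if len(data) < 2 or data[0] != 0x30:
        return False
    first = data[1]
    if first & 0x80:                      # long-form length (0x82 for real certs)
        n = first & 0x7F
        if n == 0 or n > 4 or len(data) < 2 + n:
            return False
        return 2 + n + int.from_bytes(data[2:2 + n], "big") == len(data)
    return 2 + first == len(data)         # short-form length

def classify(data: bytes) -> str:
    if data.startswith(JKS_MAGIC):
        return "jks-keystore"
    if PEM_BLOCK.search(data):
        return "pem-certificate"
    if looks_like_der_cert(data):
        return "der-certificate"
    return "unknown"

def check_keystore_file(data: bytes) -> str:
    # What -n keystoreFile must point at is a keystore, never a bare certificate.
    kind = classify(data)
    if kind == "jks-keystore":
        return "ok: JKS keystore"
    if kind.endswith("certificate"):
        return f"not a keystore ({kind}); import it into a JKS with keytool -import first"
    return "unknown format"
```

Run `check_keystore_file(open(path, "rb").read())` against the file given to keystoreFile; a .cer exported from a browser classifies as pem-certificate, which is exactly the mismatch the "invalid keystore format" error reports.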
Vitor
PostPosted: Thu Oct 13, 2016 9:17 am

Grand High Poobah

Joined: 11 Nov 2005
Posts: 26093
Location: Texas, USA

Bichu wrote:
I am still not sure where I am missing...

The right steps.

The certificate you've downloaded is their certificate from their website.

So you're trying to connect to the endpoint and claim you're them. This claim is probably viewed with some skepticism.

You need to give broker its own certificate so it can connect as itself.
_________________
Honesty is the best policy.
Insanity is the best defence.
fjb_saper
PostPosted: Thu Oct 13, 2016 10:15 am

Grand High Poobah

Joined: 18 Nov 2003
Posts: 20696
Location: LI,NY

Vitor wrote:
Bichu wrote:
I am still not sure where I am missing...

The right steps.

The certificate you've downloaded is their certificate from their website.

So you're trying to connect to the endpoint and claim you're them. This claim is probably viewed with some skepticism.

You need to give broker its own certificate so it can connect as itself.

Even worse here. The downloaded cert is a public cert, i.e. it is very unlikely the broker has the corresponding private key. So there is no way of impersonating them...
Without your own private key all you can achieve is a one way SSL connection.
So you will know they are who they say they are... They won't know you are who you say you are...

Hope this helps
_________________
MQ & Broker admin
Vitor
PostPosted: Thu Oct 13, 2016 11:14 am

Grand High Poobah

Joined: 11 Nov 2005
Posts: 26093
Location: Texas, USA

fjb_saper wrote:
Even worse here. The downloaded cert is a public cert, i.e. it is very unlikely the broker has the corresponding private key. So there is no way of impersonating them...

Doh!

_________________
Honesty is the best policy.
Insanity is the best defence.