MQSeries.net Forum Index :: WebSphere Message Broker Support :: How to access a HTTPS REST webservice

How to access a HTTPS REST webservice
Bichu
Posted: Tue Dec 13, 2016 4:30 am    Post subject: How to access a HTTPS REST webservice

Centurion

Joined: 16 Oct 2011
Posts: 113
Location: London

Hi Guys,

I have configured a message flow in order to access a HTTPS REST webservice. My flow is like

MQ INput -> HTTPRequest -> Compute -> MQ Output.

I have downloaded the certificate from the browser and added to the cacerts file in the location
C:\Program Files (x86)\IBM\IntegrationToolkit90\jdk\jre\lib\security.

I have configured the HTTPRequest node web service url with full url since the method is GET.
Do I need to configure anything else in the runtime or in the HTTPRequest node? I am getting a time out error.

When I tried the same URL from the browser, I got the output.

Request your thoughts on this.
smdavies99
Posted: Tue Dec 13, 2016 5:03 am    Post subject: Re: How to access a HTTPS REST webservice

Jedi Council

Joined: 10 Feb 2003
Posts: 6077
Location: Somewhere over the Rainbow this side of Never-never land.

Bichu wrote:
I have downloaded the certificate from the browser and added to the cacerts file in the location
C:\Program Files (x86)\IBM\IntegrationToolkit90\jdk\jre\lib\security.

Why do I get the feeling that this is not a good idea?
_________________
WMQ User since 1999
MQSI/WBI/WMB/'Thingy' User since 2002
Linux user since 1995

Every time you reinvent the wheel the more square it gets (anon). If in doubt think and investigate before you ask silly questions.
Vitor
Posted: Tue Dec 13, 2016 5:32 am    Post subject: Re: How to access a HTTPS REST webservice

Grand High Poobah

Joined: 11 Nov 2005
Posts: 25552
Location: Ohio, USA

Bichu wrote:
Request your thoughts on this.

So you downloaded the certificates from the browser and added them to the security path the Toolkit is using.

You then ran your flow in the runtime and were surprised when it didn't work.

You don't want my thoughts on this. They're not very polite.
_________________
Honesty is the best policy.
Insanity is the best defence.
Bichu
Posted: Tue Dec 13, 2016 5:52 am

Centurion

Joined: 16 Oct 2011
Posts: 113
Location: London

Thanks Vitor. But I have updated the certificate in the path C:\Program Files\IBM\MQSI\9.0.0.0\jre17\lib\security\cacerts; but still it's the same.

Do I need to generate a truststore JKS file and associate it with the broker or EG just to access the webservice?
fjb_saper
Posted: Tue Dec 13, 2016 6:03 am

Grand Poobah

Joined: 18 Nov 2003
Posts: 19921
Location: LI,NY

Bichu wrote:
Thanks Vitor. But I have updated the certificate in the path C:\Program Files\IBM\MQSI\9.0.0.0\jre17\lib\security\cacerts; but still it's the same.

Do I need to generate a truststore JKS file and associate it with the broker or EG just to access the webservice?

The same way you would do it to access any other https endpoint...
And lucky you, it's all described in the IIB infocenter!...
_________________
MQ & Broker admin
Vitor
Posted: Tue Dec 13, 2016 6:11 am

Grand High Poobah

Joined: 11 Nov 2005
Posts: 25552
Location: Ohio, USA

Bichu wrote:
Do I need to generate a truststore JKS file and associate it with the broker or EG just to access the webservice?

Unless you have the Magic Pixies support pac.

Seriously - you're asking if you need to set up the SSL configuration within IIB to access an SSL secured end point?

Just because all that configuration is done under the covers in the average browser doesn't mean that it's not been done, which is why it's working from your browser.
_________________
Honesty is the best policy.
Insanity is the best defence.
Bichu
Posted: Wed Dec 14, 2016 2:40 am

Centurion

Joined: 16 Oct 2011
Posts: 113
Location: London

I have configured the broker for accessing HTTPS webservice now by running the below commands.

Code:
keytool -genkey -alias Broker -keystore Broker.jks -keysize 2048

mqsichangeproperties Broker -e default -o HTTPSConnector -n sslProtocol -v SSLv3
mqsichangeproperties Broker -e default -o HTTPSConnector -n explicitlySetPortNumber -v 7043
mqsichangeproperties Broker -e default -o ComIbmJVMManager -n truststoreFile -v "C:\Program Files\IBM\MQSI\9.0.0.0\Broker.jks"
mqsichangeproperties Broker -e default -o ComIbmJVMManager -n truststoreType -v JKS
mqsichangeproperties Broker -e default -o ComIbmJVMManager -n truststorePass -v default::password

mqsisetdbparms Broker -n default::password -u temp -p changeit


But I am getting ssl handshake exception now.

Code:

2016-12-13 20:24:56.222      1 IBMJSSEProvider2 Build-Level: -20130410
2016-12-13 20:25:01.509     22 IBMJSSE2 will not enable CBC protection
2016-12-13 20:25:01.547     22 keyStore is: C:\Program Files\IBM\MQSI\9.0.0.0\jre17\lib\security\cacerts
2016-12-13 20:25:01.549     22 keyStore type is: JKS
2016-12-13 20:25:01.550     22 keyStore provider is:
2016-12-13 20:25:01.551     22 init keystore
2016-12-13 20:25:01.695     22 adding as trusted cert:
2016-12-13 20:25:01.695     22   Subject: CN=*.entsoe.eu, O=ENTSO-E, OU=D&I, L=Brussels, ST=Brussels, C=BE
2016-12-13 20:25:01.696     22   Issuer:  CN=GlobalSign Organization Validation CA - SHA256 - G2, O=GlobalSign nv-sa, C=BE
2016-12-13 20:25:01.696     22   Algorithm: RSA; Serial number: 0x3b1a8b7c3bfd777a02a92120
2016-12-13 20:25:01.701     22   Valid from Wed Jun 08 13:47:08 BST 2016 until Wed Feb 14 12:22:30 GMT 2018
2016-12-13 20:25:01.702     22
2016-12-13 20:25:01.702     22 adding as trusted cert:
2016-12-13 20:25:01.703     22   Subject: CN=GlobalSign Organization Validation CA - SHA256 - G2, O=GlobalSign nv-sa, C=BE
2016-12-13 20:25:01.703     22   Issuer:  CN=GlobalSign Root CA, OU=Root CA, O=GlobalSign nv-sa, C=BE
2016-12-13 20:25:01.704     22   Algorithm: RSA; Serial number: 0x40000000001444ef04247
2016-12-13 20:25:01.704     22   Valid from Thu Feb 20 10:00:00 GMT 2014 until Tue Feb 20 10:00:00 GMT 2024
2016-12-13 20:25:01.704     22
2016-12-13 20:25:01.705     22 adding as trusted cert:
2016-12-13 20:25:01.705     22   Subject: CN=GlobalSign Root CA, OU=Root CA, O=GlobalSign nv-sa, C=BE
2016-12-13 20:25:01.706     22   Issuer:  CN=GlobalSign Root CA, OU=Root CA, O=GlobalSign nv-sa, C=BE
2016-12-13 20:25:01.706     22   Algorithm: RSA; Serial number: 0x40000000001154b5ac394
2016-12-13 20:25:01.707     22   Valid from Tue Sep 01 13:00:00 BST 1998 until Fri Jan 28 12:00:00 GMT 2028
2016-12-13 20:25:01.707     22
2016-12-13 20:25:01.710     22 SSLContextImpl:  Using X509ExtendedKeyManager com.ibm.broker.imbsslsocket.MbSslSocket$KeyChoiceX509KeyManager
2016-12-13 20:25:01.710     22 SSLContextImpl:  Using X509TrustManager com.ibm.jsse2.yc
2016-12-13 20:25:01.713     22 Installed Providers =
2016-12-13 20:25:01.720     22    IBMJSSE2
2016-12-13 20:25:01.720     22    IBMJCE
2016-12-13 20:25:01.720     22    IBMJGSSProvider
2016-12-13 20:25:01.721     22    IBMCertPath
2016-12-13 20:25:01.721     22    IBMSASL
2016-12-13 20:25:01.722     22    IBMXMLCRYPTO
2016-12-13 20:25:01.722     22    IBMXMLEnc
2016-12-13 20:25:01.723     22    IBMSPNEGO
2016-12-13 20:25:01.723     22    SUN
2016-12-13 20:25:01.724     22 JsseJCE:  Using SecureRandom IBMSecureRandom from provider IBMJCE version 1.7
2016-12-13 20:25:01.724     22 trigger seeding of SecureRandom
2016-12-13 20:25:01.724     22 done seeding SecureRandom
2016-12-13 20:25:01.727     22 JsseJCE:  Using SecureRandom IBMSecureRandom from provider IBMJCE version 1.7
2016-12-13 20:25:02.646     22 JsseJCE:  Using KeyAgreement ECDH from provider IBMJCE version 1.7
2016-12-13 20:25:02.646     22 JsseJCE:  Using signature SHA1withECDSA from provider TBD via init
2016-12-13 20:25:02.648     22 JsseJCE:  Using signature NONEwithECDSA from provider TBD via init
2016-12-13 20:25:02.649     22 JsseJCE:  Using KeyFactory EC from provider IBMJCE version 1.7
2016-12-13 20:25:02.651     22 JsseJCE:  Using KeyPairGenerator EC from provider TBD via init
2016-12-13 20:25:02.652     22 JsseJce:  EC is available
2016-12-13 20:25:02.666     22 JsseJCE:  Using cipher AES/CBC/NoPadding from provider TBD via init
2016-12-13 20:25:02.671     22 Thread-10, setSoTimeout(118828) called
2016-12-13 20:25:02.718     22 IBMJSSE2 will allow RFC 5746 renegotiation per com.ibm.jsse2.renegotiate set to none or default
2016-12-13 20:25:02.718     22 IBMJSSE2 will not require renegotiation indicator during initial handshake per com.ibm.jsse2.renegotiation.indicator set to OPTIONAL or default taken
2016-12-13 20:25:02.719     22 IBMJSSE2 will not perform identity checking against the peer cert check during renegotiation per com.ibm.jsse2.renegotiation.peer.cert.check set to OFF or default
2016-12-13 20:25:02.720     22
Is initial handshake: true
2016-12-13 20:25:02.721     22 Ignoring unsupported cipher suite: SSL_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
2016-12-13 20:25:02.721     22 Ignoring unsupported cipher suite: SSL_ECDHE_RSA_WITH_AES_128_CBC_SHA256
2016-12-13 20:25:02.722     22 Ignoring unsupported cipher suite: SSL_RSA_WITH_AES_128_CBC_SHA256
2016-12-13 20:25:02.722     22 Ignoring unsupported cipher suite: SSL_ECDH_ECDSA_WITH_AES_128_CBC_SHA256
2016-12-13 20:25:02.723     22 Ignoring unsupported cipher suite: SSL_ECDH_RSA_WITH_AES_128_CBC_SHA256
2016-12-13 20:25:02.723     22 Ignoring unsupported cipher suite: SSL_DHE_RSA_WITH_AES_128_CBC_SHA256
2016-12-13 20:25:02.723     22 Ignoring unsupported cipher suite: SSL_DHE_DSS_WITH_AES_128_CBC_SHA256
2016-12-13 20:25:02.724     22 Ignoring unsupported cipher suite: SSL_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
2016-12-13 20:25:02.724     22 Ignoring unsupported cipher suite: SSL_ECDHE_RSA_WITH_AES_128_CBC_SHA
2016-12-13 20:25:02.725     22 Ignoring unsupported cipher suite: SSL_RSA_WITH_AES_128_CBC_SHA
2016-12-13 20:25:02.725     22 Ignoring unsupported cipher suite: SSL_ECDH_ECDSA_WITH_AES_128_CBC_SHA
2016-12-13 20:25:02.726     22 Ignoring unsupported cipher suite: SSL_ECDH_RSA_WITH_AES_128_CBC_SHA
2016-12-13 20:25:02.726     22 Ignoring unsupported cipher suite: SSL_DHE_RSA_WITH_AES_128_CBC_SHA
2016-12-13 20:25:02.726     22 Ignoring unsupported cipher suite: SSL_DHE_DSS_WITH_AES_128_CBC_SHA
2016-12-13 20:25:02.727     22 Ignoring unsupported cipher suite: SSL_ECDHE_ECDSA_WITH_RC4_128_SHA
2016-12-13 20:25:02.727     22 Ignoring unsupported cipher suite: SSL_ECDHE_RSA_WITH_RC4_128_SHA
2016-12-13 20:25:02.728     22 Ignoring unsupported cipher suite: SSL_ECDH_ECDSA_WITH_RC4_128_SHA
2016-12-13 20:25:02.728     22 Ignoring unsupported cipher suite: SSL_ECDH_RSA_WITH_RC4_128_SHA
2016-12-13 20:25:02.728     22 Ignoring unsupported cipher suite: SSL_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA
2016-12-13 20:25:02.729     22 Ignoring unsupported cipher suite: SSL_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
2016-12-13 20:25:02.729     22 Ignoring unsupported cipher suite: SSL_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA
2016-12-13 20:25:02.730     22 Ignoring unsupported cipher suite: SSL_ECDH_RSA_WITH_3DES_EDE_CBC_SHA
2016-12-13 20:25:02.733     22 %% No cached client session
2016-12-13 20:25:02.734     22 *** ClientHello, SSLv3
2016-12-13 20:25:02.734     22 RandomCookie:  GMT: 1481660702 bytes = { 139, 40, 81, 202, 255, 147, 125, 18, 119, 188, 117, 193, 160, 240, 238, 78, 45, 187, 151, 41, 87, 0, 110, 102, 92, 19, 201, 208 }
2016-12-13 20:25:02.736     22 Session ID:  {}
2016-12-13 20:25:02.736     22 Cipher Suites: [TLS_EMPTY_RENEGOTIATION_INFO_SCSV, SSL_RSA_WITH_RC4_128_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_RC4_128_MD5]
2016-12-13 20:25:02.737     22 Compression Methods:  { 0 }
2016-12-13 20:25:02.737     22 ***
2016-12-13 20:25:02.738     22 [write] MD5 and SHA1 hashes:  len = 55
2016-12-13 20:25:02.739     22 0000: 01 00 00 33 03 00 58 50  59 1e 8b 28 51 ca ff 93  ...3..XPY...Q...
0010: 7d 12 77 bc 75 c1 a0 f0  ee 4e 2d bb 97 29 57 00  ..w.u....N....W.
0020: 6e 66 5c 13 c9 d0 00 00  0c 00 ff 00 05 00 0a 00  nf..............
0030: 16 00 13 00 04 01 00                               .......

2016-12-13 20:25:02.739     22 Thread-10, WRITE: SSLv3 Handshake, length = 55
2016-12-13 20:25:02.740     22 [Raw write]: length = 60
2016-12-13 20:25:02.741     22 0000: 16 03 00 00 37 01 00 00  33 03 00 58 50 59 1e 8b  ....7...3..XPY..
0010: 28 51 ca ff 93 7d 12 77  bc 75 c1 a0 f0 ee 4e 2d  .Q.....w.u....N.
0020: bb 97 29 57 00 6e 66 5c  13 c9 d0 00 00 0c 00 ff  ...W.nf.........
0030: 00 05 00 0a 00 16 00 13  00 04 01 00              ............

2016-12-13 20:25:02.780     22 [Raw read]: length = 5
2016-12-13 20:25:02.780     22 0000: 15 03 00 00 02                                     .....

2016-12-13 20:25:02.781     22 [Raw read]: length = 2
2016-12-13 20:25:02.781     22 0000: 02 28                                              ..

2016-12-13 20:25:02.782     22 Thread-10, READ: SSLv3 Alert, length = 2
2016-12-13 20:25:02.782     22 Thread-10, RECV TLSv1 ALERT:  fatal, handshake_failure
2016-12-13 20:25:02.783     22 Thread-10, called closeSocket()
2016-12-13 20:25:02.784     22 Thread-10, handling exception: javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
2016-12-13 20:25:02.784     22 unable to negotiate SSL connection. Client key alias supplied was [].
Exception in thread "Thread-10" 2016-12-13 20:25:02.786     22 javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
2016-12-13 20:25:02.787     22    at com.ibm.jsse2.j.a(j.java:9)
2016-12-13 20:25:02.787     22    at com.ibm.jsse2.j.a(j.java:32)
2016-12-13 20:25:02.787     22    at com.ibm.jsse2.qc.b(qc.java:5)
2016-12-13 20:25:02.788     22    at com.ibm.jsse2.qc.a(qc.java:645)
2016-12-13 20:25:02.788     22    at com.ibm.jsse2.qc.h(qc.java:809)
2016-12-13 20:25:02.789     22    at com.ibm.jsse2.qc.a(qc.java:106)
2016-12-13 20:25:02.789     22    at com.ibm.jsse2.qc.startHandshake(qc.java:586)
2016-12-13 20:25:02.789     22    at com.ibm.broker.imbsslsocket.MbSslSocket.connectTimeoutInternalNoProxy(MbSslSocket.java:316)
2016-12-13 20:25:02.790     22    at com.ibm.broker.imbsslsocket.MbSslSocket.connectTimeout(MbSslSocket.java:168)


I doubt whether the jks is accessible by the broker since I have the same exception as above even after I change the jks name in the directory.

please
Vitor
Posted: Wed Dec 14, 2016 5:52 am

Grand High Poobah

Joined: 11 Nov 2005
Posts: 25552
Location: Ohio, USA

Bichu wrote:
I doubt whether the jks is accessible by the broker since I have the same exception as above even after I change the jks name in the directory.

How can you "doubt" that, when it's probably the easiest thing in the world to check?

Bichu wrote:
please

Try thinking instead of randomly doing stuff in the hopes it works.

You've already stated in this post that you tried using the cacerts file, but tried to use it in the toolkit not the runtime. So explain why you thought generating a keystore yourself (badly) and using that would actually work?

My worthy associate has pointed out that the instructions you need are in the InfoCenter. While he failed to point out that you need to follow them all and not just the ones you think look pretty, that should have been self evident.

If you think you need the cacerts file in the runtime, put it in the runtime.

If you think you need a self signed cert to provide to the endpoint, create one and put it in the runtime.

If you think you need to explicitly trust the endpoint, add that to the runtime.

If you don't even know how to answer these questions, find someone on your site who understands SSL and get them to explain it to you.

Also a tip - if the endpoint you're calling is not local to your machine, you may find that even when you've figured this out it still doesn't work because SSLv3 traffic is being blocked by your network. SSLv3 is cracked and many network appliances routinely block packets so encrypted.
_________________
Honesty is the best policy.
Insanity is the best defence.
fjb_saper
Posted: Wed Dec 14, 2016 5:56 am

Grand Poobah

Joined: 18 Nov 2003
Posts: 19921
Location: LI,NY

Your config is not right or your permissions to the store file are not right ... because this is the file that's being loaded:
Code:
keyStore is: C:\Program Files\IBM\MQSI\9.0.0.0\jre17\lib\security\cacerts

Which would be the file if you did not configure anything.
After your config change did you bounce the broker twice?
_________________
MQ & Broker admin
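Added example (my own code, not from the thread or from IBM): the script below decodes the raw ClientHello and alert bytes printed in the trace above and compares the trace's keyStore line with the truststoreFile path set by mqsichangeproperties, turning the trace into the same findings fjb_saper and Vitor point at (default cacerts still loaded, SSLv3-only ClientHello, fatal handshake_failure). The byte strings, paths and cipher suite names are transcribed from the posts; the VERSIONS, SUITES and ALERTS tables are standard code points I assume the decoder needs.

```python
# Code points from RFC 2246 / RFC 5746, with the SSL_* names IBM JSSE2 prints for them.
VERSIONS = {(3, 0): "SSLv3", (3, 1): "TLSv1", (3, 2): "TLSv1.1", (3, 3): "TLSv1.2"}
SUITES = {0x00FF: "TLS_EMPTY_RENEGOTIATION_INFO_SCSV", 0x0005: "SSL_RSA_WITH_RC4_128_SHA",
          0x000A: "SSL_RSA_WITH_3DES_EDE_CBC_SHA", 0x0016: "SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA",
          0x0013: "SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA", 0x0004: "SSL_RSA_WITH_RC4_128_MD5"}
ALERTS = {40: "handshake_failure", 42: "bad_certificate", 46: "certificate_unknown", 48: "unknown_ca"}

# Constructed input: bytes transcribed from the [Raw write] / [Raw read] dumps in the trace
# above, the trace's keyStore line, and the truststoreFile path from mqsichangeproperties.
CLIENT_HELLO = bytes.fromhex(
    "16 03 00 00 37 01 00 00 33 03 00 58 50 59 1e 8b 28 51 ca ff 93 7d 12 77 "
    "bc 75 c1 a0 f0 ee 4e 2d bb 97 29 57 00 6e 66 5c 13 c9 d0 00 00 0c 00 ff "
    "00 05 00 0a 00 16 00 13 00 04 01 00")
ALERT = bytes.fromhex("15 03 00 00 02 02 28")
KEYSTORE_LINE = r"keyStore is: C:\Program Files\IBM\MQSI\9.0.0.0\jre17\lib\security\cacerts"
CONFIGURED_TRUSTSTORE = r"C:\Program Files\IBM\MQSI\9.0.0.0\Broker.jks"

def parse_client_hello(record: bytes) -> dict:
    """Return the protocol version and cipher suites offered in a ClientHello record."""
    if record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a ClientHello handshake record")
    body = record[5:5 + int.from_bytes(record[3:5], "big")]  # the handshake message
    pos = 6 + 32                                  # past type+len+client_version+random
    pos += 1 + body[pos]                          # past the length-prefixed session_id
    n = int.from_bytes(body[pos:pos + 2], "big")  # cipher_suites length in bytes
    codes = [int.from_bytes(body[i:i + 2], "big") for i in range(pos + 2, pos + 2 + n, 2)]
    return {"version": VERSIONS.get((body[4], body[5]), "unknown"),
            "cipher_suites": [SUITES.get(c, f"0x{c:04X}") for c in codes]}

def parse_alert(record: bytes) -> tuple:
    """Return (level, description) from an alert record: 5-byte header + 2-byte body."""
    if record[0] != 0x15:
        raise ValueError("not an alert record")
    return ("fatal" if record[5] == 2 else "warning", ALERTS.get(record[6], str(record[6])))

def diagnose(hello: dict, alert: tuple, keystore_line: str, configured: str) -> list:
    """The checks a reviewer of this trace would make, returned as a list of findings."""
    findings = []
    loaded = keystore_line.split("keyStore is:", 1)[-1].strip()
    if loaded.lower() != configured.lower():
        findings.append(f"configured truststore not in use: JSSE loaded {loaded}")
    if hello["version"] == "SSLv3":
        findings.append("ClientHello offers SSLv3 only (sslProtocol=SSLv3); peers that disable SSLv3 reject it")
    weak = [s for s in hello["cipher_suites"] if "RC4" in s or "3DES" in s]
    if weak:
        findings.append(f"no modern cipher suite offered; {len(weak)} RC4/3DES suites only")
    if alert == ("fatal", "handshake_failure"):
        findings.append("server sent fatal handshake_failure: no acceptable version/suite")
    return findings

if __name__ == "__main__":
    hello, alert = parse_client_hello(CLIENT_HELLO), parse_alert(ALERT)
    print(hello["version"], hello["cipher_suites"])
    for finding in diagnose(hello, alert, KEYSTORE_LINE, CONFIGURED_TRUSTSTORE):
        print("-", finding)
```

The same decoder can be pointed at any [Raw write] / [Raw read] pair from an IBM JSSE2 trace; the keyStore comparison is the quick check fjb_saper asks for before touching anything else.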