hughson
Posted: Wed Jul 26, 2017 9:30 pm Post subject: JMS using TLS using Oracle JRE - SOLVED!
Padawan
Joined: 09 May 2013 Posts: 1959 Location: Bay of Plenty, New Zealand
Not being much of a Java person, I've rarely (if ever) played around with any JRE except the IBM one. However, today I find myself trying to set up a TLS Client connection for a JMS application using the Oracle JRE.
I have set up a JNDI Connection Factory to use a CCDT, and successfully connected the JmsJndiBrowser sample in anonymous mode - SSLCAUTH(OPTIONAL) - using both an IBM JRE and the Oracle JRE. Only difference in the commands below is the use of the useIBMCipherMappings setting.
IBM JRE:-
Code:
java -Djavax.net.ssl.trustStore=C:\MQGem\MQGem.jks -Djavax.net.ssl.keyStore=C:\MQGem\MQGem.jks -Djavax.net.ssl.keyStorePassword=passw0rd JmsJndiConsumer -i file:/c:/JNDI-Directory -c MQGEM-CCDT -d MQGEM-Q
Oracle JRE:-
Code:
java -Djavax.net.ssl.trustStore=C:\MQGem\MQGem.jks -Djavax.net.ssl.keyStore=C:\MQGem\MQGem.jks -Djavax.net.ssl.keyStorePassword=passw0rd -Dcom.ibm.mq.cfg.useIBMCipherMappings=false JmsJndiConsumer -i file:/c:/JNDI-Directory -c MQGEM-CCDT -d MQGEM-Q
Having successfully made this connection, I alter my SVRCONN to have SSLCAUTH(REQUIRED) and proceed to make a certificate for my client, sign it, receive it into my java keystore, and re-run my IBM JRE example. It works fine, the certificate is presented to the queue manager, and I can see the DNs from it in my DISPLAY CHSTATUS output.
I run my Oracle JRE example and it fails - because it hasn't presented a certificate to the queue manager.
So my question is, how do you tell the Oracle JRE which certificate to use? Or, how does the Oracle JRE determine which certificate it is going to pick (or not pick)?
Cheers,
Morag _________________ Morag Hughson @MoragHughson
IBM MQ Technical Education Specialist
Get your IBM MQ training here!
MQGem Software
Last edited by hughson on Thu Jul 27, 2017 4:06 pm; edited 1 time in total
mqjeff
Posted: Thu Jul 27, 2017 3:40 am Post subject:
Grand Master
Joined: 25 Jun 2008 Posts: 17447
Having sat in an SSL session taught by you (at a Hyatt *lo* these many years ago), I'm sure you know more about that than I do.
But the Oracle JRE should use the same runtime parameters to point to the keystore and truststore as the IBM JRE.
Or, if you're doing EJBs or etc... again, the same parameters...
But have you checked little tweaky things like cypher specs and etc?
I also notice that you have
but then
Code:
file:/c:/JNDI-Directory
You could try making these consistent... the Oracle JRE may be less forgiving. _________________ chmod -R ugo-wx /
hughson
Posted: Thu Jul 27, 2017 12:33 pm Post subject:
Padawan
Joined: 09 May 2013 Posts: 1959 Location: Bay of Plenty, New Zealand
My Oracle JRE command invocation is successfully able to use the JNDI lookup to do an anonymous client connection. It only doesn't work when I want it to send a certificate. So I don't believe the JNDI path separators are the problem. But I will experiment just in case.
I have already got the switch to get the cipher specs to work, as evidenced by the fact that it works in anonymous mode.
I assume there is some label or property of the certificate - key usage perhaps? - that makes the Oracle JSSE pick it, that is not needed for the IBM JSSE. Hoping someone out there has successfully made a mutually authenticated Java client TLS connection.
Cheers,
Morag _________________ Morag Hughson @MoragHughson
IBM MQ Technical Education Specialist
Get your IBM MQ training here!
MQGem Software
tczielke
Posted: Thu Jul 27, 2017 12:47 pm Post subject:
Guardian
Joined: 08 Jul 2010 Posts: 941 Location: Illinois, USA
From what I have read/experienced, it is undetermined which personal certificate will be selected if there are multiple personal certificates in the keystore with JSSE. The way we handle this is just to make sure there is one personal certificate in the keystore when working with our MQ Java client applications that need to use TLS. _________________ Working with MQ since 2010.
hughson
Posted: Thu Jul 27, 2017 12:57 pm Post subject:
Padawan
Joined: 09 May 2013 Posts: 1959 Location: Bay of Plenty, New Zealand
I only have one personal certificate in my keystore. It doesn't get selected.
Do you have an example of the command you use to create it that I could compare to mine? I used runmqckm to make the certificate request and also to receive the signed certificate.
Cheers
Morag _________________ Morag Hughson @MoragHughson
IBM MQ Technical Education Specialist
Get your IBM MQ training here!
MQGem Software
 |
tczielke |
Posted: Thu Jul 27, 2017 1:01 pm Post subject: |
|
|
Guardian
Joined: 08 Jul 2010 Posts: 941 Location: Illinois, USA
|
If you add "-Djavax.net.debug=all" to your command line, you will get some diagnostics on what the Java client is doing with the TLS handshake. I use IKeyman to generate the java keystore. _________________ Working with MQ since 2010.
hughson
Posted: Thu Jul 27, 2017 3:47 pm Post subject:
Padawan
Joined: 09 May 2013 Posts: 1959 Location: Bay of Plenty, New Zealand
I followed your advice and added -Djavax.net.debug=all to my command line.
In the output, after the initial handshake and validation of the queue manager certificate by the client, I can see the server making the request for a certificate:-
Code:
*** CertificateRequest
Cert Types: RSA
Cert Authorities:
<CN=MQGem CA, O=MQGem Software>
<CN=MQG1, O=MQGem Software>
Then I see that it says:-
Code:
Warning: no suitable certificate found - continuing without client authentication
*** Certificate chain
<Empty>
***
Suggesting that it has not found a certificate that is signed by any of the Cert Authorities sent by the server, even though my client certificate is signed by the MQGem CA.
I can even see at the start of the output:-
Code:
adding as trusted cert:
Subject: CN=Client App, O=MQGem Software
Issuer: CN=MQGem CA, O=MQGem Software
:
adding as trusted cert:
Subject: CN=MQGem CA, O=MQGem Software
Issuer: CN=MQGem CA, O=MQGem Software
:
So it can definitely see my client certificate.
Also, in the output, there is only mention of the TrustStore, no mention of the KeyStore. I re-run using a bad KeyStore password, and the output and behaviour are identical (but for random numbers and hashes differing). It would seem that the KeyStore is NEVER used. That would certainly account for the problem.
According to http://docs.oracle.com/javase/7/docs/technotes/guides/security/jsse/ReadDebug.html the first thing in the output should be the keyEntry in the supplied KeyStore. I do not see any such output. The first thing in my output is the truststore information which comes next according to that link. Yet more evidence that my KeyStore is being ignored.
If I run the exact same test with javax.net.debug=all using the IBM JRE, I do see the keyEntry at the start of the output. This using the exact same trustStore and keyStore as I used and failed with the Oracle JRE.
Anyone seen such a problem with the Oracle JRE ignoring your specified Keystore? My Oracle JRE version is:-
Code:
java version "1.8.0_60"
Java(TM) SE Runtime Environment (build 1.8.0_60-b27)
Java HotSpot(TM) 64-Bit Server VM (build 25.60-b23, mixed mode)
Perhaps I should look for an update?
Cheers,
Morag _________________ Morag Hughson @MoragHughson
IBM MQ Technical Education Specialist
Get your IBM MQ training here!
MQGem Software
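A standalone check that separates the two possible causes in the post above (the keystore holding no usable key entry versus the keystore never reaching JSSE at all). This is an added diagnostic, not code from the thread or from IBM MQ; the class name KeyStoreCheck is hypothetical, and the keystore path, password and issuer DN used in the usage comment are the thread's sample values. It loads the JKS, lists each entry, then asks the JRE's default X509KeyManager which alias it would offer in reply to a CertificateRequest listing the given Cert Authorities.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.Principal;
import java.security.cert.X509Certificate;
import java.util.Enumeration;
import javax.net.ssl.KeyManager;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.X509KeyManager;
import javax.security.auth.x500.X500Principal;

/* Hypothetical diagnostic (not part of the thread). Example invocation:
 *   java KeyStoreCheck C:\MQGem\MQGem.jks passw0rd "CN=MQGem CA, O=MQGem Software"
 * Assumes the key entry's password equals the store password, as the
 * -Djavax.net.ssl.keyStorePassword setting in the thread also assumes. */
public class KeyStoreCheck {
    public static void main(String[] args) throws Exception {
        char[] pw = args[1].toCharArray();
        KeyStore ks = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(args[0])) {
            ks.load(in, pw);
        }
        // 1. What is in the store? Client authentication needs a KEY entry
        //    (private key + chain), not merely a trusted CERT entry.
        for (Enumeration<String> e = ks.aliases(); e.hasMoreElements();) {
            String alias = e.nextElement();
            X509Certificate c = (X509Certificate) ks.getCertificate(alias);
            System.out.printf("%s alias=%s subject=%s issuer=%s%n",
                    ks.isKeyEntry(alias) ? "KEY " : "CERT", alias,
                    c.getSubjectX500Principal(), c.getIssuerX500Principal());
        }
        // 2. Which alias would this JRE's key manager present for an RSA
        //    CertificateRequest naming the issuers given on the command line?
        KeyManagerFactory kmf =
                KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(ks, pw);
        X509KeyManager km = null;
        for (KeyManager m : kmf.getKeyManagers()) {
            if (m instanceof X509KeyManager) km = (X509KeyManager) m;
        }
        Principal[] issuers = null; // null means "any issuer acceptable"
        if (args.length > 2) {
            issuers = new Principal[args.length - 2];
            for (int i = 2; i < args.length; i++) issuers[i - 2] = new X500Principal(args[i]);
        }
        String chosen = km.chooseClientAlias(new String[] {"RSA"}, issuers, null);
        System.out.println("chooseClientAlias -> " + (chosen == null ? "<none>" : chosen));
    }
}
```

If this reports a KEY entry and a chosen alias while the JMS client still sends an empty Certificate chain, the keystore contents are fine and the javax.net.ssl.keyStore properties are simply not being handed to JSSE by the client library, which matches the missing keyEntry line in the debug output.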
tczielke
Posted: Thu Jul 27, 2017 3:59 pm Post subject:
Guardian
Joined: 08 Jul 2010 Posts: 941 Location: Illinois, USA
hughson
Posted: Thu Jul 27, 2017 4:05 pm Post subject:
Padawan
Joined: 09 May 2013 Posts: 1959 Location: Bay of Plenty, New Zealand
BINGO!
Yes, I'm running V8.0.0.4, and that APAR is in V8.0.0.5.
You star!
Ran with V9 (quicker than downloading V8.0.0.5) and it worked.
Cheers!
Morag _________________ Morag Hughson @MoragHughson
IBM MQ Technical Education Specialist
Get your IBM MQ training here!
MQGem Software