ASG
IBM
Zystems
Cressida
Icon
Netflexity
 
  MQSeries.net
Search  Search       Tech Exchange      Education      Certifications      Library      Info Center      SupportPacs      LinkedIn  Search  Search                                                                   FAQ  FAQ   Usergroups  Usergroups
 
Register  ::  Log in Log in to check your private messages
 
RSS Feed - WebSphere MQ Support RSS Feed - Message Broker Support

MQSeries.net Forum Index » IBM MQ Java / JMS » JMS using TLS using Oracle JRE - SOLVED!

Post new topic  Reply to topic
 JMS using TLS using Oracle JRE - SOLVED! « View previous topic :: View next topic » 
Author Message
hughson
PostPosted: Wed Jul 26, 2017 9:30 pm    Post subject: JMS using TLS using Oracle JRE - SOLVED! Reply with quote

Padawan

Joined: 09 May 2013
Posts: 1914
Location: Bay of Plenty, New Zealand

Not being much of a Java person, I've rarely (if ever) played around with any JRE except the IBM one. However, today I find myself trying to set up a TLS Client connection for a JMS application using the Oracle JRE.

I have set up a JNDI Connection Factory to use a CCDT, and successfully connected the JmsJndiBrowser sample in anonymous mode - SSLCAUTH(OPTIONAL) - using both an IBM JRE and the Oracle JRE. Only difference in the commands below is the use of the useIBMCipherMappings setting.

IBM JRE:-
Code:
java -Djavax.net.ssl.trustStore=C:\MQGem\MQGem.jks -Djavax.net.ssl.keyStore=C:\MQGem\MQGem.jks -Djavax.net.ssl.keyStorePassword=passw0rd JmsJndiConsumer -i file:/c:/JNDI-Directory -c MQGEM-CCDT -d MQGEM-Q


Oracle JRE:-
Code:
java -Djavax.net.ssl.trustStore=C:\MQGem\MQGem.jks -Djavax.net.ssl.keyStore=C:\MQGem\MQGem.jks -Djavax.net.ssl.keyStorePassword=passw0rd -Dcom.ibm.mq.cfg.useIBMCipherMappings=false JmsJndiConsumer -i file:/c:/JNDI-Directory -c MQGEM-CCDT -d MQGEM-Q


Having successfully made this connection, I alter my SVRCONN to have SSLCAUTH(REQUIRED) and proceed to make a certificate for my client, sign it, receive it into my java keystore, and re-run my IBM JRE example. It works fine, the certificate is presented to the queue manager, and I can see the DNs from it in my DISPLAY CHSTATUS output.

I run my Oracle JRE example and it fails - because it hasn't presented a certificate to the queue manager.

So my question is, how do you tell the Oracle JRE which certificate to use? Or, how does the Oracle JRE determine which certificate it is going to pick (or not pick)?

Cheers,
Morag
_________________
Morag Hughson @MoragHughson
IBM MQ Technical Education Specialist
Get your IBM MQ training here!
MQGem Software


Last edited by hughson on Thu Jul 27, 2017 4:06 pm; edited 1 time in total
Back to top
View user's profile Send private message Visit poster's website
mqjeff
PostPosted: Thu Jul 27, 2017 3:40 am    Post subject: Reply with quote

Grand Master

Joined: 25 Jun 2008
Posts: 17447

Having sat in an SSL session taught by you (at a Hyatt *lo* these many years ago), I'm sure you know more about that than I do.

But the Oracle JRE should use the same runtime paramters to point to the keystore and truststore and the IBM JRE.

Or, if you're doing EBJs or etc... again, the same parameters...

But have you checked little tweaky things like cypher specs and etc?

I also notice that you have
Code:
C:\MQGem\MQGem.jks
but then
Code:
file:/c:/JNDI-Directory


You could try making these consistent... the Oracle JRE may be less forgiving.
_________________
chmod -R ugo-wx /
Back to top
View user's profile Send private message
hughson
PostPosted: Thu Jul 27, 2017 12:33 pm    Post subject: Reply with quote

Padawan

Joined: 09 May 2013
Posts: 1914
Location: Bay of Plenty, New Zealand

My Oracle JRE command invocation is successfully able to use the JNDI look up to do an anonymous client connection. It only doesn't work when I want it to send a certificate. So I don't believe the JNDI path separators are the problem. But I will experiment just in case.

I have already got the switch to get the cipher specs to work, as evidenced by the fact that it works in anonymous mode.

I assume there is some label or property of the certificate - key usage perhaps? - that makes the Oracle JSSE pick it, that is not needed for the IBM JSSE. Hoping someone out there has successfully made a mutually authentication Java client TLS connection.

Cheers,
Morag
_________________
Morag Hughson @MoragHughson
IBM MQ Technical Education Specialist
Get your IBM MQ training here!
MQGem Software
Back to top
View user's profile Send private message Visit poster's website
tczielke
PostPosted: Thu Jul 27, 2017 12:47 pm    Post subject: Reply with quote

Guardian

Joined: 08 Jul 2010
Posts: 939
Location: Illinois, USA

From what I have read/experienced, it is undetermined which personal certificate will be selected if there are multiple personal certificates in the keystore with JSSE. The way we handle this is just to make sure there is one personal certificate in the keystore when working with our MQ Java client applications that need to use TLS.
_________________
Working with MQ since 2010.
Back to top
View user's profile Send private message
hughson
PostPosted: Thu Jul 27, 2017 12:57 pm    Post subject: Reply with quote

Padawan

Joined: 09 May 2013
Posts: 1914
Location: Bay of Plenty, New Zealand

I only have one personal certificate in my keystore. It doesn't get selected.

Do you have an example of the command you use to create it that I could compare to mine? I used runmqckm to make the certificate request and also to receive the signed certificate.

Cheers
Morag
_________________
Morag Hughson @MoragHughson
IBM MQ Technical Education Specialist
Get your IBM MQ training here!
MQGem Software
Back to top
View user's profile Send private message Visit poster's website
tczielke
PostPosted: Thu Jul 27, 2017 1:01 pm    Post subject: Reply with quote

Guardian

Joined: 08 Jul 2010
Posts: 939
Location: Illinois, USA

If you add "-Djavax.net.debug=all" to your command line, you will get some diagnostics on what the Java client is doing with the TLS handshake. I use IKeyman to generate the java keystore.
_________________
Working with MQ since 2010.
Back to top
View user's profile Send private message
hughson
PostPosted: Thu Jul 27, 2017 3:47 pm    Post subject: Reply with quote

Padawan

Joined: 09 May 2013
Posts: 1914
Location: Bay of Plenty, New Zealand

I followed your advice and added -Djavax.net.debug=all to my command line.

In the output, after the initial handshake and validation of the queue manager certificate by the client, I can see the server making the request for a certificate:-

Code:
*** CertificateRequest
Cert Types: RSA
Cert Authorities:
<CN=MQGem CA, O=MQGem Software>
<CN=MQG1, O=MQGem Software>

Then I see that it says:-
Code:
Warning: no suitable certificate found - continuing without client authentication
*** Certificate chain
<Empty>
***

Suggesting that it has not found a certificate that is signed by any of the Cert Authorities sent by the server. Even though, my client certificate is signed by the MQGem CA.

I can even see at the start of the output:-

Code:
adding as trusted cert:
  Subject: CN=Client App, O=MQGem Software
  Issuer:  CN=MQGem CA, O=MQGem Software
  :
adding as trusted cert:
  Subject: CN=MQGem CA, O=MQGem Software
  Issuer:  CN=MQGem CA, O=MQGem Software
  :

So it can definitely see my client certificate.

Also, in the output, there is only mention of the TrustStore, no mention of the KeyStore. I re-run using a bad KeyStore password, and the output and behaviour are identical (but for random numbers and hashes differing). It would seem that the KeyStore is NEVER used. That would certainly account for the problem.

According to http://docs.oracle.com/javase/7/docs/technotes/guides/security/jsse/ReadDebug.html the first thing in the output should be the keyEntry in the supplied KeyStore. I do not see any such output. The first thing in my output is the truststore information which comes next according to that link. Yet more evidence that my KeyStore is being ignored.

If I run the exact same test with javax.net.debug=all using the IBM JRE, I do see the keyEntry at the start of the output. This using the exact same trustStore and keyStore as I used and failed with the Oracle JRE.

Anyone seen such a problem with the Oracle JRE ignoring your specified Keystore? My Oracle JRE version is:-
Code:
java version "1.8.0_60"
Java(TM) SE Runtime Environment (build 1.8.0_60-b27)
Java HotSpot(TM) 64-Bit Server VM (build 25.60-b23, mixed mode)

Perhaps I should look for an update?

Cheers,
Morag
_________________
Morag Hughson @MoragHughson
IBM MQ Technical Education Specialist
Get your IBM MQ training here!
MQGem Software
Back to top
View user's profile Send private message Visit poster's website
tczielke
PostPosted: Thu Jul 27, 2017 3:59 pm    Post subject: Reply with quote

Guardian

Joined: 08 Jul 2010
Posts: 939
Location: Illinois, USA

Do you maybe need APAR IT10837 mentioned in here?

https://www.ibm.com/developerworks/community/blogs/messaging/entry/MQ_Java_TLS_Ciphers_Non_IBM_JREs_APARs_IT06775_IV66840_IT09423_IT10837_HELP_ME_PLEASE?lang=en
_________________
Working with MQ since 2010.
Back to top
View user's profile Send private message
hughson
PostPosted: Thu Jul 27, 2017 4:05 pm    Post subject: Reply with quote

Padawan

Joined: 09 May 2013
Posts: 1914
Location: Bay of Plenty, New Zealand

tczielke wrote:
Do you maybe need APAR IT10837 mentioned in here?

https://www.ibm.com/developerworks/community/blogs/messaging/entry/MQ_Java_TLS_Ciphers_Non_IBM_JREs_APARs_IT06775_IV66840_IT09423_IT10837_HELP_ME_PLEASE?lang=en

BINGO!

Yes, I'm running V8.0.0.4, and that APAR is in V8.0.0.5.

You star!

Ran with V9 (quicker than downloading V8.0.0.5) and it worked.

Cheers!
Morag
_________________
Morag Hughson @MoragHughson
IBM MQ Technical Education Specialist
Get your IBM MQ training here!
MQGem Software
Back to top
View user's profile Send private message Visit poster's website
Display posts from previous:   
Post new topic  Reply to topic Page 1 of 1

MQSeries.net Forum Index » IBM MQ Java / JMS » JMS using TLS using Oracle JRE - SOLVED!
Jump to:  



You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
Protected by Anti-Spam ACP
 
 


Theme by Dustin Baccetti
Powered by phpBB © 2001, 2002 phpBB Group

Copyright © MQSeries.net. All rights reserved.