andrewfemin |
Posted: Sat Aug 26, 2017 4:42 am Post subject: SSLHandshakeException in IIB 9.0.0.7 |
|
|
 Acolyte
Joined: 26 Aug 2017 Posts: 54
|
Hello,
I'm trying to call a SOAP webservice from IIB SOAP Request node. The URL is a HTTPS URL. I am getting SSLHandshakeException in SOAP Request node. I have imported the certificates in my keystore and restarted the EG after the import. PFB the Exception Tree:
Code: |
ExceptionList
RecoverableException
File:CHARACTER:/build/slot1/S900_P/src/DataFlowEngine/MessageServices/ImbDataFlowNode.cpp
Line:INTEGER:1140
Function:CHARACTER:ImbDataFlowNode::createExceptionList
Type:CHARACTER:ComIbmSOAPRequestNode
Name:CHARACTER:AMDMVendorInbound#FCMComposite_1_17
Label:CHARACTER:AMDMVendorInbound.SOAP Request
Catalog:CHARACTER:BIPmsgs
Severity:INTEGER:3
Number:INTEGER:2230
Text:CHARACTER:Node throwing exception
Insert
Type:INTEGER:14
Text:CHARACTER:AMDMVendorInbound.SOAP Request
RecoverableException
File:CHARACTER:/build/slot1/S900_P/src/WebServices/WSLibrary/ImbSOAPRequestNode.cpp
Line:INTEGER:846
Function:CHARACTER:ImbSOAPRequestNode::requestData
Type:CHARACTER:ComIbmSOAPRequestNode
Name:CHARACTER:AMDMVendorInbound#FCMComposite_1_17
Label:CHARACTER:AMDMVendorInbound.SOAP Request
Catalog:CHARACTER:BIPmsgs
Severity:INTEGER:3
Number:INTEGER:3754
Text:CHARACTER:Error occurred in ImbSOAPRequestHelper::makeSOAPRequest()
RecoverableException
File:CHARACTER:/build/slot1/S900_P/src/WebServices/WSLibrary/ImbSOAPRequestHelper.cpp
Line:INTEGER:3676
Function:CHARACTER:ImbSOAPRequestHelper::logWebServiceInvocationException
Type:CHARACTER:
Name:CHARACTER:
Label:CHARACTER:
Catalog:CHARACTER:BIPmsgs
Severity:INTEGER:3
Number:INTEGER:3162
Text:CHARACTER:WebService Request Exception
Insert
Type:INTEGER:12
Text:CHARACTER:436f6e74656e742d4c656e6774683a203330390d0a417574686f72697a6174696f6e3a2042617369632063335a6a625752745a574670
4d4449365532566a64584a7064486b780d0a436f6e74656e742d547970653a20746578742f786d6c3b20636861727365743d7574662d380d0a486f7374
3a2062706d2d7161322e737973636f2e636f6d0d0a534f4150416374696f6e3a2022687474703a2f2f7777772e6578616d706c652e6f72672f4541495365
72766963652f4e65774f7065726174696f6e220d0a436f6e6e656374696f6e3a204b6565702d416c6976650d0a0d0a
Insert
Type:INTEGER:12
Text:CHARACTER:3c736f6170656e763a456e76656c6f706520786d6c6e733a
736f6170656e763d22687474703a2f2f736368656d61732e786d6c736f6170
2e6f72672f736f61702f656e76656c6f70652f2220786d6c6e733a656169733d22687474703a2f2f737973636f2e636f6d2f454149536572766963652f223e3c736f6170656e763a4865616465723e3c2f736f6170656e763a4865616465
723e3c736f6170656e763a426f64793e3c656169733a4e65774f7065726174696f6e3e3c73617056656e646f724e756d6265723e34303032343831373c2f
73617056656e646f724e756d6265723e3c737576634e756d6265723e3138373c2f737576634e756d6265723e3c2f656169733a4e65774f7065726174696
f6e3e3c2f736f6170656e763a426f64793e3c2f736f6170656e763a456e76656c6f70653e
Insert
Type:INTEGER:5
Text:CHARACTER:
Insert
Type:INTEGER:5
Text:CHARACTER:
Insert
Type:INTEGER:5
Text:CHARACTER:POST /bpm/*****com/mdm/vendor/mgmt/prc/maintvend/***Msg HTTP/1.1
RecoverableException
File:CHARACTER:/build/slot1/S900_P/src/WebServices/WSLibrary/ImbWSRequest.cpp
Line:INTEGER:474
Function:CHARACTER:ImbWSRequest::makeWSRequest
Type:CHARACTER:
Name:CHARACTER:
Label:CHARACTER:
Catalog:CHARACTER:BIPmsgs
Severity:INTEGER:3
Number:INTEGER:3152
Text:CHARACTER:A Web Service request has detected a SOCKET error whilst invoking a web service located at host &1, on port &2, on path &3.
Insert
Type:INTEGER:5
Text:CHARACTER:***-qa2.*****.com
Insert
Type:INTEGER:2
Text:CHARACTER:443
Insert
Type:INTEGER:5
Text:CHARACTER:/bpm/*****com/mdm/vendor/mgmt/prc/maintvend/***Msg
SocketException
File:CHARACTER:/build/slot1/S900_P/src/WebServices/WSLibrary/ImbSocket.cpp
Line:INTEGER:1314
Function:CHARACTER:ImbSocketJNIManager::handleGeneralJavaException
Type:CHARACTER:
Name:CHARACTER:
Label:CHARACTER:
Catalog:CHARACTER:BIPmsgs
Severity:INTEGER:3
Number:INTEGER:3165
Text:CHARACTER:An error occurred whilst performing an SSL socket operation
Insert
Type:INTEGER:5
Text:CHARACTER:connect
Insert
Type:INTEGER:5
Text:CHARACTER:javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
|
Please note that I have other flows calling other HTTPS URLs running in the same server and they are all working fine. Please help me find what I am doing wrong here.  |
 |
fjb_saper |
Posted: Sat Aug 26, 2017 11:21 am Post subject: |
|
|
 Grand High Poobah
Joined: 18 Nov 2003 Posts: 20756 Location: LI,NY
|
Well you got a handshake failure....
So I would check that the right certificate is available in the keystore. Are those other calls originating from the same integration server (eg) using the same certificate? Is the trustchain available in the truststore?  _________________ MQ & Broker admin |
 |
andrewfemin |
Posted: Sat Aug 26, 2017 11:50 pm Post subject: |
|
|
 Acolyte
Joined: 26 Aug 2017 Posts: 54
|
Thanks for the reply.
Please note that this used to work fine without any issues earlier when the broker version running was 9.0.0.1. Then we upgraded to IIB 9.0.0.7. That is when we suddenly started getting this error. This is weird because all other HTTPS calls are working fine. I checked the keystore and I can see the Root certificate, intermediate certificate and the URL certificate for this URL are present there.
The other calls are originating from the same integration server but different URLs using different certificates. |
 |
mqjeff |
Posted: Sun Aug 27, 2017 6:35 am Post subject: |
|
|
Grand Master
Joined: 25 Jun 2008 Posts: 17447
|
... anything involving external entries should be in the truststore not the keystore. _________________ chmod -R ugo-wx / |
 |
andrewfemin |
Posted: Mon Aug 28, 2017 12:11 am Post subject: |
|
|
 Acolyte
Joined: 26 Aug 2017 Posts: 54
|
My truststore and keystore are the same. PFB the output when I run this command:
[b]Command:[/b]
[code]
mqsireportproperties <BrokerName> -o BrokerRegistry -a
[/code]
[b]Output:[/b]
[code]
BrokerRegistry
uuid='BrokerRegistry'
brokerKeystoreType='JKS'
brokerKeystoreFile='/opt/IBM/mqsi/9.0.0.1/jre17/lib/security/cacerts'
brokerKeystorePass='********'
brokerTruststoreType='JKS'
brokerTruststoreFile='/opt/IBM/mqsi/9.0.0.1/jre17/lib/security/cacerts'
brokerTruststorePass='********'
brokerCRLFileList=''
httpConnectorPortRange=''
httpsConnectorPortRange=''
allowSSLv3=''
brokerKerberosConfigFile=''
brokerKerberosKeytabFile=''
modeExtensions=''
operationMode='enterprise'
shortDesc=''
longDesc=''
[/code]
And the certificates are present in this keystore.
Please note that IIB is running 9.0.0.7 but the keystore and truststore being referred to are from 9.0.0.1. Is that an issue? |
 |
JosephGramig |
Posted: Mon Aug 28, 2017 7:52 am Post subject: |
|
|
 Grand Master
Joined: 09 Feb 2006 Posts: 1244 Location: Gold Coast of Florida, USA
|
andrewfemin wrote: |
Please note that IIB is running 9.0.0.7 but the keystore and truststore being referred is from 9.0.0.1. Is that an issue? |
No, but why would you put your key/trust store where the product was installed? Wouldn't it make more sense to put it where the Integration Bus is located (say if you specified the -e when you created it (and then in a directory named pki))?
Is the cipher you are attempting supported at IIB 9 FP7? |
 |
fjb_saper |
Posted: Mon Aug 28, 2017 7:10 pm Post subject: |
|
|
 Grand High Poobah
Joined: 18 Nov 2003 Posts: 20756 Location: LI,NY
|
Are you sure that the cipher you are attempting is supported by the certificate?
Elliptic curve ciphers especially may need a different certificate from the usual RSA one...  _________________ MQ & Broker admin |
 |
andrewfemin |
Posted: Tue Aug 29, 2017 5:12 am Post subject: |
|
|
 Acolyte
Joined: 26 Aug 2017 Posts: 54
|
Thanks everyone for the help. The issue was with the SSLProtocol. I had selected TLS in SOAPRequest Node. When I tried with TLSv1.2, it worked.
Still I don't understand why it was working in 9.0.0.1, but not in 9.0.0.7. |
 |
JosephGramig |
Posted: Tue Aug 29, 2017 7:25 am Post subject: |
|
|
 Grand Master
Joined: 09 Feb 2006 Posts: 1244 Location: Gold Coast of Florida, USA
|
Did you read the "read me" file with FP7?
I bet they deprecated the cipher you were using...
Since it is after the fact, now would be a good time to read the "readme" file.  |
 |
mqjeff |
Posted: Tue Aug 29, 2017 7:26 am Post subject: |
|
|
Grand Master
Joined: 25 Jun 2008 Posts: 17447
|
JosephGramig wrote: |
I bet they deprecated the cipher you were using... |
Or anything other than TLS1.2... _________________ chmod -R ugo-wx / |
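
The fix in this thread was a protocol-version setting, which a bare `handshake_failure` alert does not reveal. As an added example (not code from any poster or from IBM), this Java probe tries one handshake per TLS version and reports which ones the endpoint accepts; running it with the broker's own JRE exercises the same JSSE stack as the SOAP Request node. The class name and the default host are placeholders, and the JVM's default trust store is assumed unless `-Djavax.net.ssl.trustStore` is supplied.

```java
import java.io.IOException;
import java.net.InetSocketAddress;
import java.net.Socket;
import java.util.Arrays;
import java.util.List;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocket;

public class TlsVersionProbe {
    // One handshake attempt with exactly one protocol version enabled.
    static String probe(SSLContext ctx, String host, int port, String protocol) {
        try (Socket raw = new Socket()) {
            raw.connect(new InetSocketAddress(host, port), 5000);
            raw.setSoTimeout(5000);
            // Layer TLS over the connected socket so JSSE knows the host name.
            try (SSLSocket tls = (SSLSocket) ctx.getSocketFactory()
                    .createSocket(raw, host, port, true)) {
                tls.setEnabledProtocols(new String[] {protocol});
                tls.startHandshake();
                return "accepted, cipher suite " + tls.getSession().getCipherSuite();
            }
        } catch (IOException e) {
            // SSLHandshakeException is an IOException. The message separates a
            // peer alert (handshake_failure, protocol_version) from a local
            // trust failure (certificate path validation errors).
            return "failed: " + e;
        }
    }

    public static void main(String[] args) throws Exception {
        // Placeholder target; pass the real host and port as arguments.
        String host = args.length > 0 ? args[0] : "service.example.invalid";
        int port = args.length > 1 ? Integer.parseInt(args[1]) : 443;
        SSLContext ctx = SSLContext.getDefault();
        List<String> supported =
                Arrays.asList(ctx.getSupportedSSLParameters().getProtocols());
        for (String protocol : new String[] {"TLSv1", "TLSv1.1", "TLSv1.2"}) {
            // setEnabledProtocols throws on names the JRE does not know at all.
            String result = supported.contains(protocol)
                    ? probe(ctx, host, port, protocol)
                    : "not supported by this JRE";
            System.out.println(protocol + ": " + result);
        }
    }
}
```

If only `TLSv1.2` is accepted, any client setting that pins an older version will be refused with an alert like the one in the first post.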