ASG
IBM
Zystems
Cressida
Icon
Netflexity
 
  MQSeries.net
Search  Search       Tech Exchange      Education      Certifications      Library      Info Center      SupportPacs      LinkedIn  Search  Search                                                                   FAQ  FAQ   Usergroups  Usergroups
 
Register  ::  Log in Log in to check your private messages
 
RSS Feed - WebSphere MQ Support RSS Feed - Message Broker Support

MQSeries.net Forum IndexWebSphere Message Broker SupportTLSv1.2 protocol in message broker 7.0.0.8

Post new topicReply to topic Goto page 1, 2  Next
TLSv1.2 protocol in message broker 7.0.0.8 View previous topic :: View next topic
Author Message
prabhuoist
PostPosted: Wed Nov 08, 2017 2:46 am Post subject: TLSv1.2 protocol in message broker 7.0.0.8 Reply with quote

Novice

Joined: 10 Oct 2017
Posts: 20

Hi Team,

Is it possible to use TLSv1.2 protocol in message broker 7.0.0.8.

I am trying to call client which is having TLSv1.2 protocol but I am getting

"An error occurred whilst performing an SSL socket operation"

java.lang.NullPointerException.

I have set the SSL certificate as well.

However i am able to get the response from SOAPUI.
Back to top
View user's profile Send private message
zpat
PostPosted: Wed Nov 08, 2017 3:00 am Post subject: Reply with quote

Jedi Council

Joined: 19 May 2001
Posts: 5563
Location: UK

"call client" is a vague term as is "set SSL certificate".

Which broker nodes are you using?

What did you set the SSL protocol to?

Is this one-way or two-way SSL?
_________________
Well, I don't think there is any question about it. It can only be attributable to human error. This sort of thing has cropped up before, and it has always been due to human error.
Back to top
View user's profile Send private message
prabhuoist
PostPosted: Wed Nov 08, 2017 3:09 am Post subject: Reply with quote

Novice

Joined: 10 Oct 2017
Posts: 20

Broker node - HTTP Request Node

I believe its one way ssl as they have given the SSL certificate to us and we have configured certificate on cacert file.

SSL protocol set to TLSv1.2
Back to top
View user's profile Send private message
zpat
PostPosted: Wed Nov 08, 2017 3:34 am Post subject: Reply with quote

Jedi Council

Joined: 19 May 2001
Posts: 5563
Location: UK

What type of certificate have they given you? A personal (server) cert or a Certificate Authority signer cert?

Are you trying to validate the server cert their web service presents to you, or are you trying to present a server certificate to their web service?

cacerts is only for signer (CA) certs and is best left alone as IBM replace this file with fixpacks etc.

You could create your own JKS and use it for the execution group keystore/truststore to keep your certs away from IBM's supplied ones.
_________________
Well, I don't think there is any question about it. It can only be attributable to human error. This sort of thing has cropped up before, and it has always been due to human error.
Back to top
View user's profile Send private message
prabhuoist
PostPosted: Wed Nov 08, 2017 10:20 pm Post subject: Reply with quote

Novice

Joined: 10 Oct 2017
Posts: 20

Hi,

It is self certified server certificate as the Server is in Private network.
We have got the certificate and we have import the same in Message broker using keytool -import command.

It was working till the time they have configured TLSv1 then client have changed it TLSV1.2 and strong cypher .
Back to top
View user's profile Send private message
zpat
PostPosted: Wed Nov 08, 2017 11:53 pm Post subject: Reply with quote

Jedi Council

Joined: 19 May 2001
Posts: 5563
Location: UK

Run a SSL debug trace on the broker.

export IBM_JAVA_OPTIONS="-Djavax.net.debug=ssl"

Restart broker, run the flow, look in the EG JVM directory for the trace.

Turn trace off afterwards as it affects the whole broker.
_________________
Well, I don't think there is any question about it. It can only be attributable to human error. This sort of thing has cropped up before, and it has always been due to human error.
Back to top
View user's profile Send private message
prabhuoist
PostPosted: Thu Nov 09, 2017 5:16 am Post subject: Reply with quote

Novice

Joined: 10 Oct 2017
Posts: 20

Hi There,

We are able to hit url successfully from local machine now(i.e. windows) but when we deploy same code and same certificate on test servers(i.e. AIX 6.1) we are getting SSL handshake error.

broker java version on local as well as on test server is same.
Back to top
View user's profile Send private message
prabhuoist
PostPosted: Thu Nov 09, 2017 10:46 pm Post subject: Reply with quote

Novice

Joined: 10 Oct 2017
Posts: 20

Dear All,

Any suggestion.
Back to top
View user's profile Send private message
fjb_saper
PostPosted: Thu Nov 09, 2017 11:07 pm Post subject: Reply with quote

Grand Poobah

Joined: 18 Nov 2003
Posts: 19398
Location: LI,NY

prabhuoist wrote:
Dear All,

Any suggestion.

Upgrade.... that version is no longer supported...
_________________
MQ & Broker admin
Back to top
View user's profile Send private message Send e-mail
fjb_saper
PostPosted: Thu Nov 09, 2017 11:11 pm Post subject: Reply with quote

Grand Poobah

Joined: 18 Nov 2003
Posts: 19398
Location: LI,NY

prabhuoist wrote:
Hi There,

We are able to hit url successfully from local machine now(i.e. windows) but when we deploy same code and same certificate on test servers(i.e. AIX 6.1) we are getting SSL handshake error.

broker java version on local as well as on test server is same.

Don't have enough information about your cert.
But the reason could well be because you are using the same cert as on windows and it no longer describes adequately the server you're running on...

Each server needs to have it's own cert.
_________________
MQ & Broker admin
Back to top
View user's profile Send private message Send e-mail
zpat
PostPosted: Thu Nov 09, 2017 11:55 pm Post subject: Reply with quote

Jedi Council

Joined: 19 May 2001
Posts: 5563
Location: UK

prabhuoist wrote:
Any suggestion.


Yes, run the trace, or alternatively rely on guesswork.
_________________
Well, I don't think there is any question about it. It can only be attributable to human error. This sort of thing has cropped up before, and it has always been due to human error.
Back to top
View user's profile Send private message
prabhuoist
PostPosted: Mon Nov 13, 2017 12:48 am Post subject: Reply with quote

Novice

Joined: 10 Oct 2017
Posts: 20

We have ran this trace but trace files are not being created any where.
Back to top
View user's profile Send private message
prabhuoist
PostPosted: Mon Nov 13, 2017 1:05 am Post subject: Reply with quote

Novice

Joined: 10 Oct 2017
Posts: 20

The same error we have recreated on another test(AIX) server and below are the trace log :

javax.net.ssl.SSLHandshakeException: No appropriate protocol
2017-11-13 14:28:37.561 26 at com.ibm.jsse2.lb.c(lb.java:433)
2017-11-13 14:28:37.562 26 at com.ibm.jsse2.SSLSocketImpl.i(SSLSocketImpl.java:476)
2017-11-13 14:28:37.563 26 at com.ibm.jsse2.SSLSocketImpl.h(SSLSocketImpl.java:15)
2017-11-13 14:28:37.563 26 at com.ibm.jsse2.SSLSocketImpl.a(SSLSocketImpl.java:676)
2017-11-13 14:28:37.564 26 at com.ibm.jsse2.SSLSocketImpl.startHandshake(SSLSocketImpl.java:620)
2017-11-13 14:28:37.565 26 at com.ibm.broker.imbsslsocket.MbSslSocket.connectTimeoutInternalNoProxy(MbSslSocket.java:305)
2017-11-13 14:28:37.565 26 at com.ibm.broker.imbsslsocket.MbSslSocket.connectTimeout(MbSslSocket.java:151)
2017-11-13 14:28:37.566 26 at com.ibm.broker.plugin.MbOutputTerminal._propagate(Native Method)
2017-11-13 14:28:37.567 26 at com.ibm.broker.plugin.MbOutputTerminal.propagate(MbOutputTerminal.java:107)
2017-11-13 14:28:37.567 26 at com.ibm.xsl.mqsi.XMLTransformNode.evaluate(XMLTransformNode.java:1015)
2017-11-13 14:28:37.568 26 at com.ibm.broker.plugin.MbNode.evaluate(MbNode.java:1469)


It is saying no appropriate protocol.

However same code is working on local (windows) machine.
Back to top
View user's profile Send private message
zpat
PostPosted: Mon Nov 13, 2017 1:26 am Post subject: Reply with quote

Jedi Council

Joined: 19 May 2001
Posts: 5563
Location: UK

prabhuoist wrote:
We have ran this trace but trace files are not being created any where.


As already mentioned, the SSL trace will be in stdout or stderr in the execution group's JVM directory location.
_________________
Well, I don't think there is any question about it. It can only be attributable to human error. This sort of thing has cropped up before, and it has always been due to human error.
Back to top
View user's profile Send private message
prabhuoist
PostPosted: Mon Nov 13, 2017 1:46 am Post subject: Reply with quote

Novice

Joined: 10 Oct 2017
Posts: 20

After removing the cypher in "ALLOWED SSL CYPHER" in HTTP Request Node,

Now we are getting below error :

javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
2017-11-13 15:03:35.757 31 at com.ibm.jsse2.p.a(p.java:36)
2017-11-13 15:03:35.757 31 at com.ibm.jsse2.p.a(p.java:23)
2017-11-13 15:03:35.758 31 at com.ibm.jsse2.SSLSocketImpl.b(SSLSocketImpl.java:789)
2017-11-13 15:03:35.759 31 at com.ibm.jsse2.SSLSocketImpl.a(SSLSocketImpl.java:397)
2017-11-13 15:03:35.759 31 at com.ibm.jsse2.SSLSocketImpl.h(SSLSocketImpl.java:320)
2017-11-13 15:03:35.760 31 at com.ibm.jsse2.SSLSocketImpl.a(SSLSocketImpl.java:676)
2017-11-13 15:03:35.761 31 at com.ibm.jsse2.SSLSocketImpl.startHandshake(SSLSocketImpl.java:620)
2017-11-13 15:03:35.761 31 at com.ibm.broker.imbsslsocket.MbSslSocket.connectTimeoutInternalNoProxy(MbSslSocket.java:305)
2017-11-13 15:03:35.763 31 at com.ibm.broker.imbsslsocket.MbSslSocket.connectTimeout(MbSslSocket.java:151)
2017-11-13 15:03:35.763 31 at com.ibm.broker.plugin.MbOutputTerminal._propagate(Native Method)
2017-11-13 15:03:35.764 31 at com.ibm.broker.plugin.MbOutputTerminal.propagate(MbOutputTerminal.java:107)
2017-11-13 15:03:35.765 31 at com.ibm.xsl.mqsi.XMLTransformNode.evaluate(XMLTransformNode.java:1015)
2017-11-13 15:03:35.766 31 at com.ibm.broker.plugin.MbNode.evaluate(MbNode.java:1469)


Still our code works fine in local environment.
Back to top
View user's profile Send private message
Display posts from previous:
Post new topicReply to topic Goto page 1, 2  Next Page 1 of 2

MQSeries.net Forum IndexWebSphere Message Broker SupportTLSv1.2 protocol in message broker 7.0.0.8
Jump to:



You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
Protected by Anti-Spam ACP


Theme by Dustin Baccetti
Powered by phpBB 2001, 2002 phpBB Group

Copyright MQSeries.net. All rights reserved.