ASG
IBM
Zystems
Cressida
Icon
Netflexity
 
  MQSeries.net
Search  Search       Tech Exchange      Education      Certifications      Library      Info Center      SupportPacs      LinkedIn  Search  Search                                                                   FAQ  FAQ   Usergroups  Usergroups
 
Register  ::  Log in Log in to check your private messages
 
RSS Feed - WebSphere MQ Support RSS Feed - Message Broker Support

MQSeries.net Forum IndexWebSphere Message Broker SupportIIB v10 One Way SSL handshake_failure with SOAP Request/HTTP

Post new topicReply to topic
IIB v10 One Way SSL handshake_failure with SOAP Request/HTTP View previous topic :: View next topic
Author Message
Partha.Baidya
PostPosted: Tue Nov 21, 2017 8:39 pm Post subject: IIB v10 One Way SSL handshake_failure with SOAP Request/HTTP Reply with quote

Acolyte

Joined: 05 Nov 2009
Posts: 74

Trying an One way SSL with IIB v10.0.0.7 with SOAPRequat/http node as client. There is another SOAPINput/Reply node as Provider flow.
Created the necessary keystore in Provider and Truststore in Consume.
Getting Exception as
Code:
Text:CHARACTER:javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure


Collected a JSSE trace to debug HTTPS problems. Which says
Code:
nable to negotiate SSL connection. Client key alias supplied was [].


Could you please let me know what could be the issue with Handshake?
Why the client key alias in empty?
Back to top
View user's profile Send private message
zpat
PostPosted: Wed Nov 22, 2017 12:17 am Post subject: Reply with quote

Jedi Council

Joined: 19 May 2001
Posts: 5578
Location: UK

The client key alias is the label of the personal certificate in the keystore.

If blank it should use the first one in the keystore.

You can set the client key alias value in node properties if you want.
_________________
Well, I don't think there is any question about it. It can only be attributable to human error. This sort of thing has cropped up before, and it has always been due to human error.
Back to top
View user's profile Send private message
Partha.Baidya
PostPosted: Wed Nov 22, 2017 5:24 am Post subject: Reply with quote

Acolyte

Joined: 05 Nov 2009
Posts: 74

Is this an optional field?
Personal certificate of Provider has to mention here?
Back to top
View user's profile Send private message
fjb_saper
PostPosted: Wed Nov 22, 2017 5:48 am Post subject: Reply with quote

Grand Poobah

Joined: 18 Nov 2003
Posts: 19432
Location: LI,NY

The broker is not a browser and as such has no default private key.
You need to create a private public key pair for the broker to be able to present an X509 cert...
_________________
MQ & Broker admin
Back to top
View user's profile Send private message Send e-mail
Partha.Baidya
PostPosted: Wed Nov 22, 2017 6:06 am Post subject: Reply with quote

Acolyte

Joined: 05 Nov 2009
Posts: 74

I have already created a keystone & truststore in the provider broker. Created a trustore in consumer broker.
I am using Soap/http in the consumer broker flow in soap requst node.
My question was in soap request http connection which personal key level has to given in the key alias field?
Back to top
View user's profile Send private message
fjb_saper
PostPosted: Wed Nov 22, 2017 6:21 am Post subject: Reply with quote

Grand Poobah

Joined: 18 Nov 2003
Posts: 19432
Location: LI,NY

Partha.Baidya wrote:
I have already created a keystone & truststore in the provider broker. Created a trustore in consumer broker.
I am using Soap/http in the consumer broker flow in soap requst node.
My question was in soap request http connection which personal key level has to given in the key alias field?

From what you described your client only has a truststore. The server is requesting the cert of the client and there is none. It is not like the server is going to verify the cert of the client but it needs one to finish the handshake.

So your client needs to have an SSL cert to provide to the server. (basic browser functionality).
_________________
MQ & Broker admin
Back to top
View user's profile Send private message Send e-mail
Partha.Baidya
PostPosted: Wed Nov 22, 2017 7:13 am Post subject: Reply with quote

Acolyte

Joined: 05 Nov 2009
Posts: 74

But I am using One way SSL with SOAP nodes.
For one way SSL, client certificate is not required to present to Server.
Is it like the SOAP nodes in WMB does not support One way SSL?
Back to top
View user's profile Send private message
Partha.Baidya
PostPosted: Wed Nov 22, 2017 7:30 am Post subject: Reply with quote

Acolyte

Joined: 05 Nov 2009
Posts: 74

I added the Server label in the alias name.
Now am not getting alias [] error.
But the ssl handshake failing.

Code:
2017-11-22 09:23:16.903     97 unable to negotiate SSL connection. Client key alias supplied was [wmbcert].


Code:

Exception in thread "Thread-53" 2017-11-22 09:23:16.905     97 javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure


What is the other option to check why the handshake fails?[/code]
Back to top
View user's profile Send private message
fjb_saper
PostPosted: Wed Nov 22, 2017 11:13 am Post subject: Reply with quote

Grand Poobah

Joined: 18 Nov 2003
Posts: 19432
Location: LI,NY

did you try running the JVM with -Djavax.net.ssl="debug" and what did the debug level trace say?
Do you have the full trustchain in the truststore?
_________________
MQ & Broker admin
Back to top
View user's profile Send private message Send e-mail
zpat
PostPosted: Wed Nov 22, 2017 11:59 pm Post subject: Reply with quote

Jedi Council

Joined: 19 May 2001
Posts: 5578
Location: UK

The blank alias was not actually an error.

You need to find the actual problem by looking at a SSL trace in the execution group stdout/stderr.
_________________
Well, I don't think there is any question about it. It can only be attributable to human error. This sort of thing has cropped up before, and it has always been due to human error.
Back to top
View user's profile Send private message
Display posts from previous:
Post new topicReply to topic Page 1 of 1

MQSeries.net Forum IndexWebSphere Message Broker SupportIIB v10 One Way SSL handshake_failure with SOAP Request/HTTP
Jump to:



You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
Protected by Anti-Spam ACP


Theme by Dustin Baccetti
Powered by phpBB 2001, 2002 phpBB Group

Copyright MQSeries.net. All rights reserved.