SSL setup for truststore in HTTP Request node
shubham_rajput
Posted: Sun Feb 04, 2018 11:15 pm    Post subject: SSL setup for truststore in HTTP Request node

Novice

Joined: 29 Aug 2017
Posts: 13

Hi,
I am using the below flow of HTTP Request node:
MQInput Node---->HTTP Request Node----->Compute Node---->MQOutPut Node

I have also another flow with HTTPInput node:

HTTPinput----->HTTPReply---->MQOutput

I have been issued the personal certificate from the CA in the form (Root certificate->Intermediate certificate->Personal certificate). I have set up the public key infrastructure by configuring the keystore with the chained certificate. So when I give the URL as mentioned in the HTTPInput node via browser, the HTTPInput node flow works fine.

For the HTTPRequest node I have imported the root and intermediate certificates into the truststore and tried to trigger the HTTPInput node flow, but the HTTPInput node does not get triggered and gives the following error:
Code:
( T24_QueCer.default ) An HTTP error occurred. The HTTP Request-Line was: ''POST /EbicsInst HTTP/1.1
''.   

The HTTP Request Header bitstream (if any) to be used was: 'X'''. The HTTP Request Message Body bitstream (if any) to be used was: 'X'[hex dump of the request body omitted]''.
The HTTP Reply Header bitstream (if any) received from the server was: ''''. The HTTP Reply Message Body bitstream (if any) received from the server was: ''''. Ensure that the HTTP data is valid.   



I tried many ways to trigger the HTTPInput flow from the HTTP Request flow but it fails. Is there something else that I may be missing in the configuration?
Please help
fjb_saper
Posted: Mon Feb 05, 2018 5:24 am

Grand Poobah

Joined: 18 Nov 2003
Posts: 19658
Location: LI,NY

First things first:
Is it working without SSL/TLS?

Now you talk about having received the personal cert from the CA and having set up the cert chain... What you don't talk about is having created the private key and certificate request to be signed by the CA?

Also in the HTTP Request node you are supposed to specify the label of the private key to be used for the connection. Did you do that?

Hope this helps
_________________
MQ & Broker admin
shubham_rajput
Posted: Mon Feb 05, 2018 5:48 am

Novice

Joined: 29 Aug 2017
Posts: 13

Hi,
Quote:
Is it working without SSL/TLS?

I have set the sslProtocol to TLSv1.2 at the broker level via the following command:
Code:
mqsichangeproperties T24_QueMgrRet -b httplistener -o HTTPSConnector -n sslProtocol -v TLSv1.2

and protocol in HTTPRequest node is set to TLS.
Quote:
Now you talk about having received the personal cert from the CA and having set up the cert chain... What you don't talk about is having created the private key and certificate request to be signed by the CA?


Yeah, I have created a keystore and, using that keystore, made the certificate signing request and forwarded it to the CA. Only after that I received the .p7b file through which I imported the chain certificate to the keystore.

Quote:
Also in the HTTP Request node you are supposed to specify the label of the private key to be used for the connection. Did you do that?


That was the only thing I was missing, and it is not mentioned in any help doc or at the IBM developer site either. After I specified the private key label from my keystore it worked. Thanks a lot, you just saved me from scratching my head much longer.


I am facing another dilemma, please help with this also. As I said above, I have set sslProtocol to TLSv1.2 via the command:
mqsichangeproperties T24_QueMgrRet -b httplistener -o HTTPSConnector -n sslProtocol -v TLSv1.2

And in the HTTPRequest node properties I set the protocol to TLSv1.2, but when I run the flow I am faced with the below error:
Code:
( T24_QueCer.default ) An error occurred whilst performing an SSL socket operation. Operation: 'connect'. Error Text: 'javax.net.ssl.SSLHandshakeException: Server chose TLSv1, but that protocol version is not enabled or not supported by the client.'.   


Any idea why the flow is failing even after changing the HTTPRequest node properties to TLSv1.2?
fjb_saper
Posted: Mon Feb 05, 2018 7:24 am

Grand Poobah

Joined: 18 Nov 2003
Posts: 19658
Location: LI,NY

The response here is quite clear. You, using the HTTP Request node, are the client. You are choosing to use TLS 1.2. However, the server you are calling chooses TLS 1.

This is why you can't communicate...
_________________
MQ & Broker admin
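To confirm which side is limiting the protocol version, the listener can be probed with one TLS version enabled at a time. This is an added example, not code from the posts or from IBM; the class name `TlsVersionProbe` is hypothetical, and the host and port arguments are assumed to be the HTTPS listener that serves the HTTPInput flow.

```java
import java.net.InetSocketAddress;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;

// Hypothetical helper: reports which TLS versions a listener will negotiate.
public class TlsVersionProbe {

    // Attempt one handshake with exactly one protocol version enabled on the client.
    static String probe(SSLSocketFactory factory, String host, int port, String version) {
        try (SSLSocket socket = (SSLSocket) factory.createSocket()) {
            // May fail locally if the JRE disables this version
            // (jdk.tls.disabledAlgorithms); the exception text says so.
            socket.setEnabledProtocols(new String[] { version });
            socket.connect(new InetSocketAddress(host, port), 5000);
            socket.setSoTimeout(5000);
            socket.startHandshake();
            return "accepted, negotiated " + socket.getSession().getProtocol();
        } catch (Exception e) {
            // A certificate path error here points at the truststore,
            // a protocol_version style error at the version settings.
            return "failed: " + e;
        }
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 2) {
            System.err.println("usage: java TlsVersionProbe <host> <port>");
            System.exit(2);
        }
        String host = args[0];
        int port = Integer.parseInt(args[1]);
        // Default context: certificate chain validation stays on.
        SSLSocketFactory factory = SSLContext.getDefault().getSocketFactory();
        for (String version : new String[] { "TLSv1", "TLSv1.1", "TLSv1.2" }) {
            System.out.println(version + ": " + probe(factory, host, port, version));
        }
    }
}
```

Run it with `-Djavax.net.ssl.trustStore` and `-Djavax.net.ssl.trustStorePassword` pointing at the truststore that holds the root and intermediate certificates, so that a failure reflects the protocol version rather than an untrusted chain. If only the `TLSv1` line succeeds, the listener that answered is not using the TLSv1.2 setting.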
shubham_rajput
Posted: Mon Feb 05, 2018 7:33 am

Novice

Joined: 29 Aug 2017
Posts: 13

But in this case I am choosing the flow with the HTTPInput node and making that the server to receive the request from another flow having the HTTP Request node.
In short, same machine, 2 flows: one having HTTPInput and acting as server and the other having HTTPRequest and acting as client.
fjb_saper
Posted: Mon Feb 05, 2018 7:44 am

Grand Poobah

Joined: 18 Nov 2003
Posts: 19658
Location: LI,NY

shubham_rajput wrote:
But in this case I am choosing the flow with the HTTPInput node and making that the server to receive the request from another flow having the HTTP Request node.
In short, same machine, 2 flows: one having HTTPInput and acting as server and the other having HTTPRequest and acting as client.

Are both nodes in the same eg / integration server?
If in different integration servers, does one use the broker wide listener and the other the integration server scoped listener?
_________________
MQ & Broker admin
shubham_rajput
Posted: Mon Feb 05, 2018 8:24 am

Novice

Joined: 29 Aug 2017
Posts: 13

They are in the same Integration server