IIB 10 Keystore settings
andrewfemin
Posted: Thu Sep 06, 2018 3:39 am    Post subject: IIB 10 Keystore settings

Apprentice

Joined: 26 Aug 2017
Posts: 46

Hi,

We currently have IIBv9 running on AIX. We have a Java Key Store configured in a local directory and the brokerKeystoreFile and brokerTruststoreFile properties of the broker are pointing to that directory. Whenever we have a message flow with an HTTPS request, we manually download the certificate (using a browser), upload it to the keystore (using keytool) and restart the execution group. If we don't do this, the HTTPRequest node throws SocketException.

We are now in the process of upgrading to IIBv10 on a Linux server. We have readied the new environment and are doing our testing. We still haven't created a keystore and haven't updated any Integration Node properties related to keystore. brokerKeystoreFile and brokerTruststoreFile are empty in the Integration Node. We have observed that in this new environment, without any keystore, the message flows with such HTTPS requests are working fine. They are able to make requests to https URLs without us explicitly uploading certificates to the Integration Node keystore.

I am unable to find any documentation in the KC related to this. Can someone please explain this behavior? Is it a feature of IIB 10? Can I trust it and take it to Production?
fjb_saper
Posted: Thu Sep 06, 2018 7:49 am

Grand Poobah

Joined: 18 Nov 2003
Posts: 19743
Location: LI,NY

Set environment variable IBM_JAVA_OPTIONS to javax.net.debug=ssl and see what ssl stores are being used in your case. I trust that it might work because the current truststore being accessed is not empty...
_________________
MQ & Broker admin
joebuckeye
Posted: Thu Sep 06, 2018 8:28 am

Partisan

Joined: 24 Aug 2007
Posts: 339
Location: Columbus, OH

The default truststore for your IIB 10 install is probably more up to date than the one from IIB 9 and it may have the proper root CAs for the calls you are making.

Over time, as old CAs expire or new ones are added, you will need to maintain the truststore used by IIB.
andrewfemin
Posted: Thu Sep 13, 2018 10:23 pm

Apprentice

Joined: 26 Aug 2017
Posts: 46

Thanks for the replies. Even if the current trust store has the Root certificates and the Intermediate certificates, shouldn't it still fail because the URL certificates are missing in the Keystore? In IIB 9, message flows throw errors when all the certificates are not manually imported into the Keystore. Does IIB 10 do the certificate chaining by itself, like a browser?
fjb_saper
Posted: Fri Sep 14, 2018 2:24 am

Grand Poobah

Joined: 18 Nov 2003
Posts: 19743
Location: LI,NY

andrewfemin wrote:
Thanks for the replies. Even if the current trust store has the Root certificates and the Intermediate certificates, shouldn't it still fail because the URL certificates are missing in the Keystore? In IIB 9, message flows throw errors when all the certificates are not manually imported into the Keystore. Does IIB 10 do the certificate chaining by itself, like a browser?

This is only the case if you verify the certs used in a SOAP with ssl headers.
For standard http ssl stuff it is enough to have the signer certs in the truststore and of course present an ssl cert as a server...
_________________
MQ & Broker admin
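
The point made in the replies above (a truststore holding the signer certificates is enough, and the server's own certificate does not have to be imported) can be checked locally. This is an added example, not part of the original thread: it uses openssl and PEM files as a stand-in for the broker JVM's truststore, and every CA, host name and file name in it is constructed.

```bash
#!/usr/bin/env bash
# Added example: all keys, certificates and names are constructed locally.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Private openssl config so the result does not depend on the system openssl.cnf.
cat > "$WORK/demo.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = overridden-by-subj
[v3_ca]
basicConstraints = critical,CA:TRUE
EOF

# make_ca NAME: self-signed root CA, the kind of signer cert a truststore holds.
make_ca() {
  openssl req -x509 -config "$WORK/demo.cnf" -newkey rsa:2048 -nodes -days 30 \
    -subj "/CN=$1" -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}

# make_leaf CA HOST: server certificate for HOST issued by CA.
make_leaf() {
  openssl req -config "$WORK/demo.cnf" -newkey rsa:2048 -nodes \
    -subj "/CN=$2" -keyout "$WORK/$2.key" -out "$WORK/$2.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/$2.csr" -CA "$WORK/$1.pem" -CAkey "$WORK/$1.key" \
    -CAcreateserial -days 30 -out "$WORK/$2.pem" 2>/dev/null
}

# chain_ok TRUSTSTORE LEAF: "trusted" if LEAF chains to a CA in TRUSTSTORE.
chain_ok() {
  if openssl verify -CAfile "$1" "$2" 2>/dev/null | grep -q ': OK$'; then
    echo trusted
  else
    echo untrusted
  fi
}

make_ca trusted-root      # the signer that is present in the truststore
make_ca other-root        # an unrelated CA
make_leaf trusted-root api.example.test

# The leaf is in neither truststore; only the presence of its signer decides the outcome.
echo "signer in truststore:     $(chain_ok "$WORK/trusted-root.pem" "$WORK/api.example.test.pem")"
echo "signer not in truststore: $(chain_ok "$WORK/other-root.pem" "$WORK/api.example.test.pem")"
```
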