Multiple certificates in client JKS - Java (MQSeries.net forum, General Discussion)
zbyszanna (Novice, joined 03 Feb 2012, 23 posts)
Posted: Tue Nov 13, 2018 9:30 am    Post subject: Multiple certificates in client JKS - Java
Hi,
we have a testing application that allows us to impersonate other applications. Our applications connect to various qmgrs using dedicated channels (with dedicated SSL certificates) and so this testing app must be able to connect to multiple qmgrs using different channels and different certificates (sometimes multiple times to the same qmgr via different channels using different SSL certs). This application will run under JBoss and uses WMQ RA to do so.

For testing purposes I created the following setup:

Client side:
KeyStore.jks:
cert1: dn='CN=client1' (self signed cert + private key)
cert2: dn='CN=client2' (self signed cert + private key)

TrustStore.jks
cert3: dn='CN=qmgr1' (qmgr cert only)

Qmgr side:
QMGR1.kdb:
cert1: 'dn=CN=client1' (cert only)
cert2: 'dn=CN=client2' (cert only)
cert3: 'dn=qmgr1' (qmgr self signed cert + private key)
this cert is there under the label ibmwebspheremqqmgr1

SVRCONN:
C.CLIENT1 SSLPEER(CN=client1)
C.CLIENT2 SSLPEER(CN=client2)

Both channels have the same SSLCIPH and SSLCAUTH is set to REQUIRED

When I try to connect as client2 I get 2059 at first (with information that channel C.CLIENT1 lacks proper certificate - it doesn't say which side of the conversation lacks a certificate) and then everything works fine during subsequent connections.

When I try to connect as client1 however, I at first get 2059 with the same message as above, but on the subsequent retries I get 2397 with information that CN=client2 does not match the SSLPEER attribute on the channel C.CLIENT1.

It looks like it's trying to use the client2 certificate to authenticate which is something which I did not expect. I found this article:

https://www.ibm.com/support/knowledgecenter/en/SSFKSJ_7.5.0/com.ibm.mq.sec.doc/q014340_.htm

which says that the JSSE provider tries all the certs and chooses the first acceptable one, but it doesn't say what this 'acceptable' means. I expected that during the SSL handshake the server side would inform the client which certificate it requires and the client would provide this certificate, but it looks like it's simply sending the first (or last) certificate to the server and the server ends with an error.

So what is the algorithm of choosing proper certificate when connecting to MQ from Java?

MQ client:
Wildfly 12
WMQ RA 8.0.0.4
openjdk version "1.8.0_171"

MQ server:
MQ 8.0.0.7 on AIX
tczielke (Guardian, joined 08 Jul 2010, 939 posts, Illinois, USA)
Posted: Tue Nov 13, 2018 1:07 pm

From what I have read, it is undetermined which personal certificate will be chosen with JSSE when you have multiple personal certs in your keystore.

If I had your requirement, I would do the following:

1) Create a separate JCEKS (JCEKS is more secure than JKS) for each personal certificate.

2) Have your code create a separate SSLSocketFactory per JCEKS. This doc gives an example of how to create an SSLSocketFactory that can be used by MQ -> https://hursleyonwmq.wordpress.com/2007/03/08/custom-sslsocketfactory-with-wmq-base-java/

3) Set the MQEnvironment.sslSocketFactory appropriately for each queue manager you will be calling. Note that the MQEnvironment.sslSocketFactory is a static variable, so you will want to single thread all of this code, or properly synchronize it.
_________________
Working with MQ since 2010.
tczielke (Guardian, joined 08 Jul 2010, 939 posts, Illinois, USA)
Posted: Sun Nov 18, 2018 6:10 am

One other note. MQEnvironment.sslSocketFactory is not defined as volatile (at least in the MQ java doc) so some care needs to be taken when using it between threads. It would be safer to just single thread here.
_________________
Working with MQ since 2010.