pavraj
Posted: Tue Jun 11, 2019 3:36 am    Post subject: EmailInput node - mail server connectivity issue
Novice
Joined: 06 Mar 2017    Posts: 18
Dear All,
I am getting the below error when the EmailInput node tries to connect to the Gmail IMAP server.
Quote:
EmailInput node ''Email Input'' in message flo xxx is unable to communicate with email server ''imaps://imap.gmail.com:993''. The error message is ''java.security.NoSuchAlgorithmException: Error constructing implementation (algorithm: Default, provider: IBMJSSE2, class: com.ibm.jsse2.ae
Version: 9.0.0.4, Platform: Windows
I also configured the required PKI at the integration server as mentioned in the documentation. The algorithm I chose for the self-signed certificate is SHA1withRSA, key size: 1024, version: X509 V3.
Both the keystore and the truststore are of JKS type.
I also verified the jre\lib\security folder; in the java.security file the first provider is:
security.provider.1=com.ibm.jsse2.IBMJSSEProvider2
Please provide your guidance on which algorithm the SDK provides by default and where I need to verify it, or whether I made a mistake in some other place.
fjb_saper
Posted: Tue Jun 11, 2019 4:16 am    Post subject:
Grand High Poobah
Joined: 18 Nov 2003    Posts: 20756    Location: LI,NY
First of all, your key size should be a minimum of 2048; better yet, have it be 4096. Second point: SHA-1 is no longer deemed secure. Use SHA-2 or SHA-5.
Have fun
_________________
MQ & Broker admin
Vitor
Posted: Tue Jun 11, 2019 4:33 am    Post subject:
Grand High Poobah
Joined: 11 Nov 2005    Posts: 26093    Location: Texas, USA
fjb_saper wrote:
First of all, your key size should be a minimum of 2048; better yet, have it be 4096. Second point: SHA-1 is no longer deemed secure. Use SHA-2 or SHA-5.
To circle back to your problem, I don't think the JSSE implements SHA1 any more, because it's insecure. I also don't think the Gmail server will accept a connection request with a key that small and/or using SHA1.
Use a better certificate and see if that helps, posting your results here if it doesn't.
_________________
Honesty is the best policy.
Insanity is the best defence.
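The advice in the two replies above amounts to a certificate-strength policy: no SHA-1 signatures and no RSA key under 2048 bits. As an added example (not code from this thread, from IBM, or from the poster), here is a small Python check that reads the "Signature algorithm name" and "Subject Public Key Algorithm" lines of keytool -list -v output and flags entries that break that policy. The keytool output samples are constructed, and the check_certificate and parse_keytool_entry helper names are my own.

```python
"""Added example (not from the thread or IBM): check a keystore entry
against the minimum certificate strength recommended in the thread.
Assumes the plain-text layout of `keytool -list -v`; samples are constructed."""
import re
from dataclasses import dataclass, field
from typing import List, Tuple

# Constructed sample of `keytool -list -v` output for the weak
# self-signed entry described in the first post (SHA1withRSA, 1024-bit).
WEAK_ENTRY = """\
Alias name: brokerkey
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=broker, O=example
Issuer: CN=broker, O=example
Signature algorithm name: SHA1withRSA
Subject Public Key Algorithm: 1024-bit RSA key
Version: 3
"""

# Constructed sample after regenerating the key as the replies recommend.
STRONG_ENTRY = (WEAK_ENTRY.replace("SHA1withRSA", "SHA512withRSA")
                          .replace("1024-bit", "4096-bit"))

WEAK_HASHES = {"MD2", "MD5", "SHA1"}   # no longer acceptable for signatures
MIN_RSA_BITS = 2048                    # floor from the thread; 4096 preferred

SIG_RE = re.compile(r"^Signature algorithm name:\s*(\S+)", re.M)
KEY_RE = re.compile(r"^Subject Public Key Algorithm:\s*(\d+)-bit\s+(\w+)", re.M)


@dataclass
class CertFinding:
    sig_alg: str
    key_type: str
    key_bits: int
    problems: List[str] = field(default_factory=list)

    @property
    def ok(self) -> bool:
        return not self.problems


def parse_keytool_entry(text: str) -> Tuple[str, int, str]:
    """Return (signature algorithm, key bits, key type) from keytool -v output."""
    sig, key = SIG_RE.search(text), KEY_RE.search(text)
    if sig is None or key is None:
        raise ValueError("keytool output lacks signature algorithm or public key line")
    return sig.group(1), int(key.group(1)), key.group(2)


def check_certificate(text: str, min_rsa_bits: int = MIN_RSA_BITS) -> CertFinding:
    """Flag a SHA-1/MD5 signature and an RSA key below min_rsa_bits."""
    sig_alg, bits, key_type = parse_keytool_entry(text)
    finding = CertFinding(sig_alg, key_type, bits)
    # 'SHA1withRSA' -> 'SHA1'; the split is case-insensitive to tolerate 'WITH'
    hash_name = re.split(r"with", sig_alg, maxsplit=1, flags=re.I)[0].upper()
    if hash_name in WEAK_HASHES:
        finding.problems.append(
            f"signature hash {hash_name} is no longer considered secure; "
            "re-issue with a SHA-2 algorithm such as SHA256withRSA or SHA512withRSA")
    if key_type.upper() == "RSA" and bits < min_rsa_bits:
        finding.problems.append(
            f"RSA key is {bits} bits; use at least {min_rsa_bits}, preferably 4096")
    return finding


if __name__ == "__main__":
    for label, entry in (("weak", WEAK_ENTRY), ("strong", STRONG_ENTRY)):
        f = check_certificate(entry)
        print(f"{label}: {f.sig_alg}, {f.key_bits}-bit {f.key_type}, ok={f.ok}")
        for p in f.problems:
            print("  -", p)
```

Run it against the real output of keytool -list -v -keystore your.jks on the broker's keystore and truststore; an entry that is reported ok still has to be in the store the node actually reads, which is the point the later posts in this thread settle.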
pavraj
Posted: Tue Jun 11, 2019 4:34 am    Post subject:
Novice
Joined: 06 Mar 2017    Posts: 18
Thank you a lot for your very quick response. I will make these changes and let you know about any further issues.
pavraj
Posted: Tue Jun 11, 2019 7:19 am    Post subject:
Novice
Joined: 06 Mar 2017    Posts: 18
I am still getting the same error.
Now the key size is 4096 and the signature algorithm is SHA512withRSA.
Could you please help to debug the issue further?
Vitor
Posted: Tue Jun 11, 2019 7:26 am    Post subject:
Grand High Poobah
Joined: 11 Nov 2005    Posts: 26093    Location: Texas, USA
pavraj wrote:
I am still getting the same error.
Word for word?
pavraj wrote:
Could you please help to debug the issue further?
The obvious next step is an SSL trace to see how far (if at all) you're getting through the handshake.
You might also want to try POP3 rather than IMAP to see if that has more luck, to isolate the problem.
Do the credentials you're using have anything unfortunate, like multi-factor authentication, set up?
_________________
Honesty is the best policy.
Insanity is the best defence.
pavraj
Posted: Tue Jun 11, 2019 7:34 am    Post subject:
Novice
Joined: 06 Mar 2017    Posts: 18
Yes, I got the same error word for word.
The credentials for the Gmail account are not enabled for multi-factor authentication.
As you suggested, I will go for an SSL trace and also try the POP3 protocol.
I will share my findings after the required tests.
Thank you a lot for your help.
pavraj
Posted: Tue Jun 11, 2019 8:36 am    Post subject:
Novice
Joined: 06 Mar 2017    Posts: 18
I changed the Gmail configuration to enable POP3 on port 995 and deployed the flow with the email server set to pop3s://pop.gmail.com:995 (using telnet I am able to access it).
Now I am getting the below error:
Quote:
Flow is unable to communicate with email server ''pop3s://pop.gmail.com:995''. The error message is ''Connect failed''.
Vitor
Posted: Tue Jun 11, 2019 9:19 am    Post subject:
Grand High Poobah
Joined: 11 Nov 2005    Posts: 26093    Location: Texas, USA
pavraj wrote:
I changed the Gmail configuration to enable POP3 on port 995 and deployed the flow with the email server set to pop3s://pop.gmail.com:995 (using telnet I am able to access it).
Can you telnet to that URL, or to that specific port on that specific URL? The default telnet port might be accessible but 995 blocked.
pavraj wrote:
Now I am getting the below error:
Quote:
Flow is unable to communicate with email server ''pop3s://pop.gmail.com:995''. The error message is ''Connect failed''.
Run a user trace. There should be more information in that.
_________________
Honesty is the best policy.
Insanity is the best defence.
pavraj
Posted: Fri Jun 14, 2019 9:24 pm    Post subject:
Novice
Joined: 06 Mar 2017    Posts: 18
It finally worked.
In the documentation link below:
https://www.ibm.com/support/knowledgecenter/pt-br/SSMKHH_9.0.0/com.ibm.etools.mft.doc/ap34020_.htm#ap34020_80
it is specified that we can set the PKI configuration at three levels: broker level (broker registry), broker-wide HTTP listener (HTTPSConnector) and integration server level (ComIbmJVMManager).
For inbound connections (EmailInput, HTTPInput etc.), we should set it only at the broker-wide HTTP listener. For outbound connections, we should set it either at the broker registry or at the JVM level.
Earlier I focused on the JVM level only; even though I had done the configuration at the HTTPSConnector, it was just overriding it, so I was not able to succeed. I reset the configuration in all places and configured PKI at the broker-wide HTTP listener; then it worked.
Following are my observations (hope they will be helpful to others):
1. Integration with Gmail requires SSL. If you specify the URL in EmailInput without the 's', like imap://imap.gmail.com:993 instead of imaps://imap.gmail.com:993, it will throw an 'EOF Socket' error.
2. If you have done the PKI configuration at the JVM level for inbound connections, for the IMAP protocol it will give you a 'NoSuchAlgorithmException' kind of error, and for the POP3 protocol it will give you a 'ConnectFailed' kind of error.
3. No additional configuration is required apart from the commands specified in the documentation.
4. Please make sure you turn on SSL support in the broker:
mqsichangeproperties brokername -b httplistener -o HTTPListener -n enableSSLConnector -v true
Thank you a lot, Vitor & fjb_saper, for taking your time and providing guidance.
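The observations in the post above map each EmailInput error text to a cause. As an added example (not the poster's code and not IBM's), here is a Python triage script that parses error lines of the shape quoted in this thread, extracts the scheme, host and port from the mail server URL, and classifies each line according to those observations, with Vitor's "is port 995 itself reachable" check folded into the POP3 case. The log lines are constructed samples, and the parse_email_error, classify and triage helper names are my own.

```python
"""Added example (not the poster's or IBM's code): triage EmailInput node
connection errors of the shape quoted in this thread, using the
observations in the final post. Sample log lines are constructed."""
import re
from typing import Dict, List, Optional
from urllib.parse import urlsplit

# Constructed sample lines modelled on the messages quoted in the thread;
# the exception text after the provider name is shortened.
SAMPLE_LOG = [
    "EmailInput node ''Email Input'' in message flow XXX is unable to communicate with "
    "email server ''imaps://imap.gmail.com:993''. The error message is "
    "''java.security.NoSuchAlgorithmException: Error constructing implementation "
    "(algorithm: Default, provider: IBMJSSE2)''.",
    "Flow is unable to communicate with email server ''pop3s://pop.gmail.com:995''. "
    "The error message is ''Connect failed''.",
    "EmailInput node ''Email Input'' in message flow XXX is unable to communicate with "
    "email server ''imap://imap.gmail.com:993''. The error message is ''EOF Socket''.",
    "Flow is unable to communicate with email server ''imaps://imap.gmail.com:993''. "
    "The error message is ''authentication failed''.",
    "Constructed unrelated line: flow deployed successfully.",
]

# The node writes the server URL and the error text inside doubled single quotes.
LINE_RE = re.compile(
    r"unable to communicate with email server ''(?P<url>[^']+)''\. "
    r"The error message is ''(?P<error>.*?)''\.?\s*$")

TLS_SCHEMES = {"imaps", "pop3s"}
IMPLICIT_TLS_PORTS = {993, 995}   # Gmail's IMAPS and POP3S ports

# Categories and the remediation each observation in the thread suggests.
ADVICE = {
    "plain-scheme-on-tls-port":
        "non-TLS scheme against a TLS port; Gmail requires SSL, use imaps:// or pop3s://",
    "pki-level-mismatch":
        "NoSuchAlgorithmException on an inbound node: PKI was probably configured at the "
        "JVM level; for inbound nodes configure it on the broker-wide HTTP listener "
        "(HTTPSConnector) and enable the SSL connector",
    "pki-level-mismatch-or-port-blocked":
        "'Connect failed' on pop3s: same HTTPSConnector check as for IMAP, and confirm "
        "port 995 itself is reachable, not just the default telnet port",
    "other":
        "not one of the patterns seen in this thread; take a user trace and an SSL trace",
}


def parse_email_error(line: str) -> Optional[Dict]:
    """Extract scheme/host/port and error text, or None for unrelated lines."""
    m = LINE_RE.search(line)
    if m is None:
        return None
    u = urlsplit(m.group("url"))
    return {"scheme": u.scheme.lower(), "host": u.hostname,
            "port": u.port, "error": m.group("error")}


def classify(rec: Dict) -> str:
    """Map one parsed error record to a category from the thread's observations."""
    scheme, port, err = rec["scheme"], rec["port"], rec["error"]
    if scheme not in TLS_SCHEMES and port in IMPLICIT_TLS_PORTS:
        return "plain-scheme-on-tls-port"
    if scheme == "imaps" and "NoSuchAlgorithmException" in err:
        return "pki-level-mismatch"
    if scheme == "pop3s" and err.lower() == "connect failed":
        return "pki-level-mismatch-or-port-blocked"
    return "other"


def triage(lines: List[str]) -> List[Dict]:
    """Parse and classify every EmailInput error line, skipping unrelated lines."""
    out = []
    for line in lines:
        rec = parse_email_error(line)
        if rec is None:
            continue
        rec["category"] = classify(rec)
        rec["advice"] = ADVICE[rec["category"]]
        out.append(rec)
    return out


if __name__ == "__main__":
    for r in triage(SAMPLE_LOG):
        print(f"{r['scheme']}://{r['host']}:{r['port']} -> {r['category']}")
        print(f"   {r['advice']}")
```

Feed it the relevant lines from the broker's system log or user trace; a category of "other" just means the line does not match anything this thread established, which is exactly when the trace Vitor asked for is the next step.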
fjb_saper
Posted: Sat Jun 15, 2019 7:43 pm    Post subject:
Grand High Poobah
Joined: 18 Nov 2003    Posts: 20756    Location: LI,NY
You are neglecting here to take into consideration that you are most probably operating with the defaults: HTTP nodes (and affiliates?) use the broker-wide listener and SOAP nodes use the integration server listener.
You can change that at the integration server level.
Have fun
_________________
MQ & Broker admin