EmailInput node - mail server connectivity issue
pavraj
Posted: Tue Jun 11, 2019 3:36 am

Novice

Joined: 06 Mar 2017
Posts: 18

Dear All,
I am getting the below error when EmailInput node tries to connect to imap gmail server.

Quote:
EmailInput node ''Email Input'' in message flo xxx is unable to communicate with email server ''imaps://imap.gmail.com:993''. The error message is ''java.security.NoSuchAlgorithmException: Error constructing implementation (algorithm: Default, provider: IBMJSSE2, class: com.ibm.jsse2.ae


Version: 9.0.0.4, Platform: Windows
I also configured the required PKI at the integration server as mentioned in the documentation. The algorithm I chose for the self-signed certificate is SHA1withRSA, keysize: 1024, version: X509 V3.
Both keystore and trust store are of JKS type.

I also verified jre\lib\security folder, java.security file - the first provider is:
security.provider.1=com.ibm.jsse2.IBMJSSEProvider2

Please advise which algorithm the SDK provides by default and where I need to verify it, or whether I made a mistake somewhere else.
fjb_saper
Posted: Tue Jun 11, 2019 4:16 am

Grand High Poobah

Joined: 18 Nov 2003
Posts: 20071
Location: LI,NY

First of all your key size should be a minimum of 2048, better yet have it be 4096. Second point SHA-1 is no longer deemed secure. Use SHA-2 or SHA-5.

Have fun
_________________
MQ & Broker admin
Vitor
Posted: Tue Jun 11, 2019 4:33 am

Grand High Poobah

Joined: 11 Nov 2005
Posts: 25787
Location: Ohio, USA

fjb_saper wrote:
First of all your key size should be a minimum of 2048, better yet have it be 4096. Second point SHA-1 is no longer deemed secure. Use SHA-2 or SHA-5.


To circle back to your problem, I don't think the JSSE implements SHA1 any more, because it's insecure. I also don't think the gmail server will accept a connection request with a key that small and/or using SHA1.

Use a better certificate and see if that helps, posting your results here if it doesn't.
_________________
Honesty is the best policy.
Insanity is the best defence.
pavraj
Posted: Tue Jun 11, 2019 4:34 am

Novice

Joined: 06 Mar 2017
Posts: 18

Thank you a lot for your very quick response. I will do these changes and let you know for any further issues.
pavraj
Posted: Tue Jun 11, 2019 7:19 am

Novice

Joined: 06 Mar 2017
Posts: 18

I am still getting the same error.
Now the key size is 4096 & Signature Algorithm is : SHA512withRSA

Could you please help to debug the issue further ?
Vitor
Posted: Tue Jun 11, 2019 7:26 am

Grand High Poobah

Joined: 11 Nov 2005
Posts: 25787
Location: Ohio, USA

pavraj wrote:
I am still getting the same error.


Word for word?

pavraj wrote:
Could you please help to debug the issue further ?


Obvious next step is an SSL trace to see how far (if at all) you're getting through the handshake.

You might also want to try POP3 rather than IMAP to see if that has more luck, to isolate the problem.

Do the credentials you're using have anything unfortunate, like multi-factor authentication, set up?
_________________
Honesty is the best policy.
Insanity is the best defence.
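
A check that can be run next to the SSL trace suggested above, as an added example that is not part of the original thread and not IBM code: `NoSuchAlgorithmException ... (algorithm: Default ...)` is raised when the JVM cannot build its default `SSLContext`, which commonly means a keystore or truststore could not be loaded. The class name `DefaultContextCheck` is hypothetical, and the example assumes the store path, type and password are passed as the standard `javax.net.ssl.*` system properties on the same JRE the integration server uses.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.security.interfaces.RSAPublicKey;
import java.util.Collections;
import javax.net.ssl.SSLContext;

// Added diagnostic (hypothetical class name), not forum or IBM code.
public class DefaultContextCheck {

    // Load one store from the javax.net.ssl.<role>* properties and list its X.509 entries.
    static void checkStore(String role) {
        String path = System.getProperty("javax.net.ssl." + role);
        String type = System.getProperty("javax.net.ssl." + role + "Type", KeyStore.getDefaultType());
        String pass = System.getProperty("javax.net.ssl." + role + "Password");
        if (path == null) {
            System.out.println(role + ": property not set, JRE default applies");
            return;
        }
        try (InputStream in = new FileInputStream(path)) {
            KeyStore ks = KeyStore.getInstance(type);
            ks.load(in, pass == null ? null : pass.toCharArray());
            for (String alias : Collections.list(ks.aliases())) {
                Certificate c = ks.getCertificate(alias);
                if (!(c instanceof X509Certificate)) continue;
                X509Certificate x = (X509Certificate) c;
                // Key size is reported for RSA keys only; -1 means another key type.
                int bits = x.getPublicKey() instanceof RSAPublicKey
                        ? ((RSAPublicKey) x.getPublicKey()).getModulus().bitLength() : -1;
                System.out.printf("%s: alias=%s sigAlg=%s rsaBits=%d notAfter=%s%n",
                        role, alias, x.getSigAlgName(), bits, x.getNotAfter());
            }
        } catch (Exception e) {
            // A missing file, a wrong password and a wrong store type all end up here.
            System.out.println(role + ": FAILED to load " + path + " as " + type + ": " + e);
        }
    }

    public static void main(String[] args) {
        checkStore("keyStore");
        checkStore("trustStore");
        try {
            SSLContext ctx = SSLContext.getDefault();
            System.out.println("default SSLContext OK: " + ctx.getProvider().getName());
        } catch (Exception e) {
            // Walk the cause chain: the underlying store error sits below the top-level exception.
            for (Throwable t = e; t != null; t = t.getCause()) System.out.println("cause: " + t);
        }
    }
}
```

A store that fails to load here points at the path, password or type, while a store that loads shows the signature algorithm and RSA key size of each certificate it holds.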
pavraj
Posted: Tue Jun 11, 2019 7:34 am

Novice

Joined: 06 Mar 2017
Posts: 18

Yes, I got the same error word for word.
The credentials for the Gmail account are not enabled for multi-factor authentication.
As you specified, I will go for an SSL trace and also the POP3 protocol.
I will share my findings after the required tests.
Thank you a lot for your help.
pavraj
Posted: Tue Jun 11, 2019 8:36 am

Novice

Joined: 06 Mar 2017
Posts: 18

I changed gmail configuration to enable pop3 with port 995. And deployed the flow with email server as: pop3s://pop.gmail.com:995 (using telnet I am able to access it).

Now I am getting the below error-

Quote:
Flow is unable to communicate with email server ''pop3s://pop.gmail.com:995''. The error message is ''Connect failed''.
Vitor
Posted: Tue Jun 11, 2019 9:19 am

Grand High Poobah

Joined: 11 Nov 2005
Posts: 25787
Location: Ohio, USA

pavraj wrote:
I changed gmail configuration to enable pop3 with port 995. And deployed the flow with email server as: pop3s://pop.gmail.com:995 (using telnet I am able to access it).


Can you telnet to that URL or that specific port on that specific URL? The default telnet port might be accessible but 995 blocked.

pavraj wrote:
Now I am getting the below error-

Quote:
Flow is unable to communicate with email server ''pop3s://pop.gmail.com:995''. The error message is ''Connect failed''.


Run a user trace. There should be more information in that.
_________________
Honesty is the best policy.
Insanity is the best defence.
pavraj
Posted: Fri Jun 14, 2019 9:24 pm

Novice

Joined: 06 Mar 2017
Posts: 18

It finally worked.
In the documentation link below -
https://www.ibm.com/support/knowledgecenter/pt-br/SSMKHH_9.0.0/com.ibm.etools.mft.doc/ap34020_.htm#ap34020_80

it is specified that we can set the PKI configuration at three levels: broker level (broker registry), broker-wide HTTP listener (HTTPSConnector) and integration server level (ComIbmJVMManager).

For inbound connections (EmailInput, HTTPInput etc.), we should set it only at the broker-wide HTTP listener. For outbound connections, we should set it either at the broker registry or at the JVM level.
Earlier I was focused on the JVM level only; even though I had done the configuration at HTTPSConnector, it was just overriding it, so I was not able to succeed. I reset the configuration in all places and did the PKI configuration at the broker-wide HTTP listener, and then it worked.

Following are my observations (I hope they will be helpful to others):
1. Integration with Gmail requires SSL. If you specify the URL in EmailInput without the 's', like imap://imap.gmail.com:993 instead of imaps://imap.gmail.com:993, then it will throw an 'EOF Socket' error.

2. If you have done the PKI configuration at the JVM level for inbound connections - for the IMAP protocol - it will give you a 'NoSuchAlgorithmException' kind of error.
For the POP3 protocol - it will give you a 'ConnectFailed' kind of error.

3. No additional configuration is required apart from the commands that were specified in the documentation.

4. Please make sure you turn on SSL support in the broker -
mqsichangeproperties brokername -b httplistener -o HTTPListener -n enableSSLConnector -v true

Thank you a lot Vitor & fjb_saper for taking your time and providing guidance.
fjb_saper
Posted: Sat Jun 15, 2019 7:43 pm

Grand High Poobah

Joined: 18 Nov 2003
Posts: 20071
Location: LI,NY

You are neglecting here to take into consideration that you are most probably operating with the defaults: HTTP nodes (and affiliates?) use the broker-wide listener and SOAP nodes use the integration server listener.

You can change that at the integration server level.

Have fun
_________________
MQ & Broker admin