SSL Authentication issue between JAVA 8 client and IBM MQ 8

riyaz_tak
Posted: Thu Aug 29, 2019 1:26 am

Voyager

Joined: 05 Jan 2012
Posts: 92

/opt/mqm/bin/runmqckm -cert -list -db key.jck -type jceks -pw xxxx
to list all the certificates.

Really sorry for the confusion, but I am still getting the same invalid keystore format error.

riyaz_tak
Posted: Thu Aug 29, 2019 1:29 am

Voyager

Joined: 05 Jan 2012
Posts: 92

I am using JCEKS, not JKS, key format.
The JCEKS key format was working with MQ 7.5.0.0, but after upgrading to IBM MQ 8.0.0.5 it has stopped working and is throwing an error.

hughson
Posted: Thu Aug 29, 2019 2:04 am

Padawan

Joined: 09 May 2013
Posts: 1914
Location: Bay of Plenty, New Zealand

How did you create the JCEKS file? Was it created using an IBM JRE or an Oracle JRE? I have seen some mention that the two are incompatible. Are you using the same vendor JRE in both MQ 7.5 (working) and MQ 8 (failing) scenarios?

Also, have you tried with a JKS file to see if that works?

Cheers,
Morag
_________________
Morag Hughson @MoragHughson
IBM MQ Technical Education Specialist
Get your IBM MQ training here!
MQGem Software

riyaz_tak
Posted: Thu Aug 29, 2019 2:17 am

Voyager

Joined: 05 Jan 2012
Posts: 92

I am using Oracle JAVA 8 with IBM MQ 8.0.0.5.
Earlier, with IBM MQ 7.5.0.0, I was using JAVA 6.

I haven't tried JKS format so I will try to create one and let you know my results.

riyaz_tak
Posted: Thu Aug 29, 2019 2:40 am

Voyager

Joined: 05 Jan 2012
Posts: 92

1. runmqckm -keydb -create -db key.jck -pw xxxx -type jks
2. runmqckm -cert -export -db /dir/key.kdb -pw xxxx -label test -target key.jck -target_pw xxxx -type cms
3. runmqckm -cert -extract -db /dir/key.kdb -pw xxxx -label test2 -target test.arm -format ascii
4. runmqckm -cert -add -db key.jck -pw xxx -label test -file test.arm -format ascii

I used the above commands to create the JKS key format, but I am still getting the same error.
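
Editor's added example, not part of the thread: an "invalid keystore format" error can be narrowed down by checking which format the file really has on disk, since JKS files begin with the bytes FE ED FE ED and JCEKS files with CE CE CE CE, whatever the file extension says. The function names and the sample files are constructed for this illustration.

```shell
#!/bin/sh
# Added example: report a keystore's on-disk format from its header magic,
# so it can be compared with the type the Java client is told to load.

keystore_type() {
    # $1: path to a keystore file (e.g. key.jck)
    [ -r "$1" ] || { echo "unreadable"; return 1; }
    magic=$(od -An -tx1 -N4 "$1" | tr -d ' \t\n')
    case "$magic" in
        feedfeed) echo "JKS" ;;        # 0xFEEDFEED
        cececece) echo "JCEKS" ;;      # 0xCECECECE
        30*)      echo "DER" ;;        # ASN.1 SEQUENCE, e.g. a PKCS#12 file
        "")       echo "empty" ;;
        *)        echo "unknown:$magic" ;;
    esac
}

check_keystore() {
    # $1: path, $2: type the client is configured for (JKS or JCEKS)
    actual=$(keystore_type "$1") || true
    if [ "$actual" = "$2" ]; then
        echo "OK: $actual"
        return 0
    fi
    echo "MISMATCH: file is $actual, client expects $2"
    return 1
}

# Constructed sample headers (magic + version word only, not usable keystores).
make_samples() {
    printf '\376\355\376\355\000\000\000\002' > "$1/sample.jks"
    printf '\316\316\316\316\000\000\000\002' > "$1/sample.jck"
}
```
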

tczielke
Posted: Thu Aug 29, 2019 5:33 am

Guardian

Joined: 08 Jul 2010
Posts: 939
Location: Illinois, USA

From what I have read, the JCEKS format for your keystore is recommended because it provides more security than a JKS keystore. I use the IBM Key Management GUI that comes with IBM MQ to create the JCEKS, and I have not had issues running it with a non-IBM JRE.
_________________
Working with MQ since 2010.

hughson
Posted: Thu Aug 29, 2019 3:06 pm

Padawan

Joined: 09 May 2013
Posts: 1914
Location: Bay of Plenty, New Zealand

riyaz_tak wrote:
I am using Oracle JAVA 8 with IBM MQ 8.0.0.5.
Earlier, with IBM MQ 7.5.0.0, I was using JAVA 6.

Which vendor was your Java 6?
_________________
Morag Hughson @MoragHughson
IBM MQ Technical Education Specialist
Get your IBM MQ training here!
MQGem Software

tczielke
Posted: Sat Aug 31, 2019 7:31 am

Guardian

Joined: 08 Jul 2010
Posts: 939
Location: Illinois, USA

Can you also explain how you are setting the keystore type to be a jceks? Is it through a Java system property? Programmatically?
_________________
Working with MQ since 2010.

riyaz_tak
Posted: Mon Sep 02, 2019 7:04 pm

Voyager

Joined: 05 Jan 2012
Posts: 92

hughson wrote:
riyaz_tak wrote:
I am using Oracle JAVA 8 with IBM MQ 8.0.0.5.
Earlier, with IBM MQ 7.5.0.0, I was using JAVA 6.

Which vendor was your Java 6?


It was Oracle.

riyaz_tak
Posted: Mon Sep 02, 2019 7:50 pm

Voyager

Joined: 05 Jan 2012
Posts: 92

tczielke wrote:
Can you also explain how you are setting the keystore type to be a jceks? Is it through a Java system property? Programmatically?


I have created a makefile which is creating the keystore.

runmqckm -keydb -create \
-db key.jck -pw xxxx \
-type jceks

riyaz_tak
Posted: Mon Sep 02, 2019 10:27 pm

Voyager

Joined: 05 Jan 2012
Posts: 92

I have found another error where the listener starts and then stops.

09/03/19 06:25:36 - Process(6221.1) User(root) Program(runmqlsr)
Host(xxxx) Installation(Installation1)
VRMF(8.0.0.5) QMgr(xxx)

AMQ9218: The TCP/IP listener program could not bind to port number 51410.

EXPLANATION:
An attempt to bind the TCP/IP socket to the listener port was unsuccessful.
ACTION:
The failure could be due to another program, including other MQ listeners,
using the same port number. The return code from the 'bind' call for port
:51410 was 125. Record these values and tell the systems administrator.
----- amqclita.c : 771 --------------------------------------------------------
09/03/19 06:25:36 - Process(6191.1) User(root) Program(amqzmgr0)
Host(xxx) Installation(Installation1)
VRMF(8.0.0.5) QMgr(xxxx)

AMQ5027: The listener 'SYSTEM.LISTENER.TCP.2' has ended. ProcessId(6221).

EXPLANATION:
The listener process has ended.
ACTION:
None.

I have already verified that no other process is trying to connect to port 51410.

hughson
Posted: Mon Sep 02, 2019 11:02 pm

Padawan

Joined: 09 May 2013
Posts: 1914
Location: Bay of Plenty, New Zealand

What does netstat show about this port number?
_________________
Morag Hughson @MoragHughson
IBM MQ Technical Education Specialist
Get your IBM MQ training here!
MQGem Software

exerk
Posted: Mon Sep 02, 2019 11:10 pm

Jedi Council

Joined: 02 Nov 2006
Posts: 6339

riyaz_tak wrote:
...The listener 'SYSTEM.LISTENER.TCP.2' has ended...

And is there a SYSTEM.LISTENER.TCP.1 that may be using the same port? TCP/IP Error 125 is EADDRINUSE (which suggests you're on Solaris?) so it's possible that the Listener process previously abnormally terminated or did not clean up properly.

riyaz_tak wrote:
...I have already verified that no other process is trying to connect to port 51410

By that, do you mean that no other process is selecting that port for its own purposes?
_________________
It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys.

riyaz_tak
Posted: Mon Sep 02, 2019 11:12 pm

Voyager

Joined: 05 Jan 2012
Posts: 92

exerk wrote:
riyaz_tak wrote:
"...The listener 'SYSTEM.LISTENER.TCP.2' has ended..."

And is there a SYSTEM.LISTENER.TCP.1 that may be using the same port? TCP/IP Error 125 is EADDRINUSE (which suggests you're on Solaris?) so it's possible that the Listener process previously abnormally terminated or did not clean up properly.

riyaz_tak wrote:
...I have already verified that no other process is trying to connect to port 51410

By that, do you mean that no other process is selecting that port for its own purposes?


Yes that's what I meant.

HubertKleinmanns
Posted: Tue Sep 03, 2019 12:15 am

Shaman

Joined: 24 Feb 2004
Posts: 732
Location: Germany

riyaz_tak wrote:
exerk wrote:
riyaz_tak wrote:
...I have already verified that no other process is trying to connect to port 51410

By that, do you mean that no other process is selecting that port for its own purposes?


Yes that's what I meant.


How could you verify this? According to RFC 6335 of the Internet Engineering Task Force (IETF), ports above 49152 are used for dynamic port allocation. So these ports may be used - and dropped - and used - ... by any application. These ports could also be locked by the operating system. You should not use ports in this range for MQ listeners (or any other fixed port allocation).
_________________
Regards
Hubert
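
Editor's added example, not part of the thread: a netstat check for the listener port should report every socket whose local port matches, whatever its state, because a port in the dynamic range can be occupied as the source port of an outbound connection and never appear as LISTEN. The Linux `netstat -ant` column layout, the function names and the sample lines are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example: list every TCP socket whose LOCAL port matches a listener port,
# whatever its state, and flag ports inside the RFC 6335 dynamic range.

is_dynamic_port() {
    # IANA dynamic/private range per RFC 6335: 49152-65535
    [ "$1" -ge 49152 ] && [ "$1" -le 65535 ]
}

port_holders() {
    # $1: port; stdin: `netstat -ant` output (Linux column layout assumed:
    # Proto Recv-Q Send-Q Local-Address Foreign-Address State)
    awk -v p="$1" '
        $1 ~ /^tcp/ {
            n = split($4, a, ":")      # port is the last ":" field (works for IPv6)
            if (a[n] == p) print $6, $4, $5
        }'
}

# Constructed netstat lines: the port is not in LISTEN, yet it is taken as
# the source port of an outbound connection.
sample_netstat() {
    cat <<'EOF'
tcp        0      0 0.0.0.0:1414        0.0.0.0:*         LISTEN
tcp        0      0 10.0.0.5:51410      10.0.0.9:443      ESTABLISHED
tcp        0      0 10.0.0.5:51411      10.0.0.9:443      TIME_WAIT
EOF
}

audit_port() {
    # $1: port; stdin: netstat output. Prints one finding per line.
    is_dynamic_port "$1" && echo "port $1 is in the dynamic range"
    port_holders "$1" | while read -r state local remote; do
        echo "port $1 held: $state $local -> $remote"
    done
}
```

On a live Linux host the input would come from `netstat -ant | audit_port 51410`.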