rahulk01
Posted: Sat May 23, 2020 12:06 am Post subject: SSL setup for HTTPS request from Linux to Mainframe
Hi,
I am trying to set up the SSL configuration to make an HTTPS request. The IIB flow is running on a Linux machine and the web service on the mainframe (exposed via z/OS Connect).
I followed the steps described in the links:
https://www.ibm.com/support/pages/secure-communication-setting-iib-over-ssltls
https://www.ibm.com/developerworks/websphere/library/techarticles/1205_bhat/1205_bhat.html
While trying to call the service, I get an error:
Code:
'<Text>javax.net.ssl.SSLHandshakeException: com.ibm.jsse2.util.h: PKIX path building failed: java.security.cert.CertPathBuilderException: unable to find valid certification path to requested target</Text>'
My mqsireportproperties output shows:
Code:
[ftmuser@uxplaftmim01 ~]$ mqsireportproperties ftmsmp -e dnb -o ComIbmJVMManager -a
ComIbmJVMManager
uuid='ComIbmJVMManager'
userTraceLevel='none'
traceLevel='none'
userTraceFilter='none'
traceFilter='none'
vrmfIntroducedAt='7.0.0.0'
resourceStatsReportingOn='inactive'
resourceStatsMeasurements='<ResourceStatsSwitches ResourceType="JVM" version='1'> <Measurement name="InitialMemoryInMB" collect="on" /> <Measurement name="UsedMemoryInMB" collect="on" /> <Measurement name="CommittedMemoryInMB" collect="on" /> <Measurement name="MaxMemoryInMB" collect="on" /> <Measurement name="CumulativeGCTimeInSeconds" collect="on" /> <Measurement name="CumulativeNumberOfGCCollections" collect="on" /> </ResourceStatsSwitches>'
activityLogSupported='no'
jvmVerboseOption='none'
jvmDisableClassGC='false'
jvmShareClasses='false'
jvmNativeStackSize='-1'
jvmJavaOSStackSize='-1'
jvmMinHeapSize='-1'
jvmMaxHeapSize='-1'
jvmDebugPort='0'
jvmSystemProperty=''
keystoreType='JKS'
keystoreFile='/var/mqsi/SSL/keystore.jks'
keystorePass='brokerKeystore::password'
truststoreType='JKS'
truststoreFile='/opt/IBM/iib-10.0.0.15/common/jdk/jre/lib/security/cacerts'
truststorePass='brokerTruststore::password'
[ftmuser@uxplaftmim01 ~]$ mqsireportproperties ftmsmp -b httplistener -o HTTPSConnector -r
HTTPSConnector
uuid='HTTPSConnector'
algorithm='Platform Default'
clientAuth='Platform Default'
keystoreFile='/var/mqsi/SSL/keystore.jks'
keystorePass='********'
keystoreType='Platform Default'
truststoreFile='/opt/IBM/iib-10.0.0.15/common/jdk/jre/lib/security/cacerts'
truststorePass='********'
truststoreType='Platform Default'
sslProtocol='TLS'
ciphers='Platform Default'
The certificates provided to us have been imported into the truststore successfully, as shown by the commands below:
Code:
[ftmuser@uxplaftmim01 ~]$ keytool -list -keystore /opt/IBM/iib-10.0.0.15/common/jdk/jre/lib/security/cacerts -alias root.Cert
Enter keystore password:
root.Cert, May 22, 2020, trustedCertEntry,
Certificate fingerprint (SHA1): 3B:A9:A9:1F:CE:94:B7:A7:A1:49:E4:B0:1E:F4:D4:EF:52:3D:4E:B6
[ftmuser@uxplaftmim01 ~]$ keytool -list -keystore /opt/IBM/iib-10.0.0.15/common/jdk/jre/lib/security/cacerts -alias intermediate.Cert
Enter keystore password:
intermediate.Cert, May 22, 2020, trustedCertEntry,
Certificate fingerprint (SHA1): 59:31:DF:00:59:13:95:80:88:F8:87:16:E1:CD:66:E6:5D:72:8F:AB
[ftmuser@uxplaftmim01 ~]$ keytool -list -keystore /opt/IBM/iib-10.0.0.15/common/jdk/jre/lib/security/cacerts -alias issuing.Cert
Enter keystore password:
issuing.Cert, May 22, 2020, trustedCertEntry,
Certificate fingerprint (SHA1): 3D:DA:5A:8B:E9:5C:C0:02:0D:4C:01:B9:E9:D1:BF:28:27:4D:03:60
Any help or lead would be appreciated.
Thanks in advance!!!
fjb_saper
Posted: Sat May 23, 2020 3:44 am Post subject:
You're missing signer certs in the truststore. You need to have in your truststore:
- All the signer certs for your own certificate
- All the signer certs for the partner's (mainframe) certificate
All the certs in any of the signer chains must be in your truststore: intermediates and root.
Enjoy
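One way to check offline, from the IIB host, whether the truststore actually contains the signer chain for a given certificate, before touching the flow. This is an added example (not from the thread, not IBM code); it uses the truststore path quoted in the thread and assumes the mainframe's server certificate has been saved to a file, here called target.cer (a hypothetical name; DER or PEM both work). It runs the same PKIX path building that the JSSE trust manager performs during the handshake, so it reproduces the "unable to find valid certification path" condition without a live connection and tells you which issuer has no trusted entry above it.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.*;
import java.util.Collections;
import java.util.Enumeration;

/**
 * Offline PKIX check: can this truststore build a path for the given certificate?
 * Added example. Truststore path is the one from the thread; target.cer is a
 * hypothetical file holding the partner (mainframe) server certificate.
 * Usage: java TrustPathCheck [truststore] [truststorePass] [targetCert]
 */
public class TrustPathCheck {

    public static void main(String[] args) throws Exception {
        String truststorePath = args.length > 0 ? args[0]
                : "/opt/IBM/iib-10.0.0.15/common/jdk/jre/lib/security/cacerts";
        char[] truststorePass = (args.length > 1 ? args[1] : "changeit").toCharArray();
        String targetCertPath = args.length > 2 ? args[2] : "target.cer"; // hypothetical

        KeyStore truststore = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(truststorePath)) {
            truststore.load(in, truststorePass);
        }

        // List the trusted entries so they can be compared with keytool -list output.
        System.out.println("Trusted entries in " + truststorePath + ":");
        for (Enumeration<String> e = truststore.aliases(); e.hasMoreElements();) {
            String alias = e.nextElement();
            if (truststore.isCertificateEntry(alias)) {
                X509Certificate c = (X509Certificate) truststore.getCertificate(alias);
                System.out.println("  " + alias + " -> " + c.getSubjectX500Principal());
            }
        }

        // The certificate we want a trust path for (the end entity).
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        X509Certificate target;
        try (InputStream in = new FileInputStream(targetCertPath)) {
            target = (X509Certificate) cf.generateCertificate(in);
        }
        System.out.println("Target subject: " + target.getSubjectX500Principal());
        System.out.println("Target issuer : " + target.getIssuerX500Principal());
        if (target.getSubjectX500Principal().equals(target.getIssuerX500Principal())) {
            System.out.println("Target is self-signed: it must itself be a trustedCertEntry.");
        }

        // Every trustedCertEntry in the keystore becomes a trust anchor; the selector
        // names the end entity, which must be reachable through a CertStore.
        X509CertSelector selector = new X509CertSelector();
        selector.setCertificate(target);
        PKIXBuilderParameters params = new PKIXBuilderParameters(truststore, selector);
        params.setRevocationEnabled(false); // offline check: no CRL/OCSP fetching
        params.addCertStore(CertStore.getInstance("Collection",
                new CollectionCertStoreParameters(Collections.singletonList(target))));
        try {
            CertPathBuilderResult result = CertPathBuilder.getInstance("PKIX").build(params);
            PKIXCertPathBuilderResult pkix = (PKIXCertPathBuilderResult) result;
            System.out.println("Path built; trust anchor: "
                    + pkix.getTrustAnchor().getTrustedCert().getSubjectX500Principal());
        } catch (CertPathBuilderException ex) {
            // Same condition JSSE reports as "PKIX path building failed ...
            // unable to find valid certification path to requested target".
            System.out.println("No path: " + ex.getMessage());
            System.out.println("No trusted entry chains to issuer "
                    + target.getIssuerX500Principal()
                    + "; import that signer and every cert above it as trustedCertEntry.");
        }
    }
}
```

If the target is signed by an intermediate that is not in the truststore, pass the intermediate in the collection CertStore as well; the builder will then report whether the chain reaches an anchor. A path that builds here but fails in the broker points at the broker using a different truststore file or password than the one being inspected.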
rahulk01
Posted: Sun May 24, 2020 9:26 am Post subject:
I used the following sequence of commands and each of them executed successfully.
Not sure what I have missed:
Code:
keytool -genkey -alias ftmsmp -keystore keystore.jks -keysize 2048 (and entered details like CN, OU etc...)
mqsichangeproperties ftmsmp -e dnb -o ComIbmJVMManager -n keystoreType -v JKS
mqsichangeproperties ftmsmp -e dnb -o ComIbmJVMManager -n truststoreType -v JKS
mqsichangeproperties ftmsmp -e dnb -o ComIbmJVMManager -n keystoreFile -v /var/mqsi/SSL/keystore.jks
mqsichangeproperties ftmsmp -e dnb -o ComIbmJVMManager -n truststoreFile -v /opt/IBM/iib-10.0.0.15/common/jdk/jre/lib/security/cacerts
changing the keystore password:
mqsisetdbparms ftmsmp -n brokerKeystore::password -u ignore -p FtmAdm1n
mqsichangeproperties ftmsmp -e dnb -o ComIbmJVMManager -n keystorePass -v brokerKeystore::password
Truststore password was left to be changeit (default password)
Importing the certificates to our truststore
keytool -import -alias root.Cert -file '/mnt/repo/URN_Cert/DNB ASA PKI Class I Root.cer' -keystore cacerts
keytool -import -alias intermediate.Cert -file '/mnt/repo/URN_Cert/DNB ASA PKI Class E Intermediate 1.0.cer' -keystore cacerts
keytool -import -alias issuing.Cert -file '/mnt/repo/URN_Cert/DNB ASA PKI Class E Issuing 1.0.cer' -keystore cacerts
mqsichangeproperties ftmsmp -b httplistener -o HTTPListener -n enableSSLConnector -v true
Set keystore property
mqsichangeproperties ftmsmp -b httplistener -o HTTPSConnector -n keystoreFile -v /var/mqsi/SSL/keystore.jks
Set truststore property
mqsichangeproperties ftmsmp -b httplistener -o HTTPSConnector -n truststoreFile -v /opt/IBM/iib-10.0.0.15/common/jdk/jre/lib/security/cacerts
mqsichangeproperties ftmsmp -o BrokerRegistry -n brokerKeystoreFile -v /var/mqsi/SSL/keystore.jks
mqsichangeproperties ftmsmp -o BrokerRegistry -n brokerTruststoreFile -v /opt/IBM/iib-10.0.0.15/common/jdk/jre/lib/security/cacerts
mqsichangeproperties ftmsmp -b httplistener -o HTTPSConnector -n keystorePass -v FtmAdm1n
mqsichangeproperties ftmsmp -b httplistener -o HTTPSConnector -n truststorePass -v changeit
fjb_saper
Posted: Sun May 24, 2020 10:42 pm Post subject:
So I suppose ftmsmp is a self-signed cert?
If that is the case you will need to add the public cert to the truststore or your trust chain is incomplete...
rahulk01
Posted: Tue May 26, 2020 8:08 am Post subject:
Taking your advice, I ran the below 2 commands:
Exporting the self-signed certificate (from /var/mqsi/SSL):
keytool -export -alias ftmsmp -file selfsigned.cer -keystore keystore.jks
Importing the self-signed certificate to our truststore (in /opt/IBM/iib-10.0.0.15/common/jdk/jre/lib/security/):
keytool -import -alias selfsigned.Cert -file /var/mqsi/SSL/selfsigned.cer -keystore cacerts
Restarted the broker, still get the same error.
fjb_saper
Posted: Wed May 27, 2020 4:57 am Post subject:
Your message is clear: unable to find certpath to target.
So what kind of cert does the mainframe you are trying to reach have?
- If it also is a self-signed cert, is the cert in your truststore?
- If it is internal CA or private CA signed, is the signer chain in your truststore?
- If it is public CA signed, is the signer chain, including intermediate certs, in your truststore?
Enjoy
rahulk01
Posted: Wed May 27, 2020 7:07 am Post subject:
It's a CA-signed certificate, and I have imported the entire chain of certificates into the IIB truststore, i.e. Root, Intermediate and Issuing, in that order. Does the order of import of the certificates make any difference?
Another application is successfully able to access this service via APIC. The APIC has imported the same certificates.
fjb_saper
Posted: Wed May 27, 2020 6:57 pm Post subject:
Are you specifying the label of your private key on the request node?
Are you sure you are using the keystore / truststore you think you are using?
Try adding -Djavax.net.debug="ssl" or -Djavax.net.debug=true to see what happens during key exchange...
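The two questions above (which truststore is really in use, and what the server actually presents) can be answered with a narrower probe than the full -Djavax.net.debug trace. The following is an added example, not code from the thread or from IBM: it loads the truststore file quoted in the thread explicitly, wraps the platform's PKIX trust manager so that the server's presented chain is printed before the real trust decision is made (the wrapper never accepts anything on its own), and then performs a TLS handshake. HOST and PORT are placeholders for the z/OS Connect endpoint. A chain whose first certificate has issuer equal to subject is self-signed and has to be present as a trustedCertEntry itself, which is what the thread eventually finds.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import javax.net.ssl.*;

/**
 * Handshake probe: connect using an explicitly loaded truststore and log the
 * chain the server presents before the PKIX trust manager decides on it.
 * Added example. HOST/PORT are placeholders; truststore path is from the thread.
 */
public class HandshakeProbe {
    static final String HOST = "mainframe.example.invalid"; // placeholder
    static final int PORT = 443;                             // placeholder
    static final String TRUSTSTORE =
            "/opt/IBM/iib-10.0.0.15/common/jdk/jre/lib/security/cacerts";
    static final char[] TRUSTSTORE_PASS = "changeit".toCharArray();

    public static void main(String[] args) throws Exception {
        KeyStore truststore = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(TRUSTSTORE)) {
            truststore.load(in, TRUSTSTORE_PASS);
        }
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(truststore);
        X509TrustManager found = null;
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) { found = (X509TrustManager) tm; break; }
        }
        if (found == null) throw new IllegalStateException("no X509TrustManager available");
        final X509TrustManager pkix = found;

        // Logging wrapper: print the presented chain, then delegate the decision.
        X509TrustManager logging = new X509TrustManager() {
            public void checkServerTrusted(X509Certificate[] chain, String authType)
                    throws CertificateException {
                System.out.println("Server presented " + chain.length + " certificate(s):");
                for (int i = 0; i < chain.length; i++) {
                    X509Certificate c = chain[i];
                    boolean selfSigned =
                            c.getSubjectX500Principal().equals(c.getIssuerX500Principal());
                    System.out.println("  [" + i + "] subject=" + c.getSubjectX500Principal()
                            + "\n      issuer =" + c.getIssuerX500Principal()
                            + (selfSigned ? "  (self-signed)" : ""));
                }
                pkix.checkServerTrusted(chain, authType); // real PKIX validation
            }
            public void checkClientTrusted(X509Certificate[] chain, String authType)
                    throws CertificateException {
                pkix.checkClientTrusted(chain, authType);
            }
            public X509Certificate[] getAcceptedIssuers() {
                return pkix.getAcceptedIssuers();
            }
        };

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { logging }, null);
        try (SSLSocket s = (SSLSocket) ctx.getSocketFactory().createSocket(HOST, PORT)) {
            SSLParameters p = s.getSSLParameters();
            p.setEndpointIdentificationAlgorithm("HTTPS"); // hostname check, as HTTP clients do
            s.setSSLParameters(p);
            s.startHandshake();
            System.out.println("Handshake OK: " + s.getSession().getProtocol()
                    + " " + s.getSession().getCipherSuite());
        } catch (SSLHandshakeException e) {
            System.out.println("Handshake failed: " + e.getMessage());
            System.out.println("Compare the issuers logged above with keytool -list of " + TRUSTSTORE);
        }
    }
}
```

Run it with the same JDK the broker uses so the provider behaviour matches. If the probe succeeds against the file while the HTTPRequest node still fails, the broker is not using that file (or password); in IIB the -Djavax.net.debug flag suggested above is passed through the jvmSystemProperty attribute of ComIbmJVMManager that appears in the mqsireportproperties output earlier in the thread.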
rahulk01
Posted: Wed May 27, 2020 11:22 pm Post subject:
Thanks for your reply.
Just got to know this morning that it is actually a self-signed certificate.
Will try the debugging options you have suggested.
Thanks
rahulk01
Posted: Thu Jun 11, 2020 5:06 am Post subject:
It was a case of an incorrect certificate. After we got the correct certificates and imported them into the truststore, it started to work.
Thanks for your inputs.