SSL setup for HTTPS request from Linux to Mainframe
rahulk01
Posted: Sat May 23, 2020 12:06 am    Post subject: SSL setup for HTTPS request from Linux to Mainframe

Apprentice

Joined: 26 Dec 2019
Posts: 35

Hi,

I am trying to set up the SSL configuration to make an HTTPS request. The IIB flow is running on a Linux machine and the web service on the mainframe (exposed via z/OS Connect).
I followed the steps described in these links:
https://www.ibm.com/support/pages/secure-communication-setting-iib-over-ssltls
https://www.ibm.com/developerworks/websphere/library/techarticles/1205_bhat/1205_bhat.html

While trying to call the service, I get an error:
Code:
'<Text>javax.net.ssl.SSLHandshakeException: com.ibm.jsse2.util.h: PKIX path building failed: java.security.cert.CertPathBuilderException: unable to find valid certification path to requested target</Text>'


My mqsireportproperty shows:
Code:

[ftmuser@uxplaftmim01 ~]$ mqsireportproperties ftmsmp -e dnb -o ComIbmJVMManager -a
ComIbmJVMManager
  uuid='ComIbmJVMManager'
  userTraceLevel='none'
  traceLevel='none'
  userTraceFilter='none'
  traceFilter='none'
  vrmfIntroducedAt='7.0.0.0'
  resourceStatsReportingOn='inactive'
  resourceStatsMeasurements='<ResourceStatsSwitches ResourceType="JVM" version='1'> <Measurement name="InitialMemoryInMB" collect="on" /> <Measurement name="UsedMemoryInMB" collect="on" /> <Measurement name="CommittedMemoryInMB" collect="on" /> <Measurement name="MaxMemoryInMB" collect="on" /> <Measurement name="CumulativeGCTimeInSeconds" collect="on" /> <Measurement name="CumulativeNumberOfGCCollections" collect="on" /> </ResourceStatsSwitches>'
  activityLogSupported='no'
  jvmVerboseOption='none'
  jvmDisableClassGC='false'
  jvmShareClasses='false'
  jvmNativeStackSize='-1'
  jvmJavaOSStackSize='-1'
  jvmMinHeapSize='-1'
  jvmMaxHeapSize='-1'
  jvmDebugPort='0'
  jvmSystemProperty=''
  keystoreType='JKS'
  keystoreFile='/var/mqsi/SSL/keystore.jks'
  keystorePass='brokerKeystore::password'
  truststoreType='JKS'
  truststoreFile='/opt/IBM/iib-10.0.0.15/common/jdk/jre/lib/security/cacerts'
  truststorePass='brokerTruststore::password'

[ftmuser@uxplaftmim01 ~]$ mqsireportproperties ftmsmp -b httplistener -o HTTPSConnector -r
HTTPSConnector
  uuid='HTTPSConnector'
  algorithm='Platform Default'
  clientAuth='Platform Default'
  keystoreFile='/var/mqsi/SSL/keystore.jks'
  keystorePass='********'
  keystoreType='Platform Default'
  truststoreFile='/opt/IBM/iib-10.0.0.15/common/jdk/jre/lib/security/cacerts'
  truststorePass='********'
  truststoreType='Platform Default'
  sslProtocol='TLS'
  ciphers='Platform Default'


The truststore has been imported with the certificates provided to us, successfully as reported by the commands below:
Code:

[ftmuser@uxplaftmim01 ~]$ keytool -list -keystore /opt/IBM/iib-10.0.0.15/common/jdk/jre/lib/security/cacerts -alias root.Cert
Enter keystore password:
root.Cert, May 22, 2020, trustedCertEntry,
Certificate fingerprint (SHA1): 3B:A9:A9:1F:CE:94:B7:A7:A1:49:E4:B0:1E:F4:D4:EF:52:3D:4E:B6

[ftmuser@uxplaftmim01 ~]$ keytool -list -keystore /opt/IBM/iib-10.0.0.15/common/jdk/jre/lib/security/cacerts -alias intermediate.Cert
Enter keystore password:
intermediate.Cert, May 22, 2020, trustedCertEntry,
Certificate fingerprint (SHA1): 59:31:DF:00:59:13:95:80:88:F8:87:16:E1:CD:66:E6:5D:72:8F:AB

[ftmuser@uxplaftmim01 ~]$ keytool -list -keystore /opt/IBM/iib-10.0.0.15/common/jdk/jre/lib/security/cacerts -alias issuing.Cert
Enter keystore password:
issuing.Cert, May 22, 2020, trustedCertEntry,
Certificate fingerprint (SHA1): 3D:DA:5A:8B:E9:5C:C0:02:0D:4C:01:B9:E9:D1:BF:28:27:4D:03:60

Any help or lead would be appreciated.
Thanks in advance!!!
fjb_saper
Posted: Sat May 23, 2020 3:44 am

Grand High Poobah

Joined: 18 Nov 2003
Posts: 20696
Location: LI,NY

You're missing signer certs in the truststore. You need to have in your truststore:
  1. All the signer certs for your own certificate
  2. All the signer certs for the partner's (mainframe) certificate

All the certs in any of the signer chains must be in your truststore: intermediates and root.
Enjoy
_________________
MQ & Broker admin
rahulk01
Posted: Sun May 24, 2020 9:26 am

Apprentice

Joined: 26 Dec 2019
Posts: 35

I used the following sequence of commands and each of them executed successfully.
Not sure what I have missed:
Code:

keytool -genkey -alias ftmsmp -keystore keystore.jks -keysize 2048 (and entered details like CN, OU etc...)
mqsichangeproperties ftmsmp -e dnb -o ComIbmJVMManager -n keystoreType -v JKS
mqsichangeproperties ftmsmp -e dnb -o ComIbmJVMManager -n truststoreType -v JKS
mqsichangeproperties ftmsmp -e dnb -o ComIbmJVMManager -n keystoreFile -v /var/mqsi/SSL/keystore.jks
mqsichangeproperties ftmsmp -e dnb -o ComIbmJVMManager -n truststoreFile -v /opt/IBM/iib-10.0.0.15/common/jdk/jre/lib/security/cacerts

Changing the keystore password:
mqsisetdbparms ftmsmp -n brokerKeystore::password -u ignore -p FtmAdm1n
mqsichangeproperties ftmsmp -e dnb -o ComIbmJVMManager -n keystorePass -v brokerKeystore::password

Truststore password was left as changeit (default password)

Importing the certificates into our truststore:
keytool -import -alias root.Cert -file '/mnt/repo/URN_Cert/DNB ASA PKI Class I Root.cer' -keystore cacerts
keytool -import -alias intermediate.Cert -file '/mnt/repo/URN_Cert/DNB ASA PKI Class E Intermediate 1.0.cer' -keystore cacerts
keytool -import -alias issuing.Cert -file '/mnt/repo/URN_Cert/DNB ASA PKI Class E Issuing 1.0.cer' -keystore cacerts

mqsichangeproperties ftmsmp -b httplistener -o HTTPListener -n enableSSLConnector -v true
Set keystore property:
mqsichangeproperties ftmsmp -b httplistener -o HTTPSConnector -n keystoreFile -v /var/mqsi/SSL/keystore.jks
Set truststore property (truststoreFile, not keystoreFile, takes the cacerts path):
mqsichangeproperties ftmsmp -b httplistener -o HTTPSConnector -n truststoreFile -v /opt/IBM/iib-10.0.0.15/common/jdk/jre/lib/security/cacerts
mqsichangeproperties ftmsmp -o BrokerRegistry -n brokerKeystoreFile -v /var/mqsi/SSL/keystore.jks
mqsichangeproperties ftmsmp -o BrokerRegistry -n brokerTruststoreFile -v /opt/IBM/iib-10.0.0.15/common/jdk/jre/lib/security/cacerts
mqsichangeproperties ftmsmp -b httplistener -o HTTPSConnector -n keystorePass -v FtmAdm1n
mqsichangeproperties ftmsmp -b httplistener -o HTTPSConnector -n truststorePass -v changeit
fjb_saper
Posted: Sun May 24, 2020 10:42 pm

Grand High Poobah

Joined: 18 Nov 2003
Posts: 20696
Location: LI,NY

So I suppose ftmsmp is a self-signed cert?
If that is the case, you will need to add the public cert to the truststore, or your trust chain is incomplete...
_________________
MQ & Broker admin
rahulk01
Posted: Tue May 26, 2020 8:08 am

Apprentice

Joined: 26 Dec 2019
Posts: 35

Taking your advice, I ran the 2 commands below:
Exporting the self-signed certificate (from /var/mqsi/SSL):
keytool -export -alias ftmsmp -file selfsigned.cer -keystore keystore.jks
Importing the self-signed certificate into our truststore (in /opt/IBM/iib-10.0.0.15/common/jdk/jre/lib/security/):
keytool -import -alias selfsigned.Cert -file /var/mqsi/SSL/selfsigned.cer -keystore cacerts

Restarted the broker; I still get the same error.
fjb_saper
Posted: Wed May 27, 2020 4:57 am

Grand High Poobah

Joined: 18 Nov 2003
Posts: 20696
Location: LI,NY

Your message is clear: unable to find a cert path to the target.
So what kind of cert does the mainframe you are trying to reach have?
  • If it is also a self-signed cert, is that cert in your truststore?
  • If it is signed by an internal or private CA, is the signer chain in your truststore?
  • If it is signed by a public CA, is the signer chain, including intermediate certs, in your truststore?

Enjoy
_________________
MQ & Broker admin
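The three cases fjb_saper asks about, worked through as an added example (not code from the thread, from IIB or from JSSE): it generates a throwaway test PKI in memory and asks Go's crypto/x509 verifier, which performs the same path building the JSSE error reports on, whether a path exists for each truststore contents. The CA names, the mainframe.example subject and the scenario labels are constructed for the example.

```go
package main
import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)
// issue makes an in-memory test cert for cn signed by parent (self-signed if parent is nil); a throwaway PKI, not the thread's.
func issue(cn string, isCA bool, parent *x509.Certificate, pkey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: isCA, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
	}
	if parent == nil { parent, pkey = tmpl, key } // self-signed: the template is its own issuer
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, pkey)
	if err != nil { panic(err) }
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}
// PathBuilds is the check behind "PKIX path building failed": can the server cert be chained, via any
// extra certs the server presented in the handshake, to an entry in the client truststore?
func PathBuilds(server *x509.Certificate, truststore, presented []*x509.Certificate) bool {
	roots, inter := x509.NewCertPool(), x509.NewCertPool()
	for _, c := range truststore { roots.AddCert(c) }
	for _, c := range presented { inter.AddCert(c) }
	_, err := server.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inter})
	return err == nil
}
// Scenarios covers fjb_saper's cases for a CA-signed and a self-signed mainframe cert; each key names
// what the client truststore holds (and, in one case, what the server also sends).
func Scenarios() map[string]bool {
	root, rootKey := issue("Test Root CA", true, nil, nil)
	issuing, issuingKey := issue("Test Issuing CA", true, root, rootKey)
	caSigned, _ := issue("mainframe.example", false, issuing, issuingKey)
	selfSigned, _ := issue("mainframe.example", false, nil, nil)
	certs := func(c ...*x509.Certificate) []*x509.Certificate { return c }
	return map[string]bool{
		"ca-signed, root only":                    PathBuilds(caSigned, certs(root), certs()),
		"ca-signed, root+issuing":                 PathBuilds(caSigned, certs(root, issuing), certs()),
		"ca-signed, root only, issuing presented": PathBuilds(caSigned, certs(root), certs(issuing)),
		"self-signed, CA chain only":              PathBuilds(selfSigned, certs(root, issuing), certs()),
		"self-signed, own cert imported":          PathBuilds(selfSigned, certs(selfSigned), certs()),
	}
}
func main() { fmt.Println(Scenarios()) }
```

The third scenario goes beyond the thread: a server that sends its intermediate in the handshake only needs the root in the client truststore, which is why importing the whole chain (as rahulk01 did) is the safe default when you do not control what the server presents.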
rahulk01
Posted: Wed May 27, 2020 7:07 am

Apprentice

Joined: 26 Dec 2019
Posts: 35

It's a CA signed certificate, and I have imported the entire chain of certificates into the IIB truststore i.e. Root, Intermediate and Issuing in the same order. Does the order of import of certificates make any difference?

Another application is successfully able to access this service via APIC. The APIC has imported the same certificates.
fjb_saper
Posted: Wed May 27, 2020 6:57 pm

Grand High Poobah

Joined: 18 Nov 2003
Posts: 20696
Location: LI,NY

Are you specifying the label of your private key on the request node?
Are you sure you are using the keystore / truststore you think you are using?
Try adding -Djavax.net.debug="ssl" or -Djavax.net.debug=true to see what happens during key exchange...
_________________
MQ & Broker admin
rahulk01
Posted: Wed May 27, 2020 11:22 pm

Apprentice

Joined: 26 Dec 2019
Posts: 35

Thanks for your reply.
Just got to know this morning that it is actually a self-signed certificate.
Will try the debugging options you have suggested.
Thanks
rahulk01
Posted: Thu Jun 11, 2020 5:06 am

Apprentice

Joined: 26 Dec 2019
Posts: 35

It was a case of an incorrect certificate. After we got the correct certificates and imported them into the truststore, it started to work.
Thanks for your inputs.