SSL configuration via CACERT certificate using IIBv10
HSarwan
Posted: Sun Feb 14, 2021 7:49 am

Newbie

Joined: 14 Feb 2021
Posts: 9

Hello,


Quote:
Working on a Linux machine, trying to secure inbound requests to an Integration Server's embedded HTTP Listener, but it throws an exception:

keystore was tempared with, or password was incorrect.


I performed the following config:
Code:


keytool -importcert -alias test -file abc.cer -keystore TestKeystore
mqsichangeproperties TestBroker -e IS -o HTTPSConnector -n keystoreType -v JKS
mqsichangeproperties TestBroker -e IS -o HTTPSConnector -n truststoreType -v JKS
mqsichangeproperties TestBroker -e IS -o HTTPSConnector -n explicitlySetPortNumber -v 8542
mqsichangeproperties TestBroker -e IS -o HTTPSConnector -n sslProtocol -v TLSv1.2
mqsichangeproperties TestBroker -e IS -o HTTPSConnector -n keystoreFile -v /u01/esbuser/CACERT/TestKeystore.jks
mqsichangeproperties TestBroker -e IS -o HTTPSConnector -n truststoreFile -v /u01/esbuser/CACERT/TestTruststore.jks
mqsisetdbparms TestBroker -n brokerKeystore::password -u ignore -p admin123
mqsichangeproperties TestBroker -e IS -o HTTPSConnector -n keystorePass -v brokerKeystore::password
mqsisetdbparms TestBroker -n brokerTruststore::password -u ignore -p admin123
mqsichangeproperties TestBroker -e IS -o HTTPSConnector -n truststorePass -v brokerTruststore::password
mqsistop TestBroker
mqsistart TestBroker


Quote:
I have tested it via a client and server application deployed on the SSL-configured server. When the client invokes the https URL, it throws the above exception.


Quote:
I am sure I am missing something, as I am new to configuring SSL. Please help.

bruce2359
Posted: Sun Feb 14, 2021 8:15 am

Poobah

Joined: 05 Jan 2008
Posts: 8856
Location: US: west coast, almost. Otherwise, enroute.

Hello. You've used the Quote option in your post. Who or what are you quoting?
_________________
Five out of four people have trouble with fractions. - Steven Wright.

HSarwan
Posted: Sun Feb 14, 2021 8:23 am

Newbie

Joined: 14 Feb 2021
Posts: 9

Thanks for the reply.
Quoting the exception mainly. What else is required to overcome the exception?

bruce2359
Posted: Sun Feb 14, 2021 11:23 am

Poobah

Joined: 05 Jan 2008
Posts: 8856
Location: US: west coast, almost. Otherwise, enroute.

HSarwan wrote:
keystore was tempared with, or password was incorrect.

Is this the error message? Where do you see this?

Errors from IBM products usually have a message identifier. Please post the complete error message including the message identifier.
_________________
Five out of four people have trouble with fractions. - Steven Wright.

gbaddeley
Posted: Sun Feb 14, 2021 2:33 pm

Jedi

Joined: 25 Mar 2003
Posts: 2213
Location: Melbourne, Australia

bruce2359 wrote:
HSarwan wrote:
keystore was tempared with, or password was incorrect.

Is this the error message? Where do you see this?

Errors from IBM products usually have a message identifier. Please post the complete error message including the message identifier.

Also, IBM messages usually have correct spelling: tampered
_________________
Glenn

HSarwan
Posted: Sun Feb 14, 2021 9:16 pm

Newbie

Joined: 14 Feb 2021
Posts: 9

Here is the exception:
<exceptionList>
<RecoverableException>
<File>/build/slot3/S1000_P/src/DataFlowEngine/MessageServices/ImbDataFlowNode.cpp</File>
<Line>1251</Line>
<Function>ImbDataFlowNode::createExceptionList</Function>
<Type>ComIbmWSRequestNode</Type>
<Name>RRR#FCMComposite_1_2</Name>
<Label>RRR.HTTP Request</Label>
<Catalog>BIPmsgs</Catalog>
<Severity>3</Severity>
<Number>2230</Number>
<Text>Node throwing exception</Text>
<Insert>
<Type>14</Type>
<Text>RRR.HTTP Request</Text>
</Insert>
<RecoverableException>
<File>/build/slot3/S1000_P/src/WebServices/WSLibrary/ImbWSRequestNode.cpp</File>
<Line>1147</Line>
<Function>ImbWSRequestNode::evaluate</Function>
<Type/>
<Name/>
<Label/>
<Catalog>BIPmsgs</Catalog>
<Severity>3</Severity>
<Number>3162</Number>
<Text>WebService Request Exception</Text>
<Insert>
<Type>12</Type>
<Text>436f6e74656e742d4c656e6774683a20300d0a436f6e74656e742d547970653a206170706c69636174696f6e2f782d7777772d666f726d2d75726c656e636f6465640d0a4163636570743a20746578742f68746d6c2c20696d6167652f6769662c20696d6167652f6a7065672c202a3b20713d2e322c202a2f2a3b20713d2e320d0a557365722d4167656e743a204a6176612f312e382e305f3138310d0a486f73743a2031302e3230302e3133312e3132313a373834330d0a534f4150416374696f6e3a2022220d0a0d0a</Text>
</Insert>
<Insert>
<Type>12</Type>
<Text/>
</Insert>
<Insert>
<Type>5</Type>
<Text/>
</Insert>
<Insert>
<Type>5</Type>
<Text/>
</Insert>
<Insert>
<Type>5</Type>
<Text>POST /ttt/yy HTTP/1.0
</Text>
</Insert>
<RecoverableException>
<File>/build/slot3/S1000_P/src/WebServices/WSLibrary/ImbWSRequest.cpp</File>
<Line>657</Line>
<Function>ImbWSRequest::makeWSRequest</Function>
<Type/>
<Name/>
<Label/>
<Catalog>BIPmsgs</Catalog>
<Severity>3</Severity>
<Number>3152</Number>
<Text>A Web Service request has detected a SOCKET error whilst invoking a web service located at host &1, on port &2, on path &3.</Text>
<Insert>
<Type>5</Type>
<Text>10.X.X.X</Text>
</Insert>
<Insert>
<Type>2</Type>
<Text>7843</Text>
</Insert>
<Insert>
<Type>5</Type>
<Text>/ttt/yy</Text>
</Insert>
<SocketException>
<File>/build/slot3/S1000_P/src/WebServices/WSLibrary/ImbSocket.cpp</File>
<Line>1305</Line>
<Function>ImbSocketJNIManager::handleGeneralJavaException</Function>
<Type/>
<Name/>
<Label/>
<Catalog>BIPmsgs</Catalog>
<Severity>3</Severity>
<Number>3165</Number>
<Text>An error occurred whilst performing an SSL socket operation</Text>
<Insert>
<Type>5</Type>
<Text>setSSLOptions</Text>
</Insert>
<Insert>
<Type>5</Type>
<Text>java.security.KeyStoreException: IBMKeyManager: Problem accessing key store java.io.IOException: Keystore was tampered with, or password was incorrect</Text>
</Insert>
</SocketException>
</RecoverableException>
</RecoverableException>
</RecoverableException>
</exceptionList>


Last edited by HSarwan on Mon Feb 15, 2021 5:45 am; edited 1 time in total

abhi_thri
Posted: Mon Feb 15, 2021 1:55 am

Chevalier

Joined: 17 Jul 2017
Posts: 418
Location: UK

hi...one obvious question, have you crosschecked that the password used works against the keystore in question (/u01/esbuser/CACERT/TestTruststore.jks)?...eg:- by using the 'keytool list' command?

HSarwan
Posted: Mon Feb 15, 2021 2:05 am

Newbie

Joined: 14 Feb 2021
Posts: 9

Yes, I had cross-checked using:
keytool -list -keystore /u01/esbuser/CACERT/TestKeystore.jks

abhi_thri
Posted: Mon Feb 15, 2021 2:07 am

Chevalier

Joined: 17 Jul 2017
Posts: 418
Location: UK

hi...ok, if the credentials are verified have you tried restarting the Broker as the keystore/truststore is changed at a Node level?

HSarwan
Posted: Mon Feb 15, 2021 5:44 am

Newbie

Joined: 14 Feb 2021
Posts: 9

Yes dear, I have restarted also.

abhi_thri
Posted: Mon Feb 15, 2021 10:22 am

Chevalier

Joined: 17 Jul 2017
Posts: 418
Location: UK

hi...for some reason the Node/Integration server is not able to load the keystore, crosscheck whether it might be to do with the file permissions among the other things mentioned in the below link.

https://www.ibm.com/mysupport/s/question/0D50z000062kkah/keystore-was-tampered-with-or-password-was-incorrect-iib-ibm-integration-bus?language=en_US

Have you tried adding the certs to the default keystore/truststore and see...if nothing works try capturing the JSSE trace and see

HSarwan
Posted: Tue Feb 16, 2021 11:47 pm

Newbie

Joined: 14 Feb 2021
Posts: 9

Thanks for your replies.

I have solved the issue by doing:


. cat root, intermediate, and signed certificate into a single .pem file.
. convert .pfx to .pem file
. generate jks with the single .pem and .pem private key.


At the middleware, I configured:
Code:

mqsichangeproperties BAHL_BROK2 -e default -o ComIbmJVMManager -n keystoreFile -v /u01/esbuser/AllCert/store.jks
mqsichangeproperties BAHL_BROK2 -e default -o ComIbmJVMManager -n keystoreType -v JKS
mqsichangeproperties BAHL_BROK2 -e default -o ComIbmJVMManager -n keystorePass -v defaultKeystore::password
mqsisetdbparms BAHL_BROK2 -n defaultKeystore::password -u ignore -p admin123/?

mqsichangeproperties BAHL_BROK2 -e default -o ComIbmJVMManager -n truststoreFile -v /u01/esbuser/AllCert/store.jks
mqsichangeproperties BAHL_BROK2 -e default -o ComIbmJVMManager -n truststorePass -v defaultTruststore::password
mqsichangeproperties BAHL_BROK2 -e default -o ComIbmJVMManager -n truststoreType -v JKS
mqsisetdbparms BAHL_BROK2 -n defaultTruststore::password -u ignore -p admin123/?

keytool -list -keystore /u01/esbuser/AllCert/store.jks -storepass admin123/?
mqsichangeproperties BAHL_BROK2 -e default -o HTTPSConnector -n sslProtocol -v TLS
mqsichangeproperties BAHL_BROK2 -e default -o HTTPSConnector -n explicitlySetPortNumber -v 7803


Thank you.
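
One way to narrow down the "Keystore was tampered with, or password was incorrect" error from this thread, added here as an example and not part of the original posts: the code applies the standard JKS integrity check (SHA-1 over the UTF-16BE password, the fixed string "Mighty Aphrodite" and the store body) to separate a wrong password or altered file from a file that is not JKS at all. The function names and the sample store are constructed for illustration.

```python
import hashlib
import struct

JKS_MAGIC = 0xFEEDFEED          # first four bytes of every JKS file
JKS_SALT = b"Mighty Aphrodite"  # fixed string mixed into the integrity hash


def jks_digest(password: str, body: bytes) -> bytes:
    """SHA-1 over the UTF-16BE password, the fixed salt and the store body."""
    return hashlib.sha1(password.encode("utf-16-be") + JKS_SALT + body).digest()


def diagnose_keystore(data: bytes, password: str) -> str:
    """Classify why a loader set to keystoreType JKS would reject `data`."""
    if len(data) < 12 + 20:
        return "too short to be a JKS store"
    magic, version, _count = struct.unpack(">III", data[:12])
    if magic != JKS_MAGIC:
        # A DER-encoded PKCS#12 (.pfx/.p12) file starts with ASN.1 SEQUENCE tag 0x30.
        kind = "looks like PKCS#12/DER" if data[0] == 0x30 else "unknown format"
        return f"not a JKS store ({kind}); keystoreType JKS will not load it"
    if version not in (1, 2):
        return f"unsupported JKS version {version}"
    # The last 20 bytes are the digest of everything before them.
    body, stored = data[:-20], data[-20:]
    if jks_digest(password, body) != stored:
        return "integrity digest mismatch: wrong password or modified file"
    return "ok"


def build_empty_jks(password: str) -> bytes:
    """Constructed sample input: a valid JKS store with zero entries."""
    body = struct.pack(">III", JKS_MAGIC, 2, 0)
    return body + jks_digest(password, body)


if __name__ == "__main__":
    store = build_empty_jks("admin123")            # constructed sample store
    print(diagnose_keystore(store, "admin123"))    # matching password
    print(diagnose_keystore(store, "admin123/?"))  # different password
    print(diagnose_keystore(b"\x30\x82" + bytes(40), "admin123"))  # not JKS
```

To check a real file, pass `open(path, "rb").read()` for the path set in `keystoreFile` together with the password stored via `mqsisetdbparms`. Note that `keytool -list` without `-storepass` lists the entries without verifying integrity when the password prompt is left empty, so a successful listing alone does not confirm the password.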