I'm trying to connect my Java-based application to the IBM MQ queue manager through the MQ client. SSL is already configured at the MQ server, which is managed by a third party. Now, to configure SSL on the client side, I need a Keystore & Truststore in .jks form.
Could you please let me know the process of generating the Keystore & Truststore required for SSL communication between the IBM MQ server & client?
What is the Userid in the Keystore & Truststore? Is it the alias name?
There is a tutorial that will guide you through the process of creating a JMS Keystore - https://developer.ibm.com/tutorials/mq-secure-msgs-tls/
but it doesn't need to be. You could use a .p12 Truststore, and there is a guide that shows how - https://github.com/ibm-messaging/mq-dev-samples/blob/master/README.md
Both use keytool.
I am running a JMS point-to-point sampler for TIBCO EMS queue testing. I have added all the TIBCO EMS jars to the JMeter lib folder and configured the queue details, context factory and user credentials in the JMS sampler.
When hitting TIBCO EMS with a tcp request for the queue, it works. But when hitting it with the SSL url, it fails to connect.
I tried the following ways to attach the self-signed certificate given by the TIBCO team:
Added the .pem file (only the begin and end certificate sections) to the Java JDK cacerts file and opened JMeter from the command line with -Djavax.net.ssl.keystore=cacerts and the password. The SSL request failed to connect to the TIBCO EMS server.
Extracted the certificate from the server through openssl -connect commands, copied the begin & end certificate sections to a .cer file and used keytool to add them to a truststore. Started JMeter with this truststore. The JMS sampler still failed.
I understand the SSL certificate is not getting attached to the JMS sampler when we are running it. Can someone help out with the steps to successfully attach the SSL certificate to the JMS request?
Looking into Configuring EMS over SSL on Application Servers I think you need to provide the following Java System properties:
com.tibco.tibjms.naming.security_protocol=ssl
jsse.providerClass=com.ibm.jsse2.IBMJSSEProvider2
com.tibco.tibjms.ssl.expected_hostname=xxxx
com.tibco.tibjms.ssl.enable_verify_host_name=false
com.tibco.tibjms.ssl.enable_verify_host=false
com.tibco.tibjms.ssl.trusted=/path/to/your/certificate.pem
The properties can either be put into system.properties file (lives in "bin" folder of your JMeter installation) or passed via -D command-line arguments like:
jmeter -Dcom.tibco.tibjms.naming.security_protocol=ssl -Djsse.providerClass=com.ibm.jsse2.IBMJSSEProvider2 ....
References:
Java Secure Socket Extension (JSSE) Reference Guide
TibjmsContext
TibjmsSSL
Apache JMeter Properties Customization Guide
Overriding Properties Via The Command Line
I am setting up a Tomcat server which communicates with an external system through SOAP web services (I am using the external system's stubs and the Apache Axis2 library for that).
The external system is secured with SSL client/server authentication. The system provides me with a keystore file in .pfx format which contains two certificates.
Things I have tried:
I have extracted those two certificates and added them to my keystore. I added the entry below to my tomcat/bin/catalina.bat file:
set JAVA_OPTS = %JAVA_OPTS% -Djavax.net.ssl.trustStore=/pathtomykeystore/cacerts -Djavax.net.ssl.keyStore=/pathtomykeystore/cacerts -Djavax.net.ssl.keyStorePassword=changeit -Djavax.net.ssl.trustStorePassword=changeit
With the above configuration my request fails with No X.509 client certificate HTTP header found in request.
I enabled SSL logs and found that serverHelloDone is printed, and after that it says
"No suitable client certificate could be found - continuing without client authentication"
I have tried the same thing from the SOAPUI tool, where I directly configure the .pfx file as the keystore, and it works fine there.
The difference between the Tomcat and SOAPUI logs is that
SOAPUI successfully completes client authentication where Tomcat does not.
Also, the lines below are missing from the Tomcat SSL logs:
keystore is:
keystoreType is: jks
keystore provider is
Update1:
I removed the keystore configuration from SOAPUI->project view-> WS Security Configuration -> keystore (this is the working configuration) and added the above-mentioned JAVA_OPTS entries to the soapui.bat file, and now SOAPUI also gives the same error.
Can anyone help with how SOAPUI picks and sends the certificates from the keystore configured in project view->keystore?
Looking to port Outbound SSL configuration from Websphere to JBoss. In my case, JBoss is the client. It wants to pass a client cert to a remote machine as part of a 2-way SSL communication.
In Websphere, you explicitly specify...
keystore / keystore password (where are the certs?)
certificate alias (which client cert to apply?)
matching outbound url pattern (when do I apply the client cert?)
You may have many of these configurations. Between these 3 pieces of info, the container can selectively choose when/which client certificate to include when making outbound SSL calls.
What is the JBoss way of doing the same thing as I described above?
Can this be done by simply configuring your JRE?
Are there parts of this that cannot be done in JBoss and/or java?
Thanks,
Wade.
In our WSO2 ESB 4.9.0 we had set up the CA certificates (root, intermediate and the final) in a new JKS and had configured our carbon, axis2 and catalina XMLs.
Now we want the client application to hit our ESB on https with SSL. Can you let us know what details we need to share with our client application?
Thanks
The client should have the public key of the server.
I am using JBoss as the server and my Java program as the client. I have modified the server.xml file in JBoss to send the certificate from the server to the client. This happens automatically when the requesting client has the same domain as the domain in the server keystore.
But I want the JBoss server to validate the client certificate as well. How can I send the client certificate to JBoss and receive it in JBoss?
You are trying to achieve two-way SSL, so look up "jboss two way ssl".
The steps would be similar to setting up SSL on the server; the only difference would be that you would need to import the client cert into the server truststore (assuming the client cert is self-signed).
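
The key store and trust store roles that come up in the IBM MQ, Tomcat and two-way SSL threads above, as an added example (not taken from any of the posts): it builds a client key store, a client trust store and a server trust store with keytool and prints the entry type each one holds. The aliases, file names, subject names and password are constructed for the demo, and self-signed certificates stand in for the real ones.

```shell
#!/bin/sh
# Added example. Aliases, file names, subjects and the password are constructed.
set -eu
PASS=changeit   # demo only; keytool prompts for a password when -storepass is omitted

# Print the entry type keytool reports for ALIAS in STORE.
entry_type() {   # entry_type STORE ALIAS
    keytool -list -keystore "$1" -storepass "$PASS" -alias "$2" |
        grep -o -e 'PrivateKeyEntry' -e 'trustedCertEntry' | head -n 1
}

# Generate a key pair with a self-signed certificate, then export the certificate as PEM.
new_identity() {   # new_identity DIR NAME
    keytool -genkeypair -alias "$2" -keyalg RSA -keysize 2048 -validity 30 \
        -dname "CN=$2.example.test" -storetype PKCS12 \
        -keystore "$1/$2.pfx" -storepass "$PASS"
    keytool -exportcert -rfc -alias "$2" -storetype PKCS12 \
        -keystore "$1/$2.pfx" -storepass "$PASS" -file "$1/$2.pem"
}

build_stores() {   # build_stores DIR
    new_identity "$1" client     # stands in for a .pfx handed over by the remote party
    new_identity "$1" server     # stands in for the server's own identity
    # Client key store: convert the whole .pfx so the private key comes along.
    keytool -importkeystore -noprompt \
        -srckeystore "$1/client.pfx" -srcstoretype PKCS12 -srcstorepass "$PASS" \
        -destkeystore "$1/client-key.jks" -deststoretype JKS -deststorepass "$PASS"
    # Client trust store: the server's certificate only.
    keytool -importcert -noprompt -alias server -file "$1/server.pem" \
        -keystore "$1/client-trust.jks" -storetype JKS -storepass "$PASS"
    # Server trust store for two-way TLS: the client's certificate only.
    # Used as javax.net.ssl.keyStore it could not authenticate a client,
    # because it holds no private key.
    keytool -importcert -noprompt -alias client -file "$1/client.pem" \
        -keystore "$1/server-trust.jks" -storetype JKS -storepass "$PASS"
}

if command -v keytool >/dev/null 2>&1; then
    WORK=$(mktemp -d)
    build_stores "$WORK"
    for pair in client-key.jks:client client-trust.jks:server server-trust.jks:client; do
        printf '%-18s %-8s %s\n' "${pair%%:*}" "${pair##*:}" \
            "$(entry_type "$WORK/${pair%%:*}" "${pair##*:}")"
    done
else
    echo "keytool not found; a JDK is required for this example" >&2
fi
```

Only a PrivateKeyEntry can present a client certificate during the handshake; a trustedCertEntry is used solely to decide whether the peer's certificate is trusted.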