Using TLSv1.2 for connecting to IBM WebSphere JNDI

I have a legacy application which is using Spring 3.2.4 and is connecting to an IBM WebSphere JMS queue resolved via JNDI. Following are the Spring beans for connection factory and the JNDI template.
<bean id="queueConnectionFactory" class="org.springframework.jndi.JndiObjectFactoryBean">
<property name="jndiTemplate" ref="jndi-template-1" />
<property name="jndiName" value="FOO" />
<property name="lookupOnStartup" value="false"/>
<property name="proxyInterface" value="javax.jms.ConnectionFactory"/>
</bean>
<bean id="jndi-template-1" class="org.springframework.jndi.JndiTemplate">
<property name="environment">
<props>
<prop key="java.naming.factory.initial">com.ibm.websphere.naming.WsnInitialContextFactory</prop>
<prop key="java.naming.provider.url">${jndi-url}</prop>
</props>
</property>
</bean>
Recently the WebSphere server has been upgraded and restricted to allow only TLSv1.2 connections. Since the client is currently using TLSv1, connections are rejected.
Is there a way to configure the JNDI template to use TLSv1.2 for client connections?

3 things you need to check for in your legacy application:
1. Is it running Java 8 or higher?
2. Is it using IBM MQ JAR files v8.0.0.9 or higher?
3. Is the JNDI QCF/TCF entry using a CipherSuite that is TLS 1.2? You can check out supported TLS v1.2 CipherSuites for IBM MQ here.
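As an added example (not from the question or the answer above), the client-side alternative when the application is allowed to define its own connection factory instead of looking it up through WebSphere JNDI: the IBM MQ factory is declared directly in Spring with a TLS 1.2 cipher suite. Host, port, queue manager and channel are ${...} placeholders.

```xml
<!-- Added example: replaces the JndiObjectFactoryBean lookup from the question with a
     Spring-defined IBM MQ connection factory that negotiates TLS 1.2.
     All ${...} values are placeholders for the application's own properties. -->
<bean id="queueConnectionFactory" class="com.ibm.mq.jms.MQQueueConnectionFactory">
    <property name="hostName" value="${mq.host}"/>
    <property name="port" value="${mq.port}"/>
    <property name="queueManager" value="${mq.queueManager}"/>
    <!-- use a dedicated SVRCONN channel for the application, not SYSTEM.DEF.SVRCONN -->
    <property name="channel" value="${mq.channel}"/>
    <!-- 1 = client (TCP/IP) transport; TLS is only negotiated in client mode -->
    <property name="transportType" value="1"/>
    <!-- must match the SSLCIPH attribute of the SVRCONN channel on the queue manager.
         This suite exists only in TLS 1.2, so the handshake cannot fall back to TLSv1. -->
    <property name="SSLCipherSuite" value="TLS_RSA_WITH_AES_128_CBC_SHA256"/>
</bean>
```

On a non-IBM JRE (Oracle/OpenJDK) the MQ classes additionally need -Dcom.ibm.mq.cfg.useIBMCipherMappings=false so that the JSSE-style suite name above is accepted, and the JVM truststore (javax.net.ssl.trustStore) must hold the queue manager's certificate chain.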

Failed to allocate a JMS connection Payara and Websphere MQ

I installed an IBM resource adapter to a Payara (Glassfish) server using the instructions on the below page from the IBM website:
https://www.ibm.com/support/knowledgecenter/en/SSFKSJ_8.0.0/com.ibm.mq.dev.doc/q121520_.htm
However when I try to test the Connector Connection Pool using the ping option I get the following error:
'Ping Connection Pool failed for jms/ivt/IVTCF-Connection-Pool. MQJCA1011: Failed to allocate a JMS connection., error code: MQJCA1011 Please check the server.log for more details.'
I am running Payara Server 4.1.2.181 and trying to connect to IBM WebSphere MQ Explorer Version: 8.0.0.5. Below are the relevant connection details from the domain.xml file I am using:
<connector-connection-pool resource-adapter-name="wmq.jmsra" max-pool-size="250" ping="true" steady-pool-size="1" name="jms/ivt/IVTCF-Connection-Pool" connection-definition-name="javax.jms.ConnectionFactory">
<property name="transportType" value="CLIENT"></property>
<property name="queueManager" value="QM"></property>
<property name="channel" value="SYSTEM.DEF.SVRCONN"></property>
<property name="port" value="1418"></property>
<property name="hostName" value="localhost"></property>
</connector-connection-pool>
<connector-resource pool-name="jms/ivt/IVTCF-Connection-Pool" jndi-name="IVTCF"></connector-resource>
<admin-object-resource res-adapter="wmq.jmsra" res-type="javax.jms.Queue" jndi-name="IVTQueue" class-name="com.ibm.mq.connector.outbound.MQQueueProxy">
<property name="baseQueueManagerName" value="QM"></property>
<property name="name" value="IVTQueue"></property>
<property name="CCSID" value="1208"></property>
<property name="failIfQuiesce" value="true"></property>
<property name="messageBodyStyle" value="UNSPECIFIED"></property>
<property name="readAheadClosePolicy" value="ALL"></property>
<property name="encoding" value="NATIVE"></property>
<property name="priority" value="APP"></property>
<property name="putAsyncAllowed" value="DESTINATION"></property>
<property name="readAheadAllowed" value="DESTINATION"></property>
<property name="persistence" value="APP"></property>
<property name="targetClient" value="JMS"></property>
<property name="expiry" value="APP"></property>
</admin-object-resource>
<property name="queueManager" value="QM"></property>
<property name="channel" value="SYSTEM.DEF.SVRCONN"></property>
<property name="port" value="1418"></property>
<property name="hostName" value="localhost"></property>
Do you have a local queue called 'QM'? You are using 'localhost', so is it running on your local PC? And did you configure the MQ listener to use port # 1418?
Finally, do not use the "SYSTEM.DEF.SVRCONN". Create a channel for your own use. i.e. 'TEST.CHL'. Also, you could be blocked from using the SYSTEM.* channel by a CHLAUTH rule.
As #Roger had highlighted, the issue in my case was that the channel was blocked by the CHLAUTH rule. I fixed the issue by disabling authorisation on the channel using the below commands on the IBM Integration Console:
alter QMGR CHLAUTH(DISABLED)
alter AUTHINFO(SYSTEM.DEFAULT.AUTHINFO.IDPWOS) AUTHTYPE(IDPWOS) CHCKCLNT(none)
REFRESH SECURITY TYPE(CONNAUTH)

Disabling ssl v3 in activemq admin console

How to disable SSL v3 in the ActiveMQ admin console (port 8161)? I did not find any documentation online.
In my jetty.xml file I can see below lines:
<bean id="SecureConnector" class="org.eclipse.jetty.server.ssl.SslSelectChannelConnector">
<property name="port" value="8161" />
<property name="keystore" value="file:${activemq.conf}/broker.ks" />
<property name="password" value="password" />
</bean>
ActiveMQ uses a basic spring wired jetty server for the admin web-gui. Use the methods available in Jetty documentation - or look at this SO.
SslSelectChannelConnector takes a SslContextFactory as constructor arg. That factory has an excludeProtocols property which you can feed with "sslv3".
Wiring that up in Spring should be straightforward.

How to disable SSL3 for activemq https transport?

I am trying to disable SSL3 for activemq https transport. (activemq-5.11)
I tried the transport.enabledProtocols option as suggested in How to disable SSLv3 protocol in Apache ActiveMQ?
transport.enabledProtocols is working for ssl:// transport but not for https:// transport.
I do not see a handshake failure when I try to connect with openssl using the -ssl3 option.
Thanks
Jetty fronts the HTTP aspect of ActiveMQ, and uses a Spring connector for the config. This lets you add the excludeProtocols property with SSLv3 as the value:
<bean id="SecureConnector" class="org.eclipse.jetty.server.ssl.SslSelectChannelConnector">
<property name="port" value="8162" />
<property name="keystore" value="file:${activemq.conf}/broker.ks" />
<property name="password" value="password" />
<property name="excludeProtocols" value="SSL,SSLv2,SSLv3" />
</bean>
You should be on .Net 4.5+ and in your code, before calling the service, add the following:
System.Net.ServicePointManager.SecurityProtocol=SecurityProtocolType.Tls12;
There is an article here:
http://passionatecoder.ca/Posts/Details/47

SpringJMS 3.0.4 not connecting MQ 7.5 Connection using UserName

Not able to connect to an MQ 7.5 queue manager from Spring JMS version 3.0.4 with a username. The username is passed to provide appropriate authorization to the queue. We are using Spring JMS, which uses the MQ client libraries available on the same machine. The MQ manager/server is on a remote machine.
Below is the configuration we are using, but we are getting the error message shown below.
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:jms="http://www.springframework.org/schema/jms" xmlns:p="http://www.springframework.org/schema/p" xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.0.xsd http://www.springframework.org/schema/jms http://www.springframework.org/schema/jms/spring-jms-3.0.xsd">
<!-- :: Messaging Infrastructure Beans :: -->
<bean id="transport" class="org.springframework.beans.factory.config.FieldRetrievingFactoryBean" p:staticField="com.ibm.mq.jms.JMSC.MQJMS_TP_CLIENT_MQ_TCPIP" />
<bean id="mqConnectionFactory" class="com.ibm.mq.jms.MQQueueConnectionFactory" p:transportType-ref="transport"
p:queueManager="${tcs.messaging.queueManager.name}" p:hostName="${tcs.messaging.queueManager.host}" p:port="${tcs.messaging.queueManager.port}"
p:channel="${tcs.messaging.queueManager.channel}" />
<bean id="queueConnectionFactory" class="org.springframework.jms.connection.CachingConnectionFactory"
p:targetConnectionFactory-ref="mqConnectionFactory" p:sessionCacheSize="${tcs.messaging.connectionFactory.sessionCacheSize}"
p:exceptionListener-ref="providerMessageListener" />
<bean id="providerMessageListener" class="com.uhg.treasury.customerservice.management.transport.jms.ProviderExceptionListener" />
<!-- New Addition :: -->
<bean id="myConnectionFactory2" class="org.springframework.jms.connection.UserCredentialsConnectionFactoryAdapter">
<property name="targetConnectionFactory"> <ref bean="mqConnectionFactory"/> </property>
<!-- value text is taken verbatim: quote characters would become part of the username/password -->
<property name="username"> <value>tbossmqd</value> </property>
<property name="password"> <value>password1</value> </property>
</bean>
</beans>
The error message is as below:
2014-06-27 11:25:42,503 [main] DEBUG - DefaultMessageListenerContainer.establishSharedConnection(752) | Could not establish shared JMS Connection - leaving it up to asynchronous invokers to establish a Connection as soon as possible
com.ibm.msg.client.jms.DetailedJMSSecurityException: JMSWMQ2013: The security authentication was not valid that was supplied for QueueManager 'WMQT013' with connection mode 'Client' and host name 'wmqlt0006.xxx.com(1960)'.
Please check if the supplied username and password are correct on the QueueManager to which you are connecting.
at com.ibm.msg.client.wmq.common.internal.Reason.reasonToException(Reason.java:521)
at com.ibm.msg.client.wmq.common.internal.Reason.createException(Reason.java:221)
at com.ibm.msg.client.wmq.internal.WMQConnection.<init>(WMQConnection.java:426)
at com.ibm.msg.client.wmq.factories.WMQConnectionFactory.createV7ProviderConnection(WMQConnectionFactory.java:6902)
at com.ibm.msg.client.wmq.factories.WMQConnectionFactory.createProviderConnection(WMQConnectionFactory.java:6277)
at com.ibm.msg.client.jms.admin.JmsConnectionFactoryImpl.createConnection(JmsConnectionFactoryImpl.java:285)
at com.ibm.mq.jms.MQConnectionFactory.createCommonConnection(MQConnectionFactory.java:6233)
at com.ibm.mq.jms.MQQueueConnectionFactory.createQueueConnection(MQQueueConnectionFactory.java:120)
at com.ibm.mq.jms.MQQueueConnectionFactory.createConnection(MQQueueConnectionFactory.java:203)
at org.springframework.jms.connection.SingleConnectionFactory.doCreateConnection(SingleConnectionFactory.java:342)
at org.springframework.jms.connection.SingleConnectionFactory.initConnection(SingleConnectionFactory.java:288)
at org.springframework.jms.connection.SingleConnectionFactory.createConnection(SingleConnectionFactory.java:225)
at org.springframework.jms.support.JmsAccessor.createConnection(JmsAccessor.java:184)
at org.springframework.jms.listener.AbstractJmsListeningContainer.createSharedConnection(AbstractJmsListeningContainer.java:403)
at org.springframework.jms.listener.AbstractJmsListeningContainer.establishSharedConnection(AbstractJmsListeningContainer.java:371)
at org.springframework.jms.listener.DefaultMessageListenerContainer.establishSharedConnection(DefaultMessageListenerContainer.java:749)
at org.springframework.jms.listener.AbstractJmsListeningContainer.doStart(AbstractJmsListeningContainer.java:278)
at org.springframework.jms.listener.AbstractJmsListeningContainer.start(AbstractJmsListeningContainer.java:263)
at org.springframework.jms.listener.DefaultMessageListenerContainer.start(DefaultMessageListenerContainer.java:555)
at org.springframework.context.support.DefaultLifecycleProcessor.doStart(DefaultLifecycleProcessor.java:166)
at org.springframework.context.support.DefaultLifecycleProcessor.access$1(DefaultLifecycleProcessor.java:154)
at org.springframework.context.support.DefaultLifecycleProcessor$LifecycleGroup.start(DefaultLifecycleProcessor.java:335)
at org.springframework.context.support.DefaultLifecycleProcessor.startBeans(DefaultLifecycleProcessor.java:143)
at org.springframework.context.support.DefaultLifecycleProcessor.onRefresh(DefaultLifecycleProcessor.java:108)
at org.springframework.context.support.AbstractApplicationContext.finishRefresh(AbstractApplicationContext.java:908)
at org.springframework.context.support.AbstractApplicationContext.refresh(AbstractApplicationContext.java:428)
at org.springframework.context.support.ClassPathXmlApplicationContext.<init>(ClassPathXmlApplicationContext.java:197)
at org.springframework.context.support.ClassPathXmlApplicationContext.<init>(ClassPathXmlApplicationContext.java:172)
at org.springframework.context.support.ClassPathXmlApplicationContext.<init>(ClassPathXmlApplicationContext.java:158)
at com.uhg.treasury.customerservice.management.Server.<init>(Server.java:61)
at com.uhg.treasury.customerservice.management.Server.<init>(Server.java:43)
Caused by: com.ibm.mq.MQException: JMSCMQ0001: WebSphere MQ call failed with compcode '2' ('MQCC_FAILED') reason '2035' ('MQRC_NOT_AUTHORIZED').
at com.ibm.msg.client.wmq.common.internal.Reason.createException(Reason.java:209)
... 29 more
2014-06-27 11:25:42,512 [main] DEBUG - AbstractJmsListeningContainer.resumePausedTasks(539) | Resumed paused task: org.springframework.jms.listener.DefaultMessageListenerContainer$AsyncMessageListenerInvoker#627a94a9
2014-06-27 11:25:42,512 [main] DEBUG - AbstractJmsListeningContainer.resumePausedTasks(539) | Resumed paused task: org.springframework.jms.listener.DefaultMessageListenerContainer$AsyncMessageListenerInvoker#5db615c1
I can confirm that the MQQueueConnectionFactory.createConnection method being called by Spring is the version that passes no username/password. This is why you are seeing the MQRC_NOT_AUTHORIZED, as the username is not being passed to the queue manager.
I am not a spring expert but I believe that the new myConnectionFactory2 bean that you have added needs to reference your CachingConnectionFactory bean (queueConnectionFactory) rather than directly referencing the MQQueueConnectionFactory bean (mqConnectionFactory). So change this:
<bean id="myConnectionFactory2" class="org.springframework.jms.connection.UserCredentialsConnectionFactoryAdapter">
<property name="targetConnectionFactory"> <ref bean="mqConnectionFactory"/> </property>
<property name="username"> <value>tbossmqd</value> </property>
<property name="password"> <value>password1</value> </property>
</bean>
to be this:
<bean id="myConnectionFactory2" class="org.springframework.jms.connection.UserCredentialsConnectionFactoryAdapter">
<property name="targetConnectionFactory"> <ref bean="queueConnectionFactory"/> </property>
<property name="username"> <value>tbossmqd</value> </property>
<property name="password"> <value>password1</value> </property>
</bean>
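As an added example (not part of either post above), the wiring in which the credentials adapter sits inside the CachingConnectionFactory. A SingleConnectionFactory/CachingConnectionFactory only ever calls the no-argument createConnection() on its target (its own createConnection(user, password) overload throws an IllegalStateException), so the adapter has to be that target for the credentials to reach the IBM factory. The property names are the ones from the question; the credential keys are placeholders.

```xml
<!-- Added example: caching factory -> credentials adapter -> IBM MQ factory.
     Assumes the xmlns:p namespace from the question's <beans> element.
     Credentials come from an external property source (${...} placeholders),
     never as literals in the context file. -->
<bean id="mqConnectionFactory" class="com.ibm.mq.jms.MQQueueConnectionFactory"
      p:transportType-ref="transport"
      p:queueManager="${tcs.messaging.queueManager.name}"
      p:hostName="${tcs.messaging.queueManager.host}"
      p:port="${tcs.messaging.queueManager.port}"
      p:channel="${tcs.messaging.queueManager.channel}"/>

<!-- turns every createConnection() call into createConnection(username, password)
     on the IBM factory -->
<bean id="mqUserConnectionFactory"
      class="org.springframework.jms.connection.UserCredentialsConnectionFactoryAdapter">
    <property name="targetConnectionFactory" ref="mqConnectionFactory"/>
    <property name="username" value="${tcs.messaging.username}"/>
    <property name="password" value="${tcs.messaging.password}"/>
</bean>

<!-- the caching factory calls createConnection() on its target, which is now the adapter,
     so the shared connection is opened with the configured identity -->
<bean id="queueConnectionFactory" class="org.springframework.jms.connection.CachingConnectionFactory"
      p:targetConnectionFactory-ref="mqUserConnectionFactory"
      p:sessionCacheSize="${tcs.messaging.connectionFactory.sessionCacheSize}"
      p:exceptionListener-ref="providerMessageListener"/>
```

On MQ 7.5 the client-supplied user ID is only honoured if the channel's MCAUSER/CHLAUTH rules allow it, so a 2035 that persists after this change points at the queue manager's authorization records, not at Spring.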

Apache Camel with IBM MQ

Hello, has anyone ever used Camel with IBM's MQ? We are looking at possibly using the two products together but have no example of the two products working together.
I have extensive experience using IBM MQ with Camel. There is no issue using both together. I will paste a sample configuration from one of my Spring context files leveraging a Camel JMS endpoint, a Spring connection factory, and an IBM MQ definition.
Camel Route
from("someplace")
.to("cpaibmmq:queue:myQueueName");
Spring Context
<bean name="cpaibmmq" class="org.apache.camel.component.jms.JmsComponent" destroy-method="doStop">
<property name="transacted" value="${jms.transacted}" />
<property name="concurrentConsumers" value="${cpa.concurrentConsumers}" />
<property name="maxConcurrentConsumers" value="${cpa.concurrentConsumers}" />
<property name="acceptMessagesWhileStopping" value="${jms.acceptMessagesWhileStopping}" />
<property name="acknowledgementModeName" value="${jms.acknowledgementModeName}" />
<property name="cacheLevelName" value="${jms.cacheLevelName}" />
<property name="connectionFactory" ref="ibmFac1" />
<property name="exceptionListener" ref="ibmFac1" />
</bean>
<bean id="ibmFac1" class="org.springframework.jms.connection.SingleConnectionFactory" destroy-method="destroy">
<constructor-arg>
<bean class="com.ibm.mq.jms.MQQueueConnectionFactory">
<property name="transportType" value="1" />
<property name="channel" value="${cpa.wmq.channel}" />
<property name="hostName" value="${cpa.wmq.hostname}" />
<property name="port" value="${cpa.wmq.port}" />
<property name="queueManager" value="${cpa.wmq.mqmanager}" />
</bean>
</constructor-arg>
</bean>
The best I have been able to get is documented below, illustrated as a Spring XML application context that itself hosts the CAMEL context and routes. This sample works with the IBM native MQ JCA-compliant resource adapter v7.5, CAMEL 2.16, Spring core 4.2. I have deployed it in Glassfish, Weblogic, and JBoss EAP7 servers.
The complexity is bound to handling the flow of MQ reports whose philosophy conflicts with that of a plain JMS reply-to message. For a detailed explanation, please refer to Implementing native websphere MQ with CoD over Camel JMS component
This example based on the CAMEL XML DSL is self-contained and easy to test.
We start with Spring & CAMEL declarations:
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:util="http://www.springframework.org/schema/util"
xmlns:context="http://www.springframework.org/schema/context"
xmlns:camel="http://camel.apache.org/schema/spring"
xmlns:jee="http://www.springframework.org/schema/jee"
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd
http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd
http://camel.apache.org/schema/spring http://camel.apache.org/schema/spring/camel-spring.xsd
http://www.springframework.org/schema/jee http://www.springframework.org/schema/jee/spring-jee-3.0.xsd">
The CAMEL context follows with 2 routes: MQ to JMS and JMS to MQ, here chained to form a bridge to ease testing.
<camel:camelContext id="mqBridgeCtxt">
<camel:route id="mq2jms" autoStartup="true">
Weird: on Weblogic, the only way to get (e.g.) 3 listeners is to enforce 3 connections (with 3 Camel:from statements in sequence) with max 1 session each, otherwise an MQ error ensues: MQJCA1018: Only one session per connection is allowed. On JBoss, you can simply adjust concurrentConsumers=...
<camel:from uri="wmq:queue:TEST.Q1?concurrentConsumers=1&amp;disableReplyTo=true&amp;
acknowledgementModeName=SESSION_TRANSACTED"/>
The disableReplyTo option above ensures that CAMEL will not produce a reply before we can test the MQ message type to be 1=Request(-reply) or 8=datagram (one way!). That test and reply construction is not illustrated here.
Then we enforce the EIP to InOnly on the next posting to plain JMS to be consistent with the Inbound MQ mode.
<camel:setExchangePattern pattern="InOnly"/>
<!-- camel:process ref="reference to your MQ message processing bean fits here" / -->
<camel:to uri="ref:innerQueue" />
</camel:route>
This ends the MQ-to-jms route; next comes the jms-to-MQ route still in the same CAMEL context:
<camel:route id="jms2mq" autoStartup="true">
<camel:from uri="ref:innerQueue" />
<!-- remove inner message headers and properties to test without inbound side effects! -->
<camel:removeHeaders pattern="*"/>
<camel:removeProperties pattern="*" />
<!-- camel:process ref="reference to your MQ message preparation bean fits here" / -->
Now comes the request flag for the MQ CoD report to be returned by remote destination. We also enforce the MQ message to be of Datagram type (value 8).
<camel:setHeader headerName="JMS_IBM_Report_COD"><camel:simple resultType="java.lang.Integer">2048</camel:simple></camel:setHeader>
<camel:setHeader headerName="JMS_IBM_Report_Pass_Correl_ID"><camel:simple resultType="java.lang.Integer">64</camel:simple></camel:setHeader>
<camel:setHeader headerName="JMS_IBM_MsgType"><camel:simple resultType="java.lang.Integer">8</camel:simple></camel:setHeader>
The ReplyTo queue can be specified either via the ReplyTo URI option or as a header as below.
Next we use the CamelJmsDestinationName header to enforce suppressing of the JMS MQ message header MQRFH2 (using targetClient MQ URL option value 1). In other words, we want to send a plain vanilla MQ binary message (i.e. only the MQMD message descriptor followed by the payload).
<camel:setHeader headerName="JMSReplyTo"><camel:constant>TEST.REPLYTOQ</camel:constant></camel:setHeader>
<camel:setHeader headerName="CamelJmsDestinationName"> <camel:constant>queue://MYQMGR/TEST.Q2?targetClient=1</camel:constant></camel:setHeader>
More MQMD fields may be controlled through reserved JMS properties as illustrated below. See restrictions in IBM doc.
<camel:setHeader headerName="JMS_IBM_Format"><camel:constant>MQSTR </camel:constant></camel:setHeader>
<camel:setHeader headerName="JMSCorrelationID"><camel:constant>_PLACEHOLDER_24_CHARS_ID_</camel:constant></camel:setHeader>
The destination queue in the URI is overwritten by the CamelJmsDestinationName above, hence the queue name in the URI becomes a placeholder.
The URI option preserveMessageQos is the one that - as observed - allows sending a message with the ReplyTo data being set (to get the MQ CoD Report), yet prevents CAMEL from instantiating a Reply message listener by enforcing the InOnly MEP.
<camel:to uri="wmq:queue:PLACEHOLDER.Q.NAME?concurrentConsumers=1&amp;
exchangePattern=InOnly&amp;preserveMessageQos=true&amp;
includeSentJMSMessageID=true" />
</camel:route>
</camel:camelContext>
We are not finished: we still have to declare our queue factories for both a native JMS provider and Websphere MQ (via the native IBM WMQ JCA Resource Adapter), to be adjusted to your context.
We use here JNDI lookups on administrative objects.
<camel:endpoint id="innerQueue" uri="jmsloc:queue:transitQueue">
</camel:endpoint>
<jee:jndi-lookup id="mqQCFBean" jndi-name="jms/MYQMGR_QCF"/>
<jee:jndi-lookup id="jmsraQCFBean" jndi-name="jms/jmsra_QCF"/>
<bean id="jmsloc" class="org.apache.camel.component.jms.JmsComponent">
<property name="connectionFactory" ref="jmsraQCFBean" />
</bean>
<bean id="wmq" class="org.apache.camel.component.jms.JmsComponent">
<property name="connectionFactory" ref="mqQCFBean" />
</bean>
</beans>
An alternative to fetching the factories (and JCA adapters) from JNDI is to declare the JMS client as Spring beans. In Weblogic and Glassfish, you'll be better inspired by deploying the native IBM JCA resource adapter and creating JNDI resources then referenced in the Spring Context as above; in JBoss a direct MQ client bean declaration suits best, as below:
<bean id="mqCFBean" class="com.ibm.mq.jms.MQXAConnectionFactory">
<property name="hostName" value="${mqHost}"/>
<property name="port" value="${mqPort}"/>
<property name="queueManager" value="${mqQueueManager}"/>
<property name="channel" value="${mqChannel}"/>
<property name="transportType" value="1"/> <!-- This parameter is fixed and compulsory to work with pure MQI java libraries -->
<property name="appName" value="${connectionName}"/>
</bean>
<bean id="wmq" class="org.apache.camel.component.jms.JmsComponent">
<property name="connectionFactory" ref="mqCFBean"/>
<property name="transacted" value="true"/>
<property name="acknowledgementModeName" value="AUTO_ACKNOWLEDGE"/>
</bean>
Comments and improvements welcome.
A quick Google search revealed the following:
http://lowry-techie.blogspot.de/2010/11/camel-integration-with-websphere-mq.html
HTH