I am trying to connect to a remote QM using SSL from an AIX Machine.
I have setup my QM and Channel to allow SSL connections.
I have created a KeyStore on the Server (Machine containing the above QM + Channel) and have exported its self signed certificate and imported the certificate from the Client.
I have used GSK on the AIX machine to create an Keystore in which both Self Signed and Signer of the Server are present.
Client Code is as below when trying to connect to the QM. This code does work on Windows however does not work on AIX which leads me to believe this is a certificate issue which i have done wrong and not a code issue.
the CipherSpec is - TLS_RSA_WITH_AES_256_CBC_SHA256
and the keystore location is correct.
m_QChannel.setChannelName(m_strChannelName);
m_QChannel.setConnectionName(m_pParent->GetName());
m_QChannel.setTransportType( MQXPT_TCP );
if (!m_strCipherSpec.IsEmpty())
{
m_QChannel.setSslCipherSpecification(m_strCipherSpec);
if (!m_strKeyStore.IsEmpty())
{
m_QMgr.setKeyRepository(m_strKeyStore);
}
else
{
CString strKeyStore = getenv("MQSSLKEYR");
m_QMgr.setKeyRepository(strKeyStore);
}
}
//Set the queue manager options
m_QMgr.setName(m_strName);
m_QMgr.setChannelReference(&m_QChannel);
if (!m_QMgr.connect())
{
m_iLastError =m_QMgr.reasonCode( ) ;
return false;
}
However when i try to run my application to connect i get a MQRC 2393 Error returned, When checking the Error logs it complains about the Certificates.
I have tried Restarting the QM, Restarting the Channel, Refreshing the SSL but all with no luck. What have i missed ?
Any help appreciated.
The current label of the client cert you have is ibmwebspherebldaix02.
For a MQI client app the default cert label that MQ will look for is the string ibmwebspheremq followed by the name of the user that the application is running as all in lowercase.
In this case it does not meet the first part of the default's requirement since it starts out as ibmwebsphere and is missing the mq and is then followed by bldaix02.
You have a few options:
If the user is bldaix02 then you can rename the cert in the keystore to ibmwebspheremqbldaix02. If that is not the username then rename the cert to ibmwebspheremq<username> all in lowercase. This option should work with all version of the IBM MQ product.
If you are using IBM MQ v7.0 - 7.5 (these are all out of support), you could tell MQ to use the Default cert by setting the environment variable AMQ_SSL_ALLOW_DEFAULT_CERT to any value before starting the application or if doing it within the program, do it before calling connect. Note this feature was removed in the initial versions of IBM MQ v8.0 and v9.0 but was later added back at 8.0.0.7 and 9.0.0.1 and later.
If you are using IBM MQ v8.0 or later (you should be since these are the only currently supported versions) you can tell MQ to look for a different label. You can do this in four ways:
If using a CCDT set the CERTLABL attribute of the CLNTCONN channel.
Programmatically set the CertificateLabel attribute in the MQSCO
Set the environment variable MQCERTLABL before starting the application or if doing it within the program, do it before calling connect.
Using the CertificateLabel attribute of the SSL: stanza in the mqclient.ini.Note: there are various ways MQ will find the mqclient.ini and these are detailed in both the IBM MQ Knowledge center and various answers here on StackOverflow.
You can find more information in the following links:
Technote: Specifying the userid in the SSL certificate label for an MQ client
IBM MQ 8.0.0 Knowledge Center > IBM MQ > Security > Security overview > IBM MQ security mechanisms > Security protocols in IBM MQ> The SSL or TLS key repository > Digital certificate labels, understanding the requirements
Related
After successfully connecting to IBM MQ 9.1 with the IBM MQ Client with SSL, we're trying to setup the same configuration, but this time, with the Microsoft MQ Client binding.
So this should be straight forward, once HIS 2016 is configured (CU2 is installed). But not in my case.
The following error was thrown on the BizTalk Server 2016 (CU6 installed) with event source 'HIS Microsoft Client for MQ':
Connecting to a Queue Manager failed: Could not Connect the Queue Manager 'test': Could not connect to the target Host/Port, SSL handshake failed.
The following error was thrown on the IBM MQ Server machine:
Internal error on call to SSL function on channel '????' to host '<ip address>'.
An error indicating a software problem was returned from a function which is used to provide SSL or TLS support.
The error code returned was '447'. The function call was 'gsk_secure_soc_init'. &P The channel is '????'; in some cases its name cannot be determined and so is shown as '????'.
The channel did not start. &P The remote host name is '<ip address>'.
So it's throwing a 447 error, which IBM explains as follows:
The TLS server or client encountered a communicating partner that does not support a TLS extension that is defined as required.
Ensure that the TLS extension data is correctly defined, and that both the TLS server and client support the required extension.
If the problem persists collect a System SSL trace and contact your service representative.
The MQSC Transport properties on the BizTalk receive location looks something like this:
Use Microsoft MQ Client : Yes
SSL Cipher Specification: TLS_RSA_WITH_AES_256_CBC_SHA
SSL Key Repository Location: D:\Somepathtocert
Transport Type: TCP
SSL Peer name is kept empty.
User Id is kept empty.
I did not change anything to the bindings except the 'Use Microsoft MQ Client' part of course. This is a working setup when used with the IBM MQ Client with SSL. So I'm wondering why all of the sudden it will not work with the Microsoft MQ Client.
SSL Cipher Specification is not considered in the MSFT MQ client,
while the IBM MQ client use the configured cipher.
The MS MQ client only use default Windows cipher (first choice in the adapter list), so you have to set the same cipher in the MQ channel that you use.
so depends on the default Cipher in Windows, your IBM should be configured.
Thanks for my colleague Niklas Engfelt for testing this.
I am hoping someone can help me out with a frustrating configuration problem I'm having with IBM FileNet Content Manager 5.2.1 (aka P8 5.2.1).
We have an existing system setup that uses Microsoft Active Directory as our LDAP directory service for P8 and that has worked fine to date. That said, we are now wanting our .NET apps to talk to P8 (via the Content Platform Engine .NET API) using WCF instead of legacy (and now deprecated) WSE but we have run into a problem. WCF requires that all communication occur over SSL - on the surface, not a problem. If you want to talk to the IBM Content Platform Engine (CPE) over SSL however, according to IBM's documentation, you must also change the underlying default LDAP connection from unsecured to SSL as well (in the process, changing LDAP to use port 636 instead of 389).
Following both Microsoft's and IBM's docs, I first enabled LDAP over SSL on Active Directory and tested accordingly. Using Microsoft's LDAP utility, ldp.exe, I can successfully connect and bind to Active Directory on port 636 over SSL.
The next step however is where I hit a wall - Enabling SSL for Content Platform Engine. I followed all the steps involving adding the Active Directory Server's CA certificate to the CPE's application server keystore - no problem. The next step in the configuration instructions however asks you to start the Administration Console for CPE (ACCE) and reconfigure the directory configuration properties - telling it to use SSL on port 636 and... KABOOM! When I attempt to save the configuration, the save fails, stating
An unexpected exception occurred. Message was: Failed connecting to ldap://ad1.domain.com:636
Unfortunately, I can't find any additional info as to why it failed to connect - I assumed it was due to something minor, such as a port conflict. To test that theory, I installed Microsoft's LDAP test utility on the CPE server and attempted to connect to the Active Directory Server over SSL on port 636. Much to my surprise, that worked just fine - grrrr...
I am now at something of a loss as to what to look at next. Anybody out there with experience configuring CPE to use SSL in an Active Directory environment?
Thanks in advance for any-and-all assistance.
WCF requires that all communication occur over SSL - on the surface, not a problem. If you want to talk to the IBM Content Platform Engine (CPE) over SSL however, according to IBM's documentation, you must also change the underlying default LDAP connection from unsecured to SSL as well
This is not true. FileNet can work with non-secure LDAP, while at the same time working with WCF.
Now, if you would like to solve why FileNet will not connect to a secure LDAP, then you should start with your WebSphere
Check WebSphere's Keystores to ensure that the AD's key is contained. Follow #M.Tamboli's advice and restart WebSphere.
Also make sure that you check WebSphere's SystemOut.log logs, as you may find more info in there.
I'm not sure if it is necessary, but you may also want to add/change the LDAP config that is setup within WebSphere itself.
I'm using RoboMQ to build a MQ to MQ service over SSL. I've got a keystore (key.jks) and I'm setting the following system properties to configure the SSL:
javax.net.ssl.keyStore
javax.net.ssl.trustStrore
javax.net.ssl.keyStorePassword
However, our email server requires SSL and setting up SSL in this way in RoboMQ stops it from working - I guess because it overrides the default cacerts which has the certificates in that the email client needs.
How can I get these 2 things to play nicely together?
You are correct - setting the above system properties will override cacerts JVM
wide. You need to use a custom socket factory for the SSL MQ connections
The RoboMQ SDK provides support for this via:
com.am.robomq.sdk.camelSpring.RoboSSLSocketFactory
But the easiest way to build your Camel MQ endpoints is to use the MQ Connection Wizard:
http://www.robomq.com/product_manual/index.html#serviceBuilderPanel
It basically lets you to pick a connection factory from your connection palette
and then generates the Spring definitions needed by Camel.
I have the following implementation in testing environment,
Front-end Server [IBM HTTP Server + IBM Websphere plugin],
WLServer1 [IBM Worklight 6.2 + IBM DB2 10.1+ Liberty Farm 8.5.5.1] and
WLServer2 [IBM Worklight 6.2 + IBM DB2 10.1+ Liberty Farm 8.5.5.1].
plugin-cfg.xml has been generated from each Worklight server and merged.
The request[http] from multiple devices has been directed to worklight server's alternatively, once the merged plugin-cfg.xml has been deployed in Front-end server's IBM Websphere plugin.
How I can implement the same to serve HTTPS request.
And also I have implemented the "UserCertificateAuthenticationProject" from the Worklight modules which connects the device[HTTPS] to Worklight server directly.
Note Tested it on Android only.
Help me to understand, How I can achieve HTTPS in Test environment via IHS.
What should be the procedure in Production environment?
Note IBM Worklight 6.2 supports Android, IOS, Blackberry & Windows, so I have to implement in all platforms.
It sounds like the problem you are having is similar to this one: https://stackoverflow.com/a/21914147/2245921 The Unresponsive Host error occurs for one of two reasons:
Your device cannot reach your server (they are not in the same network)
The device does not trust the server's certificate
Since you can connect to your HTTP connection, it is not #1, so it should be #2. The answer to the other question I pointed to above should fix your problem. Make sure to turn on trace-level logs in the WL Logger so that you can see the exceptions regarding untrusted certificates.
Edit: To expand on this answer; to use HTTPS, your server needs an SSL certificate to identify itself, otherwise the device has no proof that it is connecting to the right server and not to some random server that could be malicious. You should already have a certificate that you are using in your server; if you don't, then read on.
You usually get an SSL certificate from one of two places: you either use a certificate issued to you by a trusted Certificate Authority (e.g., Verisign), or you create one for internal testing purposes. In your case, you probably want to create your own, so you should follow the "Client X.509 Certificate Authentication and User Enrollment" getting started here, specifically the parts that talk about generating the server certificate.
Once you have that certificate set up, you should configure your server to use it; for that, follow the instructions here. After doing this, the last step is to have your device trust your server's certificate. For this, follow the last part in the getting started above, which shows you how to make your iOS/Android device trust the server. You would have to look up how to do this on Windows and Blackberry, too.
After this, you should now be able to connect successfully via HTTPS. (Always make sure that when you get an "Unresponsive host" error, that you can still connect to the HTTP console via the browser, to make sure that you are connected to the same network as your server. I know you already did this as you specified in your question, I'm just mentioning it as a reminder since it is easy to forget this.)
I am trying to write a java application connecting to server connection channel with SSL enabled.
So far, I have been successfully connected to the channel by setting authentication to 'optional'. However, when I set it to be 'required', the connection fails.
Here is what I did:
Create key db for queue manager and keystore for the java client user.
Create key/self-signed certificates for the queue manager and the client user, with names prefixed ibmwebspheremq.
Export, exchange and import certificates for the queue manager and the client. (I did answered 'yes' when being asked whether I trust the queue manager cert).
The location and password to the truststore and keystore are set to point to the same keystore at the client side, where the orgininal created client user key and the imported queue manager key are.
With other settings being the same, if I switch back to 'optional' authentication, the connection works.
I think there is something I understand incorrectly about this ssl authenticaion but cannot figure out what.
Could someone kindly help me?
I beat my head against that wall for a couple of weeks. IBM L2 Support eventually clued me in. My issue here was that keytool will use DSA algorithm unless you specify RSA. This results in keys of length 1022 instead of 1024, which WMQ doesn't like. The fix was to specify -sigalg RSA when generating the certificate and everything works.
I've asked the IBM WMQ team and WMQ FTE team to add this to their Infocenter documentation.