RoboMQ SSL Issue - ssl

I'm using RoboMQ to build a MQ to MQ service over SSL. I've got a keystore (key.jks) and I'm setting the following system properties to configure the SSL:
javax.net.ssl.keyStore
javax.net.ssl.trustStrore
javax.net.ssl.keyStorePassword
However, our email server requires SSL and setting up SSL in this way in RoboMQ stops it from working - I guess because it overrides the default cacerts which has the certificates in that the email client needs.
How can I get these 2 things to play nicely together?

You are correct - setting the above system properties will override cacerts JVM
wide. You need to use a custom socket factory for the SSL MQ connections
The RoboMQ SDK provides support for this via:
com.am.robomq.sdk.camelSpring.RoboSSLSocketFactory
But the easiest way to build your Camel MQ endpoints is to use the MQ Connection Wizard:
http://www.robomq.com/product_manual/index.html#serviceBuilderPanel
It basically lets you to pick a connection factory from your connection palette
and then generates the Spring definitions needed by Camel.

Related

How to specify a local custom SSL truststore for Hornetq client when connecting via JNDI naming server

We have a java client (mule app) which is using hornetq client (v2.3.25.SP20) for connecting to the HornetQ remote server via the JNDI naming server (port 1099).
The connection is secured with SSL. The driver is requiring the javax.net.ssl.trustStore property to be set explicitly. Otherwise, it does not find the trust store.
We would like to specify a custom truststore for the session.
But setting a global property javax.net.ssl.trustStore may affect other applications. So, we are looking for the alternative.
I've coded a custom trust manager (X509TrustManager) which points to the custom truststore. But the issue is that it's used only for establishing connectivity with the JNDI server. Then, the actual connection object is taking the trust store location from the remote server (in case, of course, if javax.net.ssl.trustStore is not set).
The error HQ212007 is produced:
connector.create or connectorFactory.createConnector should never
throw an exception, implementation is badly behaved, but we will deal
with it anyway.
Unable to create NettyConnector for myserver:4447
Failed to find a store at remote server keystore location
Googling the error code, I've found very similar issue described with not solution provided here.
So, is there another way of specifying a path to a truststore for hornetq client when connectivng via JNDI, so, that it would not affect other applications running on the same VM system? Or, may be there is a way to disable the SSL certificate validation on the client side completely - this would work for us as well?
There are HornetQ-specific system properties to set SSL configuration parameters. Check out the documentation for HornetQ 2.4.0.
These properties were added after 2.3.0.Final but backported to the 2.3.x branch which is why they're available in 2.3.25.SP20 but aren't documented in the 2.3.0.Final docs.
In short, you can use these system properties instead of the global ones:
org.hornetq.ssl.keyStore
org.hornetq.ssl.keyStorePassword
org.hornetq.ssl.trustStore
org.hornetq.ssl.trustStorePassword

Connecting to a Remote Queue Manager from an AIX Machine using SSL

I am trying to connect to a remote QM using SSL from an AIX Machine.
I have setup my QM and Channel to allow SSL connections.
I have created a KeyStore on the Server (Machine containing the above QM + Channel) and have exported its self signed certificate and imported the certificate from the Client.
I have used GSK on the AIX machine to create an Keystore in which both Self Signed and Signer of the Server are present.
Client Code is as below when trying to connect to the QM. This code does work on Windows however does not work on AIX which leads me to believe this is a certificate issue which i have done wrong and not a code issue.
the CipherSpec is - TLS_RSA_WITH_AES_256_CBC_SHA256
and the keystore location is correct.
m_QChannel.setChannelName(m_strChannelName);
m_QChannel.setConnectionName(m_pParent->GetName());
m_QChannel.setTransportType( MQXPT_TCP );
if (!m_strCipherSpec.IsEmpty())
{
m_QChannel.setSslCipherSpecification(m_strCipherSpec);
if (!m_strKeyStore.IsEmpty())
{
m_QMgr.setKeyRepository(m_strKeyStore);
}
else
{
CString strKeyStore = getenv("MQSSLKEYR");
m_QMgr.setKeyRepository(strKeyStore);
}
}
//Set the queue manager options
m_QMgr.setName(m_strName);
m_QMgr.setChannelReference(&m_QChannel);
if (!m_QMgr.connect())
{
m_iLastError =m_QMgr.reasonCode( ) ;
return false;
}
However when i try to run my application to connect i get a MQRC 2393 Error returned, When checking the Error logs it complains about the Certificates.
I have tried Restarting the QM, Restarting the Channel, Refreshing the SSL but all with no luck. What have i missed ?
Any help appreciated.
The current label of the client cert you have is ibmwebspherebldaix02.
For a MQI client app the default cert label that MQ will look for is the string ibmwebspheremq followed by the name of the user that the application is running as all in lowercase.
In this case it does not meet the first part of the default's requirement since it starts out as ibmwebsphere and is missing the mq and is then followed by bldaix02.
You have a few options:
If the user is bldaix02 then you can rename the cert in the keystore to ibmwebspheremqbldaix02. If that is not the username then rename the cert to ibmwebspheremq<username> all in lowercase. This option should work with all version of the IBM MQ product.
If you are using IBM MQ v7.0 - 7.5 (these are all out of support), you could tell MQ to use the Default cert by setting the environment variable AMQ_SSL_ALLOW_DEFAULT_CERT to any value before starting the application or if doing it within the program, do it before calling connect. Note this feature was removed in the initial versions of IBM MQ v8.0 and v9.0 but was later added back at 8.0.0.7 and 9.0.0.1 and later.
If you are using IBM MQ v8.0 or later (you should be since these are the only currently supported versions) you can tell MQ to look for a different label. You can do this in four ways:
If using a CCDT set the CERTLABL attribute of the CLNTCONN channel.
Programmatically set the CertificateLabel attribute in the MQSCO
Set the environment variable MQCERTLABL before starting the application or if doing it within the program, do it before calling connect.
Using the CertificateLabel attribute of the SSL: stanza in the mqclient.ini.Note: there are various ways MQ will find the mqclient.ini and these are detailed in both the IBM MQ Knowledge center and various answers here on StackOverflow.
You can find more information in the following links:
Technote: Specifying the userid in the SSL certificate label for an MQ client
IBM MQ 8.0.0 Knowledge Center > IBM MQ > Security > Security overview > IBM MQ security mechanisms > Security protocols in IBM MQ> The SSL or TLS key repository > Digital certificate labels, understanding the requirements

Is Weblogic Node Manager SSL setup required while implementiing SSL for Application

In Weblogic, I have more than one Machines created using Node Manager. We have been told to setup SSL implementation for our Application which is deployed across created machines in a single Weblogic Admin Console.
So for the Application we had configured certificate using .jks file and configured SSL listen port by enabling it.
However we have been told to secure Node Manager machines in which application are deployed across as well. While enabling Node Manager type to SSL instead of Plain I am getting SSLException. By the fact we no need to secure Machines which were created using Node Manager, only securing Application is sufficient. Is am I right. Else is it required to Secure Machines -> Node Manager as well.
When I am turning SSL in Machines -> Node Manager, what are the things I have to consider to avoid SSLException. Is the Weblogic restart required If configure this or so. For now I do not have UNIX access, hence I couldn't do that at this moment.
Please advise on this situation. Without securing Machines -> Node Manager I am able run the application. But not able to access it using https. Only http for the Application is working.
Please advise on the situation.
SSL for node manager is optional as there's no application related sensitive data that flows in this layer.
You mention even after configuring jks you can't get the server and hence the application listening on https. Could you elaborate what steps did you follow. Note this has nothing to do with node manager

NxLogs to Fluentd/SSL?

I have a bunch of linux servers configured to push logs to another fluentd server using the fluent-secure-output plugin. Now I'd like to configure our windows servers using nxlogs.
I read a bit on the om_ssl nxlogs module, but I am puzzled about the shared key. Basically, fluentd's secure-output plugin requires a shared key to be identical everywhere for authentication (this is not tied to the certificates at all). But I can't see how I could specify this key in nxlog's om_ssl configuration.
Is this even supported at all? Is it possible to use nxlogs to forward to an ssl fluentd server?
It looks like they have their own authentication protocol over TLS that uses shared_keys (i.e. passphrase) on the client side instead of using private keys. I don't know why that is needed but NXLog and most other log aggregator solutions (rsyslog, syslog-ng, logstash, etc) use plain TLS which can provide proper authentication for both the client and the server.
The protocol is described in their GitHub README and I doubt it will work with NXLog's om_ssl or anything else other than Fluentd's out_secure_forward.
The Fluentd input/output plugin to forward fluentd messages over SSL with authentication, works only between the two plugin (which is actually the same one) using authentication by shared_key check from both of client(out_secure_forward) and server(in_secure_forward).
So unfortunately you can't sent it through your nxlog only through out_secure_forward.

Spring Boot calling HTTPS endpoint

I've created a Spring Boot application that I'm running as a poor man's daemon to call another Java service on another tomcat instance. I'm getting an SSL error when connecting to the other Java service but if I hit the other service with something like SoapUi(or Postman) using the same URL and headers I get an OK response. So something must be wrong with my Spring Boot configuration.
I'm using the same JKS for Spring Boot and SoapUI. I've tried using the cert in the application.properties as well as specifying it on the command line using -Djavax.net.ssl.keyStore as well as the related password parameter.
When I run the other service locally without SSL I can connect just fine via my Spring Boot application.
The SSL error I'm getting is: sun.security.validator.ValidatorException: Netscape cert type does not permit use for SSL server
Best I can think is that SoapUI(or Postman) identify's itself as a client application and my Spring Boot identifies itself as a server? So I think I'm asking how can I make Spring Boot identify itself as a client but I'm still not sure I understand the SSL error to begin with.
You have a multitude of problems. First off, soapui doesn't do verification of the server SSL certificate when it connects, java by default does not. You can however configure java client to also ignore server cert verification.
How to ignore depends on what client you use, apache httpclient is the most common one and you can find details on that in this thread.
Now, you should not really do that. Instead, you should have a trust store that contains the certificates that would validate the server cert. In that case you would be interested in truststore configuration, not a keystore - keystore is for other way around, when you're identifying yourself to some other party. You'd need to import the root CA and intermediate certificates to your trust store, then point to that in your configuration.