jon.austen
Posted: Mon Aug 03, 2020 9:45 am
Newbie
Joined: 03 Aug 2020 Posts: 9
I have put together an example project using JMeter to performance test IBM MQ9.
In GitHub, my project is at: djangofan/jmeter-ibm-mq9
So, in the example I am using JMeter with a Groovy script to connect to MQ. The non-SSL version of it works great.
BUT, I am having trouble creating an SSL cert in a way that I am able to match an MQ client, having the correct Cipher Spec in order to get it to work. Is it possible someone could help me create an "example cert+key" (with password 'changeit') that I can use, and tell me which cipher spec I can use with it?
In other words, I just need a "simple recipe", as an example, that I can get working in my example project. No matter what I tried, I cannot figure out which is the correct cipher spec to use after I create my cert. I even tried using the ikeyman tool. Is my problem because I am creating the cert with the openssl tool?
Is there an example hidden somewhere in these forums?
Help?
bruce2359
Posted: Mon Aug 03, 2020 10:10 am
Poobah
Joined: 05 Jan 2008 Posts: 9442 Location: US: west coast, almost. Otherwise, enroute.
Are you following some How-to step-by-step document? Have you searched for one?
_________________
I like deadlines. I like to wave as they pass by.
ב''ה
Lex Orandi, Lex Credendi, Lex Vivendi. As we Worship, So we Believe, So we Live.
hughson
Posted: Mon Aug 03, 2020 4:09 pm
Padawan
Joined: 09 May 2013 Posts: 1948 Location: Bay of Plenty, New Zealand
Could you show us one example of what you have tried and the error that you get.
_________________
Morag Hughson @MoragHughson
IBM MQ Technical Education Specialist
Get your IBM MQ training here!
MQGem Software
jon.austen
Posted: Wed Aug 12, 2020 4:41 pm
Newbie
Joined: 03 Aug 2020 Posts: 9
To answer your questions:
1. There are lots of examples of doing this with non-SSL, but that is not my question here.
2. If you check out my project file, the code is all correct, as long as I get the correct cert into place on the server side and the correct matching keystore on the client side. (Permalink: https://github.com/djangofan/jmeter-ibm-mq9/blob/28f018dfceeacf9cf3a8f6b4326f6a23431feeef/sslExample.jmx#L167-L248 )
--------------
1. All I need to get this working is simple instructions to create the server side key and cert and the client side Java keystore file.
2. I know how to configure Docker-IBM-MQ to use the cert, as you can see in the README file of my example project.
3. What I don't know, and is the hard part, is being able to create a cert that has a particular cipher-spec that would work with a client connection.
4. The code in my example works with MQ servers that exist at my employer BUT I just don't know the magic sauce of creating the certificate in the correct fashion to match a supported cipher-spec.
5. A link to such documentation would be awesome but I couldn't find anything.
6. When I am done with this example project, it might be the only such documentation that exists, if I manage to do this.
--------------
The ERROR that I get is just the typical error you get when SSL is not set up correctly.
Code:
javax.script.ScriptException: com.ibm.msg.client.jms.DetailedJMSException: JMSWMQ0018: Failed to connect to queue manager 'QM1' with connection mode 'Client' and host name 'localhost(1414)'.
Check the queue manager is started and if running in client mode, check there is a listener running. Please see the linked exception for more information.
javax.script.ScriptException: com.ibm.msg.client.jms.DetailedJMSException: JMSWMQ0018: Failed to connect to queue manager 'QM1' with connection mode 'Client' and host name 'localhost(1414)'.
Check the queue manager is started and if running in client mode, check there is a listener running. Please see the linked exception for more information.
Caused by: com.ibm.msg.client.jms.DetailedJMSException: JMSWMQ0018: Failed to connect to queue manager 'QM1' with connection mode 'Client' and host name 'localhost(1414)'.
Caused by: com.ibm.mq.MQException: JMSCMQ0001: IBM MQ call failed with compcode '2' ('MQCC_FAILED') reason '2397' ('MQRC_JSSE_ERROR')
Caused by: com.ibm.mq.jmqi.JmqiException: CC=2;RC=2397;AMQ9204: Connection to host 'localhost(1414)' rejected. [1=com.ibm.mq.jmqi.JmqiException[CC=2;RC=2397;AMQ9771: SSL handshake failed.
Last edited by jon.austen on Wed Aug 12, 2020 4:47 pm; edited 1 time in total
jon.austen
Posted: Wed Aug 12, 2020 6:15 pm
Newbie
Joined: 03 Aug 2020 Posts: 9
I managed to create a certificate and check it into the Git repository (above) and so you should be able to try it yourself although it would take a little bit of time to setup as described in the README .
The error I get now is:
2020-08-12 19:10:02,568 ERROR o.a.j.p.j.s.J.JMS Connection Setup: Error loading SSL context.
java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty
at java.security.cert.PKIXParameters.setTrustAnchors(PKIXParameters.java:200) ~[?:1.8.0_231]
at java.security.cert.PKIXParameters.<init>(PKIXParameters.java:157) ~[?:1.8.0_231]
at java.security.cert.PKIXBuilderParameters.<init>(PKIXBuilderParameters.java:130) ~[?:1.8.0_231]
I assume this error is because I must use a valid cert chain with a known certificate authority rather than a pure self-signed test certificate?
hughson
Posted: Wed Aug 12, 2020 9:32 pm
Padawan
Joined: 09 May 2013 Posts: 1948 Location: Bay of Plenty, New Zealand
Hi again,
Thank you for showing the error you get, could you also show the command you are using to generate the certificate and run the application. That would make it easier for us to answer on here than to trawl through a GitHub repository looking for the commands you are issuing.
To your specific questions - a certificate is not tied to one specific cipherspec, but it is tied to a class of cipherspecs as you can read here.
The trustanchor error is not about CA-signed vs self-signed but likely the attributes you are supplying on the command to launch your Java application - perhaps you could show us an example of that command and we could point out what was missing.
Cheers,
Morag
_________________
Morag Hughson @MoragHughson
IBM MQ Technical Education Specialist
Get your IBM MQ training here!
MQGem Software
fjb_saper
Posted: Thu Aug 13, 2020 4:19 am
Grand High Poobah
Joined: 18 Nov 2003 Posts: 20729 Location: LI,NY
jon.austen wrote:
    I managed to create a certificate and check it into the Git repository (above) and so you should be able to try it yourself although it would take a little bit of time to setup as described in the README .
    The error I get now is:
    2020-08-12 19:10:02,568 ERROR o.a.j.p.j.s.J.JMS Connection Setup: Error loading SSL context.
    java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty
    at java.security.cert.PKIXParameters.setTrustAnchors(PKIXParameters.java:200) ~[?:1.8.0_231]
    at java.security.cert.PKIXParameters.<init>(PKIXParameters.java:157) ~[?:1.8.0_231]
    at java.security.cert.PKIXBuilderParameters.<init>(PKIXBuilderParameters.java:130) ~[?:1.8.0_231]
    I assume this error is because I must use a valid cert chain with a known certificate authority rather than a pure self-signed test certificate?
The error is most probably because when using your self-signed cert you did not export the public certificate and add it to your trust store... assuming of course you did specify a key store and a trust store.
_________________
MQ & Broker admin
jon.austen
Posted: Thu Aug 13, 2020 8:02 am
Newbie
Joined: 03 Aug 2020 Posts: 9
The command I am using to execute is documented below, and in my README.md file.
Here is how I set up the cert. The keystore contains the cert, and therefore contains the public key and the private key that the MQ server was launched with.
Here is how I documented it:
Code:
##### What I did
Use the Java `Keytool Explorer` app. Here are the steps I used:
* Create a new `Server keypair` as `mq_client.jks` , 2048 bit RSA and 10 years long.
* Export the `certificate chain` as `tls.crt` in DER format.
* Export the PKCS#8 `private key` as `tls.key`
* Load those two files into the mykey folder shown in the Docker config above.
##### If you set up MQ to be SSL
Start JMeter like so, using the included `sslExample.jmx` project file:
./bin/jmeter -J"jmsPassword=passw0rd" -J"jksPassword=changeme"
When you start JMeter, the `mq_client.jks` must be in the same folder as the project file.
Also, I included a new screenshot in my README.md that provides more info without you needing to start up the project.
The work I am doing here can be shared forward with great value. I hope you can help. I'll try to use runmqakm to prove my CipherSpec is supported and paste that below.
jon.austen
Posted: Thu Aug 13, 2020 8:46 am
Newbie
Joined: 03 Aug 2020 Posts: 9
I suspect I should have created my cert with the runmqakm tool instead of "Java Keytool Explorer"? (ref: http://www.mqseries.net/phpBB2/viewtopic.php?t=77064 ) I am very experienced with certs but this IBM context is throwing me for a loop.
If you help me with this, I will fully document it.
Right now I am trying to locate the runmqakm tool, which I cannot find in my 8.x SDK. Maybe I need to download a 9.x SDK?
jon.austen
Posted: Thu Aug 13, 2020 12:40 pm
Newbie
Joined: 03 Aug 2020 Posts: 9
Ok, I am getting closer. Now it appears I need to create the Circular cert with the runmqakm tool. So, I need to find documentation for that. Any help would be great.
Code:
13:39 $ runmqakm -cert -details -db mq_client.jks -pw changeit -label self-signed
CTGSK3026W The key file "mq_client.jks" does not exist or cannot be read.
CTGSK2017W An invalid database file type was encountered.
fjb_saper
Posted: Fri Aug 14, 2020 5:43 am
Grand High Poobah
Joined: 18 Nov 2003 Posts: 20729 Location: LI,NY
jon.austen wrote:
    Ok, I am getting closer. Now it appears I need to create the Circular cert with the runmqakm tool. So, I need to find documentation for that. Any help would be great.
    Code:
    13:39 $ runmqakm -cert -details -db mq_client.jks -pw changeit -label self-signed
    CTGSK3026W The key file "mq_client.jks" does not exist or cannot be read.
    CTGSK2017W An invalid database file type was encountered.
For a jks file you need to use runmqckm.
For the keystore for the qmgr (.kdb) use runmqakm.
You can also create the client as .kdb with runmqakm and then convert it all into a jks using runmqckm...
_________________
MQ & Broker admin
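Worked example, added here as editor's material and not code from the thread or from the djangofan/jmeter-ibm-mq9 project. It ties together three points made above: Morag's note that a certificate is tied to a class of CipherSpecs rather than to one of them, fjb_saper's diagnosis that the "trustAnchors parameter must be non-empty" error comes from a client store with no trusted certificate in it (a JKS holding only the exported server key pair gives the JSSE trust manager nothing to anchor on), and the runmqckm/runmqakm split for .jks versus .kdb files. The script generates a self-signed key pair for the queue manager with openssl in the tls.key/tls.crt layout the README's mykey directory uses, imports the public certificate into the client JKS as a trusted entry with plain keytool (so it runs without an MQ installation; the equivalent runmqckm import is shown in a comment), and reads the certificate's key algorithm to print the MQ CipherSpecs that certificate can serve together with the JSSE suite names the Java client needs. Assumed: openssl and a JDK keytool on PATH, the names QM1, mq_client.jks and the password changeit from the thread, and the /etc/mqm/pki/keys/mykey mount described in the README.

```shell
#!/bin/sh
# Added example, not from the thread or the jmeter-ibm-mq9 project.
# Builds the pieces the thread is missing:
#   1. a self-signed key pair for queue manager QM1 as tls.key / tls.crt
#      (the layout the README's /etc/mqm/pki/keys/mykey mount expects),
#   2. the client JKS with that certificate as a *trusted* entry, which is
#      what the "trustAnchors parameter must be non-empty" error asks for,
#   3. the class of MQ CipherSpecs the certificate's key type can serve.
# Assumptions: openssl and a JDK keytool are on PATH; the names QM1,
# mq_client.jks and the password 'changeit' follow the thread.
set -eu

# 1. Self-signed certificate for the queue manager. PEM in, PEM out, so the
#    files drop straight into the container's mykey directory.
make_qmgr_cert() {
    dir=$1; cn=$2; keytype=${3:-rsa}
    mkdir -p "$dir"
    if [ "$keytype" = ec ]; then
        openssl ecparam -name prime256v1 -genkey -noout -out "$dir/tls.key"
    else
        openssl genrsa -out "$dir/tls.key" 2048 2>/dev/null
    fi
    openssl req -new -x509 -sha256 -days 365 -subj "/CN=$cn" \
        -key "$dir/tls.key" -out "$dir/tls.crt"
}

# 2. Put the queue manager's public certificate into the client JKS as a
#    trustedCertEntry. A JKS that holds only the PrivateKeyEntry exported
#    from a "server key pair" has no trust anchors, hence the PKIX error.
trust_qmgr_cert() {
    jks=$1; storepass=$2; crt=$3; alias=${4:-qm1}
    keytool -importcert -noprompt -storetype JKS \
        -keystore "$jks" -storepass "$storepass" \
        -alias "$alias" -file "$crt" >/dev/null 2>&1
}
# Same import with the MQ tool, after '. /opt/mqm/bin/setmqenv -s' (not run here):
#   runmqckm -cert -add -db mq_client.jks -pw changeit -label qm1 \
#            -file mykey/tls.crt -format ascii

# Number of trusted entries in a JKS; check this before starting JMeter.
trusted_entries() {
    keytool -list -keystore "$1" -storepass "$2" 2>/dev/null \
        | grep -c trustedCertEntry || true
}

# 3. Map the certificate's key algorithm to the CipherSpecs it can serve.
#    Columns: MQ CipherSpec (SSLCIPH on the SVRCONN channel) and the JSSE
#    suite name a non-IBM JRE uses on the client side.
cipherspecs_for_cert() {
    alg=$(openssl x509 -in "$1" -noout -text \
          | sed -n 's/.*Public Key Algorithm: //p' | head -n 1)
    case "$alg" in
        rsaEncryption) printf '%s\n' \
            'TLS_RSA_WITH_AES_128_CBC_SHA256 TLS_RSA_WITH_AES_128_CBC_SHA256' \
            'TLS_RSA_WITH_AES_256_GCM_SHA384 TLS_RSA_WITH_AES_256_GCM_SHA384' \
            'ECDHE_RSA_AES_128_CBC_SHA256 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256' \
            'ECDHE_RSA_AES_256_GCM_SHA384 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384' ;;
        id-ecPublicKey) printf '%s\n' \
            'ECDHE_ECDSA_AES_128_CBC_SHA256 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256' \
            'ECDHE_ECDSA_AES_256_GCM_SHA384 TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384' ;;
        *) echo "no CipherSpec class known for key algorithm '$alg'" >&2; return 1 ;;
    esac
}

# Demo: sh this_script.sh demo  ->  ./mykey/tls.{key,crt} and ./mq_client.jks
demo() {
    make_qmgr_cert ./mykey QM1 rsa
    rm -f mq_client.jks
    trust_qmgr_cert mq_client.jks changeit ./mykey/tls.crt qm1
    echo "trusted entries in mq_client.jks: $(trusted_entries mq_client.jks changeit)"
    echo "CipherSpecs this certificate can serve (MQ name, JSSE name):"
    cipherspecs_for_cert ./mykey/tls.crt
}
if [ "${1:-}" = demo ]; then demo; fi
```

Set the channel's SSLCIPH to a name from the first column and give the JMeter/Java side the matching name from the second column; on a non-IBM JRE the MQ JMS classes also need the system property com.ibm.mq.cfg.useIBMCipherMappings=false to accept the TLS_ form. An RSA certificate can serve the RSA and ECDHE_RSA specs but never an ECDHE_ECDSA one, which is the "class of cipherspecs" point. A trust-only mq_client.jks is enough while the SVRCONN channel has SSLCAUTH(OPTIONAL); with SSLCAUTH(REQUIRED) the client JKS also needs its own key pair and the queue manager's key repository must trust that certificate.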
jon.austen
Posted: Fri Aug 14, 2020 9:09 am
Newbie
Joined: 03 Aug 2020 Posts: 9
Ok, I will look for that information and get back to you after I try again. I do need it in .jks format since I am using Java on the client side. Also, I need it to be self-signed so I can enable SSL on my local Docker container. I hope I don't run into an issue with it being self-signed. Do you think I would?
I did manage to locate the command line tool runmqakm on my system. I am on a Mac, and I put it at /var/mqm
fjb_saper
Posted: Sat Aug 15, 2020 11:44 am
Grand High Poobah
Joined: 18 Nov 2003 Posts: 20729 Location: LI,NY
jon.austen wrote:
    Ok, I will look for that information and get back to you after I try again. I do need it in .jks format since I am using Java on the client side. Also, I need it to be self-signed so I can enable SSL on my local Docker container. I hope I don't run into an issue with it being self-signed. Do you think I would?
    I did manage to locate the command line tool runmqakm on my system. I am on a Mac, and I put it at /var/mqm
It is supposed to be at /opt/mqm/bin[64]
If you did not set a preferred installation, you'd need to source the setmqenv file in each session before executing any commands:
Code:
. /opt/mqm/bin/setmqenv -s
_________________
MQ & Broker admin