IIB9 error sending soap request with SSL |
tez_i |
Posted: Tue Sep 03, 2013 7:09 am Post subject: IIB9 error sending soap request with SSL |
|
|
Novice
Joined: 03 Apr 2008 Posts: 12
|
Hi, I am new (obviously) to IIB9, but not to WMB in general. I am struggling to get a test connection to an external webservice working. This is what I have done:
1) copied the external company supplied cacerts.db.jks to c:\Temp
2) created an execution group specifically for interaction with this external WS
3) set the following configurable service properties for that execution group:
keystoreType='JKS'
keystoreFile='C:\Temp\cacerts.db.jks'
keystorePass='********'
truststoreType='JKS'
truststoreFile='C:\Temp\cacerts.db.jks'
truststorePass='********'
(It's only a test system, so I am deliberately using plaintext passwords for simplicity)
And:
httpNodesUseEmbeddedListener='false'
soapNodesUseEmbeddedListener='true'
4) deployed a message flow to the above execution group containing a SOAPRequest node, with the relevant WSDL properties set up. HTTP Transport properties as follows:
Web service URL: https://test.com/test (obviously anonymised!)
Protocol: TLS
- Have I missed something here?
When I attempt the connection, I get the following exception:
Text:CHARACTER:java.security.KeyStoreException: IBMKeyManager: Problem accessing key store java.security.PrivilegedActionException: java.io.FileNotFoundException: C:\Temp\cacerts.db.jks (Access is denied.)
Obviously, access denied is the problem - I know.
So, I've checked - the file does exist, the file can be opened by ikeyman and the certificate is readable using the password supplied. The DataFlowEngine user has requisite filesystem permissions for the cert file.
Note: I've also checked the same message flow works to a dummy service, without SSL enabled. It also gets the expected authentication error when switched to the real connection, but without the keystore configured. And using SOAPUI, I can also get to the webservice, using the supplied jks file.
I am thinking this is a Java security problem in accessing the keystore - but if that is the case the answer is beyond me.
Help would be appreciated. |
|
lancelotlinc |
Posted: Tue Sep 03, 2013 7:25 am Post subject: |
|
|
Jedi Knight
Joined: 22 Mar 2010 Posts: 4941 Location: Bloomington, IL USA
|
|
tez_i |
Posted: Tue Sep 03, 2013 7:54 am Post subject: |
|
|
Novice
Joined: 03 Apr 2008 Posts: 12
|
ok - yes I know the difference between keystore and truststore, and in fact we don't have a truststore, because it is just being used for client (i.e., my message flow) authentication with a 3rd party.
It doesn't work if I remove the trust store either - and the exception message is talking about "access is denied" to the keystore.
I cannot create my own keystore, as the certificate is being supplied by an external third party....
....well, ok, I could export it. Create my own keystore, and then import it into the new keystore. Would this really make a difference? Do you think I should do this? |
|
mqjeff |
Posted: Tue Sep 03, 2013 8:06 am Post subject: Re: IIB9 error sending soap request with SSL |
|
|
Grand Master
Joined: 25 Jun 2008 Posts: 17447
|
tez_i wrote: |
The DataFlowEngine user has requisite filesystem permissions for the cert file. |
It really sounds like it doesn't.
Maybe it doesn't have access to the directory holding the cert file.
Maybe the mqsisetdbparms command didn't give the right password... |
|
tez_i |
Posted: Wed Sep 04, 2013 5:18 am Post subject: |
|
|
Novice
Joined: 03 Apr 2008 Posts: 12
|
Hi mqjeff/lancelotlinc
I created my own keystore in c:\temp
I exported the 3rd party certificate from the supplied keystore, and imported it into my own.
- I got "the keystore appears to have been tampered with" exception
(great I think - at least that's progress)
I reset the keystore passwords again (to the same as they were before)
- I have success!
(well it's an HTTP 500 error.....but, as far as a connection goes it's success)
I still have no idea why this works, or what the difference between the 3rd party supplied jks and my homemade jks is. I can only assume some kind of file permission problem, but I cannot see any difference in the file permissions. I am not a sys admin, but I think I have a pretty good level of understanding.
Thanks for the pointers.
If anyone has any insight into why this has made a difference I would appreciate expanding my knowledge. |
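Added example, not part of the thread or any poster's code: the two failures reported above come from different layers, the operating system refusing the read ("Access is denied") versus the JKS integrity check failing (which Java reports as "Keystore was tampered with, or password was incorrect"). This Python sketch tells them apart for a JKS file; `diagnose`, `make_empty_jks`, the result strings and the sample password are illustrative names and constructed data.

```python
import hashlib
import os
import struct
import tempfile

JKS_MAGIC, JCEKS_MAGIC = 0xFEEDFEED, 0xCECECECE
SALT = b"Mighty Aphrodite"  # fixed string mixed into the JKS integrity digest

def jks_digest(body: bytes, password: str) -> bytes:
    # JKS integrity value: SHA-1(password as UTF-16BE || salt || store body)
    return hashlib.sha1(password.encode("utf-16-be") + SALT + body).digest()

def diagnose(path: str, password: str) -> str:
    # Classify why a keystore load would fail, checking the OS layer first.
    try:
        with open(path, "rb") as fh:
            data = fh.read()
    except FileNotFoundError:
        return "missing"
    except PermissionError:
        # Java surfaces this case as FileNotFoundException "(Access is denied.)"
        return "access-denied"
    if len(data) < 32:
        return "not-a-keystore"
    magic = struct.unpack(">I", data[:4])[0]
    if magic == JCEKS_MAGIC:
        return "jceks-not-jks"
    if data[0] == 0x30:  # DER SEQUENCE tag: the file is PKCS#12
        return "pkcs12-not-jks"
    if magic != JKS_MAGIC:
        return "not-a-keystore"
    if jks_digest(data[:-20], password) != data[-20:]:
        # Java: "Keystore was tampered with, or password was incorrect"
        return "bad-password-or-modified"
    return "ok"

def make_empty_jks(password: str) -> bytes:
    # Constructed sample: magic, version 2, zero entries, then the digest.
    body = struct.pack(">III", JKS_MAGIC, 2, 0)
    return body + jks_digest(body, password)

def demo() -> dict:
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "sample.jks")
        with open(path, "wb") as fh:
            fh.write(make_empty_jks("changeit"))
        return {"good": diagnose(path, "changeit"),
                "wrong_pw": diagnose(path, "other"),
                "absent": diagnose(os.path.join(d, "nope.jks"), "changeit")}
```

The access result only reflects the account running the script, so run it as the same user the DataFlowEngine process runs under.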
|
tez_i |
Posted: Thu Sep 05, 2013 1:21 am Post subject: |
|
|
Novice
Joined: 03 Apr 2008 Posts: 12
|
Just thought I'd add, in case anyone has similar problems, manipulating the HTTPRequestHeader solved the remaining HTTP/500 error. |
|