
MQSeries.net Forum Index » WebSphere Message Broker (ACE) Support » Unable to connect to CMP API using SSL

marcot
Posted: Wed Oct 26, 2016 2:33 pm    Post subject: Unable to connect to CMP API using SSL

I am no longer able to connect to the CMP API. The only recent change that I am aware of is that the broker's certificate was changed from SHA1 to SHA2. Because of this I received a new trust keystore. With the new trust keystore I don't get an "authorization failed" issue; instead I get a null password exception.

I'm not sure if there is something different that I need to do based on the new type of truststore; frankly I'm at a loss, and have no idea how to proceed. Any feedback would be appreciated. Thank you.
marcot
Posted: Wed Oct 26, 2016 4:05 pm    Post subject: Unable to connect to CMP API using SSL

Was unable to post the stacktrace before, but here it is:

Below is the stacktrace:

com.ibm.broker.config.proxy.ConfigManagerProxyLoggedException: Password must not be null
at com.ibm.broker.config.proxy.WebSocketSender.connect(WebSocketSender.java:321)
at com.ibm.broker.config.proxy.WebSocketSender.send(WebSocketSender.java:185)
at com.ibm.broker.config.proxy.SendManager.send(SendManager.java:170)
at com.ibm.broker.config.proxy.AdministeredObjectPool.registerWithBroker(AdministeredObjectPool.java:2149)
at com.ibm.broker.config.proxy.AdministeredObjectPool.registerAdministeredObject(AdministeredObjectPool.java:1964)
at com.ibm.broker.config.proxy.AdministeredObjectPool.registerAdministeredObject(AdministeredObjectPool.java:1871)
at com.ibm.broker.config.proxy.BrokerProxy.<init>(BrokerProxy.java:450)
at com.ibm.broker.config.proxy.BrokerProxy.getInstance(BrokerProxy.java:1056)
at com.acng.TestBrokerConnection.exec(TestBrokerConnection.java:34)
at com.acng.IbmUtilityClass.exec(IbmUtilityClass.java:68)
at com.acng.IbmUtilityClass.main(IbmUtilityClass.java:48)
Caused by: java.security.UnrecoverableKeyException: Password must not be null
at sun.security.provider.JavaKeyStore.engineGetKey(JavaKeyStore.java:132)
at sun.security.provider.JavaKeyStore$JKS.engineGetKey(JavaKeyStore.java:56)
at sun.security.provider.KeyStoreDelegator.engineGetKey(KeyStoreDelegator.java:96)
at sun.security.provider.JavaKeyStore$DualFormatJKS.engineGetKey(JavaKeyStore.java:70)
at java.security.KeyStore.getKey(KeyStore.java:1023)
at sun.security.ssl.SunX509KeyManagerImpl.<init>(SunX509KeyManagerImpl.java:133)
at sun.security.ssl.KeyManagerFactoryImpl$SunX509.engineInit(KeyManagerFactoryImpl.java:70)
at javax.net.ssl.KeyManagerFactory.init(KeyManagerFactory.java:256)
at org.eclipse.jetty.util.ssl.SslContextFactory.getKeyManagers(SslContextFactory.java:903)
at org.eclipse.jetty.util.ssl.SslContextFactory.doStart(SslContextFactory.java:296)
at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:69)
at org.eclipse.jetty.util.component.ContainerLifeCycle.start(ContainerLifeCycle.java:108)
at org.eclipse.jetty.util.component.ContainerLifeCycle.doStart(ContainerLifeCycle.java:90)
at org.eclipse.jetty.websocket.client.WebSocketClient.doStart(WebSocketClient.java:194)
at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:69)
at com.ibm.broker.config.proxy.WebSocketClientManager.connect(WebSocketClientManager.java:82)
at com.ibm.broker.config.proxy.IIBCommandSocket.<init>(IIBCommandSocket.java:59)
at com.ibm.broker.config.proxy.WebSocketSender.connect(WebSocketSender.java:260)
... 10 more

Here is a sample of the broker file:

<?xml version="1.0" encoding="UTF-8"?>
<IntegrationNodeConnectionParameters Version="10.0.0.4" listenerPort="1443" useSsl="true" sslTrustStorePath="truststore.jks" userName="user" host="10.10.10.255" password="password" integrationNodeName="IBNODE" sslTrustStorePassword="password" />
Craig B
Posted: Thu Oct 27, 2016 6:34 am

This CMP (IAPI) exception was fixed in 10.0.0.5. Are you able to upgrade to see if it fixes your problem?
_________________
Regards
Craig
marcot
Posted: Thu Oct 27, 2016 7:16 am

Thanks for your response Craig. I'm not able to upgrade at the moment. I have been doing more investigating and I realized that the jks file given to me is a keystore and not a truststore. I have requested a truststore.

Do you see any issues in using a keystore over truststore? Obviously it's not working and my knowledge of SSL is very primitive.
Craig B
Posted: Thu Oct 27, 2016 7:29 am

You should be able to use either a keyStore or a trustStore but I believe the defect that was fixed covers your type of scenario. If you still get the same error when you get your new trust store you could try working around the issue by setting both sslTrustStorePassword and sslKeyStorePassword to the same value in your connection file.
_________________
Regards
Craig
marcot
Posted: Thu Oct 27, 2016 8:06 am

Interesting, so I updated my broker file to reflect the path of the keystore and the password using sslKeyStorePath and sslKeyStorePassword. It appears to be properly extracting the information, but now it's unable to connect to the broker, as if the broker is down, yet it is up.

Please see stacktrace:
com.ibm.broker.config.proxy.ConfigManagerProxyLoggedException: The Integration Node could not be reached. Please check that the Integration Node has been started and check that the Web Admin Listener has started.
at com.ibm.broker.config.proxy.WebSocketSender.connect(WebSocketSender.java:321)
at com.ibm.broker.config.proxy.WebSocketSender.send(WebSocketSender.java:185)
at com.ibm.broker.config.proxy.SendManager.send(SendManager.java:170)
at com.ibm.broker.config.proxy.AdministeredObjectPool.registerWithBroker(AdministeredObjectPool.java:2149)
at com.ibm.broker.config.proxy.AdministeredObjectPool.registerAdministeredObject(AdministeredObjectPool.java:1964)
at com.ibm.broker.config.proxy.AdministeredObjectPool.registerAdministeredObject(AdministeredObjectPool.java:1871)
at com.ibm.broker.config.proxy.BrokerProxy.<init>(BrokerProxy.java:450)
at com.ibm.broker.config.proxy.BrokerProxy.getInstance(BrokerProxy.java:1056)
at com.acng.TestBrokerConnection.exec(TestBrokerConnection.java:34)
at com.acng.IbmUtilityClass.exec(IbmUtilityClass.java:68)
at com.acng.IbmUtilityClass.main(IbmUtilityClass.java:48)
Caused by: com.ibm.broker.config.proxy.ConfigManagerProxyRequestTimeoutException: The Integration Node could not be reached. Please check that the Integration Node has been started and check that the Web Admin Listener has started.
at com.ibm.broker.config.proxy.WebSocketSender.connect(WebSocketSender.java:312)
... 10 more

Could it present this message on an authentication failure?

FYI - the admin port is open. I'm able to successfully telnet to it.
Craig B
Posted: Thu Oct 27, 2016 8:16 am

This new exception will be encountered if the WebSocketSender cannot establish a connection to the WebAdmin listener running on the broker. In your broker connection file you have specified an IP address of 10.10.10.255 and port 1443. Is this the correct hostname where your broker is running, and is port 1443 your web admin listener? If so, have you enabled SSL on the webAdmin listener? Do you have any firewalls on which you would have to authorise your application?
_________________
Regards
Craig
marcot
Posted: Thu Oct 27, 2016 8:30 am

Yes, I have the correct host IP and port specified. This was working before I had to update the truststore to use the keystore. The only change recently made was the new keystore being generated. So the web admin port is enabled and set up with SSL. The firewall rule is still in place, since I can successfully connect to that port using telnet.
mqjeff
Posted: Thu Oct 27, 2016 8:35 am

The truststore is never the keystore.

The truststore contains the certificates of other clients/machines/etc.

The keystore contains the certificate of the server. So the keystore of the webadmin listener contains the certificate that represents the webadmin.

The truststore of the webadmin listener contains the certificates/CAs that the webadmin is supposed to... you know... trust. So if some client or etc. comes to connect, and it's signed by something in the truststore, then it's okay.
_________________
chmod -R ugo-wx /
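The distinction mqjeff draws above, and the "Password must not be null" stack trace earlier in the thread, can both be checked against the actual .jks file you were given. The following is an added example written for this page in Java (the language of the CMP client), not code from the thread or from IBM's CMP API. It loads the file, reports each alias as a PrivateKeyEntry (key store material) or a TrustedCertificateEntry (trust store material) together with the signature algorithm of its certificate (SHA1withRSA versus SHA256withRSA, the change that started this), then does what the client's Jetty SslContextFactory does when handed a key store, namely initialise a KeyManagerFactory without a key password, which reproduces the UnrecoverableKeyException. If the file turns out to hold a private key, it can write a certificate-only copy, which is what a trust store is. The class name JksInspector, the STOREPASS environment variable and the command-line arguments are my own choices; the store password is read from the console rather than argv so it does not show up in process listings.

```java
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.InputStream;
import java.io.OutputStream;
import java.security.KeyStore;
import java.security.UnrecoverableKeyException;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Collections;
import javax.net.ssl.KeyManagerFactory;

/**
 * Added example (not IBM CMP API code). Tells a key store from a trust store,
 * reproduces the "Password must not be null" failure and writes a
 * certificate-only trust store.
 *
 * Usage: java JksInspector <store.jks> [<truststore-out.jks>]
 * Store password: prompted on the console, or taken from STOREPASS (assumed
 * variable name) when there is no console.
 */
public class JksInspector {

    /** Load a JKS file; the store password only protects the file's integrity. */
    static KeyStore load(String path, char[] storePass) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, storePass);
        }
        return ks;
    }

    /** Print alias, entry type and certificate signature algorithm; true if a private key is present. */
    static boolean describe(KeyStore ks) throws Exception {
        boolean hasPrivateKey = false;
        for (String alias : Collections.list(ks.aliases())) {
            String kind;
            Certificate cert;
            if (ks.isKeyEntry(alias)) {                 // private key plus its certificate chain
                kind = "PrivateKeyEntry (key store)";
                hasPrivateKey = true;
                Certificate[] chain = ks.getCertificateChain(alias);
                cert = (chain == null || chain.length == 0) ? null : chain[0];
            } else {                                    // certificate only, nothing secret
                kind = "TrustedCertificateEntry (trust store)";
                cert = ks.getCertificate(alias);
            }
            String sigAlg = (cert instanceof X509Certificate)
                    ? ((X509Certificate) cert).getSigAlgName()   // SHA1withRSA, SHA256withRSA, ...
                    : "n/a";
            System.out.printf("%-24s %-38s signed with %s%n", alias, kind, sigAlg);
        }
        return hasPrivateKey;
    }

    /**
     * What the client's Jetty SslContextFactory does with a key store: initialise a
     * KeyManagerFactory. A private key entry plus a null key password makes the JKS
     * provider throw UnrecoverableKeyException("Password must not be null"); a
     * certificate-only store passes because no key is ever read.
     */
    static String probeAsKeyStore(KeyStore ks, char[] keyPass) {
        try {
            KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
            kmf.init(ks, keyPass);
            return "KeyManagerFactory initialised (no private key needed a password)";
        } catch (UnrecoverableKeyException e) {
            return "KeyManagerFactory failed: " + e.getMessage();
        } catch (Exception e) {
            return "KeyManagerFactory failed: " + e;
        }
    }

    /** Copy only the certificates into a fresh JKS: that is what a trust store is. */
    static KeyStore toTrustStore(KeyStore src) throws Exception {
        KeyStore ts = KeyStore.getInstance("JKS");
        ts.load(null, null);                            // empty in-memory store
        for (String alias : Collections.list(src.aliases())) {
            if (src.isKeyEntry(alias)) {
                Certificate[] chain = src.getCertificateChain(alias);
                for (int i = 0; chain != null && i < chain.length; i++) {
                    ts.setCertificateEntry(i == 0 ? alias : alias + "-ca" + i, chain[i]);
                }
            } else {
                ts.setCertificateEntry(alias, src.getCertificate(alias));
            }
        }
        return ts;
    }

    static char[] readStorePassword(String forFile) {
        if (System.console() != null) {
            return System.console().readPassword("Store password for %s: ", forFile);
        }
        String env = System.getenv("STOREPASS");        // non-interactive fallback
        return env == null ? new char[0] : env.toCharArray();
    }

    public static void main(String[] args) throws Exception {
        if (args.length < 1) {
            System.err.println("usage: java JksInspector <store.jks> [<truststore-out.jks>]");
            System.exit(2);
        }
        char[] storePass = readStorePassword(args[0]);
        KeyStore ks = load(args[0], storePass);
        boolean isKeyStore = describe(ks);
        System.out.println(isKeyStore ? "=> this file is a KEY store" : "=> this file is a TRUST store");
        System.out.println("Probe without a key password: " + probeAsKeyStore(ks, null));
        if (isKeyStore && args.length > 1) {
            KeyStore ts = toTrustStore(ks);
            try (OutputStream out = new FileOutputStream(args[1])) {
                ts.store(out, storePass);
            }
            System.out.println("Wrote certificate-only trust store " + args[1]
                    + "; probe: " + probeAsKeyStore(ts, null));
        }
    }
}
```

Run it against the file that was handed out: a PrivateKeyEntry line plus "KeyManagerFactory failed: Password must not be null" is the signature of a key store being used as a trust store, which is the combination behind the first stack trace in this thread. The generated trust store contains no private key, so it is safe to copy to every CMP client, whereas the original key store is the listener's identity and should not leave the broker host.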
marcot
Posted: Thu Oct 27, 2016 9:04 am

OK, I now understand the difference between the keystore and truststore. Should one be used over the other to connect to the web admin? I just received the new truststore.jks file and it's giving me the same exception that I posted above. I changed my broker file to use sslTrustStorePath and sslTrustStorePassword appropriately.

If I get this message, does it truly mean the node is unreachable, or could it throw this exception in the scenario of an incorrect certificate stored in the truststore?
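The question just asked (network failure or certificate failure?) can be settled without the CMP client, because telnet only proves that the TCP port answers and says nothing about the TLS handshake that follows. The following is an added example written for this page in Java, not code from the thread or from IBM: it connects to the web admin listener with nothing but a trust store, the way a CMP client with sslTrustStorePath configured does, and reports which of three things happened: the TCP connect was refused or timed out, the TCP connect succeeded but the TLS handshake was rejected (typically because the listener's certificate chains to nothing in the trust store), or the handshake completed, in which case it prints the certificate chain the listener presented and its signature algorithm. The class name WebAdminTlsProbe, the STOREPASS environment variable, the 5 second timeout and the argument layout are my own choices.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.net.InetSocketAddress;
import java.net.Socket;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLException;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManagerFactory;

/**
 * Added example (not IBM code). Connects to the web admin listener using only a
 * trust store and reports which layer fails.
 *
 * Usage: java WebAdminTlsProbe <host> <port> <truststore.jks>
 * Trust store password: prompted on the console, or STOREPASS (assumed name)
 * when there is no console.
 */
public class WebAdminTlsProbe {

    enum Outcome { TCP_UNREACHABLE, TLS_REJECTED, TLS_OK }

    /** Socket factory that trusts exactly the certificates in the given JKS trust store. */
    static SSLSocketFactory trustOnly(String trustStorePath, char[] storePass) throws Exception {
        KeyStore ts = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(trustStorePath)) {
            ts.load(in, storePass);
        }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ts);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);   // no key managers: we present no client certificate
        return ctx.getSocketFactory();
    }

    /** Separate "port closed" from "port open but handshake refused" from "handshake fine". */
    static Outcome probe(String host, int port, SSLSocketFactory sf, int timeoutMs) throws Exception {
        Socket raw = new Socket();
        try {
            raw.connect(new InetSocketAddress(host, port), timeoutMs);   // the part telnet proves
        } catch (IOException e) {
            raw.close();
            System.out.println("TCP connect failed: " + e.getMessage());
            return Outcome.TCP_UNREACHABLE;
        }
        try (SSLSocket ssl = (SSLSocket) sf.createSocket(raw, host, port, true)) {
            ssl.setSoTimeout(timeoutMs);
            // Chain trust only, like the plain SSLContext above. To also check that the
            // certificate matches the host you connected to, set
            //   SSLParameters p = ssl.getSSLParameters();
            //   p.setEndpointIdentificationAlgorithm("HTTPS"); ssl.setSSLParameters(p);
            ssl.startHandshake();                                         // the part telnet cannot prove
            for (Certificate c : ssl.getSession().getPeerCertificates()) {
                X509Certificate x = (X509Certificate) c;
                System.out.printf("listener presented %s, signed with %s, valid until %s%n",
                        x.getSubjectX500Principal(), x.getSigAlgName(), x.getNotAfter());
            }
            return Outcome.TLS_OK;
        } catch (SSLException e) {
            // Untrusted chain ("PKIX path building failed"), or a protocol/cipher mismatch
            System.out.println("TLS handshake rejected: " + e.getMessage());
            return Outcome.TLS_REJECTED;
        }
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 3) {
            System.err.println("usage: java WebAdminTlsProbe <host> <port> <truststore.jks>");
            System.exit(2);
        }
        char[] pass;
        if (System.console() != null) {
            pass = System.console().readPassword("Trust store password: ");
        } else {
            String env = System.getenv("STOREPASS");
            pass = env == null ? new char[0] : env.toCharArray();
        }
        Outcome outcome = probe(args[0], Integer.parseInt(args[1]), trustOnly(args[2], pass), 5000);
        System.out.println("=> " + outcome);
    }
}
```

TLS_REJECTED with the port reachable means the trust store does not contain the listener's new certificate or the CA that signed it, and the CMP client would report the same "could not be reached" timeout rather than a clearer trust error. TLS_OK with the listener's chain printed as SHA256withRSA confirms that the new trust store is the right one, and any remaining failure lies in the connection file (user, password, integrationNodeName) rather than in TLS.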
mqjeff
Posted: Thu Oct 27, 2016 9:05 am

You need both a keystore and a truststore on the webadmin side.
_________________
chmod -R ugo-wx /
marcot
Posted: Thu Oct 27, 2016 9:42 am

Is there a separate key/trust store that needs to be setup specifically for the webadmin? As in multiple places on the broker?