SSL Authentication issue between JAVA 8 client and IBM MQ 8
riyaz_tak
Posted: Sun Aug 25, 2019 11:00 pm

Voyager

Joined: 05 Jan 2012
Posts: 92

Hi

Name: WebSphere MQ
Version: 8.0.0.4
Level: p800-004-151017
BuildType: IKAP - (Production)
Platform: WebSphere MQ for Solaris (SPARC platform)
Mode: 64-bit
O/S: SunOS 5.10
InstName: Installation1


I have Java 8 installed on my machine.
I have defined a Java JCEKS database at the Java client end and a CMS MQ key database at the MQ server side.
I have used sslcipher TLS_RSA_WITH_AES_128_CBC_SHA256 at both the Java client and the MQ end.

But when I start both applications I get the below error:

AMQ9637: Channel is lacking a certificate.

EXPLANATION:
The channel is lacking a certificate to use for the SSL handshake. The channel
name is 'XXXX' (if '????' it is unknown at this stage in the SSL
processing).

The remote host is 'localhost (127.0.0.1)'.

The channel did not start.
ACTION:
Make sure the appropriate certificates are correctly configured in the key
repositories for both ends of the channel.


I have defined, created and stored the correct keys but am still getting the error.
If I disable SSL authentication then it works without any error.

Please let me know if more information is needed.

HubertKleinmanns
Posted: Mon Aug 26, 2019 1:05 am

Shaman

Joined: 24 Feb 2004
Posts: 732
Location: Germany

Did you have a look at this site?

https://www.ibm.com/support/knowledgecenter/en/SSFKSJ_8.0.0/com.ibm.mq.dev.doc/q113210_.htm

The CipherSpec "TLS_RSA_WITH_AES_128_CBC_SHA256" is equivalent to the CipherSuite "SSL_RSA_WITH_AES_128_CBC_SHA256" when you use IBM Java, and equivalent to the CipherSuite "TLS_RSA_WITH_AES_128_CBC_SHA256" when you use Oracle Java.

You should look at the client's log. Did the Java app load the keystore successfully?
_________________
Regards
Hubert

riyaz_tak
Posted: Mon Aug 26, 2019 2:10 am

Voyager

Joined: 05 Jan 2012
Posts: 92

Hi,

Thanks for the reply.

I have already looked at the site but am still getting the error.

SSL cipher at MQ side:

SSLCIPH(TLS_RSA_WITH_AES_128_CBC_SHA256)

SSL ciphersuite at Java client side:

SSL_RSA_WITH_AES_128_CBC_SHA256


Error at Java client end:

JMSException: JMSWMQ0018: Failed to connect to queue manager 'xxx' with connection mode 'Client' and host name 'localhost(51410)'.
Mon Aug 26 10:08:17 2019 ERROR !com.ibm.msg.client.jms.DetailedJMSException: JMSWMQ0018: Failed to connect to queue manager 'xxx' with connection mode 'Client' and host name 'localhost(51410)'.

riyaz_tak
Posted: Mon Aug 26, 2019 2:50 am

Voyager

Joined: 05 Jan 2012
Posts: 92

Do we need to upgrade to IBM MQ fixpack 8.0.0.5 ?

https://developer.ibm.com/answers/questions/178651/what-tls-ciphersuites-are-supported-when-connectin/

HubertKleinmanns
Posted: Mon Aug 26, 2019 4:51 am

Shaman

Joined: 24 Feb 2004
Posts: 732
Location: Germany

Do you use IBM Java or Oracle Java?
_________________
Regards
Hubert

HubertKleinmanns
Posted: Mon Aug 26, 2019 5:00 am

Shaman

Joined: 24 Feb 2004
Posts: 732
Location: Germany

For IBM Java Runtime Environment you have to

- use CipherSuite "SSL_RSA_WITH_AES_256_CBC_SHA256".

For Oracle Java Runtime Environment you have to

- use CipherSuite "TLS_RSA_WITH_AES_256_CBC_SHA256"
- and upgrade the MQ Client to 8.0.0.5

Hope this helps.
_________________
Regards
Hubert

tczielke
Posted: Mon Aug 26, 2019 12:19 pm

Guardian

Joined: 08 Jul 2010
Posts: 939
Location: Illinois, USA

Your missing cert issue may have to do with running with MQ 8.0.0.4 and missing APAR IT10837 which was added at 8.0.0.5.

This thread covers this issue -> http://www.mqseries.net/phpBB2/viewtopic.php?t=74303
_________________
Working with MQ since 2010.

riyaz_tak
Posted: Mon Aug 26, 2019 8:00 pm

Voyager

Joined: 05 Jan 2012
Posts: 92

Thanks everyone for the response.
I am using Oracle JAVA.
I will upgrade my MQ server to 8.0.0.5 and let you know the result.

HubertKleinmanns
Posted: Tue Aug 27, 2019 1:22 am

Shaman

Joined: 24 Feb 2004
Posts: 732
Location: Germany

I think in addition you need the Java Cryptography Extension (JCE) from here

https://www.oracle.com/technetwork/java/javase/downloads/jce8-download-2133166.html

because you are using AES 256.

This consists of two jar files you have to exchange in your class path.
_________________
Regards
Hubert

riyaz_tak
Posted: Wed Aug 28, 2019 2:26 am

Voyager

Joined: 05 Jan 2012
Posts: 92

Hi,

I have upgraded MQ to 8.0.0.5 but now the Java client is throwing an error.

JMS Common Client First Failure Symptom Report

Product :- IBM WebSphere MQ classes for JMS
Date/Time :- Wed Aug 28 09:24:59 GMT 2019
System time :- 1566984299972
Operating System :- SunOS
UserID :- root
Java Vendor :- Oracle Corporation
Java Version :- 25.191-b12

Source Class :- com.ibm.mq.jmqi.remote.impl.RemoteTCPConnection
Source Method :- getNonFipsSocketFactory()
ProbeID :- 03
Thread :- name=xxx priority=5 group=main ccl=sun.misc.Launcher$AppClassLoader@6e0be858
Data
----

| Description :- Cannot open keystore file
| Exception message :- Invalid keystore format


I can run the /opt/mqm/bin/runmqckm utility to list all the certificates stored in the keystore but the Java client is still throwing the error.

HubertKleinmanns
Posted: Wed Aug 28, 2019 2:46 am

Shaman

Joined: 24 Feb 2004
Posts: 732
Location: Germany

It's essential that the Java application is able to open its keystore. Upgrading the MQ Client doesn't affect the keystore.

You have to exchange a couple of jar-files named "com.ibm.mq.*"
_________________
Regards
Hubert

riyaz_tak
Posted: Wed Aug 28, 2019 9:22 pm

Voyager

Joined: 05 Jan 2012
Posts: 92

ERR JMSException: JMSWMQ0018: Failed to connect to queue manager 'xxxxx' with connection mode 'Client' and host name 'null'.
Thu Aug 29 05:14:26 2019 ERR Ops!com.ibm.msg.client.jms.DetailedJMSException: JMSWMQ0018: Failed to connect to queue manager xxxx with connection mode 'Client' and host name 'null'.
Check the queue manager is started and if running in client mode, check there is a listener running. Please see the linked exception for more information.


When I set TLS_RSA_WITH_AES_256_CBC_SHA256 as ciphersuite and cipherspec, I get the above error in the Java client log.
If, while starting the Java client, I put -Dcom.ibm.mq.cfg.useIBMCipherMappings=false as a JVM argument, then an FFDC file is created stating invalid keystore, so I removed that line and started the Java client, but again I received the above error.

So should I set -Dcom.ibm.mq.cfg.useIBMCipherMappings=false as a JVM argument or not?
I used TLS_RSA_WITH_AES_256_CBC_SHA256 as well as TLS_RSA_WITH_AES_128_CBC_SHA but both don't seem to be working.

hughson
Posted: Wed Aug 28, 2019 11:37 pm

Padawan

Joined: 09 May 2013
Posts: 1914
Location: Bay of Plenty, New Zealand

riyaz_tak wrote:
Description :- Cannot open keystore file
Exception message :- Invalid keystore format

Please confirm the format of your keystore. It should be JKS. Is it?

riyaz_tak wrote:
So should I set -Dcom.ibm.mq.cfg.useIBMCipherMappings=false as a JVM argument or not?

Since you are using an Oracle JVM, then yes, you should be setting the above argument. When you don't set this, other errors would appear to be masking your real problem.

Cheers,
Morag
_________________
Morag Hughson @MoragHughson
IBM MQ Technical Education Specialist
Get your IBM MQ training here!
MQGem Software

riyaz_tak
Posted: Thu Aug 29, 2019 12:33 am

Voyager

Joined: 05 Jan 2012
Posts: 92

Yes it's JKS (key.jck).

When I am trying to run the Java client, I am getting the below error:

com.ibm.msg.client.jms.DetailedJMSException: JMSWMQ0018: Failed to connect to queue manager 'xxxxx' with connection mode 'Client' and host name 'localhost(xxxx)'.

I am using TLS_RSA_WITH_AES_256_CBC_SHA256 as SSL ciphersuite.

I am setting the said JVM parameter but always getting the error and not able to connect.

hughson
Posted: Thu Aug 29, 2019 1:19 am

Padawan

Joined: 09 May 2013
Posts: 1914
Location: Bay of Plenty, New Zealand

riyaz_tak wrote:
Yes it's JKS (key.jck)

Odd extension to use for a JKS file?

riyaz_tak wrote:
I can run the /opt/mqm/bin/runmqckm utility to list all the certificates stored in the keystore but the Java client is still throwing the error.

Can you show us the command you use that works to list all the certificates?

riyaz_tak wrote:
When I am trying to run the Java client, I am getting the below error:

com.ibm.msg.client.jms.DetailedJMSException: JMSWMQ0018: Failed to connect to queue manager 'xxxxx' with connection mode 'Client' and host name 'localhost(xxxx)'.

Is this a different error? Did you change something to get rid of the "Invalid keystore format" error you previously reported?

Cheers,
Morag
_________________
Morag Hughson @MoragHughson
IBM MQ Technical Education Specialist
Get your IBM MQ training here!
MQGem Software
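
Added example, not part of the thread and not code from any poster or from IBM: a small Java check for the keystore format question raised above. It classifies a keystore by its leading bytes (JKS stores begin with 0xFEEDFEED, JCEKS with 0xCECECECE, PKCS#12 with the DER SEQUENCE byte 0x30) and then tries to load it as each type; the class name, the password `changeit` and the in-memory empty JCEKS sample are constructed for illustration.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.nio.ByteBuffer;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.KeyStore;

public class KeystoreFormatCheck {
    // Classify a keystore by its leading bytes. IBM CMS (.kdb) stores are
    // not covered here and come back as "unknown".
    static String sniff(byte[] data) {
        if (data.length < 4) return "unknown";
        int magic = ByteBuffer.wrap(data, 0, 4).getInt();
        if (magic == 0xFEEDFEED) return "JKS";
        if (magic == 0xCECECECE) return "JCEKS";
        if (data[0] == 0x30) return "PKCS12"; // DER SEQUENCE tag
        return "unknown";
    }
    // Load the bytes as the given keystore type; null means success,
    // otherwise the loader's error message is returned.
    static String tryLoad(String type, byte[] data, char[] pw) {
        try {
            KeyStore.getInstance(type).load(new ByteArrayInputStream(data), pw);
            return null;
        } catch (Exception e) {
            return e.getMessage();
        }
    }
    public static void main(String[] args) throws Exception {
        byte[] data; char[] pw;
        if (args.length > 0) {   // real file: needs an interactive console
            data = Files.readAllBytes(Paths.get(args[0]));
            pw = System.console().readPassword("Keystore password: ");
        } else {                 // constructed sample: empty JCEKS store
            pw = "changeit".toCharArray();
            KeyStore sample = KeyStore.getInstance("JCEKS");
            sample.load(null, pw);
            ByteArrayOutputStream out = new ByteArrayOutputStream();
            sample.store(out, pw);
            data = out.toByteArray();
        }
        System.out.println("detected type: " + sniff(data));
        for (String type : new String[] {"JKS", "JCEKS", "PKCS12"}) {
            String err = tryLoad(type, data, pw);
            System.out.println("load as " + type + ": " + (err == null ? "ok" : "failed: " + err));
        }
    }
}
```

Run with no arguments it exercises the constructed JCEKS sample; run with a keystore path it reports that file's type, which has to match the type the client is told to load (for example through the `javax.net.ssl.keyStoreType` system property).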