SSL Authentication issue between JAVA 8 client and IBM MQ 8

tczielke
Posted: Tue Sep 03, 2019 3:39 am

riyaz_tak wrote:
tczielke wrote:
Can you also explain how you are setting the keystore type to be a jceks. Is it through a Java system property? Programmatically?


I have created makefile which is creating keystore.

runmqckm -keydb -create \
-db key.jck -pw xxxx \
-type jceks


No, I mean in your JMS application that uses this jck file, how are you explicitly setting the keystore type to be jceks? If you don't set the keystore type explicitly, it will default to jks. That at least has been my experience.
_________________
Working with MQ since 2010.

tczielke
Posted: Tue Sep 03, 2019 1:25 pm

I played around with this some this afternoon, and I could not get the IBM MQ Classes for JMS or Java to work with a JCEKS keystore when using the javax.net.ssl system properties to set the keystore. I could only get it to work when I programmatically created a Keystore that was a JCEKS instance and then set the MQEnvironment.sslSocketFactory accordingly. If I had to guess, the IBM MQ software is defaulting to a JKS Keystore, if the MQEnvironment.sslSocketFactory is not set, and you are not currently able to use a JCEKS with the javax.net.ssl system properties. If someone is able to do that, I would like to know.

riyaz_tak - If you are trying to do this using the javax.net.ssl system properties, that might be your issue that IBM MQ does not seem to support this for a JCEKS keystore. At least that is what I have found, so far, with my testing.
_________________
Working with MQ since 2010.

riyaz_tak
Posted: Tue Sep 03, 2019 8:38 pm

tczielke wrote:
riyaz_tak wrote:
tczielke wrote:
Can you also explain how you are setting the keystore type to be a jceks. Is it through a Java system property? Programmatically?


I have created makefile which is creating keystore.

runmqckm -keydb -create \
-db key.jck -pw xxxx \
-type jceks


No, I mean in your JMS application that uses this jck file, how are you explicitly setting the keystore type to be jceks? If you don't set the keystore type explicitly, it will default to jks. That at least has been my experience.


I am creating the jceks keystore explicitly and copying the keystore to the file system using a package.
I am not setting it programmatically, but the same scenario was working perfectly fine with IBM MQ 7.5.
So is it because of IBM MQ 8?

In the Java code I have used JNDI to get the values:

def qcf(mq) qmanager(xxxx) transport(client) hostname(localhost) port(51410) channel(xxxxx) sslciphersuite(TLS_RSA_WITH_AES_256_CBC_SHA256)

Here the channel is a srvconn. I am creating a QueueConnectionFactory and after that I am trying to get the QueueConnection, but at the moment I get an Invalid KeyStore exception.

fjb_saper
Posted: Tue Sep 03, 2019 10:37 pm

tczielke wrote:
I played around with this some this afternoon, and I could not get the IBM MQ Classes for JMS or Java to work with a JCEKS keystore when using the javax.net.ssl system properties to set the keystore. I could only get it to work when I programmatically created a Keystore that was a JCEKS instance and then set the MQEnvironment.sslSocketFactory accordingly. If I had to guess, the IBM MQ software is defaulting to a JKS Keystore, if the MQEnvironment.sslSocketFactory is not set, and you are not currently able to use a JCEKS with the javax.net.ssl system properties. If someone is able to do that, I would like to know.

riyaz_tak - If you are trying to do this using the javax.net.ssl system properties, that might be your issue that IBM MQ does not seem to support this for a JCEKS keystore. At least that is what I have found, so far, with my testing.

Have you tried with -Djavax.net.ssl.keystoretype="JECKS" or something like it??
_________________
MQ & Broker admin

riyaz_tak
Posted: Tue Sep 03, 2019 10:43 pm

fjb_saper wrote:
tczielke wrote:
I played around with this some this afternoon, and I could not get the IBM MQ Classes for JMS or Java to work with a JCEKS keystore when using the javax.net.ssl system properties to set the keystore. I could only get it to work when I programmatically created a Keystore that was a JCEKS instance and then set the MQEnvironment.sslSocketFactory accordingly. If I had to guess, the IBM MQ software is defaulting to a JKS Keystore, if the MQEnvironment.sslSocketFactory is not set, and you are not currently able to use a JCEKS with the javax.net.ssl system properties. If someone is able to do that, I would like to know.

riyaz_tak - If you are trying to do this using the javax.net.ssl system properties, that might be your issue that IBM MQ does not seem to support this for a JCEKS keystore. At least that is what I have found, so far, with my testing.

Have you tried with -Djavax.net.ssl.keystoretype="JECKS" or something like it??


Yes I have.
I am setting the below JVM arguments at the time of starting the Java client:

-Djavax.net.ssl.trustStorePassword=xxxx \
-Djavax.net.ssl.trustStoreType=jceks \
-Djavax.net.ssl.keyStore=/dir/key.jck \
-Djavax.net.ssl.keyStorePassword=xxxx \
-Djavax.net.ssl.keyStoreType=jceks \

tczielke
Posted: Wed Sep 04, 2019 7:24 am

riyaz_tak wrote:
fjb_saper wrote:
tczielke wrote:
I played around with this some this afternoon, and I could not get the IBM MQ Classes for JMS or Java to work with a JCEKS keystore when using the javax.net.ssl system properties to set the keystore. I could only get it to work when I programmatically created a Keystore that was a JCEKS instance and then set the MQEnvironment.sslSocketFactory accordingly. If I had to guess, the IBM MQ software is defaulting to a JKS Keystore, if the MQEnvironment.sslSocketFactory is not set, and you are not currently able to use a JCEKS with the javax.net.ssl system properties. If someone is able to do that, I would like to know.

riyaz_tak - If you are trying to do this using the javax.net.ssl system properties, that might be your issue that IBM MQ does not seem to support this for a JCEKS keystore. At least that is what I have found, so far, with my testing.

Have you tried with -Djavax.net.ssl.keystoretype="JECKS" or something like it??


Yes I have.
I am setting below JVM arguments at the time of starting JAVA Client :

-Djavax.net.ssl.trustStorePassword=xxxx \
-Djavax.net.ssl.trustStoreType=jceks \
-Djavax.net.ssl.keyStore=/dir/key.jck \
-Djavax.net.ssl.keyStorePassword=xxxx \
-Djavax.net.ssl.keyStoreType=jceks \


I was using something similar, as well, for the keyStoreType and trustStoreType. I tried both jceks and JCEKS. I am not sure if this is an issue introduced at v8, but I can confirm that I see the same issue with MQ 9.1.0.1 of getting an invalid keystore when relying on the javax.net.ssl system properties to set the keystore and type for a jceks.

I am able to get this to work with JMS by using the IBM MQ JMS Extensions and creating my own sslSocketFactory that has a properly built JCEKS Keystore. Of course, this does move you away from portable JMS, if that is something you care about.

You might want to open a PMR with IBM on what you are experiencing here, because it looks like a potential defect, to me.
_________________
Working with MQ since 2010.
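
An added example (not code from any poster in this thread or from IBM) of the workaround described in the posts above: confirm from the file magic that the store really is JCEKS, load it with an explicit type, and build the SSLSocketFactory to hand to MQ. Assumptions: the same file holds both the client key and the trusted certificates, the key password equals the store password, and the password arrives in a hypothetical KEYSTORE_PW environment variable.

```java
import java.io.DataInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManagerFactory;

public class JceksSocketFactory {
    // Magic numbers the JDK providers write at offset 0: JKS 0xFEEDFEED, JCEKS 0xCECECECE.
    static String detectType(Path file) throws IOException {
        try (DataInputStream in = new DataInputStream(Files.newInputStream(file))) {
            int magic = in.readInt();
            if (magic == 0xFEEDFEED) return "JKS";
            if (magic == 0xCECECECE) return "JCEKS";
            return "UNKNOWN";
        }
    }

    // Load the store with an explicit type rather than the JVM default, then build the factory.
    static SSLSocketFactory build(Path file, char[] pw) throws IOException, GeneralSecurityException {
        String type = detectType(file);
        if (!"JCEKS".equals(type)) {
            throw new IOException(file + " looks like " + type + ", not JCEKS");
        }
        KeyStore ks = KeyStore.getInstance("JCEKS");
        try (InputStream in = Files.newInputStream(file)) {
            ks.load(in, pw); // fails here if the password or the store integrity check is wrong
        }
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(ks, pw); // assumption: key password == store password
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks); // assumption: the same file also holds the trusted signer certificates
        SSLContext ctx = SSLContext.getInstance("TLSv1.2");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx.getSocketFactory();
    }

    public static void main(String[] args) throws Exception {
        String pw = System.getenv("KEYSTORE_PW"); // hypothetical variable name
        if (args.length != 1 || pw == null) {
            System.err.println("usage: KEYSTORE_PW=... java JceksSocketFactory <keystore>");
            return;
        }
        SSLSocketFactory factory = build(Paths.get(args[0]), pw.toCharArray());
        // Base Java classes: assign this to MQEnvironment.sslSocketFactory before connecting.
        System.out.println("JCEKS store loaded, factory: " + factory.getClass().getName());
    }
}
```

Run against a store created with a different type, the magic check reports the mismatch before the JVM raises the less specific "Invalid keystore format" error.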

fjb_saper
Posted: Wed Sep 04, 2019 9:49 pm

riyaz_tak wrote:
fjb_saper wrote:

Have you tried with -Djavax.net.ssl.keystoretype="JECKS" or something like it??



Yes I have.
I am setting below JVM arguments at the time of starting JAVA Client :

-Djavax.net.ssl.trustStorePassword=xxxx \
-Djavax.net.ssl.trustStoreType=jceks \
-Djavax.net.ssl.keyStore=/dir/key.jck \
-Djavax.net.ssl.keyStorePassword=xxxx \
-Djavax.net.ssl.keyStoreType=jceks \

I hope this is not a cut and paste. Because I believe the format should be
Code:
java -D<propertyname>="<value>"

Notice that the value is in between double quotes, which you do not seem to have done in your example here...
Thus it should read
Code:
         -Djavax.net.ssl.trustStorePassword="xxxx"     \
         -Djavax.net.ssl.trustStoreType="jceks"            \
         -Djavax.net.ssl.keyStore="/dir/key.jck"   \
         -Djavax.net.ssl.keyStorePassword="xxxx"       \
         -Djavax.net.ssl.keyStoreType="jceks"       \

Enjoy
_________________
MQ & Broker admin

riyaz_tak
Posted: Wed Sep 04, 2019 10:02 pm

fjb_saper wrote:
riyaz_tak wrote:
fjb_saper wrote:

Have you tried with -Djavax.net.ssl.keystoretype="JECKS" or something like it??



Yes I have.
I am setting below JVM arguments at the time of starting JAVA Client :

-Djavax.net.ssl.trustStorePassword=xxxx \
-Djavax.net.ssl.trustStoreType=jceks \
-Djavax.net.ssl.keyStore=/dir/key.jck \
-Djavax.net.ssl.keyStorePassword=xxxx \
-Djavax.net.ssl.keyStoreType=jceks \

I hope this is not a cut and paste. Because I believe the format should be
Code:
java -D<propertyname>="<value>"

Notice that the value is in between double quotes, which you do not seem to have done in your example here...
Thus it should read
Code:
         -Djavax.net.ssl.trustStorePassword="xxxx"     \
         -Djavax.net.ssl.trustStoreType="jceks"            \
         -Djavax.net.ssl.keyStore="/dir/key.jck"   \
         -Djavax.net.ssl.keyStorePassword="xxxx"       \
         -Djavax.net.ssl.keyStoreType="jceks"       \

Enjoy


It's old code and was working with MQ 7.5.

riyaz_tak
Posted: Wed Sep 04, 2019 10:03 pm

tczielke wrote:
riyaz_tak wrote:
fjb_saper wrote:
tczielke wrote:
I played around with this some this afternoon, and I could not get the IBM MQ Classes for JMS or Java to work with a JCEKS keystore when using the javax.net.ssl system properties to set the keystore. I could only get it to work when I programmatically created a Keystore that was a JCEKS instance and then set the MQEnvironment.sslSocketFactory accordingly. If I had to guess, the IBM MQ software is defaulting to a JKS Keystore, if the MQEnvironment.sslSocketFactory is not set, and you are not currently able to use a JCEKS with the javax.net.ssl system properties. If someone is able to do that, I would like to know.

riyaz_tak - If you are trying to do this using the javax.net.ssl system properties, that might be your issue that IBM MQ does not seem to support this for a JCEKS keystore. At least that is what I have found, so far, with my testing.

Have you tried with -Djavax.net.ssl.keystoretype="JECKS" or something like it??


Yes I have.
I am setting below JVM arguments at the time of starting JAVA Client :

-Djavax.net.ssl.trustStorePassword=xxxx \
-Djavax.net.ssl.trustStoreType=jceks \
-Djavax.net.ssl.keyStore=/dir/key.jck \
-Djavax.net.ssl.keyStorePassword=xxxx \
-Djavax.net.ssl.keyStoreType=jceks \


I was using something similar, as well, for the keyStoreType and trustStoreType. I tried both jceks and JCEKS. I am not sure if this is an issue introduced at v8, but I can confirm that I see the same issue with MQ 9.1.0.1 of getting an invalid keystore when relying on the javax.net.ssl system properties to set the keystore and type for a jceks.

I am able to get this to work with JMS by using the IBM MQ JMS Extensions and creating my own sslSocketFactory that has a properly built JCEKS Keystore. Of course, this does move you away from portable JMS, if that is something you care about.

You might want to open a PMR with IBM on what you are experiencing here, because it looks like a potential defect, to me.


I will open a PMR with IBM and let you know the resolution.

fjb_saper
Posted: Wed Sep 04, 2019 10:05 pm

So it worked with Java 6 or java 7...
Doesn't mean that java 8 or java 12 will work without the quotes for the values...
_________________
MQ & Broker admin

riyaz_tak
Posted: Wed Sep 04, 2019 10:18 pm

fjb_saper wrote:
So it worked with Java 6 or java 7...
Doesn't mean that java 8 or java 12 will work without the quotes for the values...


Not working even after putting "".

riyaz_tak
Posted: Mon Sep 09, 2019 1:42 am

Here key.kdb is the keystore at the MQ side and key.jks is the keystore at the Java client side.

1. runmqckm -keydb -create -db key.jck -pw xxx -type JKS

No issue here.

2. runmqckm -cert -export -db /mqDir/key.kdb -pw xxx -label javaclient -target key.jck -target_pw xxx -type JKS

An IO Exception has occurred:

Invalid keystore format

The key.kdb keystore at the MQ side was generated using gsk6kit and it contains a couple of certificates.

When we try to export one of the certificates using the runmqckm utility from /mqDir/key.kdb to key.jck (the Java client side keystore), we get the error.

But if I remove -type jks at step 2, I am not getting any error.

runmqckm -cert -export -db /mqDir/key.kdb -pw xxx -label javaclient -target key.jck -target_pw xxx -type JKS

Why is it so? How can I export the certificate?

hughson
Posted: Mon Sep 09, 2019 1:49 am

riyaz_tak wrote:
2. runmqckm -cert -export -db /mqDir/key.kdb -pw xxx -label javaclient -target key.jck -target_pw xxx -type JKS

An IO Exception has occurred:

Invalid keystore format


Remember that the runmqckm command has two types. If you forget the syntax remember you can use ? at any point. So to see the specific fields for -cert -export, just type in the following:-

Code:
runmqckm -cert -export ?


When you do this you'll see that there are two types. There's a -type for the type of the -db keystore. And then there's a -target_type for the -target keystore.

So your command is saying that the -db /mqDir/key.kdb is of -type JKS which is clearly not true. Try the following command instead:-

Code:
runmqckm -cert -export -db /mqDir/key.kdb -type CMS -pw xxx -label javaclient -target key.jck -target_pw xxx -target_type JKS


Cheers,
Morag
_________________
Morag Hughson @MoragHughson
IBM MQ Technical Education Specialist
Get your IBM MQ training here!
MQGem Software


Last edited by hughson on Wed Sep 11, 2019 2:04 am; edited 1 time in total

riyaz_tak
Posted: Mon Sep 09, 2019 2:39 am

Thanks a lot.
You are a rockstar. This resolved my issue. I was getting the incorrect keystore type error because my command was wrong.
Thanks a lot again.

hughson
Posted: Mon Sep 09, 2019 2:44 pm

riyaz_tak wrote:
Thanks A lot.

You are welcome - glad it is working for you now.

Cheers,
Morag
_________________
Morag Hughson @MoragHughson
IBM MQ Technical Education Specialist
Get your IBM MQ training here!
MQGem Software