This topic is about how to use HERMESJMS over SSL enabled MQ Channel – (no MA setup).
By Seri Charoensri, 22 July 2012
With IBM MQ Provider: if you experience the error below with JSSE, the certificate was not found.
com.ibm.mq.MQException: JMSCMQ0001: WebSphere MQ call failed with compcode '2' ('MQCC_FAILED') reason '2397' ('MQRC_JSSE_ERROR').
at com.ibm.msg.client.wmq.common.internal.Reason.createException(Reason.java:223)
at com.ibm.msg.client.wmq.internal.WMQConnection.<init>(WMQConnection.java:421)
at com.ibm.msg.client.wmq.factories.WMQConnectionFactory.createV7ProviderConnection(WMQConnectionFactory.java:6807)
at com.ibm.msg.client.wmq.factories.WMQConnectionFactory.createProviderConnection(WMQConnectionFactory.java:6204)
at com.ibm.msg.client.jms.admin.JmsConnectionFactoryImpl.createConnection(JmsConnectionFactoryImpl.java:278)
at com.ibm.mq.jms.MQConnectionFactory.createCommonConnection(MQConnectionFactory.java:6155)
1. Hermes runs on the standard JDK, so Hermes uses JSSE security with cacerts (the CA certificates store). Below we imported the self-signed cert generated and extracted from IKEYMAN.
IKEYMAN
C:\Program Files (x86)\Java\jdk1.6.0_13\jre\lib\security\cacerts (I just use the default truststore provided by the JDK; you can use your own truststore if you like). Hermes will check the MQ server's cert against this truststore.
Keytool
2. For a self-signed cert from MQ, you will need to import the cert into the cacerts keystore, so that HERMES can complete the SSL handshake with MQ.
On the MQ side we have a "TRIPLE_DES_SHA_SA" SSL setup with no client SSL cert required (SSLCAUTH optional): "Authentication of Parties initiating connections: Optional". In short, we trust the MQ server's SSL cert only; there is no Mutual Authentication (MA) setup for now. I will show you how to do MA below.
NOTE: we have not set SSLCAUTH to Required, nor locked down the DN name specification (SSLPEER) so that only clients with a matching DN can connect.
Test result
We successfully retrieve data over the SSL-enabled channel.
This topic is about how to use HERMESJMS over SSL enabled MQ Channel – (with MA setup).
With MA, the client (HERMESJMS in this case) will need to present its own SSL certificate to the MQ server for client authentication (SSLCAUTH Required).
Set up a new SVRCONN channel for MA with a DN (SSLPEER) specification.
We need to create the client's keystore: hermesclientkey.jks
NOTE: we use the default JDK truststore, cacerts, to hold the MQ SSL cert (above). Alternatively, you could create your own truststore and manage the MQ cert separately.
We will need to create a Hermes keystore, since the JDK provides no default keystore (see the JSSE defaults below).
JSSE defaults:
* default keystore: No default. javax.net.ssl.keyStore system property. Note that the value NONE may be specified; this setting is appropriate if the keystore is not file-based (for example, it resides in a hardware token).
* default keystore password: No default. javax.net.ssl.keyStorePassword system property.
* default keystore provider: No default. javax.net.ssl.keyStoreProvider system property.
* default keystore type: KeyStore.getDefaultType(). javax.net.ssl.keyStoreType system property.
* default truststore: jssecacerts, if it exists; otherwise cacerts. javax.net.ssl.trustStore system property.
* default truststore password: No default. javax.net.ssl.trustStorePassword system property.
* default truststore provider: No default. javax.net.ssl.trustStoreProvider system property.
* default truststore type: KeyStore.getDefaultType(). javax.net.ssl.trustSt system property.
Extract our new client self-signed cert and import it into MQ's keystore (CMS/KDB), so that MQ can trust the new client cert (it is self-signed, not signed by one of the well-known CA certs that ship with the default keystore).
HERMESJMS SETUP to use the new personal keystore
The HERMESJMSkeystore.jks holds the client certificate that will be exchanged (MA) with the MQ server. Since it is self-signed, we have added its certificate to the MQ server's keystore (CMS KDB).
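The two keystore operations above (step 2, importing the queue manager's self-signed cert into the truststore Hermes reads, and this step, extracting the client's self-signed cert for the MQ KDB) can also be done from Java with the java.security.KeyStore API. The following is an added example, not code from this write-up or from HermesJMS; it is the programmatic equivalent of `keytool -importcert` and `keytool -exportcert -rfc`. The file names qm5.arm and hermesclient.arm, the alias hermesclient and the keystore password are assumptions (the cacerts password "changeit" is the JDK's shipped default), and it is written for Java 8 (try-with-resources, java.util.Base64) rather than the JDK 1.6 shown on the page.

```java
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.InputStream;
import java.io.OutputStream;
import java.nio.charset.StandardCharsets;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Base64;

/*
 * Added example (not from the original page): the keystore steps the write-up does
 * with keytool/IKEYMAN, done with the KeyStore API.
 *   importTrusted()    - equivalent of "keytool -importcert" into the JSSE truststore
 *   exportClientCert() - equivalent of "keytool -exportcert -rfc"; the PEM it writes is
 *                        what gets added to the queue manager's KDB
 * File names, aliases and passwords below are placeholders, not values from the page.
 */
public class KeystoreSteps {

    /** Import the MQ server's self-signed cert into the truststore Hermes uses (step 2). */
    static void importTrusted(String trustStorePath, char[] storePass,
                              String alias, String certFile) throws Exception {
        KeyStore ts = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(trustStorePath)) {
            ts.load(in, storePass);
        }
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        X509Certificate cert;
        try (InputStream in = new FileInputStream(certFile)) {
            cert = (X509Certificate) cf.generateCertificate(in); // accepts PEM or DER
        }
        // Sanity checks before trusting it: not expired, and really self-signed
        // (signature verifies under its own public key).
        cert.checkValidity();
        cert.verify(cert.getPublicKey());
        System.out.println("Trusting " + cert.getSubjectX500Principal() + " as '" + alias + "'");
        ts.setCertificateEntry(alias, cert);
        try (OutputStream out = new FileOutputStream(trustStorePath)) {
            ts.store(out, storePass);
        }
    }

    /** Write the client cert (public part only, never the private key) as PEM for the KDB. */
    static void exportClientCert(String keyStorePath, char[] storePass,
                                 String alias, String pemOut) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(keyStorePath)) {
            ks.load(in, storePass);
        }
        Certificate cert = ks.getCertificate(alias);
        if (cert == null) {
            throw new IllegalArgumentException("no entry '" + alias + "' in " + keyStorePath);
        }
        // 64-column base64 between the usual PEM markers, which IKEYMAN/gsk accept as "ascii".
        String b64 = Base64.getMimeEncoder(64, "\n".getBytes(StandardCharsets.US_ASCII))
                           .encodeToString(cert.getEncoded());
        String pem = "-----BEGIN CERTIFICATE-----\n" + b64 + "\n-----END CERTIFICATE-----\n";
        try (OutputStream out = new FileOutputStream(pemOut)) {
            out.write(pem.getBytes(StandardCharsets.US_ASCII));
        }
    }

    public static void main(String[] args) throws Exception {
        // Step 2: trust the queue manager's cert, extracted from IKEYMAN (qm5.arm is assumed).
        importTrusted("C:/Program Files (x86)/Java/jdk1.6.0_13/jre/lib/security/cacerts",
                      "changeit".toCharArray(), "ibmwebspheremqqm5", "qm5.arm");
        // MA step: produce the client cert file for the MQ administrator to add to the KDB.
        exportClientCert("hermesclientkey.jks", "<keystore-password>".toCharArray(),
                         "hermesclient", "hermesclient.arm");
    }
}
```

The import deliberately refuses an expired cert or one that is not actually self-signed, which keytool does not check for you; the export writes only the certificate, so the client's private key never leaves hermesclientkey.jks.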
We will use the default SunJSSE provider! You can use IBM or BouncyCastle, etc. if you need a stronger cipher, e.g. AES128. If you do so, don't forget to add the security provider jars to
C:\Program Files (x86)\Java\jdk1.6.0_13\jre\lib\ext and then "Add" the new security.provider entry to the java.security file.
#java.security provider
# List of providers and their preference orders (see above):
at com.ibm.msg.client.wmq.common.internal.Reason.createException(Reason.java:223)
at com.ibm.msg.client.wmq.internal.WMQConnection.<init>(WMQConnection.java:421)
at com.ibm.msg.client.wmq.factories.WMQConnectionFactory.createV7ProviderConnection(WMQConnectionFactory.java:6807)
at com.ibm.msg.client.wmq.factories.WMQConnectionFactory.createProviderConnection(WMQConnectionFactory.java:6204)
at com.ibm.msg.client.jms.admin.JmsConnectionFactoryImpl.createConnection(JmsConnectionFactoryImpl.java:278)
at com.ibm.mq.jms.MQConnectionFactory.createCommonConnection(MQConnectionFactory.java:6155)
at com.ibm.mq.jms.MQQueueConnectionFactory.createQueueConnection(MQQueueConnectionFactory.java:115)
at com.ibm.mq.jms.MQQueueConnectionFactory.createConnection(MQQueueConnectionFactory.java:198)
at hermes.impl.jms.ConnectionManagerSupport.createConnection(ConnectionManagerSupport.java:122)
at hermes.impl.jms.ConnectionManagerSupport.createConnection(ConnectionManagerSupport.java:92)
at hermes.impl.jms.ConnectionSharedManager.reconnect(ConnectionSharedManager.java:81)
at hermes.impl.jms.ConnectionSharedManager.connect(ConnectionSharedManager.java:91)
at hermes.impl.jms.ConnectionSharedManager.getConnection(ConnectionSharedManager.java:104)
at hermes.impl.jms.ConnectionSharedManager.getObject(ConnectionSharedManager.java:142)
at hermes.impl.jms.ThreadLocalSessionManager.connect(ThreadLocalSessionManager.java:190)
at hermes.impl.jms.ThreadLocalSessionManager.getSession(ThreadLocalSessionManager.java:570)
at hermes.impl.jms.AbstractSessionManager.getDestination(AbstractSessionManager.java:460)
at hermes.impl.DefaultHermesImpl.getDestination(DefaultHermesImpl.java:367)
at hermes.browser.tasks.BrowseDestinationTask.invoke(BrowseDestinationTask.java:141)
at hermes.browser.tasks.TaskSupport.run(TaskSupport.java:175)
at hermes.browser.tasks.ThreadPool.run(ThreadPool.java:170)
at java.lang.Thread.run(Thread.java:619)
Caused by: com.ibm.mq.jmqi.JmqiException: CC=2;RC=2059;AMQ9204: Connection to host '127.0.0.1(1418)' rejected. [1=com.ibm.mq.jmqi.JmqiException[CC=2;RC=2059;AMQ9643: Remote SSL peer name error for channel 'qm5_ch3_ma'. [3=qm5_ch3_ma]],3=127.0.0.1(1418),5=RemoteConnection.analyseErrorSegment]
at com.ibm.mq.jmqi.remote.internal.RemoteFAP.jmqiConnect(RemoteFAP.java:1809)
at com.ibm.msg.client.wmq.internal.WMQConnection.<init>(WMQConnection.java:336)
... 20 more
Caused by: com.ibm.mq.jmqi.JmqiException: CC=2;RC=2059;AMQ9643: Remote SSL peer name error for channel 'qm5_ch3_ma'. [3=qm5_ch3_ma]
at com.ibm.mq.jmqi.remote.internal.system.RemoteConnection.analyseErrorSegment(RemoteConnection.java:4223)
at com.ibm.mq.jmqi.remote.internal.system.RemoteConnection.receiveTSH(RemoteConnection.java:2822)
at com.ibm.mq.jmqi.remote.internal.system.RemoteConnection.initSess(RemoteConnection.java:1399)
at com.ibm.mq.jmqi.remote.internal.system.RemoteConnection.connect(RemoteConnection.java:1078)
at com.ibm.mq.jmqi.remote.internal.system.RemoteConnectionPool.getConnection(RemoteConnectionPool.java:338)
at com.ibm.mq.jmqi.remote.internal.RemoteFAP.jmqiConnect(RemoteFAP.java:1488)
... 21 more
Adjust SSLPEER on the channel to match the client cert's DN name. This should allow Hermes to authenticate successfully with MA plus DN validation.
Test result with MA and DN lock-down on the MQ Server side.
Hermes, as a JMS client, can also request the MQ cert's DN for SSLPeer validation; that is, the JMS client can check the MQ server SSL cert's DN name. Below is the MQ server cert, labelled ibmwebspheremq<QMGR>, i.e. "ibmwebspheremqqm5", with CN = qm5.
Hermes will need SSLPeer (MQ server's cert) set to check for "cn=qm5".
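Putting the client-side pieces together (the JSSE truststore and keystore properties from the table above, the channel's CipherSpec expressed as a JSSE cipher suite, and the SSLPeer check on the queue manager's DN), here is an added example of a plain MQ JMS client configured the way the Hermes session in this write-up is. It is not code from the page or from HermesJMS. The host, port, channel and queue manager names are the ones in the stack trace and screenshots above; the keystore password and the queue name (SYSTEM.DEFAULT.LOCAL.QUEUE) are assumptions, and the channel's CipherSpec is taken to be TRIPLE_DES_SHA_US, whose JSSE name is SSL_RSA_WITH_3DES_EDE_CBC_SHA.

```java
import java.util.Enumeration;
import javax.jms.Connection;
import javax.jms.JMSException;
import javax.jms.Message;
import javax.jms.Queue;
import javax.jms.QueueBrowser;
import javax.jms.Session;
import com.ibm.mq.jms.JMSC;
import com.ibm.mq.jms.MQQueueConnectionFactory;

/*
 * Added example (not from the page or HermesJMS): an MQ JMS client with the same SSL
 * settings as the Hermes session above. The keystore password, queue name and the
 * CipherSpec -> cipher-suite mapping are assumptions (see the lead-in).
 */
public class SslBrowse {

    /** Factory matching the qm5_ch3_ma channel: SSLCAUTH Required plus SSLPEER. */
    static MQQueueConnectionFactory sslFactory() throws JMSException {
        // Truststore: where the QM's cert was imported in step 2 (JDK default cacerts).
        // Keystore: the client's own key + self-signed cert, trusted by the QM via the KDB.
        System.setProperty("javax.net.ssl.trustStore",
                "C:/Program Files (x86)/Java/jdk1.6.0_13/jre/lib/security/cacerts");
        System.setProperty("javax.net.ssl.trustStorePassword", "changeit"); // JDK default
        System.setProperty("javax.net.ssl.keyStore", "hermesclientkey.jks");
        System.setProperty("javax.net.ssl.keyStorePassword", "<keystore-password>");

        MQQueueConnectionFactory cf = new MQQueueConnectionFactory();
        cf.setTransportType(JMSC.MQJMS_TP_CLIENT_MQ_TCPIP);
        cf.setHostName("127.0.0.1");
        cf.setPort(1418);
        cf.setQueueManager("qm5");
        cf.setChannel("qm5_ch3_ma");
        // The channel's SSLCIPH as a JSSE suite name. Both sides must agree, otherwise the
        // handshake fails before any certificate checking happens.
        cf.setSSLCipherSuite("SSL_RSA_WITH_3DES_EDE_CBC_SHA");
        // Client-side SSLPEER: the QM's cert must not only chain to something in the
        // truststore but also carry this DN, so another cert trusted by cacerts cannot
        // stand in for qm5. A mismatch is reported as a JSSE error at connect time.
        cf.setSSLPeerName("CN=qm5");
        return cf;
    }

    /** Browse a queue over the SSL channel; returns the number of messages seen. */
    static int browse(MQQueueConnectionFactory cf, String queueName) throws JMSException {
        Connection conn = cf.createConnection(); // TLS handshake + MA happen here
        try {
            Session session = conn.createSession(false, Session.AUTO_ACKNOWLEDGE);
            Queue q = session.createQueue(queueName);
            QueueBrowser browser = session.createBrowser(q);
            Enumeration<?> msgs = browser.getEnumeration();
            int n = 0;
            while (msgs.hasMoreElements()) {
                Message m = (Message) msgs.nextElement();
                System.out.println(m.getJMSMessageID());
                n++;
            }
            browser.close();
            return n;
        } finally {
            conn.close();
        }
    }

    public static void main(String[] args) throws JMSException {
        int n = browse(sslFactory(), "SYSTEM.DEFAULT.LOCAL.QUEUE");
        System.out.println(n + " message(s) browsed over the SSL-enabled channel");
    }
}
```

Run it with the MQ JMS client jars on the classpath. The server-side counterparts are the SVRCONN channel's SSLCIPH, SSLCAUTH(Required) and SSLPEER attributes; when the channel's SSLPEER filter does not match the client cert's DN, the client sees the AMQ9643 "Remote SSL peer name error" shown above, which is the same DN mismatch in the other direction.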