I've already explained the basic concepts in MQ Adapter and SSL - Part 1. This post explains how you can configure your MQ Adapter to use One-way or Two-way SSL. To enable One-way or Two-way SSL on MQ Adapter, the following steps need to be followed. I'm outlining the simplest possible steps; once understood, they can be modified based on your security needs.
- Get the Public certificate (.DER, .CER) of the MQ Server Queue Manager. Ask your MQ server Admin to give this to you.
- Import this certificate into the default Weblogic Trust store at <WL_HOME>/server/lib/DemoTrust.jks, or into your custom trust keystore if you use one (all Public certs are stored here because Weblogic trusts the certs imported here), using the following command. You need the keytool utility to execute the following commands.
keytool -import -alias <choose_name_for_this_entry> -file <public_cert_received> -keystore DemoTrust.jks -storepass DemoTrustKeyStorePassPhrase
- Verify the imported certificate by running the following command. Your entry should be present in the listing.
keytool -list -v -keystore DemoTrust.jks -storepass DemoTrustKeyStorePassPhrase
Note: Below 3 steps are required only for configuring Two-way SSL on MQ Adapter. For One-way SSL, you must skip these steps.
For Two-way SSL, you need to provide the Weblogic Public certificate to the MQ server Admin team so that they can import it into the MQ Server's Trust store. Follow the additional 2 steps for Two-way SSL.
1. Extract the PUBLIC certificate of your Weblogic from its identity keystore and give this certificate to the MQ Server team.
keytool -export -alias demoidentity -file WLS_PUBLIC_CERT.der -keystore <WL_HOME>\server\lib\DemoIdentity.jks -storepass DemoIdentityKeyStorePassPhrase
2. Ask MQ server Admin to import the given certificate into the Server Trust store being used by the Queue Manager that you connect to.
3. Ensure that the Private key and Identity Keystore passwords of your Keystore are the same. Hence, change the keystore password to the Private key password by executing the following command.
keytool -storepasswd -new DemoIdentityPassPhrase -keystore <WL_HOME>\server\lib\DemoIdentity.jks
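Before moving on to the JNDI, it is worth confirming that the import in the verification step above actually produced the entry you expect, and that the certificate you imported is the one the MQ administrator meant to hand over. The following is an added example, not part of the original post and not an Oracle or IBM API: it parses the text that `keytool -list -v` prints, looks up the alias you chose, and checks that it is a trustedCertEntry, that its SHA256 fingerprint equals the value received out of band from the MQ team, and that the certificate is inside its validity window. SAMPLE_LISTING is a constructed excerpt in that format built from the certificate details a reader posted in the comments below; EXPECTED_SHA256 is that certificate's fingerprint, and `listing_from_keytool` is a helper assumed here for running the real command.

```python
"""Check a `keytool -list -v` dump for the imported MQ queue manager certificate.

Added example (not from the original post). Parses keytool's verbose listing
and validates the trusted-certificate entry against an out-of-band fingerprint.
"""
import re
import subprocess
from datetime import datetime, timezone

# Constructed sample of `keytool -list -v` output: the trusted MQ cert (details
# taken from a comment on this page) followed by the stock identity entry.
SAMPLE_LISTING = """\
Keystore type: JKS
Keystore provider: SUN

Your keystore contains 2 entries

Alias name: mqaaca
Creation date: Dec 15, 2015
Entry type: trustedCertEntry

Owner: CN=Personal Certificate for MQAA, OU=Company, C=GB
Issuer: OU=Company SSL CA, O=Company SSL, C=GB
Serial number: 1
Valid from: Fri Dec 04 00:00:00 UTC 2015 until: Mon Dec 31 23:59:59 UTC 2040
Certificate fingerprints:
     MD5:  1E:CC:BE:78:97:27:73:5A:AC:9C:BA:A7:F1:86:CB:17
     SHA1: 6B:E7:82:77:FC:57:EC:CE:A8:DD:8E:C0:B4:83:20:69:4B:59:D8:CC
     SHA256: 91:D8:B1:83:08:A4:6A:AE:9E:1A:0B:E5:44:D0:CD:DF:EC:BA:7D:9C:81:98:C4:5A:77:6C:6A:7F:E1:53:F3:BC
Signature algorithm name: SHA256withRSA
Version: 3


*******************************************
*******************************************


Alias name: demoidentity
Creation date: Jan 10, 2015
Entry type: PrivateKeyEntry
Certificate chain length: 1
"""

# Fingerprint the MQ administrator communicates separately from the .der file.
EXPECTED_SHA256 = ("91:D8:B1:83:08:A4:6A:AE:9E:1A:0B:E5:44:D0:CD:DF:"
                   "EC:BA:7D:9C:81:98:C4:5A:77:6C:6A:7F:E1:53:F3:BC")

DATE_FMT = "%a %b %d %H:%M:%S %Z %Y"  # keytool's 'Valid from' date format
ALIAS_RE = re.compile(r"^Alias name: (.+)$", re.M)
TYPE_RE = re.compile(r"^Entry type: (.+)$", re.M)
VALID_RE = re.compile(r"^Valid from: (.+?) until: (.+)$", re.M)
SHA256_RE = re.compile(r"^\s*SHA256: ([0-9A-Fa-f:]+)\s*$", re.M)


def parse_keytool_date(text):
    """Turn 'Fri Dec 04 00:00:00 UTC 2015' into an aware UTC datetime."""
    return datetime.strptime(text.strip(), DATE_FMT).replace(tzinfo=timezone.utc)


def parse_listing(listing):
    """Map alias -> fields for every entry in a `keytool -list -v` dump."""
    entries = {}
    # Every entry starts at its 'Alias name:' line; the keystore header has none.
    for chunk in re.split(r"(?m)(?=^Alias name: )", listing):
        alias = ALIAS_RE.search(chunk)
        if not alias:
            continue
        entry = {"alias": alias.group(1).strip(), "entry_type": None,
                 "not_before": None, "not_after": None, "sha256": None}
        m = TYPE_RE.search(chunk)
        if m:
            entry["entry_type"] = m.group(1).strip()
        m = VALID_RE.search(chunk)
        if m:
            entry["not_before"] = parse_keytool_date(m.group(1))
            entry["not_after"] = parse_keytool_date(m.group(2))
        m = SHA256_RE.search(chunk)
        if m:
            entry["sha256"] = m.group(1).replace(":", "").upper()
        entries[entry["alias"]] = entry
    return entries


def check_trusted_cert(listing, alias, expected_sha256, now=None):
    """Return a list of problems; an empty list means the import looks right."""
    now = now or datetime.now(timezone.utc)
    entry = parse_listing(listing).get(alias)
    if entry is None:
        return [f"alias {alias!r} not found in keystore"]
    problems = []
    if entry["entry_type"] != "trustedCertEntry":
        problems.append(f"alias {alias!r} is a {entry['entry_type']}, not a trustedCertEntry")
    if entry["sha256"] != expected_sha256.replace(":", "").upper():
        problems.append("SHA256 fingerprint does not match the value received out of band")
    if entry["not_before"] is None or not (entry["not_before"] <= now <= entry["not_after"]):
        problems.append("certificate is not within its validity period")
    return problems


def listing_from_keytool(keystore, storepass):
    """Assumed helper: run the real `keytool -list -v` and return its output."""
    cmd = ["keytool", "-list", "-v", "-keystore", keystore, "-storepass", storepass]
    return subprocess.run(cmd, capture_output=True, text=True, check=True).stdout


if __name__ == "__main__":
    # Replace SAMPLE_LISTING with listing_from_keytool("DemoTrust.jks", "...") for a live check.
    for line in check_trusted_cert(SAMPLE_LISTING, "mqaaca", EXPECTED_SHA256) or ["OK: mqaaca verified"]:
        print(line)
```

The fingerprint comparison is the part that matters: a .der file received by e-mail can be swapped on the way, and comparing the SHA256 value against one obtained through a separate channel is what turns "the import succeeded" into "the right certificate is trusted".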
- The next step is to create a simple BPEL process with MQ Adapter that connects to MQ using a JNDI configured on Weblogic Server. The key to configuring SSL on MQ Adapter lies in this JNDI alone. To create a JNDI for MQ Adapter, follow the post How to create MQ Adapter JNDI.
- Once the JNDI is configured successfully and tested with a dummy BPEL process, edit the following JNDI properties. Remember to hit Enter after updating each property.
| S. No | Property Name | Property Value | Description |
|---|---|---|---|
| 1 | channelName | <Channel Name> | The name of the channel, which is of server-connection type. Ask your MQ Server Admin to provide this detail. Your process will connect to this channel. |
| 2 | CipherSuite | SSL_RSA_EXPORT_WITH_RC4_40_MD5 | Cipher suite that will be used for message encryption. Ensure that this is the same as the CipherSpec set on the above channel, e.g. the CipherSpec to be set on the Server Connection Channel for the mentioned CipherSuite is RC4_MD5_EXPORT. |
| 3 | hostName | <Host Name> | The host name of the MQ server. |
| 4 | KeyStoreLocation | <Keystore Location> | For One-way SSL, set this to the location of the keystore in which you imported the Public certificate of the MQ Server (in our example DemoTrust.jks); this property will be the same as TrustStoreLocation in One-way SSL. For Two-way SSL, specify the location of the Identity keystore (in our example DemoIdentity.jks). |
| 5 | KeyStorePassword | <Keystore Password> | Specify the password to access the above keystore. |
| 6 | KeyStoreType | jks | By default this is Java Keystore (jks). Ensure you create the Keystore of the .jks type. |
| 7 | password | <Password to access MQ> | Specify the password to access the MQ Server. |
| 8 | portNumber | <MQ Server Port> | Network port to connect to the MQ server. |
| 9 | Protocol | TLS | The algorithm used to manage the keys. Default value is TLS. Keep it as it is. |
| 10 | queueManagerName | <Queue Manager name on MQ Server> | The Queue Manager provides access to the queues and also transfers messages to other queue managers through message channels. |
| 11 | SSLEnable | true | Set this value to true to tell MQ Adapter to use SSL. |
| 12 | TrustStoreLocation | <Keystore Location> | Provide the Trust keystore location (e.g. /dir/DemoTrust.jks) in which you imported the PUBLIC cert of the MQ Queue Manager. |
| 13 | TrustStorePassword | <Keystore Password> | Provide the password for the Trust Store. |
| 14 | userID | <username to connect MQ> | User Id to access the MQ server. |
| 15 | XATransaction | false | By default this is false. |
- Save the properties and Update the Adapter as given in the create JNDI post.
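Most SSL failures on this adapter come from the property set itself being inconsistent rather than from the keystores, and the only feedback the adapter gives is a failed connection at runtime (the comments below show reason code 2400, the cipher mismatch case). The following is an added example, not part of the original post and not part of the Oracle MQ Adapter: it takes the JNDI property values from the table above as a plain dict, together with the CipherSpec the MQ administrator set on the server-connection channel, and reports the mistakes worth catching before you click Update: SSL not enabled, a CipherSuite that does not pair with the channel's CipherSpec, a keystore type other than jks, missing locations or passwords, and the One-way/Two-way KeyStoreLocation mix-up. It also warns when the chosen suite is export-grade or uses RC4 or MD5, which applies to the SSL_RSA_EXPORT_WITH_RC4_40_MD5 value used in the table. CIPHERSPEC_TO_SUITE holds only the two pairs named on this page, and ONE_WAY_EXAMPLE is a constructed property set with placeholder host and channel names.

```python
"""Pre-flight consistency check for MQ Adapter JNDI SSL properties.

Added example (not from the original post or the Oracle MQ Adapter). The
mapping covers only the CipherSpec/CipherSuite pairs mentioned on this page;
extend it from the IBM MQ documentation for your queue manager version.
"""

# CipherSpec (set on the MQ channel) -> CipherSuite (set on the adapter JNDI).
CIPHERSPEC_TO_SUITE = {
    "RC4_MD5_EXPORT": "SSL_RSA_EXPORT_WITH_RC4_40_MD5",
    "TLS_RSA_WITH_AES_128_CBC_SHA": "TLS_RSA_WITH_AES_128_CBC_SHA",
}
# Substrings that mark a suite as weak: 40-bit export keys, RC4, MD5, no encryption/auth.
WEAK_MARKERS = ("EXPORT", "RC4", "MD5", "NULL", "ANON")
REQUIRED = ("channelName", "hostName", "portNumber", "queueManagerName",
            "KeyStoreLocation", "KeyStorePassword",
            "TrustStoreLocation", "TrustStorePassword")

# Constructed One-way SSL property set following the table (placeholder values).
ONE_WAY_EXAMPLE = {
    "channelName": "SSL.SVRCONN", "hostName": "mq.example.test", "portNumber": "1414",
    "queueManagerName": "QM1", "userID": "mqapp", "password": "<password>",
    "SSLEnable": "true", "Protocol": "TLS",
    "CipherSuite": "SSL_RSA_EXPORT_WITH_RC4_40_MD5", "KeyStoreType": "jks",
    "KeyStoreLocation": "/wls/server/lib/DemoTrust.jks",
    "KeyStorePassword": "DemoTrustKeyStorePassPhrase",
    "TrustStoreLocation": "/wls/server/lib/DemoTrust.jks",
    "TrustStorePassword": "DemoTrustKeyStorePassPhrase",
    "XATransaction": "false",
}


def validate_ssl_properties(props, mode, channel_cipherspec):
    """mode is 'one-way' or 'two-way'. Returns (errors, warnings) as lists of strings."""
    if mode not in ("one-way", "two-way"):
        raise ValueError("mode must be 'one-way' or 'two-way'")
    errors, warnings = [], []
    get = lambda key: str(props.get(key, "")).strip()

    for key in REQUIRED:
        if not get(key):
            errors.append(f"{key} is not set")
    if get("SSLEnable").lower() != "true":
        errors.append("SSLEnable must be 'true' for an SSL-enabled channel")
    if get("Protocol") != "TLS":
        warnings.append(f"Protocol is {get('Protocol')!r}; the default TLS is expected")
    if get("KeyStoreType").lower() != "jks":
        errors.append(f"KeyStoreType is {get('KeyStoreType')!r}; the adapter expects jks")

    # The adapter's CipherSuite must be the JSSE name paired with the channel's CipherSpec.
    suite = get("CipherSuite")
    expected = CIPHERSPEC_TO_SUITE.get(channel_cipherspec)
    if not suite:
        errors.append("CipherSuite is empty; an SSL channel needs the suite paired with its CipherSpec")
    elif expected is None:
        warnings.append(f"no CipherSuite mapping known for CipherSpec {channel_cipherspec}; "
                        "verify against the IBM MQ documentation")
    elif suite != expected:
        errors.append(f"CipherSuite {suite} does not pair with CipherSpec {channel_cipherspec} "
                      f"(expected {expected}); MQ reports this as reason code 2400")
    weak = [m for m in WEAK_MARKERS if m in suite]
    if suite and weak:
        warnings.append(f"CipherSuite {suite} is weak ({', '.join(weak)}); "
                        "prefer an AES/SHA-2 suite the queue manager supports")

    # One-way: KeyStoreLocation is the trust store. Two-way: it is the identity keystore.
    keystore, truststore = get("KeyStoreLocation"), get("TrustStoreLocation")
    if keystore and truststore:
        if mode == "one-way" and keystore != truststore:
            errors.append("One-way SSL: KeyStoreLocation should be the trust store, "
                          "same as TrustStoreLocation")
        if mode == "two-way" and keystore == truststore:
            errors.append("Two-way SSL: KeyStoreLocation must be the identity keystore "
                          "holding WebLogic's private key, not the trust store")
    return errors, warnings


if __name__ == "__main__":
    errs, warns = validate_ssl_properties(ONE_WAY_EXAMPLE, "one-way", "RC4_MD5_EXPORT")
    for line in errs:
        print("ERROR:", line)
    for line in warns:
        print("WARNING:", line)
```

Run against the table's own values the check passes with one warning about the export-grade RC4/MD5 suite; swapping in an AES suite without changing the channel's CipherSpec produces the mismatch error that the adapter would otherwise only report as reason code 2400 at first connection.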
Troubleshooting:
- In case you encounter any errors, set the following EXTRA_JAVA_PROPERTIES in the setDomainEnv.sh (or setDomainEnv.cmd) file and restart the servers (shown here in the setDomainEnv.cmd form).
set EXTRA_JAVA_PROPERTIES=%EXTRA_JAVA_PROPERTIES% -Dssl.debug=true -Dweblogic.StdoutDebugEnabled=true -Dweblogic.security.SSL.verbose=true
- This will generate verbose logs for SSL to help you diagnose the errors. Check the log below for diagnosis.
<DOMAIN_HOME>/servers/soa_server1/logs/soa_server1.log
Hi,
When I try to establish SSL connectivity to MQ SSL channel from Oracle SOA Suite - MQ adapter, I get the below error:
Exception occurred when binding was invoked. Exception occurred during invocation of JCA binding: "JCA Binding execute of Reference operation 'Enqueue' failed due to: JCA Binding Component connection issue. JCA Binding Component is unable to create an outbound JCA (CCI) connection. PutShipmentMessageIntoMQ:MQ_PutShipmentStatusUpdate [ Enqueue_ptt::Enqueue(body) ] : The JCA Binding Component was unable to establish an outbound JCA CCI connection due to the following issue: BINDING.JCA-13001 Failed to connect to QueueManager. Failed to connect to QueueManager. [ManagedConnectionImpl] Error while connecting to QueueManager: "MQAA". Refer WebSphere MQ Reference Manual for Reason Code 2,400 and fix the cause of the error.
Steps followed:
1. Imported Public certificate (.DER, .CER) of the MQ Server Queue Manager certificate into Weblogic Trust store
Certificate details:
Alias name: mqaaca
Creation date: Dec 15, 2015
Entry type: trustedCertEntry
Owner: CN=Personal Certificate for MQAA, OU=Company, C=GB
Issuer: OU=Company SSL CA, O=Company SSL, C=GB
Serial number: 1
Valid from: Fri Dec 04 00:00:00 UTC 2015 until: Mon Dec 31 23:59:59 UTC 2040
Certificate fingerprints:
MD5: 1E:CC:BE:78:97:27:73:5A:AC:9C:BA:A7:F1:86:CB:17
SHA1: 6B:E7:82:77:FC:57:EC:CE:A8:DD:8E:C0:B4:83:20:69:4B:59:D8:CC
SHA256: 91:D8:B1:83:08:A4:6A:AE:9E:1A:0B:E5:44:D0:CD:DF:EC:BA:7D:9C:81:98:C4:5A:77:6C:6A:7F:E1:53:F3:BC
Signature algorithm name: SHA256withRSA
Version: 3
2. Configured the MQ outbound connection pool:
Queue Manager and connection details configured.
Channel name: FUSIONSSL
KeyStoreLocation -> identity.jks
KeyStorePassword -> <>
TrustStoreLocation -> trust.jks
Protocol: TLS
CipherSuite: TLS_RSA_WITH_AES_128_CBC_SHA (same is set as CipherSpec on the MQ channel)
SSLPeerName: null
SSLEnable = true
CipherSpec configured on FUSIONSSL channel: TLS_RSA_WITH_AES_128_CBC_SHA
The MQ error reason code 2400 indicates a mismatch in the Ciphersuite and cipherspec combination used. I've tried TLS_RSA_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA256 and TLS_RSA_WITH_AES_256_CBC_SHA256 as the CipherSuites in the adapter configuration without any luck.
I've also found that there are some incompatibility issues with IBM MQ when connected from a non-IBM JRE (http://www-01.ibm.com/support/docview.wss?uid=swg1IV66840 )
I'm able to communicate successfully with the MQ queues over a non-SSL channel.
Please help.
Thanks
Sorted, thanks. Important is that the MQ jars in FMW have to be consistent with what is on the MQ server. The IBM APAR had changed the jars. Also, the 2-way SSL is a must, so the necessary public certs are to be imported at both MQ and FMW ends.
I am seeing the below error while connecting to MQ V9 Server:
Exception occurred when binding was invoked.
Exception occurred during invocation of JCA binding: "JCA Binding execute of Reference operation 'Enqueue' failed due to: JCA Binding Component connection issue.
JCA Binding Component is unable to create an outbound JCA (CCI) connection.
DOMAIN: HTTP2MQ9Tester:mqReference [ Enqueue_ptt::Enqueue(body) ] : The JCA Binding Component was unable to establish an outbound JCA CCI connection due to the following issue: BINDING.JCA-13001
Failed to connect to QueueManager.
Failed to connect to QueueManager.
[ManagedConnectionImpl] Error while connecting to QueueManager: "WMQT524".
Refer WebSphere MQ Reference Manual for Reason Code 2,035 and fix the cause of the error.
Please make sure that the JCA connection factory and any dependent connection factories have been configured with a sufficient limit for max connections. Please also make sure that the physical connection to the backend EIS is available and the backend itself is accepting connections.
".
The invoked JCA adapter raised a resource exception.
Please examine the above error message carefully to determine a resolution.