Sunday, June 10, 2012

Enabling SSL on MQ Series Adapter - Part 2

I've already explained the basic concepts in MQ Adapter and SSL - Part 1. This post explains how you can configure your MQ Adapter to use One-way or Two-way SSL.  To enable One-way or Two-way SSL on MQ Adapter, following steps need to be followed. I'm outlining the simplest possible steps. Once understood, they can be modified based on your security needs.
  • Get the Public certificate (.DER, .CER) of the MQ Server Queue Manager. Ask your MQ server Admin to give this to you.
  • Import this certificate into default Weblogic Trust store or you custom keystore if any (all Public certs are stored here because Weblogic trusts the certs imported here) at <WL_HOME>/server/lib/DemoTrust.jks using the following command. You need the keytool utility to execute following commands.
keytool -import -alias <choose_name_for_this_entry> -file <public_cert_received> -keystore DemoTrust.jks -storepass DemoTrustKeyStorePassPhrase
  • Verify the imported certificate by running following command. Your entry should be present here. 
keytool -list -v -keystore DemoTrust.jks -storepass DemoTrustKeyStorePassPhrase
Note: Below 3 steps are required only for configuring Two-way SSL on MQ Adapter. For One-way SSL, you must skip these steps.

For Two-way SSL, you need to provide Weblogic Public certificate to MQ server Admin team so that they can import it in MQ Server's Trust store. Follow the additional 2 steps for Two-way SSL.
1. Extract the PUBLIC certificate of your Weblogic from its identity and give this certficate to MQ Server team.
keytool -export -alias demoidentity -file WLS_PUBLIC_CERT.der -keystore <WL_HOME>\server\lib\DemoIdentity.jks -storepass DemoIdentityKeyStorePassPhrase
2. Ask MQ server Admin to import the given certificate into the Server Trust store being used by the Queue Manager that you connect to.
 3. Ensure that the Private key and Identity Keystore passwords of your Keystore are same. Hence, change the keystore password to the Private key password by executing the following command.
keytool -storepasswd -new DemoIdentityPassPhrase -keystore <WL_HOME>\server\lib\DemoIdentity.jks
  • Next step is to create a simple BPEL process with MQ Adapter that connects to MQ using a JNDI configured on Weblogic Server. The key to configure SSL on MQ Adapter lies in this JNDI only.  To create a JNDI for MQ Adapter,  Follow How to create MQ Adapter JNDI . 
  • Once the JNDI is configured successfully and tested with a dummy BPEL process, edit the following JNDI properties. Remember to hit Enter after updating each property.
S. No
Property Name
Property Value
Description
1
channelName
<Channel Name>
The name of the channel which is of server-conection type. Ask your MQ Server Admin to provide with this detail. Your process will connect to this channel.
2
CipherSuite
SSL_RSA_EXPORT_WITH_ RC4_40_MD5
Cipher suite that will be used for Message Encryption. Ensure that this is same as CipherSpec set on the above channel. e.g. for CipherSpec to be set on Server Connection Channel for the mentioned CipherSuite is RC4_MD5_EXPORT
3
hostName 
<Host Name>
The host name of the MQ server
4
KeyStoreLocation
<Keystore Location>
For One-way SSL, specify this to the location of the keystore in which you imported the Public certificate of the MQ Server (in our example DemoTrust.jks). This property will be same as TrustStoreLocation in One-way SSL.

However, for Two-way SSL, specify the location of Identity keystore (in our example DemoIdentity,jks)
5
KeyStorePassword
<Keystore Password>
Specify the password to access the above keystore
6
KeyStoreType
jks
By default this is Java Keystore (jks). Ensure you create the Keystore of the .jks type.
7
password
<Password to access MQ>
Specify the password to access the MQ Server
8
portNumber
<MQ Server Port>
Network port to connect to MQ server
9
Protocol
TLS
The algorigthm used to manage the Keys. Default Value is TLS. Keep it as it is.
10
queueManagerName
<Queue Manager name on MQ Server>
Queue Manager provides access to the queues and also transfers messages to other queue managers through message channels.
11
SSLEnable
true
Set this value to true to tell MQ Adapter to use SSL
12
TrustStoreLocation
<Keystore Location>
Provide the Trust keystore location (e.g. /dir/DemoTrust.jks) in which you imported the PUBLIC cert of the MQ Queue Manager.
13
TrustStorePassword
<Keystore Password>
Provide the password for Trust Store
14
userID
<username to connect MQ>
User Id to access MQ server
15
XATransaction
false
By default this is False
  • Save the properties and Update the Adapter as given in create JNDI post.
And it's done. This will enable One-way SSL (or Two-way SSL) for your MQ Adapter communication.

Troubleshooting:
  • In case you encounter any errors, set the following EXTRA_JAVA_PROPERTIES in setDomainEnv.sh (or setDomainEnv.cmd) file and restart the servers.
set EXTRA_JAVA_PROPERTIES=%EXTRA_JAVA_PROPERTIES% -Dssl.debug=true -Dweblogic.StdoutDebugEnabled=true -Dweblogic.security.SSL.verbose=true
  • This will generate verbose logs for SSL to help you diagnose the errors. See the below logs for diagnosis.
<DOMAIN_HOME>/servers/soa_server1/logs/soa_server1.log
Still if you encounter any problems, I'm happy to help!

3 comments:

  1. Hi,
    When I try to establish SSL connectivity to MQ SSL channel from Oracle SOA Suite - MQ adapter, I get the below error:
    0Exception occured when binding was invoked. Exception occured during invocation of JCA binding: "JCA Binding execute of Reference operation 'Enqueue' failed due to: JCA Binding Component connection issue. JCA Binding Component is unable to create an outbound JCA (CCI) connection. PutShipmentMessageIntoMQ:MQ_PutShipmentStatusUpdate [ Enqueue_ptt::Enqueue(body) ] : The JCA Binding Component was unable to establish an outbound JCA CCI connection due to the following issue: BINDING.JCA-13001 Failed to connect to QueueManager. Failed to connect to QueueManager. [ManagedConnectionImpl] Error while connecting to QueueManager: "MQAA". Refer WebSphere MQ Reference Manual for Reason Code 2,400 and fix the cause of the error.

    Steps followed:
    1. Imported Public certificate (.DER, .CER) of the MQ Server Queue Manager certificate into Weblogic Trust store

    Certificate details:
    Alias name: mqaaca
    Creation date: Dec 15, 2015
    Entry type: trustedCertEntry
    Owner: CN=Personal Certificate for MQAA, OU=Company, C=GB
    Issuer: OU=Company SSL CA, O=Company SSL, C=GB
    Serial number: 1
    Valid from: Fri Dec 04 00:00:00 UTC 2015 until: Mon Dec 31 23:59:59 UTC 2040
    Certificate fingerprints:
    MD5: 1E:CC:BE:78:97:27:73:5A:AC:9C:BA:A7:F1:86:CB:17
    SHA1: 6B:E7:82:77:FC:57:EC:CE:A8:DD:8E:C0:B4:83:20:69:4B:59:D8:CC
    SHA256: 91:D8:B1:83:08:A4:6A:AE:9E:1A:0B:E5:44:D0:CD:DF:EC:BA:7D:9C:81:98:C4:5A:77:6C:6A:7F:E1:53:F3:BC
    Signature algorithm name: SHA256withRSA
    Version: 3

    2. Configured the MQ outbound connection pool:
    Queue Manager and connection details configured.
    Channel name: FUSIONSSL
    KeyStoreLocation -> identity.jks
    KeyStorePassword -> <>
    TrustStoreLocation -> trust.jks
    Protocol: TLS
    CipherSuite: TLS_RSA_WITH_AES_128_CBC_SHA (same is set as CipherSpec on the MQ channel)
    SSLPeerName: null
    SSLEnable = true
    CipherSpec configured on FUSIONSSL channel: TLS_RSA_WITH_AES_128_CBC_SHA

    The MQ error reason code 2400 indicates a mimatch in the Ciphersuite and cipherspec combination used. I've tried TLS_RSA_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA256 and TLS_RSA_WITH_AES_256_CBC_SHA256 as the CipherSuites in the adapter configuration without any luck.
    I've also found that there are some incompatibilty issues with IBM MQ when connected from non-IBM JRE (http://www-01.ibm.com/support/docview.wss?uid=swg1IV66840 )

    I'm able to communicate successfully with the MQ queues over a non-SSL channel.
    Please help.
    Thanks

    ReplyDelete
    Replies
    1. sorted thanks. Important is the MQ jars in FMW have to be consistent with what are there in the MQ server. IBM APAR had changed the jars. Also, the 2-way ssl is must, so necessary public certs to be imported at both MQ and FMW ends.

      Delete
  2. i am seeing below error while connecting to MQ V9 Server:

    Exception occurred when binding was invoked.
    Exception occurred during invocation of JCA binding: "JCA Binding execute of Reference operation 'Enqueue' failed due to: JCA Binding Component connection issue.
    JCA Binding Component is unable to create an outbound JCA (CCI) connection.
    DOMAIN: HTTP2MQ9Tester:mqReference [ Enqueue_ptt::Enqueue(body) ] : The JCA Binding Component was unable to establish an outbound JCA CCI connection due to the following issue: BINDING.JCA-13001
    Failed to connect to QueueManager.
    Failed to connect to QueueManager.
    [ManagedConnectionImpl] Error while connecting to QueueManager: "WMQT524".
    Refer WebSphere MQ Reference Manual for Reason Code 2,035 and fix the cause of the error.

    Please make sure that the JCA connection factory and any dependent connection factories have been configured with a sufficient limit for max connections. Please also make sure that the physical connection to the backend EIS is available and the backend itself is accepting connections.
    ".
    The invoked JCA adapter raised a resource exception.
    Please examine the above error message carefully to determine a resolution.

    ReplyDelete