I've encountered a problem with setting tls on my queue manager.
Here are the commands that I've used on my windows 10 to create and setup queue manager aswell as channel and keystores.
"C:\Program Files\IBM\MQ\bin64\crtmqm.exe" QMTLS
"C:\Program Files\IBM\MQ\bin64\strmqm.exe" QMTLS
"C:\Program Files\IBM\MQ\bin64\runmqsc.exe" QMTLS
DEF LISTENER(TCP.1416) TRPTYPE(TCP) CONTROL(QMGR) PORT(1416) REPLACE
START LISTENER(TCP.1416)
DEF CHL(CONNECTION.TLS) CHLTYPE(SVRCONN) TRPTYPE(TCP) SSLCIPH('TLS_RSA_WITH_AES_128_CBC_SHA256') SSLCAUTH(REQUIRED) DESCR('Channel with tls support')
DEFINE CHANNEL (CONNECTION.TLS) CHLTYPE (CLNTCONN) TRPTYPE (TCP) CONNAME (127.0.0.1) QMNAME (QMTLS) SSLCIPH('TLS_RSA_WITH_AES_128_CBC_SHA256') MAXMSGL (104857600) DESCR ('Client connection to Server')
exit
cd C:\ProgramData\IBM\MQ\qmgrs\QMTLS\ssl
"C:\Program Files\IBM\MQ\bin64\runmqakm.exe" -keydb -create -db key.kdb -pw passw0rd -stash
"C:\Program Files\IBM\MQ\bin64\runmqakm.exe" -cert -create -db key.kdb -label ibmwebspheremqqmtls -stashed -size 2048 -sigalg SHA256WithRSA -dn CN=QMTLS -fips -ca false
"C:\Program Files\IBM\MQ\bin64\runmqakm.exe" -cert -extract -db key.kdb -label ibmwebspheremqqmtls -target qmtls.arm -stashed
mkdir jks
cd jks
"C:\Program Files\IBM\MQ\java\jre\bin\keytool.exe" -genkey -alias ibmwebspheremquser -keyalg RSA -sigalg SHA256withRSA -dname "cn=user#example.com,C=US" -keystore userkey.jks -storetype jks -storepass passw0rd -keypass passw0rd -validity 365 -keysize 2048
"C:\Program Files\IBM\MQ\java\jre\bin\keytool.exe" -export -keystore userkey.jks -alias ibmwebspheremquser -storepass passw0rd -file userkey.arm -rfc
cd ..
copy jks\userkey.arm userkey.arm
"C:\Program Files\IBM\MQ\bin64\runmqakm.exe" -cert -add -db key.kdb -stashed -file userkey.arm -label userkey -trust enable -fips
copy qmtls.arm jks\qmtls.arm
cd jks
"C:\Program Files\IBM\MQ\java\jre\bin\keytool.exe" -import -alias QMTLS -file qmtls.arm -storepass passw0rd -keystore userkey.jks
"C:\Program Files\IBM\MQ\bin64\runmqsc.exe" QMTLS
SET CHLAUTH('CONNECTION.TLS') TYPE(BLOCKUSER) USERLIST('*NOACCESS') DESCR('allow access to tls') WARN(NO) ACTION(ADD)
refresh security type(ssl)
exit
When I try to connect directly to queue manager with channel CONNECTION.TLS and userkey.jks keystore I get an error AMQ4199 with message:
Queue manager QMTLS is not available for client connection due to an SSL configuration error. (AMQ4199)
Queue manager QMTLS is not available for client connection due to an SSL configuration error. (AMQ4199)
Severity: 30 (Severe Error)
Explanation: The user is trying to connect to a remote queue manager using a secure connection.
Response: Check the SSL configuration of the target queue manager and the local SSL trust store.
Related
I'm trying to connect to a SSL enabled MQ channel in order to place a message using JMS(within Spring boot app) . below are the connection factory properties set before sending the message. I'm getting the
following error when jms trying to put the message.
Caused by: com.ibm.mq.MQException: JMSCMQ0001: IBM MQ call failed with compcode '2' ('MQCC_FAILED') reason '2397' ('MQRC_JSSE_ERROR')....
.....
at com.ibm.msg.client.wmq.common.internal.Reason.createException(Reason.java:203)
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at java.base/sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:439)
at java.base/sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:306)
at java.base/sun.security.validator.Validator.validate(Validator.java:264)
at java.base/sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:231)
at java.base/sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:132)
at java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.checkServerCerts(CertificateMessage.java:638)
... 81 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at java.base/sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141)
at java.base/sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126)
at java.base/java.security.cert.CertPathBuilder.build(CertPathBuilder.java:297)
at java.base/sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:434)
** certificates are already installed at QM level. it seems jms client is not picking the root certificate from the specified location. the CA root certificate(myCAcertfile.cer) (self signed) was generated using runmqckm tool in IBM mq.
MQ channel information
CHANNEL(KAU.CONN) CHLTYPE(SVRCONN)
ALTDATE(2014-02-28) ALTTIME(17.28.55)
CERTLABL( ) COMPHDR(NONE)
COMPMSG(NONE)
DESCR(Server-connection to windows host)
DISCINT(0) HBINT(300)
KAINT(AUTO) MAXINST(999999999)
MAXINSTC(999999999) MAXMSGL(4194304)
MCAUSER( ) MONCHL(QMGR)
RCVDATA( ) RCVEXIT( )
SCYDATA( ) SCYEXIT( )
SENDDATA( ) SENDEXIT( )
SHARECNV(10) SSLCAUTH(REQUIRED)
SSLCIPH(TLS_RSA_WITH_AES_128_CBC_SHA256)
SSLPEER( ) TRPTYPE(TCP)
JMS connection factory properties
// Create a connection factory
JmsFactoryFactory ff = JmsFactoryFactory.getInstance(WMQConstants.WMQ_PROVIDER);
JmsConnectionFactory cf = ff.createConnectionFactory();
// Set the properties
cf.setStringProperty(WMQConstants.WMQ_HOST_NAME, HOST);
cf.setIntProperty(WMQConstants.WMQ_PORT, PORT);
cf.setStringProperty(WMQConstants.WMQ_CHANNEL, CHANNEL);
cf.setIntProperty(WMQConstants.WMQ_CONNECTION_MODE, WMQConstants.WMQ_CM_CLIENT);
cf.setStringProperty(WMQConstants.WMQ_QUEUE_MANAGER, QMGR);
cf.setStringProperty(WMQConstants.WMQ_APPLICATIONNAME, "Manual message publihser");
cf.setBooleanProperty(WMQConstants.USER_AUTHENTICATION_MQCSP, true);
cf.setStringProperty(WMQConstants.USERID, "");
cf.setStringProperty(WMQConstants.PASSWORD, "");
System.setProperty("com.ibm.mq.cfg.useIBMCipherMappings", "false" );
cf.setStringProperty("Djavax.net.ssl.trustStore", "D:\\mq-message-handler-1.0\\ssl\\myCAcertfile.cer");
cf.setStringProperty(WMQConstants.WMQ_SSL_CIPHER_SUITE, "TLS_RSA_WITH_AES_128_CBC_SHA256");
Commands used to create CA's certificate
runmqckm -keydb -create -db myCA.kdb -type cms -pw mycakeypassword -stash
runmqckm -cert -create -db myCA.kdb -type cms -label "myCAcertificate" -dn "CN=demmoCA,O=DemmoOrg,OU=DemmoDepartment,L=DemmoLocation,C=UK" -expire 1000 -size 1024
runmqckm -cert -extract -db myCA.kdb -type cms -label "myCAcertificate" -target myCAcertfile.cer -format ascii -stashed
then created the keystore for the client using above certificate using key tool
keytool -keystore kautstclient.jks -genkey -alias winclientcert -storepass clientpassword
keytool -import -keystore kautstclient.jks -file myCAcertfile.cer -alias theCARoot
30/02/2022 update > I have now added the certificates to the client side using below commands.
generating client side's CA to self sign the client's certificate
================================================================
openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365
creating certificate request from the jks in order to signed by the above CA.
===========================================================================
keytool -certreq -v -alias winclientcert -file kauclient.csr -keypass clientpassword -storepass clientpassword -keystore kautstclient.jks
signing the certificate requst(csr file) using the generated CA key
==================================================
openssl x509 -req -in kauclient.csr -CA cert.pem -CAkey key.pem -CAcreateserial -out kauclientown.crt
Import the the signed and then provided certificate certificate into your keystore using the following command:
========================================================================================
keytool -import -v -alias kauclientowncert -file kauclientown.crt -keystore kautstclient.jks -keypass clientpassword -storepass clientpassword
adding the client's key signed root CA in to queue manager's key.db
=================================================================
runmqckm -cert -add -db myqmgr.kdb -file cert.pem -label kauclientsignercertificate
Djavax.net.ssl.trustStore is not a connection factory property. You need to pass it as a Java system property. The value of the property needs to be either a JKS or PKCS12 file.
You can do this in two ways:
As a -D command line option:
-Djavax.net.ssl.trustStore=D:\mq-message-handler-1.0\ssl\myCAcertfile.jks
Using System.setProperty:
System.setProperty(javax.net.ssl.trustStore, "D:\mq-message-handler-1.0\ssl\myCAcertfile.jks");
In our Project, we use Netty as webserver, In spring boot project.
we would like to enable HTTPS and SSL in the project.
we added the certificate to the truststore by keytool.
keytool -keystore truststore.jks -import -noprompt -trustcacerts -alias "try" -file "test.cer" -keypass pass -storepass pass
Than added the keypath and keystore information in project yaml file as :
server:
ssl:
enabled: true
key-store: 'truststore.jks'
key-store-password: "pass"
key-store-type: JKS
key-alias: "try"
but eveytime we try to send request to https://127.0.0.1:8080
we get below exception :
io.netty.handler.codec.DecoderException: javax.net.ssl.SSLHandshakeException: error:100000ae:SSL routines:OPENSSL_internal:NO_CERTIFICATE_SET
Caused by: javax.net.ssl.SSLHandshakeException: error:100000ae:SSL routines:OPENSSL_internal:NO_CERTIFICATE_SET
There are two types of key store in java,
Truststore
Keystore
Truststore: stores all public keys that need to be added to communicate with the third-party systems.
Keystore: contains the private key.
I was putting the public key in Keystore and was the problem.
I need to import ssl certificate into java local keystore(cacerts) in order to get access to the remote ldaps server.
I have run the following command:
keytool -keystore C:\Program Files\Java\jdk1.8.0_211\jre\lib\security\cacerts -import -alias myalias -file <PATH_TO_CERTIFICATE>/certificate.cer
The certificate successfully added to the keystore:
keytool -list -alias myalias -keystore C:\Program Files\Java\jdk1.8.0_211\jre\lib\security\cacerts
Enter keystore password:
myalias, 24.10.2019, trustedCertEntry
My application properties:
ssl:
key-alias: myalias
key-store-password: changeit
key-store: C:\Program Files\Java\jdk1.8.0_211\jre\lib\security\cacerts
When I run the app I have the following exception:
Caused by: java.lang.IllegalArgumentException: jsse.alias_no_key_entry
at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:99)
at org.apache.tomcat.util.net.AbstractJsseEndpoint.initialiseSsl(AbstractJsseEndpoint.java:71)
at org.apache.tomcat.util.net.NioEndpoint.bind(NioEndpoint.java:218)
at org.apache.tomcat.util.net.AbstractEndpoint.bindWithCleanup(AbstractEndpoint.java:1124)
at org.apache.tomcat.util.net.AbstractEndpoint.start(AbstractEndpoint.java:1210)
at org.apache.coyote.AbstractProtocol.start(AbstractProtocol.java:586)
at org.apache.catalina.connector.Connector.startInternal(Connector.java:1005)
... 14 more
Caused by: java.io.IOException: jsse.alias_no_key_entry
at org.apache.tomcat.util.net.SSLUtilBase.getKeyManagers(SSLUtilBase.java:328)
at org.apache.tomcat.util.net.SSLUtilBase.createSSLContext(SSLUtilBase.java:247)
at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:97)
... 20 more
I am using Spring boot 2.2.0
Who knows what is the problem?
What you are doing in your application.properties is, you are securing your springboot application. Which is different from what you are trying to do (call ldaps server).
When you added the ldap server certificate into your cacerts, you don't need to do anything else. You can just make the call.
If you get PKIX exception when you make the call, then you need to make sure the CA and SubCA(s) of the ldap server certificate are trusted as well.
you need to import private key to keystore.
Step1: You need to download openSSL and then move to C:\OpenSSL-win64\bin Next, type this command:
openssl pkcs12 -export -in C:\Keystore\certificate.crt -inkey C:\Keystore\name_key.key -out C:\Keystore\server.p12 -name [name_alias] -CAfile C:\Keystore\rootCA.crt -caname root
Note: if you use alias "tomcat" in server.xml
keyAlias="tomcat"
keystoreFile="C:\Keystore\server.jks"
keystorePass="your pass"
then [name_alias] = tomcat
Step 2: use cmd and move to C:\program files\java\jdk..\ bin and type this command to convert p12 file to jks file:
keytool -importkeystore -deststorepass mypass -destkeystore C:\Keystore\server.jks -srckeystore C:\Keystore\server.p12 -srcstoretype PKCS12
Restart your tomcat server
I am looking for a detailed guide to configure SSl in JBOSS 7. I am not using any front end server but only JBOSS. Can anybody guide me through the steps of generating a key from an authorised certificate and configuring the connector under jboss?
Use the following procedure for self-signed certificate
1.Generate key + keystore
$JAVA_HOME/bin/keytool -genkey -alias your_alias_here -keyalg RSA -keypass PASSWORD -storepass PASSWORD -keystore ENTER_KEYSTORE_NAME
2.Configure jboss for SSL ( file server.xml )
<Connector port="8443" address="${jboss.bind.address}"
maxThreads="100" minSpareThreads="5" maxSpareThreads="15"
scheme="https" secure="true" clientAuth="false"
keystoreFile="PATH_TO_KEYSTORE"
keystorePass="PASSWORD" sslProtocol = "TLS" />
2.Import certs
$JAVA_HOME/bin/keytool -import -v -alias your_alias_here -file FILE_YOU_RECEIVED_FROM_CA -keystore ENTER_KEYSTORE_NAME -storepass PASSWORD -keypass PASSWORD
I have a web application which tries to hit a https url. I have a set of 4 certificates which I import in one common file using keytool
keytool -import -v -alias a_base64 -trustcacerts -file a_Base64.cer -keystore testcacerts
keytool -import -v -alias b_base64 -trustcacerts -file b_base64.cer -keystore testcacerts
keytool -import -v -alias c_base64 -trustcacerts -file c_Base64.cer -keystore testcacerts
keytool -import -v -alias d_base64 -trustcacerts -file d_base64.cer -keystore testcacerts
The file testcacerts is generated fine. In my eclipse IDE, I have a java program that will hit the https url. While running the program, I gave the following in the VM arguments
-Djavax.net.ssl.keyStore=c://testcacerts
The java program ran fine. Now I am deploying the war of the project in tomcat server 7. When my application tries to access https url, it gives the following exception
sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target.
I set the environment variables CATALINA_OPTS and JAVA_OPTS to point to that testcacerts location
JAVA_OPTS=-Djavax.net.ssl.trustStore=/temp/testcacerts
After I re start my tomcat, when my application hits the https url, am getting the same exception.
I even tried to change the configuration in server.xml in tomcat conf as given below
<Connector port="8443" maxHttpHeaderSize="8192" maxThreads="150" minSpareThreads="25"
maxSpareThreads="75" enableLookups="false" disableUploadTimeout="true" acceptCount="100"
scheme="https" secure="true" SSLEnabled="true" clientAuth="false" sslProtocol="TLS"
keystoreFile="/temp/testcacerts" keystorePass="samplePassword" />
The password in keystorePass is the one that I gave while generating the keystore.
Even after the above changes, I was getting the same exception.
I am currently running the application in Unix environment and the tomcat is present in Unix server as well. I don't have access to the java installation directory and because of which I am not able to place this certificate file in the jre\lib\security folder.
Am I missing anything here. Please guide me.
In case it is valid self-signed certificates you should select one certificate for the SSL connector. Please add keyAlias with the selected certificate (e.g. a_base64) to your connector configuration
<Connector port="8443" ... keyAlias="a_base64" />
Usefull links:
http://tomcat.apache.org/tomcat-7.0-doc/ssl-howto.html
http://tomcat.apache.org/tomcat-7.0-doc/config/http.html
You may remove your -Djavax settings.