1 Reply Latest reply: Jul 13, 2011 11:50 AM by Todd Little-Oracle

    Java IBM MQ with SSL X509

    875222
      Hi

      I need some help to figure out how to solve this problem.

      I have a Java 6 application (SUN JRE 6) that connects to an IBM MQ 7.
      Without SSL I am able to connect and put some content on the queue!

      But the trouble begins when we are enabling security.

      We have got an X509 certificate from a signing company.
      We have imported this key into a Java keystore (with help from the signing company);
      we used the IBM Key Management Tool for this.

      So we now have a key file, key.jks, which is placed right beside the Java application in the same folder.

      We have been told to use SSL CipherSpec: TLS_RSA_WITH_AES_128_CBC_SHA
      But does this mean that we must use the CipherSuite: SSL_RSA_WITH_AES_128_CBC_SHA ???

      We are using the following code to connect with SSL:

      // Queue manager details
      String qmgrName = this.qManager;
      Hashtable props = new Hashtable();
      props.put(MQC.CHANNEL_PROPERTY, this.channel);
      props.put(MQC.HOST_NAME_PROPERTY, this.hostname);
      props.put(MQC.PORT_PROPERTY, new Integer(1410));

      // SSL details

      //should we use the ciphersuite or the cipherspec???
      props.put(MQC.SSL_CIPHER_SUITE_PROPERTY, "SSL_RSA_WITH_AES_128_CBC_SHA");

      //Are the relative path OK to use or should we use an absolute path?
      String keyStorePath = "key.jks";
      String trustStorePath = "key.jks";
      String password = "thecode";

      // Create a keystore object for the keystore
      KeyStore keyStore = KeyStore.getInstance("JKS");

      // Open our file and read the keystore
      FileInputStream keyStoreInput = new FileInputStream(keyStorePath);
      try {
          keyStore.load(keyStoreInput, password.toCharArray());
      } finally {
          keyStoreInput.close();
      }

      // Create a keystore object for the truststore
      KeyStore trustStore = KeyStore.getInstance("JKS");

      // Open our file and read the truststore (no password)
      FileInputStream trustStoreInput = new FileInputStream(trustStorePath);
      try {
          trustStore.load(trustStoreInput, null);
      } finally {
          trustStoreInput.close();
      }

      // Create a default trust and key manager
      TrustManagerFactory trustManagerFactory =
          TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
      KeyManagerFactory keyManagerFactory =
          KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());

      // Initialise the managers
      trustManagerFactory.init(trustStore);
      keyManagerFactory.init(keyStore, password.toCharArray());

      // Get an SSL context. For more information on providers see:
      // http://www.ibm.com/developerworks/library/j-ibmsecurity.html
      // Note: Not all providers support all CipherSuites.
      SSLContext sslContext = SSLContext.getInstance("TLS_SSL");//getDefault();
      System.out.println("SSLContext provider: " +
          sslContext.getProvider().toString());

      // Initialise our SSL context from the key/trust managers
      //sslContext.init(keyManagerFactory.getKeyManagers(),
      // trustManagerFactory.getTrustManagers(), null);

      // Get an SSLSocketFactory to pass to WMQ
      SSLSocketFactory sslSocketFactory = sslContext.getSocketFactory();

      // Set the socket factory in our WMQ parameters
      props.put(MQC.SSL_SOCKET_FACTORY_PROPERTY, sslSocketFactory);

      // Connect to WMQ
      MQQueueManager qmgr = new MQQueueManager(qmgrName, props);
      try {
          // Query the description
          String desc = qmgr.getDescription();

          // Output the description
          System.out.println("Queue Manager DESCR: \"" + desc + "\"");
      } finally {
          qmgr.disconnect();
      }

      In this line we are having some problems:
      SSLContext sslContext = SSLContext.getInstance("SSL_TLS");//getDefault();
      This exception is being thrown: java.security.NoSuchAlgorithmException: SSL_TLS SSLContext not available

      If we instead use:
      SSLContext sslContext = SSLContext.getDefault();

      We can continue to the line:
      MQQueueManager qmgr = new MQQueueManager(qmgrName, props);
      But then it is throwing this exception:
      com.ibm.mq.jmqi.JmqiException: CC=2;RC=2393;AMQ9204: Connection to host '*********(****)' rejected. [1=com.ibm.mq.jmqi.JmqiException[CC=2;RC=2393;AMQ9771: SSL handshake failed. [1=java.lang.IllegalArgumentExceptionUnsupported ciphersuite SSL_RSA_WITH_AES_128_CBC_SHA],3=131.165.93.73/131.165.93.73:1414 (131.165.93.73),4=SSLSocket.createSocket,5=com.sun.net.ssl.internal.ssl.SSLSocketFactoryImpl@151f910]],3=131.165.93.73(1414),5=RemoteTCPConnection.makeSocketSecure

      What does this mean? Does it mean that the IBM MQ Server is saying that the specified ciphersuite is not supported? Or?

      What about JSSE (Java Secure Socket Extension): is this bundled into Java 6 (1.6)?

      Is it enough to use SUN JRE 6 with some additional jars in order to use IBM MQ with SSL and X509, or should real IBM MQ client software be installed on my PC and on the resulting production machine?

      Are we doing something in the wrong manner?
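
      An added diagnostic for the two failures described in the post (example code, not from the original poster or from IBM): it shows that "TLS_SSL" is not a protocol name SSLContext accepts, builds a context with "TLS" that is actually initialised from key and trust managers, and asks the JSSE provider of the running JRE which of the two suite names it knows. The class name CipherSuiteCheck is hypothetical, and an empty in-memory JKS store is constructed in place of key.jks so the check runs without the real file.

```java
import java.security.KeyStore;
import java.security.NoSuchAlgorithmException;
import java.util.Arrays;
import java.util.List;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

// Hypothetical diagnostic class; not part of the original post.
public class CipherSuiteCheck {

    // Build a context by protocol name "TLS" and initialise it with key and
    // trust managers from the given store (the step commented out in the post).
    static SSLContext buildContext(KeyStore store, char[] password) throws Exception {
        KeyManagerFactory kmf =
            KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(store, password);
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(store);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx;
    }

    // True if the provider behind this context knows the suite under this exact name.
    static boolean supports(SSLContext ctx, String suite) {
        List<String> names = Arrays.asList(ctx.getSocketFactory().getSupportedCipherSuites());
        return names.contains(suite);
    }

    public static void main(String[] args) throws Exception {
        try {
            SSLContext.getInstance("TLS_SSL"); // not a registered protocol name
        } catch (NoSuchAlgorithmException e) {
            System.out.println("getInstance(\"TLS_SSL\"): " + e.getMessage());
        }
        // Constructed input: an empty in-memory JKS store stands in for key.jks.
        KeyStore store = KeyStore.getInstance("JKS");
        store.load(null, null);
        SSLContext ctx = buildContext(store, "thecode".toCharArray());
        System.out.println("Provider: " + ctx.getProvider());
        for (String suite : new String[] {
                "SSL_RSA_WITH_AES_128_CBC_SHA", "TLS_RSA_WITH_AES_128_CBC_SHA"}) {
            System.out.println(suite + " supported: " + supports(ctx, suite));
        }
    }
}
```

      Run it with the same JRE that will host the MQ client; the name reported as supported is the one that provider's SSLSocketFactory will accept.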