This discussion is archived
1 Reply Latest reply: Jul 13, 2011 9:50 AM by Todd Little

Java IBM MQ with SSL X509

875222 Newbie
Hi

I need some help to figure out how to solve this problem.

I have a Java 6 application (SUN JRE 6) that connects to an IBM MQ 7.
Without SSL I am able to connect and put some content on the queue!

But the trouble begins when we are enabling security.

We have got an X509 certificate from a signing company.
We have imported this key into a Java keystore (with help from the signing company);
we used the IBM Key Management Tool for this.

So we now have a key file, key.jks, which is placed right beside the Java application in the same folder.

We have been told to use SSL CipherSpec: TLS_RSA_WITH_AES_128_CBC_SHA
But does this mean that we must use the CipherSuite: SSL_RSA_WITH_AES_128_CBC_SHA ???

We are using the following code to connect with SSL:

    // Queue manager details
    String qmgrName = this.qManager;
    Hashtable props = new Hashtable();
    props.put(MQC.CHANNEL_PROPERTY, this.channel);
    props.put(MQC.HOST_NAME_PROPERTY, this.hostname);
    props.put(MQC.PORT_PROPERTY, new Integer(1410));

    // SSL details

    //should we use the ciphersuite or the cipherspec???
    props.put(MQC.SSL_CIPHER_SUITE_PROPERTY, "SSL_RSA_WITH_AES_128_CBC_SHA");

    //Are the relative path OK to use or should we use an absolute path?
    String keyStorePath = "key.jks";
    String trustStorePath = "key.jks";
    String password = "thecode";

    // Create a keystore object for the keystore
    KeyStore keyStore = KeyStore.getInstance("JKS");

    // Open our file and read the keystore
    FileInputStream keyStoreInput = new FileInputStream(keyStorePath);
    try
    {
        keyStore.load(keyStoreInput, password.toCharArray());
    }
    finally
    {
        keyStoreInput.close();
    }

    // Create a keystore object for the truststore
    KeyStore trustStore = KeyStore.getInstance("JKS");

    // Open our file and read the truststore (no password)
    FileInputStream trustStoreInput = new FileInputStream(trustStorePath);
    try {
        trustStore.load(trustStoreInput, null);
    } finally { trustStoreInput.close(); }

    // Create a default trust and key manager
    TrustManagerFactory trustManagerFactory =
        TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
    KeyManagerFactory keyManagerFactory =
        KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());

    // Initialise the managers
    trustManagerFactory.init(trustStore);
    keyManagerFactory.init(keyStore,password.toCharArray());

    // Get an SSL context. For more information on providers see:
    // http://www.ibm.com/developerworks/library/j-ibmsecurity.html
    // Note: Not all providers support all CipherSuites.
    SSLContext sslContext = SSLContext.getInstance("TLS_SSL");//getDefault();
    System.out.println("SSLContext provider: " +
        sslContext.getProvider().toString());

    // Initialise our SSL context from the key/trust managers
    //sslContext.init(keyManagerFactory.getKeyManagers(),
    // trustManagerFactory.getTrustManagers(), null);

    // Get an SSLSocketFactory to pass to WMQ
    SSLSocketFactory sslSocketFactory = sslContext.getSocketFactory();

    // Set the socket factory in our WMQ parameters
    props.put(MQC.SSL_SOCKET_FACTORY_PROPERTY, sslSocketFactory);

    // Connect to WMQ
    MQQueueManager qmgr = new MQQueueManager(qmgrName, props);
    try {

        // Query the description
        String desc = qmgr.getDescription();

        // Output the description
        System.out.println("Queue Manager DESCR: \"" + desc + "\"");

    } finally { qmgr.disconnect();}

In this line we are having some problems:
SSLContext sslContext = SSLContext.getInstance("SSL_TLS");//getDefault();
This Exception is being thrown: java.security.NoSuchAlgorithmException: SSL_TLS SSLContext not available

If we instead use:
SSLContext sslContext = SSLContext.getDefault();

We can continue to the line:
MQQueueManager qmgr = new MQQueueManager(qmgrName, props);
But then it is throwing this exception:
com.ibm.mq.jmqi.JmqiException: CC=2;RC=2393;AMQ9204: Connection to host '*********(****)' rejected. [1=com.ibm.mq.jmqi.JmqiException[CC=2;RC=2393;AMQ9771: SSL handshake failed. [1=java.lang.IllegalArgumentExceptionUnsupported ciphersuite SSL_RSA_WITH_AES_128_CBC_SHA],3=131.165.93.73/131.165.93.73:1414 (131.165.93.73),4=SSLSocket.createSocket,5=com.sun.net.ssl.internal.ssl.SSLSocketFactoryImpl@151f910]],3=131.165.93.73(1414),5=RemoteTCPConnection.makeSocketSecure

What does this mean? Does it mean that the IBM MQ Server is saying that the specified ciphersuite is not supported? Or?

What about JSSE (Java Secure Socket Extension): is this bundled into Java 6 (1.6)?

Is it enough to use SUN JRE 6 with some additional jars in order to use IBM MQ with SSL and X509, or should real IBM MQ client software be installed on my PC and on the resulting production machine?

Are we doing something in the wrong manner?
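
An added diagnostic, not part of the original post and not IBM's or the poster's code: it asks the client JRE's own JSSE provider which SSLContext protocol names and cipher suite names it recognises, using the names that appear in the post, and lists the keystore entries if the file is present. The class name JsseCheck is hypothetical, and the default store name and password are the ones shown in the post.

```java
import java.io.File;
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.NoSuchAlgorithmException;
import java.util.Arrays;
import java.util.Collections;
import javax.net.ssl.SSLContext;

public class JsseCheck {
    // True if this JRE's JSSE provider knows the SSLContext protocol name.
    static boolean hasProtocol(String name) {
        try {
            SSLContext.getInstance(name);
            return true;
        } catch (NoSuchAlgorithmException e) {
            return false;
        }
    }

    // True if the provider's socket factory accepts the cipher suite name.
    static boolean hasSuite(String suite) throws Exception {
        SSLContext ctx = SSLContext.getInstance("TLS"); // standard JSSE protocol name
        ctx.init(null, null, null); // default managers are enough to list suites
        return Arrays.asList(ctx.getSocketFactory().getSupportedCipherSuites()).contains(suite);
    }

    public static void main(String[] args) throws Exception {
        for (String p : new String[] {"TLS", "SSL_TLS", "TLS_SSL"}) {
            System.out.println("protocol " + p + ": " + hasProtocol(p));
        }
        for (String s : new String[] {"SSL_RSA_WITH_AES_128_CBC_SHA", "TLS_RSA_WITH_AES_128_CBC_SHA"}) {
            System.out.println("suite " + s + ": " + hasSuite(s));
        }
        // Assumption: store name and password as in the post; skipped if the file is absent.
        File store = new File(args.length > 0 ? args[0] : "key.jks");
        if (store.isFile()) {
            KeyStore ks = KeyStore.getInstance("JKS");
            FileInputStream in = new FileInputStream(store);
            try {
                ks.load(in, (args.length > 1 ? args[1] : "thecode").toCharArray());
            } finally {
                in.close();
            }
            // A client certificate needs a private-key entry; trust needs certificate entries.
            for (String alias : Collections.list(ks.aliases())) {
                System.out.println(alias + ": " + (ks.isKeyEntry(alias) ? "private key" : "trusted certificate"));
            }
        }
    }
}
```

Run it with the same JRE that runs the MQ client application, since the names a JSSE provider accepts depend on the provider.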
