Reputation: 14630
I am trying to connect to WMQ from a simple web service launched on WebSphere app server.
On WMQ I have a channel with SSL. I use self-signed certificates for now.
In the case of GlassFish I just add this cert to the key store in the domain and all works well (of course I configure my MQQueueConnectionFactory).
But on WebSphere this trick doesn't work:
[5/13/13 14:00:25:058 FET] 00000060 SystemOut O %% Invalidated: [Session-94, SSL_RSA_EXPORT_WITH_RC4_40_MD5]
[5/13/13 14:00:25:058 FET] 00000060 SystemOut O jmsContainer-1, SEND SSLv3 ALERT: fatal, description = certificate_unknown
[5/13/13 14:00:25:058 FET] 00000060 SystemOut O jmsContainer-1, WRITE: SSLv3 Alert, length = 2
[5/13/13 14:00:25:058 FET] 00000060 SystemOut O [Raw write]: length = 7
[5/13/13 14:00:25:058 FET] 00000060 SystemOut O 0000: 15 03 00 00 02 02 2e .......
[5/13/13 14:00:25:058 FET] 00000060 SystemOut O jmsContainer-1, called closeSocket()
[5/13/13 14:00:25:058 FET] 00000060 SystemOut O jmsContainer-1, handling exception: javax.net.ssl.SSLHandshakeException: com.ibm.jsse2.util.j: PKIX path building failed: java.security.cert.CertPathBuilderException: unable to find valid certification path to requested target
[5/13/13 14:00:25:058 FET] 00000060 DefaultMessag E org.springframework.jms.listener.DefaultMessageListenerContainer refreshConnectionUntilSuccessful Could not refresh JMS Connection for destination 'fromESB' - retrying in 5000 ms. Cause: JMSWMQ0018: Failed to connect to queue manager 'qm1' with connection mode 'Client' and host name '192.168.56.101(1414)'.; nested exception is com.ibm.mq.MQException: JMSCMQ0001: WebSphere MQ call failed with compcode '2' ('MQCC_FAILED') reason '2397' ('MQRC_JSSE_ERROR').
How do I configure WebSphere app server to use SSL (how do I add the server (WMQ) certificate to the trust store? Or where is the trust store?)?
Upvotes: 4
Views: 8072
Reputation: 14630
Ok. I solved this by myself.
Configure WMQ:
Create a keystore
runmqckm -keydb -create -db "c:\dev\sslqm001\sslqm001.kdb" -pw serverpass -type cms -expire 365 -stash
Create a certificate and add it to the keystore
runmqckm -cert -create -db "c:\dev\sslqm001\sslqm001.kdb" -pw serverpass -label ibmwebspheremqssl_qm001 -dn "CN=SSL_QM001,OU=IT,O=SomeCompany,L=Minsk,ST=Belarus,C= BY" -expire 365
Export this certificate from keystore to file.
runmqckm -cert -extract -db "c:\dev\sslqm001\sslqm001.kdb" -pw serverpass -label ibmwebspheremqssl_qm001 -target SSL_QM001.crt -format ascii
In the Queue Manager settings, on the "SSL" tab, set the path to the keystore without .kdb and set FIPS to No:
ALTER QMGR SSLKEYR('c:\dev\sslqm001\sslqm001')
ALTER QMGR SSLFIPS(NO)
Create a new channel
In the channel settings, on the "SSL" tab, set the cipher to some value (what works for me: DES_SHA_EXPORT), and set auth to optional
DEFINE CHANNEL('SSL_CHANNEL') CHLTYPE(SVRCONN) TRPTYPE(TCP) SSLCIPH(DES_SHA_EXPORT) SSLCAUTH(OPTIONAL) REPLACE
In the Queue Manager, refresh SSL:
REFRESH SECURITY TYPE(SSL)
Change your app context:
<bean id="mqConnectionFactory" class="com.ibm.mq.jms.MQQueueConnectionFactory">
    <property name="hostName" value="${queue_hostname}"/>
    <property name="port" value="${queue_port}"/>
    <property name="queueManager" value="${queue_manager}"/>
    <property name="transportType" value="1"/>
    <property name="SSLCipherSuite" value="SSL_RSA_EXPORT_WITH_RC4_40_MD5"/>
    <property name="channel" value="ssl_channel"/>
</bean>
Setup SSL on WAS
Go To:
Security → SSL certificate and key management → SSL configurations → NodeDefaultSSLSettings → Key stores and certificates → NameOfStore → Signer certificates
Add your certificate that we exported in step 3
Upvotes: 3
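As an added example (not part of the question or the answer above), the following Java program runs the same PKIX server-trust check JSSE performs during the handshake, so you can confirm offline that a trust store contains the queue manager's signer before deploying to WAS; the class name TrustStoreCheck is mine, and the trust store path, password, store type and certificate file are placeholders passed on the command line.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

/* Runs the PKIX server-trust check JSSE performs in the handshake against a
 * trust store and the certificate exported from the queue manager (SSL_QM001.crt).
 * NOT TRUSTED means the client will fail with "PKIX path building failed".
 * Usage: java TrustStoreCheck <truststore> <password> <JKS|PKCS12> <server-cert.crt> */
public class TrustStoreCheck {

    /* True if the trust store accepts the certificate as a server certificate. */
    public static boolean isTrusted(KeyStore trustStore, X509Certificate serverCert) throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance("PKIX");
        tmf.init(trustStore);
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (!(tm instanceof X509TrustManager)) continue;
            try {
                // Chain of one: a self-signed queue manager cert must itself be a signer entry.
                ((X509TrustManager) tm).checkServerTrusted(new X509Certificate[] { serverCert }, "RSA");
                return true;
            } catch (CertificateException e) {
                System.err.println("Rejected: " + e.getMessage());
                return false;
            }
        }
        throw new IllegalStateException("no X509TrustManager available");
    }

    public static void main(String[] args) throws Exception {
        KeyStore ks = KeyStore.getInstance(args[2]);          // WAS default stores are PKCS12
        try (InputStream in = new FileInputStream(args[0])) {
            ks.load(in, args[1].toCharArray());
        }
        X509Certificate cert;
        try (InputStream in = new FileInputStream(args[3])) { // ASCII (PEM) export from runmqckm
            cert = (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
        }
        boolean ok = isTrusted(ks, cert);
        System.out.println((ok ? "TRUSTED: " : "NOT TRUSTED: ") + cert.getSubjectX500Principal());
        System.exit(ok ? 0 : 1);
    }
}
```

Note that SSL_RSA_EXPORT_WITH_RC4_40_MD5 and DES_SHA_EXPORT are export-grade (40-bit) suites that later JSSE releases disable by default, so once the trust check passes, pick a non-export suite that both the queue manager and the WAS JSSE provider support.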