Hermes jms ibmmq-ssl-channel-release1

How to use HERMESJMS with IBM MQ over SSL enabled channel.

  1. This topic is about how to use HERMESJMS over an SSL-enabled MQ channel (no MA setup).
     By Seri Charoensri, Friday, 13 July 2012

     With the IBM MQ provider, you may see the error below from JSSE when the certificate is not found:

         com.ibm.mq.MQException: JMSCMQ0001: WebSphere MQ call failed with compcode 2 (MQCC_FAILED) reason 2397 (MQRC_JSSE_ERROR).
             at com.ibm.msg.client.wmq.common.internal.Reason.createException(Reason.java:223)
             at com.ibm.msg.client.wmq.internal.WMQConnection.<init>(WMQConnection.java:421)
             at com.ibm.msg.client.wmq.factories.WMQConnectionFactory.createV7ProviderConnection(WMQConnectionFactory.java:6807)
             at com.ibm.msg.client.wmq.factories.WMQConnectionFactory.createProviderConnection(WMQConnectionFactory.java:6204)
             at com.ibm.msg.client.jms.admin.JmsConnectionFactoryImpl.createConnection(JmsConnectionFactoryImpl.java:278)
             at com.ibm.mq.jms.MQConnectionFactory.createCommonConnection(MQConnectionFactory.java:6155)

     Step 1. Hermes runs on a standard JDK, so it uses JSSE security and the JDK's cacerts (CA certificates) store. Below we import the self-signed certificate that was generated in, and extracted from, IKEYMAN.

     IKEYMAN
  2. qm5_cert.arm (the self-signed certificate extracted from IKEYMAN, a Base64 block between -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines)
  3. HermesJMS JVM: C:\Program Files (x86)\Java\jdk1.6.0_13\jre\lib\security\cacerts

     Keytool

     Step 2. For a self-signed cert from MQ, you need to import the cert into the cacerts keystore so that HERMES can handshake with MQ over SSL.

         C:\Program Files (x86)\Java\jdk1.6.0_13\jre\bin>keytool -import -trustcacerts -alias qm5 -file ..\lib\security\QM12345-cert\QM5_cert.arm -keystore ..\lib\security\cacerts
         Enter keystore password: changeit (default JSSE CA keystore)
         Owner: CN=qm5, C=US
         Issuer: CN=qm5, C=US
         Serial number: -54f5d8343411e1b8
         Valid from: Fri Jul 20 21:14:59 EST 2012 until: Sun Jul 21 21:14:59 EST 2013
         Certificate fingerprints:
                  MD5:  7A:2C:20:3A:CE:94:2B:44:F0:C4:65:C8:FD:A4:17:9F
                  SHA1: B5:D0:68:84:75:D2:6D:ED:61:AC:C6:32:87:F5:0C:69:28:AC:C0:6E
                  Signature algorithm name: MD5withRSA
                  Version: 3
         Trust this certificate? [no]:  y
         Certificate was added to keystore

         C:\Program Files (x86)\Java\jdk1.6.0_13\jre\bin>

     HERMES JMS setting

     IBM MQ 7 provider lib: you don't need all of these libs; I was too lazy to pick out just the jars required.
  4. C:\Program Files (x86)\IBM\WebSphere MQ\Java\lib\com.ibm.mq.jar
     C:\Program Files (x86)\IBM\WebSphere MQ\Java\lib\com.ibm.mq.jms.Nojndi.jar
     C:\Program Files (x86)\IBM\WebSphere MQ\Java\lib\com.ibm.mq.soap.jar
     C:\Program Files (x86)\IBM\WebSphere MQ\Java\lib\com.ibm.mqjms.jar
     C:\Program Files (x86)\IBM\WebSphere MQ\Java\lib\commonservices.jar
     C:\Program Files (x86)\IBM\WebSphere MQ\Java\lib\connector.jar
     C:\Program Files (x86)\IBM\WebSphere MQ\Java\lib\dhbcore.jar
     C:\Program Files (x86)\IBM\WebSphere MQ\Java\lib\fscontext.jar
     C:\Program Files (x86)\IBM\WebSphere MQ\Java\lib\jms.jar
     C:\Program Files (x86)\IBM\WebSphere MQ\Java\lib\jndi.jar
     C:\Program Files (x86)\IBM\WebSphere MQ\Java\lib\jta.jar
     C:\Program Files (x86)\IBM\WebSphere MQ\Java\lib\ldap.jar

         SSLCipherSuite  SSL_RSA_WITH_3DES_EDE_CBC_SHA
         channel         qm5_ch1
         hostName        127.0.0.1
         port            1418
         queueManager    QM5
         transportType   1

     IBM MQ setup

     On the MQ side we have the “TRIPLE_DES_SHA_SA” SSL setup, with no client SSL (SSLCAUTH) required. I.e. trust the MQ server only; no Mutual Authentication setup.
  5. NOTE: we have not set SSLCAUTH to be required, nor locked down the DN name specification so that only clients with the specified DN name can come through.

     Test result

     We successfully retrieved data over the SSL-enabled channel.
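
A stricter variant of step 2, as an added example that is not part of the original slides: it checks the certificate's SHA1 fingerprint against the value keytool printed above before trusting it, and writes it to a dedicated truststore instead of the JDK-wide cacerts. The class name PinQmCert and the truststore file argument are assumptions, and the code needs Java 7 or later.

```java
import java.io.*;
import java.security.*;
import java.security.cert.*;

// Added example (needs Java 7+): pin the queue manager certificate in its own truststore.
public class PinQmCert {
    // SHA1 fingerprint that keytool printed for the qm5 certificate in the transcript above.
    static final String EXPECTED_SHA1 =
        "B5:D0:68:84:75:D2:6D:ED:61:AC:C6:32:87:F5:0C:69:28:AC:C0:6E";

    // Colon-separated upper-case hex digest of the DER encoding, the format keytool prints.
    static String fingerprint(X509Certificate cert, String algorithm) throws Exception {
        byte[] digest = MessageDigest.getInstance(algorithm).digest(cert.getEncoded());
        StringBuilder sb = new StringBuilder();
        for (byte b : digest) {
            if (sb.length() > 0) sb.append(':');
            sb.append(String.format("%02X", b));
        }
        return sb.toString();
    }

    public static void main(String[] args) throws Exception {
        Console console = System.console();
        if (args.length != 2 || console == null) {
            System.err.println("usage (interactive): java PinQmCert <cert.arm> <truststore.jks>");
            System.exit(2);
        }
        X509Certificate cert;
        try (InputStream in = new FileInputStream(args[0])) {
            cert = (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
        }
        cert.checkValidity();  // throws if the certificate is expired or not yet valid
        String actual = fingerprint(cert, "SHA-1");
        if (!EXPECTED_SHA1.equals(actual)) {
            System.err.println("Fingerprint mismatch, not trusting: " + actual);
            System.exit(1);
        }
        KeyStore trustStore = KeyStore.getInstance("JKS");
        trustStore.load(null, null);  // start empty so this is the only trusted certificate
        trustStore.setCertificateEntry("qm5", cert);
        char[] password = console.readPassword("New truststore password: ");
        try (OutputStream out = new FileOutputStream(args[1])) {
            trustStore.store(out, password);
        }
        System.out.println("Pinned " + cert.getSubjectX500Principal() + " in " + args[1]);
    }
}
```

Starting the client JVM with the standard JSSE property -Djavax.net.ssl.trustStore set to the new file makes it trust only this certificate and leaves cacerts unmodified.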
