Hermes jms ibmmq-ssl-channel-release2-with-mutual-authen

How to use Hermes with IBM MQ over SSL channel.

Published in: Technology

  1. This topic is about how to use HERMESJMS over an SSL-enabled MQ channel (no mutual authentication (MA) setup).
     By Seri Charoensri, 22 July 2012 (charoensri.seri@gmai.com)

     With the IBM MQ provider: if you see the error below from JSSE, the certificate was not found.

     com.ibm.mq.MQException: JMSCMQ0001: WebSphere MQ call failed with compcode 2 (MQCC_FAILED) reason 2397 (MQRC_JSSE_ERROR).
         at com.ibm.msg.client.wmq.common.internal.Reason.createException(Reason.java:223)
         at com.ibm.msg.client.wmq.internal.WMQConnection.<init>(WMQConnection.java:421)
         at com.ibm.msg.client.wmq.factories.WMQConnectionFactory.createV7ProviderConnection(WMQConnectionFactory.java:6807)
         at com.ibm.msg.client.wmq.factories.WMQConnectionFactory.createProviderConnection(WMQConnectionFactory.java:6204)
         at com.ibm.msg.client.jms.admin.JmsConnectionFactoryImpl.createConnection(JmsConnectionFactoryImpl.java:278)
         at com.ibm.mq.jms.MQConnectionFactory.createCommonConnection(MQConnectionFactory.java:6155)

     1. Hermes runs on a standard JDK, so Hermes uses JSSE security and its cacerts (CA certificates) store. Below we import the self-signed cert generated and extracted with IKEYMAN.

     IKEYMAN
  2. qm5_cert.arm

     HermesJMS JVM
  3. C:\Program Files (x86)\Java\jdk1.6.0_13\jre\lib\security\cacerts (I just use the default truststore provided by the JDK; you can use your own truststore if you like). Hermes will check the MQ server's cert against this truststore.

     Keytool

     2. For a self-signed cert from MQ, you need to import the cert into the cacerts keystore so that HERMES can handshake with MQ over SSL.

     C:\Program Files (x86)\Java\jdk1.6.0_13\jre\bin>keytool -import -trustcacerts -alias qm5 -file ..\lib\security\QM12345-cert\QM5_cert.arm -keystore ..\lib\security\cacerts
     Enter keystore password: changeit (default JSSE CA keystore)
     Owner: CN=qm5, C=US
     Issuer: CN=qm5, C=US
     Serial number: -54f5d8343411e1b8
     Valid from: Fri Jul 20 21:14:59 EST 2012 until: Sun Jul 21 21:14:59 EST 2013
     Certificate fingerprints:
          MD5: 7A:2C:20:3A:CE:94:2B:44:F0:C4:65:C8:FD:A4:17:9F
          SHA1: B5:D0:68:84:75:D2:6D:ED:61:AC:C6:32:87:F5:0C:69:28:AC:C0:6E
          Signature algorithm name: MD5withRSA
          Version: 3
     Trust this certificate? [no]: y
     Certificate was added to keystore

     C:\Program Files (x86)\Java\jdk1.6.0_13\jre\bin>

     HERMES JMS setting

     IBM MQ 7 provider lib: you don't need all of these libs; I was too lazy to pick just the jars required.
  4. C:\Program Files (x86)\IBM\WebSphere MQ\Java\lib\com.ibm.mq.jar
     C:\Program Files (x86)\IBM\WebSphere MQ\Java\lib\com.ibm.mq.jms.Nojndi.jar
     C:\Program Files (x86)\IBM\WebSphere MQ\Java\lib\com.ibm.mq.soap.jar
     C:\Program Files (x86)\IBM\WebSphere MQ\Java\lib\com.ibm.mqjms.jar
     C:\Program Files (x86)\IBM\WebSphere MQ\Java\lib\commonservices.jar
     C:\Program Files (x86)\IBM\WebSphere MQ\Java\lib\connector.jar
     C:\Program Files (x86)\IBM\WebSphere MQ\Java\lib\dhbcore.jar
     C:\Program Files (x86)\IBM\WebSphere MQ\Java\lib\fscontext.jar
     C:\Program Files (x86)\IBM\WebSphere MQ\Java\lib\jms.jar
     C:\Program Files (x86)\IBM\WebSphere MQ\Java\lib\jndi.jar
     C:\Program Files (x86)\IBM\WebSphere MQ\Java\lib\jta.jar
     C:\Program Files (x86)\IBM\WebSphere MQ\Java\lib\ldap.jar

     SSLCipherSuite   SSL_RSA_WITH_3DES_EDE_CBC_SHA
     channel          qm5_ch1
     hostName         127.0.0.1
     port             1418
     queueManager     QM5
     transportType    1

     IBM MQ setup

     On the MQ side we have the "TRIPLE_DES_SHA_SA" SSL setup, with no client SSL (SSLCAUTH) required: "Authentication of Parties initiating connections: - Optional". In short, we trust the MQ server's SSL cert only; there is no mutual authentication setup for now. I will show you how to do MA below.
  5. NOTE: we have not set SSLCAUTH to required, nor locked down the DN name specification to only allow clients with that DN name through.

     Test result

     We successfully retrieve data over the SSL-enabled channel.
  6. This topic is about how to use HERMESJMS over an SSL-enabled MQ channel (with MA setup).

     With MA, the client (HERMESJMS in this case) needs to present the client's SSL certificate to the MQ server for client authentication (SSLCAUTH Required).

     Set up a new SVRCONN channel for MA with a DN spec.
  7. Need to create the client's keystore: hermesclientkey.jks

     NOTE: we use the default JDK truststore, cacerts, to hold the MQ SSL cert (above). Alternatively, you could create your own truststore and manage the MQ cert separately.

     We need to create the Hermes keystore, since no default is provided.

     default keystore             | No default.                                 | * javax.net.ssl.keyStore system property. Note that the value NONE may be specified. This setting is appropriate if the keystore is not file-based (for example, it resides in a hardware token).
     default keystore password    | No default.                                 | * javax.net.ssl.keyStorePassword system property
     default keystore provider    | No default.                                 | * javax.net.ssl.keyStoreProvider system property
     default keystore type        | KeyStore.getDefaultType()                   | * javax.net.ssl.keyStoreType system property
     default truststore           | jssecacerts, if it exists. Otherwise, cacerts | * javax.net.ssl.trustStore system property
     default truststore password  | No default.                                 | * javax.net.ssl.trustStorePassword system property
     default truststore provider  | No default.                                 | * javax.net.ssl.trustStoreProvider system property
     default truststore type      | KeyStore.getDefaultType()                   | * javax.net.ssl.trustSt

  8. Extract and import our new client self-signed cert into MQ's keystore (CMS/KDB), so that MQ can trust our new client cert (it is self-signed, not signed by one of the well-known CA certs that come with the default keystore).

     HERMESJMS setup to use the new personal keystore

     The HERMESJMSkeystore.jks holds its certificate, which will be exchanged (MA) with the MQ server. Since it is self-signed, we have given the certificate to the MQ server's keystore (CMS KDB).

     javax.net.ssl.keyStore = "C:/seri/HermesJMS/hermes client key/HERMESJMSkeystore.jks"
     javax.net.ssl.keyStorePassword = "MySecretSorry"
  9. We will use the default SunJSSE provider! You can use IBM, BouncyCastle, etc. if you need a higher cipher, e.g. AES128. If you do so, don't forget to add the security provider jars to C:\Program Files (x86)\Java\jdk1.6.0_13\jre\lib\ext and then add the new security.provider entry to the java.security file.

     #java.security provider
     # List of providers and their preference orders (see above):
     #
     security.provider.1=sun.security.provider.Sun
     security.provider.2=sun.security.rsa.SunRsaSign
     security.provider.3=com.sun.net.ssl.internal.ssl.Provider
     security.provider.4=com.sun.crypto.provider.SunJCE
     security.provider.5=sun.security.jgss.SunProvider
     security.provider.6=com.sun.security.sasl.Provider
     security.provider.7=org.jcp.xml.dsig.internal.dom.XMLDSigRI
     security.provider.8=sun.security.smartcardio.SunPCSC
     security.provider.9=sun.security.mscapi.SunMSCAPI

     Syntax:

     % java -Djavax.net.ssl.keyStore=keystore -Djavax.net.ssl.keyStorePassword=password Server
     % java -Djavax.net.ssl.trustStore=truststore -Djavax.net.ssl.trustStorePassword=trustword Client

     Example

     C:\seri\HermesJMS\bin\Hermes.bat

     start "HermesJMS" "%JAVA_HOME%\bin\javaw" -XX:NewSize=256m -Xmx1024m ^
       -Djavax.net.ssl.keyStore="C:\seri\HermesJMS\hermes client key\hermesclientkey.jks" ^
       -Djavax.net.ssl.keyStorePassword="secretPWD!" ^
       -Djavax.net.debug="ssl,keymanager" ^
       -Dhermes.home="%HERMES_HOME%" %HERMES_OPTS% ^
       -Dlog4j.configuration="file:%HERMES_HOME%\bin\log4j.props" ^
       -Dsun.java2d.noddraw=true ^
       -Dhermes="%HERMES_CONFIG%\hermes-config.xml" ^
       -Dhermes.libs="%HERMES_LIBS%" hermes.browser.HermesBrowser
  10. NOTE: again, I simply leverage the JDK's truststore "cacerts" in ..\lib\security

      NOTE: HermesJMS will now start with the keystore hermesclientkey.jks so that it can authenticate itself to the MQ server.

      Test result with MA, no SSLPeer restriction

      With the MQ server's SSLPeer restriction:
  11. Hermes will fail since our CN is NOT "aa" but cn=hermesclientkey
  12. com.ibm.mq.MQException: JMSCMQ0001: WebSphere MQ call failed with compcode 2 (MQCC_FAILED) reason 2059 (MQRC_Q_MGR_NOT_AVAILABLE).
          at com.ibm.msg.client.wmq.common.internal.Reason.createException(Reason.java:223)
          at com.ibm.msg.client.wmq.internal.WMQConnection.<init>(WMQConnection.java:421)
          at com.ibm.msg.client.wmq.factories.WMQConnectionFactory.createV7ProviderConnection(WMQConnectionFactory.java:6807)
          at com.ibm.msg.client.wmq.factories.WMQConnectionFactory.createProviderConnection(WMQConnectionFactory.java:6204)
          at com.ibm.msg.client.jms.admin.JmsConnectionFactoryImpl.createConnection(JmsConnectionFactoryImpl.java:278)
          at com.ibm.mq.jms.MQConnectionFactory.createCommonConnection(MQConnectionFactory.java:6155)
          at com.ibm.mq.jms.MQQueueConnectionFactory.createQueueConnection(MQQueueConnectionFactory.java:115)
          at com.ibm.mq.jms.MQQueueConnectionFactory.createConnection(MQQueueConnectionFactory.java:198)
          at hermes.impl.jms.ConnectionManagerSupport.createConnection(ConnectionManagerSupport.java:122)
          at hermes.impl.jms.ConnectionManagerSupport.createConnection(ConnectionManagerSupport.java:92)
          at hermes.impl.jms.ConnectionSharedManager.reconnect(ConnectionSharedManager.java:81)
          at hermes.impl.jms.ConnectionSharedManager.connect(ConnectionSharedManager.java:91)
          at hermes.impl.jms.ConnectionSharedManager.getConnection(ConnectionSharedManager.java:104)
          at hermes.impl.jms.ConnectionSharedManager.getObject(ConnectionSharedManager.java:142)
          at hermes.impl.jms.ThreadLocalSessionManager.connect(ThreadLocalSessionManager.java:190)
          at hermes.impl.jms.ThreadLocalSessionManager.getSession(ThreadLocalSessionManager.java:570)
          at hermes.impl.jms.AbstractSessionManager.getDestination(AbstractSessionManager.java:460)
  13.     at hermes.impl.DefaultHermesImpl.getDestination(DefaultHermesImpl.java:367)
          at hermes.browser.tasks.BrowseDestinationTask.invoke(BrowseDestinationTask.java:141)
          at hermes.browser.tasks.TaskSupport.run(TaskSupport.java:175)
          at hermes.browser.tasks.ThreadPool.run(ThreadPool.java:170)
          at java.lang.Thread.run(Thread.java:619)
      Caused by: com.ibm.mq.jmqi.JmqiException: CC=2;RC=2059;AMQ9204: Connection to host 127.0.0.1(1418) rejected.[1=com.ibm.mq.jmqi.JmqiException[CC=2;RC=2059;AMQ9643: Remote SSL peer name error for channel qm5_ch3_ma.[3=qm5_ch3_ma]],3=127.0.0.1(1418),5=RemoteConnection.analyseErrorSegment]
          at com.ibm.mq.jmqi.remote.internal.RemoteFAP.jmqiConnect(RemoteFAP.java:1809)
          at com.ibm.msg.client.wmq.internal.WMQConnection.<init>(WMQConnection.java:336)
          ... 20 more
      Caused by: com.ibm.mq.jmqi.JmqiException: CC=2;RC=2059;AMQ9643: Remote SSL peer name error for channel qm5_ch3_ma.[3=qm5_ch3_ma]
          at com.ibm.mq.jmqi.remote.internal.system.RemoteConnection.analyseErrorSegment(RemoteConnection.java:4223)
          at com.ibm.mq.jmqi.remote.internal.system.RemoteConnection.receiveTSH(RemoteConnection.java:2822)
          at com.ibm.mq.jmqi.remote.internal.system.RemoteConnection.initSess(RemoteConnection.java:1399)
          at com.ibm.mq.jmqi.remote.internal.system.RemoteConnection.connect(RemoteConnection.java:1078)
          at com.ibm.mq.jmqi.remote.internal.system.RemoteConnectionPool.getConnection(RemoteConnectionPool.java:338)
          at com.ibm.mq.jmqi.remote.internal.RemoteFAP.jmqiConnect(RemoteFAP.java:1488)
          ... 21 more
  14. Adjust SSLPeer to be the same as the client cert's DN name; this should allow Hermes to be successfully authenticated with MA, plus DN validation.

      Test result with MA and DN lock-down on the MQ server side.

      Hermes, as a JMS client, can also request the MQ cert's DN for SSLPeer validation. That is, the MQ client can check the DN name of the MQ server's SSL cert. Below is the MQ server cert labelled ibmwebspheremq<QMGR>, i.e. "ibmwebspheremqqm5", with CN = qm5.
  15. Hermes needs SSLPeerName set up so that it checks the MQ server's cert for "cn=qm5".

      SSLCipherSuite   SSL_RSA_WITH_3DES_EDE_CBC_SHA
      channel          qm5_ch3_ma
      hostName         127.0.0.1
      port             1418
      queueManager     QM5
      transportType    1
      SSLPeerName      cn=qm5
  16. Try the "cn=qm5-bad-PEERNAME"

      com.ibm.mq.MQException: JMSCMQ0001: WebSphere MQ call failed with compcode 2 (MQCC_FAILED) reason 2398 (MQRC_SSL_PEER_NAME_MISMATCH).
      Caused by: com.ibm.mq.jmqi.JmqiException: CC=2;RC=2398;AMQ9204: Connection to host 127.0.0.1(1418) rejected.[1=com.ibm.mq.jmqi.JmqiException[CC=2;RC=2398;AMQ9636: SSL distinguished name does not match peer name, channel ?.[4=CN=qm5, C=US]],3=127.0.0.1(1418),5=RemoteTCPConnection.protocolConnect]
      Caused by: com.ibm.mq.jmqi.JmqiException: CC=2;RC=2398;AMQ9636: SSL distinguished name does not match peer name, channel ?.[4=CN=qm5, C=US]
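An added example, not part of the original slides: a JDK-only pre-flight check that reads the same javax.net.ssl.* system properties Hermes.bat sets, confirms the truststore holds a certificate whose DN satisfies the SSLPeerName, and confirms the keystore has a private-key entry to present for MA. The class name MqTlsPreflight and the subset-style DN comparison are assumptions made here; it needs Java 7 or later, falls back to cacerts only (not jssecacerts), and treats the queue manager cert as self-signed, as on these slides.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.*;
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;

// Added example (hypothetical class name): checks the JSSE stores before HermesJMS connects.
public class MqTlsPreflight {

    // Simplified peer-name test: every RDN of the expected name must appear in the
    // certificate subject. Rdn.equals ignores case; MQ wildcard syntax is not handled.
    static boolean peerNameMatches(String expected, String subjectDn) throws InvalidNameException {
        List<Rdn> subject = new LdapName(subjectDn).getRdns();
        for (Rdn wanted : new LdapName(expected).getRdns()) {
            if (!subject.contains(wanted)) return false;
        }
        return true;
    }

    // Flags certificate properties that break or weaken the handshake.
    static List<String> findings(X509Certificate cert, Date now) {
        List<String> out = new ArrayList<String>();
        if (now.after(cert.getNotAfter())) out.add("expired on " + cert.getNotAfter());
        if (now.before(cert.getNotBefore())) out.add("not valid until " + cert.getNotBefore());
        String sig = cert.getSigAlgName().toUpperCase();
        if (sig.startsWith("MD2") || sig.startsWith("MD5") || sig.startsWith("SHA1")) {
            out.add("weak signature algorithm " + sig);
        }
        return out;
    }

    // A null password skips the integrity check, which is enough for reading certificates.
    static KeyStore load(String path, String password, String type) throws Exception {
        KeyStore ks = KeyStore.getInstance(type);
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password == null ? null : password.toCharArray());
        }
        return ks;
    }

    // Prints every X.509 entry that passes the filters and returns how many were found.
    static int report(KeyStore ks, boolean keyEntriesOnly, String peer, String label) throws Exception {
        int hits = 0;
        for (String alias : Collections.list(ks.aliases())) {
            if (keyEntriesOnly && !ks.isKeyEntry(alias)) continue;
            Certificate c = ks.getCertificate(alias);
            if (!(c instanceof X509Certificate)) continue;
            X509Certificate x = (X509Certificate) c;
            String dn = x.getSubjectX500Principal().getName();
            if (peer != null && !peerNameMatches(peer, dn)) continue;
            hits++;
            System.out.println(label + " '" + alias + "': " + dn);
            for (String f : findings(x, new Date())) System.out.println("  WARNING: " + f);
        }
        return hits;
    }

    public static void main(String[] args) throws Exception {
        String peer = args.length > 0 ? args[0] : "cn=qm5"; // SSLPeerName value used on the slides
        String trustPath = System.getProperty("javax.net.ssl.trustStore",
                System.getProperty("java.home") + "/lib/security/cacerts");
        String trustType = System.getProperty("javax.net.ssl.trustStoreType", KeyStore.getDefaultType());
        KeyStore trust = load(trustPath, System.getProperty("javax.net.ssl.trustStorePassword"), trustType);
        if (report(trust, false, peer, "trusted certificate matching " + peer) == 0) {
            System.out.println("No trusted certificate matches " + peer + " in " + trustPath);
        }

        String keyPath = System.getProperty("javax.net.ssl.keyStore");
        if (keyPath == null) {
            System.out.println("javax.net.ssl.keyStore is not set: no client certificate can be presented");
            return;
        }
        String keyType = System.getProperty("javax.net.ssl.keyStoreType", KeyStore.getDefaultType());
        KeyStore keys = load(keyPath, System.getProperty("javax.net.ssl.keyStorePassword"), keyType);
        if (report(keys, true, null, "client key entry") == 0) {
            System.out.println("No private-key entry in " + keyPath + ": mutual authentication will fail");
        }
    }
}
```

Run it with the same -Djavax.net.ssl.* options as Hermes.bat and pass the expected peer name as the first argument; the DN printed for the client key entry is the value the channel's SSLPeer has to accept.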
  17. jre\lib\security\cacerts listing.

      C:\Program Files (x86)\Java\jdk1.6.0_13\bin> keytool -list -v -keystore ..\jre\lib\security\cacerts
      Enter keystore password:
      Keystore type: JKS
      Keystore provider: SUN
      Your keystore contains 72 entries
  23. com.ibm.mq.MQException: JMSCMQ0001: WebSphere MQ call failed with compcode 2 (MQCC_FAILED) reason 2397 (MQRC_JSSE_ERROR).
          at com.ibm.msg.client.wmq.common.internal.Reason.createException(Reason.java:223)
          at com.ibm.msg.client.wmq.internal.WMQConnection.<init>(WMQConnection.java:421)
          at com.ibm.msg.client.wmq.factories.WMQConnectionFactory.createV7ProviderConnection(WMQConnectionFactory.java:6807)
          at com.ibm.msg.client.wmq.factories.WMQConnectionFactory.createProviderConnection(WMQConnectionFactory.java:6204)
          at com.ibm.msg.client.jms.admin.JmsConnectionFactoryImpl.createConnection(JmsConnectionFactoryImpl.java:278)
          at com.ibm.mq.jms.MQConnectionFactory.createCommonConnection(MQConnectionFactory.java:6155)
          at com.ibm.mq.jms.MQQueueConnectionFactory.createQueueConnection(MQQueueConnectionFactory.java:115)
          at com.ibm.mq.jms.MQQueueConnectionFactory.createConnection(MQQueueConnectionFactory.java:198)
          at hermes.impl.jms.ConnectionManagerSupport.createConnection(ConnectionManagerSupport.java:122)
          at hermes.impl.jms.ConnectionManagerSupport.createConnection(ConnectionManagerSupport.java:92)
          at hermes.impl.jms.ConnectionSharedManager.reconnect(ConnectionSharedManager.java:81)
          at hermes.impl.jms.ConnectionSharedManager.connect(ConnectionSharedManager.java:91)
          at hermes.impl.jms.ConnectionSharedManager.getConnection(ConnectionSharedManager.java:104)
  24.     at hermes.impl.jms.ConnectionSharedManager.getObject(ConnectionSharedManager.java:142)
          at hermes.impl.jms.ThreadLocalSessionManager.connect(ThreadLocalSessionManager.java:190)
          at hermes.impl.jms.ThreadLocalSessionManager.getSession(ThreadLocalSessionManager.java:570)
          at hermes.impl.jms.AbstractSessionManager.getDestination(AbstractSessionManager.java:460)
          at hermes.impl.DefaultHermesImpl.getDestination(DefaultHermesImpl.java:367)
          at hermes.browser.tasks.BrowseDestinationTask.invoke(BrowseDestinationTask.java:141)
          at hermes.browser.tasks.TaskSupport.run(TaskSupport.java:175)
          at hermes.browser.tasks.ThreadPool.run(ThreadPool.java:170)
          at java.lang.Thread.run(Thread.java:619)
      Caused by: com.ibm.mq.jmqi.JmqiException: CC=2;RC=2397;AMQ9204: Connection to host 127.0.0.1(1418) rejected. [1=com.ibm.mq.jmqi.JmqiException[CC=2;RC=2397;AMQ9771: SSL handshake failed. [1=java.net.SocketException[java.security.NoSuchAlgorithmException: Error constructing implementation (algorithm: Default, provider: SunJSSE, class: com.sun.net.ssl.internal.ssl.DefaultSSLContextImpl)],3=Seri-THINK/127.0.0.1:1418 (Seri-THINK),4=SSLSocket.createSocket,5=default]],3=127.0.0.1(1418),5=RemoteTCPConnection.makeSocketSecure]
          at com.ibm.mq.jmqi.remote.internal.RemoteFAP.jmqiConnect(RemoteFAP.java:1809)
          at com.ibm.msg.client.wmq.internal.WMQConnection.<init>(WMQConnection.java:336)
          ... 20 more
      Caused by: com.ibm.mq.jmqi.JmqiException: CC=2;RC=2397;AMQ9771: SSL handshake failed. [1=java.net.SocketException[java.security.NoSuchAlgorithmException: Error constructing implementation (algorithm: Default, provider: SunJSSE, class: com.sun.net.ssl.internal.ssl.DefaultSSLContextImpl)],3=Seri-THINK/127.0.0.1:1418 (Seri-THINK),4=SSLSocket.createSocket,5=default]
          at com.ibm.mq.jmqi.remote.internal.RemoteTCPConnection.makeSocketSecure(RemoteTCPConnection.java:1621)
          at com.ibm.mq.jmqi.remote.internal.RemoteTCPConnection.connnectUsingLocalAddress(RemoteTCPConnection.java:618)
  25.     at com.ibm.mq.jmqi.remote.internal.RemoteTCPConnection.protocolConnect(RemoteTCPConnection.java:935)
          at com.ibm.mq.jmqi.remote.internal.system.RemoteConnection.connect(RemoteConnection.java:1075)
          at com.ibm.mq.jmqi.remote.internal.system.RemoteConnectionPool.getConnection(RemoteConnectionPool.java:338)
          at com.ibm.mq.jmqi.remote.internal.RemoteFAP.jmqiConnect(RemoteFAP.java:1488)
          ... 21 more
      Caused by: java.net.SocketException: java.security.NoSuchAlgorithmException: Error constructing implementation (algorithm: Default, provider: SunJSSE, class: com.sun.net.ssl.internal.ssl.DefaultSSLContextImpl)
          at javax.net.ssl.DefaultSSLSocketFactory.throwException(SSLSocketFactory.java:179)
          at javax.net.ssl.DefaultSSLSocketFactory.createSocket(SSLSocketFactory.java:199)
          at com.ibm.mq.jmqi.remote.internal.RemoteTCPConnection.makeSocketSecure(RemoteTCPConnection.java:1614)
          ... 26 more
      Caused by: java.security.NoSuchAlgorithmException: Error constructing implementation (algorithm: Default, provider: SunJSSE, class: com.sun.net.ssl.internal.ssl.DefaultSSLContextImpl)
          at java.security.Provider$Service.newInstance(Provider.java:1245)
          at sun.security.jca.GetInstance.getInstance(GetInstance.java:220)
          at sun.security.jca.GetInstance.getInstance(GetInstance.java:147)
          at javax.net.ssl.SSLContext.getInstance(SSLContext.java:125)
          at javax.net.ssl.SSLContext.getDefault(SSLContext.java:68)
          at javax.net.ssl.SSLSocketFactory.getDefault(SSLSocketFactory.java:102)
          at com.ibm.mq.jmqi.remote.internal.RemoteTCPConnection.chooseSocketFactory(RemoteTCPConnection.java:2073)
  26.     at com.ibm.mq.jmqi.remote.internal.RemoteTCPConnection.makeSocketSecure(RemoteTCPConnection.java:1604)
          ... 26 more
      Caused by: java.security.NoSuchProviderException: no such provider: sun.security.provider.Sun11
          at sun.security.jca.GetInstance.getService(GetInstance.java:66)
          at sun.security.jca.GetInstance.getInstance(GetInstance.java:190)
          at java.security.Security.getImpl(Security.java:662)
          at java.security.KeyStore.getInstance(KeyStore.java:632)
          at com.sun.net.ssl.internal.ssl.DefaultSSLContextImpl.getDefaultKeyManager(DefaultSSLContextImpl.java:145)
          at com.sun.net.ssl.internal.ssl.DefaultSSLContextImpl.<init>(DefaultSSLContextImpl.java:40)
          at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
          at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:39)
          at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:27)
          at java.lang.reflect.Constructor.newInstance(Constructor.java:513)
          at java.lang.Class.newInstance0(Class.java:355)
          at java.lang.Class.newInstance(Class.java:308)
          at java.security.Provider$Service.newInstance(Provider.java:1221)
          ... 33 more
