I am trying to set up a 2 way SSl using my java code. I am successful doing it one way that is server certificate gets validated from my side but when it comes to two way I get a 2397 Error code.
Steps followed by me are:
- Create a keystore with a self-signed certificate using Keytool, deploy it in truststore of MQ server.
- Create a keystore for MQ server and create a self-signed certificate.
- Deploy MQ server's certificate in my truststore.
Then I try to run my java Code. This works fine without SSL or One way SSL.But two way handshake if failing. Below is the code and stack trace:
//code to create MQ connectivity public static void main(String [] args){ System.setProperty("javax.net.debug","ssl"); //keystore path System.setProperty("javax.net.ssl.keyStore", "C:/keystores/keystore.jks"); System.setProperty("javax.net.ssl.keyStorePassword", "password"); //trsutstore path System.setProperty("javax.net.ssl.trustStore", "C:/keystores/truststore.jks"); System.setProperty("javax.net.ssl.trustStorePassword", "password"); //cipher spec MQEnvironment.sslCipherSuite = "SSL_RSA_WITH_NULL_MD5"; MQEnvironment.hostname = "*****-ws3717";//system name MQEnvironment.port = 1414; MQEnvironment.channel = "channel_name";//channel name MQQueueManager qm = null; try { qm = new MQQueueManager("QMNGR"); System.out.println("Conn Successs!!!"); } catch (MQException e) { e.printStackTrace(); } finally { try { qm.disconnect(); } catch (Exception e) { e.printStackTrace(); e.getCause(); } } } } Stack Trace is as follows:
keyStore is : C:/keystores/keystore.jks keyStore type is : jks keyStore provider is : init keystore init keymanager of type SunX509 *** found key for : selfsigned chain [0] = [ [ Version: V3 Subject: CN=Pooja Joshi, OU=SGW, O=SUNGARD, L=PUNE, ST=MH, C=IN Signature Algorithm: MD5withRSA, OID = 1.2.840.113549.1.1.4 Key: Sun RSA public key, 1024 bits modulus: 132473562370742919150140985227175013875110053845431438145351913928668686945002725183702560702247749924970161010103451411451345824467592557656888776558245848713650717773344294766986771753500118311618188922138349812131167438364266468003061810102502957510761089213138803410346480285664890149111581898928681089463 public exponent: 65537 Validity: [From: Fri May 25 13:54:00 IST 2012, To: Sat May 25 13:54:00 IST 2013] Issuer: CN=Pooja Joshi, OU=SGW, O=SUNGARD, L=PUNE, ST=MH, C=IN SerialNumber: [ 4fbf41a0] ] Algorithm: [MD5withRSA] Signature: 0000: 46 D0 CC DF AB 5F 6F D3 37 33 E1 64 F7 1B F7 3F F...._o.73.d...? 0010: 98 95 06 09 F9 84 C8 3A 65 CF A7 24 BB 46 95 DF .......:e..$.F.. 0020: 8B 30 F2 BC 5C F9 CC 31 E4 36 53 43 BB 50 1B EF .0..\..1.6SC.P.. 0030: 8C 9B DB C0 41 C9 2C 37 AD B6 1D 30 BF 6E 75 E4 ....A.,7...0.nu. 0040: A9 05 E7 30 5A B1 30 84 6B 8E B7 7A 83 2D 33 01 ...0Z.0.k..z.-3. 0050: A1 44 86 A0 11 30 C3 4D 5B 68 7E 0B 09 48 03 CC .D...0.M[h...H.. 0060: DF C5 97 AD 87 40 DC 2A 9A 3D ED FC 27 D3 8B 4F .....@.*.=..'..O 0070: F0 21 02 E8 62 6B 05 63 57 BB E8 4D 33 EA 35 9E .!..bk.cW..M3.5. ] *** trustStore is: C:\keystores\truststore.jks trustStore type is : jks trustStore provider is : init truststore adding as trusted cert: Subject: CN=Pooja Joshi, OU=SGW, O=SUNGARD, L=PUNE, ST=MH, C=IN Issuer: CN=Pooja Joshi, OU=SGW, O=SUNGARD, L=PUNE, ST=MH, C=IN Algorithm: RSA; Serial number: 0x4fbf4261 Valid from Fri May 25 13:57:13 IST 2012 until Sat May 25 13:57:13 IST 2013 trigger seeding of SecureRandom done seeding SecureRandom Allow unsafe renegotiation: false Allow legacy hello messages: true Is initial handshake: true Is secure renegotiation: false %% No cached client session *** ClientHello, SSLv3 RandomCookie: GMT: 1321485794 bytes = { 138, 193, 95, 113, 86, 252, 250, 50, 154, 121, 73, 8, 93, 116, 115, 184, 182, 142, 240, 205, 15, 250, 172, 171, 111, 5, 122, 52 } Session ID: {} Cipher Suites: [SSL_RSA_WITH_NULL_MD5] Compression Methods: { 0 } Extension renegotiation_info, renegotiated_connection: <empty> *** main, WRITE: SSLv3 Handshake, length = 52 main, READ: SSLv3 Handshake, length = 4875 *** ServerHello, SSLv3 RandomCookie: GMT: 1321485794 bytes = { 250, 173, 248, 90, 241, 136, 107, 119, 99, 92, 80, 19, 223, 223, 152, 131, 216, 115, 242, 56, 198, 135, 156, 111, 210, 234, 220, 103 } Session ID: {240, 31, 0, 0, 80, 56, 194, 89, 112, 238, 203, 154, 79, 75, 68, 48, 106, 203, 19, 130, 88, 88, 88, 88, 226, 70, 196, 79, 13, 0, 0, 0} Cipher Suite: SSL_RSA_WITH_NULL_MD5 Compression Method: 0 *** Warning: No renegotiation indication extension in ServerHello %% Created: [Session-1, SSL_RSA_WITH_NULL_MD5] ** SSL_RSA_WITH_NULL_MD5 *** Certificate chain chain [0] = [ [ Version: V3 Subject: CN=Pooja Joshi, OU=SGW, O=SUNGARD, L=PUNE, ST=MH, C=IN Signature Algorithm: MD5withRSA, OID = 1.2.840.113549.1.1.4 Key: Sun RSA public key, 1024 bits modulus: 105605049659295333895264877648371480987144339115417104117025065956957634413900327625548229515098843172709660865042903412409581107015480309223474293490705595126088958625491899627683399717294708677347640098462040771799700233921554682196524988217754821345297656825451441457385676164016790486091736694366149540953 public exponent: 65537 Validity: [From: Fri May 25 13:57:13 IST 2012, To: Sat May 25 13:57:13 IST 2013] Issuer: CN=Pooja Joshi, OU=SGW, O=SUNGARD, L=PUNE, ST=MH, C=IN SerialNumber: [ 4fbf4261] ] Algorithm: [MD5withRSA] Signature: 0000: 81 F5 2C 2A 77 63 F1 CD D8 31 E1 BE B5 9B 28 C5 ..,*wc...1....(. 0010: 6B EA 24 BB 5C 3D EB D0 EB E3 86 2E D7 1C 0D 92 k.$.\=.......... 0020: 36 A2 79 13 BC 74 40 C4 BF 7C F7 1B 05 8C 6B CF [email protected]. 0030: EB 2C C2 0D E3 40 F7 F0 95 66 B6 85 AE 84 66 C9 .,[email protected]. 0040: B7 C5 29 BE 71 1F 28 C0 83 1C 94 41 08 2A 44 45 ..).q.(....A.*DE 0050: 99 FD C5 77 28 26 FC 50 A3 69 32 BD F5 8B 0C A6 ...w(&.P.i2..... 0060: 13 21 0F BA B2 C6 A2 71 18 17 94 31 3B 7E 88 63 .!.....q...1;..c 0070: C0 01 76 DC 60 47 BB 3F 2F 7E 2A 73 84 DA 60 79 ..v.`G.?/.*s..`y ] *** Found trusted certificate: [ [ Version: V3 Subject: CN=Pooja Joshi, OU=SGW, O=SUNGARD, L=PUNE, ST=MH, C=IN Signature Algorithm: MD5withRSA, OID = 1.2.840.113549.1.1.4 Key: Sun RSA public key, 1024 bits modulus: 105605049659295333895264877648371480987144339115417104117025065956957634413900327625548229515098843172709660865042903412409581107015480309223474293490705595126088958625491899627683399717294708677347640098462040771799700233921554682196524988217754821345297656825451441457385676164016790486091736694366149540953 public exponent: 65537 Validity: [From: Fri May 25 13:57:13 IST 2012, To: Sat May 25 13:57:13 IST 2013] Issuer: CN=Pooja Joshi, OU=SGW, O=SUNGARD, L=PUNE, ST=MH, C=IN SerialNumber: [ 4fbf4261] ] Algorithm: [MD5withRSA] Signature: 0000: 81 F5 2C 2A 77 63 F1 CD D8 31 E1 BE B5 9B 28 C5 ..,*wc...1....(. 0010: 6B EA 24 BB 5C 3D EB D0 EB E3 86 2E D7 1C 0D 92 k.$.\=.......... 0020: 36 A2 79 13 BC 74 40 C4 BF 7C F7 1B 05 8C 6B CF [email protected]. 0030: EB 2C C2 0D E3 40 F7 F0 95 66 B6 85 AE 84 66 C9 .,[email protected]. 0040: B7 C5 29 BE 71 1F 28 C0 83 1C 94 41 08 2A 44 45 ..).q.(....A.*DE 0050: 99 FD C5 77 28 26 FC 50 A3 69 32 BD F5 8B 0C A6 ...w(&.P.i2..... 0060: 13 21 0F BA B2 C6 A2 71 18 17 94 31 3B 7E 88 63 .!.....q...1;..c 0070: C0 01 76 DC 60 47 BB 3F 2F 7E 2A 73 84 DA 60 79 ..v.`G.?/.*s..`y ] *** CertificateRequest Cert Types: RSA Cert Authorities: <[email protected], CN=Thawte Server CA, OU=Certification Services Division, O=Thawte Consulting cc, L=Cape Town, ST=Western Cape, C=ZA> <[email protected], CN=Thawte Premium Server CA, OU=Certification Services Division, O=Thawte Consulting cc, L=Cape Town, ST=Western Cape, C=ZA> <[email protected], CN=Thawte Personal Basic CA, OU=Certification Services Division, O=Thawte Consulting, L=Cape Town, ST=Western Cape, C=ZA> <[email protected], CN=Thawte Personal Freemail CA, OU=Certification Services Division, O=Thawte Consulting, L=Cape Town, ST=Western Cape, C=ZA> <[email protected], CN=Thawte Personal Premium CA, OU=Certification Services Division, O=Thawte Consulting, L=Cape Town, ST=Western Cape, C=ZA> <CN=VeriSign Class 1 Public Primary Certification Authority - G3, OU="(c) 1999 VeriSign, Inc. - For authorized use only", OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US> <CN=VeriSign Class 2 Public Primary Certification Authority - G3, OU="(c) 1999 VeriSign, Inc. - For authorized use only", OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US> <CN=VeriSign Class 3 Public Primary Certification Authority - G3, OU="(c) 1999 VeriSign, Inc. - For authorized use only", OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US> <CN=VeriSign Class 4 Public Primary Certification Authority - G3, OU="(c) 1999 VeriSign, Inc. - For authorized use only", OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US> <OU=VeriSign Trust Network, OU="(c) 1998 VeriSign, Inc. - For authorized use only", OU=Class 1 Public Primary Certification Authority - G2, O="VeriSign, Inc.", C=US> <OU=VeriSign Trust Network, OU="(c) 1998 VeriSign, Inc. - For authorized use only", OU=Class 2 Public Primary Certification Authority - G2, O="VeriSign, Inc.", C=US> <OU=VeriSign Trust Network, OU="(c) 1998 VeriSign, Inc. - For authorized use only", OU=Class 3 Public Primary Certification Authority - G2, O="VeriSign, Inc.", C=US> <OU=VeriSign Trust Network, OU="(c) 1998 VeriSign, Inc. - For authorized use only", OU=Class 4 Public Primary Certification Authority - G2, O="VeriSign, Inc.", C=US> <OU=Class 1 Public Primary Certification Authority, O="VeriSign, Inc.", C=US> <OU=Class 2 Public Primary Certification Authority, O="VeriSign, Inc.", C=US> <OU=Class 3 Public Primary Certification Authority, O="VeriSign, Inc.", C=US> <CN=VeriSign Class 3 Secure Server CA, OU=Terms of use at (c)05, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US> <CN=Entrust.net Secure Server Certification Authority, OU=(c) 1999 Entrust.net Limited, OU= incorp. by ref. (limits liab.), O=Entrust.net, C=US> <CN=Entrust.net Certification Authority (2048), OU=(c) 1999 Entrust.net Limited, OU= incorp. by ref. (limits liab.), O=Entrust.net> <CN=Entrust.net Client Certification Authority, OU=(c) 1999 Entrust.net Limited, OU= incorp. by ref. limits liab., O=Entrust.net, C=US> <CN=Entrust.net Client Certification Authority, OU=(c) 2000 Entrust.net Limited, OU= incorp. by ref. (limits liab.), O=Entrust.net> <CN=Entrust.net Secure Server Certification Authority, OU=(c) 2000 Entrust.net Limited, OU= incorp. by ref. (limits liab.), O=Entrust.net> <CN=Pooja Joshi, OU=SGW, O=SUNGARD, L=PUNE, ST=MH, C=IN> *** ServerHelloDone matching alias: selfsigned *** Certificate chain chain [0] = [ [ Version: V3 Subject: CN=Pooja Joshi, OU=SGW, O=SUNGARD, L=PUNE, ST=MH, C=IN Signature Algorithm: MD5withRSA, OID = 1.2.840.113549.1.1.4 Key: Sun RSA public key, 1024 bits modulus: 132473562370742919150140985227175013875110053845431438145351913928668686945002725183702560702247749924970161010103451411451345824467592557656888776558245848713650717773344294766986771753500118311618188922138349812131167438364266468003061810102502957510761089213138803410346480285664890149111581898928681089463 public exponent: 65537 Validity: [From: Fri May 25 13:54:00 IST 2012, To: Sat May 25 13:54:00 IST 2013] Issuer: CN=Pooja Joshi, OU=SGW, O=SUNGARD, L=PUNE, ST=MH, C=IN SerialNumber: [ 4fbf41a0] ] Algorithm: [MD5withRSA] Signature: 0000: 46 D0 CC DF AB 5F 6F D3 37 33 E1 64 F7 1B F7 3F F...._o.73.d...? 0010: 98 95 06 09 F9 84 C8 3A 65 CF A7 24 BB 46 95 DF .......:e..$.F.. 0020: 8B 30 F2 BC 5C F9 CC 31 E4 36 53 43 BB 50 1B EF .0..\..1.6SC.P.. 0030: 8C 9B DB C0 41 C9 2C 37 AD B6 1D 30 BF 6E 75 E4 ....A.,7...0.nu. 0040: A9 05 E7 30 5A B1 30 84 6B 8E B7 7A 83 2D 33 01 ...0Z.0.k..z.-3. 0050: A1 44 86 A0 11 30 C3 4D 5B 68 7E 0B 09 48 03 CC .D...0.M[h...H.. 0060: DF C5 97 AD 87 40 DC 2A 9A 3D ED FC 27 D3 8B 4F .....@.*.=..'..O 0070: F0 21 02 E8 62 6B 05 63 57 BB E8 4D 33 EA 35 9E .!..bk.cW..M3.5. ] *** *** ClientKeyExchange, RSA PreMasterSecret, SSLv3 main, WRITE: SSLv3 Handshake, length = 711 SESSION KEYGEN: PreMaster Secret: 0000: 03 00 3D 04 C8 EF 08 83 A4 EF 85 1C D9 96 A0 77 ..=............w 0010: 32 2A A5 43 14 98 11 6F DD 01 52 73 4D DF B4 5A 2*.C...o..RsM..Z 0020: C5 2E FC 2A C0 F6 C2 9B 11 23 B2 C0 7B 59 E8 96 ...*.....#...Y.. CONNECTION KEYGEN: Client Nonce: 0000: 4F C4 46 E2 8A C1 5F 71 56 FC FA 32 9A 79 49 08 O.F..._qV..2.yI. 0010: 5D 74 73 B8 B6 8E F0 CD 0F FA AC AB 6F 05 7A 34 ]ts.........o.z4 Server Nonce: 0000: 4F C4 46 E2 FA AD F8 5A F1 88 6B 77 63 5C 50 13 O.F....Z..kwc\P. 0010: DF DF 98 83 D8 73 F2 38 C6 87 9C 6F D2 EA DC 67 .....s.8...o...g Master Secret: 0000: C0 20 A8 BC D1 A7 06 B0 C5 07 CA A7 83 C5 35 9E . ............5. 0010: 20 AB B6 28 8C 7E EF 14 CB 9D C1 ED C5 62 F8 A1 ..(.........b.. 0020: 6A DE 9F AF 16 5B 2F 1D 21 8F A3 2C F7 B9 3D 36 j....[/.!..,..=6 Client MAC write Secret: 0000: 09 E8 CE 6C D1 2D 43 86 7E 74 1C 5F 68 DA E2 AE ...l.-C..t._h... Server MAC write Secret: 0000: CE 62 DA F7 2C F2 2B 4A AD 47 8F 61 BD 58 51 BD .b..,.+J.G.a.XQ. ... no encryption keys used ... no IV used for this cipher *** CertificateVerify main, WRITE: SSLv3 Handshake, length = 134 main, WRITE: SSLv3 Change Cipher Spec, length = 1 *** Finished verify_data: { 4, 127, 139, 212, 93, 181, 170, 62, 121, 196, 243, 156, 251, 103, 206, 222, 2, 10, 84, 35, 186, 251, 144, 6, 31, 97, 135, 179, 160, 127, 204, 93, 100, 140, 74, 79 } *** main, WRITE: SSLv3 Handshake, length = 56 main, waiting for close_notify or alert: state 1 main, Exception while waiting for close java.net.SocketException: Software caused connection abort: recv failed main, handling exception: java.net.SocketException: Software caused connection abort: recv failed MQJE001: An MQException occurred: Completion Code 2, Reason 2397 MQJE030: IOException during security flows MQJE001: Completion Code 2, Reason 2397 com.ibm.mq.MQException: MQJE001: Completion Code 2, Reason 2397 at com.ibm.mq.MQManagedConnectionJ11.<init>(MQManagedConnectionJ11.java:219) at com.ibm.mq.MQClientManagedConnectionFactoryJ11._createManagedConnection(MQClientManagedConnectionFactoryJ11.java:318) at com.ibm.mq.MQClientManagedConnectionFactoryJ11.createManagedConnection(MQClientManagedConnectionFactoryJ11.java:338) at com.ibm.mq.StoredManagedConnection.<init>(StoredManagedConnection.java:84) at com.ibm.mq.MQSimpleConnectionManager.allocateConnection(MQSimpleConnectionManager.java:168) at com.ibm.mq.MQQueueManagerFactory.obtainBaseMQQueueManager(MQQueueManagerFactory.java:772) at com.ibm.mq.MQQueueManagerFactory.procure(MQQueueManagerFactory.java:697) at com.ibm.mq.MQQueueManagerFactory.constructQueueManager(MQQueueManagerFactory.java:657) at com.ibm.mq.MQQueueManagerFactory.createQueueManager(MQQueueManagerFactory.java:153) at com.ibm.mq.MQQueueManager.<init>(MQQueueManager.java:451) at com.test.SSlTest.main(SSlTest.java:68) Caused by: java.net.SocketException: Software caused connection abort: recv failed at java.net.SocketInputStream.socketRead0(Native Method) at java.net.SocketInputStream.read(SocketInputStream.java:129) at com.sun.net.ssl.internal.ssl.InputRecord.readFully(InputRecord.java:293) at com.sun.net.ssl.internal.ssl.InputRecord.read(InputRecord.java:331) at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:798) at com.sun.net.ssl.internal.ssl.SSLSocketImpl.waitForClose(SSLSocketImpl.java:1493) at com.sun.net.ssl.internal.ssl.HandshakeOutStream.flush(HandshakeOutStream.java:103) at com.sun.net.ssl.internal.ssl.Handshaker.sendChangeCipherSpec(Handshaker.java:689) at com.sun.net.ssl.internal.ssl.ClientHandshaker.sendChangeCipherAndFinish(ClientHandshaker.java:985) at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverHelloDone(ClientHandshaker.java:904) at com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:238) at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Handshaker.java:593) at com.sun.net.ssl.internal.ssl.Handshaker.process_record(Handshaker.java:529) at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:893) at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1138) at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1165) at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1149) at com.ibm.mq.SSLHelper.configureSSLSocket(SSLHelper.java:567) at com.ibm.mq.SSLHelper.createSSLSocket(SSLHelper.java:150) at com.ibm.mq.MQInternalCommunications.createSocketConnection(MQInternalCommunications.java:2264) at com.ibm.mq.MQv6InternalCommunications$1.run(MQv6InternalCommunications.java:157) at java.security.AccessController.doPrivileged(Native Method) at com.ibm.mq.MQv6InternalCommunications.initialize(MQv6InternalCommunications.java:154) at com.ibm.mq.MQv6InternalCommunications.<init>(MQv6InternalCommunications.java:102) at com.ibm.mq.MQSESSIONClient.MQCONNX(MQSESSIONClient.java:1337) at com.ibm.mq.MQSESSIONClient.MQCONN(MQSESSIONClient.java:1246) at com.ibm.mq.MQManagedConnectionJ11.<init>(MQManagedConnectionJ11.java:184) ... 10 more Kindly help me....
1 Answer
Your debugging process is perfect! When setting up SSL for the first time, always test first without SSL (validates channel name spelling, listener port, etc.), then check with anonymous SSL (validates that the client can validate the QMgr's certificate) then finally check with mutually authenticated SSL.
In this case the failure is in that final step. By this point we know that the QMgr can read it's KDB and that the client can read its trust store. There are very few possible issues at this point and the primary ones are that the client cannot find its private key or that the QMgr cannot validate the client's key.
Since the trace shows the client is able to access its key, we know that's not the problem. In most cases then, this points to a problem on the QMgr's side. There are two problems typical in this case.
- The client's key is not properly loaded into the QMgr's keystore (or perhaps a prior version of the key is loaded).
- The QMgr does not have the current version of the KDB loaded.
Since you provided the stack trace and all other aspects of key exchange appear to be good, I'm going to take a wild guess and say the cause is #2 above. If so then it is easily fixed. You can use runmqsc to enter the command REFRESH SECURITY TYPE(SSL) which causes the QMgr to stop all SSL channels and flush the KDB from its cache. There is an equivalent command in WMQ Explorer found by right-clicking on the QMgr. Or just bounce the QMgr, which accomplishes the same thing. Either of these methods result in the QMgr reloading the KDB which gives it access to the new certificate.
UPDATE:
Sorry that was not the issue. Can you recreate the failure and look at the QMgr's error logs? You should see the error at the bottom of /var/mqm/qmgrs/<qmgrname>/errors/AMQERR01.LOG right after the failure.
You can also dump the certificate details on the client and QMgr to verify they match and are marked as trusted in the QMgr's kdb. You already know how to do this with keytool. Depending on your version of WMQ server, you can use gsk7capicmd or gsk8capicmd or with WMQ v7.1 runmqakm. First dump the QMgr's KDB using the -cert -list command, then dump the client's cert using the -cert -details and post the results as an update to your question.
The commands will give you help with the needed parameters. If you want the deep details, go to where you will find links to the GSKit 7 and GSKit 8 manuals about halfway down the page. The runmqakm command is a wrapper over GSKit 8 so if the QMgr is running WMQ v7.1 use the GSKit 8 manual.