Prerequisites:
- For Connect 10r560+
- install WebSphere 9.0.0.10+ with JDK 8
- install WebSphere MQ 9.0+
WebSphere Configuration:
- Login in to WebSphere Administrative Console
- Navigate to Security - Global Security
- Expand RMI/IIOP security
- Click CSIv2 inbound communications
- Select SSL-Required on CSIv2 Transport Layer - Transport
- Click OK
- Save the configuration
- Click CSIv2 outbound communications
- Select SSL-Required on CSIv2 Transport Layer - Transport
- Click OK
- Save the configuration
- Restart WebSphere Application Server
Connect Environment Setup Steps:
- Copy the following files from the WAS install folder:
  - ssl.client.props (from WebSphere\AppServer\profiles\AppSrv01\properties\)
  - sas.client.props (from WebSphere\AppServer\profiles\AppSrv01\properties\)
- Create the JKS keystores (3 tools available):
  - Java keytool: https://support.globalsign.com/customer/en/portal/articles/2121490-java-keytool---create-keystore
  - Portecle: http://portecle.sourceforge.net/create-keystore.html
  - IBM Key Management from IBM MQ: https://www.ibm.com/support/knowledgecenter/en/SSMKFH/com.ibm.apmaas.doc/install/wrt_config_https_keystore.htm
- Create a JKS keystore mykeystore.jks with a password (example: mypassword)
- Create a JKS truststore mytruststore.jks with a password (example: mypassword)
- Export the WebSphere trusted certificate to trust.cer
- Import the WebSphere trusted certificate (trust.cer) into mytruststore.jks
SSL Configuration:
- Edit ssl.client.props and be sure that the following properties match:
com.ibm.ssl.defaultAlias=DefaultSSLSettings
com.ibm.ssl.alias=DefaultSSLSettings
com.ibm.ssl.protocol=SSL
com.ibm.ssl.securityLevel=HIGH
com.ibm.ssl.trustManager=SunX509
com.ibm.ssl.keyManager=SunX509
com.ibm.ssl.contextProvider=SunJSSE
com.ibm.ssl.enableSignerExchangePrompt=false
com.ibm.ssl.keyStoreName=ClientDefaultKeyStore
com.ibm.ssl.keyStore=c:/ssl/mykeystore.jks
(change this to the path of the mykeystore.jks file copied to the node)
com.ibm.ssl.keyStorePassword=mypassword
(change this to the password of mykeystore.jks)
com.ibm.ssl.keyStoreType=JKS
com.ibm.ssl.keyStoreProvider=SUN
com.ibm.ssl.keyStoreFileBased=true
com.ibm.ssl.trustStoreName=ClientDefaultTrustStore
com.ibm.ssl.trustStore=c:/ssl/mytruststore.jks
(change this to the path of the mytruststore.jks file copied to the node)
com.ibm.ssl.trustStorePassword=mypassword
(change this to the password of mytruststore.jks)
com.ibm.ssl.trustStoreType=JKS
com.ibm.ssl.trustStoreProvider=SUN
com.ibm.ssl.trustStoreFileBased=true
com.ibm.ssl.trustStoreReadOnly=false
- Edit sas.client.props and set:
com.ibm.CORBA.securityEnabled=true
com.ibm.CORBA.loginSource=none
com.ibm.CSI.performTransportAssocSSLTLSRequired=true
com.ibm.ssl.alias=DefaultSSLSettings
- Copy orb.properties from the IBM JRE to kc/java/lib/ on the Connect node (if Connect uses a JRE in another location, copy orb.properties into that JRE's ../jre/lib instead)
  - or add the following line in the jndi.properties textarea in Connect:
org.omg.CORBA.ORBClass=com.ibm.CORBA.iiop.ORB
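A pre-flight check for the two property files edited above, added here as an example (it is not part of the original article or of the Connect/WebSphere products): it reads ssl.client.props and sas.client.props the way java.util.Properties does (leading whitespace in a value is dropped, whitespace inside a value is kept), then verifies the values this procedure requires, that com.ibm.ssl.alias matches across both files, that the keystore/truststore paths contain no stray whitespace and exist, and that both passwords are set. The file_exists hook is an assumption added so the check can also run on a machine that does not hold the keystores.

```python
import re
from pathlib import Path

# Values the procedure above requires (ssl.client.props / sas.client.props).
REQUIRED_SSL = {
    "com.ibm.ssl.defaultAlias": "DefaultSSLSettings",
    "com.ibm.ssl.alias": "DefaultSSLSettings",
    "com.ibm.ssl.enableSignerExchangePrompt": "false",
    "com.ibm.ssl.keyStoreType": "JKS",
    "com.ibm.ssl.trustStoreType": "JKS",
}
REQUIRED_SAS = {
    "com.ibm.CORBA.securityEnabled": "true",
    "com.ibm.CSI.performTransportAssocSSLTLSRequired": "true",
}

def parse_properties(text):
    """Minimal java.util.Properties reader: '#'/'!' comment lines, key=value,
    leading whitespace of the value dropped (so 'keyStoreType= JKS' parses as
    'JKS') but whitespace inside a value kept, exactly as Java would."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        m = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)$", line)
        if m:
            props[m.group(1)] = m.group(2)
    return props

def check_client_props(ssl_text, sas_text, file_exists=Path.is_file):
    """Return the list of problems found (an empty list means the files pass)."""
    ssl, sas = parse_properties(ssl_text), parse_properties(sas_text)
    problems = [f"ssl.client.props: {k} should be {v!r}, found {ssl.get(k)!r}"
                for k, v in REQUIRED_SSL.items() if ssl.get(k) != v]
    problems += [f"sas.client.props: {k} should be {v!r}, found {sas.get(k)!r}"
                 for k, v in REQUIRED_SAS.items() if sas.get(k) != v]
    if sas.get("com.ibm.ssl.alias") != ssl.get("com.ibm.ssl.alias"):
        problems.append("com.ibm.ssl.alias differs between the two files")
    for store in ("keyStore", "trustStore"):
        path = ssl.get(f"com.ibm.ssl.{store}", "")
        if re.search(r"\s", path):  # catches typos such as 'mytruststore. jks'
            problems.append(f"{store} path contains whitespace: {path!r}")
        elif not file_exists(Path(path)):
            problems.append(f"{store} file not found: {path}")
        if not ssl.get(f"com.ibm.ssl.{store}Password"):
            problems.append(f"{store}Password is empty")
    return problems
```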
Windows Configuration:
- Edit crm.env and add the following to JAVAOPTIONS:
-Dcom.ibm.SSL.ConfigURL="file:c:/ssl.client.props" -Dcom.ibm.CORBA.ConfigURL="file:c:/sas.client.props"
Example:
JAVAOPTIONS=-Xmx384m -Dcom.ibm.SSL.ConfigURL="file:c:/ssl.client.props" -Dcom.ibm.CORBA.ConfigURL="file:c:/sas.client.props"
Linux Configuration:
- Edit runvm.sh and runmonitor.sh:
- Add on the same line, after -Dcom.kana.connect.NodeName=$CONNECT_NODENAME:
-Dcom.ibm.SSL.ConfigURL="file:/home/connectuser/brickstSD/kc/kc/import.ext/ssl/ssl.client.props" -Dcom.ibm.CORBA.ConfigURL="file:/home/connectuser/brickstSD/kc/kc/import.ext/ssl/sas.client.props"
- Restart CRMMonitor/Connect service
- Start Connection Factory in Connect Admin console
Troubleshooting:
Add trace options to the Java processes.
Windows:
- Edit crm.env and add to JAVAOPTIONS:
-Dcom.ibm.CORBA.Debug=true -Dcom.ibm.CORBA.CommTrace=true -Dcom.ibm.CORBA.Debug.Output=client.log
Example:
JAVAOPTIONS=-Xmx384m -Dcom.ibm.SSL.ConfigURL="file:c:/ssl.client.props" -Dcom.ibm.CORBA.ConfigURL="file:c:/sas.client.props" -Dcom.ibm.CORBA.Debug=true -Dcom.ibm.CORBA.CommTrace=true -Dcom.ibm.CORBA.Debug.Output=client.log
- Restart the CRMMonitor/Connect service
- Check the logs for errors or info
Linux:
- Edit runvm.sh and runmonitor.sh and add on the same line, after -Dcom.kana.connect.NodeName=$CONNECT_NODENAME:
-Dcom.ibm.CORBA.Debug=true -Dcom.ibm.CORBA.CommTrace=true -Dcom.ibm.CORBA.Debug.Output=client.log
- Restart the CRMMonitor/Connect service
- Check the logs for errors or info
Logs:
- client.log
- EventLoader log
- orbtrace files
- FFDC folder and files
- mqlog files
Errors:
- Hostname issues:
org.omg.CORBA.TRANSIENT: initial and forwarded IOR inaccessible vmcid: IBM minor code: E07 completed: No
- RMI/IIOP SSL enabled on WAS but no certificate in Connect:
org.omg.CORBA.TRANSIENT: initial and forwarded IOR inaccessible vmcid: 0x4942f000 minor code: 3591 completed: No
- Incorrect username/password:
com.ibm.msg.client.jms.DetailedJMSSecurityException: JMSWMQ2013: The security authentication was not valid that was supplied for QueueManager … with connection mode 'Client' and host name .... Please check if the supplied username and password are correct on the QueueManager you are connecting to ("JMSWMQ2013: The security authentication was not valid that was supplied for QueueManager
- orb.properties not present in jre/lib:
StackOverflow error
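A small triage script for client.log, added as an example (it is not from the original article): it matches the error signatures listed above and, for the CORBA ones, normalises the minor code, because E07 (hex) and 3591 (decimal) are the same value 0xE07 printed in two forms, so both causes the list gives for it (hostname, missing certificate) are reported together. The lines in SAMPLE_LOG are constructed, and the hex-versus-decimal rule in corba_minor is an assumption drawn from the two messages on this page.

```python
import re

# Signature of the CORBA errors quoted in the Errors list above.
CORBA_RE = re.compile(r"org\.omg\.CORBA\.(?P<exc>\w+):.*?vmcid:\s*(?P<vmcid>\S+)"
                      r"\s+minor code:\s*(?P<minor>[0-9A-Fa-f]+)")

def corba_minor(vmcid, minor):
    """Minor code as an int. Assumption taken from the two messages on this
    page: a named vmcid ('IBM') prints the minor in hex (E07), a numeric vmcid
    (0x4942f000) prints it in decimal (3591); both equal 0xE07."""
    return int(minor, 10) if vmcid.startswith("0x") else int(minor, 16)

def triage_line(line):
    """Map one client.log line to the likely cause from the article, or None."""
    m = CORBA_RE.search(line)
    if m and m.group("exc") == "TRANSIENT" and \
            corba_minor(m.group("vmcid"), m.group("minor")) == 0xE07:
        return ("IOR inaccessible (minor 0xE07 = 3591): WAS hostname not reachable "
                "from the Connect node, or RMI/IIOP SSL required on WAS but no "
                "certificate/truststore configured in Connect")
    if "JMSWMQ2013" in line:
        return "MQ rejected the credentials: check username/password on the QueueManager"
    if "StackOverflowError" in line:
        return ("StackOverflowError: orb.properties missing from jre/lib (or no "
                "org.omg.CORBA.ORBClass line in jndi.properties)")
    return None

def triage_log(text):
    """Return [(line_number, diagnosis), ...] for every recognised line."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        diagnosis = triage_line(line)
        if diagnosis:
            hits.append((n, diagnosis))
    return hits

# Constructed sample of client.log lines (not a real capture).
SAMPLE_LOG = """\
[10:00:01] INFO  ORB initialised
[10:00:02] ERROR org.omg.CORBA.TRANSIENT: initial and forwarded IOR inaccessible vmcid: IBM minor code: E07 completed: No
[10:00:03] ERROR org.omg.CORBA.TRANSIENT: initial and forwarded IOR inaccessible vmcid: 0x4942f000 minor code: 3591 completed: No
[10:00:04] ERROR com.ibm.msg.client.jms.DetailedJMSSecurityException: JMSWMQ2013: The security authentication was not valid that was supplied for QueueManager 'ConnectQueueManager'
[10:00:05] ERROR java.lang.StackOverflowError
"""

if __name__ == "__main__":
    for n, d in triage_log(SAMPLE_LOG):
        print(f"line {n}: {d}")
```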
REQUIRED JARS FROM MQ & WAS:
From MQ 9.1.1.0 (UPDATED 14/01/2019)
c:\IBM\MQ\java\lib\com.ibm.mq.allclient.jar
c:\IBM\MQ\java\lib\com.ibm.mq.connector.jar
c:\IBM\MQ\java\lib\com.ibm.mq.headers.jar
c:\IBM\MQ\java\lib\com.ibm.mq.jar
c:\IBM\MQ\java\lib\com.ibm.mq.jmqi.jar
c:\IBM\MQ\java\lib\com.ibm.mq.pcf.jar
c:\IBM\MQ\java\lib\com.ibm.mq.traceControl.jar
c:\IBM\MQ\java\lib\com.ibm.mqjms.jar
c:\IBM\MQ\java\lib\fscontext.jar
c:\IBM\MQ\java\lib\jms.jar
c:\IBM\MQ\java\lib\providerutil.jar
From WAS 9.0.0.10
c:\IBM\WebSphere\AppServer\runtimes\com.ibm.jaxrs1.1.thinclient_9.0.jar
c:\IBM\WebSphere\AppServer\runtimes\com.ibm.jaxrs2.0.thinclient_9.0.jar
c:\IBM\WebSphere\AppServer\runtimes\com.ibm.jaxws.thinclient_9.0.jar
c:\IBM\WebSphere\AppServer\runtimes\com.ibm.ws.admin.client_9.0.jar
c:\IBM\WebSphere\AppServer\runtimes\com.ibm.ws.ejb.portable_9.0.jar
c:\IBM\WebSphere\AppServer\runtimes\com.ibm.ws.ejb.thinclient_9.0.jar
c:\IBM\WebSphere\AppServer\runtimes\com.ibm.ws.jpa-2.0.thinclient_9.0.jar
c:\IBM\WebSphere\AppServer\runtimes\com.ibm.ws.jpa-2.1.thinclient_9.0.jar
c:\IBM\WebSphere\AppServer\runtimes\com.ibm.ws.messagingClient.jar
c:\IBM\WebSphere\AppServer\runtimes\com.ibm.ws.orb_9.0.jar
c:\IBM\WebSphere\AppServer\plugins\com.ibm.ws.runtime.jar
c:\IBM\WebSphere\AppServer\runtimes\com.ibm.ws.sib.client.thin.jms_9.0.jar
c:\IBM\WebSphere\AppServer\runtimes\com.ibm.ws.sib.client_ExpeditorDRE_9.0.jar
c:\IBM\WebSphere\AppServer\runtimes\com.ibm.ws.webservices.thinclient_9.0.jar
c:\IBM\WebSphere\AppServer\runtimes\com.ibm.xml.thinclient_9.0.jar
c:\IBM\WebSphere\AppServer\plugins\com.ibm.tx.ltc.jar
c:\IBM\WebSphere\AppServer\plugins\com.ibm.ws.security.crypto.jar
c:\IBM\WebSphere\AppServer\plugins\com.ibm.ws.sib.server.jar
c:\IBM\WebSphere\AppServer\java\8.0\jre\lib\ext\ibmkeycert.jar
c:\IBM\WebSphere\AppServer\java\8.0\jre\lib\ibmpkcs.jar
IBM MQ SSL SERVER CONFIG
- Create keystore with stashed password for IBM MQ Server using IBM Key Management
- MQ Explorer - right click IBM WebSphere MQ - Manage SSL Certificates - New - type CMS, name key.kdb, stash password checked, location c:/Program Data/IBM/MQ/Qmgrs/ConnectQueueManager/ssl, password mypassword
- Create new self-signed certificate with name ibmwebspheremqconnectqueuemanager with signature algorithm SHA256WithRSA
- Extract certificate
- Using IBM Key Management create keystores of type JKS, password mypassword
- Create keyStoreMQ.jks - or use the one created above
- Create trustStoreMQ.jks; import certificate from key.kdb
- MQ Explorer - right click IBM WebSphere MQ - Preferences - Client Connections - SSL Key Repositories
- "Enable default SSL options"
- Set path and password for trust store C:\IBM\MQ\qmgrs\ConnectQueueManager\ssl\trustStoreMQ.jks, mypassword or C:\ProgramData\IBM\MQ\qmgrs\ConnectQueueManager\ssl\trustStoreMQ.jks
- Set path and password for personal store: C:\IBM\MQ\qmgrs\ConnectQueueManager\ssl\keyStoreMQ.jks, mypassword or C:\ProgramData\IBM\MQ\qmgrs\ConnectQueueManager\ssl\keyStoreMQ.jks
SETUP MQ SERVER TO USE SSL
- Set the CipherSpec for MQ to TLS_RSA_WITH_AES_128_CBC_SHA256 (or TLS_RSA_WITH_3DES_EDE_CBC_SHA or another supported CipherSpec)
- MQ Explorer - right click IBM WebSphere MQ - Preferences - Client Connections - SSL Options - SSL CipherSpec
- Set the ConnectQueueManager - SSL - SSL Key Repository path to "c:/Program Data/IBM/MQ/Qmgrs/ConnectQueueManager\ssl\key"
- Set the CipherSpec for channel ConnectionChannel to TLS_RSA_WITH_AES_128_CBC_SHA256 (or TLS_RSA_WITH_3DES_EDE_CBC_SHA or another supported CipherSpec)
- Set SSL Authentication from Optional to Required
- Set the CipherSpec for channel SYSTEM.DEF.SRVCONN (click Show System Objects near the right Refresh button) to TLS_RSA_WITH_AES_128_CBC_SHA256 (or TLS_RSA_WITH_3DES_EDE_CBC_SHA or another supported CipherSpec)
- Refresh SSL:
  - ConnectQueueManager - Security - Refresh SSL...
- Create user connectuser for ConnectQueueManager in MQ Explorer and give connectuser access to the queues:
  - ConnectQueueManager - Queues - RequestQueue - right click - Object Authorities - Manage Authority Records... - Specific Profiles - RequestQueue - new user - connectuser - select all
  - ConnectQueueManager - Queues - ResponseQueue - right click - Object Authorities - Manage Authority Records... - Specific Profiles - ResponseQueue - new user - connectuser - select all
SETUP WAS TO USE SSL FOR MQ
- WAS - Resources - JMS - Queue connection factories - jms.cellQueueConnectionFactory - check "Use SSL to secure communication with WebSphere MQ"
- Restart WAS
SETUP CONNECT
Windows:
- Add the truststore and keystore files to the deployer
- Add the paths to the files and the CipherSuite to JAVAOPTIONS in crm.env
- When using Java 8 the following system property must be added for some CipherSpecs:
-Dcom.ibm.mq.cfg.useIBMCipherMappings=false
JAVAOPTIONS=-Xmx384m -Djavax.net.ssl.trustStore="c:/trustStoreMQ.jks" -Djavax.net.ssl.keyStore="c:/keyStoreMQ.jks" -Djavax.net.ssl.keyStorePassword=mypassword -Djavax.net.ssl.trustStorePassword=mypassword -Dconnect.jms.cipherSuite=TLS_RSA_WITH_AES_128_CBC_SHA256
- Restart the VMs
Finally, with both SSL for JNDI/RMI-IIOP and SSL for the IBM MQ server enabled, the JAVAOPTIONS line should look like this:
For Windows (crm.env):
JAVAOPTIONS=-Xmx384m -Dcom.ibm.SSL.ConfigURL=file:c:/ssl.client.props -Dcom.ibm.CORBA.ConfigURL=file:c:/sas.client.props -Dconnect.jms.cipherSuite=TLS_RSA_WITH_AES_128_CBC_SHA256 -Dcom.ibm.mq.cfg.useIBMCipherMappings=false -Djavax.net.ssl.trustStore=c:/trustStoreMQ.jks -Djavax.net.ssl.trustStorePassword=mypassword -Djavax.net.ssl.keyStore=c:/keyStoreMQ.jks -Djavax.net.ssl.keyStorePassword=mypassword
Linux:
- Add the truststore and keystore files to the deployer
- Add the paths to the files and the CipherSuite to runvm.sh/runmonitor.sh
- When using Java 8 the following system property must be added for some CipherSpecs:
-Dcom.ibm.mq.cfg.useIBMCipherMappings=false
-Djavax.net.ssl.trustStore="/trustStoreMQ.jks" -Djavax.net.ssl.keyStore="/keyStoreMQ.jks" -Djavax.net.ssl.keyStorePassword=mypassword -Djavax.net.ssl.trustStorePassword=mypassword -Dconnect.jms.cipherSuite=TLS_RSA_WITH_AES_128_CBC_SHA256
- Restart the VMs
Finally, with both SSL for JNDI/RMI-IIOP and SSL for the IBM MQ server enabled, the line with exec $JAVAEXE in runvm.sh should look like this:
exec $JAVAEXE ${BITTYPE} $JAVAOPTIONS $JAVAOPTIONS2 $JAVA_DEBUG -Dcom.kana.connect.NodeName=$CONNECT_NODENAME -Dcom.ibm.SSL.ConfigURL=file:/ssl.client.props -Dcom.ibm.CORBA.ConfigURL=file:/sas.client.props -Dconnect.jms.cipherSuite=TLS_RSA_WITH_AES_128_CBC_SHA256 -Dcom.ibm.mq.cfg.useIBMCipherMappings=false -Djavax.net.ssl.trustStore=/trustStoreMQ.jks -Djavax.net.ssl.trustStorePassword=mypassword -Djavax.net.ssl.keyStore=/keyStoreMQ.jks -Djavax.net.ssl.keyStorePassword=mypassword -Djava.vm=kc$1 -Dkc.depl=$CONNECT_DEPLOYMENTID -classpath $CLASSPATH com.kana.connect.server.CRM -vmid $1 -disableConsoleOutput