Tuesday 5 November 2013

SSL configurations in Message Broker

I created a document about my POCs on SSL one-way and two-way authentication. I am presenting the document here. Hope this helps those who are working with SSL in WMB.

1.    Objective

To set up and exercise SSL one-way and two-way authentication in Message Broker.
This document covers only the SSL configuration and its execution; it does not cover the web service and WSDL configuration.

2.    Assumptions

We simulate SSL one-way and two-way authentication between a client and a server with two flows deployed in two execution groups.
All properties for the client and server flows are set as execution-group-wide properties, not broker-wide properties. This keeps the SSL client and SSL server configurations clearly separated.
We use self-signed certificates for testing purposes.
For production, use CA-signed certificates only.
default is the SSL server execution group.
TestSSL is the SSL client execution group.

3.    Prerequisite Requirements

We need to develop two message flows: one acting as the SSL server and the other acting as the SSL client.

3.1.        SSL Server

SOAPInput node -> Compute node -> SOAPReply node
SOAPInput node - Properties
Use HTTPS - Checked

3.2.        SSL Client

MQInput node -> SOAPRequest node -> MQOutput node
SOAPRequest node - Properties
Web service URL - e.g. https://localhost:7800/Calculator
(The port must be the one the server execution group's HTTPS listener is actually using. An execution-group listener defaults to 7843 for HTTPS, 7800 being its HTTP default, so confirm it with mqsireportproperties Broker1 -e default -o HTTPSConnector -r before testing.)
Protocol - SSL

4.    SSL One-way Configurations

The client authenticates the server.

The server has a keystore holding its private key and certificate. The client has a truststore holding the server's certificate; during the SSL handshake the certificate the server presents is checked against that truststore.

4.1.        Service side configurations


Create keystore for Server (keytool prompts for the distinguished name; use the host name from the client's URL, here localhost, as the CN)
keytool -genkey -alias selfsigned2 -keyalg RSA -keypass passoneway4 -keystore keystore2.jks -storepass passoneway4
Export certificate from keystore
keytool -export -file myselfsigned2.cert -keypass passoneway4 -keystore keystore2.jks -storepass passoneway4 -alias selfsigned2
Certificate and keystore verifications
keytool -list -v -keystore keystore2.jks -storepass passoneway4
keytool -printcert -file myselfsigned2.cert
keytool -list -v -keystore Truststore2.jks -storepass passoneway4   (once the client-side import in 4.2 has created it)
Execution group configurations
mqsichangeproperties Broker1 -e default -o ComIbmJVMManager -n keystoreFile -v D:\SSL\keystore2.jks
mqsisetdbparms Broker1 -n Keystore2::passoneway4 -u ignore -p passoneway4
(the -n value is only a lookup key that keystorePass refers to; the -p value must equal the -storepass given to keytool)
mqsichangeproperties Broker1 -e default -o ComIbmJVMManager -n keystorePass -v Keystore2::passoneway4
The next three commands clear any truststore left on the server by an earlier test; the server needs none for one-way authentication:
mqsichangeproperties Broker1 -e default -o ComIbmJVMManager -n truststoreFile -v ""
mqsichangeproperties Broker1 -e default -o ComIbmJVMManager -n truststoreType -v ""
mqsichangeproperties Broker1 -e default -o ComIbmJVMManager -n truststorePass -v ""

mqsichangeproperties Broker1 -e default -o HTTPSConnector -n sslProtocol -v SSL
(SSL is the value used in this POC; the property also accepts TLS, which is the value to use anywhere SSLv3 must not be negotiated.)
Restart the execution group so that its JVM picks up the new keystore settings.
Verifications
mqsireportproperties Broker1 -e default -o ComIbmJVMManager -r
mqsireportproperties Broker1 -e default -o HTTPSConnector -r

4.2.        Client side configurations


Import the server's certificate into the client's truststore
keytool -importcert -alias selfsigned2 -file myselfsigned2.cert -keystore Truststore2.jks -storepass passoneway4
(answer yes at the "Trust this certificate?" prompt; the store password must be the one registered with mqsisetdbparms below)

Execution group configurations

mqsichangeproperties Broker1 -e TestSSL -o ComIbmJVMManager -n truststoreFile -v D:\SSL\Truststore2.jks
mqsichangeproperties Broker1 -e TestSSL -o HTTPSConnector -n sslProtocol -v SSL
mqsisetdbparms Broker1 -n Truststore2::passoneway4 -u ignore -p passoneway4
mqsichangeproperties Broker1 -e TestSSL -o ComIbmJVMManager -n truststorePass -v Truststore2::passoneway4
Restart the execution group so that its JVM picks up the new truststore settings.
Verifications
mqsireportproperties Broker1 -e TestSSL -o ComIbmJVMManager -r
mqsireportproperties Broker1 -e TestSSL -o HTTPSConnector -r

4.3.        Testing

When you test the SSL client and SSL server flows, the client should receive the response without errors.
4.4.        Debugging
If you get no response, check for specific errors in debug mode and in the <Broker work path>/components/<Broker name>/<EG uuid>/console file.

5.    SSL Two-way configurations


The client authenticates the server, and the server also authenticates the client.

The server has a keystore holding its private key and certificate; the client has a truststore holding the server's certificate, which is checked during the SSL handshake.
Likewise the client has a keystore holding its own private key and certificate; the server has a truststore holding the client's certificate, which is checked during the same handshake.
Hence this is called mutual authentication.

5.1.        Service side configurations


Create keystore for Server (unchanged from 4.1; skip if keystore2.jks already exists)
keytool -genkey -alias selfsigned2 -keyalg RSA -keypass passoneway4 -keystore keystore2.jks -storepass passoneway4
Export certificate from keystore
keytool -export -file myselfsigned2.cert -keypass passoneway4 -keystore keystore2.jks -storepass passoneway4 -alias selfsigned2
Import the client's certificate into the server's truststore (myselfsigned3.cert is exported on the client side in 5.2)
keytool -importcert -alias selfsigned3 -file myselfsigned3.cert -keystore Truststore3.jks -storepass passtwoway4
Certificate and keystore verifications
keytool -list -v -keystore keystore2.jks -storepass passoneway4
keytool -printcert -file myselfsigned2.cert
keytool -list -v -keystore Truststore3.jks -storepass passtwoway4
Execution group configurations
mqsichangeproperties Broker1 -e default -o ComIbmJVMManager -n keystoreFile -v D:\SSL\keystore2.jks
mqsisetdbparms Broker1 -n Keystore2::passoneway4 -u ignore -p passoneway4
mqsichangeproperties Broker1 -e default -o ComIbmJVMManager -n keystorePass -v Keystore2::passoneway4
mqsisetdbparms Broker1 -n Truststore3::passtwoway4 -u ignore -p passtwoway4
mqsichangeproperties Broker1 -e default -o ComIbmJVMManager -n truststoreFile -v D:\SSL\Truststore3.jks
mqsichangeproperties Broker1 -e default -o ComIbmJVMManager -n truststoreType -v JKS
mqsichangeproperties Broker1 -e default -o ComIbmJVMManager -n truststorePass -v Truststore3::passtwoway4
mqsichangeproperties Broker1 -e default -o HTTPSConnector -n sslProtocol -v SSL
mqsichangeproperties Broker1 -e default -o HTTPSConnector -n clientAuth -v true
(clientAuth true is what turns one-way into two-way: the listener now requests a client certificate and rejects the handshake if it is missing or not in Truststore3.jks. Restart the execution group afterwards.)
Verifications
mqsireportproperties Broker1 -e default -o ComIbmJVMManager -r
mqsireportproperties Broker1 -e default -o HTTPSConnector -r

5.2.        Client side configurations


Create keystore for Client
keytool -genkey -alias selfsigned3 -keyalg RSA -keypass passtwoway4 -keystore keystore3.jks -storepass passtwoway4

Export certificate from keystore (copy myselfsigned3.cert to the server side for the import in 5.1)
keytool -export -file myselfsigned3.cert -keypass passtwoway4 -keystore keystore3.jks -storepass passtwoway4 -alias selfsigned3

Import the server's certificate into the client's truststore (unchanged from 4.2; skip if Truststore2.jks already exists)
keytool -importcert -alias selfsigned2 -file myselfsigned2.cert -keystore Truststore2.jks -storepass passoneway4

Execution group configurations

mqsichangeproperties Broker1 -e TestSSL -o ComIbmJVMManager -n truststoreFile -v D:\SSL\Truststore2.jks
mqsisetdbparms Broker1 -n Truststore2::passoneway4 -u ignore -p passoneway4
mqsichangeproperties Broker1 -e TestSSL -o ComIbmJVMManager -n truststorePass -v Truststore2::passoneway4
mqsichangeproperties Broker1 -e TestSSL -o ComIbmJVMManager -n keystoreFile -v D:\SSL\keystore3.jks
mqsisetdbparms Broker1 -n Keystore3::passtwoway4 -u ignore -p passtwoway4
mqsichangeproperties Broker1 -e TestSSL -o ComIbmJVMManager -n keystorePass -v Keystore3::passtwoway4
mqsichangeproperties Broker1 -e TestSSL -o HTTPSConnector -n sslProtocol -v SSL
Restart the execution group so that its JVM picks up the new keystore and truststore settings.
Verifications
mqsireportproperties Broker1 -e TestSSL -o ComIbmJVMManager -r
mqsireportproperties Broker1 -e TestSSL -o HTTPSConnector -r

5.3.        Testing

When you test the SSL client and SSL server flows, the client should receive the response without errors.
5.4.        Debugging
If you get no response, check for specific errors in debug mode and in the <Broker work path>/components/<Broker name>/<EG uuid>/console file. A handshake that works one-way but fails two-way almost always means the server's truststore does not hold the client's certificate, or a password registered with mqsisetdbparms does not match the -storepass of the file it refers to.
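The keystore checks in 4.1 and 5.1 rely on keytool -list. The script below does the same inspection offline and adds the two cross-checks that decide whether the handshake in 4 or 5 can succeed: the password you register with mqsisetdbparms must match the -storepass of the JKS file (a mismatch shows up as an integrity failure), and each side's truststore must actually hold the certificate the other side presents. This is an added example, not code from this post or from WebSphere Message Broker. The reader and writer follow the JKS layout of OpenJDK's sun.security.provider.JavaKeyStore (magic 0xFEEDFEED, SHA-1 trailer keyed on the password and the string "Mighty Aphrodite"); the function names (write_jks, read_jks, peer_is_trusted, build_poc_stores, audit_two_way) are my own, and the certificate and key bytes are constructed placeholders rather than real X.509 DER, which is why nothing here decodes them.

```python
import hashlib
import struct
import time

JKS_MAGIC = 0xFEEDFEED
TAG_PRIVATE_KEY = 1   # keystore entry: encrypted key followed by its certificate chain
TAG_TRUSTED_CERT = 2  # truststore entry: a certificate only

def _utf(text):
    raw = text.encode("utf-8")                 # DataOutputStream.writeUTF layout
    return struct.pack(">H", len(raw)) + raw

def _integrity_digest(store_password, body):
    # keytool's trailer: SHA-1 over password (UTF-16BE) + "Mighty Aphrodite" + store bytes,
    # so a wrong -storepass shows up as an integrity failure, not as a decryption error
    h = hashlib.sha1()
    h.update(store_password.encode("utf-16-be"))
    h.update(b"Mighty Aphrodite")
    h.update(body)
    return h.digest()

def write_jks(entries, store_password):
    """entries: (alias, tag, cert_der, encrypted_key_or_None); writes a version-2 JKS."""
    out = bytearray(struct.pack(">III", JKS_MAGIC, 2, len(entries)))
    created_ms = int(time.time() * 1000)
    for alias, tag, cert_der, encrypted_key in entries:
        out += struct.pack(">I", tag) + _utf(alias) + struct.pack(">Q", created_ms)
        if tag == TAG_PRIVATE_KEY:
            out += struct.pack(">I", len(encrypted_key)) + encrypted_key
            out += struct.pack(">I", 1)        # chain length: self-signed, so just the leaf
        out += _utf("X.509") + struct.pack(">I", len(cert_der)) + cert_der
    body = bytes(out)
    return body + _integrity_digest(store_password, body)

def read_jks(data, store_password=None):
    """Return {alias: (tag, leaf_cert_der)}; with a password, also verify the digest."""
    magic, version, count = struct.unpack_from(">III", data, 0) if len(data) >= 32 else (0, 0, 0)
    if magic != JKS_MAGIC or version not in (1, 2):
        raise ValueError("not a JKS file (a PKCS12 store needs a different reader)")
    pos = 12

    def take(n):                                # next n bytes, or fail on a truncated file
        nonlocal pos
        pos += n
        if pos > len(data):
            raise ValueError("truncated store")
        return data[pos - n:pos]

    def utf():                                  # writeUTF(): 2-byte length + UTF-8
        return take(struct.unpack(">H", take(2))[0]).decode("utf-8")

    def cert():                                 # version 2 prefixes the type ("X.509")
        if version == 2:
            utf()
        return take(struct.unpack(">I", take(4))[0])

    entries = {}
    for _ in range(count):
        tag, alias, _created = struct.unpack(">I", take(4))[0], utf(), take(8)
        if tag == TAG_PRIVATE_KEY:
            take(struct.unpack(">I", take(4))[0])          # encrypted PKCS#8 key, not needed
            chain = [cert() for _ in range(struct.unpack(">I", take(4))[0])]
            entries[alias] = (tag, chain[0] if chain else b"")
        elif tag == TAG_TRUSTED_CERT:
            entries[alias] = (tag, cert())
        else:
            raise ValueError("unknown entry tag %d" % tag)
    body, stored = data[:pos], data[pos:]
    if len(stored) != 20 or (store_password is not None
                             and stored != _integrity_digest(store_password, body)):
        raise ValueError("integrity check failed: wrong store password or damaged file")
    return entries

def peer_is_trusted(keystore, truststore):
    """True when every certificate the keystore side presents is a trusted entry on the other side."""
    presented = {hashlib.sha256(c).digest() for t, c in keystore.values() if t == TAG_PRIVATE_KEY}
    trusted = {hashlib.sha256(c).digest() for t, c in truststore.values() if t == TAG_TRUSTED_CERT}
    return bool(presented) and presented <= trusted

# Constructed stand-ins for the DER that keytool would write; they are never decoded here.
SERVER_CERT = b"\x30\x03\x02\x01\x02" + b"selfsigned2 placeholder"
CLIENT_CERT = b"\x30\x03\x02\x01\x03" + b"selfsigned3 placeholder"
DUMMY_KEY = b"\x30\x02\x05\x00"

def build_poc_stores():
    """The four files of this post, with its aliases and store passwords."""
    return {
        "keystore2.jks": write_jks([("selfsigned2", TAG_PRIVATE_KEY, SERVER_CERT, DUMMY_KEY)], "passoneway4"),
        "Truststore2.jks": write_jks([("selfsigned2", TAG_TRUSTED_CERT, SERVER_CERT, None)], "passoneway4"),
        "keystore3.jks": write_jks([("selfsigned3", TAG_PRIVATE_KEY, CLIENT_CERT, DUMMY_KEY)], "passtwoway4"),
        "Truststore3.jks": write_jks([("selfsigned3", TAG_TRUSTED_CERT, CLIENT_CERT, None)], "passtwoway4"),
    }

def audit_two_way(stores, oneway_pw="passoneway4", twoway_pw="passtwoway4"):
    """(client trusts server, server trusts client), each store checked against its password."""
    ks2 = read_jks(stores["keystore2.jks"], oneway_pw)
    ts2 = read_jks(stores["Truststore2.jks"], oneway_pw)
    ks3 = read_jks(stores["keystore3.jks"], twoway_pw)
    ts3 = read_jks(stores["Truststore3.jks"], twoway_pw)
    return peer_is_trusted(ks2, ts2), peer_is_trusted(ks3, ts3)
```

On the real files from sections 4 and 5, read_jks(open(r"D:\SSL\Truststore3.jks", "rb").read(), "passtwoway4") raises if the password you put into mqsisetdbparms is not the file's -storepass, and peer_is_trusted over keystore3.jks and Truststore3.jks is False when the client's certificate was imported into the wrong truststore, the mistake that the two-way steps above are easiest to make. Note that keytool from Java 9 onwards writes PKCS12 by default, so add -storetype JKS to the -genkey commands if you want a JKS file at all.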





2 comments:

  1. The explanation is really neat and clear, Keep up the good work Radha.

  2. Being in the web hosting industry, I can assure the importance of SSL on websites. Thank you for sharing useful information, keep updating it with us
    Website Security Certificate | SSL certificate Prices | SSL Certificate Integration Service
