Tuesday, January 3, 2017

1-way SSL Communication between WSO2 ESB4.9.0 and IBM Websphere MQ v8 - PART1

This article explains how to connect WSO2 ESB 4.9.0 to IBM Websphere MQ over SSL. It covers the sections below, which give a brief guide to setting up an environment for 1-way SSL
communication with WSO2 ESB 4.9.0 using specific ciphers.

Contents Included


1) Prerequisite
2) Configuring Key Repository in IBM Websphere MQ
3) Building the IBM Client bundle to use in WSO2 ESB 4.9.0
4) Information about the ciphers used in the communication.
5) Configuring QueueManager, Queue, Channel, ConnectionFactory and Destination in IBM Websphere MQ for SSL communication
6) Configuring WSO2 ESB4.9.0 to handle the SSL communication using specific ciphers.
7) Logging the SSL communication handshaking
8) Configuring TLS cipher suites.

1) Prerequisite


WSO2 ESB4.9.0

JDK 1.8.0_91 installed with the latest Unlimited Strength policy files. ( Can be downloaded from

IBM Websphere MQ8 - 8.0.0.4 ( Download it from the IBM website; you can follow the below blog to install it on Linux


2) Configuring Key Repository in IBM Websphere MQ


Since we are considering 1-way communication, we need to set up a key repository holding the private and public key of the IBM Websphere MQ server’s queue manager, and then import the queue manager’s public certificate into the WSO2 ESB 4.9.0 client-truststore.jks.


To start creating the key repository in IBM Websphere MQ, we first need to create a Queue Manager for which the key repository will be created.

Go to Queue Managers -> New -> Queue Manager... and follow the screens below to create a new Queue Manager.


After successfully creating the Queue Manager, go to IBM Websphere MQ Explorer and click on Manage SSL Certificates...






Go to Key Database File -> New and the screen below will appear. Select the key type as CMS, then provide a file name and a location to store it.



After clicking OK, in the next screen, provide a password and select the option to stash the password to a file.




Now we have the key repository and need to create a self-signed certificate to load into it. To do that, select Personal Certificates and click on New Self-signed...

The important thing when creating the personal certificate is the Key Label: it must be entirely in lowercase letters and must start with “ibmwebspheremq” followed by the queue manager name in lowercase.




Now that we have the self-signed certificate for the queue manager, we need to extract its public certificate to upload into the client’s truststore, which here is the client-truststore.jks of WSO2 ESB. To do that, select the self-signed certificate created above and click Extract Certificate.



Now the key_repo folder will contain the files below.


Now we need to configure the queue manager to use these certificates.

Right-click on the queue manager, select Properties, and you will get the screen below. In that, select SSL.



Here, SSL Key Repository needs to point to the key repository created in the step above. Copy ESB.QM1_REPO.kdb and ESB.QM1_REPO.sth to the /var/mqm/qmgrs/ESB!QM1/ssl/ directory and specify the repository as “/var/mqm/qmgrs/ESB!QM1/ssl/ESB.QM1_REPO” (the path without the file extension).




Now we have successfully configured the key repository for IBM Websphere MQ.


3) Building the IBM Client bundle to use in WSO2 ESB 4.9.0


To create the client bundle for use with WSO2 ESB, follow the steps below.

i) Create a folder named “wmq-client-8.0.0.4” and copy the pom.xml file below into it.


<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
 xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
 <modelVersion>4.0.0</modelVersion>
 <groupId>wmq-client</groupId>
 <artifactId>wmq-client</artifactId>
 <version>8.0.0.4</version>
 <packaging>bundle</packaging>

 <dependencies>
  <dependency>
   <groupId>com.ibm</groupId>
   <artifactId>fscontext</artifactId>
   <version>8.0.0.4</version>
   <scope>system</scope>
   <systemPath>${basedir}/lib/fscontext.jar</systemPath>
  </dependency>
  <dependency>
   <groupId>com.ibm</groupId>
   <artifactId>providerutil</artifactId>
   <version>8.0.0.4</version>
   <scope>system</scope>
   <systemPath>${basedir}/lib/providerutil.jar</systemPath>
  </dependency>
  <dependency>
   <groupId>com.ibm</groupId>
   <artifactId>allclient</artifactId>
   <version>8.0.0.4</version>
   <scope>system</scope>
   <systemPath>${basedir}/lib/com.ibm.mq.allclient.jar</systemPath>
  </dependency>
  <dependency>
   <groupId>javax.jms</groupId>
   <artifactId>jms</artifactId>
   <version>1.1</version>
   <scope>system</scope>
   <systemPath>${basedir}/lib/jms.jar</systemPath>
  </dependency>
 </dependencies>

 <build>
  <plugins>
   <plugin>
    <groupId>org.apache.felix</groupId>
    <artifactId>maven-bundle-plugin</artifactId>
    <version>2.3.4</version>
    <extensions>true</extensions>
    <configuration>
     <instructions>
      <Bundle-SymbolicName>${project.artifactId}</Bundle-SymbolicName>
      <Bundle-Name>${project.artifactId}</Bundle-Name>
      <Export-Package>*;-split-package:=merge-first</Export-Package>
      <Private-Package />
      <Import-Package/>
      <Embed-Dependency>*;scope=system;inline=true</Embed-Dependency>
      <DynamicImport-Package>*</DynamicImport-Package>
     </instructions>
    </configuration>
   </plugin>
  </plugins>
 </build>
</project>



Then create a folder named “lib”. Your folder structure will look like the one below.



Go to the installation directory of IBM Websphere MQ ( you can find it at /opt/mqm/java/lib if you followed the blog mentioned in the Prerequisite ) and copy the JARs below into the lib folder of “wmq-client-8.0.0.4”.

    com.ibm.mq.allclient.jar
    fscontext.jar
    jms.jar
    providerutil.jar


ii) Run mvn clean install. This produces wmq-client-8.0.0.4.jar.


4) Information about the ciphers used in the communication.


When considering SSL communication with IBM Websphere MQ, we need to consider both the cipher suites supported by Oracle JDK 1.8 and the cipher suites supported by IBM Websphere MQ.

To get the list of cipher suites supported by Oracle JDK, refer to

To get the list of cipher suites supported by IBM Websphere MQ, refer to

Further, an important consideration is the mapping between cipher suites and cipher specs. The CipherSpec is specified on the server side and the CipherSuite on the client side. When using the combination, the two must map to each other correctly. You can find the mappings at http://www.ibm.com/support/knowledgecenter/en/SSFKSJ_8.0.0/com.ibm.mq.dev.doc/q113210_.htm


Note: When using a non-IBM Java environment such as Oracle’s, although IBM publishes CipherSuite to CipherSpec mappings for both the SSL and TLS protocols, only the SSL protocol CipherSuites can be used by default.

The TLS CipherSuite to CipherSpec mappings are detailed in http://www-01.ibm.com/support/docview.wss?uid=swg1IV66840

To enable these non-default mappings ( TLS CipherSuite to CipherSpec mappings ) in non-IBM runtime environments, the following Java system property:

  com.ibm.mq.cfg.useIBMCipherMappings

must be set to the value:

  false

For example, this can be configured using the JVM argument:

  -Dcom.ibm.mq.cfg.useIBMCipherMappings=false



5) Configuring Queue, Channel, ConnectionFactory and Destination in IBM Websphere MQ for SSL communication


As we have already configured the Queue Manager ( ESB.QM1 ), its SSL setting will look like below.



Create a Queue.





Create a server connection channel





Create the .bindings file.


Create Destination.


Now we have done the configuration at IBM Websphere MQ side.

6) Configuring WSO2 ESB4.9.0 to handle the SSL communication using specific ciphers.


i) Copy the bundle created above ( wmq-client-8.0.0.4.jar ) into ESB_HOME/repository/components/dropins.

ii) Copy jta-1.1.jar from /opt/mqm/java/lib to ESB_HOME/repository/components/lib.

iii) Remove the following line from <ESB_4.9.0_Home>/repository/conf/etc/launch.ini:

javax.jms,\

iv) Add the below to axis2.xml and enable the JMSSender configuration.





<transportReceiver name="jms" class="org.apache.axis2.transport.jms.JMSListener">
  <parameter name="default" locked="false">
    <parameter name="java.naming.factory.initial" locked="false">com.sun.jndi.fscontext.RefFSContextFactory</parameter>
    <parameter name="java.naming.provider.url" locked="false">file:///home/mqm/wso2/IBM/bindesbqm1/</parameter>
    <parameter name="transport.jms.ConnectionFactoryJNDIName" locked="false">ConnectionFactoryESBQM1</parameter>
    <parameter name="transport.jms.ConnectionFactoryType" locked="false">queue</parameter>
    <parameter name="transport.jms.UserName" locked="false">mqm</parameter>
    <parameter name="transport.jms.Password" locked="false">1qaz2wsx@</parameter>
    <parameter name="transport.jms.ReconnectInterval">300000</parameter>
  </parameter>

  <parameter name="myQueueConnectionFactory1" locked="false">
    <parameter name="java.naming.factory.initial" locked="false">com.sun.jndi.fscontext.RefFSContextFactory</parameter>
    <parameter name="java.naming.provider.url" locked="false">file:///home/mqm/wso2/IBM/bindesbqm1/</parameter>
    <parameter name="transport.jms.ConnectionFactoryJNDIName" locked="false">ConnectionFactoryESBQM1</parameter>
    <parameter name="transport.jms.ConnectionFactoryType" locked="false">queue</parameter>
    <parameter name="transport.jms.UserName" locked="false">mqm</parameter>
    <parameter name="transport.jms.Password" locked="false">1qaz2wsx@</parameter>
    <parameter name="transport.jms.ReconnectInterval">300000</parameter>
  </parameter>
</transportReceiver>



v) Import the public certificate extracted from the key repository ( esb.qm1_pubkey.arm ) into the ESB client truststore.

keytool -import -file esb.qm1_pubkey.arm -alias ibmwebspheremqesb.qm1 -keystore client-truststore.jks -storepass wso2carbon


Result:


mqm@ajanthan-ThinkPad-T440p:~/wso2/blog/wso2esb-4.9.0-blog/repository/resources/security$ keytool -import -file esb.qm1_pubkey.arm -alias ibmwebspheremqesb.qm1 -keystore client-truststore.jks -storepass wso2carbon
Owner: CN=ajanthan-ThinkPad-T440p, OU=esb, O=wso2, L=colombo, ST=west, C=LK
Issuer: CN=ajanthan-ThinkPad-T440p, OU=esb, O=wso2, L=colombo, ST=west, C=LK
Serial number: 58651782
Valid from: Thu Dec 29 19:32:42 IST 2016 until: Fri Dec 29 19:32:42 IST 2017
Certificate fingerprints:
  MD5:  4F:B2:E9:93:74:C9:C8:7B:ED:7B:9C:5E:70:A7:2F:89
  SHA1: 6A:25:71:50:C9:73:B9:E7:A2:77:49:3D:60:DF:C7:8E:81:6B:D9:C2
  SHA256: 54:7A:9B:26:72:14:75:BB:6C:45:E8:E0:9F:DA:CB:9A:F0:22:57:CC:B2:83:76:E7:86:04:D4:AA:1B:C8:84:72
  Signature algorithm name: SHA1withRSA
  Version: 3

Extensions: 

#1: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: 04 28 CD 25 B5 2B BE 52                            .(.%.+.R
]
]

#2: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 04 28 CD 25 B5 2B BE 52                            .(.%.+.R
]
]

Trust this certificate? [no]:  yes
Certificate was added to keystore
mqm@ajanthan-ThinkPad-T440p:~/wso2/blog/wso2esb-4.9.0-blog/repository/resources/security$ 



vi) Add the below to wso2server.sh:

-DCMQC.SSL_CIPHER_SUITE_PROPERTY="SSL_RSA_WITH_3DES_EDE_CBC_SHA" \


vii) Disable Channel Authentication in IBM Websphere MQ.


We are doing this only for testing purposes, to let our mqm user authenticate through the channel.

IBM Websphere MQ has an option to secure channels. By default it blocks all the remote users created during installation.

To fully disable Channel Authentication for a particular Queue Manager,
go to /opt/mqm/bin, run ./runmqsc ESB.QM1 and then use the commands below.

ALTER QMGR CHLAUTH(DISABLED)

REFRESH SECURITY TYPE(CONNAUTH)

Alternatively, we can allow our mqm user by removing the default “*MQADMIN” value in the screen below and adding a new value there.



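As an added example (not from the original post), the following stand-alone Java client applies the same SSL settings the ESB was given above, which is useful for checking the handshake against the queue manager without involving the ESB. The host, port, channel name, queue name and the mqm password are placeholders, not values from the post.

```java
// Added example: a minimal JMS client that mirrors the ESB's SSL settings
// (truststore from step v, cipher suite from step vi, property from section 4).
import javax.jms.JMSException;
import javax.jms.Queue;
import javax.jms.QueueConnection;
import javax.jms.QueueSender;
import javax.jms.QueueSession;
import javax.jms.Session;
import javax.jms.TextMessage;

import com.ibm.mq.jms.MQQueueConnectionFactory;
import com.ibm.msg.client.wmq.WMQConstants;

public class MqSslProbe {
    public static void main(String[] args) throws JMSException {
        // Same truststore the ESB trusts the queue manager certificate from (step v).
        System.setProperty("javax.net.ssl.trustStore", "client-truststore.jks");
        System.setProperty("javax.net.ssl.trustStorePassword", "wso2carbon");
        // Required on a non-IBM JVM only when a TLS_ CipherSuite is chosen (section 4);
        // harmless for the SSL_ suite used here, set so the probe matches the ESB JVM.
        System.setProperty("com.ibm.mq.cfg.useIBMCipherMappings", "false");

        MQQueueConnectionFactory cf = new MQQueueConnectionFactory();
        cf.setTransportType(WMQConstants.WMQ_CM_CLIENT);
        cf.setHostName("localhost");      // assumption: MQ runs on the same host
        cf.setPort(1414);                 // assumption: default MQ listener port
        cf.setQueueManager("ESB.QM1");
        cf.setChannel("ESB.SVRCONN");     // assumption: name of the server connection channel
        // Must map to the CipherSpec set on the channel; per IBM's mapping table this
        // suite corresponds to TRIPLE_DES_SHA_US.
        cf.setSSLCipherSuite("SSL_RSA_WITH_3DES_EDE_CBC_SHA");

        QueueConnection conn = cf.createQueueConnection("mqm", "<mqm-password>");
        try {
            QueueSession session = conn.createQueueSession(false, Session.AUTO_ACKNOWLEDGE);
            Queue queue = session.createQueue("queue:///ESB.QUEUE"); // assumption: queue name
            QueueSender sender = session.createSender(queue);
            TextMessage msg = session.createTextMessage("ssl probe");
            sender.send(msg);
            System.out.println("sent over " + cf.getSSLCipherSuite());
        } finally {
            conn.close();
        }
    }
}
```

Run it with wmq-client-8.0.0.4.jar on the classpath; a cipher suite that does not match the channel's CipherSpec typically surfaces here as a JMSException wrapping MQ reason code 2393 (MQRC_SSL_INITIALIZATION_ERROR), which is easier to read than the same failure buried in the ESB log.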

The continuation of this blog can be found in PART2.

http://ajanthane.blogspot.com/2017/01/1-way-ssl-communication-between-wso2_3.html

1 comment:

  1. Thank you for sharing this. It's very useful. In my case, I used IBM 9.2 and EI 6.6.0 and it works fine too. However, if we set SSLAuthentication=required in the server channel SSL, then we get an SSL handshake error. After debugging, I found out that no cert is loaded in the "Produced client certificate" portion of the SSL handshake process. Do you know any other setting that needs to be defined on the wso2 side for "SSLAuthentication=required"?