Sunday, June 10, 2012

MQ Adapter and SSL - Part 1

Oracle MQ Series Adapter enables applications to connect to MQ Series queue managers and enqueue/dequeue messages to/from the Queues. MQ Series supports secure communication through the use of SSL. SSL stands for Secure Socket Layer. Oracle MQ Series Adapter can be easily configured to support SSL to secure the data-communication between Adapter and Server.

The article further explains some general concepts of SSL on MQ Adapter and points how you can enable SSL on Oracle MQ Adapter.

There are 2 types of SSL that can be configured on MQ Adapter:

One-Way SSL: 
In this SSL pattern, only the server gets authenticated. This ensures that the server to which MQ adapter is connecting is valid and correct. When MQ Adapter connects to MQ server, it requests the MQ server-certificate. On providing the certificate by MQ server, MQ Adapter verifies and matches it against the list of certificates available with it in its store. If the certificate match is found, the certificate is considered valid and the SSL connection is established.

Two-Way SSL:
In two-way SSL, both Client and Server are authenticated. The connection process is very similar to One-way SSL except that client is also authenticated in two-way SSL. When MQ Adapter connects to MQ server, it requests the server-certificate. MQ server provides the appropriate certificate. This certificate is verified by the MQ Adapter against the list of certificates available with it. After this certficate is validated by MQ Adapter (client), MQ server (server) then requests the client certificate to ensure that the requesting client is also valid. MQ Adapter, then, presents its certificate to MQ server which is verified by the server against the list of certificates available with it. If both the client and server certificates are found valid, SSL connection is established.

Two-way SSL is always enforced by the server. Hence, to enable two-way SSL on MQ Series, MQ Server needs to enforce Two-way SSL on incoming channel. On the server side, set the property Authentication of Parties initiating connection to Required as shown in the screenshot. This will enforce the clients connecting to it to present their certificates for validation before an SSL connection can be established.

Also ensure that this channel must be of Server-connection type. Contact your MQ Server Administrator to confirm this.


Further, to configure One-way or Two-way SSL on MQ Adapter and simultaneously keeping this post short and sweet, follow another post Enabling SSL on MQ Series Adapter - Part 2.

Enabling SSL on MQ Series Adapter - Part 2

I've already explained the basic concepts in MQ Adapter and SSL - Part 1. This post explains how you can configure your MQ Adapter to use One-way or Two-way SSL.  To enable One-way or Two-way SSL on MQ Adapter, following steps need to be followed. I'm outlining the simplest possible steps. Once understood, they can be modified based on your security needs.
  • Get the Public certificate (.DER, .CER) of the MQ Server Queue Manager. Ask your MQ server Admin to give this to you.
  • Import this certificate into default Weblogic Trust store or you custom keystore if any (all Public certs are stored here because Weblogic trusts the certs imported here) at <WL_HOME>/server/lib/DemoTrust.jks using the following command. You need the keytool utility to execute following commands.
keytool -import -alias <choose_name_for_this_entry> -file <public_cert_received> -keystore DemoTrust.jks -storepass DemoTrustKeyStorePassPhrase
  • Verify the imported certificate by running following command. Your entry should be present here. 
keytool -list -v -keystore DemoTrust.jks -storepass DemoTrustKeyStorePassPhrase
Note: Below 3 steps are required only for configuring Two-way SSL on MQ Adapter. For One-way SSL, you must skip these steps.

For Two-way SSL, you need to provide Weblogic Public certificate to MQ server Admin team so that they can import it in MQ Server's Trust store. Follow the additional 2 steps for Two-way SSL.
1. Extract the PUBLIC certificate of your Weblogic from its identity and give this certficate to MQ Server team.
keytool -export -alias demoidentity -file WLS_PUBLIC_CERT.der -keystore <WL_HOME>\server\lib\DemoIdentity.jks -storepass DemoIdentityKeyStorePassPhrase
2. Ask MQ server Admin to import the given certificate into the Server Trust store being used by the Queue Manager that you connect to.
 3. Ensure that the Private key and Identity Keystore passwords of your Keystore are same. Hence, change the keystore password to the Private key password by executing the following command.
keytool -storepasswd -new DemoIdentityPassPhrase -keystore <WL_HOME>\server\lib\DemoIdentity.jks
  • Next step is to create a simple BPEL process with MQ Adapter that connects to MQ using a JNDI configured on Weblogic Server. The key to configure SSL on MQ Adapter lies in this JNDI only.  To create a JNDI for MQ Adapter,  Follow How to create MQ Adapter JNDI . 
  • Once the JNDI is configured successfully and tested with a dummy BPEL process, edit the following JNDI properties. Remember to hit Enter after updating each property.
S. No
Property Name
Property Value
Description
1
channelName
<Channel Name>
The name of the channel which is of server-conection type. Ask your MQ Server Admin to provide with this detail. Your process will connect to this channel.
2
CipherSuite
SSL_RSA_EXPORT_WITH_ RC4_40_MD5
Cipher suite that will be used for Message Encryption. Ensure that this is same as CipherSpec set on the above channel. e.g. for CipherSpec to be set on Server Connection Channel for the mentioned CipherSuite is RC4_MD5_EXPORT
3
hostName 
<Host Name>
The host name of the MQ server
4
KeyStoreLocation
<Keystore Location>
For One-way SSL, specify this to the location of the keystore in which you imported the Public certificate of the MQ Server (in our example DemoTrust.jks). This property will be same as TrustStoreLocation in One-way SSL.

However, for Two-way SSL, specify the location of Identity keystore (in our example DemoIdentity,jks)
5
KeyStorePassword
<Keystore Password>
Specify the password to access the above keystore
6
KeyStoreType
jks
By default this is Java Keystore (jks). Ensure you create the Keystore of the .jks type.
7
password
<Password to access MQ>
Specify the password to access the MQ Server
8
portNumber
<MQ Server Port>
Network port to connect to MQ server
9
Protocol
TLS
The algorigthm used to manage the Keys. Default Value is TLS. Keep it as it is.
10
queueManagerName
<Queue Manager name on MQ Server>
Queue Manager provides access to the queues and also transfers messages to other queue managers through message channels.
11
SSLEnable
true
Set this value to true to tell MQ Adapter to use SSL
12
TrustStoreLocation
<Keystore Location>
Provide the Trust keystore location (e.g. /dir/DemoTrust.jks) in which you imported the PUBLIC cert of the MQ Queue Manager.
13
TrustStorePassword
<Keystore Password>
Provide the password for Trust Store
14
userID
<username to connect MQ>
User Id to access MQ server
15
XATransaction
false
By default this is False
  • Save the properties and Update the Adapter as given in create JNDI post.
And it's done. This will enable One-way SSL (or Two-way SSL) for your MQ Adapter communication.

Troubleshooting:
  • In case you encounter any errors, set the following EXTRA_JAVA_PROPERTIES in setDomainEnv.sh (or setDomainEnv.cmd) file and restart the servers.
set EXTRA_JAVA_PROPERTIES=%EXTRA_JAVA_PROPERTIES% -Dssl.debug=true -Dweblogic.StdoutDebugEnabled=true -Dweblogic.security.SSL.verbose=true
  • This will generate verbose logs for SSL to help you diagnose the errors. See the below logs for diagnosis.
<DOMAIN_HOME>/servers/soa_server1/logs/soa_server1.log
Still if you encounter any problems, I'm happy to help!

How to create a JNDI for MQ Adapter on Weblogic

This post explains how to create a simple JNDI for MQ Adapter in Weblogic 10.3.x. This JNDI properties can be further changed to configure One-way or Two-way SSL on MQ Adapter as explained in post Enabling SSL on MQ Series Adapter - Part 2.
  • Login to Weblogic Server Administration Console and navigate to Deployments > MQSeriesAdapter > Configuration Tab > Outbound Connection Pool.


  • Click on New button and select javax.resource.cci.ConnectionFactory and click Next.
  • Give an appropriate JNDI name and press Finish. This JNDI name will be used by your MQ Adapter inside the BPEL process. If it asks to Create/Save a Deployment Plan, Create/Save a deployment plan for this JNDI reference.
  • Go back to the MQSeriesAdapter > Configuration Tab > Outbound Connection Pool and expand the connection factory  javax.resource.cci.ConnectionFactory. Click on the JNDI created by you above.


  • Set the following properties for the above created JNDI. Leave the other properties to their default. Remember to hit Enter after updating each property. 

    S. No
    Property Name
    Property Value
    Description
    1
    channelName
    <Channel Name>
    The name of the channel which is of server-conection type. Ask your MQ Server Admin to provide this detail. Your process will connect to this channel.
    2
    hostName 
    <Host Name>
    The host name of the MQ server
    3
    password
    <Password to access MQ>
    Specify the password to access the MQ Server
    4
    portNumber
    <MQ Server Port>
    Network port to connect to MQ server
    5
    queueManagerName
    <Queue Manager name on MQ Server>
    Queue Manager provides access to the queues and also transfers messages to other queue managers through message channels.
    6
    SSLEnable
    false
    By default this value is false. As we're not using any SSL in this post, leave this value as false.
    7
    userID
    <username to connect MQ>
    User Id to access MQ server
    8
    XATransaction
    false
    By default this is False. Keep it false unless you want to enable global transactions on this adapter.

  • Save the properties by hitting the Save button at the bottom of the properties page.
  • Navigate back to Deployments and check MQSeriesAdapter. Now press Update button on the top.
  • On the next page, choose to Redeploy this application using the following deployment files and hit Finish.
After the JNDI is created successfully and properties are set as above, use this JNDI in a simple BPEL process to enqueue a message in MQ. If this is successful, JNDI configuration is correct.