IBM Support

Integrate B2B's JMS1.1 client with ActiveMQ over 2-way SSL Authentication

Technical Blog Post


Abstract

Integrate B2B's JMS1.1 client with ActiveMQ over 2-way SSL Authentication

Body

JMS1.1 Services and Adapter offered in IBM Sterling B2B Integrator (B2B for short) can be configured to interact with various MQ servers. Here is the list of servers and their versions supported as of the B2B 5.2.6.3_5 iFix release. Some of these server connections can run over SSL, as described in the link above.

In this article, I am going to cover the steps involved in integrating B2B's JMS1.1 client with an ActiveMQ 5.14 server supporting 2-way SSL.

 

NOTE: I am using ActiveMQ 5.14 here just for this demo. Please refer to the B2B product documentation for the MQ server versions that are actually supported.

Also, IBM doesn't support the ActiveMQ product as such. Users would have to troubleshoot errors and configuration issues on the ActiveMQ side.

 

ActiveMQ server Configuration

1) Download the ActiveMQ server bundle from http://activemq.apache.org/download-archives.html and extract the contents.

2) Before ActiveMQ is started, create the certificate and keystore. Documentation can be found here - http://activemq.apache.org/how-do-i-use-ssl.html

I used the keytool that comes with IBM JDK 7 (<jdk_home>/bin/keytool).

#Using keytool, create a certificate for the activemq broker: Server's private key

#Choose a password of your choice for broker.ks
keytool -genkey -alias broker -keyalg RSA -keystore broker.ks

#Export the broker's certificate so it can be checked into B2B: Server's public certificate
keytool -export -alias broker -keystore broker.ks -file broker_cert.cer

#Create a self-signed system certificate on B2B dashboard : Client's private key


 

#Check-out public part of this system certificate from B2B dashboard. I saved it as "jms_clientauth.cer". (Client's public certificate)

#Created truststore with B2B's public cert. Choose password of your choice for truststore.ks
keytool -import -file jms_clientauth.cer -alias jms_b2b_clientauth -keystore truststore.ks

 

Now I have broker.ks and truststore.ks ready to be associated with the ActiveMQ server.

3) Next, go to <ActiveMQ_Home>/conf/activemq.xml and make the following changes.

The changes enable the SSL URL for ActiveMQ and associate the keystore files created in the previous step.

    <transportConnectors>
        <!--transportConnector name="openwire" uri="tcp://0.0.0.0:61616?maximumConnections=1000&amp;wireFormat.maxFrameSize=104857600"/-->
        <transportConnector name="openwire" uri="ssl://0.0.0.0:61617?needClientAuth=true&amp;maximumConnections=1000&amp;wireFormat.maxFrameSize=104857600"/>
    </transportConnectors>

 

    <sslContext>
        <sslContext
            keyStore="<folder_path>/broker.ks" keyStorePassword="password"
            trustStore="<folder_path>/truststore.ks" trustStorePassword="sterling"/>
    </sslContext>

NOTE: Make sure the needClientAuth attribute is appended to the broker's SSL URL.

4) Start ActiveMQ by issuing "./bin/activemq start" from <ActiveMQ_Home>

activemq.log is located under the <ActiveMQ_Home>/data folder and can be used to troubleshoot any errors.

The ActiveMQ Web UI can be opened in a browser. activemq.log should have the URL for this.

My activemq.log had the ActiveMQ WebConsole available at http://0.0.0.0:8161/
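A quick way to confirm the note above before starting the broker is to audit activemq.xml for listeners that are still plaintext or that accept TLS without demanding a client certificate. This is an added example, not part of the original post or of ActiveMQ; the file paths and the "legacy" and "oneway" connectors in the sample are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit, parse_qs

# Constructed sample: the article's TLS connector and sslContext (paths made up),
# plus two hypothetical connectors that the audit should flag.
SAMPLE = """<beans xmlns="http://www.springframework.org/schema/beans">
 <broker xmlns="http://activemq.apache.org/schema/core" brokerName="localhost">
  <sslContext>
   <sslContext keyStore="/opt/amq/broker.ks" keyStorePassword="password"
               trustStore="/opt/amq/truststore.ks" trustStorePassword="sterling"/>
  </sslContext>
  <transportConnectors>
   <transportConnector name="openwire" uri="ssl://0.0.0.0:61617?needClientAuth=true&amp;maximumConnections=1000"/>
   <transportConnector name="legacy" uri="tcp://0.0.0.0:61616?maximumConnections=1000"/>
   <transportConnector name="oneway" uri="ssl://0.0.0.0:61618?maximumConnections=1000"/>
  </transportConnectors>
 </broker>
</beans>"""

def local(tag):
    """Strip the XML namespace so the check works with or without xmlns."""
    return tag.rsplit("}", 1)[-1]

def audit(xml_text):
    """Return (name, finding) pairs for settings that do not enforce 2-way SSL."""
    root = ET.fromstring(xml_text)
    findings, client_auth = [], False
    for el in root.iter():
        if local(el.tag) != "transportConnector":
            continue
        name = el.get("name", "?")
        uri = urlsplit(el.get("uri", ""))
        scheme, opts = uri.scheme.lower(), parse_qs(uri.query)
        if scheme not in ("ssl", "wss") and not scheme.endswith("+ssl"):
            findings.append((name, f"plaintext transport '{scheme}'"))
            continue
        # The option may also appear with a "transport." prefix; accept both spellings.
        flag = opts.get("needClientAuth") or opts.get("transport.needClientAuth") or ["false"]
        if flag[-1].lower() != "true":
            findings.append((name, "TLS without needClientAuth=true"))
        else:
            client_auth = True
    ctx = [e for e in root.iter() if local(e.tag) == "sslContext" and e.get("keyStore")]
    if client_auth and not any(e.get("trustStore") for e in ctx):
        findings.append(("sslContext", "needClientAuth set but no trustStore configured"))
    return findings

if __name__ == "__main__":
    for name, msg in audit(SAMPLE):
        print(f"{name}: {msg}")
```

An empty result means every listener requires a client certificate and the broker has an explicit truststore to validate it against.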

 


 

B2B JMS1.1 client configuration

Check-in broker_cert.cer (i.e., broker's public certificate from previous section) as CA certificate in B2B dashboard. I used 5263_5 env.


 

Configure the "JMS 1.1 Async Receive Adapter" as a client to poll a JMS Topic and consume the messages posted. The adapter is configured over 2-way SSL.

With jms.log in DEBUG mode, you would see this line, which confirms that the adapter is successfully enabled:

DEBUG Async thread starting the adapter finished successfully KK.JMS.Aync.ActiveMQ


 

Similarly, configure the JMS1.1 Acquire Connection and Session Service.


 

 

 

Sample BPML to send messages to a JMS Topic over a 2-way SSL connection to ActiveMQ

<process name = "KK.JMSsend">
  <sequence>
    <operation name="JMS 1.1 Acquire Connection and Session Service">
      <participant name="jmsAcquire.Test"/>
      <output message="JMS11AcquireConnSessionServiceInputMessage">
        <assign to="." from="*"></assign>
      </output>
      <input message="inmsg">
        <assign to="." from="*"></assign>
      </input>
    </operation>

    <operation name="JMS 1.1 Send Message Service">
      <participant name="JMS1.1SendMessageService"/>
      <output message="JMS11SendMessageServiceInputMessage">
        <assign to="." from="*"></assign>
        <assign to="DESTINATION_TYPE_WFC">TOPIC</assign>
        <assign to="MSG_TYPE">TextMessage</assign>
      </output>
      <input message="inmsg">
        <assign to="." from="*"></assign>
      </input>
    </operation>

    <operation name="JMS 1.1 Release Connection and Session Service">
      <participant name="JMS11ReleaseConnectionAndSessionService"/>
      <output message="JMS11ReleaseConnSessionServiceInputMessage">
        <assign to="." from="*"></assign>
        <assign to="RELEASE_ACTION">NONE</assign>
      </output>
      <input message="inmsg">
        <assign to="." from="*"></assign>
      </input>
    </operation>

  </sequence>
</process>

 

Troubleshooting Tips

* If there are SSL handshake failures, capture a tcpdump and SSL logs.

How to get a tcpdump - http://www-01.ibm.com/support/docview.wss?uid=swg21701509

To capture SSL logs, add the property security.EnableSSLTrace=all to customer_overrides.properties and restart B2B. SSL logs from your testing would go into noapp.log.<datetime>

 

*If you see "certificate unknown" error in tcpdump while using CA signed certificates (NOT self-signed) in your test, you may try to add all CA Certs into one single Certificate Group. You can do this through Edit screens of CA Certificates that were already checked-in.

 

* I have seen the following exception while connecting to ActiveMQ installed on Open JDK version 8, but no such connection errors when ActiveMQ runs on IBM JDK 7.

I suspect there are some incompatibilities when the JMS client runs on IBM JDK 7 (i.e., B2B 5.2.6.3_5 is supported on JDK 7) and the ActiveMQ broker runs on JDK 8.

[2018-06-04 11:51:16.542] ERROR Marking this as failed connection as an exception was recieved
[2018-06-04 11:51:16.542] ERROR Unknown data type: 47
[2018-06-04 11:51:16.542] ERRORDTL javax.jms.JMSException: Unknown data type: 47
at org.apache.activemq.util.JMSExceptionSupport.create(JMSExceptionSupport.java:49)
at org.apache.activemq.ActiveMQConnection.onAsyncException(ActiveMQConnection.java:1773)
at org.apache.activemq.ActiveMQConnection.onException(ActiveMQConnection.java:1790)
at org.apache.activemq.transport.TransportFilter.onException(TransportFilter.java:99)
at org.apache.activemq.transport.ResponseCorrelator.onException(ResponseCorrelator.java:114)
at org.apache.activemq.transport.TransportFilter.onException(TransportFilter.java:99)
at org.apache.activemq.transport.TransportFilter.onException(TransportFilter.java:99)
at org.apache.activemq.transport.WireFormatNegotiator.onException(WireFormatNegotiator.java:152)
at org.apache.activemq.transport.InactivityMonitor.onException(InactivityMonitor.java:244)
at org.apache.activemq.transport.TransportSupport.onException(TransportSupport.java:96)
at org.apache.activemq.transport.tcp.TcpTransport.run(TcpTransport.java:189)
at java.lang.Thread.run(Thread.java:795)

 

Please post your comments, questions below.

UID

ibm11120635