  • No replies
FQHR_Peter_Ward
1 Post

Pinned topic MQ JMS Classes V9.1.0.1 fails to establish secure TLS connection as it does not use the default SSLContext

2019-02-08T03:38:16Z

I am upgrading a Java MQ JMS application from Java V6 to Java V8, as well as upgrading the MQ Java Classes from V7.5 to V9.1.0.1. Plus using TLSv1.2 and cipher TLS_RSA_WITH_AES_256_CBC_SHA256.

When attempting to connect to the queue manager channel it fails with an SSL handshake exception. The root cause is that although the application has configured an SSLContext with the required keystore and trust store, and set it as the default SSLContext, the MQ Java classes are not using this default SSLContext. The MQ Java classes appear to create their own SSLContext, which uses the default trust store of cacerts (e.g. /usr/java8_64/jre/lib/security/cacerts).

Could you please confirm if this is the case and if so indicate when a fix will be available?

Note that this appears to be the same issue as "IT16056: JMS applications using the MQ V8 JCA resource adapter running in Liberty cannot establish secure TLS connections"
https://www-01.ibm.com/support/docview.wss?uid=swg1IT16056

Thanks,
Peter

Software versions:
IBM MQ Java Classes - V9.1.0.1

java version '1.8.0_171'
Java(TM) SE Runtime Environment (build 8.0.5.15 - pap6480sr5fp15-20180502_01(SR5 FP15))
IBM J9 VM (build 2.9, JRE 1.8.0 AIX ppc64-64 Compressed References 20180425_385365 (JIT enabled, AOT enabled) 

The following code fragment shows what the application is doing.
 
    import java.io.FileInputStream;
    import java.security.KeyStore;
    import java.util.Hashtable;
    import javax.jms.QueueConnection;
    import javax.jms.QueueConnectionFactory;
    import javax.naming.Context;
    import javax.naming.InitialContext;
    import javax.net.ssl.KeyManagerFactory;
    import javax.net.ssl.SSLContext;
    import javax.net.ssl.TrustManagerFactory;

    // Builds the application SSLContext from explicit stores, installs it as the
    // JVM default, then connects through a JNDI-looked-up QueueConnectionFactory.
    static QueueConnection connect(String keyStorePath, String keyStorePassword,
            String trustStorePath, String trustStorePassword,
            String jndiContext, String queueConnectionFactory) throws Exception {
        // Key store holding the client certificate and private key
        KeyStore ks = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(keyStorePath)) {
            ks.load(in, keyStorePassword.toCharArray());
        }
        String kmfa = KeyManagerFactory.getDefaultAlgorithm();
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(kmfa);
        kmf.init(ks, keyStorePassword.toCharArray());

        // Trust store holding the queue manager's certificate chain
        KeyStore ts = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(trustStorePath)) {
            ts.load(in, trustStorePassword.toCharArray());
        }
        String tmfa = TrustManagerFactory.getDefaultAlgorithm();
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(tmfa);
        tmf.init(ts);

        // TLSv1.2 context backed by the two stores above, set as the JVM default
        SSLContext sslContext = SSLContext.getInstance("TLSv1.2");
        sslContext.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        SSLContext.setDefault(sslContext);

        Hashtable<String, String> env = new Hashtable<String, String>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.fscontext.RefFSContextFactory");
        env.put(Context.PROVIDER_URL, jndiContext);
        InitialContext ctx = new InitialContext(env);

        QueueConnectionFactory qcf = (QueueConnectionFactory) ctx.lookup(queueConnectionFactory);
        QueueConnection con = (QueueConnection) qcf.createQueueConnection();
        con.start();
        return con;
    }
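The following is an added example, not code from the post above or from IBM. It shows two things a practitioner would want when hitting the behaviour described: a way to see which issuers a trust manager actually accepts (a trust manager initialised from the JSSE default trusts the cacerts issuers, the one built from the application store trusts only that store), and a way to hand the application's SSLSocketFactory to the MQ connection factory directly instead of relying on the MQ classes honouring SSLContext.getDefault(). It assumes the JNDI-looked-up factory is the MQ implementation, so it can be cast to com.ibm.mq.jms.MQConnectionFactory, and that the setSSLSocketFactory and setSSLCipherSuite methods on that class behave as in the MQ classes for JMS API (verify against the 9.1 Javadoc); store paths, passwords and the cipher suite are parameters.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.List;
import javax.jms.QueueConnection;
import javax.jms.QueueConnectionFactory;
import javax.net.ssl.KeyManager;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;
import com.ibm.mq.jms.MQConnectionFactory;   // assumption: MQ classes for JMS on the classpath

public class ExplicitMqTls {

    /** Key managers for the client certificate, from an explicit JKS store. */
    static KeyManager[] loadKeyManagers(String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(ks, password);
        return kmf.getKeyManagers();
    }

    /** Trust managers from an explicit JKS trust store. */
    static TrustManager[] loadTrustManagers(String path, char[] password) throws Exception {
        KeyStore ts = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(path)) {
            ts.load(in, password);
        }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ts);
        return tmf.getTrustManagers();
    }

    /** Trust managers the JSSE provider uses when none are supplied: javax.net.ssl.trustStore or cacerts. */
    static TrustManager[] defaultTrustManagers() throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null);
        return tmf.getTrustManagers();
    }

    /** Subject DNs of every issuer the given trust managers accept; use it to see which store is really in play. */
    static List<String> acceptedIssuers(TrustManager[] tms) {
        List<String> names = new ArrayList<String>();
        for (TrustManager tm : tms) {
            if (tm instanceof X509TrustManager) {
                for (X509Certificate c : ((X509TrustManager) tm).getAcceptedIssuers()) {
                    names.add(c.getSubjectX500Principal().getName());
                }
            }
        }
        return names;
    }

    /** TLSv1.2 context over the supplied managers, independent of the JVM default. */
    static SSLContext buildContext(KeyManager[] kms, TrustManager[] tms) throws Exception {
        SSLContext ctx = SSLContext.getInstance("TLSv1.2");
        ctx.init(kms, tms, null);
        return ctx;
    }

    /** Gives the MQ factory the socket factory explicitly rather than relying on SSLContext.getDefault(). */
    static QueueConnection connect(QueueConnectionFactory qcf, SSLContext ctx, String cipherSuite) throws Exception {
        // Assumption: the JNDI object is com.ibm.mq.jms.MQQueueConnectionFactory, a subclass of MQConnectionFactory
        MQConnectionFactory mqcf = (MQConnectionFactory) qcf;
        mqcf.setSSLSocketFactory(ctx.getSocketFactory());
        mqcf.setSSLCipherSuite(cipherSuite);
        QueueConnection con = qcf.createQueueConnection();
        con.start();
        return con;
    }

    /** Usage: ExplicitMqTls keystore.jks keypw truststore.jks trustpw (prints the issuer comparison only). */
    public static void main(String[] args) throws Exception {
        TrustManager[] app = loadTrustManagers(args[2], args[3].toCharArray());
        System.out.println("application trust store issuers: " + acceptedIssuers(app));
        System.out.println("JSSE default (cacerts) issuers:  " + acceptedIssuers(defaultTrustManagers()).size());
        SSLContext ctx = buildContext(loadKeyManagers(args[0], args[1].toCharArray()), app);
        System.out.println("context protocol: " + ctx.getProtocol());
        // connect(qcf, ctx, "TLS_RSA_WITH_AES_256_CBC_SHA256") once qcf has been looked up from JNDI
    }
}
```

Running main against the application trust store prints a short issuer list for that store and a count of the cacerts issuers (typically well over a hundred); if the handshake failure names an issuer that appears only in the first list, the connection is being validated against the default store, which is the behaviour the post describes. Passing the socket factory through connect() removes the dependence on the JVM default altogether, so the check of which store is used becomes explicit in the application rather than in library behaviour.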