
A vendor has given me a .jks to connect to their MQ via JMS. I am using the following code as a template for my proof of concept.

Connecting to a Websphere MQ in Java with SSL/Keystore

The creation of the Keystore is fine; however, when it attempts to create a Truststore it loads a new .jks file. Am I supposed to generate this file, or should it have been provided? Currently I am unable to create it.

    import java.io.FileInputStream;
    import java.security.KeyStore;

    // KSPW is the keystore password as a char[] (defined elsewhere in the original code)
    // instantiate a KeyStore with type JKS
    KeyStore ks = KeyStore.getInstance("JKS");
    // load the contents of the KeyStore (the vendor-supplied .jks, protected by KSPW)
    try (FileInputStream in = new FileInputStream("/home/hudo/hugo.jks")) {
        ks.load(in, KSPW);
    }
    System.out.println("Number of keys on JKS: " + Integer.toString(ks.size()));

    // Create a keystore object for the truststore
    KeyStore trustStore = KeyStore.getInstance("JKS");
    // Open our file and read the truststore (no password);
    // this second .jks is the file that does not exist yet
    try (FileInputStream in = new FileInputStream("/home/xwgztu2/xwgztu2.jks")) {
        trustStore.load(in, null);
    }

Thanks

Biscuit128
    *The creation of the Keystore is fine however when it attempts to create a Truststore it loads a new .jks file.* what? – Antoniossss Jul 18 '18 at 14:04
  • what exception do you get? – gusto2 Jul 18 '18 at 14:24
  • See my answer to another question "[How to enable SSL with client certificate for Websphere MQ client?](https://stackoverflow.com/questions/46932203/how-to-enable-ssl-with-client-certificate-for-websphere-mq-client/47118882#47118882)". At any modern version of MQ you do not need to specifically set up the keystore and truststores, just pass the Java system properties like `-Djavax.net.ssl.trustStore=trust.jks` for example. The same jks file you were provided can likely be passed as both the key store and trust store without issue, but normally you would not need the trust store separate. – JoshMc Oct 08 '18 at 07:54
  • The keystore they provided should include the client cert along with the signer chain of that cert; it is very likely that the vendor's queue manager cert's signers are already included in that jks and probably even the same as the client cert's signers. Java will trust CA certs in the keystore; if you don't need to trust anything additional you shouldn't even need to specify a trust store. – JoshMc Oct 08 '18 at 07:56

1 Answer

There are a lot of assumptions in this answer (as the question doesn't provide much information), but I as well assume it comes with the amount of experience.

To create an SSL connection, the server must have a keypair (private key, public key and a certificate bound to the public key) and the client must trust the certificate (or its issuer). There is as well an option for mutual SSL (aka client-auth SSL), where the client needs its own keypair and certificate and the server needs to trust the client's certificate.

> Truststore it loads a new .jks file. Am I supposed to generate this file or should it have been provided as currently I am unable to create it.

The truststore should effectively contain the issuer certificate of the server's certificate (if a self-signed certificate is used, it is the same one).

You can get the certificate by connecting to the service:

    openssl s_client -connect host:port -showcerts

and then import the returned certificate into a new keystore (using e.g. the `keytool -importcert` command):

    keytool -importcert -keystore mytruststore.jks -alias mqserver -file servercert.pem

If the server returns you multiple certificates (certificate chain), you may import them all.

If you are not able to do so, just ask the service provider (someone who deploys the MQ) to provide you the certificate or the truststore.

gusto2
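As an added example (not code from the question or the answer above), the following Java utility checks whether a truststore built with the steps above actually contains an issuer for the server's chain: it loads `mytruststore.jks`, initialises a `TrustManagerFactory` with only that store, and runs `checkServerTrusted` on the certificates saved from `openssl s_client -showcerts`. The file paths are taken from the command line; the class and method names are my own.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.List;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

public class TrustStoreCheck {
    static KeyStore loadJks(String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(path)) {
            ks.load(in, password); // a null password is enough to read a truststore's certificates
        }
        return ks;
    }

    static X509TrustManager trustManagerFor(KeyStore trustStore) throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore); // trust only this store, not the JRE's default cacerts
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) return (X509TrustManager) tm;
        }
        throw new IllegalStateException("no X509TrustManager available");
    }

    /** True if the chain (leaf first) validates against an issuer held in the truststore. */
    static boolean isTrusted(KeyStore trustStore, X509Certificate[] chain) throws Exception {
        try {
            trustManagerFor(trustStore).checkServerTrusted(chain, "RSA");
            return true;
        } catch (CertificateException e) {
            return false; // issuer missing from the store, certificate expired, or chain broken
        }
    }

    public static void main(String[] args) throws Exception {
        // args[0]: truststore .jks, args[1]: PEM file saved from 'openssl s_client -showcerts'
        KeyStore trustStore = loadJks(args[0], null);
        List<X509Certificate> chain = new ArrayList<>();
        try (FileInputStream in = new FileInputStream(args[1])) {
            for (Certificate c : CertificateFactory.getInstance("X.509").generateCertificates(in)) chain.add((X509Certificate) c);
        }
        System.out.println(isTrusted(trustStore, chain.toArray(new X509Certificate[0])) ? "trusted" : "not trusted: import the issuer certificate");
    }
}
```

Because the factory is initialised with the truststore alone, a "not trusted" result means the issuer really is missing from that file rather than being covered by the JRE's default CA certificates.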