App Connect

  • 1.  HTTPSConnector:KeystoreFile not being picked up

    IBM Champion
    Posted Thu October 06, 2022 05:48 AM
    Edited by John Hawkins Thu October 06, 2022 05:49 AM
    Hi Folks,
    We're using ACE 11.0.0.10. I'm trying to set up TLS for HTTPS request nodes.
    I can set the JVM: keystoreFile property (lower case 'k') in server.conf.yaml. BUT, if I set HTTPSConnector:KeystoreFile (upper case 'K'!) it doesn't get used. I can see that it has been set - just not used.

    Everything I read tells me it should get picked up and used. So, if I assume that a) the upper case 'K' is correct (I've tried it with both and neither work) then it looks like I'm forced into using the JVM Value. I would have preferred to keep the two separate - but not for any specific reason at this point, it just "feels" better that I have the flexibility.

    Has anyone come across this issue before?


    Many thanks,
    John.

    ------------------------------
    John Hawkins
    Integration Consultant
    ------------------------------


  • 2.  RE: HTTPSConnector:KeystoreFile not being picked up

    User Group Leader
    Posted Tue October 11, 2022 04:03 PM
    Edited by Gabriel Marte Blanco Tue October 11, 2022 04:03 PM

    Hello John, 

    I have escalated your question to our team and hopefully we are able to get you an answer as soon as possible. 

    I will get back to you as soon as I have something for you!



    ------------------------------
    Gabriel Marte Blanco
    Austin TX
    ------------------------------



  • 3.  RE: HTTPSConnector:KeystoreFile not being picked up

    Posted Tue October 11, 2022 04:12 PM

    Hi John,

    You are interacting with two unrelated properties, they are not interchangeable in ACE.  The HTTPSConnector KeystoreFile is only for inbound connections.  The JVM keystoreFile is only for outbound connections.  It sounds like you need an outbound connection and that is why the JVM works.

    If you are trying to use one for both, use the BrokerRegistry brokerKeystoreFile.

    FYI, you should be on 11.0.0.12 or higher.

    -Matthew



    ------------------------------
    MATTHEW SEGALL
    ------------------------------



  • 4.  RE: HTTPSConnector:KeystoreFile not being picked up

    IBM Champion
    Posted Wed October 12, 2022 04:31 AM
    Hi Matthew,
    Where is that documented? I have found very few references to what each place does. However, one of them was Chris Phillips' blog - https://chrisphillips-cminion.github.io/mq/2020/03/16/mq-tls.html
    which seems to clearly say that HTTPSConnector is the right place for me?

    cheers,
    John.

    ------------------------------
    John Hawkins
    Integration Consultant
    ------------------------------



  • 5.  RE: HTTPSConnector:KeystoreFile not being picked up

    Posted Wed October 12, 2022 04:49 AM
    Hi John,

    We have used TLS in the HTTPRequest node (for outbound) and below is how you should define the reference to the JKS.



    The below URL is for the old IIB version but also mentions that the HTTPSConnector KeystoreFile is only for inbound connections and the JVM keystoreFile is only for outbound connections. Please check if this helps.

    https://www.ibm.com/support/pages/secure-communication-setting-iib-over-ssltls


    ------------------------------
    Prosanta Saha
    ------------------------------



  • 6.  RE: HTTPSConnector:KeystoreFile not being picked up

    Posted Wed October 12, 2022 11:38 AM
    Hello John,

     Chris Phillips is coming from an APIC point of view and is aiming at the inbound TLS case (as I think you may have commented on his blog).  HTTPSConnector settings only apply to inbound (the name is historical).

     Just in case it helps, the settings are
    BrokerRegistry:
      # Used as default for inbound and outbound if no other settings are present
      brokerKeystoreFile: '/home/tdolby/broker-keystore.jks'
    ResourceManagers:
      JVM:
        # Used as default for inbound and outbound; overrides brokerKeystoreFile
        keystoreFile: '/home/tdolby/jvm-keystore.jks'
      HTTPSConnector:
        # Specifies inbound keystore; overrides brokerKeystoreFile and JVM keystoreFile
        KeystoreFile: '/home/tdolby/https-keystore.jks'

    and there isn't an equivalent of HTTPSConnector KeystoreFile for outbound TLS.

    To return to your original question: keeping the HTTPS outbound separate from the JVM setting isn't usually a problem, as the HTTPRequest node "SSL client authentication key alias" setting can be used to choose a specific key from the keystore. Inbound HTTPS can be kept separate by using the HTTPSConnector setting as shown.

    Hope this makes sense!



    ------------------------------
    Trevor Dolby
    ------------------------------
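Added example, not code from the thread or from IBM: a small Python resolver that applies the precedence Trevor lists above (inbound: HTTPSConnector KeystoreFile, then JVM keystoreFile, then brokerKeystoreFile; outbound: JVM keystoreFile, then brokerKeystoreFile, with no HTTPSConnector equivalent) to a server.conf.yaml that has already been loaded into nested dicts, and flags the configuration from the original post where only HTTPSConnector KeystoreFile is set. The SAMPLE_CONF dict, the paths and the function names are constructed assumptions.

```python
from typing import Any, Dict, List, Optional, Tuple

# Constructed sample: server.conf.yaml already loaded into nested dicts
# (the shape yaml.safe_load returns). Paths are placeholders, not real files.
SAMPLE_CONF: Dict[str, Any] = {
    "BrokerRegistry": {"brokerKeystoreFile": "/opt/ace/broker-keystore.jks"},
    "ResourceManagers": {
        "JVM": {"keystoreFile": "/opt/ace/jvm-keystore.jks"},
        "HTTPSConnector": {"KeystoreFile": "/opt/ace/https-keystore.jks"},
    },
}

def _lookup(conf: Dict[str, Any], *path: str) -> Optional[str]:
    """Walk a nested-dict path; missing, non-string or empty values count as unset."""
    cur: Any = conf
    for key in path:
        if not isinstance(cur, dict) or key not in cur:
            return None
        cur = cur[key]
    return cur if isinstance(cur, str) and cur else None

def effective_keystores(conf: Dict[str, Any]) -> Dict[str, Tuple[Optional[str], str]]:
    """Resolve the keystore inbound HTTPS and outbound (HTTPRequest) TLS will
    actually use, per the precedence described in the thread:
      inbound : HTTPSConnector KeystoreFile > JVM keystoreFile > brokerKeystoreFile
      outbound: JVM keystoreFile > brokerKeystoreFile (HTTPSConnector is inbound-only)
    Returns {direction: (path_or_None, name_of_the_setting_that_won)}."""
    broker = ("BrokerRegistry:brokerKeystoreFile",
              _lookup(conf, "BrokerRegistry", "brokerKeystoreFile"))
    jvm = ("JVM:keystoreFile", _lookup(conf, "ResourceManagers", "JVM", "keystoreFile"))
    https = ("HTTPSConnector:KeystoreFile",
             _lookup(conf, "ResourceManagers", "HTTPSConnector", "KeystoreFile"))

    def first_set(chain: List[Tuple[str, Optional[str]]]) -> Tuple[Optional[str], str]:
        for name, value in chain:
            if value:
                return value, name
        return None, "unset"

    return {"inbound": first_set([https, jvm, broker]), "outbound": first_set([jvm, broker])}

def outbound_tls_warnings(conf: Dict[str, Any]) -> List[str]:
    """The pitfall from the original post: only HTTPSConnector KeystoreFile is set,
    so inbound works but HTTPRequest (outbound) TLS has no keystore at all."""
    resolved = effective_keystores(conf)
    if resolved["outbound"][0] is None and resolved["inbound"][0] is not None:
        return ["HTTPSConnector:KeystoreFile applies to inbound only; set JVM:keystoreFile "
                "or BrokerRegistry:brokerKeystoreFile for outbound HTTPRequest TLS"]
    return []
```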