I have been unable to find any posts specifically about this scenario, but I'm hoping someone will have the insight to see what I'm doing wrong. I have no prior SSL experience and am pretty sure I am just stumbling on setting up my certs properly. I've got two 6.5 Integration Servers set up: one in the DMZ and one internally. I have a SOCK reverse invoke connection set up from the internal out to the DMZ, and I have Http connections from external to the DMZ machine working. I am now trying to introduce Https into the fold. I have created a private key using openssl on my DmzIs and created a certificate from that:
openssl req -x509 -nodes -days 3650 -newkey rsa:2048 -keyout ./keys/dmzPrivateKey.key -out ./certs/dmzSelfSignedCertificate.crt
On the DmzIs I have nothing set up in Security → Certificates. Under my Https Port I have the following configuration:
HTTPS Listener Configuration
  Client Authentication: None
Listener Specific Credentials (Optional)
  Server's Certificate:        /DmzIs/IntegrationServer/config/ssl/certs/dmzSelfSignedCertificate.crt
  Authority's Certificate:     /DmzIs/IntegrationServer/config/ssl/certs/dmzSelfSignedCertificate.crt
  Private Key:                 /DmzIs/IntegrationServer/config/ssl/keys/dmzPrivateKey.key
  Trusted Authority Directory: /DmzIs/IntegrationServer/config/ssl/certs
I have also enabled SSL debugging as outlined in this post: How to enable SSL handshake debugging for IS
When I enable the Https port I see this message in the server logs:
[ISC.0006.0008D] Listener HTTPSListener@XXXX loaded certificate authorities from location /DmzIs/IntegrationServer/config/ssl/certs
I have a Java application that I coded to test the port for Http and have modified it for use with Https. I have imported the dmzSelfSignedCertificate into a keystore and use the keystore while connecting to the DmzIs. When I try to connect from java I see this in the server log:
[ISP.0047.0018V1] Aborting connection from 11.194.109.94/11.194.109.94:
In the client (java) output I see this:
javax.net.ssl.SSLException: Received close_notify during handshake
    at com.ibm.jsse2.n.a(n.java:38)
    at com.ibm.jsse2.sc.a(sc.java:442)
    at com.ibm.jsse2.sc.a(sc.java:563)
    at com.ibm.jsse2.sc.b(sc.java:8)
    at com.ibm.jsse2.sc.a(sc.java:381)
    at com.ibm.jsse2.sc.g(sc.java:437)
    at com.ibm.jsse2.sc.a(sc.java:544)
    at com.ibm.jsse2.sc.startHandshake(sc.java:124)
    at com.ibm.net.ssl.www2.protocol.https.c.afterConnect(c.java:48)
    at com.ibm.net.ssl.www2.protocol.https.d.connect(d.java:39)
    at sun.net.www.protocol.http.HttpURLConnection.getOutputStream(HttpURLConnection.java:899)
    at com.ibm.net.ssl.www2.protocol.https.b.getOutputStream(b.java:47)
In my stderr output on DmzIs I see:
ssl_debug(1): Starting handshake (iSaSiLk 3.03)...
ssl_debug(1): Received v3 client_hello handshake message.
ssl_debug(1): Client requested SSL version 3.0, selecting version 3.0.
ssl_debug(1): Shutting down SSL layer...
ssl_debug(1): Sending alert: Alert Warning: close notify
ssl_debug(1): Closing transport...
My current train of thought is that perhaps I need to use SSLSOCK for the reverse invoke connection or to have certificates set up between the DmzIs and InternalIs.
Has anyone been down this road before and have any tips? They would be greatly appreciated.
Thanks,
Mike
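As an added check (my own example, not code from the post or from Integration Server), the trust model described above can be reproduced with Python's ssl module: the certificate is generated with the post's openssl command, the key is loaded against the certificate the way a listener must load it before it can send its Certificate message, and a loopback handshake is run in which the client trusts only that self-signed certificate, so a failure is reported on the side that caused it. It assumes the openssl binary is on PATH; the file names and the localhost hostname are constructed for the test.

```python
import os, socket, ssl, subprocess, tempfile, threading

def generate_self_signed(out_dir=None, cn="localhost"):
    # Constructed material: the post's openssl command plus a SAN for hostname checks.
    out_dir = out_dir or tempfile.mkdtemp()
    cert = os.path.join(out_dir, "dmzSelfSignedCertificate.crt")
    key = os.path.join(out_dir, "dmzPrivateKey.key")
    subprocess.run(["openssl", "req", "-x509", "-nodes", "-days", "3650",
                    "-newkey", "rsa:2048", "-keyout", key, "-out", cert,
                    "-subj", f"/CN={cn}", "-addext", f"subjectAltName=DNS:{cn}"],
                   check=True, capture_output=True)
    return cert, key

def key_matches_certificate(cert_path, key_path):
    # Load the pair as a listener must before it can send its Certificate message.
    try:
        ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER).load_cert_chain(cert_path, key_path)
    except ssl.SSLError:
        return False
    return True

def loopback_handshake(cert_path, key_path, trust_path=None, hostname="localhost"):
    # One handshake on 127.0.0.1: server presents cert/key; the client trusts only
    # trust_path (default: the same self-signed cert, the post's 'Authority' setting).
    server_ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    server_ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # post's log shows SSL 3.0; refuse it
    server_ctx.load_cert_chain(cert_path, key_path)
    client_ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # CERT_REQUIRED + hostname check
    client_ctx.load_verify_locations(cafile=trust_path or cert_path)
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0)); listener.listen(1)
    result = {}
    def serve():
        conn, _ = listener.accept()
        try:
            with server_ctx.wrap_socket(conn, server_side=True) as tls:
                tls.recv(1)  # handshake complete; wait for the client to hang up
        except (ssl.SSLError, OSError) as exc:
            result["server_error"] = str(exc)
    threading.Thread(target=serve, daemon=True).start()
    try:
        with socket.create_connection(listener.getsockname()) as raw, \
                client_ctx.wrap_socket(raw, server_hostname=hostname) as tls:
            rdns = tls.getpeercert()["subject"]
            result["protocol"] = tls.version()
            result["cn"] = dict(pair for rdn in rdns for pair in rdn).get("commonName")
    except ssl.SSLError as exc:
        result["client_error"] = str(exc)  # e.g. CERTIFICATE_VERIFY_FAILED
    listener.close()
    return result
```

A result with only `client_error` set points at the client's truststore; a `server_error` with no client-side trust failure points at the listener's certificate, key or protocol settings.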