
I am trying to connect to a remote QM using SSL from an AIX Machine.

I have set up my QM and Channel to allow SSL connections.
(screenshot: SSL Cipher Spec)

I have created a KeyStore on the Server (Machine containing the above QM + Channel) and have exported its self-signed certificate and imported the certificate from the Client.
(screenshots: Self signed Cert - Server; Signed Cert - Client)

I have used GSK on the AIX machine to create a Keystore in which both the Self Signed and Signer certificates of the Server are present.
(screenshot: Client Side Certs)

Client Code is as below when trying to connect to the QM. This code does work on Windows, however it does not work on AIX, which leads me to believe this is a certificate issue which I have done wrong and not a code issue.

The CipherSpec is TLS_RSA_WITH_AES_256_CBC_SHA256 and the keystore location is correct.

    // Client connection channel definition (IMQI ImqChannel)
    m_QChannel.setChannelName(m_strChannelName);
    m_QChannel.setConnectionName(m_pParent->GetName());
    m_QChannel.setTransportType( MQXPT_TCP );

    // Only configure SSL/TLS when a CipherSpec has been supplied
    if (!m_strCipherSpec.IsEmpty())
    {
        m_QChannel.setSslCipherSpecification(m_strCipherSpec);

        // Key repository: explicit path if given, otherwise fall back to MQSSLKEYR
        if (!m_strKeyStore.IsEmpty())
        {
            m_QMgr.setKeyRepository(m_strKeyStore);
        }
        else
        {
            CString strKeyStore = getenv("MQSSLKEYR");
            m_QMgr.setKeyRepository(strKeyStore);
        }
    }

    //Set the queue manager options
    m_QMgr.setName(m_strName);
    m_QMgr.setChannelReference(&m_QChannel);

    if (!m_QMgr.connect())
    {
        // Keep the MQRC reason code (2393 = MQRC_SSL_INITIALIZATION_ERROR in this case)
        m_iLastError = m_QMgr.reasonCode();

        return false;
    }

However, when I try to run my application to connect I get an MQRC 2393 Error returned. When checking the Error logs it complains about the Certificates.

(screenshots: Error 2393; Error Log)

I have tried Restarting the QM, Restarting the Channel, Refreshing the SSL, but all with no luck. What have I missed?

Any help appreciated.

PowPowPowell
  • What version of MQ client are you using? – JoshMc Jul 03 '18 at 16:31
  • For future users to be able to find this content it would be better to paste in the text that is shown in the screenshots in your question instead of screen shots since those errors will then be searchable in Google and Stackoverflow. Once you paste text for example from the AMQERR01.LOG you can highlight it and click the `"` icon at the top, it will insert 4 spaces at the start of each line causing it to keep the same format as you pasted. – JoshMc Jul 03 '18 at 16:39
  • Show the 'client-side' code or MQ JNDI or CCDT values for the channel that the application is using. It appears you have not defined the SSL/TLS values on the client-side. – Roger Jul 03 '18 at 15:29
  • Hi Roger, Thanks for the comment, I have added the Client code used to connect to the QM above. As above this is working for my Windows Unit tests – PowPowPowell Jul 03 '18 at 15:57

1 Answer


The current label of the client cert you have is ibmwebspherebldaix02.

For a MQI client app the default cert label that MQ will look for is the string ibmwebspheremq followed by the name of the user that the application is running as all in lowercase.

In this case it does not meet the first part of the default's requirement since it starts out as ibmwebsphere and is missing the mq and is then followed by bldaix02.

You have a few options:

  1. If the user is bldaix02 then you can rename the cert in the keystore to ibmwebspheremqbldaix02. If that is not the username then rename the cert to ibmwebspheremq<username> all in lowercase. This option should work with all versions of the IBM MQ product.
  2. If you are using IBM MQ v7.0 - 7.5 (these are all out of support), you could tell MQ to use the Default cert by setting the environment variable AMQ_SSL_ALLOW_DEFAULT_CERT to any value before starting the application or if doing it within the program, do it before calling connect. Note this feature was removed in the initial versions of IBM MQ v8.0 and v9.0 but was later added back at 8.0.0.7 and 9.0.0.1 and later.
  3. If you are using IBM MQ v8.0 or later (you should be since these are the only currently supported versions) you can tell MQ to look for a different label. You can do this in four ways:

    1. If using a CCDT, set the CERTLABL attribute of the CLNTCONN channel.
    2. Programmatically set the CertificateLabel attribute in the MQSCO.
    3. Set the environment variable MQCERTLABL before starting the application or, if doing it within the program, do it before calling connect.
    4. Use the CertificateLabel attribute of the SSL: stanza in the mqclient.ini.
       Note: there are various ways MQ will find the mqclient.ini and these are detailed in both the IBM MQ Knowledge Center and various answers here on StackOverflow.

You can find more information in the following links:

  1. Technote: Specifying the userid in the SSL certificate label for an MQ client
  2. IBM MQ 8.0.0 Knowledge Center > IBM MQ > Security > Security overview > IBM MQ security mechanisms > Security protocols in IBM MQ > The SSL or TLS key repository > Digital certificate labels, understanding the requirements
JoshMc
  • Thanks for the information Josh , Much appreciated , I renamed my Certificates and this is working as expected. Was pulling my hair out over this one – PowPowPowell Jul 04 '18 at 07:51
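The label rule from the answer (default MQI client label is "ibmwebspheremq" followed by the lowercase user name) and the MQSCO CertificateLabel option can be checked before touching the keystore. The following is an added example, not code from the question, the answer or IBM MQ: it derives the expected default label, diagnoses why a keystore label such as ibmwebspherebldaix02 is rejected, and shows how a label is copied into a blank-padded MQ character field of the kind used for MQSCO.CertificateLabel. No MQ headers are used; the 64-byte field length is a locally defined constant assumed to mirror MQ_CERT_LABEL_LENGTH, and the function names are hypothetical.

```cpp
// Added example (not from the question, the answer or IBM MQ): derive the
// default MQI client certificate label, diagnose a mismatching keystore label,
// and fill a blank-padded MQ character field such as MQSCO.CertificateLabel.
#include <algorithm>
#include <cctype>
#include <cstring>
#include <iostream>
#include <string>

// Assumed to mirror MQ_CERT_LABEL_LENGTH from cmqc.h; defined locally so the
// example compiles without the MQ client SDK.
static const size_t kCertLabelLength = 64;

// Lower-case a string, as the answer says the label must be "all in lowercase".
static std::string toLower(std::string s) {
    std::transform(s.begin(), s.end(), s.begin(),
                   [](unsigned char c) { return static_cast<char>(std::tolower(c)); });
    return s;
}

// Default label an MQI client looks for: "ibmwebspheremq" + lowercase user name.
std::string defaultCertLabel(const std::string& userName) {
    return "ibmwebspheremq" + toLower(userName);
}

// Returns an empty string when the keystore label matches the default for the
// user, otherwise a short explanation of what is wrong with it.
std::string diagnoseLabel(const std::string& label, const std::string& userName) {
    const std::string expected = defaultCertLabel(userName);
    if (label == expected) return "";
    if (label != toLower(label))
        return "label is not all lowercase; expected " + expected;
    if (label.rfind("ibmwebspheremq", 0) != 0)
        return "label does not start with ibmwebspheremq; expected " + expected;
    return "label has the right prefix but the wrong user part; expected " + expected;
}

// MQ character fields are fixed length and space-padded, not NUL-terminated.
// Copies value into field, padding with blanks; false if it does not fit.
bool fillMqCharField(char* field, size_t fieldLen, const std::string& value) {
    if (value.size() > fieldLen) return false;
    std::memset(field, ' ', fieldLen);
    std::memcpy(field, value.data(), value.size());
    return true;
}

int main() {
    const std::string user = "bldaix02";            // user name from the question
    const std::string bad = "ibmwebspherebldaix02"; // keystore label from the question

    std::cout << "default label for " << user << ": " << defaultCertLabel(user) << "\n";
    std::cout << "check '" << bad << "': " << diagnoseLabel(bad, user) << "\n";

    // The same label as it would be placed in an MQSCO-style CertificateLabel field.
    char certLabel[kCertLabelLength];
    if (fillMqCharField(certLabel, kCertLabelLength, defaultCertLabel(user)))
        std::cout << "padded field: [" << std::string(certLabel, kCertLabelLength) << "]\n";
    return 0;
}
```

Running it against the values from the question reports that ibmwebspherebldaix02 does not start with ibmwebspheremq and that ibmwebspheremqbldaix02 is the label to use, which is the rename the asker applied; the padding helper is what you would reach for when choosing option 3.2 (setting the label in the MQSCO) instead of renaming the certificate.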