Unable to connect to MQ Channel when SSL Key is enable

Faby.tp
Posted: Tue May 10, 2011 3:06 am

Novice

Joined: 05 May 2011
Posts: 13

I am unable to get MQ Channel connectivity when SSL key is enabled at MQ server end. But application is working fine when SSL key is disabled at MQ Server end. Version of MQ Server is 6 and MQ Client is WMQ v 7.0.1.4
Application is written in C#.

Code part is given below:

Code:
XMSFactoryFactory factoryFactory = XMSFactoryFactory.GetInstance(XMSC.CT_WMQ);

IConnectionFactory cf = factoryFactory.CreateConnectionFactory();
cf.SetStringProperty(XMSC.WMQ_HOST_NAME,WMQHostname);
cf.SetIntProperty(XMSC.WMQ_PORT, WMQPort);
cf.SetStringProperty(XMSC.WMQ_CHANNEL, WMQChannel);
cf.SetIntProperty(XMSC.WMQ_CONNECTION_MODE,XMSC.WMQ_CM_CLIENT);
cf.SetStringProperty(XMSC.WMQ_QUEUE_MANAGER, QueueManager);
cf.SetIntProperty(XMSC.WMQ_BROKER_VERSION,0);
cf.SetStringProperty(XMSC.WMQ_BROKER_PUBQ, null);

if (!SSL_Enabled)
{
    cf.SetStringProperty(XMSC.WPM_PROVIDER_ENDPOINTS,"localhost:7276:BootstrapBasicMessaging" );
    cf.SetStringProperty(XMSC.WPM_TARGET_TRANSPORT_CHAIN, "InboundBasicMessaging");
}
else
{
    cf.SetStringProperty(XMSC.WPM_PROVIDER_ENDPOINTS,"localhost:7286:BootstrapSecureMessaging");
    cf.SetStringProperty(XMSC.WPM_TARGET_TRANSPORT_CHAIN,"InboundSecureMessaging");

    cf.SetStringProperty(XMSC.WPM_SSL_KEY_REPOSITORY, "C:\\SSLKEY\\key.kdb");
    cf.SetStringProperty(XMSC.WPM_SSL_KEYRING_STASH_FILE, "C:\\SSLKEY\\key.sth");
    cf.SetStringProperty(XMSC.WPM_SSL_CIPHER_SUITE, "SSL_RSA_WITH_3DES_EDE_CBC_SHA");
    cf.SetStringProperty(XMSC.WPM_SSL_KEYRING_PW, Password);
}

IConnection connection = cf.CreateConnection(null, null);


//Here, WMQHostname, WMQPort, WMQChannel, QueueManager, SSL_Enabled, Password are the variables used.

I get the error code 2059 when SSL Key is enabled.

Is there any issue with my code? Please guide me...
exerk
Posted: Tue May 10, 2011 3:43 am

Jedi Council

Joined: 02 Nov 2006
Posts: 6339

Does the client certificate label match the required construction, i.e. ibmwebspheremqmyclient, where myclient is the name of the user under which the application is running? Is that the correct key store type bearing in mind that XMS is a non-Java implementation of the Java Message Service? Hopefully someone will be along soon that can put us both right.
_________________
It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys.
Faby.tp
Posted: Tue May 10, 2011 4:32 am

Novice

Joined: 05 May 2011
Posts: 13

Yes. Key store file is correct. We received four files.
1. .crl (Certificate revocation list),
2. .kdb (used for XMSC.WPM_SSL_KEY_REPOSITORY)
3. .rdb (Not used)
4. .sth (used for XMSC.WPM_SSL_KEYRING_STASH_FILE)

We received these files after informing the userid under which the application is running.
mqjeff
Posted: Tue May 10, 2011 4:47 am

Grand Master

Joined: 25 Jun 2008
Posts: 17447

Take a client side trace.
Faby.tp
Posted: Tue May 10, 2011 4:50 am

Novice

Joined: 05 May 2011
Posts: 13

What do you mean by client side trace?
exerk
Posted: Tue May 10, 2011 4:52 am

Jedi Council

Joined: 02 Nov 2006
Posts: 6339

The manual (Info Centre) will explain. Also, what is the answer to my question in regard to the client certificate label?
mvic
Posted: Tue May 10, 2011 5:01 am

Jedi

Joined: 09 Mar 2004
Posts: 2080

I think you shouldn't be using constants that begin WPM_*. I'd expect you to need to use constants beginning WMQ_* as indeed you've done elsewhere in your sample.

I downloaded the documentation for IA9H (in PDF in a zip file, not searchable via Google, unfortunately) and it looks like the properties you really need are those named XMSC_WMQ_SSL_*.

HOWEVER, when I go to look at the description of XMSC_WMQ_SSL_KEY_REPOSITORY it also says:

"For .NET only: managed connections to WMQ (WMQ_CM_CLIENT) will not support SSL connections, but these might be supported by using an unmanaged connection (WMQ_CM_CLIENT_UNMANAGED). Refer to the WebSphere MQ Using .NET manual for accurate information."
Faby.tp
Posted: Tue May 10, 2011 5:03 am

Novice

Joined: 05 May 2011
Posts: 13

Yes. The client certificate label should match because we got 4 files after informing the userid under which the application is running.
Is there any method to find myclient related to these files from our end?
If there is, please let me know so that we can check it.
exerk
Posted: Tue May 10, 2011 5:17 am

Jedi Council

Joined: 02 Nov 2006
Posts: 6339

Faby.tp wrote:
Yes. The client certificate label should match because we got 4 files after informing the userid under which the application is running.
Is there any method to find myclient related to these files from our end?
If there is, please let me know so that we can check it.

There is a world of difference between key stores file names and the label of a client certificate within a key store, e.g. WMQCLIENTKEYS.kdb may contain a number of client certificates: ibmwebspheremqabcd1234, ibmwebspheremqdbuser01 etc. It may be that the key stores bear the same name as the label and you have obfuscated the names for security/confidentiality purposes, but that is not clear from your posts. Interrogate the key store to determine the client certificate label name, check the part after webspheremq matches the user under which the client runs.
Faby.tp
Posted: Tue May 10, 2011 5:25 am

Novice

Joined: 05 May 2011
Posts: 13

I have changed Connection mode from XMSC.WMQ_CM_CLIENT to XMSC.WMQ_CM_CLIENT_UNMANAGED

Now the error code changed to 2393, i.e. MQRC_SSL_INITIALIZATION_ERROR

Now what correction do I have to do?
exerk
Posted: Tue May 10, 2011 5:27 am

Jedi Council

Joined: 02 Nov 2006
Posts: 6339

Faby.tp wrote:
I have changed Connection mode from XMSC.WMQ_CM_CLIENT to XMSC.WMQ_CM_CLIENT_UNMANAGED

Now the error code changed to 2393, i.e. MQRC_SSL_INITIALIZATION_ERROR

Now what correction do I have to do?

You could start by answering my questions
Faby.tp
Posted: Tue May 10, 2011 5:51 am

Novice

Joined: 05 May 2011
Posts: 13

Can you please explain how to do "Interrogate the key store"?
exerk
Posted: Tue May 10, 2011 5:59 am

Jedi Council

Joined: 02 Nov 2006
Posts: 6339

Faby.tp wrote:
Can you please explain how to do "Interrogate the key store"?

Using either command-line (IBM GSKit commands) or use the 'IBM Key Management' GUI as you are on Windows. If you do not know how to use either of these please read the manual as I am not going to read it for you. Use either method to find the client certificate within the key store file (hint if using the GUI: it's not going to be in the certificate requests or CA certificates tabs) and view its label.
mvic
Posted: Tue May 10, 2011 6:12 am

Jedi

Joined: 09 Mar 2004
Posts: 2080

Faby.tp wrote:
I have changed Connection mode from XMSC.WMQ_CM_CLIENT to XMSC.WMQ_CM_CLIENT_UNMANAGED

Now the error code changed to 2393, i.e. MQRC_SSL_INITIALIZATION_ERROR

Now what correction do I have to do?

I would make sure all WPM_ constants are removed, for a start.

Then, search the MQ information center for 2393, and spend up to a day looking at all the possibilities.

Hint: XMS has to call into MQ. So, check the authoritative information in the MQ information center. For example I think the name you give for ssl key repository should be without the .kdb extension: eg. http://publib.boulder.ibm.com/infocenter/wmqv7/v7r0/topic/com.ibm.mq.csqzak.doc/fr15210_.htm

exerk: I think Faby.tp was responding to my suggestions, not yours, in one of the posts above.
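
Added example, not part of the thread and not IBM code: a preflight check that combines exerk's point about the certificate label with mvic's hint about the key repository name. The function names and the sample user ID are hypothetical; the labels have to be read from the key store with the IBM Key Management GUI or GSKit first, since the script does not parse the .kdb file.

```python
import ntpath  # Windows path rules on any OS; the thread's paths are C:\...

LABEL_PREFIX = "ibmwebspheremq"  # label construction quoted by exerk

def expected_label(user_id):
    # IBM documents the client label as the prefix plus the logon
    # user ID folded to lower case.
    return LABEL_PREFIX + user_id.lower()

def repository_stem(setting):
    # MQ expects path + stem and appends .kdb itself (mvic's hint).
    root, ext = ntpath.splitext(setting)
    return root if ext.lower() == ".kdb" else setting

def preflight(user_id, key_repository, labels, files_present):
    """Return findings; an empty list means these checks passed.

    labels: personal certificate labels read from the key store with
            the IBM Key Management GUI or GSKit (not parsed here).
    files_present: file names in the key store directory.
    """
    findings = []
    stem = repository_stem(key_repository)
    if stem != key_repository:
        findings.append("give key repository without .kdb: " + stem)
    base = ntpath.basename(stem).lower()
    present = {name.lower() for name in files_present}
    for ext in (".kdb", ".sth"):  # stash file must share the stem
        if base + ext not in present:
            findings.append("missing file: " + base + ext)
    want = expected_label(user_id)
    if want not in labels:
        near = [l for l in labels if l.lower() == want]
        if near:
            findings.append("label case mismatch: %s vs %s" % (near[0], want))
        else:
            findings.append("no label %s in key store" % want)
    return findings

# Constructed sample: paths from the original post, labels modelled on
# exerk's examples, user ID invented for illustration.
SAMPLE = preflight("DBUser01", "C:\\SSLKEY\\key.kdb",
                   ["ibmwebspheremqabcd1234", "ibmwebspheremqDBUser01"],
                   ["key.crl", "key.kdb", "key.rdb", "key.sth"])

if __name__ == "__main__":
    for finding in SAMPLE:
        print(finding)
```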