MQSeries.net Forum Index » General IBM MQ Support » Problem with SSL config for .net MQ client to MQ v6

simon
Posted: Thu Aug 13, 2009 3:03 am    Post subject: Problem with SSL config for .net MQ client to MQ v6

Hi,
I have had a look through your site searching for what I hoped would be the solution to my problem. Alas, no, so I thought I would try my own topic.
I'm trying to connect to a remote MQ v6 using a .NET client v2.0 using SSL. I can get it all working without the SSL, but once I turn it on I keep getting errors about not providing the SSL for the channel I'm trying to get to. I have been provided with apparently all the information that the team running the MQ thinks I need: (queuemanagername).kdb, (queuemanagername).sth and, for some reason, (channelname).jks, which is a Java file that .NET does not use. I'm using the MQEnvironment class to connect to MQ. After some initial problems with peer name and distinguished name, I'm now stuck on an error:
AMQ9642. I'm assuming that I need to somehow provide the details that are stored in the .jks file to the .NET environment, but I have no idea how, and the bods that are running the server are not very helpful as they just use Java.
Any ideas???
jlamond
Posted: Thu Aug 13, 2009 3:59 am

Hi,

First, did you insert your own certificate in your SSL key store? Your own certificate requires a label of "ibmwebspheremq<YourUserId>", where <YourUserId> is your current session user ID or the user ID of the person starting your program.

Next, have you read this portion of the documentation:

Secure Sockets Layer (SSL) support

The following section does not apply to the fully-managed client.

WebSphere MQ classes for .NET client applications support Secure Sockets Layer (SSL) encryption. SSL provides communication encryption, authentication, and message integrity. It is typically used to secure communications between any two peers on the Internet or within an intranet.

Enabling SSL

SSL is supported only for client connections. To enable SSL, you must specify the CipherSpec to use when communicating with the queue manager, and this must match the CipherSpec set on the target channel.

To enable SSL, specify the CipherSpec using the SSLCipherSpec static member variable of MQEnvironment. The following example attaches to a SVRCONN channel named SECURE.SVRCONN.CHANNEL, which has been set up to require SSL with a CipherSpec of NULL_MD5:

using IBM.WMQ;

MQEnvironment.Hostname = "your_hostname";
MQEnvironment.Channel = "SECURE.SVRCONN.CHANNEL";
MQEnvironment.SSLCipherSpec = "NULL_MD5";          // must match SSLCIPH on the SVRCONN channel
MQEnvironment.SSLKeyRepository = @"C:\mqm\key";     // path and file stem of key.kdb / key.sth, without the extension
MQQueueManager qmgr = new MQQueueManager("your_Q_manager");

The SSLCipherSpec property can also be set using the MQC.SSL_CIPHER_SPEC_PROPERTY in the hash table of connection properties.

To successfully connect using SSL, the client key store must be set up with the Certificate Authority root certificate chain from which the certificate presented by the queue manager can be authenticated. Similarly, if SSLClientAuth on the SVRCONN channel has been set to MQSSL_CLIENT_AUTH_REQUIRED, the client key store must contain an identifying personal certificate that is trusted by the queue manager.

Also, the .NET client for MQSeries has limited support for CipherSpecs. You should review this in Appendix A of the Using .NET manual.

Good luck,

Jean-Marc
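Putting the points above together in one program, as an added example (this is not code from the thread or from IBM's manual): it sets the key repository as path plus file stem, pins the CipherSpec to the channel's SSLCIPH and the queue manager's certificate DN, and translates the MQ reason codes an SSL failure typically surfaces. The host mqhost, port 1414, queue manager QM1, the CipherSpec TLS_RSA_WITH_AES_128_CBC_SHA, the key database path C:\mqm\ssl\client.kdb and the DN "CN=QM1, O=Example Ltd" are all assumptions.

```csharp
using System;
using IBM.WMQ;

// Added example, not code from the original thread or from IBM's manual.
// Assumed names: queue manager QM1 reachable at mqhost:1414 over SVRCONN
// channel SECURE.SVRCONN.CHANNEL defined with
// SSLCIPH(TLS_RSA_WITH_AES_128_CBC_SHA) and SSLCAUTH(REQUIRED); the client
// key database is C:\mqm\ssl\client.kdb with its password stashed in
// client.sth. The queue manager certificate is assumed to carry the DN
// CN=QM1, O=Example Ltd.
public static class MqSslClient
{
    // Reason codes from cmqc.h that an SSL misconfiguration typically produces.
    private const int MQRC_NOT_AUTHORIZED           = 2035;
    private const int MQRC_Q_MGR_NOT_AVAILABLE      = 2059;
    private const int MQRC_SSL_CONFIG_ERROR         = 2392;
    private const int MQRC_SSL_INITIALIZATION_ERROR = 2393;
    private const int MQRC_SSL_PEER_NAME_MISMATCH   = 2398;
    private const int MQRC_HOST_NOT_AVAILABLE       = 2538;

    public static void ConfigureEnvironment()
    {
        MQEnvironment.Hostname = "mqhost";
        MQEnvironment.Port = 1414;
        MQEnvironment.Channel = "SECURE.SVRCONN.CHANNEL";

        // Must equal the channel's SSLCIPH exactly. NULL_MD5 from the manual's
        // snippet provides no encryption, so it is not used here.
        MQEnvironment.SSLCipherSpec = "TLS_RSA_WITH_AES_128_CBC_SHA";

        // Path and file stem only: the client appends .kdb and .sth itself.
        // This is the same value the MQSSLKEYR environment variable would carry.
        MQEnvironment.SSLKeyRepository = @"C:\mqm\ssl\client";

        // Pin the queue manager's certificate DN, so a certificate for some other
        // subject issued by the same CA is rejected (the client-side mirror of SSLPEER).
        MQEnvironment.SSLPeerName = "CN=QM1, O=Example Ltd";
    }

    // Turn the reason code into the next thing to check.
    public static string Explain(int reasonCode)
    {
        switch (reasonCode)
        {
            case MQRC_SSL_INITIALIZATION_ERROR:
                return "SSL handshake failed: read AMQERR01.LOG on the client for the AMQ9xxx code. "
                     + "AMQ9642 means no certificate was supplied for the channel, i.e. the key "
                     + "repository holds no personal certificate labelled ibmwebspheremq<userid>.";
            case MQRC_SSL_CONFIG_ERROR:
                return "SSLCipherSpec or SSLKeyRepository is malformed, or the CipherSpec is not supported by this client.";
            case MQRC_SSL_PEER_NAME_MISMATCH:
                return "The queue manager's certificate DN does not match SSLPeerName.";
            case MQRC_NOT_AUTHORIZED:
                return "Handshake completed; the user id (or MCAUSER) lacks authority on the queue manager.";
            case MQRC_Q_MGR_NOT_AVAILABLE:
            case MQRC_HOST_NOT_AVAILABLE:
                return "Listener not reachable: check host, port and channel name before looking at SSL.";
            default:
                return "MQ reason code " + reasonCode;
        }
    }

    public static int Main()
    {
        ConfigureEnvironment();
        MQQueueManager qmgr = null;
        try
        {
            qmgr = new MQQueueManager("QM1");
            Console.WriteLine("Connected to QM1 over " + MQEnvironment.SSLCipherSpec);
            return 0;
        }
        catch (MQException e)
        {
            Console.Error.WriteLine("MQException CompCode=" + e.CompletionCode + " Reason=" + e.ReasonCode);
            Console.Error.WriteLine(Explain(e.ReasonCode));
            return 1;
        }
        finally
        {
            if (qmgr != null && qmgr.IsConnected) qmgr.Disconnect();
        }
    }
}
```

If SSLKeyRepository is left unset, the client falls back to the MQSSLKEYR environment variable, which takes the same form: directory plus file stem, with no .kdb suffix. The same CipherSpec, key repository and peer name can also be passed as MQC.SSL_CIPHER_SPEC_PROPERTY and related entries in the connection-properties Hashtable mentioned in the manual excerpt.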
simon
Posted: Thu Aug 13, 2009 4:45 am

You'll have to forgive me if some of the following questions seem dumb, but what files do I need to do this with? Basically, all I have been provided with from the MQ team is (queuemanager).kdb/.sth and channel.jks.

And do I need to insert the "ibmwebspheremq<YourUserId>" into the key store? Can I not just use files on the file system? If not, who/how do I generate these files?

Basically I'm not too hot on SSL and don't really know what I'm doing bar what the MQ team have told me they did with their JKS file.


Quote:
To successfully connect using SSL, the client key store must be set up with the Certificate Authority root certificate chain from which the certificate presented by the queue manager can be authenticated. Similarly, if SSLClientAuth on the SVRCONN channel has been set to MQSSL_CLIENT_AUTH_REQUIRED, the client key store must contain an identifying personal certificate that is trusted by the queue manager


jlamond
Posted: Thu Aug 13, 2009 5:32 am

Indeed, you need to add your private certificate as well as the complete chain of certificate authority certificates (CA certificates) from the other end of the connection (the queue manager's CA certificates). On the queue manager side, they will have to add your complete chain of CA certificates if they have been issued by a different CA.

Your MQSeries team should know about these things.

There is a utility program (gsk7capicmd, or gsk7ikm) for managing certificate store contents that is shipped with MQSeries. Documentation is in the MQSeries Administration Guide.

You only need the .kdb and .sth files, and hopefully the password of the .kdb file has been stashed into the .sth file! You don't need the Java stuff.

You may use the environment variable MQSSLKEYR to set up the path and .kdb file. Don't forget to NOT add the .kdb part.

EX: SET MQSSLKEYR=D:\MYSSLSTORE\MYQMGR.kdb for Windows or
export MQSSLKEYR=/MYSSLSTORE/MYQMGR.kdb

The .kdb filename is up to you.

You should have a quick look at the WebSphere MQ System Administration Guide Version 6.0, chapter 18. This may help you to look at the SSL key store file.

Also, you should ask your MQ team to ALTER the SSLCAUTH attribute from REQUIRED to OPTIONAL on the SVRCONN channel definition that you use and do a test. They must leave SSLCIPH with the current setting, and be sure to add exactly the corresponding SSLCIPH value to your MQChannelDefinition.SSLCipherSpec and/or MQEnvironment.SSLCipherSpec.

Good luck,

Jean-Marc
simon
Posted: Thu Aug 13, 2009 5:50 am

By the sounds of it I don't have half the stuff I need to be able to make this even remotely work... ahhhhhh, and the remote MQ has not been set up correctly either, as all that has been done on there is setting the SSL path, CipherSpec, distinguished name and the MCA user ID.

No mention anywhere of the CA certificates.

I have used the key man tool to look at the certificates and play around with them, but like I say I have only got the 3 files. Just so that I know, what file types should I be asking them for, or is that all mentioned in the docs?


jlamond
Posted: Thu Aug 13, 2009 6:00 am

So you do have certificates in your local certificate store (the file ending with .kdb).

Did you use the graphical interface? If so, you should have noticed 3 sections. One is for Certificate Authority certificates, the next one is for personal certificates (this is where your private one should be stored), and the last one is for certificate requests (not relevant for what you are trying to do).

Can you cut and paste, and send me the label of each certificate you found in the CA section as well as the personal section?

Can you also provide me with the SSLCIPH value that they gave you?

Jean-Marc
simon
Posted: Thu Aug 13, 2009 6:18 am

The local certificate store? Do you mean the one you access from Internet Explorer, or somewhere else? As IE won't import the .kdb file.

The version of MQ I have installed is a very lightweight version with very little bar the DLLs installed.

So I need to install a private certificate. Is that for every user that will be using this, or just the user that's specified in the MCA user field on the remote server, where I then use the same ID in MQEnvironment.UserId on the client?

(queuemanagername).kdb, all in lower case; same for the .sth file.

In the key man tool I get personal, signer and personal certificate request.

In the personal certificates of the *.kdb file I get one entry:
ibmwebspheremq(queuemanagername), all in lower case


jlamond
Posted: Thu Aug 13, 2009 6:36 am

Good start!

First, SIGNER means CA certificates and personal means all personal certificates (the one you use).

So now I don't know why your MQ team has provided you with a certificate with a label of your queue manager. This is the correct way only when the certificate is placed in the key store associated with the queue manager. This is NOT YOUR CASE. In your case, the SSL MQ code is looking for a certificate with a label of "ibmwebspheremq<youruserid>".

Now this can be fixed by exporting in PKCS12 format and then deleting the certificate, and finally re-importing it but with a new label. This can be done with ikeyman.

The user ID must be the one associated with your running process. For example, if your program will be started as a Microsoft Windows service, you will have to provide a user ID to the service and make sure that you have a certificate with a label of ibmwebspheremq<windowsserviceuserid>. Does this sound clearer to you?

Certificate store, key store, SSL key store all mean your (queuemanager).kdb file.

ikeyman can be used to import/export signer and personal certificates and also to create certificate requests.

MCAUSER has nothing to do with the certificate. It simply means that anyone using your program will run at the QM level with the MCAUSER authority.

The SSL handshaking will never work until you change the certificate label.

Hope this will help you a bit.

Jean-Marc
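A pre-flight check for the label rule in the post above, and for the empty signer section simon reported, as an added example: this C# is not from the thread, from IBM or from the GSKit tools. It assumes a certificate listing with one certificate per line, a marker ('-' personal, '!' signer, '*' default) followed by a tab and the label; the sample listing, the Windows account CORP\simon and the queue manager name MYQMGR are constructed for the example.

```csharp
using System;
using System.Collections.Generic;
using System.Text.RegularExpressions;

// Added example; not code from the thread, from IBM, or from ikeyman/gsk7capicmd.
// Applies the label rule from the post above to a key database listing: the
// client must hold a personal certificate labelled ibmwebspheremq<userid>
// (lower case) for the account that runs the process, and at least one signer
// certificate so the queue manager's certificate can be validated.
// The listing format (marker, tab, label) is an assumption made for the example.
public static class KeyStoreLabelCheck
{
    public sealed class Report
    {
        public string ExpectedLabel;
        public List<string> PersonalLabels = new List<string>();
        public List<string> SignerLabels = new List<string>();
        public bool HasClientCert;
        public bool HasSigners;
        public string WrongPartyLabel;   // personal cert labelled for the queue manager instead
    }

    // MQ lower-cases the user id and prepends "ibmwebspheremq". A DOMAIN\ prefix
    // is stripped so a Windows service account resolves to its bare name.
    public static string ExpectedClientLabel(string userId)
    {
        int sep = userId.LastIndexOf('\\');
        string bare = sep >= 0 ? userId.Substring(sep + 1) : userId;
        return "ibmwebspheremq" + bare.ToLowerInvariant();
    }

    // Label a queue manager's own certificate must carry on distributed platforms.
    public static string ExpectedQueueManagerLabel(string qmName)
    {
        return "ibmwebspheremq" + qmName.ToLowerInvariant();
    }

    // Parse "<marker><tab><label>" lines; '!' is a signer, '-' and '*' are personal.
    public static Report Check(string listing, string userId, string qmName)
    {
        var r = new Report { ExpectedLabel = ExpectedClientLabel(userId) };
        var entry = new Regex(@"^([-!*])\t(.+?)\s*$");
        foreach (string raw in listing.Split('\n'))
        {
            Match m = entry.Match(raw);
            if (!m.Success) continue;
            string marker = m.Groups[1].Value, label = m.Groups[2].Value;
            if (marker == "!") r.SignerLabels.Add(label);
            else r.PersonalLabels.Add(label);
        }
        r.HasClientCert = r.PersonalLabels.Contains(r.ExpectedLabel);
        r.HasSigners = r.SignerLabels.Count > 0;
        string qmLabel = ExpectedQueueManagerLabel(qmName);
        if (!r.HasClientCert && r.PersonalLabels.Contains(qmLabel))
            r.WrongPartyLabel = qmLabel;
        return r;
    }

    public static void Main()
    {
        // Constructed listing matching what simon described: one personal entry
        // labelled for the queue manager and nothing in the signer section.
        string listing =
            "Certificates found\n" +
            "* default, - personal, ! trusted\n" +
            "-\tibmwebspheremqmyqmgr\n";

        Report r = Check(listing, @"CORP\simon", "MYQMGR");
        Console.WriteLine("Expected client label: " + r.ExpectedLabel);
        Console.WriteLine("Client cert present  : " + r.HasClientCert);
        Console.WriteLine("Signer certs present : " + r.HasSigners);
        if (r.WrongPartyLabel != null)
            Console.WriteLine("The only personal certificate is labelled for the queue manager ("
                              + r.WrongPartyLabel + "): relabel it for the client user, or obtain a client certificate.");
        if (!r.HasSigners)
            Console.WriteLine("No signer (CA) certificates: the queue manager's certificate cannot be validated.");
    }
}
```

For the constructed listing the check reports the expected label ibmwebspheremqsimon as missing, flags ibmwebspheremqmyqmgr as a certificate labelled for the wrong party, and notes that no signer certificate is present. Run it against the real listing of your .kdb (personal and signer sections) under the account that will start the service, since that account's name, not the MCAUSER, is what the label must match.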
jlamond
Posted: Thu Aug 13, 2009 6:46 am

I forgot to tell you that looking at the MQSeries errors subdirectory is a great source of diagnostics. Look at the AMQERR01.LOG file.
exerk
Posted: Thu Aug 13, 2009 6:47 am

jlamond wrote:
...So now I don't know why your MQ team has provided you with a certificate with a label of your queue manager...


Because it may be self-signed.
simon
Posted: Thu Aug 13, 2009 6:49 am

It sounds clear, but also more worrying. Does this mean that if I, say, have 10 different Windows services connecting to the same MQ SSL channel I would need to generate the key with those user IDs in it? As this is dev, I will then need to get this whole process redone when I go to production, where I can control the names of the users that are running the services...
jlamond
Posted: Thu Aug 13, 2009 6:50 am

A self-signed certificate has nothing to do with the label! It simply does not require the presence of a signer certificate.

A WebSphere MQ server needs a certificate with a label of the form:

ibmwebspheremq<QMName> for distributed platforms
IbmWebSphereMQ<QMName> for z/OS

ibmwebspheremq<Userid> for client connections.

Jean-Marc
jlamond
Posted: Thu Aug 13, 2009 6:54 am

I don't know if you can use a default certificate with .NET.

Look at this URL; the answer is there:

http://www-01.ibm.com/support/docview.wss?rs=171&context=SSFKSJ&context=SSEP7X&q1=default+certificate&uid=swg21245474&loc=en_US&cs=utf-8&lang=en

Jean-Marc
simon
Posted: Thu Aug 13, 2009 6:55 am

jlamond wrote:
I forgot to tell you that looking at the MQSeries errors subdirectory is a great source of diagnostics. Look at the AMQERR01.LOG file.


On the Windows client that I'm using I get the AMQ9642 error number in the log file.
exerk
Posted: Thu Aug 13, 2009 7:00 am

jlamond wrote:
A self-signed certificate has nothing to do with the label! It simply does not require the presence of a signer certificate.

A WebSphere MQ server needs a certificate with a label of the form:

ibmwebspheremq<QMName> for distributed platforms
IbmWebSphereMQ<QMName> for z/OS

ibmwebspheremq<Userid> for client connections.

Jean-Marc


Yes, true, but when you use iKeyman to create a self-signed certificate and give it a label name of ibmwebspheremqmyqmgr (for example), then use iKeyman to import it into another key store, it uses that label name as the default 'title' of the certificate; hence my statement that it may be self-signed.
Page 1 of 2