MQSeries.net Forum Index » IBM MQ Security » SSL and .Net Problems

SSL and .Net Problems
ninjaprogrammer
PostPosted: Tue Mar 01, 2011 6:45 am    Post subject: SSL and .Net Problems

Novice

Joined: 01 Mar 2011
Posts: 10

Afternoon.
I'm having a connection problem when I'm trying to set up a connection to an MQ V6 queue manager from a .NET client using the IBM.XMS namespace.

I'm setting up the connection like this:

Code:
// Obtain the factory for the WebSphere MQ transport and create a connection factory
XMSFactoryFactory ff = XMSFactoryFactory.GetInstance(XMSC.CT_WMQ);
IConnectionFactory cf = ff.CreateConnectionFactory();

// Queue manager, unmanaged client mode and connection details
cf.SetStringProperty(XMSC.WMQ_QUEUE_MANAGER, "QM1");
cf.SetIntProperty(XMSC.WMQ_CONNECTION_MODE, XMSC.WMQ_CM_CLIENT_UNMANAGED);
cf.SetIntProperty(XMSC.WMQ_PORT, 11433);
cf.SetStringProperty(XMSC.WMQ_CHANNEL, "LIVE.SVRCONN");
cf.SetStringProperty(XMSC.WMQ_HOSTNAME, "LiveSERVER");

// SSL settings: cipher spec, key repository (stem name of the .kdb, backslashes escaped) and peer name
cf.SetStringProperty(XMSC.WMQ_SSL_CIPHER_SPEC, "NULL_SHA");
cf.SetStringProperty(XMSC.WMQ_SSL_KEY_REPOSITORY, "C:\\keys\\QM1");
cf.SetStringProperty(XMSC.WMQ_SSL_PEER_NAME, "QM1");

IConnection ic = cf.CreateConnection();

When I call cf.CreateConnection I get an error 2393 as an exception in .NET and an AMQ9646 in the error log on the client server...
But I don't understand why this is causing a problem, as this is a rework of existing code that I have working in the old version 6 of the code.

Any ideas?
Am I missing something?
ninjaprogrammer
PostPosted: Tue Mar 01, 2011 8:32 am    Post subject:

Novice

Joined: 01 Mar 2011
Posts: 10

Don't know if this will be a light bulb moment for anyone, but from what I can see this is being caused by my app being unable to contact the LDAP CRL to check if the certificate is valid. However this can be done. Does anyone know how to disable the checking of the CRL?
bruce2359
PostPosted: Tue Mar 01, 2011 9:01 am    Post subject:

Poobah

Joined: 05 Jan 2008
Posts: 9400
Location: US: west coast, almost. Otherwise, enroute.

You want to use SSL, but ignore certificate revocations?
_________________
I like deadlines. I like to wave as they pass by.
ב''ה
Lex Orandi, Lex Credendi, Lex Vivendi. As we Worship, So we Believe, So we Live.
exerk
PostPosted: Tue Mar 01, 2011 11:21 am    Post subject:

Jedi Council

Joined: 02 Nov 2006
Posts: 6339

Which version of WMQ are you using for the client side? This question is pertinent because the latest version of WMQ is OCSP aware (Google OCSP if you don't know what it means). I ask because you state, "... this is a rework of existing code that I have working in the old version 6 of the code...".

I find this a bit worrying:

Code:
f.SetStringProperty(XMSC.WMQ_SSL_KEY_REPOSITORY,"C:\\keys\QM1")

Because that implies that your client is on the same server as the queue manager, and the client certificate is in the same key store as that of the queue manager certificate - potentially fatal should the service ever move, and hardly decoupling the client from the server.

Another question, is this a typo: IConnectionFactory cf = ff.CreateCnnectionFactry(); ? I've only ever set up an unmanaged DotNet client using a CCDT, so the answer to the question will be adding to my knowledge base.
_________________
It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys.
exerk
PostPosted: Tue Mar 01, 2011 11:23 am    Post subject:

Jedi Council

Joined: 02 Nov 2006
Posts: 6339

bruce2359 wrote:
You want to use SSL, but ignore certificate revocations?


Not necessarily an issue if an 'internal' CA is used?
_________________
It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys.
ninjaprogrammer
PostPosted: Wed Mar 02, 2011 12:37 am    Post subject:

Novice

Joined: 01 Mar 2011
Posts: 10

Sorry, was typing from one machine to another. It's using the correct certificate, as it was one I used in the old program that I wrote using the older amqmdnet.dll.

exerk wrote:
Which version of WMQ are you using for the client side? This question is pertinent because the latest version of WMQ is OCSP aware (Google OCSP if you don't know what it means). I ask because you state, "... this is a rework of existing code that I have working in the old version 6 of the code...".

I find this a bit worrying:

Code:
f.SetStringProperty(XMSC.WMQ_SSL_KEY_REPOSITORY,"C:\\keys\QM1")

Because that implies that your client is on the same server as the queue manager, and the client certificate is in the same key store as that of the queue manager certificate - potentially fatal should the service ever move, and hardly decoupling the client from the server.

Another question, is this a typo: IConnectionFactory cf = ff.CreateCnnectionFactry(); ? I've only ever set up an unmanaged DotNet client using a CCDT, so the answer to the question will be adding to my knowledge base :D


Now we are being asked to use the latest version of the client tools, V7,
but to still create an SSL connection to a V6 queue manager.
ninjaprogrammer
PostPosted: Wed Mar 02, 2011 12:41 am    Post subject:

Novice

Joined: 01 Mar 2011
Posts: 10

bruce2359 wrote:
You want to use SSL, but ignore certificate revocations?


How do you set it to do that is what I'm really after.
As when I was using the version 6 DLL it all worked OK; now it's not, as in version 7 it's trying to do the CRL, which isn't really an option.
exerk
PostPosted: Wed Mar 02, 2011 1:13 am    Post subject:

Jedi Council

Joined: 02 Nov 2006
Posts: 6339

Well, you answered the question of what version you were using on the client side, but not one of the others, so I'll ask again: is the client certificate also held in the queue manager key store (f.SetStringProperty(XMSC.WMQ_SSL_KEY_REPOSITORY,"C:\\keys\QM1")) or is that just how you've named the client key store?

And to reiterate, if you have recompiled your application against the WMQ V7.0 libraries, and your certificates (both client and queue manager) contain OCSP extensions, and the client cannot find a path to an OCSP server, you will get a failure because the default setting for OCSP in WMQ V7.0 is REQUIRED.

Also, you might wish to investigate the use of a CCDT as you are using an unmanaged client and therefore abstract a large part of the hard-coded information.
_________________
It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys.
ninjaprogrammer
PostPosted: Wed Mar 02, 2011 1:29 am    Post subject:

Novice

Joined: 01 Mar 2011
Posts: 10

exerk wrote:
Well, you answered the question of what version you were using on the client side, but not one of the others so I'll ask again: is the client certificate also held in the queue manager key store (f.SetStringProperty(XMSC.WMQ_SSL_KEY_REPOSITORY,"C:\\keys\QM1") or is that just how you've named the client key store?


Just the way I named it for the type-up on this.


exerk wrote:

And to reiterate, if you have recompiled your application against the WMQ V7.0 libraries, and your certificates (both client and queue manager) contains OCSP extensions, and the client cannot find a path to an OCSP server, you will get a failure because the default setting for OCSP in WMQ V7.0 is REQUIRED.


The certificates were generated on a V6 queue manager by a 3rd party. How can I check if they have these OCSP extensions?

I used the example in the client tools install to recode a test app to use them, but still function the same as the old app.

Is there no way to turn this off?


exerk wrote:

Also, you might wish to investigate the use of a CCDT as you are using an unmanaged client and therefore abstract a large part of the hard-coded information.

Where would I find an example of this?
exerk
PostPosted: Wed Mar 02, 2011 1:35 am    Post subject:

Jedi Council

Joined: 02 Nov 2006
Posts: 6339

Examine the certificates using the GSKit (IBM Key Management) and look inside them. As regards the use of a CCDT, it's in the Info Centre, in the same place I looked. Make sure your client side is at FixPack 7.0.1.4.

EDIT: And of course the client-side error logs will tell you whether or not you are actually hitting an OCSP problem...
_________________
It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys.
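The inspection exerk describes (open the certificate and look inside it for OCSP or CRL pointers) can also be scripted, which makes it easier to tell "the client cannot reach the revocation source" apart from "the certificate has been revoked". The following is an added example, not code from this thread, from IBM or from the WMQ client; it uses only the .NET framework's own System.Security.Cryptography.X509Certificates classes, and assumes the client certificate has been exported from the key store to a file (the path is a placeholder). It reports the Authority Information Access (OCSP) and CRL Distribution Point extensions, then builds the chain twice, once with revocation checking disabled and once with online checking, so the status flags show which of the two failures the client machine is actually hitting.

```csharp
// Added example (not from the thread or from IBM): inspect a certificate for the
// extensions that drive revocation checking, then build its chain with and
// without online revocation checking. The certificate path is a placeholder.
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

static class CertRevocationInspector
{
    const string OidAuthorityInfoAccess = "1.3.6.1.5.5.7.1.1"; // AIA: OCSP responder / CA issuer URLs
    const string OidCrlDistributionPoints = "2.5.29.31";       // CRL DP: where the CRL is published

    static void Main(string[] args)
    {
        string path = args.Length > 0 ? args[0] : @"C:\keys\client-cert-PLACEHOLDER.cer";
        var cert = new X509Certificate2(path);

        Console.WriteLine("Subject: " + cert.Subject);
        Console.WriteLine("Issuer:  " + cert.Issuer);
        Console.WriteLine("Valid:   " + cert.NotBefore + " .. " + cert.NotAfter);

        bool hasAia = false, hasCrlDp = false;
        foreach (X509Extension ext in cert.Extensions)
        {
            if (ext.Oid.Value == OidAuthorityInfoAccess)
            {
                hasAia = true;
                // Format(true) renders the extension in readable form on Windows, including any OCSP URL.
                Console.WriteLine("AIA (OCSP) extension:\n" + ext.Format(true));
            }
            else if (ext.Oid.Value == OidCrlDistributionPoints)
            {
                hasCrlDp = true;
                Console.WriteLine("CRL distribution points:\n" + ext.Format(true));
            }
        }
        if (!hasAia && !hasCrlDp)
            Console.WriteLine("No AIA or CRL DP extension: the certificate carries no revocation pointers of its own.");

        // Build without revocation first: isolates trust and expiry problems from reachability problems.
        Report("Chain (revocation NoCheck)", BuildChain(cert, X509RevocationMode.NoCheck));
        // Then build with online checking, which is what a REQUIRED OCSP/CRL policy amounts to.
        Report("Chain (revocation Online)", BuildChain(cert, X509RevocationMode.Online));
    }

    static X509Chain BuildChain(X509Certificate2 cert, X509RevocationMode mode)
    {
        var chain = new X509Chain();
        chain.ChainPolicy.RevocationMode = mode;
        chain.ChainPolicy.RevocationFlag = X509RevocationFlag.EntireChain;
        chain.ChainPolicy.UrlRetrievalTimeout = TimeSpan.FromSeconds(15);
        chain.Build(cert); // result is reflected in chain.ChainStatus; empty means no problems
        return chain;
    }

    static void Report(string label, X509Chain chain)
    {
        Console.WriteLine(label + ": " + (chain.ChainStatus.Length == 0 ? "OK" : "problems"));
        foreach (X509ChainStatus s in chain.ChainStatus)
        {
            string hint = "";
            // RevocationStatusUnknown / OfflineRevocation mean the CRL or OCSP source could not be
            // consulted; Revoked means it was consulted and the certificate is genuinely bad.
            if ((s.Status & (X509ChainStatusFlags.RevocationStatusUnknown | X509ChainStatusFlags.OfflineRevocation)) != 0)
                hint = "  <- revocation source unreachable, not a revoked certificate";
            else if ((s.Status & X509ChainStatusFlags.Revoked) != 0)
                hint = "  <- certificate has actually been revoked";
            Console.WriteLine("  " + s.Status + ": " + s.StatusInformation + hint);
        }
    }
}
```

Run it on the client machine, not the queue manager host, because the point is whether that machine can reach the URLs named in the certificate. If the NoCheck build is clean and the Online build reports RevocationStatusUnknown or OfflineRevocation, the fix belongs in network reachability to the CRL/OCSP source (or in the certificate's extensions), not in switching the check off.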
ninjaprogrammer
PostPosted: Wed Mar 02, 2011 6:52 am    Post subject:

Novice

Joined: 01 Mar 2011
Posts: 10

The only error I'm getting in the client side logs is:
AMQ9464 Channel SUPPORT.SVRCONN could not connect to any LDAP CRL servers.