xmqymshr
Posted: Wed Jan 13, 2016 1:05 pm Post subject: mq client connection SSL enabled with .kdb
Novice
Joined: 13 Jan 2016 Posts: 14
I have a .NET MQ client trying to connect to an MQ server with SSL enabled. I have the certificate installed on the client machine. Below is the code I use to connect to the MQ server. I have created a key database file using ikeyman and added the private key and the root and intermediate certificates to the .kdb file.
Code:
// Connection properties for the managed .NET client (values masked with xxx)
Hashtable props = new Hashtable();
props.Add(MQC.HOST_NAME_PROPERTY, "xx.xx.xx.xxx");
props.Add(MQC.CHANNEL_PROPERTY, "xxx");
props.Add(MQC.PORT_PROPERTY, "xxx");            // PORT_PROPERTY expects an int, not a string
props.Add(MQC.TRANSPORT_PROPERTY, MQC.TRANSPORT_MQSERIES_MANAGED);
props.Add(MQC.CONNECT_OPTIONS_PROPERTY, MQC.MQCNO_RECONNECT_Q_MGR);
// Both a cipher suite and a cipher spec are set here, and they do not match
props.Add(MQC.SSL_CIPHER_SUITE_PROPERTY, "SSL_RSA_WITH_3DES_EDE_CBC_SHA");
props.Add(MQC.SSL_CERT_STORE_PROPERTY, "xxx\\xxx\\"); // path to the .kdb key repository
props.Add(MQC.SSL_CIPHER_SPEC_PROPERTY, "TLS_RSA_WITH_3DES_EDE_CBC_SHA");
qmanager = new MQQueueManager("xxx", props);
queue = qmanager.AccessQueue("xxx",
    MQC.MQOO_INPUT_AS_Q_DEF + MQC.MQOO_FAIL_IF_QUIESCING);
When it tries to connect to the queue manager the client throws an exception: AMQ9665: SSL connection closed by remote end of channel ''. Please help.
Things I have done:
1) created the .kdb file using ikeyman
2) stashed the password
3) imported the certificate (.pfx with private key) under personal certificates and labelled it 'ibmwebspheremqxxx(username)' (also tried ibmwebspheremq(queuemanagername))
4) added the root and intermediate certificates under signer certificates
I also tried the Windows cert store to get the certificate by using the below code:
properties.Add(MQC.SSL_CERT_STORE_PROPERTY,"*USER");
or
properties.Add(MQC.SSL_CERT_STORE_PROPERTY,"*SYSTEM");
The client always throws a "SSL KEY REPOSITORY ERROR": AMQ9660: SSL key repository: password stash file absent or unusable.
MQ Client version 8.0
Note: No access to MQ server logs

fjb_saper
Posted: Wed Jan 13, 2016 1:17 pm Post subject:
Grand High Poobah
Joined: 18 Nov 2003 Posts: 20756 Location: LI,NY
Do not use both ciphersuite and cipherspec, especially when they don't match (missing SSLFIPS_REQUIRED=true here).
BTW, if using ciphersuite you should always use a combination of ciphersuite and SSLFIPS_REQUIRED.
Try it again.
_________________ MQ & Broker admin
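A corrected set of connection properties, as an added example that is neither the poster's code nor IBM's: it sets a single CipherSpec matching the channel, points the certificate store at the key database stem, and surfaces the MQ reason code when the connect fails. Host, port, channel, queue manager name, key database path and peer name are placeholders; the stem-without-extension path and the lowercase "ibmwebspheremq<userid>" label are the .NET client's key repository conventions assumed here.

```csharp
using System;
using System.Collections;
using IBM.WMQ;   // IBM MQ classes for .NET

public static class MqTlsClient
{
    // Placeholder connection details; take the real values from the MQ administrator.
    const string Host = "mq.example.invalid";
    const int Port = 1414;               // PORT_PROPERTY wants an int, not a string
    const string Channel = "APP.SVRCONN";
    const string QMgrName = "QM1";
    // Key repository stem: C:\mqclient\key names key.kdb plus its stash file key.sth,
    // which must be readable by the Windows user running the client.
    const string KeyDbStem = @"C:\mqclient\key";

    public static MQQueueManager Connect()
    {
        Hashtable props = new Hashtable();
        props.Add(MQC.HOST_NAME_PROPERTY, Host);
        props.Add(MQC.PORT_PROPERTY, Port);
        props.Add(MQC.CHANNEL_PROPERTY, Channel);
        props.Add(MQC.TRANSPORT_PROPERTY, MQC.TRANSPORT_MQSERIES_MANAGED);

        // One cipher setting only. The CipherSpec must equal the SSLCIPH attribute of the
        // SVRCONN channel; 3DES is kept because that is what this thread's server hands out,
        // but a TLS 1.2 AES CipherSpec should be preferred wherever the channel allows it.
        props.Add(MQC.SSL_CIPHER_SPEC_PROPERTY, "TLS_RSA_WITH_3DES_EDE_CBC_SHA");

        // Path and file stem of the .kdb without the extension. The personal certificate in
        // it is expected under the label "ibmwebspheremq" + the lowercase logon user id.
        props.Add(MQC.SSL_CERT_STORE_PROPERTY, KeyDbStem);

        // Check the queue manager certificate's DN so a wrong server certificate is rejected.
        props.Add(MQC.SSL_PEER_NAME_PROPERTY, "CN=QM1,O=Example");   // placeholder DN

        try
        {
            return new MQQueueManager(QMgrName, props);
        }
        catch (MQException e)
        {
            // Reason codes typically behind the messages in this thread: 2381 MQRC_KEY_REPOSITORY_ERROR
            // (AMQ9660), 2393 MQRC_SSL_INITIALIZATION_ERROR (AMQ9661 / AMQ9665), 2538 MQRC_HOST_NOT_AVAILABLE.
            Console.Error.WriteLine("MQCONN failed: CC={0} RC={1} {2}",
                                    e.CompletionCode, e.ReasonCode, e.Message);
            throw;
        }
    }
}
```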

xmqymshr
Posted: Wed Jan 13, 2016 1:30 pm Post subject:
Novice
Joined: 13 Jan 2016 Posts: 14
Code:
properties.Add(MQC.SSL_FIPS_REQUIRED_PROPERTY, "true");
Is this the right way?
If yes, I just used cipher suite and SSL_FIPS_REQUIRED_PROPERTY; this time I got a MQRC_HOST_NOT_AVAILABLE exception.
Can I use cipher suite in .NET applications?

exerk
Posted: Wed Jan 13, 2016 3:39 pm Post subject:
Jedi Council
Joined: 02 Nov 2006 Posts: 6339
I'm making the assumption that you're using MQ V8.0, as lower versions do not support managed .NET clients, but why not use an mqclient.ini file (or whatever you wish to call it) and a CCDT file, with which you can abstract connection, channel, and SSL information, thereby avoiding the no-no of hard-coding such things?
_________________ It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys.

xmqymshr
Posted: Wed Jan 13, 2016 4:12 pm Post subject:
Novice
Joined: 13 Jan 2016 Posts: 14
I am using MQ 8.0. What is a CCDT file? Should I get this from the server side?
How can I add settings to the .ini file, and how should I refer to that from the code?

fjb_saper
Posted: Wed Jan 13, 2016 5:28 pm Post subject:
Grand High Poobah
Joined: 18 Nov 2003 Posts: 20756 Location: LI,NY
xmqymshr wrote:
    I am using MQ 8.0. What is a CCDT file? Should I get this from the server side?
    How can I add settings to the .ini file, and how should I refer to that from the code?
Client Channel Definition Table. The rest can be found in the infocenter.
_________________ MQ & Broker admin

xmqymshr
Posted: Thu Jan 14, 2016 6:32 am Post subject:
Novice
Joined: 13 Jan 2016 Posts: 14
I have read the info center. The CCDT should be defined on the server side and then copied on to the client machine, right? If that is the case then I cannot do that, because I don't have access to the server. I just got the MQ parameters with the cipher suite. Please help.

exerk
Posted: Thu Jan 14, 2016 6:40 am Post subject:
Jedi Council
Joined: 02 Nov 2006 Posts: 6339
xmqymshr wrote:
    I have read the info center. The CCDT should be defined on the server side and then copied on to the client machine, right? If that is the case then I cannot do that, because I don't have access to the server...
Please re-read the relevant section of the Knowledge Centre in regard to the generation of a CCDT, especially the section of it entitled "...Client platforms at IBM MQ Version 8.0..."
_________________ It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys.

Vitor
Posted: Thu Jan 14, 2016 6:40 am Post subject:
Grand High Poobah
Joined: 11 Nov 2005 Posts: 26093 Location: Texas, USA
xmqymshr wrote:
    The CCDT should be defined on the server side and then copied on to the client machine, right?
Or built on a queue manager you do have access to.
Or built using the CCDT Support Pac.
_________________ Honesty is the best policy.
Insanity is the best defence.

zpat
Posted: Thu Jan 14, 2016 7:02 am Post subject:
Jedi Council
Joined: 19 May 2001 Posts: 5866 Location: UK
I believe you can build them with just a MQ client these days.
_________________ Well, I don't think there is any question about it. It can only be attributable to human error. This sort of thing has cropped up before, and it has always been due to human error.

xmqymshr
Posted: Thu Jan 14, 2016 8:04 am Post subject:
Novice
Joined: 13 Jan 2016 Posts: 14
Can you please point me to any link which I can use as an example? I am not able to find any.

xmqymshr
Posted: Thu Jan 14, 2016 8:51 am Post subject:
Novice
Joined: 13 Jan 2016 Posts: 14
I got the cipher suite from the server, which is
Code:
prop.Add(MQC.SSL_CIPHER_SUITE_PROPERTY, "SSL_RSA_WITH_3DES_EDE_CBC_SHA");
Can I use the equivalent cipher spec, that is "TLS_RSA_WITH_3DES_EDE_CBC_SHA"? Please correct me if I am wrong.
So that I can ignore SSL_FIPS_REQUIRED_PROPERTY.
When I use only the cipher spec with the key repository I keep getting the below exception:
AMQ9661: Bad SSL data from peer on channel ''
Does it mean I am sending the wrong certificates? Is the request actually going to the server?

fjb_saper
Posted: Thu Jan 14, 2016 1:14 pm Post subject:
Grand High Poobah
Joined: 18 Nov 2003 Posts: 20756 Location: LI,NY
Quote:
    The client always throws a "SSL KEY REPOSITORY ERROR": AMQ9660: SSL key repository: password stash file absent or unusable.
That may be because the userid running the client does not have the right permissions / group membership to access the stash file.
_________________ MQ & Broker admin

xmqymshr
Posted: Thu Jan 14, 2016 2:00 pm Post subject:
Novice
Joined: 13 Jan 2016 Posts: 14
I am sorry if my question is not right. I get the "SSL KEY REPOSITORY ERROR" AMQ9660: SSL key repository: password stash file absent or unusable exception when I want to connect to the Windows cert store by using (*USER) or (*SYSTEM). When I use a .kdb I get an AMQ9661: Bad SSL data from peer on channel '' exception.

fjb_saper
Posted: Thu Jan 14, 2016 9:53 pm Post subject:
Grand High Poobah
Joined: 18 Nov 2003 Posts: 20756 Location: LI,NY
xmqymshr wrote:
    I am sorry if my question is not right. I get the "SSL KEY REPOSITORY ERROR" AMQ9660: SSL key repository: password stash file absent or unusable exception when I want to connect to the Windows cert store by using (*USER) or (*SYSTEM). When I use a .kdb I get an AMQ9661: Bad SSL data from peer on channel '' exception.
IIRC with MQ8 you can use the Windows key store. Did you review the corresponding parts of the infocenter?
_________________ MQ & Broker admin