| Author |
Message
|
| MQ_AGENT |
 Posted: Fri Feb 05, 2016 12:59 pm Post subject: MQRC 2393 and channel lacking certificate |
 |
|
Newbie
Joined: 05 Feb 2016
Posts: 7
|
Hey guys..
I am attempting to setup SSL on my local machine as a POC. I am missing something which is causing the Subjected error . I have tried to go through various articles over web but could not find the missing link. Please have my scenario as below :
NOTE : I am using iKEYMAN for Key related tasks.
FOR SERVER SIDE SSL:
STEP 1 - Created a CMS type keydb named "MYServer.kdb" from iKeyMan. Have given password and stashed it.The path of KeyDB is D:\SSL\Server.
STEP 2 -Created a NEW SELF SIGNED CERTIFICATE with label name as "ibmwebspheremq<qmgrname>". Have populated the DN details as well.
STEP 3- Exported this certificate as certi.arm/certi.der file.
FOR CLIENT SIDE SSL :
STEP 4- Created a Client Keydb named "MYClient.kdb" from iKeyMan. have given the password and stashed it. The path of keyDB is D:\SSL\Client
STEP 5- Now Under the SIGNER CERTIFICATE Drop down menu option , i imported the "certi.arm" file under label name "ibmwebspheremq<user-id>"
STEP 6 - Set ENV VARIABLES : MQCHLLIB , MQCHLTAB and MQSSLKEYR.
MQSSLKEYR has been set to "D:\SSL\Client\MYClient"
also alterer qmgr as alter qmgr SSLKEYR('D:\SSL\Server\MYServer')
The channels are created correctly. For SVRCONN the def is as follows :
Define channel(TEST.SVR) CHLTYPE(SVRCONN) MCAUSER('MUSR_MQADMIN') SSLCIPH(DES_SHA_EXPORT)
Once I try to check it through amqsptc , I am getting :
Sample AMQSPUT0 start
MQCONN ended with reason code 2393
and the QMGR logs show subjected error . What am I missing here ? Any help is appreciated
Thanks amigos in advance |
|
| Back to top |
|
 |
| fjb_saper |
| Posted: Sat Feb 06, 2016 5:57 am Post subject: |
|
|
Grand High Poobah
Joined: 18 Nov 2003
Posts: 20756
Location: LI,NY
|
You're missing the fact that you are using a default CLNTCONN channel with amqsputc and that there is no SSL parameter declared on that.
Use RFHUtilc instead and specify the SSL cipherspec... or use a CCDT file.
Have fun 
_________________
MQ & Broker admin |
|
| Back to top |
|
|
| MQ_AGENT |
| Posted: Sat Feb 06, 2016 8:20 am Post subject: |
|
|
Newbie
Joined: 05 Feb 2016
Posts: 7
|
Hello fjb_saper,
I had created the TEST.SVRCONN channel as well(I should have added that info as well in the post). The channel definition is :
Define channel(TEST.SVR) CHLTYPE(CLNTCONN) CONNAME(<valid value>) QMNAME(<QMGR NAME>) SSLCIPH(DES_SHA_EXPORT)
Also, I was trying to be creative when I could not figure out what's the issue and guess what..I did something which worked..
Under my STEP 5 for configuring SSL for CLient :
STEP 5- Now Under the SIGNER CERTIFICATE Drop down menu option , i imported the "certi.arm" file under label name "ibmwebspheremq<user-id>"
I was importing the certificate from SIGNER CERTIFICATE Dropdown menu and then clicking ADD button to import the certi.arm file.
NOW INSTEAD OF IMPORTING ARM FILE THROUGH THE SIGNER CERTIFICATE FROP DOWN I USED PERSONAL CERTIFICATE DROP DOWN MENU AND IMPORTED THE COMPLETE KEYDB OF SERVER (MYServer.kdb)
IT GAVE A LIST OF CERTIFICATES INCLUDING THE ONE WITH LABEL "ibmwebspheremq<qmgr-name>". I selected this record, changed the label to ibmwebspheremq<user-id> and imported
The configuration worked.
NOW AGAIN I AM NOT SURE WHAT IS IT THAT I WAS DOING WRONG WHILE IMPORTING THE ARM FILE BEFORE.
 |
|
| Back to top |
|
|
| fjb_saper |
| Posted: Sat Feb 06, 2016 7:43 pm Post subject: |
|
|
Grand High Poobah
Joined: 18 Nov 2003
Posts: 20756
Location: LI,NY
|
Looks like you're violating SSL 101: each participant to the SSL exchange needs to have it's own certificate.
So you need to have:
- On the qmgr
- qmgr cert with label ibmwebspheremq<qmgrname> (private and public)
- the cert chain for the qmgr's cert
- the cert chain for the client's cert
- On the client
- client cert with label ibmwebspheremq<userid> (private and public)
- the cert chain for the client's cert
- the cert chain for the qmgr's cert
Hope that clarifies things...
_________________
MQ & Broker admin |
|
| Back to top |
|
|
| MQ_AGENT |
| Posted: Sun Feb 07, 2016 10:22 am Post subject: |
|
|
Newbie
Joined: 05 Feb 2016
Posts: 7
|
Hello fjb_saper,
With wchich label should I add the certificate of SERVER in CLIENT DB. as ibmwebspheremq<userid> label would be now used to carry client's own ceretificate. Aso some more info please.
On the qmgr
----------------
qmgr cert with label ibmwebspheremq<qmgrname> (private and public)
the cert chain for the qmgr's cert
What is the exact difference between 1 and 2.When I create the certificate under NEW PERSONAL CERTIFICATE DROPDOWNMENU , i believe it would be stored as a certificate chain which will be certificate chain of qmgr.
the cert chain for the client's cert
I am only using one way authentication - only client will be validating the server certificate so why is it necessary to add the chain for client certificate ? If its mandatory how can i achieve that.
On the client
---------------
client cert with label ibmwebspheremq<userid> (private and public)
the cert chain for the client's cert
again what's the difference b/w first 2 points.
the cert chain for the qmgr's cert : under which label shall i add ? |
|
| Back to top |
|
|
| fjb_saper |
| Posted: Sun Feb 07, 2016 5:31 pm Post subject: |
|
|
Grand High Poobah
Joined: 18 Nov 2003
Posts: 20756
Location: LI,NY
|
| MQ_AGENT wrote: |
On the qmgr
----------------
qmgr cert with label ibmwebspheremq<qmgrname> (private and public)
the cert chain for the qmgr's cert
What is the exact difference between 1 and 2.When I create the certificate under NEW PERSONAL CERTIFICATE DROPDOWNMENU , i believe it would be stored as a certificate chain which will be certificate chain of qmgr.
|
The big difference you will see there is between a self signed cert and a CA signed cert.
For the self signed cert the signer cert is the public part of the X509.
For a CA signed cert the public part of the X509 will show an issued by information. This will point to the cert, next up in the cert chain... until you hit the root CA cert.
Have fun
_________________
MQ & Broker admin |
|
| Back to top |
|
|
|
|
