saurabh25281
Posted: Tue Aug 23, 2016 4:12 pm Post subject: SSL connection fails b/w Sender receiver
Centurion
Joined: 05 Nov 2006 Posts: 108 Location: Bangalore
Hi all,
I am facing the below error with my SSL configuration.
"An SSL certificate received from the remote system was not corrupt but failed validation checks on something other than its ASN fields and date. It is possible that the certificate Subject DN is more than 1024 characters long or contains unsupported duplicate attribute values. &P The channel is 'QM2.TEST'; in some cases its name cannot be determined and so is shown as '????'. The channel did not start. "
I am using Self-Signed CA certificate on 1 of my QMgr and self-signed certificate on the other.
I am using MQ v7.5.0.1, and I have tried using certificates of key size 2048. I have validated the certificate using openssl and it's OK. Both my QMgrs are on the same machine.
I am using the same SSL CipherSpec on both sender/receiver channels.
Do let me know, where I might be going wrong.
I have created the self signed CA certificate using the below command. Converted the certs in pkcs12 format and imported it to QMgr keydb using ikeyman.
openssl genrsa -out rootCA.key 2048
openssl req -x509 -new -nodes -key rootCA.key -sha512 -days 1024 -out rootCA.pem -subj "//CN=rootCA"
openssl genrsa -out qm2.key 2048
openssl req -new -key qm2.key -out qm2.csr -subj "//CN=QM2"
openssl x509 -req -in qm2.csr -extfile v3.ext -CA rootCA.pem -CAkey rootCA.key -CAcreateserial -out qm2.crt -days 500
(convert to PKCS12) openssl pkcs12 -export -in qm2.crt -inkey qm2.key -out keystore.p12 -password pass:password -name ibmwebspheremqqm2
I have created my self signed certificate using the below command
runmqakm -keydb -create -db key.kdb -pw password -stash
runmqakm -cert -create -db key.kdb -label ibmwebspheremqtest -stashed -size 2048 -sigalg SHA512WithRSA -dn CN=TEST
runmqakm -cert -extract -db key.kdb -label ibmwebspheremqtest -file TEST.arm -stashed
exchanged the public keys of both QMgr
runmqakm -cert -add -db key.kdb -label "ibmwebspheremqtest" -file TEST.arm -format ascii -stashed
exchanged using import function of ikeyman GUI tool.
Regards
Saurabh

smdavies99
Posted: Tue Aug 23, 2016 9:43 pm Post subject:
Jedi Council
Joined: 10 Feb 2003 Posts: 6076 Location: Somewhere over the Rainbow this side of Never-never land.
I have created the self signed CA certificate using the below command. Converted the certs in pkcs12 format and imported it to QMgr keydb using ikeyman.
Code:
openssl genrsa -out rootCA.key 2048
openssl req -x509 -new -nodes -key rootCA.key -sha512 -days 1024 -out rootCA.pem -subj "//CN=rootCA"
openssl genrsa -out qm2.key 2048
openssl req -new -key qm2.key -out qm2.csr -subj "//CN=QM2"
openssl x509 -req -in qm2.csr -extfile v3.ext -CA rootCA.pem -CAkey rootCA.key -CAcreateserial -out qm2.crt -days 500
(convert to PKCS12)
openssl pkcs12 -export -in qm2.crt -inkey qm2.key -out keystore.p12 -password pass:password -name ibmwebspheremqqm2
I have created my self signed certificate using the below command
Code:
runmqakm -keydb -create -db key.kdb -pw password -stash
runmqakm -cert -create -db key.kdb -label ibmwebspheremqtest -stashed -size 2048 -sigalg SHA512WithRSA -dn CN=TEST
runmqakm -cert -extract -db key.kdb -label ibmwebspheremqtest -file TEST.arm -stashed
exchanged the public keys of both QMgr
Code:
runmqakm -cert -add -db key.kdb -label "ibmwebspheremqtest" -file TEST.arm -format ascii -stashed
That is a lot easier to read and understand. Please use [C O D E] (without the spaces) tags.
I take it that you followed the instructions linked by Morag in this thread?
http://www.mqseries.net/phpBB2/viewtopic.php?t=72824 _________________ WMQ User since 1999
MQSI/WBI/WMB/'Thingy' User since 2002
Linux user since 1995
Every time you reinvent the wheel the more square it gets (anon). If in doubt think and investigate before you ask silly questions.

hughson
Posted: Tue Aug 23, 2016 10:59 pm Post subject:
Padawan
Joined: 09 May 2013 Posts: 1959 Location: Bay of Plenty, New Zealand
Few questions:
- Why mixing and matching OpenSSL and runmqakm?
- Why exchanging queue manager keys if one queue manager is not self-signed?
- Please supply full error message text, starting at error number AMQ9....
Cheers
Morag _________________ Morag Hughson @MoragHughson
IBM MQ Technical Education Specialist
Get your IBM MQ training here!
MQGem Software

saurabh25281
Posted: Wed Aug 24, 2016 5:14 am Post subject:
Centurion
Joined: 05 Nov 2006 Posts: 108 Location: Bangalore
Hi Morag,
Code:
Why mixing and matching OpenSSL and runmqakm?
I wanted to emulate the certificates provided by our internal security team, which will generate a certificate for us and hand over the .key & .crt files. I did it using the openssl tool. For the self-signed certificates we didn't need any external tool, and it can be done using runmqakm.
Code:
Why exchanging queue manager keys if one queue manager is not self-signed?
I am using an SS-CA certificate & an SS certificate for my 2 QMgrs respectively. Do you want me not to exchange certificates for the SS-CA certificate?
Code:
Please supply full error message text, starting at error number AMQ9....
AMQ9654
8/24/2016 18:09:23 - Process(13316.1) User(SYSTEM) Program(runmqchl.exe) Host(BDC6-L-50230FH) Installation(Installation1) VRMF(7.5.0.1) QMgr(QM2)
An invalid SSL certificate was received from the remote system.
An SSL certificate received from the remote system was not corrupt but failed validation checks on something other than its ASN fields and date. It is possible that the certificate Subject DN is more than 1024 characters long or contains unsupported duplicate attribute values. &P The channel is 'QM2.TEST'; in some cases its name cannot be determined and so is shown as '????'. The channel did not start.
Ensure that the remote system has a valid SSL certificate. Restart the channel.

hughson
Posted: Wed Aug 24, 2016 11:33 am Post subject:
Padawan
Joined: 09 May 2013 Posts: 1959 Location: Bay of Plenty, New Zealand
saurabh25281 wrote:
hughson wrote:
Please supply full error message text, starting at error number AMQ9....
AMQ9654
An invalid SSL certificate was received from the remote system.
Knowing the error number I can see that the description of this error message has been enhanced a little post V7.5.0.1. It now looks like:
Knowledge Center wrote:
AMQ9654 Validation checks for the remote personal certificate failed. The channel did not start.
Severity: 30 : Severe error
Explanation: An SSL certificate received from the remote system was not corrupt but failed validation checks on something other than its ASN.1 fields and date. It is possible that the certificate chain could not be built for one of the following reasons:
- The certificate Subject DN is more than 1024 characters long.
- The DN contains unsupported duplicate attribute values.
- The DN is missing.
The channel is <insert_3>; in some cases its name cannot be determined and so is shown as '????'.
Response: Ensure that the remote system has a valid personal certificate and restart the channel.
Looking back at your certificate commands again:-
saurabh25281 wrote:
openssl req -x509 -new -nodes -key rootCA.key -sha512 -days 1024 -out rootCA.pem -subj "//CN=rootCA"
openssl req -new -key qm2.key -out qm2.csr -subj "//CN=QM2"
I wonder why you have two slashes at the beginning of your subj? What does this achieve? Do your certificates actually have a DN when you view them? What happens if you don't do that?
Cheers
Morag

saurabh25281
Posted: Wed Aug 24, 2016 12:22 pm Post subject:
Centurion
Joined: 05 Nov 2006 Posts: 108 Location: Bangalore
Hi Morag,
Quote:
I wonder why you have two slashes at the beginning of your subj? What does this achieve? Do your certificates actually have a DN when you view them? What happens if you don't do that?
Since I am using a Git Bash on Windows to generate my certificate, I had to provide this extra character; otherwise I get the error "Subject does not start with '/'. problems making Certificate Request". Please find the link: http://stackoverflow.com/questions/31506158/running-openssl-from-a-bash-script-on-windows-subject-does-not-start-with
When I view the certificate it does look like a normal certificate with Subject CN=QM2 and Issuer CN=rootCA, and like I mentioned earlier, when I test it with the OpenSSL command I get a "certificate OK" response.
Code:
openssl verify -verbose -CAfile rootCA.pem qm2.crt
But on the Certification Path tab of the certificate, it says, "The issuer of this certificate could not be found."
I am attaching the ASCII of my certificate.
Code:
-----BEGIN CERTIFICATE-----
…
-----END CERTIFICATE-----

hughson
Posted: Wed Aug 24, 2016 1:03 pm Post subject:
Padawan
Joined: 09 May 2013 Posts: 1959 Location: Bay of Plenty, New Zealand
saurabh25281 wrote:
When I view the certificate it does look like a normal certificate with Subject CN=QM2 and Issuer CN=rootCA, .... but on the Certification Path tab of the certificate, it says, "The issuer of this certificate could not be found."
This goes back to my other question earlier.
saurabh25281 wrote:
hughson wrote:
Why exchanging queue manager keys if one queue manager is not self-signed?
I am using SS-CA certificate & SS certificate for my 2 QMgrs respectively. Do you want me not to exchange certificates for the SS-CA certificate?
One queue manager is using a self-signed certificate, so to validate it, the partner must have a copy of that certificate. The other queue manager is using a CA-signed certificate, and yet I didn't see anything in your description that suggested you sent the partner queue manager the CA certificate for validation, it seems you only sent the queue manager certificate? This will be why you see "The issuer of this certificate could not be found" and may be the reason for your AMQ9654 error.
Cheers
Morag
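Morag's point above, as an added example that is not part of the original thread and is not IBM's or the poster's code: a POSIX shell script that rebuilds the two trust set-ups with OpenSSL (a root CA that signs QM2's certificate, and a self-signed certificate for TEST) and then asks `openssl verify` the question a partner key database asks during the handshake. The file names and scratch directory are assumptions; the DNs follow the post, and SHA-512 and the validity periods are kept from the original commands.

```shell
#!/bin/sh
# Added example, not code from the thread. Shows why a CA-signed queue manager
# certificate cannot be validated by a partner that only holds the leaf
# certificate, while a self-signed certificate is its own trust anchor.
# Assumes: openssl on PATH. WORK is a scratch directory (an assumption).
set -u
WORK="${WORK:-$(mktemp -d)}"

# Build the certificates the way the post does: a self-signed root CA, a
# QM2 certificate issued by that CA, and a self-signed certificate for TEST.
make_chain() {
    openssl genrsa -out "$WORK/rootCA.key" 2048 2>/dev/null
    openssl req -x509 -new -nodes -key "$WORK/rootCA.key" -sha512 -days 1024 \
        -subj "/CN=rootCA" -out "$WORK/rootCA.pem" 2>/dev/null
    openssl genrsa -out "$WORK/qm2.key" 2048 2>/dev/null
    openssl req -new -key "$WORK/qm2.key" -subj "/CN=QM2" \
        -out "$WORK/qm2.csr" 2>/dev/null
    # QM2 is a CSR signed by the root CA: the result is NOT self-signed.
    openssl x509 -req -in "$WORK/qm2.csr" -CA "$WORK/rootCA.pem" \
        -CAkey "$WORK/rootCA.key" -CAcreateserial -sha512 -days 500 \
        -out "$WORK/qm2.crt" 2>/dev/null
    # TEST is self-signed, the runmqakm -cert -create equivalent.
    openssl req -x509 -new -nodes -newkey rsa:2048 -keyout "$WORK/test.key" \
        -sha512 -days 500 -subj "/CN=TEST" -out "$WORK/test.crt" 2>/dev/null
}

# Issuer / subject DN of a certificate file, without the "issuer=" / "subject="
# prefix (the exact DN spelling varies between OpenSSL versions, but issuer and
# subject are printed the same way, so they can be compared to each other).
issuer_of()  { openssl x509 -in "$1" -noout -issuer  | sed 's/^issuer=[ ]*//'; }
subject_of() { openssl x509 -in "$1" -noout -subject | sed 's/^subject=[ ]*//'; }

# Exit 0 if leaf certificate $2 validates using only the certificates in $1
# as trust anchors. This is what the partner's key database must be able to do.
verify_with() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }

# 0 if QM2's issuer DN equals the root CA's subject DN, i.e. the chain
# rootCA -> QM2 can be built once the partner holds rootCA.pem.
qm2_chains_to_root() {
    [ "$(issuer_of "$WORK/qm2.crt")" = "$(subject_of "$WORK/rootCA.pem")" ]
}

demo() {
    make_chain
    echo "QM2 subject: $(subject_of "$WORK/qm2.crt")"
    echo "QM2 issuer : $(issuer_of "$WORK/qm2.crt")"
    # Partner holds only QM2's own certificate: the issuer cannot be found.
    if verify_with "$WORK/qm2.crt" "$WORK/qm2.crt"; then
        echo "qm2.crt with only qm2.crt in the store: OK (unexpected)"
    else
        echo "qm2.crt with only qm2.crt in the store: FAILS (issuer not found)"
    fi
    # Partner holds the root CA certificate: the chain builds and validates.
    if verify_with "$WORK/rootCA.pem" "$WORK/qm2.crt"; then
        echo "qm2.crt with rootCA.pem in the store: OK"
    fi
    # A self-signed certificate is its own trust anchor, so exchanging the
    # certificate itself (as the post does for TEST) is sufficient.
    if verify_with "$WORK/test.crt" "$WORK/test.crt"; then
        echo "test.crt (self-signed) with test.crt in the store: OK"
    fi
}

demo
```

The second case is the one the thread is about: for QM2 the partner queue manager needs rootCA.pem in its key database, not qm2.crt, which in runmqakm terms is `runmqakm -cert -add -db key.kdb -stashed -label rootCA -file rootCA.pem -format ascii` on the TEST side. The Windows "issuer of this certificate could not be found" message is the same chain-building failure, seen by a machine that does not have rootCA.pem in its store.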

fjb_saper
Posted: Wed Aug 24, 2016 11:16 pm Post subject:
Grand High Poobah
Joined: 18 Nov 2003 Posts: 20756 Location: LI,NY
It looks to me like you are building the wrong SSL certificate type.
X509 has multiple types of certs and yours is of type subject?
It should be of a DN type i.e. instead of having a subject (X500??) show a distinguished name or DN.
If you want to, create a cert request and give your corporate security the request for signing. Don't ask them to produce a cert ... they are obviously producing the wrong kind.
Have fun  _________________ MQ & Broker admin

saurabh25281
Posted: Thu Aug 25, 2016 3:53 am Post subject:
Centurion
Joined: 05 Nov 2006 Posts: 108 Location: Bangalore
Quote:
The other queue manager is using a CA-signed certificate, and yet I didn't see anything in your description that suggested you sent the partner queue manager the CA certificate for validation, it seems you only sent the queue manager certificate?
I tried adding the root certificate on the other queue manager instead of the QMgr certificate, but got the same response.
Quote:
This will be why you see "The issuer of this certificate could not be found" and may be the reason for your AMQ9654 error
I see this message when I open the certificate on my Windows machine, not in the MQ error logs.
I am suspicious that my QMgr certificate is not chained properly. The certification path does not show the certificate as
Expected:
rootCA
--QM2
Actual:
QM2

saurabh25281
Posted: Thu Aug 25, 2016 4:01 am Post subject:
Centurion
Joined: 05 Nov 2006 Posts: 108 Location: Bangalore
Quote:
It should be of a DN type i.e. instead of having a subject (X500??) show a distinguished name or DN.
How do I check if I have the wrong type of certificate? Not sure what you meant by having a subject X500, but my certificate has Subject value as QM2 which is my QmgrName.
Quote:
If you want to, create a cert request and give your corporate security the request for signing. Don't ask them to produce a cert ... they are obviously producing the wrong kind.
This certificate is being created by me and hence I may be doing it the wrong way. Please correct me if I am signing it using the wrong commands that I provided earlier using openssl.

mqjeff
Posted: Thu Aug 25, 2016 4:11 am Post subject:
Grand Master
Joined: 25 Jun 2008 Posts: 17447
It vaguely sounds like you are creating a self-signed certificate instead of creating a certificate request and getting it signed by the root CA. _________________ chmod -R ugo-wx /

fjb_saper
Posted: Thu Aug 25, 2016 3:03 pm Post subject:
Grand High Poobah
Joined: 18 Nov 2003 Posts: 20756 Location: LI,NY
Not familiar enough in openssl but the fact that he is specifying -subj might be a clue. I would have thought that you'd specify a full Distinguished Name (DN) and not just a subject. Would that not lead to an X509 containing an X500 type entity??
Make sure you create an X509 v3 with full Distinguished Name (
CN=xxx,O=xxx,OU=xxx,L=city,ST=State,C=Country,POSTALCODE=zip)
Have fun

hughson
Posted: Thu Aug 25, 2016 6:44 pm Post subject:
Padawan
Joined: 09 May 2013 Posts: 1959 Location: Bay of Plenty, New Zealand
fjb_saper wrote:
Not familiar enough in openssl but the fact that he is specifying -subj might be a clue. I would have thought that you'd specify a full Distinguished Name (DN) and not just a subject. Would that not lead to an X509 containing an X500 type entity??
Make sure you create an X509 v3 with full Distinguished Name (
CN=xxx,O=xxx,OU=xxx,L=city,ST=State,C=Country,POSTALCODE=zip)
Have fun
The Subject's Distinguished Name (as opposed to the Issuer's Distinguished Name) is perfectly able to be simply "CN=QM1". It is not required to provide every field.

fjb_saper
Posted: Thu Aug 25, 2016 11:00 pm Post subject:
Grand High Poobah
Joined: 18 Nov 2003 Posts: 20756 Location: LI,NY
hughson wrote:
fjb_saper wrote:
Not familiar enough in openssl but the fact that he is specifying -subj might be a clue. I would have thought that you'd specify a full Distinguished Name (DN) and not just a subject. Would that not lead to an X509 containing an X500 type entity??
Make sure you create an X509 v3 with full Distinguished Name (
CN=xxx,O=xxx,OU=xxx,L=city,ST=State,C=Country,POSTALCODE=zip)
Have fun
The Subject's Distinguished Name (as opposed to the Issuer's Distinguished Name) is perfectly able to be simply "CN=QM1". It is not required to provide every field.
Thanks Morag. As always an excellent source of knowledge. Don't know if you're like me, but there is little trust in a cert (especially) self signed where the only info in the DN is the CN.
Mind you, I'm not saying that it isn't legitimate, but a lot less to put into SSLPEER....

hughson
Posted: Fri Aug 26, 2016 4:09 am Post subject:
Padawan
Joined: 09 May 2013 Posts: 1959 Location: Bay of Plenty, New Zealand
fjb_saper wrote:
Don't know if you're like me, but there is little trust in a cert (especially) self signed where the only info in the DN is the CN.
fjb_saper wrote:
Mind you, I'm not saying that it isn't legitimate.
Indeed, I don't think it's the OP's problem in this case, is all.
Cheers
Morag