ammx (Acolyte; joined 08 Sep 2017; posts: 50)
Posted: Sun Oct 28, 2018 1:39 pm    Post subject: 575010 no certificate chain issue
I am trying to establish a connection between a JMS WAS and an MQ Qmgr, but I am getting the following error:
AMQ9633: Bad SSL certificate for channel '????'.
EXPLANATION:
A certificate encountered during SSL handshaking is regarded as bad for one of
the following reasons:
...
...
...
The details of the certificate which could not be validated are
'[Class=]..........[Issuer=]CN=xxx.xxx.xxx.xx.xx,OU=Root Certificate,O=xx,C=xx[#=]4821f9005dae84
The certificate validation error was 575010.
I know the error code 575010 means that no certificate chain was built, so I started searching for the flawed certificate in the keystore of the app-side server (WAS JMS) and I couldn't find any cert with the serial number 4821f9005dae84 (decimal 20303551659880068). I did find one with the same CN=xxx.xxx.xxx.xx.xx,OU=Root Certificate,O=xx,C=xx, but the serial number doesn't match.
hughson (Padawan; joined 09 May 2013; posts: 1959; location: Bay of Plenty, New Zealand)
Posted: Mon Oct 29, 2018 11:53 am    Post subject: Re: 575010 no certificate chain issue
ammx wrote:
    I know the error code 575010 means that no certificate chain was built, so I started searching for the flawed certificate in the keystore of the app-side server (WAS JMS) and I couldn't find any cert with the serial number 4821f9005dae84 (decimal 20303551659880068). I did find one with the same CN=xxx.xxx.xxx.xx.xx,OU=Root Certificate,O=xx,C=xx, but the serial number doesn't match.
Did you have a question? You appear to have answered your own query with your final statement. If it doesn't have the same serial number it is not the same certificate and so will not match.
Cheers,
Morag
_________________
Morag Hughson @MoragHughson
IBM MQ Technical Education Specialist
Get your IBM MQ training here!
MQGem Software
tczielke (Guardian; joined 08 Jul 2010; posts: 941; location: Illinois, USA)
Posted: Mon Oct 29, 2018 2:05 pm
In case you are still having issues with validating the trust chain, this MQ manual doc helps explain how you can do some manual checks to help see if you have the valid signer certs in your keystore to trust a personal certificate that is sent to your queue manager -> https://www.ibm.com/support/knowledgecenter/en/SSFKSJ_9.1.0/com.ibm.mq.sec.doc/q009880_.htm
_________________
Working with MQ since 2010.
Last edited by tczielke on Wed Oct 31, 2018 2:30 pm; edited 1 time in total
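A worked check of the two points made in the replies above, as an added example that is not part of the thread and not code from IBM MQ or GSKit: hughson's (the serial number, not the DN, identifies a certificate) and tczielke's (a manual check of whether the keystore holds the signer certificates needed to build a chain). It is Python using only the standard library, because runmqckm/runmqakm only exist inside an MQ installation. It reads the [Issuer=] DN and [#=] serial that AMQ9633 prints straight out of a DER certificate, looks a certificate up by serial in a PEM bundle, and follows issuer-to-subject links to report the first issuer a store does not hold, which is the situation behind validation error 575010. Only the masked root DN and the serial 4821f9005dae84 come from the post; the "Intermediate CA" and "qmgr.example" names, the serials 0x1A2B, 0x1001 and 0x2002, and the sample certificates themselves are assumptions, constructed in the script with a dummy key and an empty signature, so the chain walk is by name only and the output is not usable in any handshake.

```python
# Added example (not from the thread, IBM MQ or GSKit): read the [Issuer=] DN and [#=]
# serial AMQ9633 prints out of a certificate, find a certificate by serial in a PEM
# bundle, and walk issuer -> subject links to find the issuer a store lacks (575010).
import base64
import re
_ATTR = {b"\x55\x04\x03": "CN", b"\x55\x04\x0b": "OU", b"\x55\x04\x0a": "O", b"\x55\x04\x06": "C"}

def read_tlv(buf, pos=0):
    """(tag, value, next_pos) of the DER element at pos, long-form lengths included."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                     # long form: n length bytes follow
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def children(payload):
    """(tag, value) pairs making up a constructed element's payload."""
    out, pos = [], 0
    while pos < len(payload):
        tag, val, pos = read_tlv(payload, pos)
        out.append((tag, val))
    return out

def decode_name(payload):
    """X.501 Name as CN=...,OU=...,O=...,C=..., most specific first as AMQ9633 prints it."""
    parts = []
    for _, rdn in children(payload):                      # RDN = SET of AVA
        for _, ava in children(rdn):                      # AVA = SEQUENCE(OID, value)
            (_, oid), (_, value) = children(ava)
            parts.append(f"{_ATTR.get(oid, oid.hex())}={value.decode()}")
    return ",".join(reversed(parts))                      # DER stores C first, CN last

def cert_summary(cert_der):
    """{'serial': int, 'issuer': str, 'subject': str} of one DER certificate."""
    tbs = children(children(read_tlv(cert_der)[1])[0][1])  # tbsCertificate fields
    if tbs[0][0] == 0xA0:                                 # optional [0] EXPLICIT version
        tbs = tbs[1:]
    return {"serial": int.from_bytes(tbs[0][1], "big", signed=True),
            "issuer": decode_name(tbs[2][1]),             # tbs[1] is the signature alg
            "subject": decode_name(tbs[4][1])}            # tbs[3] is validity

def pem_bundle_to_ders(text):
    blocks = re.findall(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", text, re.S)
    return [base64.b64decode("".join(b.split())) for b in blocks]

def find_by_serial(ders, serial):
    """Certificate with exactly this serial, else None (same DN, other serial: no match)."""
    return next((s for s in map(cert_summary, ders) if s["serial"] == serial), None)

def chain_to_root(leaf_der, store_ders):
    """Follow issuer -> subject by name only (GSKit also checks signatures and dates).
    Returns (chain, missing_issuer): the DN no store cert has as subject, or None."""
    by_subject = {s["subject"]: s for s in map(cert_summary, store_ders)}
    chain, cur = [], cert_summary(leaf_der)
    while True:
        chain.append(cur)
        if cur["issuer"] == cur["subject"]:
            return chain, None
        if cur["issuer"] not in by_subject or len(chain) > 10:  # missing link, or a loop
            return chain, cur["issuer"]
        cur = by_subject[cur["issuer"]]

# ---- DER writer, used only to construct the sample certificates below ----
def _tlv(tag, payload):
    n = len(payload)
    if n < 0x80:
        return bytes([tag, n]) + payload
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + payload
def _seq(*items):
    return _tlv(0x30, b"".join(items))
def _int(n):  # positive INTEGER, minimal length, leading 0x00 when the top bit is set
    return _tlv(0x02, n.to_bytes(n.bit_length() // 8 + 1, "big"))
def _name(*avas):  # attributes in DER order, e.g. C, O, OU, CN
    rev = {v: k for k, v in _ATTR.items()}
    return _seq(*[_tlv(0x31, _seq(_tlv(0x06, rev[k]), _tlv(0x0C, v.encode()))) for k, v in avas])

def build_sample_cert(serial, issuer, subject):
    """Constructed X.509 shell: real layout, dummy RSA key, empty signature; not for handshakes."""
    sha256_rsa = _seq(b"\x06\x09\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b", b"\x05\x00")
    rsa = _seq(b"\x06\x09\x2a\x86\x48\x86\xf7\x0d\x01\x01\x01", b"\x05\x00")
    validity = _seq(_tlv(0x17, b"181028000000Z"), _tlv(0x17, b"281028000000Z"))
    tbs = _seq(_tlv(0xA0, _int(2)), _int(serial), sha256_rsa, _name(*issuer), validity,
               _name(*subject), _seq(rsa, b"\x03\x01\x00"))
    return _seq(tbs, sha256_rsa, b"\x03\x01\x00")
def to_pem(der):
    return "-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(der).decode() + "-----END CERTIFICATE-----\n"

# Constructed samples: the masked root DN and serial from the post; the intermediate
# and queue manager names and their serials are made up for this example.
ROOT_DN = (("C", "xx"), ("O", "xx"), ("OU", "Root Certificate"), ("CN", "xxx.xxx.xxx.xx.xx"))
INTER_DN = (("C", "xx"), ("O", "xx"), ("CN", "Intermediate CA"))
QMGR_DN = (("C", "xx"), ("O", "xx"), ("CN", "qmgr.example"))
ROOT_DER = build_sample_cert(0x4821F9005DAE84, ROOT_DN, ROOT_DN)
OLD_ROOT_DER = build_sample_cert(0x1A2B, ROOT_DN, ROOT_DN)   # same DN, different serial
INTER_DER = build_sample_cert(0x1001, ROOT_DN, INTER_DN)
QMGR_DER = build_sample_cert(0x2002, INTER_DN, QMGR_DN)
STORE_PEM = to_pem(OLD_ROOT_DER) + to_pem(ROOT_DER)          # roots only, no intermediate

if __name__ == "__main__":
    print(f"[Issuer=]{cert_summary(ROOT_DER)['issuer']}[#=]{cert_summary(ROOT_DER)['serial']:x}")
    print("missing issuer:", chain_to_root(QMGR_DER, pem_bundle_to_ders(STORE_PEM))[1])
```

To run it against a real keystore, extract the certificates to PEM first (runmqckm/runmqakm `-cert -extract ... -format ascii`; check the option names for your GSKit level), concatenate them, and pass the text to `pem_bundle_to_ders()`. The `[#=]` field and GSKit print the serial in hex, so compare with `int("4821f9005dae84", 16)`; when a tool prints decimal, `int(text, 10)` gives the same integer (20303551659880068 here). An all-digit serial is ambiguous between the two bases, so decide from the tool's documentation rather than guessing. `find_by_serial()` deliberately ignores the DN: two roots with identical subjects but different serials are different certificates, which is the distinction hughson draws above. `chain_to_root()` returning a missing issuer DN is the name-level equivalent of 575010; a store that satisfies it can still fail in GSKit on signature or validity checks, which this script does not perform.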
ammx (Acolyte; joined 08 Sep 2017; posts: 50)
Posted: Tue Oct 30, 2018 9:42 am
Hi @hughson, @tczielke, thanks for your replies.
I checked once again in the keystores on the WAS side and I did find the flawed certificate with the matching serial number. That certificate is indeed chained, so what I did was to add all of the chained certs into the qmgr with:
runmqckm -cert -add -db key.kdb -label "xxxx" -file xxx.crt -format ascii
I verified the certs were added:
default
^
default_sha2
^
default_sha256
^
default_2048_sha2 (this is the cert that appears in the error message, same SN)
Then I refreshed the SSL security, but the same error message is showing:
AMQ9633: Bad SSL certificate for channel '????'.
The details of the certificate which could not be validated are
'[Class=]..........[Issuer=]CN=xxx.xxx.xxx.xx.xx,OU=Root Certificate,O=xx,C=xx[#=]4821f9005dae84
The certificate validation error was 575010.
Checking the QMGR configuration with DISPLAY QMGR shows me that it is pointing to the right keystore, in the right path:
SSLKEYR(/var/mqm/qmgrs/EMQ02OD1/ssl/key)
so I don't know what I am missing here.
Thanks in advance for your help
exerk (Jedi Council; joined 02 Nov 2006; posts: 6339)
Posted: Tue Oct 30, 2018 11:03 am
What's the label name of the queue manager's certificate?
_________________
It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys.
ammx (Acolyte; joined 08 Sep 2017; posts: 50)
Posted: Sat Nov 03, 2018 3:44 pm
Hi,
We found the cause of the problem: the issue was that the qmgr was retrieving the certificate from the wrong keystore, a very old one. Once I changed the configuration in the WebSphere client console and set the correct keystore, the issue was resolved.
Thanks so much for your help
exerk (Jedi Council; joined 02 Nov 2006; posts: 6339)
Posted: Sun Nov 04, 2018 5:48 am
This does not make sense:
ammx wrote:
    ...the issue was that the qmgr was retrieving the certificate from the wrong keystore, it was a very old one...
In relation to this:
ammx wrote:
    ...Once I changed the configuration in the WebSphere client console and set the correct keystore the issue was resolved...
Either your queue manager key store was incorrect, or the client key store was incorrect - the queue manager does not retrieve any certificates from the client's key store.
Unless of course, you are not using a common key store for both queue manager and client...
_________________
It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys.
ammx (Acolyte; joined 08 Sep 2017; posts: 50)
Posted: Mon Nov 05, 2018 1:22 pm
In the WebSphere Application Server console, in
SSL certificate and key management > SSL configurations > CellDefaultSSL > Keystore and certificates
the keystore configured on the client side was not the correct one.