ASG
IBM
Zystems
Cressida
Icon
Netflexity
 
  MQSeries.net
Search  Search       Tech Exchange      Education      Certifications      Library      Info Center      SupportPacs      LinkedIn  Search  Search                                                                   FAQ  FAQ   Usergroups  Usergroups
 
Register  ::  Log in Log in to check your private messages
 
RSS Feed - WebSphere MQ Support RSS Feed - Message Broker Support

MQSeries.net Forum Index » General IBM MQ Support » 575010 no certificate chain issue

Post new topic  Reply to topic
 575010 no certificate chain issue « View previous topic :: View next topic » 
Author Message
ammx
PostPosted: Sun Oct 28, 2018 1:39 pm    Post subject: 575010 no certificate chain issue Reply with quote

Acolyte

Joined: 08 Sep 2017
Posts: 50

I am trying to establish connection between a JMS WAS and an MQ Qmgr, but i am getting the following error

AMQ9633: Bad SSL certificate for channel '????'.

EXPLANATION:
A certificate encountered during SSL handshaking is regarded as bad for one of
the following reasons:
...
...
...

The details of the certificate which could not be validated are
'[Class=]..........[Issuer=]CN=xxx.xxx.xxx.xx.xx,OU=Root
Certificate,O=xx,C=xx[#=]4821f9005dae84

The certificate validation error was 575010.

I know the error code 575010 means that no certificate chain was built, so i started searching for the flawed certificate in the keystore of the app side server (WAS JMS) and I couldn't find any cert with the serial number 4821f9005dae84(decimal= 20303551659880068). I did find one with the same CN=xxx.xxx.xxx.xx.xx,OU=Root Certificate,O=xx,C=xx, but the serial number doesn't match.
Back to top
View user's profile Send private message
hughson
PostPosted: Mon Oct 29, 2018 11:53 am    Post subject: Re: 575010 no certificate chain issue Reply with quote

Padawan

Joined: 09 May 2013
Posts: 1914
Location: Bay of Plenty, New Zealand

ammx wrote:
I know the error code 575010 means that no certificate chain was built, so i started searching for the flawed certificate in the keystore of the app side server (WAS JMS) and I couldn't find any cert with the serial number 4821f9005dae84(decimal= 20303551659880068). I did find one with the same CN=xxx.xxx.xxx.xx.xx,OU=Root Certificate,O=xx,C=xx, but the serial number doesn't match.

Did you have a question? You appear to have answered your own query with your final statement. If it doesn't have the same serial number it is not the same certificate and so will not match.

Cheers,
Morag
_________________
Morag Hughson @MoragHughson
IBM MQ Technical Education Specialist
Get your IBM MQ training here!
MQGem Software
Back to top
View user's profile Send private message Visit poster's website
tczielke
PostPosted: Mon Oct 29, 2018 2:05 pm    Post subject: Reply with quote

Guardian

Joined: 08 Jul 2010
Posts: 939
Location: Illinois, USA

In case you are still having issues with validating the trust chain, this MQ manual doc helps explain how you can do some manual checks to help see if you have the valid signer certs in your keystore to trust a personal certificate that is sent to your queue manager -> https://www.ibm.com/support/knowledgecenter/en/SSFKSJ_9.1.0/com.ibm.mq.sec.doc/q009880_.htm
_________________
Working with MQ since 2010.


Last edited by tczielke on Wed Oct 31, 2018 2:30 pm; edited 1 time in total
Back to top
View user's profile Send private message
ammx
PostPosted: Tue Oct 30, 2018 9:42 am    Post subject: Reply with quote

Acolyte

Joined: 08 Sep 2017
Posts: 50

Hi @hughson, @tczielke, thanks for your reply

I checked once again in the keystores of the WAS side and I did find the flawed certificate with the matching serial number. That certificate is indeed chained, so what I did was to add all of the chained certs into the qmgr with:

runmqckm -cert -add -db key.kdb -label "xxxx" -file xxx.crt -format ascii

I verified the certs were added.

default
^
default_sha2
^
default_sha256
^
default_2048_sha2(this is the cert that appears on the error message, same SN)


Then i refreshed the security ssl, but the same error message is showing:

AMQ9633: Bad SSL certificate for channel '????'.

The details of the certificate which could not be validated are
'[Class=]..........[Issuer=]CN=xxx.xxx.xxx.xx.xx,OU=Root
Certificate,O=xx,C=xx[#=]4821f9005dae84

The certificate validation error was 575010.

checking the QMGR configuration with DISPLAY QMGR shows me that it is pointing to the right keystore, in the right path

SSLKEYR(/var/mqm/qmgrs/EMQ02OD1/ssl/key)

so i dont know what am i missing here

Thanks in advance for your help
Back to top
View user's profile Send private message
exerk
PostPosted: Tue Oct 30, 2018 11:03 am    Post subject: Reply with quote

Jedi Council

Joined: 02 Nov 2006
Posts: 6339

What's the label name of queue manager's certificate?
_________________
It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys.
Back to top
View user's profile Send private message
ammx
PostPosted: Sat Nov 03, 2018 3:44 pm    Post subject: Reply with quote

Acolyte

Joined: 08 Sep 2017
Posts: 50

Hi

We found the cause of the problem, the issue was that the qmgr was retrieving the certificate from the wrong keystore, it was a very old one. Once I changed the configuration in the WebSphere client console and set the correct keystore the issue was resolved

Thanks so much for your help
Back to top
View user's profile Send private message
exerk
PostPosted: Sun Nov 04, 2018 5:48 am    Post subject: Reply with quote

Jedi Council

Joined: 02 Nov 2006
Posts: 6339

This does not make sense:
ammx wrote:
...the issue was that the qmgr was retrieving the certificate from the wrong keystore, it was a very old one...

In relation to this:
ammx wrote:
...Once I changed the configuration in the WebSphere client console and set the correct keystore the issue was resolved...

Either your queue manager key store was incorrect, or the client key store was incorrect - the queue manager does not retrieve any certificates from the client's key store.

Unless of course, you are not using a common key store for both queue manager and client...
_________________
It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys.
Back to top
View user's profile Send private message
ammx
PostPosted: Mon Nov 05, 2018 1:22 pm    Post subject: Reply with quote

Acolyte

Joined: 08 Sep 2017
Posts: 50

In the WebSphere Application Server console in

SSL certificate and key management > SSL configurations > CellDefaultSSL > Keystore and certificates

The keystore configured on the client side was not the correct one.
Back to top
View user's profile Send private message
Display posts from previous:   
Post new topic  Reply to topic Page 1 of 1

MQSeries.net Forum Index » General IBM MQ Support » 575010 no certificate chain issue
Jump to:  



You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
Protected by Anti-Spam ACP
 
 


Theme by Dustin Baccetti
Powered by phpBB © 2001, 2002 phpBB Group

Copyright © MQSeries.net. All rights reserved.