ASG
IBM
Zystems
Cressida
Icon
Netflexity
 
  MQSeries.net
Search  Search       Tech Exchange      Education      Certifications      Library      Info Center      SupportPacs      LinkedIn  Search  Search                                                                   FAQ  FAQ   Usergroups  Usergroups
 
Register  ::  Log in Log in to check your private messages
 
RSS Feed - WebSphere MQ Support RSS Feed - Message Broker Support

MQSeries.net Forum IndexIBM MQ SecurityRC 2538 C# (amqmdnet.dll V9.0.0) and SSL - works with dll V8

Post new topicReply to topic
RC 2538 C# (amqmdnet.dll V9.0.0) and SSL - works with dll V8 View previous topic :: View next topic
Author Message
fernando2867
PostPosted: Tue May 21, 2019 3:06 pm Post subject: RC 2538 C# (amqmdnet.dll V9.0.0) and SSL - works with dll V8 Reply with quote

Newbie

Joined: 04 Apr 2019
Posts: 5

Hi list!!

I have a customer here in Brazil with this problem:

Hes connecting to a MQ Server V9.0, using C# with amqmdnet.dll and SSL (client and server). When he uses amqmdnet.dll V8.0.0.6, it works fine. But if he uses amqmdnet.dll V9.0.0 and up, reason code 2538 occurs.

2538 (09EA) (RC2538): MQRC_HOST_NOT_AVAILABLE

Here is the C# code he is using:

var properties = new Hashtable
{
{ MQC.TRANSPORT_PROPERTY, TCP },
{ MQC.HOST_NAME_PROPERTY, localhost },
{ MQC.PORT_PROPERTY, 1414 },
{ MQC.CHANNEL_PROPERTY, FLAECOMM_QM.BJ_QM }
};

properties.Add(MQC.SSL_CERT_STORE_PROPERTY, C:\lixo\MQCitibank\Certificado\client);
properties.Add(MQC.SSL_CIPHER_SUITE_PROPERTY, SSL_RSA_WITH_AES_256_CBC_SHA256);
properties.Add(MQC.SSL_CIPHER_SPEC_PROPERTY, TLS_RSA_WITH_AES_256_CBC_SHA256);
properties.Add(MQC.SSL_PEER_NAME_PROPERTY, );

try
{
var MQQueueManager = new MQQueueManager(queueManagerDTO.QueueManager, properties);
}
catch (Exception E)
{
MessageDialog.Show(E.Message);
}



Below I will list the steps he used to configure SSL:

Certificate creation:

Client machine:

runmqakm -keydb -create -db "client.kdb" -pw Citi2019 -type cms -expire 1825 -stash
runmqakm -cert -create -db "client.kdb" -pw Citi2019 -label ibmwebspheremqds26073 -dn "cn=ibmwebspheremqds26073, o=dev, c=br" -sigalg SHA256 -size 2048
runmqakm -cert -extract -db "client.kdb" -pw Citi2019 -label ibmwebspheremqds26073 -target ibmwebspheremqds26073.crt -format ascii

Server machine:

runmqakm -keydb -create -db "key.kdb" -pw Citi2019 -type cms -expire 1825 -stash
runmqakm -cert -create -db "key.kdb" -pw Citi2019 -label ibmwebspheremqbj_qm_sit -dn "cn=ibmwebspheremqbj_qm_sit, o=dev, c=br" -sigalg SHA256 -size 2048
runmqakm -cert -extract -db "key.kdb" -pw Citi2019 -label ibmwebspheremqbj_qm_sit -target ibmwebspheremqbj_qm_sit.crt -format ascii

Importing server certificate to client machine:

runmqakm -cert -add -db "client.kdb" -pw Citi2019 -label ibmwebspheremqbj_qm_sit -file ibmwebspheremqbj_qm_sit.crt -format ascii

Importing client certificate to server:

runmqakm -cert -add -db "key.kdb" -pw Citi2019 -label ibmwebspheremqds26073 -file ibmwebspheremqds26073.crt -format ascii


Queue definition:

DEFINE QLOCAL (BJBLOCK.BR.LIL.RESPONSE)
SET AUTHREC PROFILE(BJBLOCK.BR.LIL.RESPONSE) OBJTYPE(QUEUE) PRINCIPAL('ds26073') AUTHADD(PUT,GET)
SET AUTHREC OBJTYPE(QMGR) PRINCIPAL('ds26073') AUTHADD(CONNECT)


Server connection channel definition:

DEFINE CHANNEL('FLAECOMM_QM.BJ_QM') CHLTYPE(SVRCONN) MCAUSER('ds26073') TRPTYPE(TCP)
SET CHLAUTH(FLAECOMM_QM.BJ_QM) TYPE(ADDRESSMAP) ADDRESS(*) MCAUSER('ds26073')
SET AUTHREC PROFILE('FLAECOMM_QM.BJ_QM') GROUP('mqm') OBJTYPE(CHANNEL) AUTHADD(CHG,DLT,DSP,CTRL,CTRLX)


Alter channel to use AES256 certificate:

ALTER CHANNEL('FLAECOMM_QM.BJ_QM') CHLTYPE(SVRCONN) SSLCIPH('TLS_RSA_WITH_AES_256_CBC_SHA256')


Authorize user:

setmqaut -m BJ_QM_SIT -t qmgr -p ds26073 +connect +inq

Like I said, if he uses amqmdnet.dll V8, it works ok, but with amqmdnet.dll V9.0.0 and up, MQCONN returns reason code 2538.

AMQERR01.LOG shows message AMQ9637: Channel is lacking a certificate.


MQ trace shows:

0000025D 16:09:30.274342 4300.1 -----------} MQEncryptedSocket.MakeSecuredConnection() rc=OK
0000025E 16:09:30.275342 4300.1 System.Security.Authentication.AuthenticationException: remote certificate is invalid, according to the validation procedure.
em IBM.WMQ.Nmqi.MQEncryptedSocket.MakeSecuredConnection()
em IBM.WMQ.Nmqi.MQEncryptedSocket..ctor(NmqiEnvironment env, MQTCPConnection conn, Socket socket, MQChannelDefinition mqcd, MQSSLConfigOptions sslConfigOptions)
em IBM.WMQ.MQTCPConnection.ConnectSocket(String localAddr, String connectionName, Int32 options)
0000025F 16:09:30.275342 4300.1 New MQException CompCode: 2 Reason: 2538


This link: https://www.ibm.com/support/knowledgecenter/en/SSFKSJ_9.0.0/com.ibm.mq.dev.doc/q120700_.htm

says that is necessary import client certificates into Windows certificate store (I think this is new from V9):

Configure the client side.
a. Import the client certificates into the Windows certificate store (under the User/Computer account).
IBM MQ .NET accesses client certificates from the Windows certificate store, therefore you must import your certificates into the Windows certificate store to establish a secure socket connection to IBM MQ . For more information about how to access the Windows keystore and import the client side certificates, see Import or export certificates and private keys.


I dont have skills on SSL and .net. The reason it works with amqmdnet.dll V8, and do not work with amqmdnet.dll V9 is because of this note about importing client certificates into Windows certificate store?

Any help to solve this problem will be appreciated!!! King regards from BrazilFernando


Back to top
View user's profile Send private message
fjb_saper
PostPosted: Wed May 22, 2019 5:52 am Post subject: Reply with quote

Grand High Poobah

Joined: 18 Nov 2003
Posts: 20072
Location: LI,NY

Fernando,
In the connection properties I am missing the one that defines the connection mode as MQC.TRANSPORT_MQSERIES_CLIENT. This is from memory. Check out the samples and I am sure you will find the correct constants to use.

One example is given with
Code:
properties.Add(MQC.TRANSPORT_PROPERTY, MQC.TRANSPORT_MQSERIES_MANAGED)


Have fun
_________________
MQ & Broker admin
Back to top
View user's profile Send private message Send e-mail
Display posts from previous:
Post new topicReply to topic Page 1 of 1

MQSeries.net Forum IndexIBM MQ SecurityRC 2538 C# (amqmdnet.dll V9.0.0) and SSL - works with dll V8
Jump to:



You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
Protected by Anti-Spam ACP


Theme by Dustin Baccetti
Powered by phpBB 2001, 2002 phpBB Group

Copyright MQSeries.net. All rights reserved.