dextermbmq
Posted: Tue Jun 16, 2020 12:15 pm Post subject: Channel lacking a certificate issue
Voyager, Joined: 26 Jul 2014, Posts: 77
IBM MQ v9.1.0.1
Client is Java based application running on Oracle JRE hence using -Dcom.ibm.mq.cfg.useIBMCipherMappings=false with TLS Cipher TLS_RSA_WITH_AES_128_CBC_SHA256
Hi All,
Currently a Java based application is connecting to MQ over One Way SSL.
CHANNEL(OCS_ESB_SVRCONN) CHLTYPE(SVRCONN)
MCAUSER(<appuserid>)
SSLCIPH(TLS_RSA_WITH_AES_128_CBC_SHA256) SSLCAUTH(OPTIONAL)
I am changing the One way ssl mode to mutual auth by updating the channel definition as :
CHANNEL(OCS_ESB_SVRCONN) CHLTYPE(SVRCONN)
MCAUSER(<appuserid>)
SSLCIPH(TLS_RSA_WITH_AES_128_CBC_SHA256) SSLCAUTH(REQUIRED)
The client certificate is copied into the Queue Manager repository. However, an attempt to start the channel gives:
AT QUEUE MANAGER AMQ9637E: Channel is lacking a certificate.
AT APPLICATION AMQ9503: Channel negotiation failed
From the link below, this means a missing client personal certificate, i.e. the client is either not sending a certificate or it is not copied into the QMgr repository (however, in my case it is copied):
https://www.ibm.com/support/knowledgecenter/SSFKSJ_8.0.0/com.ibm.mq.tro.doc/q123400_.htm
When I put the Java application in debug mode to check the initiation logs, I see the log entry below before the MQ errors start to come up, which for some reason says "no suitable certificate found":
*** ServerHelloDone
[read] MD5 and SHA1 hashes: len = 4
0000: 0E 00 00 00 ....
Warning: no suitable certificate found - continuing without client authentication
*** Certificate chain
<Empty>
***
update handshake state: certificate[11]
upcoming handshake states: client_key_exchange[16]
I see a post which points to a similar issue:
https://www.ibm.com/support/pages/apar/IT10837
The Oracle JVM did not create a default internal key manager
object for TLS socket connections, meaning that the client's
signed personal certificates were not available for client
authentication during the handshake, causing the connection
attempt to fail.
But my MQ version is 9.1.0.1, and this error seems to have been fixed already in 8.5.0.5.
Could someone please help me or guide me in the right direction? I have not slept for the last 48 hrs due to this issue.
Vitor
Posted: Tue Jun 16, 2020 12:19 pm Post subject:
Grand High Poobah, Joined: 11 Nov 2005, Posts: 26093, Location: Texas, USA
Wouldn't you need the signer certificate at the queue manager end to make up the keychain?
Java.
Bah.
Java.
_________________
Honesty is the best policy.
Insanity is the best defence.
dextermbmq
Posted: Tue Jun 16, 2020 12:38 pm Post subject:
Voyager, Joined: 26 Jul 2014, Posts: 77
Yes. The MQ key repository is already configured with a CA-signed cert. The MQ public cert is also copied into the client's truststore (that was how the one-way authentication was working: the Java client was validating the MQ public cert from its truststore). However, the issue is when SSLCAUTH is set to REQUIRED and the Queue Manager has to check the application cert.
hughson
Posted: Tue Jun 16, 2020 1:17 pm Post subject:
Padawan, Joined: 09 May 2013, Posts: 1959, Location: Bay of Plenty, New Zealand
Your question does not tell us what you did at the client to change it to send a certificate. Could you tell us what steps you took to change things at the client, please?
Cheers,
Morag
_________________
Morag Hughson @MoragHughson
IBM MQ Technical Education Specialist
Get your IBM MQ training here!
MQGem Software
dextermbmq
Posted: Tue Jun 16, 2020 4:42 pm Post subject:
Voyager, Joined: 26 Jul 2014, Posts: 77
Thanks Morag, I got your point and have almost fixed the issue. Doing final checks and configs. So, I was integrating Kafka with MQ via the MQ Kafka connector, where we have the option of setting keystore/truststore files and passwords in the distributed worker properties file for Kafka-specific connectivity. I was of the view that the communication for MQ would also be using the same properties file for the keystore and truststore; however, it looks like that is not the case. I specifically set the keystore and truststore as below:
export EXTRA_ARGS="-Dcom.ibm.mq.cfg.useIBMCipherMappings=false -Djavax.net.ssl.keyStore='key.jks' -Djavax.net.ssl.keyStorePassword='<xxx>' -Djavax.net.debug=all -Djavax.net.ssl.trustStore=truststore.jks -Djavax.net.ssl.trustStorePassword=<xxxx>"
and everything worked like a charm.
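What the `-Djavax.net.ssl.keyStore` / `-Djavax.net.ssl.keyStorePassword` properties in the post above achieve is to give the JDK's default SSLContext a key manager that holds the client's personal certificate and private key; without one, JSSE answers the queue manager's CertificateRequest with an empty chain ("no suitable certificate found - continuing without client authentication") and the SVRCONN channel with SSLCAUTH(REQUIRED) fails with AMQ9637E. The following is an added example, not code from the original post or from the MQ Kafka connector: it builds the same thing explicitly with KeyManagerFactory and TrustManagerFactory, refuses to proceed if the keystore holds no PrivateKeyEntry (a keystore that only has trustedCertEntry items, the usual result of importing a .cer file, cannot present a client certificate), and hands the resulting socket factory to the MQ classes for JMS. The host name, port, queue manager name and passwords are assumptions; the file names, channel name and cipher suite are the ones in the thread.

```java
// Added example (not from the original post): build a JSSE SSLContext that
// actually carries a key manager, then hand it to the MQ JMS client so the
// queue manager's SSLCAUTH(REQUIRED) channel receives a client certificate.
// Host, port, queue manager name and passwords are assumptions.
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.util.Enumeration;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;
import com.ibm.mq.jms.MQConnectionFactory;
import com.ibm.msg.client.wmq.WMQConstants;

public class MutualTlsMqClient {

    /** Load a keystore of the given type (JKS or PKCS12) from disk. */
    static KeyStore load(String path, String type, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance(type);
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        return ks;
    }

    /**
     * Count PrivateKeyEntry aliases. A keystore holding only trustedCertEntry
     * items cannot satisfy a CertificateRequest, and JSSE then logs
     * "no suitable certificate found - continuing without client authentication".
     */
    static int privateKeyEntries(KeyStore ks) throws Exception {
        int count = 0;
        for (Enumeration<String> aliases = ks.aliases(); aliases.hasMoreElements();) {
            if (ks.isKeyEntry(aliases.nextElement())) {
                count++;
            }
        }
        return count;
    }

    /** Build an SSLContext with a key manager (client identity) and a trust manager (server validation). */
    static SSLContext buildContext(KeyStore keyStore, char[] keyPassword, KeyStore trustStore) throws Exception {
        if (privateKeyEntries(keyStore) == 0) {
            throw new IllegalStateException("keystore contains no private key entry; client auth cannot succeed");
        }
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(keyStore, keyPassword);
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);
        SSLContext ctx = SSLContext.getInstance("TLSv1.2");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        // Oracle/OpenJDK JSSE: use the standard cipher-suite names, not the IBM ones.
        System.setProperty("com.ibm.mq.cfg.useIBMCipherMappings", "false");

        char[] keyPw = "changeit".toCharArray();    // assumed
        char[] trustPw = "changeit".toCharArray();  // assumed
        KeyStore keyStore = load("key.jks", "JKS", keyPw);             // file name from the post
        KeyStore trustStore = load("truststore.jks", "JKS", trustPw);  // file name from the post
        SSLContext ctx = buildContext(keyStore, keyPw, trustStore);

        MQConnectionFactory cf = new MQConnectionFactory();
        cf.setTransportType(WMQConstants.WMQ_CM_CLIENT);
        cf.setHostName("mqhost.example.com");  // assumed
        cf.setPort(1414);                       // assumed
        cf.setQueueManager("QM1");              // assumed
        cf.setChannel("OCS_ESB_SVRCONN");       // channel from the post
        cf.setSSLCipherSuite("TLS_RSA_WITH_AES_128_CBC_SHA256"); // matches SSLCIPH on the channel
        cf.setSSLSocketFactory(ctx.getSocketFactory());

        try (javax.jms.Connection conn = cf.createConnection()) {
            conn.start();
            System.out.println("Connected with client certificate presented");
        }
    }
}
```

The explicit SSLContext is interchangeable with the `-Djavax.net.ssl.*` properties from the post: both end up with a key manager backed by a keystore that contains the personal certificate. The advantage of building it in code is that the PrivateKeyEntry check fails fast with a clear message instead of the handshake silently continuing without client authentication, and the key material is scoped to the MQ connection rather than to every TLS socket in the JVM.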
hughson
Posted: Tue Jun 16, 2020 8:27 pm Post subject:
Padawan, Joined: 09 May 2013, Posts: 1959, Location: Bay of Plenty, New Zealand