ASG
IBM
Zystems
Cressida
Icon
Netflexity
 
  MQSeries.net
Search  Search       Tech Exchange      Education      Certifications      Library      Info Center      SupportPacs      LinkedIn  Search  Search                                                                   FAQ  FAQ   Usergroups  Usergroups
 
Register  ::  Log in Log in to check your private messages
 
RSS Feed - WebSphere MQ Support RSS Feed - Message Broker Support

MQSeries.net Forum IndexIBM MQ SecurityProblems with SSL

Post new topicReply to topic
Problems with SSL View previous topic :: View next topic
Author Message
ttechsavvy
PostPosted: Wed Sep 09, 2020 6:04 am Post subject: Problems with SSL Reply with quote

Newbie

Joined: 09 Sep 2020
Posts: 2

Hello!

I started two months ago at a new job and one of my first "task" is to set up IBM MQ for other companies to send us messages. This is my first time that I've touched and configured IBM MQ.

I've set up MQ on one node for basic configuration (local queue, channel, listener) in test environment. Later on, when messages and connection to our partner is up, I'am planning to configure RDMQ.

The problem what I have is with certificates. Our parter sent us Root and Intermediate certs which I added to queue manager keystore. Added SSLCIPH to channels and refreshed security like the documentation says. Will add commands how I did it at the end of the post.

Now when partner pings our channel he gets this error:

Code:
AMQ9665: SSL connection closed by remote end of channel

EXPLANATION:
The SSL or TLS connection was closed by the remote host '******
(******)(***)' during the secure socket handshake. The channel is
'*********'; in some cases its name cannot be determined and so is
shown as '????'. The channel did not start.


Does anybody have a clue what can be wrong our misconfigured?

Commands how I added certificates to qmgr keystore:

Code:

/runmqckm -cert -add -db ---.kdb -stashed -file root.cer -label "****"
/runmqckm -cert -add -db ---.kdb -stashed -file intermediate.cer -label "****"


As there are so much to learn and read about IBM MQ, I might have missed something..

Thanks
Back to top
View user's profile Send private message
Vitor
PostPosted: Wed Sep 09, 2020 10:01 am Post subject: Re: Problems with SSL Reply with quote

Grand High Poobah

Joined: 11 Nov 2005
Posts: 26042
Location: Texas, USA

ttechsavvy wrote:
I might have missed something.


Where are the commands to set up a personal certificate for the queue manager that it can exchange with the remote queue manager?

How will the remote queue manager know to trust your one?
_________________
Honesty is the best policy.
Insanity is the best defence.
Back to top
View user's profile Send private message
ttechsavvy
PostPosted: Thu Sep 10, 2020 10:19 pm Post subject: Reply with quote

Newbie

Joined: 09 Sep 2020
Posts: 2

Thanks for the reply!

I managed to get it working in my localhost "playground" with self-signed certificates. Created two keystores, two personal certificates and added the public part to valid keystore. Messages are coming through so everything seems fine with that.

But with the partner - I have to also set up personal certificate signed with CA and sent root and intermediate certs to partner?

Process connecting with partner, correct me if I am getting something wrong:

1. Create CSR request form keystore
Code:

runmqakm -certreq -create -db ---.kdb -stashed -label mylabel -san_dnsname dnsname -dn "CN=example, O=mycompany, L=Utah, C=US" -size 2048 -file cert.csr


2. Order and get certificates from CA with CSR
3. Receive CA certificate to keystore
Code:

runmqakm -cert -receive -db ---.kdb -stashed -file CA.crt


4. Add Root and Intermediate certs to keystore
Code:

runmqakm -cert -add -db ---.kdb -stashed -label "ROOT" -file ROOT.crt -format ascii
runmqakm -cert -add -db ---.kdb -stashed -label "INTERMEDIATE" -file INTERMEDIATE.crt -format ascii


5. Send these Intermediate and Root certificate to partner

6. Set up also a sender channel

7. Refresh security

Again, I am pretty new a this so my apologies.


Thanks
Back to top
View user's profile Send private message
Vitor
PostPosted: Fri Sep 11, 2020 5:16 am Post subject: Reply with quote

Grand High Poobah

Joined: 11 Nov 2005
Posts: 26042
Location: Texas, USA

ttechsavvy wrote:
But with the partner - I have to also set up personal certificate signed with CA and sent root and intermediate certs to partner?


Unless they happen to trust the same CA.

This is SSL rather than MQ. The only difference is that in HTTPS, a lot of the work is done out of sight of humans by the browser and the web server. You'll notice most modern web browsers put a little padlock on the URL address bar when they've worked this out, and throw a variety of warning pages ("This connection is not secure") if they can't verify the address of the web server or it's verified by a CA they don't trust.

ttechsavvy wrote:
Process connecting with partner, correct me if I am getting something wrong:

...



Try it. If it works, you're not getting something wrong. Experience is the best teacher.
_________________
Honesty is the best policy.
Insanity is the best defence.
Back to top
View user's profile Send private message
exerk
PostPosted: Fri Sep 11, 2020 8:48 am Post subject: Reply with quote

Jedi Council

Joined: 02 Nov 2006
Posts: 6191

Does the label on your certificate match that of the channel?

From the Knowledge Centre:
Quote:
The QMGR CERTLABL is still checked and validated, even if CHANNEL CERTLABL is being used. The channel program needs to access a certificate with the label name, ibmwebspheremq, appended with the name of the queue manager, all in lowercase. For example, with a queue manager named QM1, the default certificate label is ibmwebspheremqqm1.

This rule applies even when you are using the CERTLABL attribute on the channel to tell the queue manager to use a different certificate from ibmwebspheremq appended with the queue manager name all in lowercase.

My emphasis on that last part...
_________________
It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys.

Back to top
View user's profile Send private message
Display posts from previous:
Post new topicReply to topic Page 1 of 1

MQSeries.net Forum IndexIBM MQ SecurityProblems with SSL
Jump to:



You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
Protected by Anti-Spam ACP


Theme by Dustin Baccetti
Powered by phpBB 2001, 2002 phpBB Group

Copyright MQSeries.net. All rights reserved.