CSQX688E - no SSL CA certificate for channel
zpat
PostPosted: Tue Sep 27, 2022 12:47 am    Post subject: CSQX688E - no SSL CA certificate for channel

z/OS MQ 9.2

CSQX688E !XXXX CSQXRCTL no SSL CA certificate for channel xxxxxx, connection nn.nn.nn.nn

The above comes out when I try to start a TLS secured sender channel xxxxxx to a third party.

Does this mean we (the sender end) need to add the CA of the third party or vice-versa?

Thanks. It would be helpful for the error message (or event message) to actually mention the CA name that it was looking for, but I guess IBM don't like to make it too easy

The event mentions reason 2371 - MQRQ_SSL_HANDSHAKE_ERROR

TLS RC 435.
_________________
Well, I don't think there is any question about it. It can only be attributable to human error. This sort of thing has cropped up before, and it has always been due to human error.
fjb_saper
PostPosted: Wed Sep 28, 2022 12:45 am    Post subject:

If the receiver channel presents a certificate, you need to have the root CA of its signer chain in the truststore. Usually we put the full signer chain in the truststore.
_________________
MQ & Broker admin
hughson
PostPosted: Wed Sep 28, 2022 12:47 am    Post subject:

Looking at the full details for IBM MQ error message CSQX688E it says:-

IBM Docs wrote:
CSQX688E
csect-name No SSL CA certificate for channel channel-name, connection conn-id

Severity
4
Explanation
The SSL key repository does not contain a certificate for the certificate authority (CA). The channel is channel-name; in some cases its name cannot be determined and so is shown as '????'. The remote connection is conn-id.

System action
The channel is not started.

System programmer response
Obtain a certificate for the certificate authority (CA) and add it to the key repository.

For more information, refer to System SSL RC 435.

The message explanation also contains a link to the description of the SSL Return code that MQ received that resulted in it writing this error message. The details of that reason code say:-

IBM Docs wrote:
435 Certification authority is unknown.

Explanation
The key database does not contain a certificate for the certification authority.

User response
Obtain the certificate for the certification authority and add it to the key database. When using a SAF key ring, the CA certificate must be TRUSTed.

If using RACF key rings, certificates that are marked as not trusted in the RACF database are not retrieved from the key ring. Ensure that the certificates needed to build the certificate's trust chain are available.

If using RACF key rings and the DIGTCERT and DIGTRING classes are RACLIST'ed, issue the SETROPTS RACLIST (DIGTCERT, DIGTRING) REFRESH command to refresh the profiles to ensure that the latest changes are available.

If generic profiling checking was enabled for the DIGTCERT class when the certificate was created or added and its issuer's distinguished name contains any generic characters (*, & and %), a generic certificate profile was created. This generic profile processing may cause the certificate not to be read from the key ring. This certificate will need to be removed and added back after turning off generic profile checking for DIGTCERT class. The SEARCH CLASS(DIGTCERT) command can be used to determine if the certificate's profile is generic. A (G) indicates generic.

Unfortunately the return code is all MQ is given which is why it can't say more about the missing CA than that. If you are receiving this error message then it is your end that must add the CA certificate in order to be able to validate the certificate from the partner. However, having said that, the partner will need to have the CA in order to be able to validate your queue manager's certificate too.

Cheers,
Morag
_________________
Morag Hughson @MoragHughson
IBM MQ Technical Education Specialist
Get your IBM MQ training here!
MQGem Software
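Added example, not from the thread and not IBM documentation: a batch job that carries out the "system programmer response" quoted above on the sender side, that is, on the queue manager that logs CSQX688E. It adds the partner's CA to the channel initiator's SAF key ring as TRUSTed, refreshes the RACLISTed DIGTCERT/DIGTRING classes named in the RC 435 text, and then has the queue manager re-read the ring. The data set, user ID, ring, label, queue manager name and MQ library high-level qualifier are placeholders.

```jcl
//ADDCA    JOB (ACCT),'ADD PARTNER CA',CLASS=A,MSGCLASS=X,NOTIFY=&SYSUID
//*
//* Step 1: RACF work. All names are placeholders (assumption):
//*   MQADM.PARTNER.CACERT = data set holding the partner's CA certificate
//*                          (DER binary, or base64 PEM uploaded as text)
//*   MQCHIN               = user ID the channel initiator runs under
//*   MQRING               = key ring named in the queue manager's SSLKEYR
//*                          attribute as MQCHIN/MQRING
//* If the partner's chain has intermediate CAs, ADD and CONNECT each of
//* them the same way (full signer chain in the ring).
//*
//RACF     EXEC PGM=IKJEFT01
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
  RACDCERT CERTAUTH ADD('MQADM.PARTNER.CACERT') +
    WITHLABEL('PARTNER ROOT CA') TRUST
  RACDCERT ID(MQCHIN) CONNECT(CERTAUTH LABEL('PARTNER ROOT CA') +
    RING(MQRING) USAGE(CERTAUTH))
  SETROPTS RACLIST(DIGTCERT DIGTRING) REFRESH
  RACDCERT CERTAUTH LIST(LABEL('PARTNER ROOT CA'))
  RACDCERT ID(MQCHIN) LISTRING(MQRING)
/*
//*
//* Step 2: make the queue manager (placeholder name MQ01) re-read the
//* key ring; until this runs the CHINIT keeps the old ring contents.
//*
//MQCMD    EXEC PGM=CSQUTIL,PARM='MQ01'
//STEPLIB  DD DISP=SHR,DSN=MQHLQ.SCSQANLE
//         DD DISP=SHR,DSN=MQHLQ.SCSQAUTH
//SYSPRINT DD SYSOUT=*
//SYSIN    DD *
COMMAND DDNAME(CMDINP)
/*
//CMDINP   DD *
REFRESH SECURITY TYPE(SSL)
/*
```

In the SYSTSPRT output of step 1, the LIST command should show the certificate with Status: TRUST and the LISTRING output should show it connected with usage CERTAUTH; a NOTRUST status or a missing ring entry is exactly the condition RC 435 describes.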
zpat
PostPosted: Wed Sep 28, 2022 10:50 am    Post subject:

OK thanks, so we need to find out what CA the other end is using.

I suspect it's their internal CA - probably they need to switch to an external one such as DigiCert.
_________________
Well, I don't think there is any question about it. It can only be attributable to human error. This sort of thing has cropped up before, and it has always been due to human error.