MQSeries.net Forum Index » IBM MQ Security » MQ SERVER TO CLIENT ISSUE
ashokt
PostPosted: Sun Sep 10, 2023 3:54 am    Post subject: MQ SERVER TO CLIENT ISSUE

Novice

Joined: 09 Oct 2022
Posts: 18

Dear team,

I've configured SSL from server to client. When the client establishes the connection, we get the error below in the QMGR logs:

============================================

AMQ9665E: SSL connection closed by remote end of channel '????'.

EXPLANATION:
The SSL or TLS connection was closed by the remote host '10.111.X.XXX' during
the secure socket handshake. The channel is '????'; in some cases its name
cannot be determined and so is shown as '????'. The channel did not start.
ACTION:
Check the remote end of the channel for SSL and TLS errors. Fix them and
restart the channel.

=================================

From the server side:

Using the ikeyman tool, we've configured it with the steps below:

-> Created the KDB file

-> Created the certificate request; the format came automatically as certreq.arm

-> Then I sent this certreq.arm file to the banker, who gave us two certificates named DigiCA.crt and Plannet.abc.com.crt

-> Then moved those certs to the local system and split them into root, intermediate and personal certs (double-click on the cert -> View -> Copy to File -> choose the location and file name as root, inter, personal certs) in .csr format.

-> Then moved those certs to the MQ/qmgr/ssl/ path

-> Then I added the root and intermediate certs under the signer certificates option in the ikeyman tool,

-> Then I added the personal cert under the personal certificates option in the ikeyman tool.

-> Finally I validated all certs using the validate option in the ikeyman tool and also verified the list of files added to the KDB by running it in command mode. Everything validated successfully.

-> Then I extracted the personal certificate using the command below:

runmqckm -cert -extract -db key.kdb -pw <kdb password> -label ibmwebspheremqqmaubdmztoplanix -target filename.arm -format ascii

Then we sent this extracted certificate to the destination team; they added it and gave us their public certificate, so we added that to my MQ KDB file and validated it, which succeeded.

-> We altered the QMGR SSL key repository: SSLKEYR('C:\ProgramData\IBM\MQ\qmgrs\qmaubdmztoplanix\QMGR\ssl\key')

-> Changed the SSL cipher at channel level
-> Chose SSLCAUTH(REQUIRED)

-> REFRESH SECURITY TYPE(SSL)

-> Then the application team tried to connect to us, but they are getting the error below:

Client side error:
===========

The details of the certificate which could not be validated are
'[Class=]GSKVALMethod::X509[Issuer=]CN=DigiCert Global G2 TLS RSA SHA256 2020
CA1,O=DigiCert
Inc,C=US[#=]0317a0b6d089bb4cce8be5e90ceea8e9[Subject=]CN=xxxxxxxO=xxx
xxxxxx.(C),L=xxxxx,C=xx[Class=]GSKVALMethod::PKIX[Issuer=]CN=Digi'.

The certificate validation error was 575010.
ACTION:
Check which of the possible causes applies on your system. Correct the error,
and restart the channel.

This error might indicate that the remote end of the channel is configured to
send the wrong certificate. Check the certificate label configuration at the
remote end of the channel and ensure that the local key repository contains all
of the necessary CA certificates.

=============================

Note: from the client to the server we are using a subnet between the client and the MQ server for connection establishment.

Without SSL, the client and MQ server connection is established successfully.

Can you please suggest on this.

Regards,
exerk
PostPosted: Sun Sep 10, 2023 7:10 am    Post subject: Re: MQ SERVER TO CLIENT ISSUE

Jedi Council

Joined: 02 Nov 2006
Posts: 6339

ashokt wrote:
From the server side:

Using the ikeyman tool, we've configured it with the steps below:

-> Created the KDB file

-> Created the certificate request; the format came automatically as certreq.arm

-> Then I sent this certreq.arm file to the banker, who gave us two certificates named DigiCA.crt and Plannet.abc.com.crt

-> Then moved those certs to the local system and split them into root, intermediate and personal certs (double-click on the cert -> View -> Copy to File -> choose the location and file name as root, inter, personal certs) in .csr format.

-> Then moved those certs to the MQ/qmgr/ssl/ path

-> Then I added the root and intermediate certs under the signer certificates option in the ikeyman tool,

-> Then I added the personal cert under the personal certificates option in the ikeyman tool.

-> Finally I validated all certs using the validate option in the ikeyman tool and also verified the list of files added to the KDB by running it in command mode. Everything validated successfully.

All good so far...

ashokt wrote:
-> Then I extracted the personal certificate using the command below:

runmqckm -cert -extract -db key.kdb -pw <kdb password> -label ibmwebspheremqqmaubdmztoplanix -target filename.arm -format ascii

Then we sent this extracted certificate to the destination team; they added it and gave us their public certificate, so we added that to my MQ KDB file and validated it, which succeeded.

Why? Why do you think they need a copy of your personal certificate in their key store?

Each end of the connection will exchange copies of their personal certificates, and it is those that are validated (or not, if the full chain is missing) against the CA certificates - you do not need to exchange personal certificates and add them to your key store unless they are self-signed!

EXAMPLE (GoDaddy for your CA, VeriSign for their CA)
Your key store contains:
GoDaddy Root CA Cert
GoDaddy Intermediate CA Cert
GoDaddy Personal Cert
VeriSign Root CA Cert
VeriSign Intermediate CA Cert

Their key store contains:
VeriSign Root CA Cert
VeriSign Intermediate CA Cert
VeriSign Personal Cert
GoDaddy Root CA Cert
GoDaddy Intermediate CA Cert

ashokt wrote:
-> We altered the QMGR SSL key repository: SSLKEYR('C:\ProgramData\IBM\MQ\qmgrs\qmaubdmztoplanix\QMGR\ssl\key')

-> Changed the SSL cipher at channel level
-> Chose SSLCAUTH(REQUIRED)

-> REFRESH SECURITY TYPE(SSL)

-> Then the application team tried to connect to us, but they are getting the error below:

Client side error:
===========

The details of the certificate which could not be validated are
'[Class=]GSKVALMethod::X509[Issuer=]CN=DigiCert Global G2 TLS RSA SHA256 2020
CA1,O=DigiCert
Inc,C=US[#=]0317a0b6d089bb4cce8be5e90ceea8e9[Subject=]CN=xxxxxxxO=xxx
xxxxxx.(C),L=xxxxx,C=xx[Class=]GSKVALMethod::PKIX[Issuer=]CN=Digi'.


The certificate validation error was 575010.
ACTION:
Check which of the possible causes applies on your system. Correct the error, and restart the channel.

This error might indicate that the remote end of the channel is configured to
send the wrong certificate. Check the certificate label configuration at the
remote end of the channel and ensure that the local key repository contains all of the necessary CA certificates.

Someone is probably lacking the full chain within their key store...

Hint: Check the issuer of the certificate which could not be validated, then check in which key store it is missing, but the answer is right there in front of you...
_________________
It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys.
ashokt
PostPosted: Tue Sep 12, 2023 8:59 pm    Post subject:

Novice

Joined: 09 Oct 2022
Posts: 18

Hi exerk,

Thank you very much for your update; we were working on what you suggested.
hughson
PostPosted: Tue Sep 12, 2023 10:36 pm    Post subject: Re: MQ SERVER TO CLIENT ISSUE

Padawan

Joined: 09 May 2013
Posts: 1916
Location: Bay of Plenty, New Zealand

exerk wrote:
ashokt wrote:
client side error:
===========

The details of the certificate which could not be validated are
'[Class=]GSKVALMethod::X509[Issuer=]CN=DigiCert Global G2 TLS RSA SHA256 2020
CA1,O=DigiCert
Inc,C=US[#=]0317a0b6d089bb4cce8be5e90ceea8e9[Subject=]CN=xxxxxxxO=xxx
xxxxxx.(C),L=xxxxx,C=xx[Class=]GSKVALMethod::PKIX[Issuer=]CN=Digi'.

The certificate validation error was 575010.

Someone is probably lacking the full chain within their key store...

Indeed so @exerk - certificate validation error 575010 means "No certificate chain was built". See table 2 on the IBM Docs page Transport Layer Security (TLS) return codes.

Cheers,
Morag
_________________
Morag Hughson @MoragHughson
IBM MQ Technical Education Specialist
Get your IBM MQ training here!
MQGem Software
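As an added illustration of exerk's key-store table and of what 575010 ("No certificate chain was built") means in practice (example script written for this page, not from the thread or from IBM's tooling): it builds a root -> intermediate -> personal chain with openssl, then checks the personal certificate against a trust store that holds only the root signer (no chain can be built) and against one that holds root plus intermediate. The CA names and hostname are constructed, and openssl verify stands in for the GSKit validation MQ performs.

```shell
#!/bin/sh
# Added example, not from the thread: build a root -> intermediate -> personal
# certificate chain with openssl, then check the personal cert against two
# trust stores. All CA names and the hostname are constructed.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

make_chain() {
    # Extensions that mark root and intermediate as CAs; the leaf gets none
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
        > "$WORK/ca.ext"
    # Root CA: CSR signed with its own key
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Example Root CA" \
        -keyout "$WORK/root.key" -out "$WORK/root.csr" 2>/dev/null
    openssl x509 -req -days 1 -in "$WORK/root.csr" -signkey "$WORK/root.key" \
        -extfile "$WORK/ca.ext" -out "$WORK/root.crt" 2>/dev/null
    # Intermediate CA: signed by the root
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Example Intermediate CA" \
        -keyout "$WORK/int.key" -out "$WORK/int.csr" 2>/dev/null
    openssl x509 -req -days 1 -in "$WORK/int.csr" -CA "$WORK/root.crt" \
        -CAkey "$WORK/root.key" -CAcreateserial -extfile "$WORK/ca.ext" \
        -out "$WORK/int.crt" 2>/dev/null
    # Personal (end-entity) cert of the queue manager: signed by the intermediate
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=qmgr.example.com" \
        -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
    openssl x509 -req -days 1 -in "$WORK/leaf.csr" -CA "$WORK/int.crt" \
        -CAkey "$WORK/int.key" -CAcreateserial -out "$WORK/leaf.crt" 2>/dev/null
}

# verify_leaf <signers.pem>: succeeds only if a chain from the personal cert up
# to a trusted root can be built from that store (the peer sends just its own cert).
verify_leaf() {
    openssl verify -CAfile "$1" "$WORK/leaf.crt" >/dev/null 2>&1
}

# Peer's key store holds only the root signer: no chain can be built (the 575010 case)
verify_root_only() { verify_leaf "$WORK/root.crt"; }

# Peer's key store holds root and intermediate signers: the chain builds
verify_full_chain() {
    cat "$WORK/root.crt" "$WORK/int.crt" > "$WORK/signers.pem"
    verify_leaf "$WORK/signers.pem"
}

make_chain
verify_root_only && echo "root only: verified" || echo "root only: no certificate chain built"
verify_full_chain && echo "root + intermediate: verified" || echo "root + intermediate: failed"
```

The same check applies to a CMS key database: the signer entries must contain every CA in the peer's chain, not the peer's personal certificate.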
ashokt
PostPosted: Tue Sep 12, 2023 11:01 pm    Post subject: Re: MQ SERVER TO CLIENT ISSUE

Novice

Joined: 09 Oct 2022
Posts: 18

hughson wrote:
exerk wrote:
ashokt wrote:
client side error:
===========

The details of the certificate which could not be validated are
'[Class=]GSKVALMethod::X509[Issuer=]CN=DigiCert Global G2 TLS RSA SHA256 2020
CA1,O=DigiCert
Inc,C=US[#=]0317a0b6d089bb4cce8be5e90ceea8e9[Subject=]CN=xxxxxxxO=xxx
xxxxxx.(C),L=xxxxx,C=xx[Class=]GSKVALMethod::PKIX[Issuer=]CN=Digi'.

The certificate validation error was 575010.

Someone is probably lacking the full chain within their key store...

Indeed so @exerk - certificate validation error 575010 means "No certificate chain was built". See table 2 on the IBM Docs page Transport Layer Security (TLS) return codes.

Cheers,
Morag

Hi @hughson, thanks for table 2. Kindly let us know what kind of action needs to be taken to avoid the above code. Do we need to take any further action from the server side, or do changes need to be made from the client side?
gbaddeley
PostPosted: Wed Sep 13, 2023 3:13 pm    Post subject:

Jedi

Joined: 25 Mar 2003
Posts: 2495
Location: Melbourne, Australia

Hi Ashok, rather than reaching out to random people on the Internet, it would be worth investing your time in gaining a proper understanding of SSL/TLS requirements and implementation on MQ channels. Everything will then be clear to you, and you won't waste time trying various things, hoping that they will work. It will also allow you to investigate and resolve issues when they occur.

Learn about X509 / PKI, learn about TLS cipher specs, learn about MQ cert keystore management (CMS and JKS), learn about CA certificate signing processes. This knowledge will stand you in good stead for the future.

Recently I needed to set up a new MQ TLS channel infrastructure, and it worked perfectly first time, because I understood everything that I was doing.
_________________
Glenn
hughson
PostPosted: Wed Sep 13, 2023 3:38 pm    Post subject: Re: MQ SERVER TO CLIENT ISSUE

Padawan

Joined: 09 May 2013
Posts: 1916
Location: Bay of Plenty, New Zealand

ashokt wrote:
hughson wrote:
exerk wrote:
ashokt wrote:
client side error:
===========

The details of the certificate which could not be validated are
'[Class=]GSKVALMethod::X509[Issuer=]CN=DigiCert Global G2 TLS RSA SHA256 2020
CA1,O=DigiCert
Inc,C=US[#=]0317a0b6d089bb4cce8be5e90ceea8e9[Subject=]CN=xxxxxxxO=xxx
xxxxxx.(C),L=xxxxx,C=xx[Class=]GSKVALMethod::PKIX[Issuer=]CN=Digi'.

The certificate validation error was 575010.

Someone is probably lacking the full chain within their key store...

Indeed so @exerk - certificate validation error 575010 means "No certificate chain was built". See table 2 on the IBM Docs page Transport Layer Security (TLS) return codes.

Cheers,
Morag

Hi @hughson, thanks for table 2. Kindly let us know what kind of action needs to be taken to avoid the above code. Do we need to take any further action from the server side, or do changes need to be made from the client side?


ashokt wrote:
Hi exerk,

Thank you very much for your update; we were working on what you suggested.

I thought you were already following what @exerk told you? Don't exchange the personal certificates since they are not self-signed. How are you getting on with that?

Cheers,
Morag
_________________
Morag Hughson @MoragHughson
IBM MQ Technical Education Specialist
Get your IBM MQ training here!
MQGem Software
ashokt
PostPosted: Thu Sep 14, 2023 12:08 am    Post subject: Re: MQ SERVER TO CLIENT ISSUE

Novice

Joined: 09 Oct 2022
Posts: 18

EXAMPLE (GoDaddy for your CA, VeriSign for their CA)
Your key store contains:
GoDaddy Root CA Cert
GoDaddy Intermediate CA Cert
GoDaddy Personal Cert
VeriSign Root CA Cert
VeriSign Intermediate CA Cert

Their key store contains:
VeriSign Root CA Cert
VeriSign Intermediate CA Cert
VeriSign Personal Cert
GoDaddy Root CA Cert
GoDaddy Intermediate CA Cert


Dear @exerk,

We've tried this; the channel was running fine as expected. Thanks for the advice and support.
exerk
PostPosted: Thu Sep 14, 2023 5:47 am    Post subject: Re: MQ SERVER TO CLIENT ISSUE

Jedi Council

Joined: 02 Nov 2006
Posts: 6339

ashokt wrote:
EXAMPLE (GoDaddy for your CA, VeriSign for their CA)
Your key store contains:
GoDaddy Root CA Cert
GoDaddy Intermediate CA Cert
GoDaddy Personal Cert
VeriSign Root CA Cert
VeriSign Intermediate CA Cert

Their key store contains:
VeriSign Root CA Cert
VeriSign Intermediate CA Cert
VeriSign Personal Cert
GoDaddy Root CA Cert
GoDaddy Intermediate CA Cert


Dear @exerk,

We've tried this; the channel was running fine as expected. Thanks for the advice and support.

Just to close the loop, and for the education of others that may encounter the same problem, in which key store was the chain missing?
_________________
It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys.
ashokt
PostPosted: Wed Sep 27, 2023 9:05 pm    Post subject: Re: MQ SERVER TO CLIENT ISSUE

Novice

Joined: 09 Oct 2022
Posts: 18

exerk wrote:
ashokt wrote:
EXAMPLE (GoDaddy for your CA, VeriSign for their CA)
Your key store contains:
GoDaddy Root CA Cert
GoDaddy Intermediate CA Cert
GoDaddy Personal Cert
VeriSign Root CA Cert
VeriSign Intermediate CA Cert

Their key store contains:
VeriSign Root CA Cert
VeriSign Intermediate CA Cert
VeriSign Personal Cert
GoDaddy Root CA Cert
GoDaddy Intermediate CA Cert


Dear @exerk,

We've tried this; the channel was running fine as expected. Thanks for the advice and support.

Just to close the loop, and for the education of others that may encounter the same problem, in which key store was the chain missing?

From the client side, the chain was missing. They corrected it and connected to our MQ server.
exerk
PostPosted: Thu Sep 28, 2023 5:21 am    Post subject: Re: MQ SERVER TO CLIENT ISSUE

Jedi Council

Joined: 02 Nov 2006
Posts: 6339

ashokt wrote:
...From the client side, the chain was missing. They corrected it and connected to our MQ server.

And the answer was right there for you from the beginning, in the client side error logs and queue manager logs, but I think lack of experience made interpreting them problematical.

Things to focus on, should something like this happen again:

1. AMQ9665E: SSL connection closed by remote end of channel '????'. in the queue manager log clearly shows which end of the connection is ending the connection, and in this case it was the client end.

2. The details of the certificate which could not be validated are... in the client log shows the exact error, i.e., that a link in the chain is missing, and what that link is.

A good learning experience for you, and will make you a far better MQ Admin because of it.
_________________
It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys.