Server Cert Validation: Azure Function App and IBM MQ Client
panickp
Posted: Thu Jul 18, 2024 3:52 pm Post subject: Server Cert Validation: Azure Function App and IBM MQ Client
Newbie, Joined: 18 Jul 2024, Posts: 3
Good day all. I am using a function app (dotnet 8.0) to connect to on-prem IBM MQ using the MQ Client (9.4). Tried connecting with SSL off and it works. However, with SSL on, server certificate validation is failing.
Now, I don't want the client to validate the server certificate, as the server certs are on prem. I did follow IBM's links to set the Certificate Validation policy to NONE (through Environment, Hashtable and mqconfig.ini):
    mQProperties.Add(MQC.CERTIFICATE_VALIDATION_POLICY, MQC.MQ_CERT_VAL_POLICY_NONE); // Do not validate server certificate
    MQEnvironment.CertificateValPolicy = MQC.MQ_CERT_VAL_POLICY_NONE; // Do not validate server certificate - Environment
But this doesn't seem to have any effect from the logs.
Did search around for any similar issues but couldn't find any.
From the MQ trace, the error I'm getting is:
SSL Server Certificate validation failed - RemoteCertificateNameMismatch, RemoteCertificateChainErrors
000001C8 05:40:21.971753 8720.12 ------------} MQEncryptedSocket.ClientValidatingServerCertificate(Object,X509Certificate,X509Chain,SslPolicyErrors) rc=OK
000001C9 05:40:22.011661 8720.12 System.Security.Authentication.AuthenticationException: The remote certificate was rejected by the provided RemoteCertificateValidationCallback.
at System.Net.Security.SslStream.CompleteHandshake(SslAuthenticationOptions sslAuthenticationOptions)
at System.Net.Security.SslStream.contact admin[TIOAdapter](Boolean receiveFirst, Byte[] reAuthenticationData, CancellationToken cancellationToken)
at System.Net.Security.SslStream.AuthenticateAsClient(SslClientAuthenticationOptions sslClientAuthenticationOptions)
at IBM.WMQ.Nmqi.MQEncryptedSocket.MakeSecuredConnection()
000001CA 05:40:22.020019 8720.12 New MQException CompCode: 2 Reason: 2393
000001C2 05:40:21.581016 8720.12 ------------{ MQEncryptedSocket.FixClientCertificate(Object,String,X509CertificateCollection,X509Certificate,String[])
000001C3 05:40:21.586546 8720.12 Client callback has been invoked to find client certificate
000001C4 05:40:21.591104 8720.12 Use the first certificate that is from an acceptable issuer.
000001C5 05:40:21.596326 8720.12 ------------} MQEncryptedSocket.FixClientCertificate(Object,String,X509CertificateCollection,X509Certificate,String[]) rc=OK
000001C6 05:40:21.953206 8720.12 ------------{ MQEncryptedSocket.ClientValidatingServerCertificate(Object,X509Certificate,X509Chain,SslPolicyErrors)
Any insights here on what could be wrong? Why am I unable to turn off the server cert validation?
Thanks in advance.
fjb_saper
Posted: Sat Jul 20, 2024 10:39 pm Post subject:
Grand High Poobah, Joined: 18 Nov 2003, Posts: 20756, Location: LI,NY
Think hard: What's the point of a certificate if you don't validate its signer chain? Why are you even using a cert in that case?
Now I would understand not checking the OCSP revocation servers. But that is something different entirely.
Hope it helps
_________________
MQ & Broker admin
panickp
Posted: Sun Jul 21, 2024 4:01 pm Post subject:
Newbie, Joined: 18 Jul 2024, Posts: 3
Thanks mate. Actually it was more a limitation of the Azure ASP that we were unable to add the server certificate to trust store. Worked when we used ASE instead - after loading the CA certificate to the target Local Machine Cert store.
Now, this move to ASE impacts a lot of things for us - pipelines, private endpoints, cost, etc. Also, this is a corporate Azure connecting to its On Prem MQ server, and while the Function App's cert is validated by IBM MQ, validating MQ's cert is an overkill for us.
This is also the first time that we are connecting to the On Prem MQ from Azure. Other systems that connect are on prem.
Hence wanted to try out this option - of using ASP and bypassing server certificate validation - which in theory should have worked, but unfortunately, does not seem to.
fjb_saper
Posted: Mon Jul 22, 2024 1:01 am Post subject:
Grand High Poobah, Joined: 18 Nov 2003, Posts: 20756, Location: LI,NY
Seems to me you missed the point in the setup.
The logs protest that the client (ASP) is not doing the server cert validation.
This means you need to set the environment variable at the client level (ASP) and not the server level. Is there a reason you're not able to add the signer cert chain?
It looks like for cert validation policy there are only 2 choices,
the default being set to Any...
This is what the help for the field had to say:
The Certificate validation policy setting specifies which SSL/TLS certificate
validation policy is used to validate digital certificates received from
remote partner systems. If set to 'RFC5280', only the RFC 5280 compliant
certificate validation policy is used. If set to 'Any', the certificate chain is
accepted if any of the certificate validation policies supported by the
secure sockets library considers the certificate chain valid.
It looks like your Secure Sockets Library is requiring you to validate the signer chain.
I suppose you were able to install the ASP cert signer chain on the on-prem MQ server...
_________________
MQ & Broker admin
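The two SslPolicyErrors in the original trace (RemoteCertificateNameMismatch, RemoteCertificateChainErrors) and the RFC5280/Any policy text above both come down to what the OS-level callback sees. As an added example, not code from this thread or from IBM's MQ client, the .NET 8 pre-flight below performs only the TLS handshake against the queue manager listener with the same SslStream class the trace shows, records the errors the OS reports, and then re-validates the presented chain against an exported CA file with a custom root trust, which is the trust the ASE fix supplied. Host, port, CA PEM path and the expected peer name are assumed placeholders.

```csharp
using System;
using System.Net.Security;
using System.Net.Sockets;
using System.Security.Authentication;
using System.Security.Cryptography.X509Certificates;

// Diagnostic only: no MQ traffic is sent; it performs the TLS handshake and reports
// why the OS-level validation (the callback seen in the MQ trace) rejected the server.
static class MqTlsPreflight
{
    public sealed record Result(SslPolicyErrors OsErrors, bool ChainOkAgainstCa, string? Subject);

    public static Result Check(string host, int port, string caPemPath, string expectedPeerName)
    {
        // CA that signed the on-prem queue manager certificate, exported as PEM (assumed path).
        X509Certificate2 caCert = X509Certificate2.CreateFromPemFile(caPemPath);

        SslPolicyErrors observed = SslPolicyErrors.None;
        X509Certificate2? serverCert = null;
        var presented = new X509Certificate2Collection(); // intermediates the server sent

        using var tcp = new TcpClient(host, port);
        using var ssl = new SslStream(tcp.GetStream(), leaveInnerStreamOpen: false,
            (sender, cert, chain, errors) =>
            {
                observed = errors;
                if (cert is not null) serverCert = new X509Certificate2(cert);
                if (chain is not null)
                    foreach (X509ChainElement e in chain.ChainElements) presented.Add(e.Certificate);
                return errors == SslPolicyErrors.None; // keep the OS decision; do not bypass it
            });
        try
        {
            ssl.AuthenticateAsClient(expectedPeerName, null, SslProtocols.Tls12 | SslProtocols.Tls13, false);
        }
        catch (AuthenticationException) { /* expected when observed != None; the cert was still captured */ }

        // Re-validate the presented chain against our CA only (what adding the CA to the machine store does).
        bool chainOk = false;
        if (serverCert is not null)
        {
            using var chain = new X509Chain();
            chain.ChainPolicy.TrustMode = X509ChainTrustMode.CustomRootTrust;
            chain.ChainPolicy.CustomTrustStore.Add(caCert);
            chain.ChainPolicy.ExtraStore.AddRange(presented);
            chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck; // skip OCSP/CRL, not the signer check
            chainOk = chain.Build(serverCert);
        }
        return new Result(observed, chainOk, serverCert?.Subject);
    }
}
```

If ChainOkAgainstCa is true while OsErrors still reports RemoteCertificateChainErrors, the host's root store simply lacks the CA (the ASP situation); a RemoteCertificateNameMismatch means the connection name does not match the certificate's subject/SAN, and trusting the CA alone will not clear it.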
panickp
Posted: Mon Jul 22, 2024 3:12 pm Post subject:
Newbie, Joined: 18 Jul 2024, Posts: 3
fjb_saper
Posted: Wed Jul 24, 2024 6:03 am Post subject:
Grand High Poobah, Joined: 18 Nov 2003, Posts: 20756, Location: LI,NY
Have you tried getting a cert signed by a CA that's in your list of trusted root CAs? Might be able to still use ASP if your MQ cert is signed by a trusted root in your list...
_________________
MQ & Broker admin