Windows Client/Server SSL Configuration under IIS

Author: aramg (Newbie; Joined: 24 Aug 2004; Posts: 3)
Posted: Tue Aug 24, 2004 3:07 pm    Post subject: Windows Client/Server SSL Configuration under IIS
Hi,
I am new to MQSeries and am prototyping a bunch of 'simple' scenarios.
I have a WebSphere MQ Server running on Windows 2003, and an XP Pro client.

I have established SSL communication from the client to the server (can successfully write messages) using the amqmdnet.dll.

When I copy the same code to an aspx (web) page, the SSL authentication fails with MQRC_SSL_INITIALIZATION_ERROR.

SChannel logs:
The remote server has requested SSL client authentication, but no suitable client certificate could be found. An anonymous connection will be attempted. This SSL connection request may succeed or fail, depending on the server's policy settings.

I am able to write from this same web client (page) over a non-SSL channel.

The client code FWIW is basically from the docs:

```csharp
// Requires a reference to amqmdnet.dll and "using IBM.WMQ;" in the code-behind.
// Connects to the queue manager over the SSL channel and puts one string message.
private void putMessNet1CustomSSL(string MessToPut) {
    // Client connection details; the key repository path is given without its file extension
    MQEnvironment.Hostname = "IPADDRESS";
    MQEnvironment.Port = 12004;
    MQEnvironment.Channel = "CH_SSLAUTH";
    MQEnvironment.SSLKeyRepository = @"C:\Work\MQCerts\key";
    MQEnvironment.SSLCipherSpec = "RC4_MD5_US";
    MQQueueManager qMgr = new MQQueueManager("QM_ARAMNOCLUSTSSL");
    MQQueue postingQueue = qMgr.AccessQueue("Q_SSLAuth", MQC.MQOO_OUTPUT);
    MQMessage message = new MQMessage();
    message.Format = MQC.MQFMT_STRING;
    MQPutMessageOptions options = new MQPutMessageOptions();
    options.Options = MQC.MQPMO_NO_SYNCPOINT;   // put outside of syncpoint
    message.WriteString(MessToPut);
    postingQueue.Put(message, options);
    postingQueue.Close();
    qMgr.Disconnect();
}
```

I have the environment variable set for SSLKEYR.

I speculate that when it is running under IIS somehow it is not able to use the keystore ... or find it, or??

I have tried a few hackish variations trying to see where I am being caught up. I have since undone them, but those variations include:
Adding ASPNET to local administrators
Changing the anonymous user on the site to my identity (local administrator)
I ran Sysinternals Filemon hoping for something there, but found nothing useful.
And other less useful tweaks.

It sounds as though others are managing to use this component from .NET, and I would therefore assume that it is usable from ASP.NET. I assume using COM+ would solve this issue, but I am hoping for some insight/alternatives from this group.

Any suggestions are appreciated.

Thanks,
-Aram

Author: JasonE (Grand Master; Joined: 03 Nov 2003; Posts: 1220; Location: Hursley)
Posted: Wed Aug 25, 2004 2:16 am
I think the problem is you haven't (and can't, easily..) assigned a certificate to the client side. Making the keystore available via MQSSLKEYR is one thing, but on MQ 5.3 on Windows you need to do an assign stage to identify the certificate that will be used as the client's personal one.
You can do this with amqmcert, but the problem here is that it assigns the certificate for the userid which runs the amqmcert command (with options). Hence the only way to get an assigned certificate for IIS is to run the amqmcert command under the userid which runs your IIS ASP page. That's a challenge and a half....

Author: aramg (Newbie; Joined: 24 Aug 2004; Posts: 3)
Posted: Wed Aug 25, 2004 6:35 am
Interesting. Thank you for the analysis.
I had somehow managed to convince myself that the .sto file was self-contained and, once configured, could be referenced by the physical path (and used, because it contains the private key). But it sounds like something specific to the identity has to match. So in this case COM+/Enterprise Services is the obvious candidate, as then you are already creating a custom identity to run the package, so logging in as that identity and setting up the .sto file would be a minimal additional configuration.

I think typically in Windows the LOCAL_MACHINE store would be used to share a certificate among identities, but I guess there is no equivalent in this case.

Author: JasonE (Grand Master; Joined: 03 Nov 2003; Posts: 1220; Location: Hursley)
Posted: Wed Aug 25, 2004 6:51 am
Yeah, that's not the way it works on MQ on Windows. The Manage Certificates/amqmcert stuff copies them from the local machine or current user stores into MQ qmgr keystore files (same format as the O/S ones, as we use the O/S functions to do it).
On Unix, the assigning is virtual, and done by changing the friendly name of the certificate, but on Windows you have a registry key under current user which points to it (for the client assigning). This therefore gives you a unique assigned certificate per user, which is useful, but causes problems if you try to do it from services, ASP etc.
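The per-identity behaviour JasonE describes can be confirmed from the page itself. The diagnostic below is an added example, not code from either poster or from IBM: it reports which Windows identity the ASP.NET worker is actually running as, whether that identity can read the key repository file, and surfaces the MQ reason code from the failed connect so a file/ACL problem is distinguishable from a missing assigned certificate. The `.sto` extension, the class and method names, and the presence of `MQC.MQRC_SSL_INITIALIZATION_ERROR` in this amqmdnet build are assumptions.

```csharp
using System;
using System.IO;
using System.Security.Principal;
using IBM.WMQ;   // amqmdnet.dll

public static class SslClientDiag
{
    // Reports the identity the MQ client runs as and whether it can read the key
    // repository. Under IIS this is ASPNET or the anonymous account, not the user
    // who ran amqmcert, so that account's HKCU hive holds no assigned certificate.
    public static string Check(string keyRepository)
    {
        string who = WindowsIdentity.GetCurrent().Name;
        string report = "Running as: " + who + Environment.NewLine;
        string sto = keyRepository + ".sto";   // assumed extension of the MQ key repository
        if (!File.Exists(sto))
            return report + "Key repository missing: " + sto;
        try { using (File.OpenRead(sto)) { } }   // open read-only, then close again
        catch (UnauthorizedAccessException) { return report + "Key repository NOT readable by " + who; }
        return report + "Key repository readable by " + who;
    }

    // Attempts the connect and surfaces the MQ reason code, so a key-repository
    // problem reported by Check() can be separated from a missing assigned certificate.
    public static string TryConnect(string host, int port, string channel, string keyRepository, string cipherSpec, string qmgrName)
    {
        MQEnvironment.Hostname = host;
        MQEnvironment.Port = port;
        MQEnvironment.Channel = channel;
        MQEnvironment.SSLKeyRepository = keyRepository;
        MQEnvironment.SSLCipherSpec = cipherSpec;
        try
        {
            MQQueueManager qMgr = new MQQueueManager(qmgrName);
            qMgr.Disconnect();
            return "Connected over " + channel;
        }
        catch (MQException ex)
        {
            // MQC constant assumed present in this amqmdnet build
            if (ex.ReasonCode == MQC.MQRC_SSL_INITIALIZATION_ERROR)
                return "MQRC_SSL_INITIALIZATION_ERROR as " + WindowsIdentity.GetCurrent().Name + "; see Check() output";
            return "MQ connect failed, reason code " + ex.ReasonCode;
        }
    }
}
```

Call both methods from the ASPX page rather than a console session: with IIS impersonation on, `WindowsIdentity.GetCurrent()` reports the impersonated account, which is the one whose certificate assignment matters.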

Author: aramg (Newbie; Joined: 24 Aug 2004; Posts: 3)
Posted: Wed Aug 25, 2004 7:18 am
Thank you for your clear answers. They helped remove a lot of guesswork.
-Aram