yasaboy
Posted: Tue Oct 21, 2014 1:56 am Post subject: SSL certificate validation error 575051
Voyager
Joined: 23 Jun 2014 Posts: 90
Hi,
I have changed the cipher suite of the SSL configuration from SSL_RSA_WITH_RC4_128_MD5 to TLS_RSA_WITH_AES_128_CBC_SHA256. However, that change now gives me the error below.
Code:
A certificate encountered during SSL handshaking is regarded as bad for one of
the following reasons:
(a) it was formatted incorrectly and could not be validated
(b) it was formatted correctly but failed validation against the Certification
Authority (CA) root and other certificates held on the local system
(c) it was found in a Certification Revocation List (CRL) on an LDAP server
(d) a CRL was specified but the CRL could not be found on the LDAP server
(e) an OCSP responder has indicated that it is revoked
The channel is 'SSL.CLIENTS'; in some cases its name cannot be determined and
so is shown as '????'. The remote host is '172.xx.xx.xx (172.xx.xx.xx)(12345)'.
The channel did not start.
The details of the certificate which could not be validated are
'[Class=]GSKVALMethod::X509[Issuer=]O=IBM,C=US[#=]5445d49c[Subject=]O=IBM,C=USGSKNativeValidator::
[IssuerName=]O=IBM,C=US[Serial#=]5445d605[SubjectName=]O=IBM,C=US[Class=]GSKVALMethod::PKIX[Issuer=]O=IBM,C=US[#=]5445d605[Subject=]O=IBM,C=US'.
The certificate validation error was 575051.
I used the following commands to enable SSL.
Code:
DEFINE LISTENER('LISTENER.SSL') TRPTYPE(TCP) PORT(12345) CONTROL(QMGR)
DEFINE QLOCAL(TEST.INQUEUE1) REPLACE +
PUT(ENABLED) GET(ENABLED)
DEFINE CHANNEL(SSL.CLIENTS) chltype(SVRCONN)
ALTER CHANNEL(SSL.CLIENTS) chltype(svrconn) sslciph(TLS_RSA_WITH_AES_128_CBC_SHA256) sslcauth(required)
DEFINE CHANNEL(SSL.CLIENTS) CHLTYPE(CLNTCONN) CONNAME('172.xx.xx.xx(12345)') REPLACE
ALTER chl(SSL.CLIENTS) chltype(CLNTCONN) sslciph(TLS_RSA_WITH_AES_128_CBC_SHA256) QMNAME(TESTQM.SSL)
///Queue Manager
Code:
runmqckm -keydb -create -db key -pw password -type cms -stash
runmqckm -cert -create -db key.kdb -pw password -label ibmwebspheremqtestqm.ssl -dn "O=IBM, C=US" -size 2048 -x509version 3 -expire 356 -sig_alg SHA256WithRSA
runmqckm -cert -extract -db key.kdb -pw password -label ibmwebspheremqtestqm.ssl -target sslqm.arm -format ascii
///Client
Code:
runmqckm -keydb -create -db clientkey -pw password -type cms -stash
runmqckm -cert -create -db clientkey.kdb -pw password -label ibmwebspheremqdevYY -dn "O=IBM, C=US" -size 2048 -x509version 3 -expire 356 -sig_alg SHA256WithRSA
runmqckm -cert -extract -db clientkey.kdb -pw password -label ibmwebspheremqdevYY -target devYY.arm -format ascii
What should I change in the above configuration to make this work?
smdavies99
Posted: Tue Oct 21, 2014 2:06 am Post subject:
Jedi Council
Joined: 10 Feb 2003 Posts: 6076 Location: Somewhere over the Rainbow this side of Never-never land.
Did you update the AMQCLCHL.TAB file that is on the client side?
_________________
WMQ User since 1999
MQSI/WBI/WMB/'Thingy' User since 2002
Linux user since 1995
Every time you reinvent the wheel the more square it gets (anon). If in doubt think and investigate before you ask silly questions.
yasaboy
Posted: Tue Oct 21, 2014 2:12 am Post subject:
Voyager
Joined: 23 Jun 2014 Posts: 90
@smdavies99,
Yes, I have scp'ed the AMQCLCHL.TAB file from the queue manager side to the client after the channel was modified.
yasaboy
Posted: Tue Oct 21, 2014 3:10 am Post subject:
Voyager
Joined: 23 Jun 2014 Posts: 90
The return code 575051 says the CA certificate is missing critical Basic Constraints.
And the error log above says
Code:
The details of the certificate which could not be validated are
'[Class=]GSKVALMethod::X509[Issuer=]O=IBM,C=US[#=]5446066f[Subject=]O=IBM,C=US[Class=]GSKVALMethod::X509[Issuer=]O=IBM,C=US[#=]5446066f[Subject=]O=IBM,C=USGSKNativeValidator::
[IssuerName=]O=IBM,C=US[Serial#=]54461b59[SubjectName=]O=IBM,C=US[Class=]GSKVALM'.
I have added the distinguished name as -dn "O=IBM, C=US". Is there any error with this?
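Added example, not from any post in this thread: yasaboy reports above that validation error 575051 means the CA certificate lacks a critical Basic Constraints extension. The Python below (standard library only) walks the DER of a certificate and reports whether that extension is present, whether it is marked critical and whether cA is TRUE, so an .arm file extracted with runmqckm can be checked before it is added to the peer's key database. The `sample_certificate` helper builds a constructed stand-in certificate (correct ASN.1 framing, no real key or signature) purely so the checker can be exercised offline; all function names here are my own, not MQ or GSKit APIs.

```python
"""Check a certificate (.arm/PEM text or raw DER) for the Basic Constraints extension.
A self-signed certificate used as its own trust anchor needs a critical Basic Constraints
extension with cA=TRUE; the thread reports error 575051 when it is missing.  Stdlib only."""
import base64

BASIC_CONSTRAINTS_OID = bytes.fromhex("551d13")   # id-ce-basicConstraints, 2.5.29.19

def read_tlv(buf, pos):
    """Decode one DER TLV at buf[pos]; return (tag, content_start, content_end)."""
    tag, pos = buf[pos], pos + 1
    length, pos = buf[pos], pos + 1
    if length & 0x80:                              # long form: low 7 bits = count of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def iter_children(buf, start, end):
    """Yield (tag, content_start, content_end) for each TLV inside buf[start:end]."""
    pos = start
    while pos < end:
        tag, cstart, cend = read_tlv(buf, pos)
        yield tag, cstart, cend
        pos = cend

def _basic_constraints_fields(buf, start, end):
    """Parse the rest of an Extension SEQUENCE after its OID: [critical BOOLEAN] extnValue."""
    critical, ca = False, False                    # both DEFAULT FALSE when absent
    for tag, cstart, cend in iter_children(buf, start, end):
        if tag == 0x01:                            # BOOLEAN critical
            critical = buf[cstart] != 0
        elif tag == 0x04:                          # OCTET STRING wrapping BasicConstraints ::= SEQUENCE
            _, sstart, send = read_tlv(buf, cstart)
            for itag, istart, _ in iter_children(buf, sstart, send):
                if itag == 0x01:                   # BOOLEAN cA
                    ca = buf[istart] != 0
    return {"critical": critical, "ca": ca}

def find_basic_constraints(cert_der):
    """Return None if the extension is absent, else {'critical': bool, 'ca': bool}."""
    def walk(start, end):
        for tag, cstart, cend in iter_children(cert_der, start, end):
            if not tag & 0x20:                     # primitive (INTEGER, BIT STRING, ...): nothing inside
                continue
            first = read_tlv(cert_der, cstart) if cstart < cend else None
            if first and first[0] == 0x06 and cert_der[first[1]:first[2]] == BASIC_CONSTRAINTS_OID:
                return _basic_constraints_fields(cert_der, first[2], cend)
            found = walk(cstart, cend)
            if found is not None:
                return found
        return None
    return walk(0, len(cert_der))

def trust_anchor_verdict(cert_der):
    """One-line verdict on using this certificate as a CA / trust anchor."""
    bc = find_basic_constraints(cert_der)
    if bc is None:
        return "REJECT: no Basic Constraints extension"
    if not bc["ca"]:
        return "REJECT: Basic Constraints present but cA=FALSE"
    return "OK: critical Basic Constraints with cA=TRUE" if bc["critical"] else "WARN: cA=TRUE but not marked critical"

def load_certificate(data):
    """Accept .arm/PEM text (str or bytes) or raw DER bytes; return DER bytes."""
    if isinstance(data, bytes) and data[:1] == b"\x30":
        return data
    text = data.decode() if isinstance(data, bytes) else data
    return base64.b64decode("".join(l.strip() for l in text.splitlines() if not l.startswith("-----")))

def to_pem(cert_der):
    """Write DER bytes in the base64 'ascii' form that runmqckm -cert -extract produces."""
    b64 = base64.b64encode(cert_der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"

def tlv(tag, content):
    """Encode one DER TLV; used only to build the constructed samples below."""
    n = len(content)
    length = bytes([n]) if n < 0x80 else bytes([0x81, n]) if n < 0x100 else bytes([0x82, n >> 8, n & 0xFF])
    return bytes([tag]) + length + content

def sample_certificate(with_basic_constraints, critical=True, ca=True):
    """Constructed stand-in (not a real certificate: no key, no valid signature) with the
    framing of a self-signed 'O=IBM' cert; the serial is the one from the thread's log."""
    name = tlv(0x30, tlv(0x31, tlv(0x30, tlv(0x06, bytes.fromhex("55040a")) + tlv(0x13, b"IBM"))))
    exts = b""
    if with_basic_constraints:
        ext = tlv(0x06, BASIC_CONSTRAINTS_OID)
        if critical:
            ext += tlv(0x01, b"\xff")
        ext += tlv(0x04, tlv(0x30, tlv(0x01, b"\xff") if ca else b""))   # absent cA = DEFAULT FALSE
        exts = tlv(0xA3, tlv(0x30, tlv(0x30, ext)))
    tbs = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x00\x54\x45\xd4\x9c") + name + name + exts)
    sig_alg = tlv(0x30, tlv(0x06, bytes.fromhex("2a864886f70d01010b")) + tlv(0x05, b""))
    return tlv(0x30, tbs + sig_alg + tlv(0x03, b"\x00" * 17))

if __name__ == "__main__":                         # e.g. python check_bc.py sslqm.arm
    import sys
    print(trust_anchor_verdict(load_certificate(open(sys.argv[1], "rb").read())))
```

A self-signed certificate that comes back REJECT cannot be repaired by relabelling it or by changing its DN; it has to be regenerated with the CA flag set (runmqakm's -cert -create has a -ca true option for this, as I remember the GSKit command reference; that is not from this thread, so confirm it against the documentation for your MQ version).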
 |
fjb_saper
Posted: Tue Oct 21, 2014 4:55 am Post subject:
Grand High Poobah
Joined: 18 Nov 2003 Posts: 20756 Location: LI,NY
Try at a minimum to have the following entries in your DN:
- CN or common name, usually the qmgr name or userid (client)
- O or organization, usually the company name
- OU or organizational unit (multiples allowed; they need to be in the same order in the SSLPEER as on the certificate)
- ST state
- C country
- L or LOCATION (optional)
- POSTALCODE (optional)
and please REMEMBER the DN is supposed to be UNIQUE across your enterprise. I don't believe your earlier attempt satisfies that requirement.
Have fun
_________________
MQ & Broker admin
JosephGramig
Posted: Tue Oct 21, 2014 7:11 am Post subject: Re: SSL certificate validation error 575051
Grand Master
Joined: 09 Feb 2006 Posts: 1244 Location: Gold Coast of Florida, USA
yasaboy wrote:
///Client
Code:
runmqckm -keydb -create -db clientkey -pw password -type cms -stash
runmqckm -cert -create -db clientkey.kdb -pw password -label ibmwebspheremqdevYY -dn "O=IBM, C=US" -size 2048 -x509version 3 -expire 356 -sig_alg SHA256WithRSA
runmqckm -cert -extract -db clientkey.kdb -pw password -label ibmwebspheremqdevYY -target devYY.arm -format ascii
What should I change in the above configuration to make this work?
Are you saying you have a mixed case user ID with this label? ibmwebspheremqdevYY
The label has to be all lowercase for distributed. MQ V8 has provisions for labels of your choosing.
yasaboy
Posted: Tue Oct 21, 2014 8:30 pm Post subject:
Voyager
Joined: 23 Jun 2014 Posts: 90
fjb_saper wrote:
Try at a minimum to have the following entries in your DN:
- CN or common name, usually the qmgr name or userid (client)
- O or organization, usually the company name
- OU or organizational unit (multiples allowed; they need to be in the same order in the SSLPEER as on the certificate)
- ST state
- C country
- L or LOCATION (optional)
- POSTALCODE (optional)
and please REMEMBER the DN is supposed to be UNIQUE across your enterprise. I don't believe your earlier attempt satisfies that requirement.
Have fun
Thanks for your explanation. I changed the rules according to it, but the error is still the same. Now I am pretty sure it's not due to -dn.
I tried
/// Client
Code:
runmqckm -keydb -create -db clientkey -pw password -type cms -stash
runmqckm -cert -create -db clientkey.kdb -pw password -label ibmwebspheremqdevyy -dn "CN=TEST.SSL OU=Test O=IBM, C=US" -size 2048 -x509version 3 -expire 356 -sig_alg SHA256WithRSA
runmqckm -cert -extract -db clientkey.kdb -pw password -label ibmwebspheremqdevyy -target newcdev35.arm -format ascii
///QMgr
Code:
runmqckm -keydb -create -db key -pw password -type cms -stash
runmqckm -cert -create -db key.kdb -pw password -label ibmwebspheremqtest.ssl -dn "CN=TEST.SSL OU=Test O=IBM, C=US" -size 2048 -x509version 3 -expire 356 -sig_alg SHA256WithRSA
runmqckm -cert -extract -db key.kdb -pw password -label ibmwebspheremqtest.ssl -target sslqm.arm -format ascii
Now the error is:
Code:
AMQ9633: Bad SSL certificate for channel 'SSL.CLIENTS'.
EXPLANATION:
A certificate encountered during SSL handshaking is regarded as bad for one of
the following reasons:
(a) it was formatted incorrectly and could not be validated
(b) it was formatted correctly but failed validation against the Certification
Authority (CA) root and other certificates held on the local system
(c) it was found in a Certification Revocation List (CRL) on an LDAP server
(d) a CRL was specified but the CRL could not be found on the LDAP server
(e) an OCSP responder has indicated that it is revoked
The channel is 'SSL.CLIENTS'; in some cases its name cannot be determined and
so is shown as '????'. The remote host is '172.xx.xx.xx (172.xx.xx.xx)(12345)'.
The channel did not start.
The details of the certificate which could not be validated are '????'.
The certificate validation error was 575010.
@JosephGramig
No, it is ibmwebspheremqdevyy, everything in lowercase. The same rules work for
cipher suite - TRIPLE_DES_SHA_US
key size - 1024
signature algorithm - SHA1WithRSA
What I have changed is
cipher suite - TLS_RSA_WITH_AES_128_CBC_SHA256
key size - 2048
signature algorithm - SHA256WithRSA
Really struggling with this for now.
yasaboy
Posted: Tue Oct 21, 2014 9:08 pm Post subject:
Voyager
Joined: 23 Jun 2014 Posts: 90
Display channel details:
Code:
dis chl(SSL.CLIENTS)
1 : dis chl(SSL.CLIENTS)
AMQ8414: Display Channel details.
CHANNEL(SSL.CLIENTS) CHLTYPE(SVRCONN)
ALTDATE(2014-10-22) ALTTIME(08.53.39)
COMPHDR(NONE) COMPMSG(NONE)
DESCR( ) DISCINT(0)
HBINT(300) KAINT(AUTO)
MAXINST(999999999) MAXINSTC(999999999)
MAXMSGL(4194304) MCAUSER( )
MONCHL(QMGR) RCVDATA( )
RCVEXIT( ) SCYDATA( )
SCYEXIT( ) SENDDATA( )
SENDEXIT( ) SHARECNV(10)
SSLCAUTH(REQUIRED)
SSLCIPH(TLS_RSA_WITH_AES_128_CBC_SHA256)
SSLPEER( ) TRPTYPE(TCP)
AMQ8414: Display Channel details.
CHANNEL(SSL.CLIENTS) CHLTYPE(CLNTCONN)
AFFINITY(PREFERRED) ALTDATE(2014-10-22)
ALTTIME(08.54.02) CLNTWGHT(0)
COMPHDR(NONE) COMPMSG(NONE)
CONNAME(172.xx.xx.xx(12345)) DEFRECON(NO)
DESCR( ) HBINT(300)
KAINT(AUTO) LOCLADDR( )
MAXMSGL(4194304) MODENAME( )
PASSWORD( ) QMNAME(TEST.SSL)
RCVDATA( ) RCVEXIT( )
SCYDATA( ) SCYEXIT( )
SENDDATA( ) SENDEXIT( )
SHARECNV(10)
SSLCIPH(TLS_RSA_WITH_AES_128_CBC_SHA256)
SSLPEER( ) TPNAME( )
TRPTYPE(TCP) USERID( )
fjb_saper
Posted: Wed Oct 22, 2014 4:19 am Post subject:
Grand High Poobah
Joined: 18 Nov 2003 Posts: 20756 Location: LI,NY
Which part of "the DN needs to be unique" did you not understand?
You cannot have 2 certificates (i.e. qmgr and client) with the same DN.
Also, in your command you need to separate the fields with a comma and no space:
Code:
-dn "CN=userid,O=company,OU=MQ,OU=department,L=ORD,ST=IL,C=US"
_________________
MQ & Broker admin
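Added example that is not part of any post above, covering both of fjb_saper's points (the attribute list in the earlier reply, and the "comma, no space, unique DN" rule in the last one). It is a standard-library Python lint for the -dn strings before the runmqckm/runmqakm commands are run: it parses a DN the way a comma-separated RDN list is read, shows why the space-separated value used in the thread collapses into a single CN, reports missing attributes, flags duplicate DNs across the planned qmgr and client certificates even when re-cased or re-ordered, and builds an SSLPEER value in the certificate's attribute order. The sample DNs in the __main__ block are constructed; the OU and ST values are made up and not from the thread, and the function names are my own.

```python
"""Lint the -dn strings planned for runmqckm/runmqakm -cert -create.

Two things go wrong with the DNs in the thread: fields separated by spaces
("CN=TEST.SSL OU=Test O=IBM, C=US") collapse into one RDN whose value swallows
the rest, and the queue manager and client certificates share a DN.  This
checker parses a comma-separated DN, reports missing attributes, flags
duplicates across a planned set, and builds a matching SSLPEER value.
"""
import re

REQUIRED = ("CN", "O", "OU", "ST", "C")          # minimum set recommended in the thread
OPTIONAL = ("L", "POSTALCODE")
KNOWN = REQUIRED + OPTIONAL


def parse_dn(dn):
    """Split a comma-separated DN into [(attr, value), ...] in certificate order.
    Raises ValueError when a field has no '=', an unknown attribute, an empty value,
    or a value that itself contains ' attr=' (the symptom of space-separated fields)."""
    rdns = []
    for field in dn.split(","):
        if "=" not in field:
            raise ValueError(f"field {field.strip()!r} has no '='; fields must be comma-separated")
        attr, value = field.split("=", 1)
        attr, value = attr.strip().upper(), value.strip()
        if attr not in KNOWN:
            raise ValueError(f"unknown attribute {attr!r}")
        if not value:
            raise ValueError(f"empty value for {attr}")
        if re.search(r"\s[A-Za-z]+=", value):
            raise ValueError(f"value {value!r} of {attr} contains another 'attr='; missing comma?")
        rdns.append((attr, value))
    return rdns


def dn_problems(dn):
    """Return a list of problems with one -dn string; an empty list means usable."""
    try:
        rdns = parse_dn(dn)
    except ValueError as exc:
        return [str(exc)]
    present = {attr for attr, _ in rdns}
    problems = [f"missing {attr}" for attr in REQUIRED if attr not in present]
    if re.search(r",\s", dn):
        problems.append("whitespace after a comma; separate fields with ',' and no space")
    return problems


def duplicate_dns(dns):
    """Return groups of DNs from a planned set (qmgr + clients) that are the same DN.
    Comparison is attribute-wise and case-insensitive, so re-cased or re-ordered
    copies of one DN are still caught."""
    groups = {}
    for dn in dns:
        key = tuple(sorted((attr, value.lower()) for attr, value in parse_dn(dn)))
        groups.setdefault(key, []).append(dn)
    return [group for group in groups.values() if len(group) > 1]


def sslpeer_filter(dn):
    """Build an SSLPEER value that pins a channel to exactly this DN, keeping the
    attribute order of the certificate (multiple OUs must stay in certificate order)."""
    return ",".join(f"{attr}={value}" for attr, value in parse_dn(dn))


def plan_report(dns):
    """Check a whole planned set: {'problems': {dn: [...]}, 'duplicates': [[dn, dn], ...]}."""
    problems = {dn: dn_problems(dn) for dn in dns}
    usable = [dn for dn, probs in problems.items() if not probs]
    return {"problems": problems, "duplicates": duplicate_dns(usable)}


if __name__ == "__main__":
    planned = [                                                  # constructed sample set
        "O=IBM, C=US",                                           # first attempt in the thread
        "CN=TEST.SSL OU=Test O=IBM, C=US",                       # second attempt, space-separated
        "CN=TESTQM.SSL,O=IBM,OU=MQ,OU=Test,ST=NY,C=US",          # hypothetical qmgr DN
        "CN=devyy,O=IBM,OU=MQ,OU=Test,ST=NY,C=US",               # hypothetical client DN
        "cn=testqm.ssl,o=ibm,ou=mq,ou=test,st=ny,c=us",          # the qmgr DN again, re-cased
    ]
    report = plan_report(planned)
    for dn, probs in report["problems"].items():
        print(f"{dn!r}: {'OK' if not probs else '; '.join(probs)}")
    for group in report["duplicates"]:
        print("duplicate DN:", group)
    print("SSLPEER for the qmgr certificate:", sslpeer_filter(planned[2]))
```

Run it once over the full list of DNs you intend to issue; a set that passes with no problems and no duplicate groups is safe to feed to -cert -create, and the SSLPEER string it prints can go straight into ALTER CHANNEL ... SSLPEER() on the SVRCONN so only that certificate is accepted.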