MQSeries.net Forum Index » IBM MQ Security » SSL connection fails b/w Sender receiver
saurabh25281
PostPosted: Tue Aug 23, 2016 4:12 pm    Post subject: SSL connection fails b/w Sender receiver

Centurion

Joined: 05 Nov 2006
Posts: 107
Location: Bangalore

Hi all,

I am facing the below error with my SSL configuration.
"An SSL certificate received from the remote system was not corrupt but failed validation checks on something other than its ASN fields and date. It is possible that the certificate Subject DN is more than 1024 characters long or contains unsupported duplicate attribute values. &P The channel is 'QM2.TEST'; in some cases its name cannot be determined and so is shown as '????'. The channel did not start. "

I am using a self-signed CA certificate on one of my QMgrs and a self-signed certificate on the other.
I am using MQ v7.5.0.1 and have tried certificates with a key size of 2048. I have validated the certificate using OpenSSL and it is OK. Both my QMgrs are on the same machine.
I am using the same SSL CipherSpec on both the sender and receiver channels.
Do let me know, where I might be going wrong.

I have created the self-signed CA certificate using the below commands, converted the certs to PKCS12 format and imported them into the QMgr key database using ikeyman.
Code:
# Private CA key and self-signed CA certificate.
# The leading "//" in -subj is needed when running from Git Bash on Windows (explained further down in the thread).
openssl genrsa -out rootCA.key 2048
openssl req -x509 -new -nodes -key rootCA.key -sha512 -days 1024 -out rootCA.pem -subj "//CN=rootCA"
# Queue manager key and certificate signing request
openssl genrsa -out qm2.key 2048
openssl req -new -key qm2.key -out qm2.csr -subj "//CN=QM2"
# Sign the request with the CA key; v3.ext (not shown) supplies the X.509 v3 extensions
openssl x509 -req -in qm2.csr -extfile v3.ext -CA rootCA.pem -CAkey rootCA.key -CAcreateserial -out qm2.crt -days 500
# Convert certificate and private key to PKCS12 for import into the queue manager's key database
openssl pkcs12 -export -in qm2.crt -inkey qm2.key -out keystore.p12 -password pass:password -name ibmwebspheremqqm2

I have created my self-signed certificate using the below commands.
Code:
# Create the key database and stash the password so the queue manager can open it
runmqakm -keydb -create -db key.kdb -pw password -stash
# Self-signed personal certificate (label: ibmwebspheremq followed by the queue manager name in lower case)
runmqakm -cert -create -db key.kdb -label ibmwebspheremqtest -stashed -size 2048 -sigalg SHA512WithRSA -dn CN=TEST
# Extract the public certificate to send to the partner queue manager
runmqakm -cert -extract -db key.kdb -label ibmwebspheremqtest -file TEST.arm -stashed

Exchanged the public keys of both QMgrs.
Code:
# Add the partner's extracted certificate to the key database as a trusted certificate
runmqakm -cert -add -db key.kdb -label "ibmwebspheremqtest" -file TEST.arm -format ascii -stashed

Also exchanged using the import function of the ikeyman GUI tool.

Regards
Saurabh
smdavies99
PostPosted: Tue Aug 23, 2016 9:43 pm

Jedi Council

Joined: 10 Feb 2003
Posts: 6076
Location: Somewhere over the Rainbow this side of Never-never land.

I have created the self signed CA certificate using the below command. Converted the certs in pkcs12 format and imported it to QMgr keydb using ikeyman.
Code:

openssl genrsa -out rootCA.key 2048
openssl req -x509 -new -nodes -key rootCA.key -sha512 -days 1024 -out rootCA.pem -subj "//CN=rootCA"
openssl genrsa -out qm2.key 2048
openssl req -new -key qm2.key -out qm2.csr -subj "//CN=QM2"
openssl x509 -req -in qm2.csr -extfile v3.ext -CA rootCA.pem -CAkey rootCA.key -CAcreateserial -out qm2.crt -days 500
(convert to PKCS12)
 openssl pkcs12 -export -in qm2.crt -inkey qm2.key -out keystore.p12 -password pass:password -name ibmwebspheremqqm2

I have created my self signed certificate using the below command
Code:

runmqakm -keydb -create -db key.kdb -pw password -stash
runmqakm -cert -create -db key.kdb -label ibmwebspheremqtest -stashed -size 2048 -sigalg SHA512WithRSA -dn CN=TEST
runmqakm -cert -extract -db key.kdb -label ibmwebspheremqtest -file TEST.arm -stashed

exchanged the public keys of both QMgr
Code:

runmqakm -cert -add -db key.kdb -label "ibmwebspheremqtest" -file TEST.arm -format ascii -stashed


That is a lot easier to read and understand. Please use [C O D E] (without the spaces) tags.

I take it that you followed the instructions linked by Morag in this thread?
http://www.mqseries.net/phpBB2/viewtopic.php?t=72824
_________________
WMQ User since 1999
MQSI/WBI/WMB/'Thingy' User since 2002
Linux user since 1995

Every time you reinvent the wheel the more square it gets (anon). If in doubt think and investigate before you ask silly questions.
hughson
PostPosted: Tue Aug 23, 2016 10:59 pm

Padawan

Joined: 09 May 2013
Posts: 1914
Location: Bay of Plenty, New Zealand

Few questions:-
  • Why mixing and matching OpenSSL and runmqakm?
  • Why exchanging queue manager keys if one queue manager is not self-signed?
  • Please supply full error message text, starting at error number AMQ9....
Cheers
Morag
_________________
Morag Hughson @MoragHughson
IBM MQ Technical Education Specialist
Get your IBM MQ training here!
MQGem Software
saurabh25281
PostPosted: Wed Aug 24, 2016 5:14 am

Centurion

Joined: 05 Nov 2006
Posts: 107
Location: Bangalore

Hi Morag,

Quote:
Why mixing and matching OpenSSL and runmqakm?

I wanted to emulate certificates provided by internal security team which will generate certificate for us and handover us the .key & .crt file. I did it using the openssl tool. For the self-signed certificates, we didn't need any external tool and can be done by using runmqakm.

Quote:
Why exchanging queue manager keys if one queue manager is not self-signed?

I am using SS-CA certificate & SS certificate for my 2 QMgrs respectively. Do you want me not to exchange certificates for the SS-CA certificate?

Quote:
Please supply full error message text, starting at error number AMQ9....


AMQ9654

8/24/2016 18:09:23 - Process(13316.1) User(SYSTEM) Program(runmqchl.exe) Host(BDC6-L-50230FH) Installation(Installation1) VRMF(7.5.0.1) QMgr(QM2)

An invalid SSL certificate was received from the remote system.

An SSL certificate received from the remote system was not corrupt but failed validation checks on something other than its ASN fields and date. It is possible that the certificate Subject DN is more than 1024 characters long or contains unsupported duplicate attribute values. &P The channel is 'QM2.TEST'; in some cases its name cannot be determined and so is shown as '????'. The channel did not start.

Ensure that the remote system has a valid SSL certificate. Restart the channel.
hughson
PostPosted: Wed Aug 24, 2016 11:33 am

Padawan

Joined: 09 May 2013
Posts: 1914
Location: Bay of Plenty, New Zealand

saurabh25281 wrote:
hughson wrote:
Please supply full error message text, starting at error number AMQ9....


AMQ9654

An invalid SSL certificate was received from the remote system.


Knowing the error number I can see that the description of this error message has been enhanced a little post V7.5.0.1. It now looks like:-

Knowledge Center wrote:
AMQ9654 Validation checks for the remote personal certificate failed. The channel did not start.
Severity 30 : Severe error
Explanation An SSL certificate received from the remote system was not corrupt but failed validation checks on something other than its ASN.1 fields and date. It is possible that the certificate chain could not be built for one of the following reasons:
  • The certificate Subject DN is more than 1024 characters long.
  • The DN contains unsupported duplicate attribute values.
  • The DN is missing.
The channel is <insert_3>; in some cases its name cannot be determined and so is shown as '????'.
Response Ensure that the remote system has a valid personal certificate and restart the channel.


Looking back at your certificate commands again:-
saurabh25281 wrote:
openssl req -x509 -new -nodes -key rootCA.key -sha512 -days 1024 -out rootCA.pem -subj "//CN=rootCA"
openssl req -new -key qm2.key -out qm2.csr -subj "//CN=QM2"

I wonder why you have two slashes at the beginning of your subj? What does this achieve? Do your certificates actually have a DN when you view them? What happens if you don't do that?

Cheers
Morag
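The three conditions in the Knowledge Center text quoted above, as an added example that is not from the thread, from IBM or from MQ: a small parser that accepts a Distinguished Name either in the OpenSSL -subj slash form ("/CN=QM2/O=Example") or in the comma form that runmqakm -dn and SSLPEER use ("CN=QM2,O=Example"), strips the Git Bash "//" prefix, converts between the two forms, and reports which of the listed conditions a DN would trip. The 1024-character limit and the three conditions come from the message text; the parser, its escaping rules, and the reading of "duplicate attribute values" as an identical type=value pair repeated are assumptions of the example.

```python
"""Added example (not from the thread or IBM): check a DN against the three
structural conditions the AMQ9654 explanation lists."""
import re

MAX_DN_LENGTH = 1024  # limit quoted in the AMQ9654 explanation


def parse_dn(dn):
    """Return [(type, value), ...] in the order the DN lists them.

    Accepts "CN=a,O=b" and "/CN=a/O=b". A leading "//" is the Git Bash
    (MSYS) path-conversion workaround seen in the thread; it is stripped
    here so the DN itself can still be inspected.  Separators escaped with a
    backslash ("CN=Smith\\, John") are kept as part of the value.
    """
    s = dn.strip()
    if s.startswith("/"):
        s = s.lstrip("/")  # "//CN=x" and "/CN=x" both mean "CN=x"
        sep = "/"
    else:
        sep = ","
    parts = re.split(r"(?<!\\)" + re.escape(sep), s)
    rdns = []
    for part in parts:
        if not part:
            continue
        if "=" not in part:
            raise ValueError("RDN without '=': %r" % part)
        typ, val = part.split("=", 1)
        rdns.append((typ.strip().upper(), val.replace("\\" + sep, sep)))
    return rdns


def to_comma_form(dn):
    """Render a DN the way runmqakm -dn and SSLPEER write it."""
    return ",".join("%s=%s" % (t, v) for t, v in parse_dn(dn))


def amq9654_checks(dn):
    """Return the AMQ9654 conditions the DN trips (empty list = none)."""
    problems = []
    rdns = parse_dn(dn)
    if not rdns:
        problems.append("DN is missing")
    if len(to_comma_form(dn)) > MAX_DN_LENGTH:
        problems.append("DN longer than %d characters" % MAX_DN_LENGTH)
    # Several OU values that differ are normal in a DN; the same type=value
    # pair repeated is the case flagged here (assumed reading of the message).
    seen = set()
    for pair in rdns:
        if pair in seen:
            problems.append("duplicate attribute value %s=%s" % pair)
        seen.add(pair)
    return problems


if __name__ == "__main__":
    # Constructed inputs: the two subjects from the thread plus one bad DN.
    for sample in ("//CN=rootCA", "//CN=QM2", "CN=QM2,OU=a,OU=a", ""):
        print(repr(sample), "->", to_comma_form(sample), amq9654_checks(sample))
```

Both subjects from the first post come back as plain "CN=rootCA" and "CN=QM2" with no findings, so the DN itself is not what AMQ9654 is objecting to in this thread.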
saurabh25281
PostPosted: Wed Aug 24, 2016 12:22 pm

Centurion

Joined: 05 Nov 2006
Posts: 107
Location: Bangalore

Hi Morag,

Quote:
I wonder why you have two slashes at the beginning of your subj? What does this achieve? Do your certificates actually have a DN when you view them? What happens if you don't do that?


Since I am using Git Bash on Windows to generate my certificates, I had to provide this extra character; otherwise I get the error "Subject does not start with '/'. problems making Certificate Request". Please find the link: http://stackoverflow.com/questions/31506158/running-openssl-from-a-bash-script-on-windows-subject-does-not-start-with

When I view the certificate it does look like a normal certificate with Subject CN=QM2 and Issuer CN=rootCA, and, as I mentioned earlier, when I test it with the OpenSSL command I get a "certificate OK" response.
Code:
openssl verify -verbose -CAfile rootCA.pem  qm2.crt


But on the Certification Path tab of the certificate, it says, "The issuer of this certificate could not be found."

I am attaching the ASCII of my certificate.
Code:
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
hughson
PostPosted: Wed Aug 24, 2016 1:03 pm

Padawan

Joined: 09 May 2013
Posts: 1914
Location: Bay of Plenty, New Zealand

saurabh25281 wrote:
When I view the certificate it does look like a normal certificate with Subject CN=QM2 and Issuer CN=rootCA, .... but on the Certification Path tab of the certificate, it says, "The issuer of this certificate could not be found."

This goes back to my other question earlier.
saurabh25281 wrote:
hughson wrote:
Why exchanging queue manager keys if one queue manager is not self-signed?

I am using SS-CA certificate & SS certificate for my 2 QMgrs respectively. Do you want me not to exchange certificates for the SS-CA certificate?

One queue manager is using a self-signed certificate, so to validate it, the partner must have a copy of that certificate. The other queue manager is using a CA-signed certificate, and yet I didn't see anything in your description that suggested you sent the partner queue manager the CA certificate for validation, it seems you only sent the queue manager certificate? This will be why you see "The issuer of this certificate could not be found" and may be the reason for your AMQ9654 error.

Cheers
Morag
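The certificate build from the first post and the trust-store point hughson makes above, as an added example that is not part of the thread and is not the poster's or IBM's code. It repeats the OpenSSL steps (CA, CSR, CA-signed leaf, PKCS12), supplies an illustrative v3.ext because the thread never shows the real one, and then runs openssl verify twice: once against rootCA.pem, which is the file the partner queue manager needs in its key database, and once against qm2.crt alone, which reproduces the "issuer could not be found" situation. The file names, the extension contents, the password, the use of a private OpenSSL config file and the MSYS_NO_PATHCONV variable (Git for Windows honours it to switch off the path conversion that forced the "//CN" workaround) are assumptions of the example; it needs OpenSSL on the PATH and writes into a scratch directory.

```shell
#!/bin/sh
# Added example, not code from the thread or from IBM. Builds the CA-signed
# identity for QM2 along the lines of the first post, then shows which file
# the partner queue manager must trust. Needs OpenSSL on the PATH; file names,
# extension contents and the password are illustrative.
set -eu

WORK="${WORK:-$(mktemp -d)}"
cd "$WORK"

# Git for Windows rewrites "/CN=..." as a Windows path unless this is set;
# that rewrite is why the thread's commands use "//CN=...". Harmless elsewhere.
export MSYS_NO_PATHCONV=1

# Minimal OpenSSL config: an empty DN section (the subject comes from -subj)
# plus the extensions a private CA certificate should carry.
cat > ca.cnf <<'EOF'
[req]
distinguished_name = dn
x509_extensions = ca_ext
[dn]
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF

# Extensions for the queue manager's end-entity certificate (assumed
# equivalent of the thread's v3.ext, which is never shown).
cat > v3.ext <<'EOF'
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth,clientAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
EOF

# 1. Private CA: key and self-signed CA certificate.
openssl genrsa -out rootCA.key 2048 2>/dev/null
openssl req -x509 -new -nodes -key rootCA.key -sha512 -days 1024 \
    -config ca.cnf -subj "/CN=rootCA" -out rootCA.pem

# 2. Queue manager key, CSR, and the leaf certificate signed by the CA.
openssl genrsa -out qm2.key 2048 2>/dev/null
openssl req -new -key qm2.key -config ca.cnf -subj "/CN=QM2" -out qm2.csr
openssl x509 -req -in qm2.csr -extfile v3.ext -CA rootCA.pem -CAkey rootCA.key \
    -CAcreateserial -days 500 -out qm2.crt 2>/dev/null

# 3. PKCS#12 for QM2's key database. -certfile bundles the CA certificate so
#    the import carries the whole chain rather than the leaf alone.
openssl pkcs12 -export -in qm2.crt -inkey qm2.key -certfile rootCA.pem \
    -name ibmwebspheremqqm2 -passout pass:password -out keystore.p12

# verify_against LEAF TRUSTFILE: succeeds only if a chain from LEAF reaches a
# self-signed root present in TRUSTFILE, which is what the partner queue
# manager's SSL layer has to do with its own key database when the channel starts.
verify_against() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# cert_name issuer|subject FILE: print that DN in RFC 2253 comma form (the form
# runmqakm -dn and SSLPEER use) without the "issuer=" / "subject=" prefix.
cert_name() {
    openssl x509 -noout "-$1" -nameopt RFC2253 -in "$2" | sed 's/^[a-z]*= *//'
}

# The partner (TEST) needs rootCA.pem as a signer certificate, not qm2.crt.
if verify_against qm2.crt rootCA.pem; then
    echo "trust store holds rootCA.pem: chain builds, issuer $(cert_name issuer qm2.crt)"
fi
if ! verify_against qm2.crt qm2.crt; then
    echo "trust store holds only qm2.crt: issuer of the certificate cannot be found"
fi
```

The second verify is the interesting one: with only the leaf in the trust file OpenSSL cannot reach a self-signed root and fails, which is the command-line equivalent of adding qm2.crt instead of rootCA.pem to the other queue manager's key database.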
fjb_saper
PostPosted: Wed Aug 24, 2016 11:16 pm

Grand High Poobah

Joined: 18 Nov 2003
Posts: 20695
Location: LI,NY

It looks to me like you are building the wrong SSL certificate type.
X509 has multiple types of certs and yours is of type subject?
It should be of a DN type i.e. instead of having a subject (X500??) show a distinguished name or DN.

If you want to, create a cert request and give your corporate security the request for signing. Don't ask them to produce a cert ... they are obviously producing the wrong kind.

Have fun
_________________
MQ & Broker admin
saurabh25281
PostPosted: Thu Aug 25, 2016 3:53 am

Centurion

Joined: 05 Nov 2006
Posts: 107
Location: Bangalore

Quote:
The other queue manager is using a CA-signed certificate, and yet I didn't see anything in your description that suggested you sent the partner queue manager the CA certificate for validation, it seems you only sent the queue manager certificate?

I tried adding the root certificate on the other queue manager instead of the QMgr certificate, but got the same response.

Quote:
This will be why you see "The issuer of this certificate could not be found" and may be the reason for your AMQ9654 error

I see this message when I open the certificate on my windows machine, not in the MQ error logs.
I am suspicious that my Qmgr certificate is not chained properly. The certification Path does not indicate the certificate as
Quote:
expected
rootCA
--QM2

actual
QM2
saurabh25281
PostPosted: Thu Aug 25, 2016 4:01 am

Centurion

Joined: 05 Nov 2006
Posts: 107
Location: Bangalore

Quote:
It should be of a DN type i.e. instead of having a subject (X500??) show a distinguished name or DN.

How do I check if I have the wrong type of certificate? Not sure what you meant by having a subject X500, but my certificate has Subject value as QM2 which is my QmgrName.

Quote:
If you want to, create a cert request and give your corporate security the request for signing. Don't ask them to produce a cert ... they are obviously producing the wrong kind.

This certificate is being created by me and hence I may be doing it the wrong way. Please correct me if I am signing it using the wrong commands that I provided earlier using openssl.
mqjeff
PostPosted: Thu Aug 25, 2016 4:11 am

Grand Master

Joined: 25 Jun 2008
Posts: 17447

it vaguely sounds like you are creating a self-signed certificate instead of creating a certificate request and getting it signed by the root CA.
_________________
chmod -R ugo-wx /
fjb_saper
PostPosted: Thu Aug 25, 2016 3:03 pm

Grand High Poobah

Joined: 18 Nov 2003
Posts: 20695
Location: LI,NY

Not familiar enough in openssl but the fact that he is specifying -subj might be a clue. I would have thought that you'd specify a full Distinguished Name (DN) and not just a subject. Would that not lead to an X509 containing an X500 type entity??

Make sure you create an X509 v3 with full Distinguished Name (
CN=xxx,O=xxx,OU=xxx,L=city,ST=State,C=Country,POSTALCODE=zip)

Have fun
hughson
PostPosted: Thu Aug 25, 2016 6:44 pm

Padawan

Joined: 09 May 2013
Posts: 1914
Location: Bay of Plenty, New Zealand

fjb_saper wrote:
Not familiar enough in openssl but the fact that he is specifying -subj might be a clue. I would have thought that you'd specify a full Distinguished Name (DN) and not just a subject. Would that not lead to an X509 containing an X500 type entity??

Make sure you create an X509 v3 with full Distinguished Name (
CN=xxx,O=xxx,OU=xxx,L=city,ST=State,C=Country,POSTALCODE=zip)

Have fun

The Subject's Distinguished Name (as opposed to the Issuer's Distinguished Name) is perfectly able to be simply "CN=QM1". It is not required to provide every field.
fjb_saper
PostPosted: Thu Aug 25, 2016 11:00 pm

Grand High Poobah

Joined: 18 Nov 2003
Posts: 20695
Location: LI,NY

hughson wrote:
fjb_saper wrote:
Not familiar enough in openssl but the fact that he is specifying -subj might be a clue. I would have thought that you'd specify a full Distinguished Name (DN) and not just a subject. Would that not lead to an X509 containing an X500 type entity??

Make sure you create an X509 v3 with full Distinguished Name (
CN=xxx,O=xxx,OU=xxx,L=city,ST=State,C=Country,POSTALCODE=zip)

Have fun

The Subject's Distinguished Name (as opposed to the Issuer's Distinguished Name) is perfectly able to be simply "CN=QM1". It is not required to provide every field.


Thanks Morag. As always an excellent source of knowledge. Don't know if you're like me, but there is little trust in a cert (especially) self signed where the only info in the DN is the CN.

Mind you, I'm not saying that it isn't legitimate, but a lot less to put into SSLPEER....
hughson
PostPosted: Fri Aug 26, 2016 4:09 am

Padawan

Joined: 09 May 2013
Posts: 1914
Location: Bay of Plenty, New Zealand

fjb_saper wrote:
Don't know if you're like me, but there is little trust in a cert (especially) self signed where the only info in the DN is the CN.



fjb_saper wrote:
Mind you, I'm not saying that it isn't legitimate.

Indeed, I don't think it's the OP's problem in this case, is all.

Cheers
Morag
Page 1 of 2