MQSeries.net Forum Index » General IBM MQ Support » qmgr not recognizing certificate from client

qmgr not recognizing certificate from client
ammx
Posted: Wed Oct 24, 2018 3:43 pm    Post subject: qmgr not recognizing certificate from client

Acolyte

Joined: 08 Sep 2017
Posts: 50

I have an application that needs to connect to a qmgr via a client chl. For that, a kdb was created and the IBM CA root and intermediate certificates were added to the qmgr. However, the issuer of the personal certificate is not IBM CA.

I extracted the public key from their kdb (application side) and added it to the keystore of the qmgr:

/usr/mqm/bin/runmqakm -cert -extract -db xxx.kdb -stashed -label xxxxxx -target key.arm

Then I refreshed, made a test, and I am getting the following error:

From Appl side:

Process(29376.1) User(dstadmin) Program(amqssslc)
Host(xxxxxx) Installation(Installation1)
VRMF(8.0.0.6) QMgr(.)

AMQ9642: No SSL or TLS certificate for channel 'GLP.ATS.AEDMQH3A'.

EXPLANATION:
The channel 'GLP.ATS.AEDMQH3A' did not supply a certificate to use during SSL
or TLS handshaking, but a certificate is required by the remote queue manager.

The remote host is 'xxxx (x.xx.xxx.xx)(1414)'.

The channel did not start.
ACTION:
Ensure that the key repository of the local queue manager or MQ client contains
a certificate which is associated with the queue manager or client. If you have
configured a certificate label, check that the certificate exists.

Alternatively, if appropriate, change the remote channel definition so that its
SSLCAUTH attribute is set to OPTIONAL and it has no SSLPEER value set.



From QMGR side

12:21:49: 10/24/18 13:52:42 - Process(19267840.52540396) User(mqm) Program(amqrmppa)
Host(xxxxxx) Installation(Installation1)
VRMF(8.0.0.6) QMgr(AEDMQH3A)

AMQ9999: Channel 'GLP.ATS.AEDMQH3A' to host 'xxxxxxx (x.xxx.xxx.xx)' ended
abnormally.

EXPLANATION:
The channel program running under process ID 19267840 for channel
'GLP.ATS.AEDMQH3A' ended abnormally. The host name is 'xxxx
(x.xxx.xxx.xx)'; in some cases the host name cannot be determined and so is
shown as '????'.
ACTION:
Look at previous error messages for the channel program in the error logs to
determine the cause of the failure. Note that this message can be excluded
completely or suppressed by tuning the "ExcludeMessage" or "SuppressMessage"
attributes under the "QMErrorLog" stanza in qm.ini. Further information can be
found in the System Administration Guide.

What could be causing this?
exerk
Posted: Wed Oct 24, 2018 11:02 pm

Jedi Council

Joined: 02 Nov 2006
Posts: 6339

1. Your queue manager key store requires the client's personal certificate issuer's CA certificates;

2. Their client key store requires the queue manager's personal certificate issuer's CA certificates.

The full certificate chain has to be present at each end.
_________________
It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys.
fjb_saper
Posted: Thu Oct 25, 2018 2:43 am

Grand High Poobah

Joined: 18 Nov 2003
Posts: 20696
Location: LI,NY

You need a key for the queue manager and set that key alias at the channel level. Your error says that this is a two way SSL and you are not supplying a certificate...
_________________
MQ & Broker admin
ammx
Posted: Thu Oct 25, 2018 5:35 am

Acolyte

Joined: 08 Sep 2017
Posts: 50

@exerk

So can the qmgr side have the root and intermediate certificates from IBM CA and the personal cert from another signer, or should all of them be from one signer only?
exerk
Posted: Thu Oct 25, 2018 5:58 am

Jedi Council

Joined: 02 Nov 2006
Posts: 6339

ammx wrote:
@exerk

So can the qmgr side have the root and intermediate certificates from IBM CA and the personal cert from another signer, or should all of them be from one signer only?

Example:

Company A and Company B use MQ to send data to each other

1. Company A uses MyCA as its SSL certificate provider;
2. Company B uses IBM CA as its SSL certificate provider;

Company A requires MyCA root and intermediate certificates, the personal certificate issued to their queue manager by MyCA AND the IBM CA root and intermediate certificates.

Company B requires IBM CA root and intermediate certificates, the personal certificate issued to their queue manager by IBM CA AND the MyCA root and intermediate certificates.
_________________
It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys.
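As an added illustration of exerk's point (example code, not from this thread or from IBM MQ): a small Python model of a key store that walks the issuer chain of the certificate the peer presents, using his Company A / Company B scenario. The store contents, DNs and labels are constructed, and the check also covers the self-signed case that comes up later in the thread.

```python
# Added example, not code from the thread: a model of exerk's rule that each
# end must hold the full issuer chain of the peer's personal certificate.
# A key store is a dict label -> (subject DN, issuer DN); all names and
# labels are constructed for illustration.

MYCA_ROOT, MYCA_INT = "CN=MyCA Root", "CN=MyCA Intermediate"
IBM_ROOT, IBM_INT = "CN=IBM CA Root", "CN=IBM CA Intermediate"

COMPANY_A_STORE = {                            # Company A uses MyCA
    "myca-root": (MYCA_ROOT, MYCA_ROOT),       # a root CA is self-signed
    "myca-int": (MYCA_INT, MYCA_ROOT),
    "ibmwebspheremqqma": ("CN=QMA", MYCA_INT),  # QMA's personal cert
}
COMPANY_B_STORE = {                            # Company B uses IBM CA
    "ibm-root": (IBM_ROOT, IBM_ROOT),
    "ibm-int": (IBM_INT, IBM_ROOT),
    "ibmwebspheremqqmb": ("CN=QMB", IBM_INT),   # QMB's personal cert
}

def missing_issuer(trust_store, subject, issuer):
    """Walk from a presented cert (subject, issuer) towards a self-signed
    root using only certs in trust_store. Returns None when the chain
    completes, otherwise the DN of the first cert the store still lacks."""
    by_subject = {s: i for s, i in trust_store.values()}
    seen = set()
    while subject != issuer:                   # stop at a self-signed cert
        if issuer in seen or issuer not in by_subject:
            return issuer                      # CA cert missing (or a loop)
        seen.add(subject)
        subject, issuer = issuer, by_subject[issuer]
    # Self-signed: trusted only if that very cert was added to the store,
    # which is why a self-signed client cert is imported directly.
    return None if subject in by_subject else subject

def check_mutual_tls(store_a, cert_a, store_b, cert_b):
    """Two-way TLS: A must chain B's personal cert and B must chain A's.
    cert_x is the (subject, issuer) pair that side presents. Returns
    (missing in A's store, missing in B's store), None meaning fine."""
    return missing_issuer(store_a, *cert_b), missing_issuer(store_b, *cert_a)

def fixed_stores():
    """exerk's fix: each side also adds the other's root and intermediate."""
    a = dict(COMPANY_A_STORE, **{"ibm-root": COMPANY_B_STORE["ibm-root"],
                                 "ibm-int": COMPANY_B_STORE["ibm-int"]})
    b = dict(COMPANY_B_STORE, **{"myca-root": COMPANY_A_STORE["myca-root"],
                                 "myca-int": COMPANY_A_STORE["myca-int"]})
    return a, b
```

Before the fix each side reports the peer's intermediate as the first missing cert; after `fixed_stores()` both directions chain to a root, and a self-signed client cert only passes once that cert itself is in the queue manager's store.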
ammx
Posted: Thu Oct 25, 2018 9:55 am

Acolyte

Joined: 08 Sep 2017
Posts: 50

Thanks @exerk

These steps have been taken:

1. The IBM CA root and intermediate certs were exported from the MQ Server to the application server; they were imported into a Java keystore:

$GWA_JAVAHOME_NP9/jre/lib/security/cacerts/

The next step, number 2, was not performed by me; it was done by the application team.

They created a self-signed certificate on the application server side (that server doesn't have a qmgr) and then imported it into the qmgr keystore of the MQ Server.

I am not sure whether this last step is correct, because that is a self-signed cert and I don't know if they are handled the same way as CA-signed certs. There are no root and intermediate certs on the app side.

These are the commands they followed to import the self-signed certificate:

for keystore in app side
/usr/mqm/bin/runmqakm -cert -extract -db xxxxxx.kdb -stashed -label xxxxxxxxx -target key.arm

for keystore in qmgr side
runmqakm -cert -add -db key.kdb -stashed -label "xxxxxxxx" -file key.arm -format ascii
exerk
Posted: Fri Oct 26, 2018 3:09 am

Jedi Council

Joined: 02 Nov 2006
Posts: 6339

A self-signed certificate is effectively a personal certificate and CA certificate rolled into one - and in other than a small test environment, is not recommended for use - so yes, what they did is correct.

Once the IBM CA personal and application self-signed certificates were received/added to the queue manager key store, did you refresh security for the queue manager? (It's not explicitly clear from your original post).

Does the queue manager SSLKEYR attribute reflect the path and name (in stem format) of the *.kdb file?

Does the queue manager personal certificate label match the CERTLABL attribute of the queue manager and SVRCONN channel?
_________________
It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys.
hughson
Posted: Fri Oct 26, 2018 5:24 pm    Post subject: Re: qmgr not recognizing certificate from client

Padawan

Joined: 09 May 2013
Posts: 1914
Location: Bay of Plenty, New Zealand

ammx wrote:
From Appl side:

AMQ9642: No SSL or TLS certificate for channel 'GLP.ATS.AEDMQH3A'.

EXPLANATION:
The channel 'GLP.ATS.AEDMQH3A' did not supply a certificate to use during SSL or TLS handshaking, but a certificate is required by the remote queue manager.

The remote host is 'xxxx (x.xx.xxx.xx)(1414)'.

The channel did not start.
ACTION:
Ensure that the key repository of the local queue manager or MQ client contains a certificate which is associated with the queue manager or client. If you have configured a certificate label, check that the certificate exists.

Alternatively, if appropriate, change the remote channel definition so that its SSLCAUTH attribute is set to OPTIONAL and it has no SSLPEER value set.


The application (or client) end of your channel GLP.ATS.AEDMQH3A is reporting that the other (the queue manager end) requires it to send a certificate. There are two ways to fix this.
  1. Ensure your client certificate is picked up by the client. Usually it is labeled 'ibmwebspheremq<client-logged-on-user-id>', but you can use the certificate label environment variable MQCERTLABL to set a different label instead. Your later post suggests perhaps a Java client, in which case it should just pick up the only certificate in the key store used. You don't mention how the client end is configured, and the issue is at the client end.
  2. ALTER the SVRCONN definition to accept anonymous clients by using SSLCAUTH(OPTIONAL) - I assume you don't want to do that though?

By the way, for future reference, when you see this message in a queue manager error log, do exactly as it says and look backwards in the error log for the previous error message to see the cause of the abnormal termination of the channel. It would be helpful to paste that one into any questions you ask on forums such as this.
ammx wrote:
From QMGR side

AMQ9999: Channel 'GLP.ATS.AEDMQH3A' to host 'xxxxxxx (x.xxx.xxx.xx)' ended
abnormally.

EXPLANATION:
The channel program running under process ID 19267840 for channel
'GLP.ATS.AEDMQH3A' ended abnormally. The host name is 'xxxx
(x.xxx.xxx.xx)'; in some cases the host name cannot be determined and so is
shown as '????'.
ACTION:
Look at previous error messages for the channel program in the error logs to
determine the cause of the failure.
Note that this message can be excluded
completely or suppressed by tuning the "ExcludeMessage" or "SuppressMessage"
attributes under the "QMErrorLog" stanza in qm.ini. Further information can be
found in the System Administration Guide.


Cheers,
Morag
_________________
Morag Hughson @MoragHughson
IBM MQ Technical Education Specialist
Get your IBM MQ training here!
MQGem Software
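Added example, not from the thread or from IBM MQ: a Python helper that works out which label a non-Java client will look for (MQCERTLABL if set, otherwise the 'ibmwebspheremq<user id>' default hughson mentions) and reports what a given client key store would present. The store contents and user id are constructed, and the Java-client rule is the simplified one hughson states (one personal certificate in the store).

```python
# Added example, not code from the thread: which certificate label a client
# looks for, following hughson's description (MQCERTLABL overrides the
# 'ibmwebspheremq<user id>' default; a Java client just uses the one
# personal cert in its store). Store contents and user ids are constructed.

import os

def expected_client_label(user_id, env=None):
    """MQCERTLABL wins when set; otherwise 'ibmwebspheremq' plus the
    logged-on user id in lower case."""
    env = os.environ if env is None else env
    override = env.get("MQCERTLABL", "").strip()
    return override or "ibmwebspheremq" + user_id.lower()

def diagnose_client_store(store, user_id, env=None, java_client=False):
    """store maps label -> 'personal' (has a private key) or 'ca'.
    Returns (ok, message) explaining why AMQ9642 would or would not occur."""
    personal = sorted(l for l, kind in store.items() if kind == "personal")
    if java_client:
        if len(personal) == 1:
            return True, "Java client will present " + personal[0]
        return False, ("Java client expects exactly one personal cert, "
                       "found %d" % len(personal))
    label = expected_client_label(user_id, env)
    if label in personal:
        return True, "client will present " + label
    if label in store:
        # an extracted public key was added, but there is no private key
        return False, label + " is a CA cert, not a personal cert"
    return False, ("no personal cert labelled " + label +
                   "; set MQCERTLABL to the right label, or the server "
                   "side must use SSLCAUTH(OPTIONAL)")
```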