Problem with SSL - MQ V9
fernando2867 (Newbie; Joined: 04 Apr 2019; Posts: 5)
Posted: Tue May 07, 2019 4:31 pm Post subject: Problem with SSL - MQ V9
Hi! My name is Fernando, and this is my second topic in the forum. I have worked with MQ for many years, but I don’t know SSL. So I’ve used the script below to implement SSL from C# (MQ client V8) to an MQ Server V8, and it worked fine.
But I’ve tried the same script with MQ V9 (both client and server), and it is returning reason code 2059. Would you help me with this problem? I have a trace of this situation.
Thanks in advance and sorry about my poor English... Fernando
Certificate creation:
Client machine:
runmqakm -keydb -create -db "client.kdb" -pw Citi2019 -type cms -expire 1825 -stash
runmqakm -cert -create -db "client.kdb" -pw Citi2019 -label ibmwebspheremqds26073 -dn "cn=ibmwebspheremqds26073, o=dev, c=br" -sigalg SHA256 -size 2048
runmqakm -cert -extract -db "client.kdb" -pw Citi2019 -label ibmwebspheremqds26073 -target ibmwebspheremqds26073.crt -format ascii
Server machine:
Folder: /var/mqm/qmgrs/BJ_QM_SIT/ssl/
runmqakm -keydb -create -db "key.kdb" -pw Citi2019 -type cms -expire 1825 -stash
runmqakm -cert -create -db "key.kdb" -pw Citi2019 -label ibmwebspheremqbj_qm_sit -dn "cn=ibmwebspheremqbj_qm_sit, o=dev, c=br" -sigalg SHA256 -size 2048
runmqakm -cert -extract -db "key.kdb" -pw Citi2019 -label ibmwebspheremqbj_qm_sit -target ibmwebspheremqbj_qm_sit.crt -format ascii
Importing server certificate to client machine:
runmqakm -cert -add -db "client.kdb" -pw Citi2019 -label ibmwebspheremqbj_qm_sit -file ibmwebspheremqbj_qm_sit.crt -format ascii
Importing client certificate to server:
runmqakm -cert -add -db "key.kdb" -pw Citi2019 -label ibmwebspheremqds26073 -file ibmwebspheremqds26073.crt -format ascii
Queue definition:
DEFINE QLOCAL (BJBLOCK.BR.LIL.RESPONSE)
SET AUTHREC PROFILE(BJBLOCK.BR.LIL.RESPONSE) OBJTYPE(QUEUE) PRINCIPAL('ds26073') AUTHADD(PUT,GET)
SET AUTHREC OBJTYPE(QMGR) PRINCIPAL('ds26073') AUTHADD(CONNECT)
Server connection channel definition:
DEFINE CHANNEL('FLAECOMM_QM.BJ_QM') CHLTYPE(SVRCONN) MCAUSER('ds26073') TRPTYPE(TCP)
SET CHLAUTH(FLAECOMM_QM.BJ_QM) TYPE(ADDRESSMAP) ADDRESS(*) MCAUSER('ds26073')
SET AUTHREC PROFILE('FLAECOMM_QM.BJ_QM') GROUP('mqm') OBJTYPE(CHANNEL) AUTHADD(CHG,DLT,DSP,CTRL,CTRLX)
Alter channel to use AES256 certificate:
ALTER CHANNEL('FLAECOMM_QM.BJ_QM') CHLTYPE(SVRCONN) SSLCIPH('TLS_RSA_WITH_AES_256_CBC_SHA256')
Authorize user:
setmqaut -m BJ_QM_SIT -t qmgr -p ds26073 +connect +inq
After the steps above, I’ve used the example below to access the MQ server using C# (it works with “amqmdnet.dll” in MQ version 8.0.0.6, but in version 9.0.0 and higher, it returns reason code 2059):
// Requires: using System.Collections; using IBM.WMQ;
var properties = new Hashtable
{
    { MQC.TRANSPORT_PROPERTY, "TCP" },
    { MQC.HOST_NAME_PROPERTY, "localhost" },
    { MQC.PORT_PROPERTY, 1414 },
    { MQC.CHANNEL_PROPERTY, "FLAECOMM_QM.BJ_QM" }
};
// Verbatim string (@"...") so the backslashes in the key repository path are not treated as escapes
properties.Add(MQC.SSL_CERT_STORE_PROPERTY, @"C:\lixo\MQCitibank\Certificado\client");
properties.Add(MQC.SSL_CIPHER_SUITE_PROPERTY, "SSL_RSA_WITH_AES_256_CBC_SHA256");
properties.Add(MQC.SSL_CIPHER_SPEC_PROPERTY, "TLS_RSA_WITH_AES_256_CBC_SHA256");
properties.Add(MQC.SSL_PEER_NAME_PROPERTY, "");
try
{
    var MQQueueManager = new MQQueueManager(queueManagerDTO.QueueManager, properties);
}
catch (Exception E)
{
    MessageDialog.Show(E.Message);
}
bruce2359 (Poobah; Joined: 05 Jan 2008; Posts: 9469; Location: US: west coast, almost. Otherwise, enroute.)
Posted: Tue May 07, 2019 4:50 pm
Did you research the meaning of MQRC 2059?
Did the app connect successfully on V9 before you enabled SSL?
fernando2867 (Newbie; Joined: 04 Apr 2019; Posts: 5)
Posted: Tue May 07, 2019 4:53 pm
bruce2359 wrote:
Did you research the meaning of MQRC 2059?
Did the app connect successfully on V9 before you enabled SSL?

Hi!! Yes, I know the meaning of 2059. And yes, without SSL the app connection is successful. Thanks!!! Fernando
bruce2359 (Poobah; Joined: 05 Jan 2008; Posts: 9469; Location: US: west coast, almost. Otherwise, enroute.)
Posted: Tue May 07, 2019 5:31 pm