RC 2538 C# (amqmdnet.dll V9.0.0) and SSL - works with dll V8 |
fernando2867 |
Posted: Tue May 21, 2019 3:06 pm Post subject: RC 2538 C# (amqmdnet.dll V9.0.0) and SSL - works with dll V8 |
|
|
Newbie
Joined: 04 Apr 2019 Posts: 5
|
Hi list!!
I have a customer here in Brazil with this problem:
He’s connecting to an MQ Server V9.0, using C# with amqmdnet.dll and SSL (client and server). When he uses amqmdnet.dll V8.0.0.6, it works fine. But if he uses amqmdnet.dll V9.0.0 and up, reason code 2538 occurs.
2538 (09EA) (RC2538): MQRC_HOST_NOT_AVAILABLE
Here is the C# code he is using:
var properties = new Hashtable
{
    { MQC.TRANSPORT_PROPERTY, "TCP" },
    { MQC.HOST_NAME_PROPERTY, "localhost" },
    { MQC.PORT_PROPERTY, 1414 },
    { MQC.CHANNEL_PROPERTY, "FLAECOMM_QM.BJ_QM" }
};
// Verbatim string (@"...") so the backslashes in the path are not read as escape sequences.
properties.Add(MQC.SSL_CERT_STORE_PROPERTY, @"C:\lixo\MQCitibank\Certificado\client");
properties.Add(MQC.SSL_CIPHER_SUITE_PROPERTY, "SSL_RSA_WITH_AES_256_CBC_SHA256");
properties.Add(MQC.SSL_CIPHER_SPEC_PROPERTY, "TLS_RSA_WITH_AES_256_CBC_SHA256");
properties.Add(MQC.SSL_PEER_NAME_PROPERTY, "");
try
{
    // The connection (and the TLS handshake) happens in the constructor.
    var MQQueueManager = new MQQueueManager(queueManagerDTO.QueueManager, properties);
}
catch (Exception E)
{
    MessageDialog.Show(E.Message);
}
Below I will list the steps he used to configure SSL:
Certificate creation:
Client machine:
runmqakm -keydb -create -db "client.kdb" -pw Citi2019 -type cms -expire 1825 -stash
runmqakm -cert -create -db "client.kdb" -pw Citi2019 -label ibmwebspheremqds26073 -dn "cn=ibmwebspheremqds26073, o=dev, c=br" -sigalg SHA256 -size 2048
runmqakm -cert -extract -db "client.kdb" -pw Citi2019 -label ibmwebspheremqds26073 -target ibmwebspheremqds26073.crt -format ascii
Server machine:
runmqakm -keydb -create -db "key.kdb" -pw Citi2019 -type cms -expire 1825 -stash
runmqakm -cert -create -db "key.kdb" -pw Citi2019 -label ibmwebspheremqbj_qm_sit -dn "cn=ibmwebspheremqbj_qm_sit, o=dev, c=br" -sigalg SHA256 -size 2048
runmqakm -cert -extract -db "key.kdb" -pw Citi2019 -label ibmwebspheremqbj_qm_sit -target ibmwebspheremqbj_qm_sit.crt -format ascii
Importing server certificate to client machine:
runmqakm -cert -add -db "client.kdb" -pw Citi2019 -label ibmwebspheremqbj_qm_sit -file ibmwebspheremqbj_qm_sit.crt -format ascii
Importing client certificate to server:
runmqakm -cert -add -db "key.kdb" -pw Citi2019 -label ibmwebspheremqds26073 -file ibmwebspheremqds26073.crt -format ascii
Queue definition:
DEFINE QLOCAL (BJBLOCK.BR.LIL.RESPONSE)
SET AUTHREC PROFILE(BJBLOCK.BR.LIL.RESPONSE) OBJTYPE(QUEUE) PRINCIPAL('ds26073') AUTHADD(PUT,GET)
SET AUTHREC OBJTYPE(QMGR) PRINCIPAL('ds26073') AUTHADD(CONNECT)
Server connection channel definition:
DEFINE CHANNEL('FLAECOMM_QM.BJ_QM') CHLTYPE(SVRCONN) MCAUSER('ds26073') TRPTYPE(TCP)
SET CHLAUTH(FLAECOMM_QM.BJ_QM) TYPE(ADDRESSMAP) ADDRESS(*) MCAUSER('ds26073')
SET AUTHREC PROFILE('FLAECOMM_QM.BJ_QM') GROUP('mqm') OBJTYPE(CHANNEL) AUTHADD(CHG,DLT,DSP,CTRL,CTRLX)
Alter channel to use AES256 certificate:
ALTER CHANNEL('FLAECOMM_QM.BJ_QM') CHLTYPE(SVRCONN) SSLCIPH('TLS_RSA_WITH_AES_256_CBC_SHA256')
Authorize user:
setmqaut -m BJ_QM_SIT -t qmgr -p ds26073 +connect +inq
Like I said, if he uses amqmdnet.dll V8, it works ok, but with amqmdnet.dll V9.0.0 and up, MQCONN returns reason code 2538.
AMQERR01.LOG shows message AMQ9637: Channel is lacking a certificate.
MQ trace shows:
0000025D 16:09:30.274342 4300.1 -----------} MQEncryptedSocket.MakeSecuredConnection() rc=OK
0000025E 16:09:30.275342 4300.1 System.Security.Authentication.AuthenticationException: remote certificate is invalid, according to the validation procedure.
em IBM.WMQ.Nmqi.MQEncryptedSocket.MakeSecuredConnection()
em IBM.WMQ.Nmqi.MQEncryptedSocket..ctor(NmqiEnvironment env, MQTCPConnection conn, Socket socket, MQChannelDefinition mqcd, MQSSLConfigOptions sslConfigOptions)
em IBM.WMQ.MQTCPConnection.ConnectSocket(String localAddr, String connectionName, Int32 options)
0000025F 16:09:30.275342 4300.1 New MQException CompCode: 2 Reason: 2538
This link: https://www.ibm.com/support/knowledgecenter/en/SSFKSJ_9.0.0/com.ibm.mq.dev.doc/q120700_.htm
says that it is necessary to import client certificates into the Windows certificate store (I think this is new from V9):
Configure the client side.
a. Import the client certificates into the Windows certificate store (under the User/Computer account).
IBM MQ .NET accesses client certificates from the Windows certificate store, therefore you must import your certificates into the Windows certificate store to establish a secure socket connection to IBM MQ. For more information about how to access the Windows keystore and import the client side certificates, see Import or export certificates and private keys.
I don’t have skills in SSL and .NET. Is the reason it works with amqmdnet.dll V8, and does not work with amqmdnet.dll V9, this note about importing client certificates into the Windows certificate store?
Any help to solve this problem will be appreciated!!! Kind regards from Brazil……Fernando
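Added example (not part of the original post and not IBM code): a read-only C# check of the two things the trace and the quoted IBM note point at, namely whether Windows itself trusts the queue manager certificate (the `AuthenticationException` text in the trace is what .NET raises when validation of the remote certificate fails) and whether a client certificate with a private key is present in the Windows personal store. The label comes from the `runmqakm` commands above; matching it against the friendly name or subject CN is an assumption made for this check.

```csharp
using System;
using System.Linq;
using System.Security.Cryptography.X509Certificates;

static class MqTlsStoreCheck
{
    // Label taken from the runmqakm commands in the post.
    const string ClientLabel = "ibmwebspheremqds26073";

    static int Main(string[] args)
    {
        if (args.Length != 1)
        {
            Console.Error.WriteLine("usage: MqTlsStoreCheck <queue-manager-cert.crt>");
            return 2;
        }
        // args[0]: certificate extracted on the server with "-format ascii",
        // e.g. ibmwebspheremqbj_qm_sit.crt.
        var serverCert = new X509Certificate2(args[0]);

        // 1. Does the Windows trust store accept the server certificate?
        //    A self-signed certificate that is not in a trusted root store
        //    reports UntrustedRoot here.
        using (var chain = new X509Chain())
        {
            // Skip revocation so the result reflects trust only, not CRL reachability.
            chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;
            bool trusted = chain.Build(serverCert);
            Console.WriteLine($"Server cert {serverCert.Subject}: trusted={trusted}");
            foreach (var s in chain.ChainStatus)
                Console.WriteLine($"  {s.Status}: {s.StatusInformation.Trim()}");
        }

        // 2. Is there a client certificate with a private key in the personal store?
        //    Matching on friendly name or subject CN is an assumption of this check.
        foreach (var location in new[] { StoreLocation.CurrentUser, StoreLocation.LocalMachine })
        {
            using (var store = new X509Store(StoreName.My, location))
            {
                store.Open(OpenFlags.ReadOnly);
                var matches = store.Certificates.Cast<X509Certificate2>()
                    .Where(c => c.FriendlyName.Equals(ClientLabel, StringComparison.OrdinalIgnoreCase)
                             || c.Subject.IndexOf("CN=" + ClientLabel, StringComparison.OrdinalIgnoreCase) >= 0)
                    .ToList();
                Console.WriteLine($"{location}\\My: {matches.Count} match(es) for {ClientLabel}");
                foreach (var c in matches)
                    Console.WriteLine($"  {c.Thumbprint} hasPrivateKey={c.HasPrivateKey} notAfter={c.NotAfter:u}");
            }
        }
        return 0;
    }
}
```

The program only reads the stores; run it under the same Windows account as the MQ client application so that `CurrentUser` refers to the right profile.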
fjb_saper |
Posted: Wed May 22, 2019 5:52 am Post subject: |
|
|
 Grand High Poobah
Joined: 18 Nov 2003 Posts: 20756 Location: LI,NY
|
Fernando,
In the connection properties I am missing the one that defines the connection mode as MQC.TRANSPORT_MQSERIES_CLIENT. This is from memory. Check out the samples and I am sure you will find the correct constants to use.
One example is given with
Code:
properties.Add(MQC.TRANSPORT_PROPERTY, MQC.TRANSPORT_MQSERIES_MANAGED);
Have fun
_________________
MQ & Broker admin