MQSeries.net Forum Index > General IBM MQ Support > self signed certificates not making connection
ammx (Apprentice; joined 08 Sep 2017; 47 posts)
Posted: Sun May 31, 2020 1:39 pm    Post subject: self signed certificates not making connection
Hi! I am trying to make an SSL connection between an MQ server and my machine's MQ (both version 9.0). For both of them I am using self-signed certificates this way:

my machine:
QMGRA(sender)
certificate(CN=localhost.....)
SSLCIPH(TLS_RSA_WITH_AES_256_CBC_SHA256)

remote server:
QMGRB(receiver)
certificate(CN=hostname.xxx.xx)
SSLCIPH(TLS_RSA_WITH_AES_256_CBC_SHA256)
SSLCAUTH(REQUIRED)

The path to the keystores is set correctly in each qmgr and the qmgr CERTLABL name too.

Since this is a one-way message communication (from QMGRA to QMGRB) and the receiver requires a certificate from the other side to validate, I extracted the public key from the QMGRA keystore and placed it in the QMGRB keystore. After this I refreshed the SSL security of each qmgr, but I keep getting the following error message in the QMGRB logs:

AMQ9637: Channel is lacking a certificate.

EXPLANATION:
The channel is lacking a certificate to use for the SSL handshake. The channel
name is '????' (if '????' it is unknown at this stage in the SSL processing).

The remote host is '????'.

Certificates are in place; I don't know what I am missing.

Thanks in advance
bruce2359 (Poobah; joined 05 Jan 2008; 8768 posts; location: US: west coast, almost. Otherwise, enroute.)
Posted: Sun May 31, 2020 2:05 pm
What documented instructions are you following? Are you using the ikeyman utility?
_________________
My life flows on in endless song;
How can I keep from singing?
hughson (Grand Master; joined 09 May 2013; 1485 posts; location: Bay of Plenty, New Zealand)
Posted: Sun May 31, 2020 3:11 pm    Post subject: Re: self signed certificates not making connection
ammx wrote:
Since this is a one-way message communication(from QMGRA to QMGRB) ...


It may be one-way message communication, but if both queue managers have a certificate, then both queue managers will present a certificate to the other side and both queue managers will need to be able to validate the other's certificate.

If you want only one-way certificate presentation and validation, only have a certificate at QMGRB - as you rightly said, the RCVR channel must have a certificate. If you go that route you will need to set SSLCAUTH(OPTIONAL) on the RCVR channel too.

Alternatively, exchange both certificates.

Cheers,
Morag
_________________
Morag Hughson @MoragHughson
IBM MQ Technical Education Specialist
Get your IBM MQ training here!
MQGem Software
ammx
Posted: Tue Jun 02, 2020 10:50 am
Hi, thanks for your replies.

As you said, I emptied the qmgr on the sender side, QM_A, and only left the certificate on the receiver side, QM_V. I also changed the SSLCAUTH to OPTIONAL on the RCVR and refreshed, but none of these worked. I keep getting the error message in the QM_V logs:

AMQ9637: Channel is lacking a certificate.

EXPLANATION:
The channel is lacking a certificate to use for the SSL handshake. The channel
name is '????' (if '????' it is unknown at this stage in the SSL processing).

After I checked the logs I made one last attempt to fix this by removing the cipher from SSLCIPH in the sender, but this only caused the error logs on the sender side to change to:

AMQ9641: Remote CipherSpec error for channel 'QM_A.QM_V' to host 'xxxxxxx'

Could it be possible that the main reason for this is that the certificates are self-signed? Maybe if I changed them to CA-signed that will fix it.

Regards
bruce2359
Posted: Tue Jun 02, 2020 11:47 am
I asked you: what step-by-step procedure are you following to implement certs?
hughson
Posted: Tue Jun 02, 2020 2:42 pm
ammx wrote:
Could it be possible that the main reason for this is that the certificates are self-signed? Maybe if I changed them to CA-signed that will fix it.

No.

It is more likely that you haven't got your certificates labelled correctly. Changing to CA signed and using the same process for labelling as you are currently doing will yield the same results. Let's fix what you have first and then you can move to CA signed certificates later.

You haven't shown us any details about the labels of your certificates. Please can you show us that now.

Cheers,
Morag
ammx
Posted: Wed Jun 03, 2020 5:50 am
@bruce2359, @hughson

These are the commands I followed to create the certificates:

My machine(sender side):

runmqckm -cert -create -db key.kdb -stashed -label qma_cert -dn "CN=localhost,O=EPM,C=US,OU=QM_A" -x509version 3 -expire 365 -sig_alg SHA256WithRSA

Server(receiver side):

runmqckm -cert -create -db key.kdb -stashed -label qmv_cert -dn "CN=host12345.xxxx.xxxx.xxxx.xxx, O=EPM, C=US, OU=QM_V" -x509version 3 -expire 365 -sig_alg SHA256WithRSA

After these I added the cipher in SSLCIPH on both sides and restarted the channels.

Regards
bruce2359
Posted: Wed Jun 03, 2020 6:24 am
One last try here: what step-by-step procedure are you following? Are you looking at some IBM-supplied step-by-step documentation? If so, what exactly?
ammx
Posted: Wed Jun 03, 2020 8:08 am
No, I am not following any step-by-step procedure guideline; I just searched for the commands.
bruce2359
Posted: Wed Jun 03, 2020 11:19 am
ammx wrote:
No, I am not following any step-by-step procedure guideline; I just searched for the commands.

It's a bit more complicated than issuing some commands.

May I suggest googling "+mq step by step ssl certificate installation".
hughson
Posted: Wed Jun 03, 2020 5:06 pm
ammx wrote:
My machine(sender side):

runmqckm -cert -create -db key.kdb -stashed -label qma_cert -dn "CN=localhost,O=EPM,C=US,OU=QM_A" -x509version 3 -expire 365 -sig_alg SHA256WithRSA

Server(receiver side):

runmqckm -cert -create -db key.kdb -stashed -label qmv_cert -dn "CN=host12345.xxxx.xxxx.xxxx.xxx, O=EPM, C=US, OU=QM_V" -x509version 3 -expire 365 -sig_alg SHA256WithRSA

After these I added the cipher in SSLCIPH on both sides and restarted the channels.

You don't mention anywhere whether you set the Certificate Label on each queue manager to reference these certificate labels (since you are using non-standard label names). Have you done the following commands?

Code:
ALTER QMGR CERTLABL('qma_cert')


Code:
ALTER QMGR CERTLABL('qmv_cert')


Cheers,
Morag
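The label problem Morag points to (here and in the earlier "labelled correctly" reply) can be checked before anyone touches the channel. The following is an added example, not code from the thread or from IBM: a small POSIX shell check that works out which certificate label a queue manager will look for (CERTLABL if it is set, otherwise the default `ibmwebspheremq` followed by the queue manager name in lower case) and whether that label is present among the personal certificates in the key repository. The label list and the CERTLABL value are passed in as plain strings so it runs offline; in a real check they would come from `runmqckm -cert -list -db key.kdb -stashed` and `DISPLAY QMGR CERTLABL`. The function names are mine.

```shell
#!/bin/sh
# Added example (not from the thread). Pure POSIX sh, runs offline.
#
# Input is constructed: in a real check the personal labels come from
#   runmqckm -cert -list -db key.kdb -stashed
# (personal certificates are the '-' entries in that listing) and the
# CERTLABL value from "DISPLAY QMGR CERTLABL" in runmqsc.

# Label the queue manager will search for: CERTLABL if set, otherwise the
# default "ibmwebspheremq" + queue manager name folded to lower case.
effective_label() {
  _qmgr=$1
  _certlabl=$2
  if [ -n "$_certlabl" ]; then
    printf '%s\n' "$_certlabl"
  else
    printf 'ibmwebspheremq%s\n' "$(printf '%s' "$_qmgr" | tr 'A-Z' 'a-z')"
  fi
}

# check_certlabl QMGR CERTLABL "label1 label2 ..."
# Prints "ok <label>" when the label the queue manager wants is present,
# otherwise "missing <label>" (the situation behind AMQ9637 at handshake time).
# Exit status 1 on a miss so the check can gate a deployment script.
check_certlabl() {
  _want=$(effective_label "$1" "$2")
  for _l in $3; do
    if [ "$_l" = "$_want" ]; then
      printf 'ok %s\n' "$_want"
      return 0
    fi
  done
  printf 'missing %s\n' "$_want"
  return 1
}

# When the wanted label is missing but the repository holds exactly one
# personal certificate, print the MQSC that would make the queue manager use it.
suggest_fix() {
  _out=$(check_certlabl "$1" "$2" "$3")
  case $_out in
    ok*) printf 'nothing to do\n' ;;
    *)
      set -- $3
      if [ $# -eq 1 ]; then
        printf "ALTER QMGR CERTLABL('%s')\n" "$1"
      else
        printf 'more than one personal certificate, pick one: %s\n' "$*"
      fi
      ;;
  esac
}

# The thread's sender: non-standard label, CERTLABL never set.
if ! check_certlabl QM_A '' 'qma_cert'; then   # prints: missing ibmwebspheremqqm_a
  suggest_fix QM_A '' 'qma_cert'               # prints: ALTER QMGR CERTLABL('qma_cert')
fi
# After ALTER QMGR CERTLABL('qma_cert') and REFRESH SECURITY TYPE(SSL):
check_certlabl QM_A 'qma_cert' 'qma_cert'      # prints: ok qma_cert
```

Run it against the real label list for each queue manager before restarting the channel; a miss here means the handshake will never get as far as validating the peer, whatever the cipher or the peer's trust store contains.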
fjb_saper (Grand High Poobah; joined 18 Nov 2003; 20382 posts; location: LI,NY)
Posted: Thu Jun 04, 2020 5:32 am
And once you've done that, be aware that you're set up for 2-way SSL, which means that each truststore needs to have, at a minimum, the other's signer cert (the public cert of a self-signed cert).
Enjoy
_________________
MQ & Broker admin
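Morag's point earlier in the thread (both queue managers present a certificate and each must validate the other's) and fjb_saper's here (each trust store needs the other side's signer, which for a self-signed certificate is the certificate itself) can be seen without a queue manager. This is an added example, not code from the thread or from IBM: it uses openssl and PEM files as a stand-in for runmqckm and key.kdb, so the commands differ from the MQ ones while the trust logic is the same. The subjects are the DNs posted in the thread; file and function names are mine.

```shell
#!/bin/sh
# Added example (not from the thread). openssl + PEM files stand in for
# runmqckm + key.kdb; the point is the trust relationship, not the MQ syntax.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Self-signed certificate for one queue manager. $1 file prefix, $2 subject DN.
# The MQ counterpart is "runmqckm -cert -create ... -label <prefix> -dn <DN>".
make_selfsigned() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
    -subj "$2" -keyout "$WORK/$1.key" -out "$WORK/$1.crt" >/dev/null 2>&1
}

# Would a peer whose trust store is the PEM bundle $1 accept certificate $2?
# The output is matched rather than the exit code because old openssl
# releases returned 0 from "verify" even when verification failed.
peer_trusts() {
  if openssl verify -CAfile "$1" "$2" 2>/dev/null | grep -q ': OK$'; then
    echo trusted
  else
    echo untrusted
  fi
}

# Same DNs as in the thread (the hostname placeholder is left as posted).
make_selfsigned qma '/CN=localhost/O=EPM/C=US/OU=QM_A'
make_selfsigned qmv '/CN=host12345.xxxx.xxxx.xxxx.xxx/O=EPM/C=US/OU=QM_V'

# Starting point of the original post: each key repository holds only its own
# certificate, so each side trusts only itself.
cp "$WORK/qma.crt" "$WORK/qma.trust"
cp "$WORK/qmv.crt" "$WORK/qmv.trust"

# QM_V (receiver, SSLCAUTH(REQUIRED)) validating the certificate QM_A presents:
# nothing in QM_V's store issued it, so the handshake would fail at this point.
before=$(peer_trusts "$WORK/qmv.trust" "$WORK/qma.crt")

# The exchange: with self-signed certificates the "signer" is the certificate
# itself, so each side adds the other's certificate (never its private key)
# to its trust store. In MQ terms: "runmqckm -cert -extract" on one side,
# "runmqckm -cert -add" on the other, then REFRESH SECURITY TYPE(SSL).
cat "$WORK/qma.crt" >> "$WORK/qmv.trust"
cat "$WORK/qmv.crt" >> "$WORK/qma.trust"

v_trusts_a=$(peer_trusts "$WORK/qmv.trust" "$WORK/qma.crt")   # receiver checks sender
a_trusts_v=$(peer_trusts "$WORK/qma.trust" "$WORK/qmv.crt")   # sender checks receiver
# The second direction is needed even for one-way authentication (no certificate
# at the sender, SSLCAUTH(OPTIONAL) on the RCVR): the SDR still validates the RCVR.

summary() { printf '%s %s %s\n' "$before" "$v_trusts_a" "$a_trusts_v"; }
summary   # untrusted trusted trusted
```

The first result is the state the original poster was in; the two "trusted" results are what the exchange of public certificates buys. Switching to CA-signed certificates only changes which certificate has to sit in the other side's store (the CA's instead of the peer's own), which is why Morag says it would not fix the problem on its own.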
ammx
Posted: Tue Jun 16, 2020 11:24 am
The problem was solved by configuring the SSL into another server, instead of my personal machine.