Channel lacking a certificate issue
dextermbmq
PostPosted: Tue Jun 16, 2020 12:15 pm    Post subject: Channel lacking a certificate issue

Voyager

Joined: 26 Jul 2014
Posts: 77

IBM MQ v9.1.0.1
Client is Java based application running on Oracle JRE hence using -Dcom.ibm.mq.cfg.useIBMCipherMappings=false with TLS Cipher TLS_RSA_WITH_AES_128_CBC_SHA256


Hi All,

Currently a Java based application is connecting to MQ over One Way SSL.

CHANNEL(OCS_ESB_SVRCONN) CHLTYPE(SVRCONN)
MCAUSER(<appuserid>)
SSLCIPH(TLS_RSA_WITH_AES_128_CBC_SHA256) SSLCAUTH(OPTIONAL)

I am changing the One way ssl mode to mutual auth by updating the channel definition as :

CHANNEL(OCS_ESB_SVRCONN) CHLTYPE(SVRCONN)
MCAUSER(<appuserid>)
SSLCIPH(TLS_RSA_WITH_AES_128_CBC_SHA256) SSLCAUTH(REQUIRED)

The client certificate is copied into the Queue Manager repository. However, an attempt to start the channel gives

AT QUEUE MANAGER AMQ9637E: Channel is lacking a certificate.
AT APPLICATION AMQ9503: Channel negotiation failed

From the below link this means a missing client personal certificate, i.e. the client is either not sending a certificate or it's not copied into the QMgr repository (however in my case it's copied)

https://www.ibm.com/support/knowledgecenter/SSFKSJ_8.0.0/com.ibm.mq.tro.doc/q123400_.htm

When I put the debug mode on to check the Java application initiation logs I see the below log entry before the MQ errors start to come up, which for some reason says "no suitable certificate found"


*** ServerHelloDone
[read] MD5 and SHA1 hashes: len = 4
0000: 0E 00 00 00 ....
Warning: no suitable certificate found - continuing without client authentication
*** Certificate chain
<Empty>
***
update handshake state: certificate[11]
upcoming handshake states: client_key_exchange[16]


I see a post which points to similar issue
https://www.ibm.com/support/pages/apar/IT10837

The Oracle JVM did not create a default internal key manager
object for TLS socket connections, meaning that the client's
signed personal certificates were not available for client
authentication during the handshake, causing the connection
attempt to fail.

But my MQ version is 9.1.0.1 and this error seems to have been fixed already in 8.5.0.5.

Could someone please help me or guide me in the right direction. I have not slept for the last 48 hrs due to this issue

Vitor
PostPosted: Tue Jun 16, 2020 12:19 pm    Post subject:

Grand High Poobah

Joined: 11 Nov 2005
Posts: 26093
Location: Texas, USA

Wouldn't you need the signer certificate at the queue manager end to make up the keychain?

Java.

Bah.

Java.
_________________
Honesty is the best policy.
Insanity is the best defence.
dextermbmq
PostPosted: Tue Jun 16, 2020 12:38 pm    Post subject:

Voyager

Joined: 26 Jul 2014
Posts: 77

Yes. The MQ key repository is already configured with a CA-signed cert. The MQ public cert is also copied into the client's truststore (that was how the one-way authentication was working: the Java client was validating the MQ public cert from its truststore). However, the issue is when SSLCAUTH is set to REQUIRED and the Queue Manager has to check the application cert.
hughson
PostPosted: Tue Jun 16, 2020 1:17 pm    Post subject:

Padawan

Joined: 09 May 2013
Posts: 1914
Location: Bay of Plenty, New Zealand

Your question does not tell us what you did at the client to change it to send a certificate. Could you tell us what steps you took to change things at the client please?

Cheers,
Morag
_________________
Morag Hughson @MoragHughson
IBM MQ Technical Education Specialist
Get your IBM MQ training here!
MQGem Software
dextermbmq
PostPosted: Tue Jun 16, 2020 4:42 pm    Post subject:

Voyager

Joined: 26 Jul 2014
Posts: 77

Thanks Morag, I got your point and almost fixed the issue. Doing final checks and configs. So, I was integrating Kafka with MQ via the MQ Kafka connector, wherein we have the option of setting keystore / truststore files and passwords in the distributedworker properties file for Kafka-specific connectivity. I was of the view that the communication for MQ would also be using the same properties file for keystore and truststore; however, it looks like that is not the case. I had to specifically set the keystore and truststore as below:


export EXTRA_ARGS="-Dcom.ibm.mq.cfg.useIBMCipherMappings=false -Djavax.net.ssl.keyStore='key.jks' -Djavax.net.ssl.keyStorePassword='<xxx>' -Djavax.net.debug=all -Djavax.net.ssl.trustStore=truststore.jks -Djavax.net.ssl.trustStorePassword=<xxxx>"

and everything worked like a charm
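An added pre-flight check (example code written for this thread, not from the poster, IBM or the Kafka connector) that reproduces the JSSE decision behind the "no suitable certificate found" warning seen above: it loads the keystore named by the same -Djavax.net.ssl.keyStore properties and asks the key manager for an RSA client alias. The file names and the password default are assumptions.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.X509KeyManager;

/** Pre-flight check for an MQ Java client that must present a certificate (SSLCAUTH(REQUIRED)). */
public class MqClientCertCheck {

    // Assumed defaults; at run time pass the same -Djavax.net.ssl.* properties the MQ client JVM gets.
    static final String KEYSTORE = System.getProperty("javax.net.ssl.keyStore", "key.jks");
    static final String KEYSTORE_PW = System.getProperty("javax.net.ssl.keyStorePassword", "changeit");

    /** Builds the same X509KeyManager JSSE uses when javax.net.ssl.keyStore is set. */
    static X509KeyManager keyManagerFor(String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType()); // JKS or PKCS12
        try (FileInputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(ks, password);
        return (X509KeyManager) kmf.getKeyManagers()[0];
    }

    /** Alias JSSE would offer for an RSA client certificate, or null (the failing case). */
    static String chooseRsaClientAlias(X509KeyManager km) {
        // TLS_RSA_WITH_AES_128_CBC_SHA256 needs an RSA key pair; a null here is the condition behind
        // "no suitable certificate found - continuing without client authentication". In the real
        // handshake the queue manager also sends the DNs of the CAs in its key repository and JSSE
        // offers only a chain issued by one of them, so the signer cert must be on both sides.
        return km.chooseClientAlias(new String[] {"RSA"}, null, null);
    }

    public static void main(String[] args) throws Exception {
        X509KeyManager km = keyManagerFor(KEYSTORE, KEYSTORE_PW.toCharArray());
        String alias = chooseRsaClientAlias(km);
        if (alias == null) {
            System.err.println(KEYSTORE + " has no RSA PrivateKeyEntry: it holds only trusted certs,"
                    + " or the keyStore property never reached this JVM (the Kafka Connect case above)");
            System.exit(1);
        }
        System.out.println("client alias: " + alias);
        for (X509Certificate c : km.getCertificateChain(alias)) {
            System.out.println("  subject=" + c.getSubjectX500Principal()
                    + "  issuer=" + c.getIssuerX500Principal());
        }
        // The last issuer printed must be in the queue manager's key repository, else AMQ9637E follows.
    }
}
```

Run it with the exact -D properties the MQ client JVM receives; an exit code of 1 means the handshake will continue without a client certificate and the queue manager will report AMQ9637E.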
hughson
PostPosted: Tue Jun 16, 2020 8:27 pm    Post subject:

Padawan

Joined: 09 May 2013
Posts: 1914
Location: Bay of Plenty, New Zealand

Great stuff