
MQ Explorer and certificate selection

  • 1.  MQ Explorer and certificate selection

    Posted Mon August 15, 2022 01:34 PM
    Hello,

    I'm trying to find out how MQ Explorer selects the certificate to present in the case of a channel with TLS enabled.
    I have not found a way to specify a CERTLABEL in the MQ Explorer configuration.
    My hope was that a certificate with a label like "ibmwebspheremq<user>" would be chosen, but apparently this is not the case.

    If there is a valid certificate in the store, MQ Explorer selects it and presents it to the Queue Manager, even if the label has no relation to the account used.
    As I plan to filter via a CHLAUTH based rule on the certificate fields, this bothers me a bit.

    Any idea how to specify a CERTLABEL in this case?
    Thanks

    ------------------------------
    Luc-Michel Demey
    DEMEY CONSULTING
    lmd@demey-consulting.fr
    #IBMChampion
    ------------------------------


  • 2.  RE: MQ Explorer and certificate selection

    Posted Tue August 16, 2022 12:39 AM

    The MQ Explorer is written in Java, and so uses a JKS certificate store. It is not possible to CHOOSE a certificate to send from a JKS store. This is why there is no certificate label configuration in MQ Explorer, and equally also why it does not select a certificate with a label based on your user name.

    The Java SSL handshake code will select a certificate to send based on what the queue manager can validate - it learns which signers the queue manager has, and if it has a match, it will send the one that matches.

    If you have multiple personal certificates in your JKS and more than one of them could be validated as a result of the signers your queue manager has, then I believe it is undefined which certificate will be sent. If you want to ensure exactly one (or none) then only have one personal certificate in your JKS.

    I wish I could find a resource for you to read to explain this, but I have failed to find one. My memory is hazy, so if I have some of the exact technical details incorrect, I apologize in advance, but I hope that this at least gives you the gist of it.

    Cheers,
    Morag



    ------------------------------
    Morag Hughson
    MQ Technical Education Specialist
    MQGem Software Limited
    Website: https://www.mqgem.com
    ------------------------------



  • 3.  RE: MQ Explorer and certificate selection

    Posted Tue August 16, 2022 12:19 PM
    Hello Morag,
    Thank you for this confirmation.
    I have read a lot of articles on the subject, old and new, including yours, and this was the conclusion I came to (although I didn't know the selection mechanism if several certificates are present).

    @FrancoisBrandelik :
    I also tried with a CCDT, which allows specifying a CERTLABEL. In this case, I have on the MQ Explorer side: "Unexpected error 2596 / AMQ4999", and on the Queue Manager side "AMQ9665E: SSL connection closed by remote end of channel '????'".

    I also realised that using a CCDT for MQ Explorer removes the possibility to specify a user and a password for the connection. This is a bit of a shame.

    Regards.

    ------------------------------
    Luc-Michel Demey
    DEMEY CONSULTING
    lmd@demey-consulting.fr
    #IBMChampion
    ------------------------------



  • 4.  RE: MQ Explorer and certificate selection

    Posted Tue August 16, 2022 12:49 PM
    Hi Luc-Michel,

    I thought you had noticed with the CCDT the possibility of using the mqccred client side security exit that provides username and password (you can force it).

    Thanks

    ------------------------------
    Francois Brandelik
    ------------------------------



  • 5.  RE: MQ Explorer and certificate selection

    Posted Tue August 16, 2022 04:08 AM
    Luc-Michel,

    What you are looking for is a CCDT. You should be able to specify a cert label there. This should then be the label of the client.
    Hope it helps.

    ------------------------------
    Francois Brandelik
    ------------------------------



  • 6.  RE: MQ Explorer and certificate selection

    Posted Wed August 17, 2022 12:47 PM
    I have done a fair bit of IBM MQ Java TLS programming, read through most of the JSSE reference document, and I have never come across a way to specify in Java the label to read for the privateKeyEntry from the JKS. If someone does know a way to do this, please share. Assuming there is no way to programmatically access a specific privateKeyEntry from a JKS by label name, what I have observed is that it is random which privateKeyEntry is chosen when there are multiple ones in the JKS. More disturbingly, I have even seen JSSE choose expired privateKeyEntry certs (when valid ones were also available), and send them to the remote end. The recommendation I give our IBM MQ Java programmers is only have one privateKeyEntry in the JKS.

    ------------------------------
    Tim Zielke
    ------------------------------



  • 7.  RE: MQ Explorer and certificate selection

    Posted Wed August 17, 2022 01:01 PM
    The Java API allows you to choose a cert according to its label. It is just that normally it doesn't specify any label in the current Java-only implementation. However, if you look at ACE, which is also using a JKS keystore, you do specify the label for outgoing connections... This is why I believe if you use the CCDT and specify the label it should work.

    ------------------------------
    Francois Brandelik
    ------------------------------



  • 8.  RE: MQ Explorer and certificate selection

    Posted Thu August 18, 2022 03:39 AM
    The private key in the client is selected from those in the keystore.
    1. The logic selects those which have a matching Certificate Authority (basically the server sends down "I can only validate certificates signed by the following certificate authorities").
    2. Checks the supported type, e.g. DSA or RSA.
    3. Then the keys are filtered on signature algorithms sent from the server; for example, if the server only supports TLS 1.3, then only private keys with TLS 1.3 will be selected. If your private key has been generated with TLS 1.2 cipher specs, then no certificate will be found.
    "Debugging TLS - an easier way" gives examples of the data in a flow.

    Given those filters, one is picked and sent to the server.

    On a Java program I think you can specify X509Certificate x509 = (X509Certificate) keyStore.getCertificate(alias); and pass in the name you want. It still has to pass the filters above.
    Colin

  • 9.  RE: MQ Explorer and certificate selection

    Posted Thu August 18, 2022 10:15 AM
    When I look at the Java KeyStore class, I now see how you can programmatically create an empty KeyStore instance, and then read in a specific privateKeyEntry by label from another KeyStore into your empty instance. So that explains how you can programmatically reference just one privateKeyEntry for TLS by label, by building an in-memory KeyStore with just the certs that you want from another JKS located on disk, and then setting that in-memory KeyStore to your KeyManagerFactory. I will try that out, when I have time.

    ------------------------------
    Tim Zielke
    ------------------------------
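    An added example (not code from this thread, from IBM MQ, or from any poster) of the approach Tim describes: copy one PrivateKeyEntry by label from the on-disk JKS into an empty in-memory KeyStore and feed only that to the KeyManagerFactory, so JSSE's selection filters (Colin's steps 1-3) have a single candidate. The file path, passwords and label "ibmwebspheremqalice" are hypothetical; the validity check before the handshake is added here to fail early rather than let JSSE present an expired certificate.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

public class SingleLabelKeyStore {

    // Copies exactly one PrivateKeyEntry (identified by its alias/label) from the
    // on-disk JKS into an empty in-memory KeyStore, so JSSE has only one candidate.
    static KeyStore extractEntry(String jksPath, char[] storePass,
                                 String alias, char[] keyPass) throws Exception {
        KeyStore onDisk = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(jksPath)) {
            onDisk.load(in, storePass);
        }
        KeyStore.ProtectionParameter prot = new KeyStore.PasswordProtection(keyPass);
        KeyStore.Entry entry = onDisk.getEntry(alias, prot);
        if (!(entry instanceof KeyStore.PrivateKeyEntry)) {
            throw new IllegalArgumentException(
                "No PrivateKeyEntry with label '" + alias + "' in " + jksPath);
        }
        // Reject an expired/not-yet-valid leaf ourselves; JSSE would otherwise send it.
        X509Certificate leaf =
            (X509Certificate) ((KeyStore.PrivateKeyEntry) entry).getCertificate();
        leaf.checkValidity();

        KeyStore inMemory = KeyStore.getInstance("JKS");
        inMemory.load(null, null);            // load(null) creates an empty store
        inMemory.setEntry(alias, entry, prot);
        return inMemory;
    }

    // Builds an SSLContext whose key manager can only ever present the single entry.
    // The resulting ctx.getSocketFactory() is what you hand to the MQ client
    // (for the classes for Java: MQEnvironment.sslSocketFactory).
    static SSLContext buildContext(KeyStore oneEntry, char[] keyPass,
                                   KeyStore trustStore) throws Exception {
        KeyManagerFactory kmf =
            KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(oneEntry, keyPass);
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx;
    }
}
```

    Because the trust store is passed separately, the signer certificates the queue manager's CA list is matched against stay where they were; only the client's own identity is narrowed to one label.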



  • 10.  RE: MQ Explorer and certificate selection

    Posted Thu August 18, 2022 03:42 PM
    Validated that this does work. Very cool, and thanks for sharing!

    ------------------------------
    Tim Zielke
    ------------------------------