MQ

  • 1.  .NET client in Docker: SSL authentication

    Posted Fri September 22, 2023 10:46 AM

    Hi all - new here

    I am developing a .NET Core 6 C# application to write a message to a queue. The app must connect to a queue manager using a client certificate for authentication. However, the application is deployed to a Docker (Linux) container. I have found little to no information about:

    • how and where to create the keystore in Linux. (I can use openssl to create the p12 keystore which contains the private key, certificate and CA certs, but where should I "install" this keystore? How should I configure the location (and password) of the keystore?)
    • how to set the "Certificate label" in the keystore. (Is the certificate's CN the label? Is the label crucial for connecting successfully, or can I simply omit it?)
    • what to include in the app to enable the use of the certificate (is setting MQEnvironment.SSLCipherSpec and .SSLKeyRepository sufficient to indicate SSL auth?)

    My prime/only source of information is IBM Documentation. I have tried many things, but only get: "'MQRC_SSL_INITIALIZATION_ERROR', reason '2393'"

    I would really appreciate more information to give me better insight into what is required.

    Thanks in anticipation



    ------------------------------
    Stoffel van Aswegen
    ------------------------------


  • 2.  RE: .NET client in Docker: SSL authentication

    Posted Sun September 24, 2023 05:37 AM

    Hi Stoffel,

    I'll admit to not being a .NET expert. Experts in this area would probably know from the phrase ".NET Core 6 C# application" whether that means you are using the managed or non-managed .NET client. So I'll answer the bits I can, and hopefully either you know which you are using, or someone else will jump in and help out on that bit.

    If you are using the non-managed .NET Client, then essentially you just have the traditional C client underneath. In which case:

    • You don't need to "install" this keystore, simply refer to it. You already mentioned the field SSLKeyRepository. Make sure you supply the name and the extension so that MQ knows it is a PKCS#12 keystore. This feature was added in a recent release, and previously you could only use a KDB, and had to leave off the extension. Now with the choice of types (PKCS#12 or KDB) the extension is both tolerated and sometimes required. The password can also be supplied in SSLKeyRepositoryPassword. This can either be plain text or encrypted, and the runmqicred utility will sort out the encryption for you.
    • The certificate label should be supplied in the same way using the CertificateLabel field. You only need to supply the Certificate Label if you have invented your own label name rather than following the originally required MQ label name format, ibmwebspheremq<logged-on-user>. These days (since V8) you can use any label you want and just provide it along with the keystore name.
    • Yes, you need to provide the SSLCipherSpec.

    If you are using the managed .NET Client, then:

    Regardless of which you are using, the appropriate label for the certificate is, I believe, crucial. It is how the correct certificate is located in the keystore or certificate store in order to present it to the queue manager for validation as part of the SSL/TLS handshake.

    It might be helpful to show us a snippet of your code too, then we could have a better idea of what you're struggling with. Hopefully some of the above will help though.

    Cheers,
    Morag



    ------------------------------
    Morag Hughson
    MQ Technical Education Specialist
    MQGem Software Limited
    Website: https://www.mqgem.com
    ------------------------------



  • 3.  RE: .NET client in Docker: SSL authentication

    Posted Mon September 25, 2023 01:03 AM

    Hi,
    On Linux, the .NET keystore exists in a directory something similar to ".dotnet/corefx/cryptography/x509stores", but you cannot add a certificate manually to that path, and any manual modification of this directory is not recommended.
    You need to use a .NET application to install the certificates into the keystore. The blog below might be useful:
    Running MQ .NET Core application on Linux

    MQ .NET 6 applications are supported only in Managed mode. Setting the SSLCipherSpec and KeyRepository/SSL_CERT_STORE_PROPERTY should be sufficient for the .NET applications to enable SSL connectivity.

    Thanks,
    Ram



    ------------------------------
    Ram Subba Rao Chalamalasetti
    ------------------------------
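    The two replies above describe the managed-client configuration in prose only. What follows is an added example written for this thread (it is not code from Morag, Ram or IBM): a .NET 6 console app that imports a PKCS#12 into the per-user X509 store through the .NET API, as Ram's reply requires on Linux, and then connects to a queue manager over TLS with the managed IBM MQ client. The host, port, channel, queue, cipher spec and secret paths are placeholders; the `MQC.*` property names are the ones from the IBM MQ .NET API (`MQC.SSL_CERT_STORE_PROPERTY` is the one Ram names), and the `"*USER"` store value is an assumption to be checked against the IBM documentation for your client level. Whether `CERT_LABEL_PROPERTY` is matched by friendly name or by something else on Linux is exactly the open question in the later reply, so it is read from the environment here rather than hardcoded.

```csharp
// Added example for this thread, not IBM's or the posters' code.
// Imports a PKCS#12 client certificate into CurrentUser/My (the per-user
// X509 store the managed MQ .NET client reads on Linux) and connects
// over TLS. Every name that is not an MQC constant is a placeholder.
using System;
using System.Collections;
using System.IO;
using System.Security.Cryptography.X509Certificates;
using IBM.WMQ;   // IBMMQDotnetClient NuGet package

static class MqTlsClient
{
    // Load the PKCS#12 through the .NET API instead of writing into
    // ~/.dotnet/corefx/cryptography/x509stores by hand, which is unsupported.
    static X509Certificate2 ImportClientCert(string p12Path, string password)
    {
        var cert = new X509Certificate2(p12Path, password,
            X509KeyStorageFlags.PersistKeySet | X509KeyStorageFlags.Exportable);
        using var store = new X509Store(StoreName.My, StoreLocation.CurrentUser);
        store.Open(OpenFlags.ReadWrite);
        store.Add(cert);   // adding an already-present thumbprint is a no-op
        return cert;
    }

    // Keep the keystore password out of the image and out of the code:
    // prefer a mounted secret file, fall back to an environment variable.
    static string ReadSecret(string secretFile, string envVar)
    {
        if (File.Exists(secretFile)) return File.ReadAllText(secretFile).Trim();
        return Environment.GetEnvironmentVariable(envVar)
            ?? throw new InvalidOperationException($"{envVar} is not set");
    }

    static int Main()
    {
        // Hypothetical mount points for a Docker/Kubernetes secret.
        string p12Path = Environment.GetEnvironmentVariable("MQ_CLIENT_P12")
                         ?? "/run/secrets/mq-client.p12";
        string p12Pass = ReadSecret("/run/secrets/mq-client-p12-password",
                                    "MQ_CLIENT_P12_PASSWORD");

        X509Certificate2 cert = ImportClientCert(p12Path, p12Pass);
        Console.WriteLine($"Imported {cert.Subject} (thumbprint {cert.Thumbprint})");

        var props = new Hashtable
        {
            { MQC.TRANSPORT_PROPERTY, MQC.TRANSPORT_MQSERIES_MANAGED },
            { MQC.HOST_NAME_PROPERTY, "qm1.example.internal" },   // placeholder
            { MQC.PORT_PROPERTY, 1414 },
            { MQC.CHANNEL_PROPERTY, "APP.TLS.SVRCONN" },           // placeholder
            // Must match the SVRCONN channel's SSLCIPH exactly.
            { MQC.SSL_CIPHER_SPEC_PROPERTY, "TLS_RSA_WITH_AES_128_GCM_SHA256" },
            // Assumption: "*USER" selects the CurrentUser store populated above.
            { MQC.SSL_CERT_STORE_PROPERTY, "*USER" },
        };
        // How the label is matched on Linux is unresolved in the thread;
        // pass it through so it can be tuned without a rebuild.
        string? label = Environment.GetEnvironmentVariable("MQ_CERT_LABEL");
        if (!string.IsNullOrEmpty(label))
            props[MQC.CERT_LABEL_PROPERTY] = label;

        try
        {
            var qmgr = new MQQueueManager("QM1", props);        // placeholder name
            MQQueue queue = qmgr.AccessQueue("APP.REQUEST",      // placeholder name
                MQC.MQOO_OUTPUT | MQC.MQOO_FAIL_IF_QUIESCING);
            var msg = new MQMessage();
            msg.WriteString("hello over mutual TLS");
            queue.Put(msg, new MQPutMessageOptions());
            queue.Close();
            qmgr.Disconnect();
            Console.WriteLine("Message put over TLS");
            return 0;
        }
        catch (MQException e)
        {
            // 2393 is MQRC_SSL_INITIALIZATION_ERROR, the code from the original post;
            // the client trace and the queue manager's AMQERR01.LOG say which side refused.
            Console.Error.WriteLine($"MQ error {e.ReasonCode}: {e.Message}");
            return 1;
        }
    }
}
```

    Mount the `.p12` and its password as runtime secrets rather than copying them into an image layer, and run the container as the same unprivileged user that executes the import, since the X509 store is per-user. If the connection still fails with 2393, enable the managed client trace to see which label the client actually looked for (the later reply in this thread shows it defaulting to `ibmwebspheremq<user>`) and compare it with the certificate you imported.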



  • 4.  RE: .NET client in Docker: SSL authentication

    Posted Wed December 27, 2023 03:33 AM

    What should I put in CertificateLabel, if I'm using the .NET client in Docker? I installed the certificate from X509Store but X509Certificate2 does not support FriendlyName on Linux. My MQ client logs show "Accessing certificate - ibmwebspheremqroot" but my certificate does not have a FriendlyName because it is not supported on Linux.



    ------------------------------
    Kammm
    ------------------------------



  • 5.  RE: .NET client in Docker: SSL authentication

    Posted Mon September 25, 2023 04:40 AM

    Maybe the github contains https://github.com/ibm-messaging what you need



    ------------------------------
    Matthias Jungbauer
    ------------------------------



  • 6.  RE: .NET client in Docker: SSL authentication

    Posted Wed December 27, 2023 03:35 AM

    Problem has been resolved? I have the same error



    ------------------------------
    Kammm
    ------------------------------