Hello,
I'm trying to set up a TLS connection from MQInput and MQOutput nodes on my ACE 11 developer edition for educational purposes.
I have an MQ 9.1.5.0 running on a separate VM. The ACE 11 VM also has a local queue manager, mainly for the nodes that have dependencies.
The remote queue manager has a channel setup that basically works with TLS (using another application than ACE). When setting SSLCHLAUTH to OPTIONAL, the MQ nodes on ACE do connect. The error I get when trying to connect from ACE to MQ with TLS is RC 2393, which means MQRC_SSL_INITIALIZATION_ERROR. This usually indicates that the application trying to access the keystore can't for some reason, the application in this case being ACE 11.
The Knowledge Center is rather confusing on this subject and I cannot find any examples on the web.
My starting point was this page: Viewing and setting keystore and truststore runtime properties at integration node level
Most confusing is this KC document where some of the examples don't work: mqsireportdbparms command
The first example:
mqsireportdbparms integrationNodeName -n *
When executed with my integrationNodeName, it fails with:
[mqbrkrs@tace01 ~]$ mqsireportdbparms GublerITNode -n *
BIP8119W: Lists the credentials of resources that are associated with an integration node.
Syntax (1):...
So my approach has been:
Setting the Node MQConnection values.
"SSL peer name" is the remote queue manager.
Setting the IntegrationNode (broker) properties:
[mqbrkrs@tace01 ~]$ mqsireportproperties GublerITNode -o BrokerRegistry -r
BIP8842I: Reporting the persisted properties for the running integration node 'GublerITNode' which may be different from the properties currently in use.
BrokerRegistry
allowSNI=''
allowSSLv3=''
brokerCRLFileList=''
brokerEnableCRLDP=''
brokerKerberosConfigFile=''
brokerKerberosKeytabFile=''
brokerKeystoreFile='/home/mqbrkrs/key.jks'
brokerKeystorePass='brokerKeyStore::password'
brokerKeystoreType='JKS'
brokerTruststoreFile='/home/mqbrkrs/key.jks'
brokerTruststorePass='brokerTrustStore::password'
brokerTruststoreType='JKS'
httpConnectorPortRange=''
httpsConnectorPortRange=''
mqCCDT=''
mqKeyRepository='/home/mqbrkrs/key'
reenableCertificateAlgorithms=''
reenableTransportAlgorithms=''
BIP8071I: Successful command completion.
Setting the IntegrationServer (Execution Group) properties:
[mqbrkrs@tace01 ~]$ mqsireportproperties GublerITNode -o ComIbmJVMManager -a -e EGTest02
....
keystoreFile='/home/mqbrkrs/key.jks'
keystorePass='brokerKeystore::password'
keystoreType='JKS'
truststoreFile='/home/mqbrkrs/key.jks'
truststorePass='brokerTruststore::password'
truststoreType='JKS'
active
allowSNI=''
allowSSLv3=''
keystoreFile='/home/mqbrkrs/key.jks'
keystorePass='brokerKeystore::password'
keystoreType='JKS'
resourceStatsReportingOn='true'
serverRestartRequired='false'
truststoreFile='/home/mqbrkrs/key.jks'
truststorePass='brokerTruststore::password'
truststoreType='JKS'
...
BIP8071I: Successful command completion.
Setting the dbparams:
mqsireportdbparms GublerITNode -n brokerTrustStore::password -u mqbrkrs -p xxx
mqsireportdbparms GublerITNode -n brokerKeyStore::password -u mqbrkrs -p xxx
Restarting the IntegrationNode and starting the flow.
It results in:
AMQ9642E: No SSL or TLS certificate for channel 'TMQHUBHA1.APP1'.
EXPLANATION:
The channel 'TMQHUBHA1.APP1' did not supply a certificate to use during SSL or
TLS handshaking, but a certificate is required by the remote queue manager.
What am I missing? Is there any step-by-step guide available?
Kind Regards,
Gerhard
------------------------------
Gerhard Gubler
Software Engineer
------------------------------
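
Added example (not part of the original post, and not IBM code): a Python cross-check of the credential aliases referenced by the *Pass properties in the quoted mqsireportproperties output against the resource names given to -n in the dbparms commands. It assumes alias names are compared case-sensitively; the sample data is constructed from the lines quoted in the post, and the function names are hypothetical.

```python
import re

# Constructed sample: *Pass property lines as quoted in the post
# (node-level BrokerRegistry first, then server-level ComIbmJVMManager).
REPORTED = """\
brokerKeystorePass='brokerKeyStore::password'
brokerTruststorePass='brokerTrustStore::password'
keystorePass='brokerKeystore::password'
truststorePass='brokerTruststore::password'
"""
# Resource names passed to -n in the two dbparms commands in the post.
STORED = ["brokerTrustStore::password", "brokerKeyStore::password"]

ALIAS_RE = re.compile(r"^\s*(\w+Pass)='([^']*)'\s*$")

def referenced_aliases(report_text):
    """Map each *Pass property to the set of non-empty alias values reported."""
    refs = {}
    for line in report_text.splitlines():
        m = ALIAS_RE.match(line)
        if m and m.group(2):
            refs.setdefault(m.group(1), set()).add(m.group(2))
    return refs

def check_aliases(report_text, stored):
    """Return (property, alias, status) for every referenced alias.

    status is 'ok', 'case-mismatch with <stored name>' or 'missing'.
    Assumption: the runtime looks the alias up by exact, case-sensitive name.
    """
    exact = set(stored)
    folded = {s.lower(): s for s in stored}
    findings = []
    for prop, aliases in sorted(referenced_aliases(report_text).items()):
        for alias in sorted(aliases):
            if alias in exact:
                status = "ok"
            elif alias.lower() in folded:
                status = "case-mismatch with " + folded[alias.lower()]
            else:
                status = "missing"
            findings.append((prop, alias, status))
    return findings

if __name__ == "__main__":
    for prop, alias, status in check_aliases(REPORTED, STORED):
        print(f"{prop:22} {alias:30} {status}")
```

On the values quoted in the post, the node-level aliases match the stored names exactly, while the server-level keystorePass and truststorePass aliases differ from them only in letter case.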