MQ


MQ TLS verification tool

  • 1.  MQ TLS verification tool

    Posted Mon July 26, 2021 03:58 PM
    Hello,
    I'm looking for a simple tool that would validate an MQ connection via TLS-enabled channels.
    Every time we renew a cert in qmgr (A), we need to validate that a client is able to successfully establish a connection.

    When I renew a cert in the server qmgr (A),
    I create a CSR, copy the .arm file and upload it on the CA website.
    The CA signs the CSR and sends me a zip file containing (Intermediate, Root and ServerCertificate). We receive them into the qmgr (A) kdb.

    In order to validate, I picked MQ Explorer as one of the clients (C1), but I have a few questions to get an understanding of this.

    I created a kdb (jks) on my local PC (C1) where my MQ Explorer runs.
    What are the certs that my local kdb needs to establish a connection with the remote qmgr (A) (TLS-enabled channel - SSLCAUTH(REQUIRED))?

    Please share your ideas or any documentation that would help me get clarity on this topic.

    Thanks,
    Vignesh




    ------------------------------
    Vignesh
    ------------------------------


  • 2.  RE: MQ TLS verification tool

    Posted Mon July 26, 2021 04:10 PM
    Vignesh,

    The client needs to have the CA certs, that signed the remote server's ssl certificate, so it can accept the certificate.  Similarly, the remote server must have the CA certs that signed the client ssl certificate.  If either of those are not signed by a certificate authority (i.e. a self-signed certificate), then the public portion of the self signed cert needs to be supplied to the other side and added as a certificate authority to the appropriate keyring.

    ------------------------------
    Peter
    ------------------------------



  • 3.  RE: MQ TLS verification tool

    Posted Tue July 27, 2021 05:27 PM
    Hi Peter,
    Thank you for the note!

    Server qmgr (A) kdb has the CA certs (Root, Intermediate, ServerCertificate).
    Client (C1) kdb has only the Root cert from the CA (it is the same one that the qmgr (A) kdb has).

    However, when I run my code, I'm getting MQRC_SSL_INITIALIZATION_ERROR, and in the qmgr (A) error log I see "AMQ9637E: During handshake, the remote partner sent no certificate."


    ------------------------------
    Vignesh
    ------------------------------



  • 4.  RE: MQ TLS verification tool

    IBM Champion
    Posted Tue July 27, 2021 06:12 PM
    Your Client (C1) kdb doesn't appear to have a certificate identifying the client in it? If your SVRCONN is defined to use SSLCAUTH(REQUIRED) then the queue manager will bounce the connect with that error message.

    ------------------------------
    Morag Hughson
    MQ Technical Education Specialist
    MQGem Software Limited
    Website: https://www.mqgem.com
    ------------------------------



  • 5.  RE: MQ TLS verification tool

    Posted Wed July 28, 2021 12:34 PM
    Thank you! Yes, I don't have a personal certificate in my client (C1) kdb.

    My client is anonymous and doesn't have a CA, whereas my server qmgr (A) has a CA.
    In this case, does a self-signed cert of the client in the kdb alone suffice on the client side, along with the root?


    ------------------------------
    Vignesh
    ------------------------------



  • 6.  RE: MQ TLS verification tool

    IBM Champion
    Posted Wed July 28, 2021 11:59 PM

    If the client is intended to be anonymous, then the SVRCONN that it is connecting to must be defined to use SSLCAUTH(OPTIONAL).

    If the SVRCONN that the client is connecting to is mandated to use SSLCAUTH(REQUIRED) then your client cannot be anonymous and you will need a certificate identifying the client, the CA of which will need to be in the queue manager KDB.

    Cheers,
    Morag



    ------------------------------
    Morag Hughson
    MQ Technical Education Specialist
    MQGem Software Limited
    Website: https://www.mqgem.com
    ------------------------------



  • 7.  RE: MQ TLS verification tool

    Posted Wed July 28, 2021 11:03 AM
    Hi Vignesh,

    Getting "AMQ9637E: During handshake, the remote partner sent no certificate." means, as Morag says, that the SVRCONN has SSLCAUTH(REQUIRED).

    Your key database must contain a personal certificate that the client must send to the queue manager. That certificate must have a label with the format "ibmwebspheremq<userid>". This is what I see when I list my key database certificates:

    runmqakm -cert -list -db clientkey.kdb -stashed

    Certificates found

    * default, - personal, ! trusted, # secret key

    ! qm2cert

    - ibmwebspheremqemir



    ------------------------------
    Emir Garza
    ------------------------------



  • 8.  RE: MQ TLS verification tool

    Posted Mon July 26, 2021 09:13 PM
    You only need the root CA on the client side to trust the MQ queue manager certificate, since the MQ queue manager will send its personal certificate + the entire trust chain to the client in the TLS handshake.

    You may also find this blog post helpful that talks about how to use openssl s_client to validate queue manager certificates.

    https://community.ibm.com/community/user/integration/blogs/tim-zielke1/2020/04/24/using-openssl-s-client-with-ibm-mq

    ------------------------------
    Tim Zielke
    ------------------------------



  • 9.  RE: MQ TLS verification tool

    Posted Tue July 27, 2021 05:31 PM
    Edited by Vignesh Tue July 27, 2021 05:31 PM
    Hi Tim,
    Thank you for the note!
    openssl was useful to list the certs; however, I'm not able to see the validity section.

    Also, I tried adding the root CA cert alone to the client kdb. However, when I run my code, I'm getting MQRC_SSL_INITIALIZATION_ERROR, and in the qmgr (A) error log I see "AMQ9637E: During handshake, the remote partner sent no certificate."

    ------------------------------
    Vignesh
    ------------------------------

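
    The checks discussed in posts 7, 8 and 9 above, as an added example that is not part of the thread or of any IBM tooling: it pulls the queue manager's chain with openssl s_client the way the linked blog describes, prints the validity dates that openssl's plain listing leaves out, and scans a runmqakm -cert -list listing for the personal certificate a client must send. The host, port and user ID are assumptions; the listing text is constructed from post 7.

```shell
#!/bin/sh
# Added example (not from the thread). Needs openssl; awk/grep/mktemp are POSIX.
set -eu

# Fetch the certificate chain the queue manager presents in the TLS handshake.
# Assumed host/port; this is the only function that needs the network.
fetch_qmgr_chain() {  # usage: fetch_qmgr_chain qmhost 1414 > chain.pem
  openssl s_client -connect "$1:$2" -showcerts </dev/null 2>/dev/null \
    | sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p'
}

# Print subject, issuer and notBefore/notAfter for every cert in a PEM bundle.
# 'openssl x509' only reads the first cert in a file, so split the bundle first.
chain_report() {  # usage: chain_report chain.pem
  dir=$(mktemp -d)
  awk -v d="$dir" '/-----BEGIN CERTIFICATE-----/{n++}
                   n>0 {print > (d "/cert" n ".pem")}' "$1"
  for f in "$dir"/cert*.pem; do
    echo "== $f"
    openssl x509 -in "$f" -noout -subject -issuer -dates
  done
  rm -rf "$dir"
}

# Succeeds only if the cert is still valid N days from now (renewal check).
cert_ok_for_days() {  # usage: cert_ok_for_days cert.pem 30
  openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 ))
}

# Check a saved 'runmqakm -cert -list' listing for the personal certificate
# ('-' marker) an MQ client sends by default: label ibmwebspheremq<userid>,
# with the user ID in lower case.
has_client_personal_cert() {  # usage: has_client_personal_cert listing.txt userid
  uid=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
  grep -q "^[[:space:]]*-[[:space:]]*ibmwebspheremq${uid}[[:space:]]*\$" "$1"
}

# Constructed listing, copied from the shape shown in post 7.
SAMPLE_LISTING='Certificates found
* default, - personal, ! trusted, # secret key
! qm2cert
- ibmwebspheremqemir'

if [ $# -ge 2 ]; then  # ./check.sh qmhost 1414  -> report on the live chain
  fetch_qmgr_chain "$1" "$2" > chain.pem
  chain_report chain.pem
fi
```

    Run it as ./check.sh qmhost 1414 against a queue manager to see every certificate in the chain with its dates; with SSLCAUTH(REQUIRED) you still need the client personal cert, which has_client_personal_cert verifies from a saved listing.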


  • 10.  RE: MQ TLS verification tool

    IBM Champion
    Posted Wed July 28, 2021 04:11 AM
    I agree with Morag - it feels like you don't have the client's private certificate in the client's db, and it feels like you have client authentication required on your QM channel. So, the QM channel is trying to authenticate your client, but it has no certificate to send to the QM.

    ------------------------------
    John Hawkins
    Integration Consultant
    ------------------------------



  • 11.  RE: MQ TLS verification tool

    IBM Champion
    Posted Thu August 12, 2021 10:18 AM
    Use the sample program - amqssslc
    https://www.ibm.com/docs/en/ibm-mq/9.2?topic=program-running-tls-sample



    ------------------------------
    om prakash
    WI
    ------------------------------



  • 12.  RE: MQ TLS verification tool

    Posted Wed August 18, 2021 12:16 AM
    Thank you all for your inputs!!

    I was able to run the amqssslc program to validate the TLS connection to the qmgr.

    As you guys said, for an anonymous client we can only do one-way authentication, SSLCAUTH(OPTIONAL).

    For SSLCAUTH(REQUIRED), we had to pass the client personal cert to the qmgr kdb and the qmgr CA root cert to the client kdb.

    Thank you all!


    ------------------------------
    Vignesh
    ------------------------------



  • 13.  RE: MQ TLS verification tool

    IBM Champion
    Posted Wed August 18, 2021 12:35 AM

    I'm glad to hear that you got it working.

    I just wanted to add that using a self-signed certificate to identify the client and then copying that client personal cert to the queue manager KDB is a practice that is not going to scale well. You'll have a lot of copying of certificates around to do if you have a lot of clients. If each client had a certificate signed by the same CA, then only that CA certificate would be needed in the queue manager KDB and you wouldn't have to import more certificates when you add more clients.

    Just something to think about.

    Cheers,
    Morag



    ------------------------------
    Morag Hughson
    MQ Technical Education Specialist
    MQGem Software Limited
    Website: https://www.mqgem.com
    ------------------------------