  • 1.  Connecting 2 queue managers with SSL: AMQ9645E: Certificate label not found for channel 'REMOTE'

    Posted 9 days ago
    Hi,

    So I'm creating 2 queue managers QM1 and QM2 with IBM MQ Operator.
    Both QMs use different certificate authorities. I want to connect via SSL using channel REMOTE, so I guess I will need to define the channel to use
    a specific CA for each queue manager, so I will use certlabels.

    - QM1 with Certificate authority qm1-ca.crt and qm1.crt and qm1.key
    - QM2 with Certificate authority qm2-ca.crt and qm2.crt and qm2.key

    MQ Operator Specs for QM1:
    pki:
      keys:
        - name: default
          secret:
            secretName: qm1-pki
            items:
              - qm1.key
              - qm1.crt
              - qm1-ca.crt
        - name: ibmwebsphermqqm2
          secret:
            secretName: qm2-pki
            items:
              - qm2.key
              - qm2.crt
              - qm2-ca.crt
      trust:
        - name: default
          secret:
            secretName: ca-bundle
            items:
              - ca-bundle.crt

    MQ Operator Specs for QM2:
    pki:
      keys:
        - name: default
          secret:
            secretName: qm2-pki
            items:
              - qm2.key
              - qm2.crt
              - qm2-ca.crt
        - name: ibmwebsphermqqm1
          secret:
            secretName: qm1-pki
            items:
              - qm1.key
              - qm1.crt
              - qm1-ca.crt
      trust:
        - name: default
          secret:
            secretName: ca-bundle
            items:
              - ca-bundle.crt

    Now, I'm trying to create an SSL connection between QM1 and QM2 using the channel REMOTE

    on QM1:
    DISPLAY CHANNEL(REMOTE)
    CHANNEL(REMOTE) CHLTYPE(SDR)
    CERTLABL(ibmwebspheremqremote) COMPHDR(NONE)
    COMPMSG(NONE) CONNAME(server-qm2(1414))
    SHORTTMR(60) SSLCIPH(ANY_TLS12_OR_HIGHER)
    XMITQ(TESTQM)
    Status:
    The channel is in status Initializing, but I can see in MQ Explorer that it is picking up the certificate from CERTLABL:
    SERIALNUMBER=00:C3:F2:14:3E:32:FC:98:72,CN=test qm1
    CN=qm1 test self signed CA

    on QM2 (receiver)
    DISPLAY CHANNEL(REMOTE)
    CHANNEL(REMOTE) CHLTYPE(RCVR)
    BATCHSZ(50) CERTLABL(ibmwebspheremqremote)
    SSLCAUTH(REQUIRED) SSLCIPH(ANY_TLS12_OR_HIGHER)
    In this case I see logs in the queue manager:
    Certificate label 'ibmwebspheremqremote' not found for channel 'REMOTE'. [CommentInsert1(REMOTE), CommentInsert2(ibmwebspheremqmqtest)]
    2025-02-16T20:41:31.401Z AMQ9645E: Certificate label 'ibmwebspheremqremote not found for channel 'REMOTE'. [CommentInsert1(REMOTE), CommentInsert2(ibmwebspheremqremote]
    2025-02-16T20:41:31.401Z AMQ9999E: Channel 'REMOTE' to host '100.64.0.5' ended abnormally. [CommentInsert1(REMOTE), CommentInsert2(1059), CommentInsert3(100.64.0.5)]

    If I connect to the MQ pod I can see:

    sh-5.1$ runmqakm -cert -list -db key.kdb -stashed
    Certificates found
    * default, - personal, ! trusted, # secret key
    ! "CN=qm1 test self signed CA"
    ! "CN=qm2 test self signed CA"
    ! "CN=CA Root"
    - default
    The queue manager is using default as a CERT Label.

    So I'm a bit confused. Why don't I see the certlabel ibmmqwebsphereremote created?
    I have been reading docs, and it seems a bit tricky to find the correct name for the label. Is the naming incorrect?

    I have tried to use ibmmqwebsphermq(username) and set MCAUSER in the channel, but I got the same issue.
    I have tried using the
    I will appreciate some guidance.
    Thanks


    ------------------------------
    Andres Colodrero
    ------------------------------


  • 2.  RE: Connecting 2 queue managers with SSL: AMQ9645E: Certificate label not found for channel 'REMOTE'

    Posted 9 days ago

    Hi Andres,

    When you make a channel definition which refers to a certificate label as you have done:-

    DISPLAY CHANNEL(REMOTE)
    CHANNEL(REMOTE) CHLTYPE(SDR)
    CERTLABL(ibmwebspheremqremote) COMPHDR(NONE)
    COMPMSG(NONE) CONNAME(server-qm2(1414))
    SHORTTMR(60) SSLCIPH(ANY_TLS12_OR_HIGHER)
    XMITQ(TESTQM)

    The certificate you refer to needs to exist in the key database file that the queue manager is using. You have shown us the contents of your key database file is thus:-

    runmqakm -cert -list -db key.kdb -stashed
    Certificates found
    * default, - personal, ! trusted, # secret key
    ! "CN=qm1 test self signed CA"
    ! "CN=qm2 test self signed CA"
    ! "CN=CA Root"
    - default

    which does not appear to contain a certificate with a label of "ibmmqwebsphereremote" so that is why you are getting the error message saying:-

    AMQ9645E: Certificate label 'ibmwebspheremqremote not found for channel 'REMOTE'.

    You say "why i dont see the certlabel ibmmqwebsphereremote created?"

    Are you expecting the queue manager to create this label for you? It will not - you must create it and put it in the key database file for the queue manager to find.

    You say "it seems a bit tricky to find the correct name for the label".

    Since you are using the CERTLABL attribute on the channel (and the same goes for the queue manager wide certificate) you can label your certificate any way you want. There is no longer any need to follow the historic "ibmwebspheremq<qmgr-name>" style of label. Just make the label whatever you want and fill in that string in the CERTLABL attribute on the channel and/or queue manager.

    It wasn't completely clear from your question why you were using the channel specific labels if you only need to connect QM1 to QM2 - it would be simpler if you could leave the channel CERTLABL attributes blank and have the channels make use of the queue manager wide certificate - which is specified in the queue manager object CERTLABL attribute.

    P.S. If you do choose to continue with the historic pattern of label as you seem to have for the queue manager labels in your setup, please note that it is ibmwebspheremqqm1 and not ibmwebsphermqqm1 as you have - you're missing a letter 'e'.

    Cheers,
    Morag



    ------------------------------
    Morag Hughson
    MQ Technical Education Specialist
    MQGem Software Limited
    Website: https://www.mqgem.com
    ------------------------------



  • 3.  RE: Connecting 2 queue managers with SSL: AMQ9645E: Certificate label not found for channel 'REMOTE'

    Posted 9 days ago

    Hi Morag,

    My first problem is trying to create a cert label that the CHANNEL is not finding.

    Here is the doc I'm following https://community.ibm.com/community/user/integration/discussion/connecting-2-queue-managers-with-ssl-amq9645e-certificate-label-not-found-for-channel-remote#bmd5c85d66-e1f0-4b9a-96f2-019513b00e4c

    So I create the QM with the code I posted before:

    pki:
    keys:
    - name: default
           ....
      -  name: ib,websphermqqm1
    Is it a fault of the operator that it doesn't create the cert label? I can see the folders imported in
    sh-5.1$ pwd
    /etc/mqm/pki/keys
    sh-5.1$ ls
    default  ibmwebspheremqqm1

    you mentioned "It wasn't completely clear from your question why you were using the channel specific labels if you only need to connect QM1 to QM2 - it would be simpler if you could leave the channel CERTLABL attributes blank and have the channels make use of the queue manager wide certificate - which is specified in the queue manager object CERTLABL attribute."
    Both queue managers have a different CA, so maybe the solution is to use the queue manager cert and import all CAs into "trust"?


    ------------------------------
    Andres Colodrero
    ------------------------------



  • 4.  RE: Connecting 2 queue managers with SSL: AMQ9645E: Certificate label not found for channel 'REMOTE'

    Posted 9 days ago

    The link you provided for the doc you are following is a link to this thread - could you check and post the correct URL?

    You appear to be telling me that you have asked for a certificate label to be created called "default"? And indeed I did see that label was in your key database file. So it seems that it has correctly made the certificate label that you requested. 

    Both queue managers using a different CA is not a reason to use channel CERTLABLs. Just exchange the CA certificates so that the key database file for each queue manager contains the CA that signed the other queue manager's certificate and blank out the channel definition CERTLABL attributes.

    Cheers,
    Morag



    ------------------------------
    Morag Hughson
    MQ Technical Education Specialist
    MQGem Software Limited
    Website: https://www.mqgem.com
    ------------------------------



  • 5.  RE: Connecting 2 queue managers with SSL: AMQ9645E: Certificate label not found for channel 'REMOTE'

    Posted 9 days ago

    This is the link: https://www.ibm.com/docs/en/ibm-mq/9.2?topic=manager-example-configuring-tls

    Yes, I create 2 cert labels "default" for the queue managers. Then I'm trying to create a cert label for the channels.

    Why am I doing this? Probably because after doing some research I thought it was the correct way :).

    I didn't know how the channel would pick up the certificate, so I decided to create the certificate label with a single key/crt.

    So now, I imported all the necessary CA authorities into "trust", in QM1:

    pki:
        keys:
          - name: default
            secret:
              items:
                - qm1.key
                - qm1.crt
                - qm1-ca-bundle.crt
              secretName: test-qm1
        trust:
          - name: default
            secret:
              items:
                - user-ca-bundle.crt
                - qm1-ca-bundle.crt
                - qm2-ca-bundle.crt
              secretName: test-mq-ca

    And similar for the second queue.

    It seems to work now!

    in RCVR qm2             
    DIS CHSTATUS(REMOTE) ALL
         2 : DIS CHSTATUS(REMOTE) ALL
       CHANNEL(REMOTE)                         CHLTYPE(RCVR)
       SSLCERTI(CN=qm1 test self signed CA)
       SSLCIPH(TLS_CHACHA20_POLY1305_SHA256)   SSLKEYDA( )
       SSLKEYTI( )                          
       SSLPEER(SERIALNUMBER=00:94:EA:A8:B6:B5:22:C1:FD,CN=rb test qm)
       SSLRKEYS(0)                             STATUS(RUNNING)

    and SDR from qm1

         2 : dis chstatus(REMOTE) all
    AMQ8417I: Display Channel Status details.
       CHANNEL(REMOTE)                         CHLTYPE(SDR)
       CONNAME(10.20.67.6(1414))               
       RQMNAME(QM2)                  SHORTRTS(10)
       SECPROT(TLSV13)                      
       SSLCERTI(CN=qm1  test self signed CA)
       SSLCIPH(TLS_CHACHA20_POLY1305_SHA256)   SSLKEYDA( )
       SSLKEYTI( )                          
       SSLPEER(SERIALNUMBER=00:C3:F2:14:3E:32:FC:98:72,CN=qm2 test qm)
       SSLRKEYS(0)                             STATUS(RUNNING)
       STOPREQ(NO)                             SUBSTATE(MQGET)
       XBATCHSZ(0,0)                           XMITQ(TESTQMARION)
       XQTIME(0,0)                             RVERSION(09040101)
       RPRODUCT(MQMM) 

    Thanks for your time!



    ------------------------------
    Andres Colodrero
    ------------------------------



  • 6.  RE: Connecting 2 queue managers with SSL: AMQ9645E: Certificate label not found for channel 'REMOTE'

    Posted 9 days ago

    So the instructions you are following are for connecting a client application to a queue manager.

    You wanted to connect two queue managers together. So I guess that didn't help because the instructions didn't really cover what you wanted to do.

    In order for QM1 to be able to validate a connection from QM2, it must have access to the CA certificate that signed QM2's certificate - you achieved that by putting the qm2-ca-bundle.crt into QM1's key.kdb. (And vice versa).

    The channel picks up the certificate referred to in the QMGR object attribute CERTLABL - see it with DISPLAY QMGR CERTLABL - assuming that the CERTLABL attribute on the channel is blank.

    Glad you got it working.

    Cheers,
    Morag



    ------------------------------
    Morag Hughson
    MQ Technical Education Specialist
    MQGem Software Limited
    Website: https://www.mqgem.com
    ------------------------------
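The two points Morag makes in replies 2 and 6 (a channel's CERTLABL must name a personal certificate that actually exists in the queue manager's key.kdb, and a blank channel CERTLABL falls back to the queue manager's own CERTLABL) can be checked offline from two pieces of output an administrator already has: the `runmqakm -cert -list` listing and MQSC `DISPLAY QMGR CERTLABL` / `DISPLAY CHANNEL(*) CERTLABL` output. The script below is an added example and is not IBM's or MQGem's tooling; the listing and MQSC text are constructed from what was posted in this thread, the channel `TO.QM1` and the CONNAME `server-qm1(1414)` are hypothetical, and the parsers are heuristics for the shapes of output shown here.

```python
"""Audit channel CERTLABL references against a queue manager's key database.

Added example (not from the thread or from IBM). It reproduces the AMQ9645E
root cause from the thread: channel REMOTE names a label that is not in
key.kdb, while a channel with a blank CERTLABL resolves to the queue-manager
wide label "default", which is present as a personal certificate.
"""
import re

# Constructed sample: output of `runmqakm -cert -list -db key.kdb -stashed`
# as posted for QM2 in the thread (tab-separated marker and label).
RUNMQAKM_LISTING = """\
Certificates found
* default, - personal, ! trusted, # secret key
!\t"CN=qm1 test self signed CA"
!\t"CN=qm2 test self signed CA"
!\t"CN=CA Root"
-\tdefault
"""

# Constructed sample: DISPLAY QMGR CERTLABL followed by DISPLAY CHANNEL(*)
# output. REMOTE is the receiver from the thread; TO.QM1 is hypothetical
# and has a blank CERTLABL so it falls back to the queue manager label.
MQSC_OUTPUT = """\
AMQ8408I: Display Queue Manager details.
   QMNAME(QM2)                             CERTLABL(default)
AMQ8414I: Display Channel details.
   CHANNEL(REMOTE)                         CHLTYPE(RCVR)
   CERTLABL(ibmwebspheremqremote)          SSLCIPH(ANY_TLS12_OR_HIGHER)
AMQ8414I: Display Channel details.
   CHANNEL(TO.QM1)                         CHLTYPE(SDR)
   CERTLABL( )                             CONNAME(server-qm1(1414))
"""

# ATTR(value) pairs; allows one level of nested parentheses, e.g. CONNAME(host(1414)).
ATTR_RE = re.compile(r"\b([A-Z]+)\(((?:[^()]|\([^()]*\))*)\)")


def parse_key_db_listing(text):
    """Return {label: marker string} from a runmqakm -cert -list listing.

    Markers are the leading characters of each line: '-' personal, '!' trusted,
    '*' default, '#' secret key. Quotes around labels are stripped.
    """
    labels = {}
    for line in text.splitlines():
        m = re.match(r"^([*\-!#]+)\s+(.*)$", line)
        if not m:
            continue
        markers, label = m.groups()
        if label.startswith("default,"):  # the legend line, not a certificate
            continue
        labels[label.strip().strip('"')] = markers
    return labels


def parse_mqsc(text):
    """Split MQSC DISPLAY output into a queue-manager dict and a list of channel dicts."""
    qmgr, channels, current = {}, [], None
    for key, value in ATTR_RE.findall(text):
        value = value.strip()  # CERTLABL( ) becomes ''
        if key == "QMNAME":
            current = qmgr
        elif key == "CHANNEL":
            current = {}
            channels.append(current)
        if current is not None:
            current[key] = value
    return qmgr, channels


def check_certlabels(listing_text, mqsc_text):
    """Return {channel: (effective label, status)}.

    status is 'ok' when the label is a personal certificate in the key
    database, 'missing' when no such label exists (what AMQ9645E reports),
    and 'not-personal' when the label exists but is only a trusted CA cert.
    """
    labels = parse_key_db_listing(listing_text)
    qmgr, channels = parse_mqsc(mqsc_text)
    report = {}
    for ch in channels:
        # Blank channel CERTLABL means the queue manager's CERTLABL is used.
        label = ch.get("CERTLABL", "") or qmgr.get("CERTLABL", "")
        if label not in labels:
            status = "missing"
        elif "-" not in labels[label]:
            status = "not-personal"
        else:
            status = "ok"
        report[ch["CHANNEL"]] = (label, status)
    return report


if __name__ == "__main__":
    for channel, (label, status) in check_certlabels(RUNMQAKM_LISTING, MQSC_OUTPUT).items():
        print(f"{channel:10} CERTLABL={label or '(blank)':25} {status}")
```

Run against real output, the script flags `REMOTE` as `missing` (the thread's failure) and `TO.QM1` as `ok` because its blank label resolves to `default`, which key.kdb lists with the personal marker `-`. The `not-personal` case catches the related mistake of pointing CERTLABL at a CA certificate that was only imported into the trust list.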