  • 1.  Connecting to IBM MQ SSL without .kdb file when using .Net

    Posted Mon February 26, 2024 12:17 PM
    Edited by Frank Martin Tue February 27, 2024 06:04 AM

    I am using MQ client 9.1 and am able to successfully connect via SSL from my .Net application when I use a keystore.kdb file.

    My question is, can I still connect from a .Net application if I don't use a keystore.kdb file and instead just import the SSL certificate into the Windows machine?

    I tried but can't find any syntax or way to do it, so I'm just curious if it is even possible?

    EDIT

    Here is the relevant part of my code.

    MQEnvironment.SSLKeyRepository = "*SYSTEM";
    QProperties["CertificateLabel"] = "MyCert";
    QProperties[MQC.SSL_CERT_STORE_PROPERTY] = "*SYSTEM";

    If I use amqmdnet.dll and run the code, I get the error MQRC_KEY_REPOSITORY_ERROR.

    If I use amqmdnetstd.dll and run the code, I get the error MQRC_HOST_NOT_AVAILABLE.

    EDIT

    After I enabled trace, I am getting the following error in the logs. TLS 1.2 is enabled on this machine. No idea what is causing the error below.

    the client and server cannot communicate because they do not possess a common algorithm

    EDIT

    SSL 2.0, SSL 3.0, TLS 1.0 and TLS 1.1 are disabled.

    Only TLS 1.2 is enabled.


    EDIT

    I used the SslTcpClient example given below and it was throwing the exact same error as mentioned above. Then I modified just one line of code and now I am able to connect. The trick was to define SSL protocol version 1.2. But how can I do the same in MQ?

    Example

    SslStream Class (System.Net.Security) | Microsoft Learn

    Original code, which throws the error

    sslStream.AuthenticateAsClient(serverName);

    Modified code, which worked

    sslStream.AuthenticateAsClient(serverName, null, SslProtocols.Tls12, true);


    ------------------------------
    Frank Martin
    ------------------------------



  • 2.  RE: Connecting to IBM MQ SSL without .kdb file when using .Net

    Posted Mon February 26, 2024 04:12 PM

    Yes, it is possible. You should use the managed .NET client. In this case Windows (Microsoft) code is responsible for the SSL operation and it accesses the Windows key store.



    ------------------------------
    Yulia Vaisman
    ------------------------------
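
An added example, not part of the thread and not IBM code: a C# preflight check on the Windows certificate store that the managed client reads, as the reply above describes. It assumes `*SYSTEM` and `*USER` correspond to the LocalMachine and CurrentUser personal (`My`) stores and that the certificate label is compared with the certificate's friendly name; the class name `MqCertPreflight` is hypothetical and `MyCert` is the label from the original post.

```csharp
using System;
using System.Security.Cryptography.X509Certificates;

// Added diagnostic, not IBM MQ code. Assumptions: "*SYSTEM" = LocalMachine\My,
// "*USER" = CurrentUser\My, and the MQ certificate label is matched against
// the certificate's friendly name.
static class MqCertPreflight
{
    // Returns how many certificates with the given friendly name are usable
    // as a client certificate: in date and with an accessible private key.
    static int Check(string mqStore, StoreLocation location, string label)
    {
        int usable = 0;
        using (var store = new X509Store(StoreName.My, location))
        {
            store.Open(OpenFlags.ReadOnly | OpenFlags.OpenExistingOnly);
            foreach (X509Certificate2 cert in store.Certificates)
            {
                // Case-insensitive here; the exact name is printed so a
                // case mismatch with the label is still visible.
                if (!string.Equals(cert.FriendlyName, label,
                                   StringComparison.OrdinalIgnoreCase))
                    continue;

                DateTime now = DateTime.Now;
                bool inDate = now >= cert.NotBefore && now <= cert.NotAfter;
                Console.WriteLine($"{mqStore}: '{cert.FriendlyName}' {cert.Subject}");
                Console.WriteLine($"  private key: {cert.HasPrivateKey}, " +
                                  $"valid until {cert.NotAfter:u}, in date: {inDate}");
                if (cert.HasPrivateKey && inDate) usable++;
            }
        }
        if (usable == 0)
            Console.WriteLine($"{mqStore}: no usable certificate labelled '{label}'");
        return usable;
    }

    static int Main(string[] args)
    {
        string label = args.Length > 0 ? args[0] : "MyCert"; // label from the post
        int total = Check("*SYSTEM", StoreLocation.LocalMachine, label)
                  + Check("*USER", StoreLocation.CurrentUser, label);
        return total > 0 ? 0 : 1; // non-zero exit when nothing usable was found
    }
}
```

Run it under the same Windows account as the MQ application, since `HasPrivateKey` only shows that a key is associated with the certificate; the account still needs read permission on that key.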



  • 3.  RE: Connecting to IBM MQ SSL without .kdb file when using .Net

    Posted Mon February 26, 2024 08:13 PM

    Thanks for the quick reply. Can you give me some example of managed .Net code or point me to some article?



    ------------------------------
    Frank Martin
    ------------------------------



  • 4.  RE: Connecting to IBM MQ SSL without .kdb file when using .Net

    Posted Mon February 26, 2024 11:33 PM

    The links below could be a good starting point:
    https://www.ibm.com/docs/en/ibm-mq/9.3?topic=client-configuring-tls-managed-mq-net
    https://www.ibm.com/docs/en/ibm-mq/9.3?topic=net-tls-support-managed-client

    There are MQ .NET samples (&MQ_INSTALL_PATH&\tools\dotnet\samples\cs\base) shipped with the product; you could refer to either SimplePut or SimpleGet in that folder.



    ------------------------------
    Ram Subba Rao Chalamalasetti
    ------------------------------



  • 5.  RE: Connecting to IBM MQ SSL without .kdb file when using .Net

    Posted Tue February 27, 2024 12:06 AM

    Updated my original post to include code.



    ------------------------------
    Frank Martin
    ------------------------------