Original Message:
Sent: Thu May 11, 2023 05:35 AM
From: Sebastian Wilk
Subject: Managed .net Client does not send SSL certificate
The label is set to the user that is running the simpleput sample, but I somehow get the feeling that you are talking about another location/parameter where the friendly name/label has to be set?
------------------------------
Sebastian Wilk
Original Message:
Sent: Thu May 11, 2023 03:41 AM
From: Francois Brandelik
Subject: Managed .net Client does not send SSL certificate
The cert label name ibmwebspheremq<user id> ... is mandatory.
The user id here is the user who executes MQ connection module (may be service account of application).
------------------------------
Francois Brandelik
Original Message:
Sent: Wed May 10, 2023 06:43 AM
From: Bhushan Raut
Subject: Managed .net Client does not send SSL certificate
Hi Sebastian,
I did this 2 years ago, and these are a few lines from my notes - hope that helps ...
- add the certificate via MMC; the certificate must include its private key, so the file type should be PFX/P12
- allow the required users to access the private key of the certificate that is added to the My user account or Local Computer store, using the Manage Private Keys option
- set the friendly name to -> ibmwebspheremq<user id> ... the user id here is the user who executes the MQ connection module (may be the service account of the application)
- if you choose the certificate store location "My user account" then you need to make use of the *USER keystore ... but if you import the certificate into "Computer account" then make use of the *SYSTEM keystore
Additionally, you can try this to validate your certificate setup: WinHttpCertCfg.exe, the Certificate Configuration Tool (Win32 apps | Microsoft Learn)
------------------------------
Bhushan Raut
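The four steps above, scripted as an added PowerShell example (this is not code from the original post or from IBM). It imports a PFX into the chosen store, sets the friendly name to ibmwebspheremq plus the lowercased user id that will run the MQ client, grants that account read access to the private key when the Computer (LocalMachine) store is used, and lists what the MQ client will find. The PFX path, password, service-account name and store location are hypothetical values; the private-key file locations are the standard Windows key-container directories and the lookup is a fallback for the "Manage Private Keys" GUI step.

```powershell
# Added example, not from the original post. Run in an elevated Windows PowerShell
# on the client machine; Import-PfxCertificate comes from the built-in PKI module.
# All parameter defaults are hypothetical placeholders.
param(
    [string]$PfxPath        = 'C:\certs\mqclient.pfx',   # hypothetical
    [string]$PfxPassword    = 'changeit',                  # hypothetical
    [string]$ServiceAccount = 'DOMAIN\svc-mqapp',          # hypothetical: account running the MQ client
    # 'CurrentUser' pairs with -k *USER, 'LocalMachine' with -k *SYSTEM
    [ValidateSet('CurrentUser', 'LocalMachine')]
    [string]$StoreLocation  = 'LocalMachine'
)

function Get-PrivateKeyFilePath {
    # Resolve the on-disk key container of a machine-store certificate so its ACL
    # can be edited. CNG keys live under ...\Crypto\Keys, legacy CAPI (CSP) keys
    # under ...\Crypto\RSA\MachineKeys.
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($Cert)
    if ($rsa -is [System.Security.Cryptography.RSACng]) {
        $name = $rsa.Key.UniqueName
        $candidates = @("$env:ProgramData\Microsoft\Crypto\Keys\$name",
                        "$env:ProgramData\Microsoft\Crypto\RSA\MachineKeys\$name")
    } else {
        $name = $rsa.CspKeyContainerInfo.UniqueKeyContainerName
        $candidates = @("$env:ProgramData\Microsoft\Crypto\RSA\MachineKeys\$name")
    }
    foreach ($p in $candidates) { if (Test-Path -Path $p) { return $p } }
    throw "Private key file for $($Cert.Thumbprint) not found; use certlm.msc > All Tasks > Manage Private Keys instead."
}

$storePath = "Cert:\$StoreLocation\My"
$securePwd = ConvertTo-SecureString -String $PfxPassword -AsPlainText -Force

# 1. Import the PFX (certificate + private key) into the personal store.
$cert = Import-PfxCertificate -FilePath $PfxPath -CertStoreLocation $storePath -Password $securePwd
if (-not $cert.HasPrivateKey) {
    throw "Certificate $($cert.Thumbprint) has no private key; re-export it as PFX/P12 including the key."
}

# 2. Friendly name = ibmwebspheremq + the user id that runs the MQ connection code,
#    lowercased (IBM MQ's default certificate label). For a service account that is
#    the account's own name, not the administrator doing the import.
$userId = ($ServiceAccount -split '\\')[-1].ToLower()
$cert.FriendlyName = "ibmwebspheremq$userId"   # setting the property persists it in the store

# 3. LocalMachine store only: give the service account Read on the key file
#    (the scripted equivalent of "Manage Private Keys"). The CurrentUser store is
#    already private to the account that did the import.
if ($StoreLocation -eq 'LocalMachine') {
    $keyFile = Get-PrivateKeyFilePath -Cert $cert
    $acl  = Get-Acl -Path $keyFile
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($ServiceAccount, 'Read', 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -Path $keyFile -AclObject $acl
}

# 4. Show what the MQ client will see: a cert in the chosen store whose friendly
#    name carries the ibmwebspheremq<userid> label and that has a private key.
Get-ChildItem -Path $storePath |
    Where-Object { $_.FriendlyName -like 'ibmwebspheremq*' } |
    Select-Object FriendlyName, HasPrivateKey, Subject, NotAfter, Thumbprint |
    Format-Table -AutoSize
```

For the *USER keystore, run the script as the account that will execute the client (the CurrentUser store is per account), and pass -k *USER to the sample; for the Computer store pass -k *SYSTEM. The label and the store location must both match, otherwise the client finds no certificate to present.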
Original Message:
Sent: Wed May 10, 2023 03:14 AM
From: Sebastian Wilk
Subject: Managed .net Client does not send SSL certificate
Hey MQ people,
we are currently struggling to get a managed .NET client to open a secured connection to a queue manager via SSL. We tested the connection without SSL and it works fine, but the configuration of SSL is 'weird' to say the least.
We stumbled upon a couple of blog posts and the instructions found here; following those, we managed to iron out the cipher-differ error but now face the issue that the client is not sending a certificate, despite the trace showing that the keystore is accessed. The QMGR log reveals the aforementioned error shown here:
I am unsure what other things we may have missed or forgotten, according to the instructions, IBM doc and a few forum posts we set everything the way it is supposed to be, but our client is still not sending the certificate when connecting to the QMGR.
Our test setup is as follows:
The IBMMQDotnetClient 9.3.2.0 is running on a Windows 10 machine; we are calling the simpleput sample, providing the arguments on the command line:
-q QNAME -m QMGR -k *USER -s TLS_RSA_WITH_AES_128_CBC_SHA256 -h QMGR.domain -p 4711 -l TLS_TUSR_AMS_1
The target QMGR runs on z/OS with MQ version 9.2
We added the user cert to the Windows keystore.
Is there any other way to further debug/analyze things? The trace shows that SSL is working, the sample ends with a 2059, and the queue manager clearly tells us that the cert is missing.
KeyStore is *USER
CertificateLabel set from sslConfigOptions = HUK_MQ_TUSR_AP954
KeyResetCount is 0
CertificationCheck = False
Hostname is :QMGR.domain
CipherSpec value is TLS_RSA_WITH_AES_128_CBC_SHA256
SSLPEERNAME value is
----------} MQEncryptedSocket.RetrieveAndValidateSSLParams(MQConnectOptions) rc=OK
----------{ MQEncryptedSocket.MakeSecuredConnection()
Created an instance of SSLStreams
Setting current certificate store as 'User'
Windows/Mac so use My Store & CurrentStore
Created store object to access certificates
Opened store
Accessing certificate - HUK_MQ_TUSR_AP954
TLS12 supported - True
TLS13 supported - True
Cipherspec protocol version:TLS 1.2
Setting SslProtol as Tls12
Starting SSL Authentication
Server name is set to tls5f-tusr5f-ams5f-1.chl.mq.ibm.com
-----------{ MQEncryptedSocket.FixClientCertificate(Object,String,X509CertificateCollection,X509Certificate,String[])
Client callback has been invoked to find client certificate
-----------} MQEncryptedSocket.FixClientCertificate(Object,String,X509CertificateCollection,X509Certificate,String[]) rc=OK
-----------{ MQEncryptedSocket.FixClientCertificate(Object,String,X509CertificateCollection,X509Certificate,String[])
Client callback has been invoked to find client certificate
-----------} MQEncryptedSocket.FixClientCertificate(Object,String,X509CertificateCollection,X509Certificate,String[]) rc=OK
-----------{ MQEncryptedSocket.ClientValidatingServerCertificate(Object,X509Certificate,X509Chain,SslPolicyErrors)
Client did not specify a SSLPEERNAME, hence SSLPeerNameMatching not done
-----------} MQEncryptedSocket.ClientValidatingServerCertificate(Object,X509Certificate,X509Chain,SslPolicyErrors) rc=OK
SSL Authentication completed
CompCode: 2, Reason: 2059
New MQException CompCode: 2 Reason: 2059
New NmqiException CompCode: 2 Reason: 2059
CompCode: 2, Reason: 2059
----} MQFAP.NmqiConnect(String,NmqiConnectOptions,MQConnectOptions,Hconn,Phconn,out int,out int,ManagedHconn) rc=OK
CompCode: 2, Reason: 2059
---} MQFAP.MQCONNX(String,MQConnectOptions,Phconn,out int,out int) rc=OK
IBM.WMQ.MQQueueManager#0392A42D throwing MQException: cc=2 rc=2059
New MQException CompCode: 2 Reason: 2059
--}! MQQueueManager.Connect() rc=(Unknown(2059))
Any help or pointers are much appreciated.
Cheers
Sebastian
------------------------------
Sebastian Wilk
------------------------------