MQ

  • 1.  Managed .net Client does not send SSL certificate

    Posted Wed May 10, 2023 03:14 AM

    Hey MQ people,
    We are currently struggling to get a managed .NET client to open a secured connection to a queue manager via SSL. We tested the connection without SSL and it works fine, but the configuration of SSL is 'weird', to say the least.

    We stumbled upon a couple of blog posts and the instructions found here; following those, we managed to iron out the cipher-differ error, but now face the issue that the client is not sending a certificate, despite the trace showing that the keystore is accessed. The QMGR log reveals the aforementioned error shown here:


    I am unsure what other things we may have missed or forgotten. According to the instructions, the IBM docs and a few forum posts, we set everything the way it is supposed to be, but our client is still not sending the certificate when connecting to the QMGR.

    Our test setup is as follows:

    The IBMMQDotnetClient 9.3.2.0 is running on a Windows 10 machine; we are calling the simpleput sample, providing the arguments on the command line:
    -q QNMAE -m QMGR -k *USER -s TLS_RSA_WITH_AES_128_CBC_SHA256 -h QMGR.domain -p 4711 -l TLS_TUSR_AMS_1
    The target QMGR runs on z/OS with MQ version 9.2.
    We added the user cert to the Windows keystore.

    Is there any other way to further debug/analyze things? The trace shows that SSL is working, the sample ends with a 2059, and the queue manager clearly tells us that the cert is missing.

    KeyStore is *USER
    CertificateLabel set from sslConfigOptions = HUK_MQ_TUSR_AP954
    KeyResetCount is 0
    CertificationCheck = False
    Hostname is :QMGR.domain
    CipherSpec value is TLS_RSA_WITH_AES_128_CBC_SHA256
    SSLPEERNAME value is 
    ----------}  MQEncryptedSocket.RetrieveAndValidateSSLParams(MQConnectOptions) rc=OK
    ----------{  MQEncryptedSocket.MakeSecuredConnection()
    Created an instance of SSLStreams
    Setting current certificate store as 'User'
    Windows/Mac so use My Store  & CurrentStore
    Created store object to access certificates
    Opened store
    Accessing certificate - HUK_MQ_TUSR_AP954
    TLS12 supported - True
    TLS13 supported - True
    Cipherspec protocol version:TLS 1.2
    Setting SslProtol as Tls12
    Starting SSL Authentication
    Server name is set to tls5f-tusr5f-ams5f-1.chl.mq.ibm.com
    -----------{  MQEncryptedSocket.FixClientCertificate(Object,String,X509CertificateCollection,X509Certificate,String[])
    Client callback has been invoked to find client certificate
    -----------}  MQEncryptedSocket.FixClientCertificate(Object,String,X509CertificateCollection,X509Certificate,String[]) rc=OK
    -----------{  MQEncryptedSocket.FixClientCertificate(Object,String,X509CertificateCollection,X509Certificate,String[])
    Client callback has been invoked to find client certificate
    -----------}  MQEncryptedSocket.FixClientCertificate(Object,String,X509CertificateCollection,X509Certificate,String[]) rc=OK
    -----------{  MQEncryptedSocket.ClientValidatingServerCertificate(Object,X509Certificate,X509Chain,SslPolicyErrors)
    Client did not specify a SSLPEERNAME, hence SSLPeerNameMatching not done
    -----------}  MQEncryptedSocket.ClientValidatingServerCertificate(Object,X509Certificate,X509Chain,SslPolicyErrors) rc=OK
    SSL Authentication completed
    

     

     CompCode: 2, Reason: 2059
     New MQException CompCode: 2 Reason: 2059
     New NmqiException CompCode: 2 Reason: 2059
     CompCode: 2, Reason: 2059
    ----}  MQFAP.NmqiConnect(String,NmqiConnectOptions,MQConnectOptions,Hconn,Phconn,out int,out int,ManagedHconn) rc=OK
     CompCode: 2, Reason: 2059
    ---}  MQFAP.MQCONNX(String,MQConnectOptions,Phconn,out int,out int) rc=OK
     IBM.WMQ.MQQueueManager#0392A42D throwing MQException: cc=2 rc=2059
     New MQException CompCode: 2 Reason: 2059
    --}! MQQueueManager.Connect() rc=(Unknown(2059))
    


    Any help or pointers are much appreciated.
    Cheers
    Sebastian



    ------------------------------
    Sebastian Wilk
    ------------------------------


  • 2.  RE: Managed .net Client does not send SSL certificate

    Posted Wed May 10, 2023 06:44 AM
    Edited by Bhushan Raut Wed May 10, 2023 06:49 AM

    Hi Sebastian, 
    I did this 2 years ago, and these are a few lines from my notes; hope that helps ...

    - Add the certificate via mmc; the certificate should have a private key, so the certificate type should be pfx/p12.
    - Allow the required users to access the private key of the certificate that is added to the "My user account" or "Local computer" store by using the "Manage private keys" option.
    - Set the friendly name to ibmwebspheremq<user id> ... the user id here is the user who executes the MQ connection module (may be the service account of the application).
    - If you choose the certificate store location "My user account", then you need to make use of the *USER keystore ... but if you upload the certificate to "Computer account", then make use of the *SYSTEM keystore.

    Additionally, you can try this to validate your certificate setup: WinHttpCertCfg.exe, a Certificate Configuration Tool (Win32 apps | Microsoft Learn).



    ------------------------------
    Bhushan Raut
    ------------------------------



  • 3.  RE: Managed .net Client does not send SSL certificate

    IBM Champion
    Posted Thu May 11, 2023 03:41 AM

    The cert label name ibmwebspheremq<user id> is mandatory.
    The user id here is the user who executes MQ connection module (may be service account of application).



    ------------------------------
    Francois Brandelik
    ------------------------------



  • 4.  RE: Managed .net Client does not send SSL certificate

    Posted Thu May 11, 2023 05:36 AM

    The label is set to the user that is running the simpleput sample, but I somehow get the feeling that you are talking about another location/parameter where the friendly name/label has to be set?



    ------------------------------
    Sebastian Wilk
    ------------------------------



  • 5.  RE: Managed .net Client does not send SSL certificate

    Posted Thu May 11, 2023 06:02 AM

    Follow this: https://www.entrust.com/knowledgebase/ssl/how-to-change-a-friendly-name-in-microsoft-management-console-mmc
    You need to right-click on the personal certificate -> Properties -> General -> Friendly name.

    Make sure you have added the root and intermediate certificates as appropriate (in the same store where you added the personal cert, i.e. user or local computer).



    ------------------------------
    Bhushan Raut
    ------------------------------
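
The checklist in posts 2 and 5 (pfx with private key, private-key access for the running user, friendly name ibmwebspheremq<user id>, root and intermediates in the same store location) can be verified from the Windows side before touching the MQ client. The script below is an added example written for this thread; it is not code from the original posts or from IBM. It assumes the ibmwebspheremq<user id> friendly-name convention stated in posts 2 and 3, that the user id is compared in lowercase, and that the certificate uses an RSA key; the script name, its parameters and the `-SetFriendlyNameOnThumbprint` switch are hypothetical conveniences, not MQ settings. `*USER` maps to `Cert:\CurrentUser\My` and `*SYSTEM` to `Cert:\LocalMachine\My`, matching the store the trace reports ("Windows/Mac so use My Store & CurrentStore").

```powershell
# Test-MqClientCert.ps1 (added example, not from the thread or IBM):
# checks that the Windows certificate store holds a client certificate the
# IBM MQ managed .NET client can present, following posts 2 and 5 above.
#   .\Test-MqClientCert.ps1                      # *USER store, label ibmwebspheremq<current user>
#   .\Test-MqClientCert.ps1 -Machine             # *SYSTEM store (LocalMachine\My)
#   .\Test-MqClientCert.ps1 -Label ibmwebspheremqsvcmq -SetFriendlyNameOnThumbprint <thumbprint>
param(
    # Friendly name the client will look for; assumption: ibmwebspheremq + lowercase user id.
    [string]$Label = ('ibmwebspheremq' + $env:USERNAME.ToLower()),
    # Check the Local Computer store (*SYSTEM) instead of the current user's store (*USER).
    [switch]$Machine,
    # Optional: thumbprint of a certificate whose friendly name should be set to $Label.
    [string]$SetFriendlyNameOnThumbprint
)

$storePath = if ($Machine) { 'Cert:\LocalMachine\My' } else { 'Cert:\CurrentUser\My' }

if ($SetFriendlyNameOnThumbprint) {
    # Same effect as MMC -> Properties -> General -> Friendly name; the cert provider persists it.
    $target = Get-Item (Join-Path $storePath $SetFriendlyNameOnThumbprint)
    $target.FriendlyName = $Label
    Write-Host "Set friendly name '$Label' on $($target.Subject)"
}

$cert = @(Get-ChildItem $storePath | Where-Object { $_.FriendlyName -eq $Label })
if ($cert.Count -eq 0) {
    Write-Warning "No certificate with friendly name '$Label' in $storePath."
    Write-Host 'Certificates present in that store:'
    Get-ChildItem $storePath | Format-Table Thumbprint, FriendlyName, Subject, HasPrivateKey -AutoSize
    exit 1
}
if ($cert.Count -gt 1) {
    Write-Warning "$($cert.Count) certificates carry '$Label'; the client may pick the wrong one."
}
$cert = $cert[0]
Write-Host "Found: $($cert.Subject) (thumbprint $($cert.Thumbprint), expires $($cert.NotAfter))"

# 1. Private key. HasPrivateKey only says a key is linked to the certificate; actually
#    opening it is what fails when the running user was not granted access via
#    'Manage private keys' (or when only a .cer without the key was imported).
if (-not $cert.HasPrivateKey) {
    Write-Warning 'Certificate has no private key; import the .pfx/.p12, not a .cer.'
} else {
    try {
        $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
        if ($rsa) { Write-Host "Private key is readable by $env:USERNAME ($($rsa.KeySize)-bit RSA)" }
        else      { Write-Warning 'Private key is not RSA; this script only checks RSA keys.' }
    } catch {
        Write-Warning "Private key exists but cannot be opened by ${env:USERNAME}: $($_.Exception.Message)"
    }
}

# 2. Extended key usage: if an EKU extension is present it must allow Client Authentication.
$eku = $cert.Extensions | Where-Object {
    $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
}
if ($eku -and -not ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq '1.3.6.1.5.5.7.3.2' })) {
    Write-Warning 'EKU extension is present but does not include Client Authentication (1.3.6.1.5.5.7.3.2).'
}

# 3. Chain: the issuing root and intermediates must be installed in this store location (post 5).
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'NoCheck'   # offline check; revocation is a separate concern
if ($chain.Build($cert)) {
    Write-Host "Chain builds: $(($chain.ChainElements | ForEach-Object { $_.Certificate.Subject }) -join ' <- ')"
} else {
    $reasons = ($chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() }) -join '; '
    Write-Warning "Chain does not build: $reasons"
}
```

Run it as the same Windows account that will execute the MQ client (for a service account, `runas /user:<account> powershell`), since both the private-key ACL check and the default label depend on who is running. A certificate that is found by label, whose key opens, and whose chain builds is one the managed client can present; if the queue manager still reports no certificate, the remaining suspects are the label the client is actually configured with and the store location (*USER versus *SYSTEM) matching where the certificate was imported.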