MQ

  • 1.  Managed .net Client does not send SSL certificate

    Posted Wed May 10, 2023 03:14 AM

    Hey MQ people,
    we are currently struggling to get a managed .NET client to open a secured connection to a queue manager via SSL. We tested the connection without SSL and it works fine, but the configuration of SSL is 'weird' to say the least.

    We stumbled upon a couple of blog posts and the instructions found here; following those, we managed to iron out the cipher-differ error, but now face the issue that the client is not sending a certificate, despite the trace showing that the keystore is accessed. The QMGR log reveals the aforementioned error shown here:


    I am unsure what other things we may have missed or forgotten; according to the instructions, IBM docs and a few forum posts we set everything the way it is supposed to be, but our client is still not sending the certificate when connecting to the QMGR.

    Our test setup is as follows:

    The IBMMQDotnetClient 9.3.2.0 is running on a Windows 10 machine; we are calling the simpleput sample, providing the arguments on the command line:
    -q QNMAE -m QMGR -k *USER -s TLS_RSA_WITH_AES_128_CBC_SHA256 -h QMGR.domain -p 4711 -l TLS_TUSR_AMS_1
    The target QMGR runs on z/OS with MQ version 9.2.
    We added the user cert to the Windows keystore.

    Is there any other way to further debug/analyze things? The trace shows that SSL is working, the sample ends with a 2059, and the queue manager clearly tells us that the cert is missing.

    KeyStore is *USER
    CertificateLabel set from sslConfigOptions = HUK_MQ_TUSR_AP954
    KeyResetCount is 0
    CertificationCheck = False
    Hostname is :QMGR.domain
    CipherSpec value is TLS_RSA_WITH_AES_128_CBC_SHA256
    SSLPEERNAME value is 
    ----------}  MQEncryptedSocket.RetrieveAndValidateSSLParams(MQConnectOptions) rc=OK
    ----------{  MQEncryptedSocket.MakeSecuredConnection()
    Created an instance of SSLStreams
    Setting current certificate store as 'User'
    Windows/Mac so use My Store  & CurrentStore
    Created store object to access certificates
    Opened store
    Accessing certificate - HUK_MQ_TUSR_AP954
    TLS12 supported - True
    TLS13 supported - True
    Cipherspec protocol version:TLS 1.2
    Setting SslProtol as Tls12
    Starting SSL Authentication
    Server name is set to tls5f-tusr5f-ams5f-1.chl.mq.ibm.com
    -----------{  MQEncryptedSocket.FixClientCertificate(Object,String,X509CertificateCollection,X509Certificate,String[])
    Client callback has been invoked to find client certificate
    -----------}  MQEncryptedSocket.FixClientCertificate(Object,String,X509CertificateCollection,X509Certificate,String[]) rc=OK
    -----------{  MQEncryptedSocket.FixClientCertificate(Object,String,X509CertificateCollection,X509Certificate,String[])
    Client callback has been invoked to find client certificate
    -----------}  MQEncryptedSocket.FixClientCertificate(Object,String,X509CertificateCollection,X509Certificate,String[]) rc=OK
    -----------{  MQEncryptedSocket.ClientValidatingServerCertificate(Object,X509Certificate,X509Chain,SslPolicyErrors)
    Client did not specify a SSLPEERNAME, hence SSLPeerNameMatching not done
    -----------}  MQEncryptedSocket.ClientValidatingServerCertificate(Object,X509Certificate,X509Chain,SslPolicyErrors) rc=OK
    SSL Authentication completed
     CompCode: 2, Reason: 2059
     New MQException CompCode: 2 Reason: 2059
     New NmqiException CompCode: 2 Reason: 2059
     CompCode: 2, Reason: 2059
    ----}  MQFAP.NmqiConnect(String,NmqiConnectOptions,MQConnectOptions,Hconn,Phconn,out int,out int,ManagedHconn) rc=OK
     CompCode: 2, Reason: 2059
    ---}  MQFAP.MQCONNX(String,MQConnectOptions,Phconn,out int,out int) rc=OK
     IBM.WMQ.MQQueueManager#0392A42D throwing MQException: cc=2 rc=2059
     New MQException CompCode: 2 Reason: 2059
    --}! MQQueueManager.Connect() rc=(Unknown(2059))
    


    Any help or pointers are much appreciated.
    Cheers
    Sebastian



    ------------------------------
    Sebastian Wilk
    ------------------------------


  • 2.  RE: Managed .net Client does not send SSL certificate

    Posted Wed May 10, 2023 06:44 AM
    Edited by Bhushan Raut Wed May 10, 2023 06:49 AM

    Hi Sebastian, 
    I did this 2 years ago, and these are a few lines from my notes - hope that helps ...

    - Add the certificate via MMC; the certificate must contain the private key, so the file type should be .pfx/.p12
    - Allow the required users to access the private key of the certificate added to the "My user account" or "Local computer" store, using the Manage Private Keys option
    - Set the friendly name to ibmwebspheremq<user id>, where the user id is the user who executes the MQ connection module (may be the application's service account)
    - If you choose the certificate store location "My user account", then you need to use the *USER keystore; but if you import the certificate into "Computer account", then use the *SYSTEM keystore

    Additionally, you can try this to validate your certificate setup - WinHttpCertCfg.exe, a Certificate Configuration Tool - Win32 apps | Microsoft Learn



    ------------------------------
    Bhushan Raut
    ------------------------------



  • 3.  RE: Managed .net Client does not send SSL certificate

    Posted Thu May 11, 2023 03:41 AM

    The cert label name ibmwebspheremq<user id> ... is mandatory.
    The user id here is the user who executes MQ connection module (may be service account of application).



    ------------------------------
    Francois Brandelik
    ------------------------------



  • 4.  RE: Managed .net Client does not send SSL certificate

    Posted Thu May 11, 2023 05:36 AM

    The label is set to the user that is running the simpleput sample, but I somehow get the feeling that you are talking about another location/parameter where the friendly name/label has to be set?



    ------------------------------
    Sebastian Wilk
    ------------------------------



  • 5.  RE: Managed .net Client does not send SSL certificate

    Posted Thu May 11, 2023 06:02 AM

    Follow this - https://www.entrust.com/knowledgebase/ssl/how-to-change-a-friendly-name-in-microsoft-management-console-mmc
    You need to right-click on the personal certificate -> Properties -> General -> Friendly name.

    Make sure you have added the root and intermediate certificates as appropriate (in the same store where you added the personal cert, i.e. user or local computer).



    ------------------------------
    Bhushan Raut
    ------------------------------



  • 6.  RE: Managed .net Client does not send SSL certificate

    Posted 6 days ago

    Hi Sebastian ,

    I am currently struggling with the same problem as yours, and the error code is the same. Would you please let me know whether your issue is fixed and what helped you fix it?

    Your response is much appreciated

    Best

    Sanchita



    ------------------------------
    Sanchita Mondal
    ------------------------------



  • 7.  RE: Managed .net Client does not send SSL certificate

    Posted 6 days ago

    Sanchita, 

    Is your client certificate named "ibmwebspheremq<clientid>"?

    Replace the string <clientid> with the client id...

    If you want to be able to define a certificate label to use on the client side, you'd have to use a CCDT. (Client channel definition table).



    ------------------------------
    Francois Brandelik
    ------------------------------



  • 8.  RE: Managed .net Client does not send SSL certificate

    Posted 6 days ago

    Francois,

    Yes, the client certificate's friendly name property has been set to ibmwebspheremq<clientid>, where clientid is the service account; the certificate is in pfx format.

    But I still get this error.



    ------------------------------
    Sanchita Mondal
    ------------------------------



  • 9.  RE: Managed .net Client does not send SSL certificate

    Posted 6 days ago

    Hey Sanchita,

    Unfortunately we did not solve the problem, but since the application itself was deprecated anyway, we decided not to put any more time and energy into it.

    I'm not sure if there is an updated doc that may cover the issue, but in general, working with .NET in that regard proved to be a lot more challenging.



    ------------------------------
    Sebastian Wilk
    ------------------------------



  • 10.  RE: Managed .net Client does not send SSL certificate

    Posted 5 days ago

    Hello Sebastian,

    As far as I know, if a .NET managed client uses mutual TLS authentication, then in order to send its own client certificate from a Windows keystore (*USER/*SYSTEM), the X.509 extension "Extended Key Usage (EKU), OID 1.3.6.1.5.5.7.3.2" must be set to >ClientAuthentication< explicitly. This must be done during creation of the CSR (Certificate Signing Request) for that client's certificate.

    Here's a basic guideline on how to create a new CSR from the Windows MMC:

    https://www.entrust.com/knowledgebase/ssl/how-to-generate-certificate-signing-request-using-microsoft-management-console-mmc-on-windows-2012

    If you have created your CSR from MMC, a new private/public key pair was created by Windows implicitly as well.

    Finally, you just have to send the CSR to your company's PKI and import the signed certificate into your Windows keystore location.

    If the CA-signed certificate does not have this OID extension, the underlying Windows Schannel runtime will not select the certificate during the SSL handshake.

    Alternatively, you could create a p12 keystore with the Java keytool and import this p12 keystore into your Windows keystore location.

    If using keytool, again make sure to add the EKU extension for ClientAuthentication:

    # one command; use ^ instead of \ for line continuation in cmd.exe
    keytool -genkeypair -alias <ibmwebsphereMQ***> \
        -keystore "<keystoreName>.p12" -storetype PKCS12 \
        -keyalg RSA -keysize 4096 \
        -sigalg SHA256withRSA \
        -dname "CN=<server-dns>, ..." \
        -ext eku=clientAuth



    ------------------------------
    Magnus Dümke
    ------------------------------
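The post above creates the key pair and CSR either through the MMC wizard or with keytool. A third route that stays on the Windows side is certreq, which lets the clientAuth EKU, the friendly name and the key parameters be declared in an INF file so nothing has to be clicked or renamed afterwards. This is an added example, not code from the thread or from IBM; the subject, the friendly-name convention ibmwebspheremq<userid> (lower case), the temporary directory, the current-user (*USER) store and the file name client.cer returned by the PKI are all assumptions. The verification function at the end covers only what this procedure produces (label, private key, EKU); chain trust is a separate check.

```powershell
# Added example (not from the thread or IBM): key pair + CSR via certreq with the clientAuth EKU
# (1.3.6.1.5.5.7.3.2) declared in the request, so the issued certificate carries it.
# Assumptions: subject and friendly name below are placeholders; key lands in the current
# user's key store (*USER); the PKI returns the signed certificate as client.cer.
$userId       = $env:USERNAME.ToLowerInvariant()
$friendlyName = "ibmwebspheremq$userId"                 # label the MQ client looks for
$subject      = "CN=mq-client-$userId, O=Example Org"   # placeholder subject, adjust to your PKI's rules
$work         = Join-Path $env:TEMP 'mq-client-csr'
New-Item -ItemType Directory -Path $work -Force | Out-Null

# certreq INF: RSA-4096 key in the user's key store, exportable so a .pfx backup is possible,
# KeyUsage 0xa0 = digitalSignature | keyEncipherment, and an EKU restricted to clientAuth.
$inf = @"
[NewRequest]
Subject = "$subject"
FriendlyName = "$friendlyName"
KeyAlgorithm = RSA
KeyLength = 4096
HashAlgorithm = sha256
KeyUsage = 0xa0
MachineKeySet = false
Exportable = true
RequestType = PKCS10

[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.2
"@
$infPath = Join-Path $work 'client.inf'
$csrPath = Join-Path $work 'client.csr'
$cerPath = Join-Path $work 'client.cer'
Set-Content -Path $infPath -Value $inf -Encoding ASCII

# 1. Generate the key pair (stored under the current user) and the PKCS#10 request.
certreq.exe -new -q $infPath $csrPath
if ($LASTEXITCODE -ne 0) { throw "certreq -new failed with exit code $LASTEXITCODE" }
Write-Host "CSR written to $csrPath; submit it to your PKI and save the signed certificate as $cerPath"

# 2. Once the PKI has signed it, pair the certificate with the key certreq created:
#    certreq.exe -accept -q $cerPath
#    (the friendly name from the INF is applied to the installed certificate)

# 3. Verify what ended up in the store: label, private key, clientAuth EKU.
function Test-MqClientCert([string]$Label) {
    $cert = Get-ChildItem Cert:\CurrentUser\My |
        Where-Object { $_.FriendlyName -eq $Label } |
        Select-Object -First 1
    if (-not $cert) { return "no certificate labelled $Label in Cert:\CurrentUser\My" }
    $ekuExt = $cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    $hasClientAuth = [bool]($ekuExt.EnhancedKeyUsages | Where-Object { $_.Value -eq '1.3.6.1.5.5.7.3.2' })
    return "label=$Label privateKey=$($cert.HasPrivateKey) clientAuth=$hasClientAuth thumbprint=$($cert.Thumbprint)"
}

# Run after step 2; expect privateKey=True and clientAuth=True.
Test-MqClientCert -Label $friendlyName
```

If the PKI rewrites the EKU from its own template (common with enterprise CAs), the request's extension is ignored and `clientAuth=False` will show up here even though the INF asked for it; in that case the fix is on the CA template, not on the client.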