You might want to use something like SSLCERTLBL to force the client to use a specific cert in the store, so that you won't fail the SSL PEER check...
Original Message:
Sent: Thu August 15, 2024 06:46 AM
From: Arul Saravanan
Subject: MQ Client upgrade from 8.0.0.5 to 9.2.26
Hi Roger,
It's all the same .NET code and the same certificate as well. Testing both versions on the same server by installing one at a time.
Thanks,
Arul
------------------------------
Arul Saravanan
Original Message:
Sent: Wed August 14, 2024 04:45 PM
From: Roger Lacroix
Subject: MQ Client upgrade from 8.0.0.5 to 9.2.26
Hello Arul,
Are you using the same .NET code and same SSL/TLS certificate with MQ v9.2.0.26 that you used with MQ v8.0.0.5?
Did you check the queue manager log file for error messages related to your connection attempt?
Note: I'm not an MQ SSL/TLS on .NET expert, so someone else will need to chime in.
later
Roger
------------------------------
Roger Lacroix
CTO
Capitalware Inc.
London Canada
https://capitalware.com
Original Message:
Sent: Wed August 14, 2024 04:31 AM
From: Arul Saravanan
Subject: MQ Client upgrade from 8.0.0.5 to 9.2.26
Hi Roger,
Thanks for your response. We are using .NET Framework 4.7 and we can't move to the latest version of MQ because of other technical restrictions in the application.
I was able to trace the requests sent to MQ and identified that it is an issue with the SSL certificate installed on the client machine. It is a self-signed certificate.
Connect
06:20:42.856839 27652.1 : Connect returned True
06:20:42.857092 27652.1 : TCP/IP LINGER disabled
06:20:42.857110 27652.1 : Using socket send buffer size 32768
06:20:42.857129 27652.1 : Using socket receive buffer size 32768
06:20:42.857142 27652.1 : --------------------} MQTCPConnection.ConnectUsingLocalAddr(ParsedLocalAddr,IPAddress,int) (rc=OK)
06:20:42.857148 27652.1 : IP:*******************
06:20:42.857401 27652.1 : Constructing IBM.WMQ.Nmqi.MQEncryptedSocket#0073673B MQMBID sn=p920-026-240612 su=_ilMFOyirEe-nc-kqTO-cfg pn=basedotnet/nmqi/NmqiObject.cs
06:20:42.857428 27652.1 : Constructing IBM.WMQ.Nmqi.MQEncryptedSocket#0073673B MQMBID sn=p920-026-240612 su=_ilMFOyirEe-nc-kqTO-cfg pn=basedotnet/nmqi/MQEncryptedSocket.cs
06:20:42.858385 27652.1 : ---------------------{ MQEncryptedSocket.RetrieveAndValidateSSLParams(MQConnectOptions)
06:20:42.858416 27652.1 : KeyStore is *USER
06:20:42.858429 27652.1 : CertificateLabel set from sslConfigOptions = *****************************
06:20:42.858448 27652.1 : KeyResetCount is 0
06:20:42.858458 27652.1 : CertificationCheck = False
06:20:42.858486 27652.1 : Hostname is : ********************
06:20:42.858493 27652.1 : CipherSpec value is TLS_RSA_WITH_AES_128_CBC_SHA256
06:20:42.858500 27652.1 : SSLPEERNAME value is
06:20:42.858507 27652.1 : --------------------} MQEncryptedSocket.RetrieveAndValidateSSLParams(MQConnectOptions) (rc=OK)
06:20:42.860532 27652.1 : ---------------------{ MQEncryptedSocket.MakeSecuredConnection()
06:20:42.860577 27652.1 : Created an instance of SSLStreams
06:20:42.860586 27652.1 : Setting current certificate store as 'User'
06:20:42.860594 27652.1 : Created store object to access certificates
06:20:42.863206 27652.1 : Opened store
06:20:42.863218 27652.1 : Accessing certificate - lido.bilupgrade.prod.easyjet.com
06:20:42.863253 27652.1 : Adding certificate with FriendlyName - lido.bilupgrade.prod.easyjet.com
06:20:42.863312 27652.1 : TLS12 supported - True
06:20:42.863628 27652.1 : Setting SslProtol as Tls12
06:20:42.863639 27652.1 : Starting SSL Authentication
06:20:42.863646 27652.1 : -----------------------{ MQClientCfg.GetStringValue(StringCfgProperty)
06:20:42.863652 27652.1 : ----------------------} MQClientCfg.GetStringValue(StringCfgProperty) (rc=OK)
06:20:42.863657 27652.1 : OutboundSNI is set to
06:20:42.863663 27652.1 : Server name is set to *
06:20:42.865174 27652.1 : -----------------------{ MQEncryptedSocket.FixClientCertificate(Object,String,X509CertificateCollection,X509Certificate,String[])
06:20:42.865190 27652.1 : Client callback has been invoked to find client certificate
06:20:42.865202 27652.1 : ----------------------} MQEncryptedSocket.FixClientCertificate(Object,String,X509CertificateCollection,X509Certificate,String[]) (rc=OK)
06:20:42.928170 27652.1 : -----------------------{ MQEncryptedSocket.FixClientCertificate(Object,String,X509CertificateCollection,X509Certificate,String[])
06:20:42.928192 27652.1 : Client callback has been invoked to find client certificate
06:20:42.928200 27652.1 : Use the first certificate that is from an acceptable issuer.
06:20:42.928272 27652.1 : ----------------------} MQEncryptedSocket.FixClientCertificate(Object,String,X509CertificateCollection,X509Certificate,String[]) (rc=OK)
06:20:43.003988 27652.1 : -----------------------{ MQEncryptedSocket.ClientValidatingServerCertificate(Object,X509Certificate,X509Chain,SslPolicyErrors)
06:20:43.004057 27652.1 : SSL Server Certificate validation failed - RemoteCertificateNameMismatch, RemoteCertificateChainErrors
06:20:43.004070 27652.1 : ----------------------} MQEncryptedSocket.ClientValidatingServerCertificate(Object,X509Certificate,X509Chain,SslPolicyErrors) (rc=OK)
06:20:43.006638 27652.1 : Exception received
System.Security.Authentication.AuthenticationException
Message: The remote certificate is invalid according to the validation procedure.
------------------------------
Arul Saravanan
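Added example, not part of the original thread and not IBM tooling: a small Python triage script that pulls the TLS-relevant settings and the server-certificate validation failure out of a trace in the format quoted above. The flag descriptions follow .NET's System.Net.Security.SslPolicyErrors enum; the function names and the set of settings collected are assumptions made for this illustration.

```python
import re

# Lines taken from the trace quoted above, embedded so the script runs offline.
SAMPLE_TRACE = """\
06:20:42.858458 27652.1 : CertificationCheck = False
06:20:42.858493 27652.1 : CipherSpec value is TLS_RSA_WITH_AES_128_CBC_SHA256
06:20:42.858500 27652.1 : SSLPEERNAME value is
06:20:42.863663 27652.1 : Server name is set to *
06:20:43.004057 27652.1 : SSL Server Certificate validation failed - RemoteCertificateNameMismatch, RemoteCertificateChainErrors
"""

# What each SslPolicyErrors flag tells the person triaging the failure.
POLICY_ERRORS = {
    "RemoteCertificateNameMismatch": "certificate name does not match the server name the client used",
    "RemoteCertificateChainErrors": "chain validation reported errors, e.g. issuer not in the client's trusted root store",
    "RemoteCertificateNotAvailable": "server presented no certificate",
}

LINE = re.compile(r"^(\d{2}:\d{2}:\d{2}\.\d+)\s+(\S+)\s+:\s?(.*)$")
SETTING = re.compile(r"^(CertificationCheck|CipherSpec value|SSLPEERNAME value|"
                     r"Server name|OutboundSNI|KeyStore)\s*(?:=|is set to|is)\s*(.*)$")
FAILURE = re.compile(r"SSL Server Certificate validation failed - (.+)$")

def triage(trace):
    """Return (settings dict, list of (timestamp, [policy error flags]))."""
    settings, failures = {}, []
    for raw in trace.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # exception text and other non-trace lines
        ts, _thread, msg = m.group(1), m.group(2), m.group(3).strip()
        s = SETTING.match(msg)
        if s:
            settings[s.group(1)] = s.group(2).strip()
        f = FAILURE.search(msg)
        if f:
            failures.append((ts, [x.strip() for x in f.group(1).split(",")]))
    return settings, failures

def report(trace):
    """One human-readable finding per policy error, plus a note on peer-name checking."""
    settings, failures = triage(trace)
    out = [f"{ts} {flag}: {POLICY_ERRORS.get(flag, 'unknown flag')}"
           for ts, flags in failures for flag in flags]
    if failures and not settings.get("SSLPEERNAME value"):
        out.append("note: SSLPEERNAME is empty, so no peer DN filter is configured")
    return out

if __name__ == "__main__":
    print("\n".join(report(SAMPLE_TRACE)))
```
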
Original Message:
Sent: Tue August 13, 2024 03:16 PM
From: Roger Lacroix
Subject: MQ Client upgrade from 8.0.0.5 to 9.2.26
> is not working after upgrading to 9.2.26
Did you mean "9.2.0.26"?
You left out important information.
- Are you using .NET Framework or .NET Core (aka .NET)?
- What release of .NET Framework or .NET Core are you using?
- Did you check IBM's MQ website for .NET Framework or .NET Core prerequisites?
Why are you upgrading to MQ v9.2 when it will go out of support in a year (September 2025)?
You should just go straight to IBM MQ v9.4 (the latest release).
later
Roger
------------------------------
Roger Lacroix
CTO
Capitalware Inc.
London Canada
https://capitalware.com
Original Message:
Sent: Fri August 09, 2024 06:30 AM
From: Arul Saravanan
Subject: MQ Client upgrade from 8.0.0.5 to 9.2.26
We have upgraded the MQ .NET client from 8.0.0.5 to 9.2.26. The existing code logic with 8.0.0.5 is not working after upgrading to 9.2.26. We are getting the error MQRC_HOST_NOT_AVAILABLE even though we are providing valid hostnames. Is there any other DLL to be referenced apart from amqmdnt.dll?
------------------------------
Arul Saravanan
------------------------------