MQ

  • 1.  MQRC_SSL_INITIALIZATION_ERROR in ASP.Net application

    Posted Tue January 30, 2024 03:36 PM
    0

    I have an ASP.Net 4.8 application which is connecting to MQ using SSL. The non-SSL part works fine i.e. I am able to connect to MQ if I use non SSL connection so the problem is in SSL.

    MQ team has set up SSL at their end and MQ 7.5 client is installed on my machine. I am using amqmdnet.dll in my application. MQ team provided me with following:

    1. SSL certificate: I have imported it in Windows machine
    2. Root certificate: I have also imported it in Windows machine
    3. jks file: I have converted this file to .kdb file using utility runmqckm
    4. The above utility generated 3 files; Keystore.kdb, Keystore.rdb, Keystore.sth and they are present on C:\

    Here is my code and the error message I am getting:

    MQEnvironment.SSLCipherSpec = "TLS_RSA_WITH_AES_256_CBC_SHA256";
    queueProperties[MQC.HOST_NAME_PROPERTY] = "mq.ssl.local";
    queueProperties[MQC.PORT_PROPERTY] = 443;
    queueProperties[MQC.CHANNEL_PROPERTY] = "Some Channel";
    queueProperties[MQC.USER_ID_PROPERTY] = "some user";
    queueProperties[MQC.PASSWORD_PROPERTY] = "some password";
    queueProperties.Add(MQC.SSL_CERT_STORE_PROPERTY, @"C:\Keystore");
    queueProperties[MQC.TRANSPORT_PROPERTY] = MQC.TRANSPORT_MQSERIES_CLIENT;

    Getting error MQRC_SSL_INITIALIZATION_ERROR

    Can someone please tell me how to fix this issue? MQ is very confusing. Do I also need to use those certificates somewhere in code?

    Logs are showing error detail as follows:

    AMQ9665: SSL connection closed by remote end of channel 'MQ.ABC.SSL'.

    EXPLANATION:
    The SSL or TLS connection was closed by the remote host '192.168.1.23
    (192.168.1.23)(443)' during the secure socket handshake. The channel is
    'MQ.ABC.SSL'; in some cases its name cannot be determined and so is shown as
    '????'. The channel did not start.
    ACTION:
    Check the remote end of the channel for SSL and TLS errors. Fix them and
    restart the channel.



    ------------------------------
    Frank Martin
    ------------------------------


  • 2.  RE: MQRC_SSL_INITIALIZATION_ERROR in ASP.Net application

    IBM Champion
    Posted Tue January 30, 2024 06:54 PM

    Frank,

    When a connection fails to succeed for security related reasons, the side that is rejecting the connection has the details, the side that is being rejected typically has very little detail. In your error message it says "The SSL or TLS connection was closed by the remote host" and "Check the remote end of the channel for SSL and TLS errors.". There is likely more helpful diagnostic info there. It is not always possible to solve failed connections without checking logs at both ends.

    You show port 443. While this is typical for HTTPs, it is almost certainly not correct for the MQ Server you are trying to connect. The default port number for an MQ Listener is 1414. The MQ Admin may have changed it to a different port. Almost certainly not 443. Validate with the MQ Administrator what port number you should be using. It would be the same port used in your successful non TLS connection - MQ does not use different ports for TLS versus non TLS (unlike HTTP/HTTPs).

    MQ 7.5 went out of support in 2018. You should use a supported version of MQ Client, like version 9.3. Another factor that may be getting you here is that new MQ Servers are more restrictive in which TLS protocols they will allow (rejecting older ones) while ancient clients like 7.5 may be attempting just that. Again, more details in the logs on the server end is probably true.



    ------------------------------
    Peter Potkay
    ------------------------------



  • 3.  RE: MQRC_SSL_INITIALIZATION_ERROR in ASP.Net application

    Posted Sun February 04, 2024 05:44 AM
    Edited by Frank Martin Sun February 04, 2024 06:09 AM

    IBM MQ client 7.5 is installed. MQ team is saying that .Net client must be in unmanaged mode. Are they talking about MQ client or my .Net application? How can I make my application as unmanaged?

    I am using amqmdnet.dll in my .Net application.

    I even tried the following utility but it is showing a different error:

    Command

    AMQSSSLC -m cqm -c ABC.CORP.SSL -x mqtesting.mycorp.local:443 -k "C:\IBM\Keystore" -s TLS_RSA_WITH_AES_256_CBC_SHA256

    Error

    Connecting to queue manager cqm
    Using the server connection channel ABC.CORP.SSL
    on connection name mqtesting.mycorp.local:443.
    Using SSL CipherSpec TLS_RSA_WITH_AES_256_CBC_SHA256
    Using SSL key repository stem C:\IBM\Keystore
    No OCSP configuration specified.
    MQCONNX ended with reason code 2538

    Error in logs is:

    AMQ9202: Remote host 'mqtesting.mycorp.local:443'
    not available, retry later.

    EXPLANATION:
    The attempt to allocate a conversation using TCP/IP to host
    'mqtesting.mycorp.local:443' for channel
    ABC.CORP.SSL was not successful. However the error may be a transitory one and
    it may be possible to successfully allocate a TCP/IP conversation later. 

    In some cases the remote host cannot be determined and so is shown as '????'.
    ACTION:
    Try the connection again later. If the failure persists, record the error
    values and contact your systems administrator. The return code from TCP/IP is
    11001 (X'0'). The reason for the failure may be that this host cannot reach the
    destination host. It may also be possible that the listening program at host
    'mqtesting.mycorp.local:443' was not running.  If
    this is the case, perform the relevant operations to start the TCP/IP listening
    program, and try again. 


    ------------------------------
    Frank Martin
    ------------------------------



  • 4.  RE: MQRC_SSL_INITIALIZATION_ERROR in ASP.Net application

    IBM Champion
    Posted Mon February 05, 2024 02:52 PM

    (1) If your MQ .NET application is running in 'managed mode' then all you need is the IBM MQ .NET DLLs from the NuGet Gallery and you put the following line in your .NET application:

    prop.Add(MQC.TRANSPORT_PROPERTY, MQC.TRANSPORT_MQSERIES_MANAGED);

    Note: IBM has 2 releases of IBM MQ called: IBM MQ classes for .NET Framework and IBM MQ classes for .NET Standard (aka Base .NET Classes). You can read my explanation of the difference between these packages here.

    (2) If your MQ .NET application is running in 'unmanaged mode' then you need the full IBM MQ client installed and you put the following line in your .NET application:

    prop.Add(MQC.TRANSPORT_PROPERTY, MQC.TRANSPORT_MQSERIES_CLIENT);

    Basically, when your MQ .NET application is running in 'unmanaged mode', it will use the same MQ libraries as a regular C application.

    later

    Roger



    ------------------------------
    Roger Lacroix
    CTO
    Capitalware Inc.
    London ON Canada
    https://capitalware.com
    ------------------------------
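
The two transport modes discussed in this thread, side by side with TLS settings, as an added example that is not code from any of the posters. The host name, queue manager name and channel name are placeholders, port 1414 is the default listener port mentioned above, and the `"*USER"` value assumes the certificates sit in the current user's Windows certificate store.

```csharp
using System;
using System.Collections;
using IBM.WMQ;

static class MqTlsConnectExample
{
    // managed = true  -> pure .NET transport; certificates come from the Windows store
    // managed = false -> native MQ client libraries; certificates come from the .kdb stem
    static Hashtable BuildProps(bool managed, string host, int port,
                                string channel, string kdbStem)
    {
        return new Hashtable
        {
            { MQC.HOST_NAME_PROPERTY, host },
            { MQC.PORT_PROPERTY, port },
            { MQC.CHANNEL_PROPERTY, channel },
            { MQC.SSL_CIPHER_SPEC_PROPERTY, "TLS_RSA_WITH_AES_256_CBC_SHA256" },
            { MQC.TRANSPORT_PROPERTY, managed ? MQC.TRANSPORT_MQSERIES_MANAGED
                                              : MQC.TRANSPORT_MQSERIES_CLIENT },
            // Managed mode takes "*USER" or "*SYSTEM"; unmanaged mode takes the
            // key repository path without the .kdb extension.
            { MQC.SSL_CERT_STORE_PROPERTY, managed ? "*USER" : kdbStem },
        };
    }

    static void Main()
    {
        // Placeholder connection details (assumptions, not values from the thread).
        var props = BuildProps(false, "mq.example.internal", 1414,
                               "EXAMPLE.SVRCONN", @"C:\Keystore");
        try
        {
            var qmgr = new MQQueueManager("QM1", props);
            Console.WriteLine("Connected over TLS");
            qmgr.Disconnect();
        }
        catch (MQException ex)
        {
            if (ex.ReasonCode == MQC.MQRC_HOST_NOT_AVAILABLE)             // 2538
                Console.WriteLine("TCP/DNS problem: check host name and listener port");
            else if (ex.ReasonCode == MQC.MQRC_SSL_INITIALIZATION_ERROR)  // 2393
                Console.WriteLine("TLS handshake failed: check key store, CipherSpec and the server-side logs");
            else
                Console.WriteLine("MQ reason code " + ex.ReasonCode + ": " + ex.Message);
        }
    }
}
```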