App Connect


ACE - MQ SSL Error

  • 1.  ACE - MQ SSL Error

    Posted Tue December 01, 2020 04:33 AM
    Hello,

    I have ACE installed on OpenShift and it reads/writes messages to a QM. I have configured a truststore in the ACE integration server for SSL (one-way) to connect to the remote Queue Manager. I am getting the error below:

    Failed to make a client connection to queue manager 'TESTQM' using hostname '***.containers.appdomain.cloud' on port '443': MQCC=2; MQRC=2381.

    server.conf.yaml:

    ResourceManagers:
      HTTPSConnector:
        TruststoreFile: '/home/aceuser/truststores/clientkey.jks'
        TruststoreType: 'JKS'
        TruststorePassword: '***'

    Any help on this will be helpful.

    ------------------------------
    Abinash Dalai
    ------------------------------


  • 2.  RE: ACE - MQ SSL Error

    Posted Wed December 02, 2020 05:10 AM
    Hi Abinash,

    If you are using the MQ Input/Output nodes you will need to set up ACE in a similar way to a C-based client for TLS.

    For one-way TLS you should only need the root CA that signed the queue manager's cert or the public cert of the queue manager's self-signed cert added to your ACE key db.

    Here are a couple of links that might help:

    https://www.ibm.com/support/knowledgecenter/SSTTDS_11.0.0/com.ibm.etools.mft.doc/bc28631_.html
    https://www.ibm.com/support/knowledgecenter/SSFKSJ_9.2.0/com.ibm.mq.sec.doc/q010090_.html
    https://www.ibm.com/support/knowledgecenter/SSFKSJ_9.2.0/com.ibm.mq.explorer.doc/e_ssl_mqclients.html
    https://www.ibm.com/support/knowledgecenter/SSFKSJ_9.2.0/com.ibm.mq.sec.doc/q012680_.html




  • 3.  RE: ACE - MQ SSL Error

    Posted Wed December 02, 2020 05:24 AM
    Edited by Abinash Dalai Wed December 02, 2020 05:25 AM
    Thank you @Martin Evans for the suggestion. I have tried the route to add the public certs to key.db, and am now receiving the error below.

    1. Added the self-signed certificates to the QueueManager (key.key and key.crt) using a k8s secret. (Can read and write to the queue from a JMS program with a JKS truststore.)
    2. From the "key.crt", created the .kdb, .rdb, and .sth files using runmqakm/runmqckm.
    3. During the integration server creation in the CloudPak navigator, added these 3 files as Keystore config and created one server.conf.yaml with (BrokerRegistry: mqKeyRepository: '/home/aceuser/keystores/key').
    4. Now I am receiving the below error in the pod logs:
    Failed to make a client connection to queue manager 'TESTQM' using hostname '***.containers.appdomain.cloud' on port '443': MQCC=2; MQRC=2393

    ------------------------------
    Abinash Dalai
    ------------------------------
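
Added example, not part of the thread and not IBM tooling: a preflight check that could be run inside the ACE pod against the key repository from step 3 above, since MQRC 2381 is MQRC_KEY_REPOSITORY_ERROR and MQRC 2393 is MQRC_SSL_INITIALIZATION_ERROR. The path /home/aceuser/keystores/key is taken from the post; the function name check_key_repo is hypothetical, and the example assumes the repository password is supplied through the .sth stash file.

```shell
#!/bin/sh
# Added example (not from the thread). mqKeyRepository is a file stem:
# the .kdb key database and the .sth stash file are looked up beside it.

# check_key_repo STEM
# Prints one finding per line; returns 0 if the repository looks usable.
check_key_repo() {
    stem=${1%.kdb}          # accept either the stem or the .kdb path
    rc=0
    if [ "$stem" != "$1" ]; then
        echo "note: checking stem $stem (the thread's setting uses the stem form)"
    fi
    for ext in kdb sth; do
        f="$stem.$ext"
        if [ ! -f "$f" ]; then
            echo "FAIL: missing $f"; rc=1
        elif [ ! -r "$f" ]; then
            # OpenShift often runs the pod under an arbitrary UID, so report
            # the numeric id rather than a user name that may not resolve.
            echo "FAIL: $f is not readable by uid $(id -u)"; rc=1
        elif [ ! -s "$f" ]; then
            echo "FAIL: $f is empty (secret mounted without content?)"; rc=1
        else
            echo "ok: $f"
        fi
    done
    # If the MQ tooling is on PATH, list the certificates so the queue
    # manager's public cert (or its signing CA) can be confirmed present.
    if [ "$rc" -eq 0 ] && command -v runmqakm >/dev/null 2>&1; then
        runmqakm -cert -list -db "$stem.kdb" -stashed || rc=1
    fi
    return "$rc"
}

# Stand-alone use: sh check_key_repo.sh /home/aceuser/keystores/key
if [ "$#" -gt 0 ]; then
    check_key_repo "$1"
fi
```
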



  • 4.  RE: ACE - MQ SSL Error

    Posted Wed December 02, 2020 06:10 AM
    Hi Abinash,

    The first thing I'd check is that the cipher spec on the client matches the qmgr channel; note that the C client uses the exact same name as the definition on the qmgr channel (unlike Java). Failing that, you might have to turn tracing on and take a look there. Also make sure the channel is not set to require 2-way; I think that's the default.






  • 5.  RE: ACE - MQ SSL Error

    Posted Wed December 02, 2020 07:27 AM
    Hello Martin,

    The cipher spec matches the QMGR. In the Qmgr I have used ANYTLS_12, and in the ACE flow I have tried both ANYTLS_12 and TLS_RSA_WITH_AES_128_CBC_SHA256. I also created a new Integration server with trace enabled from the CloudPak dashboard, but no traces are appearing as such.

    The channel is configured with one-way SSL only.

    If any implementation videos or documents are available, that will be very helpful.

    ------------------------------
    Abinash Dalai
    ------------------------------