MQ
  • 1.  MQ Client Connect with different certificates

    Posted Mon May 09, 2022 05:05 AM

    Hello together,

    we have a problem with an application which needs to connect to a queue manager with different connection parameters and SSL certificates.
    A connection without certificates works fine, but if we switch to an SSL connection it seems that we can only use one certificate, not two different ones.

    Does anybody have a hint what we could do?

    Thanks and regards



    ------------------------------
    Katja Meyer
    ------------------------------


  • 2.  RE: MQ Client Connect with different certificates

    Posted Mon May 09, 2022 06:02 AM
    Edited by Mark Taylor Mon May 09, 2022 06:02 AM
    You need to provide lots more information. What kind of application? Java? C? .Net? How are you specifying the TLS configuration? Using CCDT? Creating an MQSCO structure? Trying to use multiple keystores or just multiple certs in a single keystore? Generally, the CERTLABL is what you'd probably need to be working with but how you access those capabilities will vary by environment.

    ------------------------------
    Mark Taylor
    Winchester
    ------------------------------



  • 3.  RE: MQ Client Connect with different certificates

    Posted Mon May 09, 2022 07:14 AM
    Hello Mark,

    It's a .NET program. We use a CCDT with a QMGR alias. For each certificate we use its own keystore. The reason is that the user is the same, only the common name in the certificate is different, so we can't use one keystore for both. But we need it for security reasons.
    I have to ask the developer whether we use an MQSCO structure.

    Regards

    ------------------------------
    Katja Meyer
    ------------------------------



  • 4.  RE: MQ Client Connect with different certificates

    IBM Champion
    Posted Tue May 10, 2022 12:25 AM

    Hi Katja,

    So you have told us that you use a CCDT, which will be how your channel parameters, such as the SSLCipherSpec value are set. However, the CCDT does not provide a way to point to a Keystore, so you will need to tell us how you point to a Keystore for your application to use.

    Also, in your initial post you say that this application can use one certificate but not two certificates. Can you tell us more about whether this application is making more than one connection and needs to use a different certificate on each connection, or whether you just need to be able to run the application in two different ways, sometimes using one certificate and sometimes using another.

    Cheers,
    Morag



    ------------------------------
    Morag Hughson
    MQ Technical Education Specialist
    MQGem Software Limited
    Website: https://www.mqgem.com
    ------------------------------



  • 5.  RE: MQ Client Connect with different certificates

    Posted Tue May 10, 2022 02:10 AM

    Hello Morag,

    we define the CCDT in the mqclient.ini and the keystore in the application itself. 

    Config TS:
    <ip name="" />
    <qmgr name="*OCR_MQTS" />
    <chl name="" />
    <request name="DE.HUK.TS.OCR.ZAD.REQUEST.SQ00" />
    <reply name="DE.HUK.TS.OCR.ZAD.REPLY.SQ00" />
    <timeout value="60000" />
    <sslkeyrepository name="D:\MQ_TOOLS\SSL\01\HUK_TUSR_ USER" />

    Config PR:
    <ip name="" />
    <qmgr name="*OCR_MQPR" />
    <chl name="" />
    <request name="DE.HUK.PR.OCR.ZAD.REQUEST.SQ00" />
    <reply name="DE.HUK.PR.OCR.ZAD.REPLY.SQ00" />
    <timeout value="60000" />
    <sslkeyrepository name="D:\MQ_TOOLS\SSL\01\HUK_PUSR_USER" />

    Connecting with either one of the two configurations works, but not two connections to Config PR and Config TS at the same time.

    Regards



    ------------------------------
    Katja Meyer
    ------------------------------



  • 6.  RE: MQ Client Connect with different certificates

    IBM Champion
    Posted Tue May 10, 2022 05:41 AM

    The behaviour you are seeing is working as designed. The second and subsequent connections in the same application will be made using the TLS environment that was used for the first connection.

    This limitation was lifted in IBM MQ V9.2.5 with the introduction of an additional configuration option to control the TLS environment in C clients, the EnvironmentScope attribute of the SSL stanza of the client configuration file.

    You mentioned before that you were using .NET. In non-managed .NET, the connection drops down to the C client underneath, so this may apply to your environment too.

    Cheers,
    Morag



    ------------------------------
    Morag Hughson
    MQ Technical Education Specialist
    MQGem Software Limited
    Website: https://www.mqgem.com
    ------------------------------
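The EnvironmentScope setting Morag refers to, shown as an added mqclient.ini example. This fragment is not part of the thread and is not taken from IBM's documentation; the CHANNELS stanza directory and file name are assumptions, and the key repositories themselves stay in the application's own configuration, as the poster's Config TS / Config PR fragments show. The commented-out stanza shows the default that produces the behaviour described in the thread; the active stanza shows the 9.2.5 option.

```ini
; mqclient.ini (client configuration file) -- added example, not from the thread.
; Paths and file names below are assumptions.

; The poster says the CCDT is defined in mqclient.ini; this is where that goes.
CHANNELS:
  ChannelDefinitionDirectory=D:\MQ_TOOLS\CCDT
  ChannelDefinitionFile=AMQCLCHL.TAB

; Default behaviour, and what the thread describes: one TLS environment per
; process, built from whichever key repository the FIRST connection supplied.
; Every later connection in the same process reuses it, so a second connection
; that passed a different key repository still authenticates with the first
; one's certificate. Leaving the stanza out is equivalent to this setting.
;SSL:
;  EnvironmentScope=PROCESS

; Option introduced in IBM MQ 9.2.5 for the C client: each connection gets its
; own TLS environment from the MQSCO (key repository, certificate label) it was
; given, so two simultaneous connections can present two different certificates.
SSL:
  EnvironmentScope=CONNECTION
```

Two caveats a practitioner would check before relying on this. First, it needs 9.2.5 or later client libraries on the machine running the application, not just on the queue manager. Second, as Morag notes, the setting belongs to the C client, so it is relevant to the unmanaged .NET transport that sits on top of the C client; whether the application actually uses that transport (rather than the managed .NET transport) is the question to put to the developer alongside the MQSCO one.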