The behaviour you are seeing is working as designed. The second and subsequent connections in the same application will be made using the TLS environment that was used for the first connection.
You mentioned before that you were using .NET. In non-managed .NET, the connection drops down to the C client underneath, so this may apply to your environment too.
Original Message:
Sent: Tue May 10, 2022 02:10 AM
From: Katja Meyer
Subject: MQ Client Connect with different certificates
Hello Morag,
We define the CCDT in the mqclient.ini and the keystore in the application itself.
Config TS:
<ip name="" />
<qmgr name="*OCR_MQTS" />
<chl name="" />
<request name="DE.HUK.TS.OCR.ZAD.REQUEST.SQ00" />
<reply name="DE.HUK.TS.OCR.ZAD.REPLY.SQ00" />
<timeout value="60000" />
<sslkeyrepository name="D:\MQ_TOOLS\SSL\01\HUK_TUSR_ USER" />
Config PR:
<ip name="" />
<qmgr name="*OCR_MQPR" />
<chl name="" />
<request name="DE.HUK.PR.OCR.ZAD.REQUEST.SQ00" />
<reply name="DE.HUK.PR.OCR.ZAD.REPLY.SQ00" />
<timeout value="60000" />
<sslkeyrepository name="D:\MQ_TOOLS\SSL\01\HUK_PUSR_USER" />
The connect to either one of the two configurations works, but not two connections to Config PR and TS at the same time.
Regards
------------------------------
Katja Meyer
Original Message:
Sent: Tue May 10, 2022 12:25 AM
From: Morag Hughson
Subject: MQ Client Connect with different certificates
Hi Katja,
So you have told us that you use a CCDT, which will be how your channel parameters, such as the SSLCipherSpec value, are set. However, the CCDT does not provide a way to point to a Keystore, so you will need to tell us how you point to a Keystore for your application to use.
Also, in your initial post you say that this application can use one certificate but not two certificates. Can you tell us more about whether this application is making more than one connection and needs to use a different certificate on each connection, or whether you just need to be able to run the application in two different ways, sometimes using one certificate and sometimes using another?
Cheers,
Morag
------------------------------
Morag Hughson
MQ Technical Education Specialist
MQGem Software Limited
Website: https://www.mqgem.com
Original Message:
Sent: Mon May 09, 2022 07:14 AM
From: Katja Meyer
Subject: MQ Client Connect with different certificates
Hello Mark,
It's a .Net program. We use a CCDT with QMGR alias. For each certificate we use its own keystore. The reason is that the user is the same, only the common name from the certificate is different, so we can't use one keystore for both. But we need it for security reasons.
I have to ask the developer whether we use a MQSCO structure.
Regards
------------------------------
Katja Meyer
Original Message:
Sent: Mon May 09, 2022 06:02 AM
From: Mark Taylor
Subject: MQ Client Connect with different certificates
You need to provide lots more information. What kind of application? Java? C? .Net? How are you specifying the TLS configuration? Using CCDT? Creating an MQSCO structure? Trying to use multiple keystores or just multiple certs in a single keystore? Generally, the CERTLABL is what you'd probably need to be working with but how you access those capabilities will vary by environment.
------------------------------
Mark Taylor
Winchester
Original Message:
Sent: Mon May 09, 2022 05:05 AM
From: Katja Meyer
Subject: MQ Client Connect with different certificates
Hello everyone,
we have a problem with an application which needs to connect to a queue manager with different connection parameters and SSL certificates.
A connection without certificates works well, but if we switch to an SSL connection it seems that we can only use one certificate, not two different ones.
Does anybody have a hint as to what we could do?
Thanks and regards
------------------------------
Katja Meyer