I have forwarded this to the developers for their review.
David A.
MQ admin, MQ developer, MQ firefighter, real firefighter.
Original Message:
Sent: Fri April 12, 2024 11:44 AM
From: Tim Zielke
Subject: Problems with SSL
Hi David,
If your IBM MQ client application is Java, this blog post helps explain how to run and analyze a JSSE (basically a TLS) trace on the client side.
https://community.ibm.com/community/user/integration/blogs/tim-zielke1/2020/06/10/java-jsse-debug-trace
Thanks,
Tim
------------------------------
Tim Zielke
Original Message:
Sent: Thu April 11, 2024 04:33 AM
From: Francois Brandelik
Subject: Problems with SSL
Hi David,
If you do not want to specify the certificate label to be used to connect to MQ, the client certificate should have the name ibmwebspheremq<userid> with the userid of the user running the mq process.
Otherwise you'd have to look at specifying the certlabel, perhaps in the CCDT.
Hope it helps
------------------------------
Francois Brandelik
Original Message:
Sent: Wed April 10, 2024 03:36 PM
From: David Awerbuch
Subject: Problems with SSL
Hi Neil,
We are running into a similar situation, and my Google search for the error code AMQ9638E brought me here. However, I am encountering this issue with an MQ client trying to connect to a queue manager. In this case the receiver (qmgr) has all the necessary certs it needs for itself; I suspect there is an issue on the client side but am not able to put my finger on it.
Thanks,
David
------------------------------
David Awerbuch
MQ admin, MQ developer, MQ firefighter, real firefighter.
Original Message:
Sent: Thu September 10, 2020 01:14 AM
From: Neil Casey
Subject: Problems with SSL
Hi Kristjan,
From your last certificate process paragraph, it looks as though you are creating a certificate for your sender queue manager, but not creating a certificate for the receiver.
This is going to fail because of the asymmetry of the TLS connection process.
TLS requires that the SERVER side (in MQ this is the RECEIVER channel) must have a certificate/key pair (a personal certificate). So you need to create a personal certificate for the queue manager which has the receiver channel.
If you specify in the receiver channel configuration the option SSLCAUTH(REQUIRED), then the sender channel queue manager ALSO has to have a certificate/key pair.
So, your two queue managers have 2 different names. QM1 and QM2. They will each host sender and receiver channels between the 2 queue managers.
You need to create certs for each qmgr in their own keystore, extract and exchange them, and then add the certs into the partner QM keystore.
Then you have to either restart the queue manager or issue the runmqsc command "refresh security(*) type(ssl)". This is because MQ caches the keystore in memory and you have to tell it to flush the cached copy and reload it.
Then in the channel definitions of the SENDER channel, you should include SSLCIPH to pick a cipher (or a cipher group like ANY_TLS12) and put the DN of the RECEIVER queue manager in the SSLPEER. You can also use CHLAUTH records of type SSLPEERMAP to validate the SSLPEER, which has the advantage of allowing you to validate the certificate issuer as well.
The receiver channel is a mirror image of the sender. It must have a compatible cipher (the same one or a member of the group named by the partner, or a group which includes the cipher set in the partner). The SSLPEER should be the DN of the sender channel QM certificate.
I hope that helps.
Regards,
------------------------------
Neil Casey
Senior Consultant
Syntegrity Solutions
Melbourne, Victoria
IBM Champion (Cloud) 2019-20
+61 (0) 414 615 334
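The steps in the post above as one runnable script. This is an added example, not code from the thread or from IBM. It assumes two queue managers, QM1 (hosting the sender) and QM2 (hosting the receiver), on the same host with the default key repositories under /var/mqm/qmgrs/<QM>/ssl, self-signed certificates with the DNs CN=QM1,O=ABC,C=US and CN=QM2,O=ABC,C=US (so the issuer DN the partner sees is the subject DN itself), a channel QM1.TO.QM2 whose receiver listens at host2(1414), and a transmission queue QM2. The keystore password, the function names and the choice of the ANY_TLS12 cipher group are mine. The MQSC-generating functions run anywhere; the runmqakm/runmqsc calls only run when those tools are on the PATH.

```shell
#!/bin/sh
# Added example: two-queue-manager TLS setup (personal cert on each side,
# exchange of the public certs, SSLCIPH/SSLPEER/CHLAUTH, REFRESH SECURITY).
# Assumptions: QM1 and QM2 on one host, default key repositories, self-signed certs.
set -u

KDB_PW="changeit"   # assumed keystore password; the stash file is used afterwards

# Default certificate label for a queue manager: ibmwebspheremq + lowercase qmgr name.
qm_label() { printf 'ibmwebspheremq%s\n' "$(printf '%s' "$1" | tr 'A-Z' 'a-z')"; }

# Create the key repository if needed, the queue manager's personal certificate,
# and export its public part to <QM>.arm for the partner.
create_and_extract() { # qm dn
  qm=$1; dn=$2; kdb="/var/mqm/qmgrs/$qm/ssl/key.kdb"; label=$(qm_label "$qm")
  [ -f "$kdb" ] || runmqakm -keydb -create -db "$kdb" -pw "$KDB_PW" -type cms -stash
  runmqakm -cert -create -db "$kdb" -stashed -label "$label" -dn "$dn" \
      -size 2048 -x509version 3 -expire 365 -sig_alg SHA256WithRSA
  runmqakm -cert -extract -db "$kdb" -stashed -label "$label" -target "$qm.arm" -format ascii
}

# Import the partner's public certificate into this queue manager's repository.
trust_partner() { # qm partner
  runmqakm -cert -add -db "/var/mqm/qmgrs/$1/ssl/key.kdb" -stashed \
      -label "$(qm_label "$2")" -file "$2.arm" -format ascii
}

# MQSC for the queue manager that hosts the SENDER end of the channel.
mqsc_sender() { # local_qm channel remote_conname xmitq remote_dn
  cat <<EOF
ALTER QMGR CERTLABL('$(qm_label "$1")')
DEFINE CHANNEL('$2') CHLTYPE(SDR) CONNAME('$3') XMITQ('$4') +
       SSLCIPH(ANY_TLS12) SSLPEER('$5') REPLACE
REFRESH SECURITY TYPE(SSL)
EOF
}

# MQSC for the queue manager that hosts the RECEIVER end. This side MUST own a
# personal certificate; SSLCAUTH(REQUIRED) then also forces the sender to present
# one, and the SSLPEERMAP rule pins both the peer subject and its issuer.
mqsc_receiver() { # local_qm channel remote_dn remote_issuer_dn
  cat <<EOF
ALTER QMGR CERTLABL('$(qm_label "$1")')
DEFINE CHANNEL('$2') CHLTYPE(RCVR) SSLCIPH(ANY_TLS12) SSLCAUTH(REQUIRED) +
       SSLPEER('$3') REPLACE
SET CHLAUTH('$2') TYPE(SSLPEERMAP) SSLPEER('$3') SSLCERTI('$4') +
    USERSRC(CHANNEL) ACTION(REPLACE)
REFRESH SECURITY TYPE(SSL)
EOF
}

# Full exchange between QM1 (sender side) and QM2 (receiver side).
setup_pair() {
  create_and_extract QM1 "CN=QM1,O=ABC,C=US"
  create_and_extract QM2 "CN=QM2,O=ABC,C=US"
  trust_partner QM1 QM2
  trust_partner QM2 QM1
  mqsc_sender   QM1 QM1.TO.QM2 'host2(1414)' QM2 'CN=QM2,O=ABC,C=US' | runmqsc QM1
  # self-signed: the issuer DN the receiver sees is QM1's own subject DN
  mqsc_receiver QM2 QM1.TO.QM2 'CN=QM1,O=ABC,C=US' 'CN=QM1,O=ABC,C=US' | runmqsc QM2
  # Check what the handshake negotiated and which peer DN/issuer were actually seen.
  printf "START CHANNEL('QM1.TO.QM2')\nDISPLAY CHSTATUS('QM1.TO.QM2') SSLCIPH SSLPEER SSLCERTI\n" | runmqsc QM1
}

if command -v runmqakm >/dev/null 2>&1 && command -v runmqsc >/dev/null 2>&1; then
  setup_pair
else
  echo "runmqakm/runmqsc not on PATH: MQSC generation only, nothing applied" >&2
fi
```

The SSLPEER shown by DISPLAY CHSTATUS on the sender is the DN the receiver presented, which is exactly the string the SSLPEER attribute and the CHLAUTH rule are matched against, so compare that output with the filter before suspecting anything else. With CA-issued certificates, put the CA's DN in SSLCERTI and add the CA chain to both repositories instead of the partner's self-signed certificate.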
Original Message:
Sent: Wed September 09, 2020 03:24 AM
From: Kristjan Voolaid
Subject: Problems with SSL
Hello everyone!
Two months ago I started at a new company and one of my first "real/big" tasks has been setting up IBM MQ for messaging. I have set up a single node with basic configuration in our test environment (when messages are coming through, I will continue to set up failover).
The problem we have with our first client (who sends us messages) is that, when pinging the channel, they receive the error: AMQ9638E: SSL communications error for channel '***********'.
From the logs I also only see very unclear messages:
AMQ9638E: SSL communications error for channel '***********'.
EXPLANATION:
An unexpected SSL communications error occurred for a channel, as reported in the preceding messages. The channel is '***********'; in some cases its name cannot be determined and so is shown as '????'. The channel did not start.
ACTION:
Investigate the problem reported in the preceding messages. Review the local and remote console logs for reports of network errors. Correct the errors and restart the channel.
Our partner sent us Intermediate and Root certificate which I added to our qmgr keystore. Just for clarity, I will add the commands:
runmqakm -cert -add -db key.kdb -stashed -file root_cert.txt -label "GlobalSign Root CA - R3"
runmqakm -cert -add -db key.kdb -stashed -file Intermediate_cert.txt -label "GlobalSign nv-sa"
Am I doing something wrong? Like I said, I just started with IBM MQ from zero and don't have any experience with it. I have been going over the docs continuously to learn and get up to speed.
The other thing is that I set up a "playground" on my localhost (one server for sending messages and two others for receiving). When I generate self-signed certificates, extract them and add them to the valid keystore, I get the same errors. When I disable SSL for the channels, messages come through.
Will post the certificate process once again:
On SDR node:
runmqckm -cert -create -db key.kdb -stashed -label ibmwebspheremqtest -dn "CN=MANO, O=ABC, C=US" -size 2048 -x509version 3 -expire 365
runmqckm -cert -extract -db key.kdb -stashed -label ibmwebspheremqtest -target test.arm -format ascii
On RCVR node:
runmqckm -cert -add -db key.kdb -stashed -label ibmwebspheremqtest -file test.arm -format ascii
Can anyone tell, am I doing something wrong?
Thanks
------------------------------
Kristjan Voolaid
------------------------------
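Since AMQ9638E only says to look at "the preceding messages", this added script (not from the thread or from IBM) pulls those records out of an AMQERR01.LOG-style error log: it splits the log on the `----- file.c : n ----` trailer lines, records the Process(pid.tid) of each entry, and prints the message lines of the entries the same process wrote before the AMQ9638E for the named channel, so the real cause is not drowned out by records from other channels. The embedded sample log is constructed to resemble that layout; the channel name, host, process numbers and the abridged AMQ9637E/AMQ9209E wording are invented for the sample, and the function name preceding_ssl_errors is mine.

```shell
#!/bin/sh
# Added example: surface the records that precede an AMQ9638E for one channel
# in an MQ error log. The sample log is constructed, not a real AMQERR01.LOG.
set -u

# Print the message lines of records written by the same process before the
# AMQ9638E record for the given channel, in log order.
preceding_ssl_errors() { # logfile channel
  awk -v chan="$2" '
    function flush() {                 # store the finished record
      if (n_lines > 0) { nrec++; proc[nrec] = p; msg[nrec] = m }
      n_lines = 0; p = ""; m = ""
    }
    /^-----/ { flush(); next }         # "----- amqxxxx.c : nnn ----" trailer line
    {
      n_lines++
      if (match($0, /Process\([0-9]+\.[0-9]+\)/)) p = substr($0, RSTART, RLENGTH)
      if (m == "" && $0 ~ /^AMQ[0-9][0-9][0-9][0-9][A-Z]:/) m = $0
    }
    END {
      flush()
      for (i = nrec; i >= 1; i--)        # most recent AMQ9638E naming this channel
        if (msg[i] ~ /^AMQ9638E/ && index(msg[i], "\047" chan "\047")) break
      if (i < 1) { print "no AMQ9638E for channel " chan; exit 1 }
      for (j = 1; j < i; j++)
        if (proc[j] == proc[i] && msg[j] != "") print msg[j]
    }' "$1"
}

# Constructed sample in the AMQERR01.LOG record layout (values are invented).
sample_log() {
  cat <<'EOF'
04/10/2024 03:35:58 PM - Process(12345.9) User(mqm) Program(amqrmppa)
                    Host(mqhost1) Installation(Installation1)
                    VRMF(9.3.0.0) QMgr(QM1)

AMQ9209E: Connection to host 'client1' for channel 'APP.SVRCONN' closed.

EXPLANATION:
(sample text) An error occurred receiving data from the remote end.
----- amqccita.c : 1 -------------------------------------------------------
04/10/2024 03:36:01 PM - Process(12345.6) User(mqm) Program(amqrmppa)
                    Host(mqhost1) Installation(Installation1)
                    VRMF(9.3.0.0) QMgr(QM1)

AMQ9637E: Channel is lacking a certificate.

EXPLANATION:
(sample text) The channel is lacking a certificate to use for the TLS handshake.
----- amqccisa.c : 2 -------------------------------------------------------
04/10/2024 03:36:01 PM - Process(12345.6) User(mqm) Program(amqrmppa)
                    Host(mqhost1) Installation(Installation1)
                    VRMF(9.3.0.0) QMgr(QM1)

AMQ9638E: SSL communications error for channel 'QM2.TO.QM1'.

EXPLANATION:
An unexpected SSL communications error occurred for a channel, as reported in
the preceding messages.
----- amqccisa.c : 3 -------------------------------------------------------
EOF
}

# Demo on the constructed sample; on a real system point it at the log, e.g.
#   preceding_ssl_errors /var/mqm/qmgrs/QM1/errors/AMQERR01.LOG QM2.TO.QM1
tmp=$(mktemp)
sample_log >"$tmp"
preceding_ssl_errors "$tmp" QM2.TO.QM1
rm -f "$tmp"
```

Run it on the receiver's log for a channel a partner fails to ping, and on the sender's (or client's) log when the receiver side looks clean; the record it returns is the one whose text names the actual problem, which AMQ9638E itself never does.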