prashant

Reputation: 2167

IBM WebSphere MQ client connecting remote queue using SSL

I am trying to connect to the remote queues using a secured SSL connection. I have all the details provided by the third party regarding the SSL connection and the Queue Manager details. I have the V8 version of the MQ client installed on my Windows machine.

The SSL folder that the third party has shared contains jks, kdb, rdb and sth files.

I am using the code below to initialize the properties in a .NET console application:

    using System;
    using System.Collections;
    using IBM.WMQ;

    class Program
    {
        // Connection details supplied by the third party (placeholder values here).
        const string HostName = "remote queue manager host";
        const string Channel = "SVRCONN channel name";

        // Path and file name of the key repository WITHOUT the .kdb extension;
        // key.kdb and key.sth must both exist under this stem.
        const string SslKeyRepository = @"ssl folder location with key name included";
        // Must match the SSLCIPH attribute of the server's SVRCONN channel exactly.
        const string CipherSpec = "TLS_RSA_WITH_3DES_EDE_CBC_SHA";
        // JMS-style CipherSuite name; the .NET client uses SSL_CIPHER_SPEC_PROPERTY, so this is unused.
        const string CipherSuite = "SSL_RSA_WITH_3DES_EDE_CBC_SHA";
        const string SslPeerName = "Peername";
        const string ConnectionType = MQC.TRANSPORT_MQSERIES_CLIENT;

        static Hashtable init(String connectionType)
        {
            // Transport, port and TLS settings common to every connection type
            Hashtable connectionProperties = new Hashtable
            {
                {MQC.TRANSPORT_PROPERTY, connectionType},
                {MQC.PORT_PROPERTY, 1496},
                {MQC.SSL_CERT_STORE_PROPERTY, SslKeyRepository},
                {MQC.SSL_CIPHER_SPEC_PROPERTY, CipherSpec},
                // SSLPEER filter on the queue manager certificate's distinguished name
                {MQC.SSL_PEER_NAME_PROPERTY, $"CN=\"{SslPeerName}\""}
            };

            // Set up the rest of the connection properties, based on the
            // connection type requested
            switch (connectionType)
            {
                case MQC.TRANSPORT_MQSERIES_BINDINGS:
                    // Local bindings: no host or channel needed
                    break;
                case MQC.TRANSPORT_MQSERIES_CLIENT:
                case MQC.TRANSPORT_MQSERIES_XACLIENT:
                case MQC.TRANSPORT_MQSERIES_MANAGED:
                    // Note: the managed transport reads certificates from the Windows
                    // certificate store ("*USER" / "*SYSTEM"), not from a GSKit KDB.
                    connectionProperties.Add(MQC.HOST_NAME_PROPERTY, HostName);
                    connectionProperties.Add(MQC.CHANNEL_PROPERTY, Channel);
                    break;
            }

            return connectionProperties;
        }
    }

I have tried a few things but I end up getting the exception "MQRC_SSL_INITIALIZATION_ERROR".

I would appreciate it if you could help me with this.

Upvotes: 2

Views: 1678

Answers (1)

T.Rob

Reputation: 31832

There are many reasons for MQRC_SSL_INITIALIZATION_ERROR. Some of them are mechanical issues such as whether the keystore files can be accessed. Some are procedural such as whether the handshake fails. The best way to diagnose is methodically checking the configuration and then performing differential testing.

For the first part of this, perform the following checks. If you have already done so, don't cut corners. Do it again.

  • Verify that the certificates are accessible by issuing runmqakm -cert -list against the KDB to verify that it is structurally intact and the stash file is present with the proper password.
  • Verify that the kdb file is not in a world-readable directory and that the files are not marked world-readable.
  • Verify that the service account that runs the app is the owner of the KDB files and containing folder and has write access. (Not sure why but GSKit insists that the KDB must be writeable at run time.)
  • Issue runmqakm -cert -details to verify that the certificate(s) corresponding to the queue manager is/are present, and to check the details. If the QMgr uses a self-signed cert there will be only one. If the QMgr uses a CA-signed cert there should be an intermediate and a root signer.
  • Find out from the 3rd party whether they have specified SSLCAUTH(OPTIONAL) or SSLCAUTH(REQUIRED). If OPTIONAL then the KDB should have no personal certs, only signers. If REQUIRED then the KDB must have a personal cert and the label must be ibmwebspheremq[serviceaccount] in lower case.

For the differential testing, try some of the following tests:

  • Test the app by connecting to a local QMgr using TLS (Note: MQ hasn't used SSL for years. It's TLS now. The old field names still retain SSL labels, though.) until you know that it is correctly configured. Go grab a copy of MQ Advanced for Developers and you can do integration testing on the desktop with your own QMgr, fully licensed for free.
  • Test using one of the sample programs. Use amqsputc or amqsgetc, depending on whether the real app is supposed to have PUT or GET on the queue. These use the same KDB, same certs, etc., the main difference being they are known-good code.
  • Ask your business partner to let you test without SSL to make sure the "mechanical" parts of the configuration are correct. This includes things like the firewall routing, host, port and channel name, QMgr name, etc. If you can't connect with plaintext channels, you definitely won't succeed with TLS channels.
  • Once that works, test with SSL enabled and SSLCAUTH(OPTIONAL) set at the QMgr. This demonstrates that the client can validate the QMgr's cert.
  • Once that works, and if the objective is to use mutual authentication, test with SSLCAUTH(REQUIRED) set at the QMgr and a personal cert in the local KDB. This demonstrates that the QMgr can validate the client's cert.
  • Then, and only then, turn on SSLPEER locally to filter on the QMgr cert's DN.

If these don't help, please update the question with detailed results of your testing. The most common issues include cert labels and KDB permissions. If the business partner gave you the JKS and KDB, these should generally not come with a personal cert, only trusted certs.

Upvotes: 1
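The "mechanical" part of the checklist in the answer above can be scripted. The following pre-flight checker is an added example written for this page; it is not part of the answer, not IBM's tooling and not the asker's application. It verifies that the .kdb/.sth pair exists under the stem MQ expects (the repository path without the .kdb extension), that the files and their folder are not world-accessible, that the running account can write the KDB, and, when the channel is SSLCAUTH(REQUIRED), that a personal certificate labelled ibmwebspheremq<account> in lower case is present. runmqakm is only invoked if it is on PATH, so the script also runs offline on a machine without MQ installed; the `run_demo` scenarios use constructed empty placeholder files, not real key databases.

```python
# Added pre-flight checker for an MQ client key repository (example code written
# for this page, not IBM's tooling and not the asker's application).
import os
import shutil
import stat
import subprocess
import tempfile
from pathlib import Path

REPO_EXTENSIONS = (".kdb", ".sth", ".rdb", ".crl")  # GSKit companion files
WORLD_BITS = stat.S_IROTH | stat.S_IWOTH | stat.S_IXOTH


def repository_stem(path: str) -> Path:
    """MQ's key repository setting (MQSSLKEYR / SSL_CERT_STORE_PROPERTY) is the
    path *without* the .kdb extension: /opt/mqm/ssl/key refers to key.kdb and
    key.sth. Passing '.../key.kdb' is a frequent cause of an init error, so a
    trailing repository extension is stripped here."""
    p = Path(path)
    return p.with_suffix("") if p.suffix.lower() in REPO_EXTENSIONS else p


def expected_client_label(service_account: str) -> str:
    """Personal certificate label the V7/V8 client looks for when the channel
    is SSLCAUTH(REQUIRED): 'ibmwebspheremq' + logon user id, all lower case."""
    return "ibmwebspheremq" + service_account.lower()


def list_labels(kdb: Path):
    """Run 'runmqakm -cert -list -db <kdb> -stashed' if runmqakm is installed;
    returns the output lines with the legend markers stripped, or None when
    the tool is unavailable."""
    tool = shutil.which("runmqakm")
    if tool is None:
        return None
    out = subprocess.run([tool, "-cert", "-list", "-db", str(kdb), "-stashed"],
                         capture_output=True, text=True, check=False)
    if out.returncode != 0:
        return []  # a failed list usually means a corrupt KDB or a missing/wrong stash
    return [line.strip().lstrip("!*-#").strip() for line in out.stdout.splitlines() if line.strip()]


def check_repository(path: str, service_account: str, mutual_auth: bool) -> list:
    """Return a list of findings; an empty list means the mechanical checks passed."""
    findings = []
    stem = repository_stem(path)
    kdb, sth = stem.with_suffix(".kdb"), stem.with_suffix(".sth")

    for f in (kdb, sth):
        if not f.is_file():
            findings.append(f"missing {f.name}: repository stem must be '{stem}'")
    if findings:
        return findings  # nothing more to inspect without the files

    if os.name != "nt":  # POSIX mode bits; on Windows inspect the ACLs instead
        for f in (kdb, sth, stem.parent):
            if os.stat(f).st_mode & WORLD_BITS:
                findings.append(f"{f} is world-accessible; restrict it to the service account")
    if not os.access(kdb, os.W_OK):
        findings.append(f"{kdb.name} is not writable by the current user (GSKit needs write access)")

    if mutual_auth:
        label = expected_client_label(service_account)
        labels = list_labels(kdb)
        if labels is not None and label not in labels:
            findings.append(f"no personal certificate labelled '{label}' in {kdb.name}")
    return findings


def run_demo() -> dict:
    """Constructed scenarios on empty placeholder files (not real key databases)
    so the checks can be exercised without a KDB. Returns findings per scenario."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:  # created with mode 0700
        stem = Path(tmp) / "key"
        for ext in (".kdb", ".sth"):
            stem.with_suffix(ext).touch()
            os.chmod(stem.with_suffix(ext), 0o600)
        # Path given with the .kdb extension on purpose: the stem logic must cope
        results["complete"] = check_repository(str(stem) + ".kdb", "MQUser", mutual_auth=False)
        os.chmod(stem.with_suffix(".kdb"), 0o644)             # world-readable KDB
        results["world_readable"] = check_repository(str(stem), "MQUser", mutual_auth=False)
        stem.with_suffix(".sth").unlink()                       # stash file missing
        results["missing_stash"] = check_repository(str(stem), "MQUser", mutual_auth=False)
    return results


if __name__ == "__main__":
    for name, findings in run_demo().items():
        print(name, "->", findings or "ok")
```

Point `check_repository` at the value you pass to `SSL_CERT_STORE_PROPERTY`, the logon account the console app runs under, and `mutual_auth=True` only if the partner confirmed SSLCAUTH(REQUIRED); an empty result means the remaining suspects are the handshake itself (CipherSpec mismatch, signer chain, SSLPEER), which the differential tests in the answer isolate one at a time.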
