Reputation: 7412
IBM MQ: Establishing an SSL connection
We're struggling to get IBM MQ to work across SSL.
We've been provided with the certificate chain for the remote host and installed into the Windows Certificate Store (Local Machine). These all look valid.
We're using the following connection properties:
connectionProperties.Add(MQC.SSL_PEER_NAME_PROPERTY, "other-server.com");
connectionProperties.Add(MQC.SSL_CIPHER_SUITE_PROPERTY, "TLS_RSA_WITH_AES_256_CBC_SHA256"); connectionProperties.Add(MQC.SSL_CIPHER_SPEC_PROPERTY, "TLS_RSA_WITH_AES_256_CBC_SHA256");
connectionProperties.Add(MQC.SSL_CERT_STORE_PROPERTY, "*SYSTEM");
connectionProperties.Add("CertificateLabel", "ibmwebspheremqmywindowsusernamewithoutdomain");
MQEnvironment.SSLCertRevocationCheck = true;
We've established that the "CertificateLabel" is the "Friendly name" in Windows parlance.
We've proven unencrypted communication and network-level configuration.
We're using 8.0.0.7 client.
These are the issues we've come across:
- All secure communications fail with a 2538 error. (MQRC_HOST_NOT_AVAILABLE, https://www.ibm.com/support/knowledgecenter/en/SSFKSJ_7.5.0/com.ibm.mq.tro.doc/q045380_.htm)
- No success setting the Friendly Name to
ibmwebspheremqandibmwebspheremqmywindowsusername@domainandibmwebspheremqmywindowsusernamewithoutdomain
General questions:
- Are we correct in assuming that we can install generated certificates exclusively in the Windows Certificate Store?
- Is the 2538 error even related to SSL communications? It feels like a network error, though there is that final point in the referenced error documentation.
- Is there anywhere we can look for more informative error information? eg. relating to the SSL trust chain to see if there is an issue there?
Upvotes: 2
Views: 1562
Answers (1)
Reputation: 7412
The issue was the following line:
connectionProperties.Add(MQC.SSL_PEER_NAME_PROPERTY, "otherserver.com");
Turns out that:
- It needs it in a canonical format, so
DN=, etc. - You don't even need that line
Though we did learn a few things along the way:
The line:
connectionProperties.Add("CertificateLabel", "ibmwebspheremqmyusername");Is the string
ibmwebspheremqplus your Windows username (without your domain) and the label should be set on the Friendly name of your client machine's outgoing certificate NOT including the username.The various folders inside your Windows certificate store are significant. The intermediate CAs should be correctly filed.
Upvotes: 2
Related Questions
- How to establish SSL communication be IBM MQ & the MQ java client?
- Implement SSL in IBM MQ in Node js
- Could not Connect to IBMMQ 7.5 using SSL
- Configuring SSL channel connectivity on MQ client machine
- Connecting to IBM MQ over SSL via .net client
- Configure SSL for IBM MQ v7.5
- .NET client connecting to IBM MQ over SSL
- MQ connecting with SSL in C#
- SSL connection to IBM MQ through ssl channel from java client
- SSL connect to MQ using .net mq client SSLV3?