jackstow

Reputation: 11

IBMMQDotnetClient connecting with TLS 1.2 + kdb certificate

I'm trying to connect to IBM MQ using the .NET library "IBMMQDotnetClient" version 9.2.3. This connection has to use TLS 1.2.

        properties.Add(MQC.TRANSPORT_PROPERTY, MQC.TRANSPORT_MQSERIES_MANAGED);
        properties.Add(MQC.HOST_NAME_PROPERTY, _hostname);
        properties.Add(MQC.PORT_PROPERTY, port);
        properties.Add(MQC.CHANNEL_PROPERTY, channel);
        properties.Add(MQC.SSL_CERT_STORE_PROPERTY, @"C:\Root\ssl\keystore");
        properties.Add(MQC.SSL_CIPHER_SPEC_PROPERTY, "TLS_RSA_WITH_AES_128_CBC_SHA256");
        properties.Add(MQC.CERT_LABEL_PROPERTY, certLabel);

When I call:

        _mqQueueManager = new MQQueueManager(queueManager, properties);

I get the following MQException: Reason 2195 - Message "MQRC_UNEXPECTED_ERROR"

Does anyone know how to connect to IBM MQ from a C# .NET Core project using a .kdb/.sth certificate?

On the MQTRACEPATH log I see this:

000001CA 13:08:12.582896   29080.1    -----------}  MQTCPConnection.ConnectUsingLocalAddr(ParsedLocalAddr,IPAddress,int) rc=OK
000001CB 13:08:12.582914   29080.1     IP:*****
000001CC 13:08:12.583357   29080.1     Constructing IBM.WMQ.Nmqi.MQEncryptedSocket#0083A9E6 MQMBID sn=p923-L210708 su=_rwPC4d_rEeuJxYd83sYP-w pn=basedotnet/nmqi/NmqiObject.cs
000001CD 13:08:12.583376   29080.1     Constructing IBM.WMQ.Nmqi.MQEncryptedSocket#0083A9E6 MQMBID sn=p923-L210708 su=_rwPC4d_rEeuJxYd83sYP-w pn=basedotnet/nmqi/MQEncryptedSocket_s.cs
000001CE 13:08:12.583712   29080.1    -----------{  MQEncryptedSocket.RetrieveAndValidateSSLParams(MQConnectOptions)
000001CF 13:08:12.583850   29080.1     IBM.WMQ.Nmqi.MQEncryptedSocket#0083A9E6 throwing MQException: cc=2 rc=2381
000001D0 13:08:12.584052   29080.1     New MQException CompCode: 2 Reason: 2381
000001D1 13:08:12.586100   29080.1    -----------}! MQEncryptedSocket.RetrieveAndValidateSSLParams(MQConnectOptions) rc=(Unknown(2381))
000001D2 13:08:12.586901   29080.1     CompCode: 2, Reason: 2381
000001D3 13:08:12.586982   29080.1     New MQException CompCode: 2 Reason: 2538
000001D4 13:08:12.588392   29080.1    -----------{  ManagedCommonServices.GetMessage(string objectId,uint returncode,uint control,out string basicmessage,out string extendedmessage,out string replymessage,MQLONG basicLength,MQLONG extendedLength,MQLONG replyLength)
000001D5 13:08:12.588428   29080.1     Returncode: 0x20009202 Control: 0x00000006
000001D6 13:08:12.590143   29080.1    -----------}! ManagedCommonServices.GetMessage(string objectId,uint returncode,uint control,out string basicmessage,out string extendedmessage,out string replymessage,MQLONG basicLength,MQLONG extendedLength,MQLONG replyLength) rc=(Unknown(536895768))
000001D7 13:08:12.591130   29080.1    -----------{  ManagedCommonServices.DisplayMessage(string,string,uint,uint)
000001D8 13:08:12.634418   29080.1    ------------{  ManagedCommonServices.GetMessage(string objectId,uint returncode,uint control,out string basicmessage,out string extendedmessage,out string replymessage,MQLONG basicLength,MQLONG extendedLength,MQLONG replyLength)
000001D9 13:08:12.634472   29080.1     Returncode: 0x20009202 Control: 0x00000013
000001DA 13:08:12.634686   29080.1    ------------}! ManagedCommonServices.GetMessage(string objectId,uint returncode,uint control,out string basicmessage,out string extendedmessage,out string replymessage,MQLONG basicLength,MQLONG extendedLength,MQLONG replyLength) rc=(Unknown(536895768))
000001DB 13:08:12.634805   29080.1    -----------}! ManagedCommonServices.DisplayMessage(string,string,uint,uint) rc=(Unknown(536895768))
000001DC 13:08:12.634880   29080.1    ----------}  MQTCPConnection.ConnectSocket(string,string,MQLONG) rc=OK
000001DD 13:08:12.634996   29080.1     CompCode: 2, Reason: 2538
000001DE 13:08:12.635362   29080.1     New MQException CompCode: 2 Reason: 2538
000001DF 13:08:12.635379   29080.1     New NmqiException CompCode: 2 Reason: 2538
000001E0 13:08:12.635498   29080.1    ----------{  MQFAPConnection.CleanUp(Boolean,NmqiException) inputs  [False] [CompCode: 2, Reason: 2538]
000001E1 13:08:12.635514   29080.1    ----------}  MQFAPConnection.CleanUp(Boolean,NmqiException) rc=OK
000001E2 13:08:12.635594   29080.1    ---------}  MQFAPConnection.Connect(MQConnectionSecurityParameters) rc=OK
000001E3 13:08:12.635614   29080.1     CompCode: 2, Reason: 2538
000001E4 13:08:12.635738   29080.1    --------}  MQConnectionSpecification.CreateAndConnectConnection(MQConnectionSecurityParameters,MQFAP,String,MQConnectOptions,int) rc=OK
000001E5 13:08:12.635761   29080.1    -------}  MQConnectionSpecification.GetSessionFromNewConnection(MQConnectionSecurityParameters,MQFAP,String,MQConnectOptions,int) rc=OK
000001E6 13:08:12.635768   29080.1     Exit AssingSession from new connection:
000001E7 13:08:12.635775   29080.1    ------}  MQConnectionSpecification.GetSession(MQConnectionSecurityParameters,MQFAP,String,MQConnectOptions,int) rc=OK
000001E8 13:08:12.635782   29080.1    -----}  MQFAPConnectionPool.GetSession(MQConnectOptions,MQConnectionSecurityParameters,MQChannelDefinition,String,int,String,String,int,int) rc=OK
000001E9 13:08:12.635791   29080.1     CompCode: 2, Reason: 2538
000001EA 13:08:12.635847   29080.1     New MQException CompCode: 2 Reason: 2538
000001EB 13:08:12.635857   29080.1     New NmqiException CompCode: 2 Reason: 2538
000001EC 13:08:12.635906   29080.1     CompCode: 2, Reason: 2538
000001ED 13:08:12.635973   29080.1    ----}  MQFAP.NmqiConnect(String,NmqiConnectOptions,MQConnectOptions,Hconn,Phconn,out int,out int,ManagedHconn) rc=OK
000001EE 13:08:12.636003   29080.1     CompCode: 2, Reason: 2538
000001EF 13:08:12.636016   29080.1    ---}  MQFAP.MQCONNX(String,MQConnectOptions,Phconn,out int,out int) rc=OK
000001F0 13:08:12.636026   29080.1     IBM.WMQ.MQQueueManager#03551B1B throwing MQException: cc=2 rc=2538
000001F1 13:08:12.636033   29080.1     New MQException CompCode: 2 Reason: 2538
000001F2 13:08:12.654150   29080.1    --}! MQQueueManager.Connect() rc=(Unknown(2538))

Upvotes: 1

Views: 1049

Answers (1)

JoshMc

Reputation: 10662

Managed mode, which is the only mode supported in Core, uses the Windows user or system keystore. You need to specify *USER or *SYSTEM as your MQC.SSL_CERT_STORE_PROPERTY. You will need to import your cert to the corresponding Windows key store.

Note that in managed mode the cipher you specify is only used to determine the TLS version to use; the actual negotiated cipher may not be what you specify. In your example it will negotiate to a TLS 1.2 cipher. If the SVRCONN SSLCIPH does not match what is negotiated, the connection will fail. If the queue manager is also at 9.2, you can specify ANY_TLS12 or ANY_TLS12_OR_HIGHER in the SVRCONN SSLCIPH to allow it to accept any available TLS 1.2 cipher negotiated.

Upvotes: 3
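The change the answer describes, as an added example (not code from either poster): the question's properties with the keystore path replaced by `*USER`, preceded by a pre-flight check of the Windows `CurrentUser\My` store. The class and method names are hypothetical, and matching the certificate by friendly name equal to the label is an assumption about how the managed client selects it.

```csharp
using System;
using System.Collections;
using System.Linq;
using System.Security.Cryptography.X509Certificates;
using IBM.WMQ;

static class MqTlsConnect
{
    // Pre-flight: look for a usable client certificate in the Windows store
    // that "*USER" (CurrentUser) or "*SYSTEM" (LocalMachine) refers to.
    // Assumption: the managed client picks the certificate by friendly name.
    static X509Certificate2 FindClientCert(StoreLocation location, string certLabel)
    {
        using var store = new X509Store(StoreName.My, location);
        store.Open(OpenFlags.ReadOnly);
        return store.Certificates.Cast<X509Certificate2>().FirstOrDefault(c =>
            string.Equals(c.FriendlyName, certLabel, StringComparison.OrdinalIgnoreCase)
            && c.HasPrivateKey                     // needed for client authentication
            && DateTime.Now >= c.NotBefore
            && DateTime.Now < c.NotAfter);         // reject expired certificates
    }

    public static MQQueueManager Connect(string queueManager, string hostname, int port,
                                         string channel, string certLabel)
    {
        // Fail with a readable message instead of a generic MQ reason code.
        if (FindClientCert(StoreLocation.CurrentUser, certLabel) == null)
            throw new InvalidOperationException(
                $"No valid certificate with a private key and friendly name '{certLabel}' in CurrentUser\\My");

        var properties = new Hashtable
        {
            { MQC.TRANSPORT_PROPERTY, MQC.TRANSPORT_MQSERIES_MANAGED },
            { MQC.HOST_NAME_PROPERTY, hostname },
            { MQC.PORT_PROPERTY, port },
            { MQC.CHANNEL_PROPERTY, channel },
            // Windows store selector instead of a path to a .kdb/.sth repository.
            { MQC.SSL_CERT_STORE_PROPERTY, "*USER" },
            // In managed mode this only selects the TLS version; the SVRCONN
            // SSLCIPH must accept whatever cipher is actually negotiated.
            { MQC.SSL_CIPHER_SPEC_PROPERTY, "TLS_RSA_WITH_AES_128_CBC_SHA256" },
            { MQC.CERT_LABEL_PROPERTY, certLabel }
        };
        return new MQQueueManager(queueManager, properties);
    }
}
```

For a service account or machine-wide certificate, use `StoreLocation.LocalMachine` in the check together with `*SYSTEM` in the property.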
