MQSeries.net Forum Index » General IBM MQ Support » rfhutil - connect using a channel with SSLPEERMAP

rfhutil - connect using a channel with SSLPEERMAP

lfrestrepog (Novice, joined 08 Jul 2014, 22 posts)
Posted: Fri Jun 18, 2021 5:42 am    Post subject: rfhutil - connect using a channel with SSLPEERMAP

Hello, good day.

We have a few queue managers with server-connection channels (SVRCONN) set up to require SSL authentication and using SSLPEERMAP authentication records. I'm trying to connect with rfhutil, so I filled in the connection parameters according to the manual:

- Certificate Store Location: Path to my CMS keystore (just the stem)
- SSL: Check
- SSL Cipher Algorithm: TLS_RSA_WITH_AES_128_CBC_SHA256 (it matches my channel definition)

I did try a few other settings after the first failure to connect; anyway, the error message is consistently:
Quote:
18.03.51 2393 SSL unable to initialize - check SSL parms


On the queue manager error log we get the following:

Code:

06/03/21 12:07:15 - Process(32571694.3779) User(mqm) Program(amqrmppa)
                    Host(devhost) Installation(Installation3)
                    VRMF(9.2.0.0) QMgr(DEVQMGR)
                    Time(2021-06-03T17:07:15.941Z)
                    RemoteHost(10.18.140.175)
                    ArithInsert1(406)
                    CommentInsert1(????)
                    CommentInsert2(gsk_secure_soc_read)

AMQ9638E: SSL communications error for channel '????'.

EXPLANATION:
An unexpected SSL communications error occurred for a channel, as reported in
the preceding messages. The channel is '????'; in some cases its name cannot be
determined and so is shown as '????'. The channel did not start.
ACTION:
Investigate the problem reported in the preceding messages. Review the local
and remote console logs for reports of network errors. Correct the errors and
restart the channel.
----- amqccisa.c : 10873 ------------------------------------------------------
06/03/21 12:07:15 - Process(32571694.3779) User(mqm) Program(amqrmppa)
                    Host(devhost) Installation(Installation3)
                    VRMF(9.2.0.0) QMgr(DEVQMGR)
                    Time(2021-06-03T17:07:15.941Z)
                    CommentInsert1(????)
                    CommentInsert2(32571694)
                    CommentInsert3(10.18.140.175)

AMQ9999E: Channel '????' to host '10.18.140.175' ended abnormally.

EXPLANATION:
The channel program running under process ID 32571694 for channel '????' ended
abnormally. The host name is '10.18.140.175'; in some cases the host name
cannot be determined and so is shown as '????'.
ACTION:
Look at previous error messages for the channel program in the error logs to
determine the cause of the failure. Note that this message can be excluded
completely or suppressed by tuning the "ExcludeMessage" or "SuppressMessage"
attributes under the "QMErrorLog" stanza in qm.ini. Further information can be
found in the System Administration Guide.


I also use MQ Explorer with the same certificates and it works, so I believe the configuration on the queue manager is fine. I also believe my keystore is fine, because I can list the certificates using gsk8capicmd_64 (with -stashed option).

We have IBM MQ v9.2 on AIX (if that's relevant at all).

Any hints of what else to check or try would be very appreciated.

Thanks.
_________________
--
Luis Fernando Restrepo Gutiérrez
exerk (Jedi Council, joined 02 Nov 2006, 6339 posts)
Posted: Fri Jun 18, 2021 5:53 am

rfhutil, or rfhutilc?
_________________
It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys.
lfrestrepog (Novice, joined 08 Jul 2014, 22 posts)
Posted: Fri Jun 18, 2021 6:01 am

Right, I meant rfhutilc.

(although I did try rfhutil out of desperation, with environment variable MQ_CONNECT_TYPE=CLIENT)
exerk (Jedi Council, joined 02 Nov 2006, 6339 posts)
Posted: Fri Jun 18, 2021 6:51 am

How are you specifying the connection details to rfhutilc?
markt (Knight, joined 14 May 2002, 502 posts)
Posted: Fri Jun 18, 2021 7:40 am

I'd expect something to be in the client-side error logs too.

And I'd not be surprised to find you've not got the CA certs associated with the qmgr's cert installed in the kdb.

Explorer working is useful to know that the qmgr is OK, but it uses a different keystore on the client side, so you can't verify anything about the kdb contents.
exerk (Jedi Council, joined 02 Nov 2006, 6339 posts)
Posted: Fri Jun 18, 2021 8:15 am

markt wrote:
I'd expect something to be in the client-side error logs too.

And I'd not be surprised to find you've not got the CA certs associated with the qmgr's cert installed in the kdb.

Explorer working is useful to know that the qmgr is ok, but it uses a different keystore on the client side. so you can't verify anything about the kdb contents.

Not one of my finest moments - forgetting that MQ Explorer uses a JKS key store and not a kdb.
lfrestrepog (Novice, joined 08 Jul 2014, 22 posts)
Posted: Fri Jun 18, 2021 9:14 am

About the CMS keystore, I imported all keys from my working JKS store following this guide: https://www.ibm.com/docs/en/ibm-mq/9.2?topic=wsalw-importing-personal-certificate-into-key-repository-aix-linux-windows

So I would expect all server certificates to be present in my CMS store (or have my connection fail with the JKS store too). Anyway, I did list the certificates in my store using:
Code:
gsk8capicmd_64 -cert -list all -db "d:\workspace\ssl mq\mq_qa.kdb" -stashed

and I see all the required certificates there (I didn't check any of their fingerprints or details, though).

There are certificate related errors in the client logs:

Code:

18/06/2021 11:53:28 - Process(5276.1) User(lfrgutie) Program(rfhutilc.exe)
                      Host(dev) Installation(Installation1)
                      VRMF(9.2.0.2)
                      Time(2021-06-18T16:53:28.396Z)
                      CommentInsert1(Windows 10 Enterprise x64 Edition, Build 9200 (MQ Windows (x64 platform) 32-bit))
                      CommentInsert2(C:\Program Files\IBM\MQ (Installation1))
                      CommentInsert3(9.2.0.2 (p920-002-210312))
                     
AMQ6287I: IBM MQ V9.2.0.2 (p920-002-210312).

EXPLANATION:
IBM MQ system information:
Host Info          :- Windows 10 Enterprise x64 Edition, Build 9200 (MQ Windows
(x64 platform) 32-bit)
Installation       :- C:\Program Files\IBM\MQ (Installation1)
Version            :- 9.2.0.2 (p920-002-210312)
ACTION:
None.
----- amqxeida.c : 6604 -------------------------------------------------------
18/06/2021 11:53:28 - Process(5276.1) User(lfrgutie) Program(rfhutilc.exe)
                      Host(dev) Installation(Installation1)
                      VRMF(9.2.0.2)
                      Time(2021-06-18T16:53:28.388Z)
                      CommentInsert1([Class=]GSKVALMethod::X509[Issuer=]CN=CORPROOTCABC[#=]4c0000000259cd3d3487110e56000000000002[Subject=]CN=CORPISSUINGCABC,DC=AMBIENTESBC,DC=LAB[Class=]GSKVALMethod::X509[Issuer=]CN=CORPISSUINGCABC,DC=AMBIENTESBC,DC=LAB[#=]1b00021e86f04)
                      CommentInsert2(gsk_attribute_get_buffer - GSK_UNKNOWNREVOCATIONSTATUS_SUBJECT)
                      CommentInsert3(ADMINS.SVRCONN)
                     
AMQ9716E: Remote SSL certificate revocation status check failed for channel
'ADMINS.SVRCONN'.

EXPLANATION:
IBM MQ failed to determine the revocation status of the remote SSL certificate
for one of the following reasons:
(a) The channel was unable to contact any of the CRL servers or OCSP responders
  for the certificate.
(b) None of the OCSP responders contacted knows the revocation status of the
  certificate.
(c) An OCSP response was received, but the digital signature of the response
  could not be verified.

The details of the certificate in question are
'[Class=]GSKVALMethod::X509[Issuer=]CN=CORPROOTCABC[#=]4c0000000259cd3d3487110e56000000000002[Subject=]CN=CORPISSUINGCABC,DC=AMBIENTESBC,DC=LAB[Class=]GSKVALMethod::X509[Issuer=]CN=CORPISSUINGCABC,DC=AMBIENTESBC,DC=LAB[#=]1b00021e86f04'.


The channel name is 'ADMINS.SVRCONN'. In some cases, the channel name cannot be
determined and so is shown as '????'. The channel did not start.

IBM MQ does not allow the channel to start unless the revocation status of the
certificate can be determined.
ACTION:
If the certificate contains an AuthorityInfoAccess extension, ensure that the
OCSP server named in the certificate extension is available and correctly
configured.

If the certificate contains a CrlDistributionPoint extension, ensure that the
CRL server named in the certificate extension is available and correctly
configured.

If you have specified CRL or OCSP servers in IBM MQ, check that those servers
are available and correctly configured.

Ensure that the local key repository has the SSL certificates required to
verify the digital signature of the response from the OCSP server.
----- amqccisa.c : 9109 -------------------------------------------------------


I also tried to disable OCSP/CRL checking, adding the following to my mqclient.ini

Code:

SSL:
   AllowTLSV13=TRUE
   OCSPAuthentication=OPTIONAL
   OCSPCheckExtensions=NO
   CDPCheckExtensions=NO


But the connection still fails with the same error messages.

Any ideas or hints are much appreciated.

Thanks.
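The queue manager log in the first post and the client log above share the same AMQERR record layout, and the useful diagnostics sit in the inserts rather than in the message text: the queue manager side reports AMQ9638E with the GSKit call that failed (gsk_secure_soc_read, return code 406), the client side reports AMQ9716E with the certificate chain whose revocation status could not be determined. What follows is an added example, not code from this thread or from IBM, that parses records in that layout into dictionaries, splits the GSKit `[Class=]...[Issuer=]...[#=]...[Subject=]` insert into per-certificate fields, and summarises the TLS-related records. The sample log is constructed from the two posts (translated and shortened); the function names are mine.

```python
"""Parse IBM MQ error-log records (AMQERR*.LOG layout) and triage TLS failures.

Added example, not code from the thread or from IBM. Record layout as seen in
the posts: header line with Key(value) pairs, blank line, 'AMQnnnnX:' message,
EXPLANATION/ACTION text, '----- file : line -----' terminator. SAMPLE_LOG is
constructed from the thread (translated and shortened); function names are mine.
"""
import re

HEADER_RE = re.compile(r"^(\d{2}/\d{2}/\d{2,4}) (\d{2}:\d{2}:\d{2}) - ", re.M)
MSG_RE = re.compile(r"^(AMQ\d{4}[IWES]):", re.M)
FOOTER_RE = re.compile(r"^-----\s+(\S+)\s+:\s+(\d+)\s+-+\s*$", re.M)
KEY_RE = re.compile(r"([A-Za-z][A-Za-z0-9]*)\(")
CHAIN_RE = re.compile(r"\[([^\]=]+)=\]")


def parse_fields(text):
    """Key(value) pairs from a record header. Values may contain nested parentheses
    (the client's CommentInsert1 holds '... (MQ Windows (x64 platform) 32-bit)'),
    so parentheses are balanced by hand instead of matched with [^)]*."""
    out, pos = {}, 0
    while (m := KEY_RE.search(text, pos)):
        depth, i = 1, m.end()
        while i < len(text) and depth:
            depth += {"(": 1, ")": -1}.get(text[i], 0)
            i += 1
        out[m.group(1)] = text[m.end():i - 1]
        pos = i
    return out


def parse_log(text):
    """One dict per record: date, time, msgid, text, source, plus every header field."""
    text = text.replace("\r\n", "\n")
    records, pos = [], 0
    for foot in FOOTER_RE.finditer(text):
        chunk, pos = text[pos:foot.start()], foot.end()
        head, msg = HEADER_RE.search(chunk), MSG_RE.search(chunk)
        if not (head and msg):
            continue
        body = chunk[msg.end():].split("\n\n", 1)[0]  # message text runs to the first blank line
        rec = {"date": head.group(1), "time": head.group(2), "msgid": msg.group(1),
               "text": " ".join(body.split()), "source": f"{foot.group(1)}:{foot.group(2)}"}
        rec.update(parse_fields(chunk[head.end():msg.start()]))
        records.append(rec)
    return records


def parse_gsk_chain(insert):
    """Split GSKit's '[Class=]...[Issuer=]...[#=]serial[Subject=]...' insert into one
    dict per certificate; each [Class=] token starts a new element. The insert can
    be truncated, so the last element may have no subject."""
    parts = CHAIN_RE.split(insert)
    chain = []
    for key, val in zip(parts[1::2], parts[2::2]):
        if key == "Class":
            chain.append({})
        if chain:
            chain[-1]["serial" if key == "#" else key.lower()] = val
    return chain


def triage_tls(records):
    """Pull the inserts that matter for a TLS handshake failure out of the records."""
    findings = []
    for r in records:
        if r["msgid"] == "AMQ9638E":     # queue manager side: which GSKit call failed
            findings.append({"msgid": r["msgid"], "remote_host": r.get("RemoteHost"),
                             "gsk_call": r.get("CommentInsert2"),
                             "gsk_rc": r.get("ArithInsert1")})  # 406 is GSK_ERROR_IO
        elif r["msgid"] == "AMQ9716E":   # client side: revocation status unknown
            findings.append({"msgid": r["msgid"], "channel": r.get("CommentInsert3"),
                             "gsk_call": r.get("CommentInsert2"),
                             "chain": parse_gsk_chain(r.get("CommentInsert1", ""))})
    return findings


SAMPLE_LOG = """\
06/03/21 12:07:15 - Process(32571694.3779) User(mqm) Program(amqrmppa)
                    Host(devhost) Installation(Installation3)
                    VRMF(9.2.0.0) QMgr(DEVQMGR)
                    RemoteHost(10.18.140.175)
                    ArithInsert1(406)
                    CommentInsert1(????)
                    CommentInsert2(gsk_secure_soc_read)

AMQ9638E: SSL communications error for channel '????'.

EXPLANATION:
An unexpected SSL communications error occurred for a channel.
----- amqccisa.c : 10873 ------------------------------------------------------
18/06/2021 11:53:28 - Process(5276.1) User(lfrgutie) Program(rfhutilc.exe)
                      Host(dev) Installation(Installation1) VRMF(9.2.0.2)
                      CommentInsert1([Class=]GSKVALMethod::X509[Issuer=]CN=CORPROOTCABC[#=]4c0000000259cd3d3487110e56000000000002[Subject=]CN=CORPISSUINGCABC,DC=AMBIENTESBC,DC=LAB[Class=]GSKVALMethod::X509[Issuer=]CN=CORPISSUINGCABC,DC=AMBIENTESBC,DC=LAB[#=]1b00021e86f04)
                      CommentInsert2(gsk_attribute_get_buffer - GSK_UNKNOWNREVOCATIONSTATUS_SUBJECT)
                      CommentInsert3(ADMINS.SVRCONN)

AMQ9716E: Remote SSL certificate revocation status check failed for channel
'ADMINS.SVRCONN'.
----- amqccisa.c : 9109 -------------------------------------------------------
"""

if __name__ == "__main__":
    for finding in triage_tls(parse_log(SAMPLE_LOG)):
        print(finding)
```

Run over real AMQERR01.LOG files from both ends, pairing the client's AMQ9716E with the queue manager's AMQ9638E/AMQ9999E for the same RemoteHost is what shows that it was the client, not the queue manager, that abandoned the handshake: the queue manager only sees its read fail.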
exerk (Jedi Council, joined 02 Nov 2006, 6339 posts)
Posted: Fri Jun 18, 2021 9:28 am

So you are setting the location of the key store using the MQSSLKEYR environment variable? Why not set it in the SSLKeyRepository stanza of mqclient.ini file?

I'm assuming you're using a CCDT, and if so, have you tried using amqsputc as a cut-down test of whether you can connect?
lfrestrepog (Novice, joined 08 Jul 2014, 22 posts)
Posted: Fri Jun 18, 2021 10:44 am

So, I just tried amqsputc as suggested by exerk and it did work fine. I'm using the following environment variables: MQCHLTAB, MQCHLLIB, MQ_CONNECT_TYPE, MQSSLKEYR and MQCERTLABL.

But I'm not sure how to set my connection up in rfhutil (or rfhutilc) to use a CCDT, is there any reference manual?

Anyway, that test with amqsputc shows that the CMS store is fine, and the problem is now narrowed down to my lack of expertise with rfhutil.

Thanks.
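The environment variables listed in this post (MQCHLTAB, MQCHLLIB, MQ_CONNECT_TYPE, MQSSLKEYR, MQCERTLABL) together with the SSL stanza of mqclient.ini from the earlier post are the whole client-side TLS configuration for a C client such as amqsputc or rfhutilc, so it is worth checking them mechanically before blaming the tool. The following is an added example, not code from this thread or from IBM: a pre-flight check that parses the SSL and CHANNELS stanzas, resolves the key repository, certificate label and CCDT from the environment first and the ini file second (the precedence I understand MQ to apply, stated here as an assumption), verifies that the .kdb and its .sth stash file exist, and flags the three settings from the stanza above (OCSPAuthentication=OPTIONAL, OCSPCheckExtensions=NO, CDPCheckExtensions=NO) as relaxations: they make the client tolerate an unknown revocation status, which silences AMQ9716E but also lets a revoked queue-manager certificate through. The temporary directory, file names and certificate label in demo() are constructed.

```python
"""Pre-flight check of an IBM MQ C-client TLS configuration (amqsputc, rfhutilc).

Added example, not code from the thread or from IBM. It resolves the key
repository, certificate label and CCDT from the environment variables the
poster lists, falling back to the SSL and CHANNELS stanzas of mqclient.ini
(assumed precedence: environment first), checks that the files exist, and
flags stanza settings that relax revocation checking. Paths and labels in
demo() are constructed.
"""
import os
import re
import tempfile

STANZA_RE = re.compile(r"^(\w+):\s*$")
KEYVAL_RE = re.compile(r"^\s*(\w+)\s*=\s*(.*?)\s*$")

# Settings that make the client tolerate an unknown or unchecked revocation
# status: they stop AMQ9716E, and also stop a revoked queue-manager
# certificate from being noticed.
RELAXED = {"OCSPAuthentication": "OPTIONAL",
           "OCSPCheckExtensions": "NO",
           "CDPCheckExtensions": "NO"}


def parse_mqclient_ini(text):
    """{stanza: {key: value}}; stanzas are 'Name:' lines, attributes are key=value
    lines beneath them; ';' and '#' lines are skipped as comments."""
    stanzas, cur = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip()[0] in ";#":
            continue
        if (m := STANZA_RE.match(line)):
            cur = stanzas.setdefault(m.group(1), {})
        elif (m := KEYVAL_RE.match(line)) and cur is not None:
            cur[m.group(1)] = m.group(2)
    return stanzas


def check_client(env, ini_text):
    """Return (severity, message) findings; an empty list means nothing obvious is wrong."""
    findings = []
    ini = parse_mqclient_ini(ini_text)
    ssl, chl = ini.get("SSL", {}), ini.get("CHANNELS", {})

    if env.get("MQ_CONNECT_TYPE", "").upper() != "CLIENT":
        findings.append(("warn", "MQ_CONNECT_TYPE is not CLIENT; a binary linked to the "
                                 "server library (rfhutil.exe) will not connect as a client"))
    stem = env.get("MQSSLKEYR") or ssl.get("SSLKeyRepository")   # stem, no extension
    if not stem:
        findings.append(("error", "no key repository (MQSSLKEYR or SSL.SSLKeyRepository)"))
    else:
        for ext in (".kdb", ".sth"):   # .sth holds the stashed password the C client opens the .kdb with
            if not os.path.isfile(stem + ext):
                findings.append(("error", f"key repository file missing: {stem}{ext}"))
    if not (env.get("MQCERTLABL") or ssl.get("CertificateLabel")):
        findings.append(("warn", "no certificate label set; the default ibmwebspheremq<user> label will be used"))
    ccdt_dir = env.get("MQCHLLIB") or chl.get("ChannelDefinitionDirectory")
    ccdt = env.get("MQCHLTAB") or chl.get("ChannelDefinitionFile", "AMQCLCHL.TAB")
    if ccdt_dir and not os.path.isfile(os.path.join(ccdt_dir, ccdt)):
        findings.append(("error", f"CCDT not found: {os.path.join(ccdt_dir, ccdt)}"))
    for key, value in RELAXED.items():
        if ssl.get(key, "").upper() == value:
            findings.append(("weak", f"SSL.{key}={value} relaxes certificate revocation checking"))
    return findings


def demo():
    """Constructed layout: a .kdb without its .sth, a CCDT, the stanza from the
    thread and a strict alternative. Returns the two finding lists."""
    with tempfile.TemporaryDirectory() as tmp:
        stem = os.path.join(tmp, "mq_qa")
        open(stem + ".kdb", "w").close()               # no .sth on purpose
        os.mkdir(os.path.join(tmp, "ccdt"))
        open(os.path.join(tmp, "ccdt", "AMQCLCHL.TAB"), "w").close()
        env = {"MQ_CONNECT_TYPE": "CLIENT", "MQSSLKEYR": stem, "MQCERTLABL": "ibmwebspheremqqa",
               "MQCHLLIB": os.path.join(tmp, "ccdt"), "MQCHLTAB": "AMQCLCHL.TAB"}
        relaxed = ("SSL:\n   AllowTLSV13=TRUE\n   OCSPAuthentication=OPTIONAL\n"
                   "   OCSPCheckExtensions=NO\n   CDPCheckExtensions=NO\n")
        strict = "SSL:\n   AllowTLSV13=TRUE\n   OCSPAuthentication=REQUIRED\n"
        return check_client(env, relaxed), check_client(env, strict)


if __name__ == "__main__":
    for severity, message in demo()[0]:
        print(severity, message)
```

Setting SSLKeyRepository and CertificateLabel in the SSL stanza, as exerk suggests, is what this check falls back to when the environment variables are absent; with both present the environment wins, so a stale MQSSLKEYR in a shell profile is a common reason the stanza appears to be ignored.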
lfrestrepog (Novice, joined 08 Jul 2014, 22 posts)
Posted: Fri Jun 18, 2021 11:23 am

It appears it's the current version of rfhutil that doesn't work well with a CCDT; there's an open issue about it: https://github.com/ibm-messaging/mq-rfhutil/issues/1

Thanks everyone for your advice.
RimRim (Newbie, joined 18 Jan 2023, 5 posts)
Posted: Wed Jan 18, 2023 3:56 am

Did you find it resolved? I am facing the exact same issue while trying to connect via rfhutilc.