ammx
Posted: Sun May 31, 2020 1:39 pm Post subject: self signed certificates not making connection
Acolyte
Joined: 08 Sep 2017 Posts: 50
Hi! I am trying to make an SSL connection between an MQ server and my machine's MQ (both version 9.0). For both of them I am using self-signed certificates this way:
my machine:
QMGRA (sender)
certificate (CN=localhost.....)
SSLCIPH(TLS_RSA_WITH_AES_256_CBC_SHA256)
remote server:
QMGRB (receiver)
certificate (CN=hostname.xxx.xx)
SSLCIPH(TLS_RSA_WITH_AES_256_CBC_SHA256)
SSLCAUTH(REQUIRED)
The path to the keystores is set correctly in each qmgr, and the qmgr CERTLABL name too.
Since this is a one-way message communication (from QMGRA to QMGRB) and the receiver requires a certificate from the other side to validate, I extracted the public key from the QMGRA keystore and placed it in the QMGRB keystore. After this I refreshed the SSL security of each qmgr, but I keep getting the following error message in the QMGRB logs:
AMQ9637: Channel is lacking a certificate.
EXPLANATION:
The channel is lacking a certificate to use for the SSL handshake. The channel
name is '????' (if '????' it is unknown at this stage in the SSL processing).
The remote host is '????'.
The certificates are in place; I don't know what I am missing.
Thanks in advance
bruce2359
Posted: Sun May 31, 2020 2:05 pm Post subject:
Poobah
Joined: 05 Jan 2008 Posts: 9442 Location: US: west coast, almost. Otherwise, enroute.
What documented instructions are you following? Are you using the ikeyman utility?
_________________
I like deadlines. I like to wave as they pass by.
ב''ה
Lex Orandi, Lex Credendi, Lex Vivendi. As we Worship, So we Believe, So we Live.
hughson
Posted: Sun May 31, 2020 3:11 pm Post subject: Re: self signed certificates not making connection
Padawan
Joined: 09 May 2013 Posts: 1948 Location: Bay of Plenty, New Zealand
ammx wrote:
    Since this is a one-way message communication(from QMGRA to QMGRB) ...
It may be one-way message communication, but if both queue managers have a certificate, then both queue managers will present a certificate to the other side and both queue managers will need to be able to validate the other's certificate.
If you want only one-way certificate presentation and validation, only have a certificate at QMGRB - as you rightly said, the RCVR channel must have a certificate. If you go that route you will need to set SSLCAUTH(OPTIONAL) on the RCVR channel too.
Alternatively, exchange both certificates.
Cheers,
Morag
_________________
Morag Hughson @MoragHughson
IBM MQ Technical Education Specialist
Get your IBM MQ training here!
MQGem Software
ammx
Posted: Tue Jun 02, 2020 10:50 am Post subject:
Acolyte
Joined: 08 Sep 2017 Posts: 50
Hi, thanks for your replies.
As you said, I emptied the qmgr on the sender side, QM_A, and only left the certificate on the receiver side, QM_V. I also changed the SSLCAUTH to OPTIONAL on the RCVR and refreshed, but none of this worked. I keep getting the error message in the QM_V logs:
AMQ9637: Channel is lacking a certificate.
EXPLANATION:
The channel is lacking a certificate to use for the SSL handshake. The channel
name is '????' (if '????' it is unknown at this stage in the SSL processing).
After I checked the logs I made one last attempt to fix this by removing the cipher from the SSLCIPH in the sender, but this only caused the error logs on the sender side to change to:
AMQ9641: Remote CipherSpec error for channel 'QM_A.QM_V' to host 'xxxxxxx'
Could it be possible that the main reason for this is that the certificates are self-signed? Maybe if I changed them to CA-signed that would fix it.
Regards
bruce2359
Posted: Tue Jun 02, 2020 11:47 am Post subject:
Poobah
Joined: 05 Jan 2008 Posts: 9442 Location: US: west coast, almost. Otherwise, enroute.
I asked you what step-by-step procedure you are following to implement certs?
_________________
I like deadlines. I like to wave as they pass by.
ב''ה
Lex Orandi, Lex Credendi, Lex Vivendi. As we Worship, So we Believe, So we Live.
hughson
Posted: Tue Jun 02, 2020 2:42 pm Post subject:
Padawan
Joined: 09 May 2013 Posts: 1948 Location: Bay of Plenty, New Zealand
ammx wrote:
    Could it be possible that the main reason for this is that the certificates are self-signed? Maybe if I changed them to CA-signed that would fix it.
No.
It is more likely that you haven't got your certificates labelled correctly. Changing to CA signed and using the same process for labelling as you are currently doing will yield the same results. Let's fix what you have first and then you can move to CA signed certificates later.
You haven't shown us any details about the labels of your certificates. Please can you show us that now.
Cheers,
Morag
_________________
Morag Hughson @MoragHughson
IBM MQ Technical Education Specialist
Get your IBM MQ training here!
MQGem Software
ammx
Posted: Wed Jun 03, 2020 5:50 am Post subject:
Acolyte
Joined: 08 Sep 2017 Posts: 50
@bruce2359, @hughson
These are the commands I used to create the certificates:
My machine (sender side):
runmqckm -cert -create -db key.kdb -stashed -label qma_cert -dn "CN=localhost,O=EPM,C=US,OU=QM_A" -x509version 3 -expire 365 -sig_alg SHA256WithRSA
Server (receiver side):
runmqckm -cert -create -db key.kdb -stashed -label qmv_cert -dn "CN=host12345.xxxx.xxxx.xxxx.xxx, O=EPM, C=US, OU=QM_V" -x509version 3 -expire 365 -sig_alg SHA256WithRSA
After these I added the cipher to the SSLCIPH on both sides and restarted the channels.
Regards
bruce2359
Posted: Wed Jun 03, 2020 6:24 am Post subject:
Poobah
Joined: 05 Jan 2008 Posts: 9442 Location: US: west coast, almost. Otherwise, enroute.
One last try here: what step-by-step procedure are you following? Are you looking at some IBM-supplied step-by-step documentation? If so, what exactly?
_________________
I like deadlines. I like to wave as they pass by.
ב''ה
Lex Orandi, Lex Credendi, Lex Vivendi. As we Worship, So we Believe, So we Live.
ammx
Posted: Wed Jun 03, 2020 8:08 am Post subject:
Acolyte
Joined: 08 Sep 2017 Posts: 50
No, I am not following any step-by-step procedure or guideline; I just searched for the commands.
bruce2359
Posted: Wed Jun 03, 2020 11:19 am Post subject:
Poobah
Joined: 05 Jan 2008 Posts: 9442 Location: US: west coast, almost. Otherwise, enroute.
ammx wrote:
    No, I am not following any step-by-step procedure or guideline; I just searched for the commands.
It's a bit more complicated than issuing some commands.
May I suggest googling "+mq step by step ssl certificate installation".
_________________
I like deadlines. I like to wave as they pass by.
ב''ה
Lex Orandi, Lex Credendi, Lex Vivendi. As we Worship, So we Believe, So we Live.
hughson
Posted: Wed Jun 03, 2020 5:06 pm Post subject:
Padawan
Joined: 09 May 2013 Posts: 1948 Location: Bay of Plenty, New Zealand
ammx wrote:
    My machine (sender side):
    runmqckm -cert -create -db key.kdb -stashed -label qma_cert -dn "CN=localhost,O=EPM,C=US,OU=QM_A" -x509version 3 -expire 365 -sig_alg SHA256WithRSA
    Server (receiver side):
    runmqckm -cert -create -db key.kdb -stashed -label qmv_cert -dn "CN=host12345.xxxx.xxxx.xxxx.xxx, O=EPM, C=US, OU=QM_V" -x509version 3 -expire 365 -sig_alg SHA256WithRSA
    After these I added the cipher to the SSLCIPH on both sides and restarted the channels.
You don't mention anywhere whether you set the Certificate Label on each queue manager to reference these certificate labels (since you are using non-standard label names). Have you done the following commands?
Code:
ALTER QMGR CERTLABL('qma_cert')
Code:
ALTER QMGR CERTLABL('qmv_cert')
Cheers,
Morag
_________________
Morag Hughson @MoragHughson
IBM MQ Technical Education Specialist
Get your IBM MQ training here!
MQGem Software
fjb_saper
Posted: Thu Jun 04, 2020 5:32 am Post subject:
Grand High Poobah
Joined: 18 Nov 2003 Posts: 20729 Location: LI,NY
And once you've done that, be aware that you're set up for 2-way SSL, which means that each truststore needs to have, at a minimum, each other's signer cert (the public cert of a self-signed cert).
Enjoy
_________________
MQ & Broker admin
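The two rules the replies above turn on (hughson: CERTLABL must name a label that actually exists in the key store, and a RCVR end without a usable certificate gives AMQ9637; fjb_saper: once both ends have a certificate you are in 2-way TLS and each side must hold the other's self-signed public cert as a signer) can be checked against a small model. This is an added illustration, not IBM MQ code or anything posted in the thread: the key store contents, labels and DNs are constructed sample values, and the outcome strings are this model's own, not MQ message ids.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Set


@dataclass
class KeyStore:
    """Constructed stand-in for a queue manager's key.kdb."""
    personal: Dict[str, str] = field(default_factory=dict)  # label -> subject DN
    signers: Set[str] = field(default_factory=set)          # trusted subject DNs


@dataclass
class QMgr:
    name: str
    keystore: KeyStore
    certlabl: Optional[str] = None  # value given to ALTER QMGR CERTLABL(...)

    def own_cert(self) -> Optional[str]:
        """DN of the personal cert CERTLABL points at; None if the label is absent."""
        if self.certlabl is None:
            return None
        return self.keystore.personal.get(self.certlabl)


def handshake(sender: QMgr, receiver: QMgr, sslcauth: str = "REQUIRED") -> str:
    """Simulate an SDR -> RCVR channel start and return the outcome.

    'NO_LOCAL_CERT' is the situation behind AMQ9637 in this thread: the RCVR
    end (or the SDR end under SSLCAUTH(REQUIRED)) has no usable certificate.
    """
    rcv_cert = receiver.own_cert()
    if rcv_cert is None:
        return "NO_LOCAL_CERT:" + receiver.name
    # The sender always validates the receiver's certificate; with a self-signed
    # cert that means the receiver's public cert must be a signer at the sender.
    if rcv_cert not in sender.keystore.signers:
        return "PEER_NOT_TRUSTED_BY:" + sender.name
    snd_cert = sender.own_cert()
    if snd_cert is None:
        # One-way TLS only works when the RCVR channel has SSLCAUTH(OPTIONAL).
        return "OK" if sslcauth == "OPTIONAL" else "NO_LOCAL_CERT:" + sender.name
    # Two-way TLS: the receiver must also trust the sender's certificate.
    if snd_cert not in receiver.keystore.signers:
        return "PEER_NOT_TRUSTED_BY:" + receiver.name
    return "OK"


def make_qmgr(name: str, label: Optional[str], dn: Optional[str],
              certlabl: Optional[str], trusted: Set[str]) -> QMgr:
    """Build a queue manager from constructed sample values."""
    personal = {label: dn} if label and dn else {}
    return QMgr(name, KeyStore(personal=personal, signers=set(trusted)), certlabl)
```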
ammx
Posted: Tue Jun 16, 2020 11:24 am Post subject:
Acolyte
Joined: 08 Sep 2017 Posts: 50
The problem was solved by configuring the SSL on another server, instead of my personal machine.