MQSeries.net :: View topic - Connecting QManager with SSL certificate returns 2059 code

MQSeries.net

Tech Exchange

Education

Certifications

Library

Info Center

SupportPacs

FAQÂ Â

Usergroups

RSS Feed - WebSphere MQ Support

RSS Feed - Message Broker Support

MQSeries.net Forum Index » General IBM MQ Support » Connecting QManager with SSL certificate returns 2059 code

Connecting QManager with SSL certificate returns 2059 code

« View previous topic :: View next topic »

Author

Message

aybuke

Posted: Fri Mar 11, 2022 3:28 am Post subject: Connecting QManager with SSL certificate returns 2059 code

Newbie

Joined: 10 Mar 2022
Posts: 3

Hi everyone,
I'm using the "amqmdnet.dll" and version is 9.0 on my .NET Framework 4.5 console application.
I'm facing a problem that I couldn't find the solution anywhere.
My problem is about when allotment buffer size from SSLStream.
I'm authenticating successfully. After authentication, the system writes and reads buffer from SSLStream.
You can find the "AMQ.0.TRC" logs below;

Quote:

000001CB 11:28:38.551108 20164.1 KeyStore is *SYSTEM
000001CC 11:28:38.551108 20164.1 KeyResetCount is 0
000001CD 11:28:38.551108 20164.1 CertificationCheck = False
000001CE 11:28:38.551108 20164.1 CipherSpec value is TLS_RSA_WITH_AES_256_CBC_SHA256
000001CF 11:28:38.551108 20164.1 SSLPEERNAME value is CN= acc.aybuke
000001D0 11:28:38.551108 20164.1 -----------} MQEncryptedSocket.RetrieveAndValidateSSLParams(MQConnectOptions) rc=OK
000001D1 11:28:38.554114 20164.1 -----------{ MQEncryptedSocket.MakeSecuredConnection()
000001D2 11:28:38.554114 20164.1 Created an instance of SSLStreams
000001D3 11:28:38.554114 20164.1 Setting current certificate store as 'Computer'
000001D4 11:28:38.554114 20164.1 Created store object to access certificates
000001D5 11:28:38.555109 20164.1 Opened store
000001D6 11:28:38.555109 20164.1 Accessing certificate - certaybuke
000001D7 11:28:38.555109 20164.1 TLS12 supported - True
000001D8 11:28:38.555109 20164.1 Setting SslProtol as Tls12
000001D9 11:28:38.555109 20164.1 Starting SSL Authentication
000001DA 11:28:38.560108 20164.1 ------------{ MQEncryptedSocket.FixClientCertificate(Object,String,X509CertificateCollection,X509Certificate,String[])
000001DB 11:28:38.560108 20164.1 Client callback has been invoked to find client certificate
000001DC 11:28:38.560108 20164.1 ------------} MQEncryptedSocket.FixClientCertificate(Object,String,X509CertificateCollection,X509Certificate,String[]) rc=OK
000001DD 11:28:38.587126 20164.1 ------------{ MQEncryptedSocket.FixClientCertificate(Object,String,X509CertificateCollection,X509Certificate,String[])
000001DE 11:28:38.587126 20164.1 Client callback has been invoked to find client certificate
000001DF 11:28:38.587126 20164.1 Use the first certificate that is from an acceptable issuer.
000001E0 11:28:38.588110 20164.1 ------------} MQEncryptedSocket.FixClientCertificate(Object,String,X509CertificateCollection,X509Certificate,String[]) rc=OK
000001E1 11:28:38.623123 20164.1 ------------{ MQEncryptedSocket.ClientValidatingServerCertificate(Object,X509Certificate,X509Chain,SslPolicyErrors)
000001E2 11:28:38.623123 20164.1 Constructing IBM.WMQ.Nmqi.MQPeerNameMatching#02011057 MQMBID sn=p900-010-200430 su=_SIMXsI6_EeqgerCbjj3OkA pn=lib/dotnet/pc/winnt/nmqi/NmqiObject.cs
000001E3 11:28:38.623123 20164.1 Constructing IBM.WMQ.Nmqi.MQPeerNameMatching#02011057 MQMBID sn=p900-010-200430 su=_SIMXsI6_EeqgerCbjj3OkA pn=lib/dotnet/pc/winnt/nmqi/MQPeerNameMatching.cs
000001E4 11:28:38.626117 20164.1 -------------{ MQPeerNameMatching.ParseDN(String)
000001E5 11:28:38.626117 20164.1 DN String = CN= acc.aybuke
00000282 11:28:38.631122 20164.1 -------------} MQPeerNameMatching.ParseDN(String) rc=OK
00000283 11:28:38.633119 20164.1 -------------{ MQPeerNameMatching.IsMatchingPeerName(MQPeerNameMatching)
00000284 11:28:38.635119 20164.1 --------------{ MQPeerNameMatching.Wequals(String,String)
00000285 11:28:38.635119 20164.1 Returning True
00000286 11:28:38.635119 20164.1 --------------} MQPeerNameMatching.Wequals(String,String) rc=OK
00000287 11:28:38.635119 20164.1 Return value = True
00000288 11:28:38.635119 20164.1 -------------} MQPeerNameMatching.IsMatchingPeerName(MQPeerNameMatching) rc=OK
00000289 11:28:38.635119 20164.1 ------------} MQEncryptedSocket.ClientValidatingServerCertificate(Object,X509Certificate,X509Chain,SslPolicyErrors) rc=OK
0000028A 11:28:38.636114 20164.1 SSL Authentication completed
0000028B 11:28:38.636114 20164.1 -----------} MQEncryptedSocket.MakeSecuredConnection() rc=OK
0000028C 11:28:38.636114 20164.1 ----------} MQTCPConnection.ConnectSocket(string,string,MQLONG) rc=OK
0000028D 11:28:38.636114 20164.1 Protocol connected..for this connection request.
0000028E 11:28:38.641112 20164.1 ----------{ MQFAPConnection.InitialiseSession()
0000028F 11:28:38.641112 20164.1 Constructing IBM.WMQ.MQID#02562BC8 MQMBID sn=p900-010-200430 su=_SIMXsI6_EeqgerCbjj3OkA pn=lib/dotnet/pc/winnt/nmqi/MQID.cs
00000290 11:28:38.644120 20164.1 Checking the encoding type.
00000291 11:28:38.644120 20164.1 -----------{ MQFAPConnection.AllocInitialDataTsh(byte,int) inputs [1] [268]
00000292 11:28:38.645115 20164.1 ------------{ MQFAPConnection.AllocateTSH(int,byte,MQTSH,int) inputs [0] [1] [null] [268]
00000293 11:28:38.646117 20164.1 -------------{ MQCommsBufferPool.AllocateBuffer(int) inputs [268]
00000294 11:28:38.646117 20164.1 Reusing buffer of capacity=1024BufferHashcode: 518963679
00000295 11:28:38.646117 20164.1 --------------{ MQCommsBufferImpl.Reset(bool) inputs [True]
00000296 11:28:38.646117 20164.1 --------------} MQCommsBufferImpl.Reset(bool) rc=OK
00000297 11:28:38.646117 20164.1 -------------} MQCommsBufferPool.AllocateBuffer(int) rc=OK
00000298 11:28:38.647117 20164.1 Constructing IBM.WMQ.MQTSH#01078A10 MQMBID sn=p900-010-200430 su=_SIMXsI6_EeqgerCbjj3OkA pn=lib/dotnet/pc/winnt/nmqi/MQTSH.cs
00000299 11:28:38.648116 20164.1 ------------} MQFAPConnection.AllocateTSH(int,byte,MQTSH,int) rc=OK returns [IBM.WMQ.MQTSH#01078A10]
0000029A 11:28:38.648116 20164.1 -----------} MQFAPConnection.AllocInitialDataTsh(byte,int) rc=OK returns [IBM.WMQ.MQTSH#01078A10]
0000029B 11:28:38.650111 20164.1 -----------{ MQTSH.WriteStruct(Byte [ ],int) inputs [System.Byte[]] [0]
0000029C 11:28:38.650111 20164.1 28bytes written
0000029D 11:28:38.650111 20164.1 -----------} MQTSH.WriteStruct(Byte [ ],int) rc=OK returns [28]
0000029E 11:28:38.650111 20164.1 -----------{ MQID.WriteStruct(Byte [ ],int) inputs [System.Byte[]] [28]
0000029F 11:28:38.650111 20164.1 -----------} MQID.WriteStruct(Byte [ ],int) rc=OK returns [240]
000002A0 11:28:38.650111 20164.1 -----------{ MQFAPConnection.RequestSendLock()
000002A1 11:28:38.650111 20164.1 -----------} MQFAPConnection.RequestSendLock() rc=OK
000002A2 11:28:38.651118 20164.1 -----------{ MQFAPConnection.SendTSH(MQTSH) inputs [IBM.WMQ.MQTSH#01078A10]
000002A3 11:28:38.654115 20164.1 ------------{ MQTCPConnection.Send(byte[],int,int,int,int) inputs [System.Byte[]] [0] [268] [1] [0]
000002A4 11:28:38.654115 20164.1 HDL:1280
000002A5 11:28:38.654115 20164.1 ----------------
000002A6 11:28:38.655118 20164.1 !! - Send Buffer:
000002A6 11:28:38.655118 20164.1 Data:- IBM.WMQ.MQTCPConnection#000AFCEB
000002A6 11:28:38.655118 20164.1 0x00000000 54 53 48 20 00 00 01 0C 02 01 31 00 00 00 00 00 : TSH ..1.....
000002A6 11:28:38.655118 20164.1 0x00000010 00 00 00 00 22 02 00 00 E4 04 00 00 49 44 20 20 : ...."..?..ID
(........................................BUFFER DETAILS_IN_THERE)
000002A7 11:28:38.655118 20164.1 Data Length --> 268
000002A8 11:28:38.655118 20164.1 Send >>
000002A9 11:28:38.657124 20164.1 -------------{ MQEncryptedSocket..Write(byte[], int, int)
000002AA 11:28:38.657124 20164.1 Writing 268 bytes onto wire
000002AB 11:28:38.660113 20164.1 Current total bytes read/write on socket: 0
000002AC 11:28:38.660113 20164.1 Write onto wire complete
000002AD 11:28:38.660113 20164.1 -------------} MQEncryptedSocket..Write(byte[], int, int) rc=OK
000002AE 11:28:38.660113 20164.1 Send returned 268
000002AF 11:28:38.660113 20164.1 Send << - n = 268
000002B0 11:28:38.660113 20164.1 ------------} MQTCPConnection.Send(byte[],int,int,int,int) rc=OK
000002B1 11:28:38.660113 20164.1 ------------{ MQCommsBufferImpl.Free()
000002B2 11:28:38.661123 20164.1 -------------{ MQCommsBufferPool.FreeBuffer(IMQCommsBuffer) inputs [IBM.WMQ.MQCommsBufferImpl#039490E2]
000002B3 11:28:38.661123 20164.1 --------------{ MQCommsBufferImpl.CheckPool(MQCommsBufferPool) inputs [IBM.WMQ.MQCommsBufferPool#038248FC]
000002B4 11:28:38.661123 20164.1 --------------} MQCommsBufferImpl.CheckPool(MQCommsBufferPool) rc=OK
000002B5 11:28:38.661123 20164.1 --------------{ MQCommsBufferImpl.IsValid()
000002B6 11:28:38.661123 20164.1 --------------} MQCommsBufferImpl.IsValid() rc=OK
000002B7 11:28:38.662117 20164.1 UseCount on this buffer is found to be 0,Reseting this buffer of capacity 1024
000002B8 11:28:38.662117 20164.1 --------------{ MQCommsBufferImpl.Reset(bool) inputs [False]
000002B9 11:28:38.662117 20164.1 --------------} MQCommsBufferImpl.Reset(bool) rc=OK
000002BA 11:28:38.662117 20164.1 -------------} MQCommsBufferPool.FreeBuffer(IMQCommsBuffer) rc=OK
000002BB 11:28:38.662117 20164.1 ------------} MQCommsBufferImpl.Free() rc=OK
000002BC 11:28:38.662117 20164.1 -----------} MQFAPConnection.SendTSH(MQTSH) rc=OK
000002BD 11:28:38.662117 20164.1 -----------{ MQFAPConnection.ReleaseSendLock()
000002BE 11:28:38.662117 20164.1 -----------} MQFAPConnection.ReleaseSendLock() rc=OK
000002BF 11:28:38.664121 20164.1 -----------{ MQFAPConnection.ReceiveTSH(MQTSH) inputs [null]
000002C0 11:28:38.664121 20164.1 ------------{ MQCommsBufferPool.AllocateBuffer(int) inputs [32758]
000002C1 11:28:38.664121 20164.1 Reusing buffer of capacity=32768BufferHashcode: 1539224853
000002C2 11:28:38.664121 20164.1 -------------{ MQCommsBufferImpl.Reset(bool) inputs [True]
000002C3 11:28:38.664121 20164.1 -------------} MQCommsBufferImpl.Reset(bool) rc=OK
000002C4 11:28:38.664121 20164.1 ------------} MQCommsBufferPool.AllocateBuffer(int) rc=OK
000002C5 11:28:38.664121 20164.1 Constructing IBM.WMQ.MQTSH#027829A8 MQMBID sn=p900-010-200430 su=_SIMXsI6_EeqgerCbjj3OkA pn=lib/dotnet/pc/winnt/nmqi/MQTSH.cs
000002C6 11:28:38.665113 20164.1 ------------{ MQTSH.GetLength()
000002C7 11:28:38.665113 20164.1 ------------} MQTSH.GetLength() rc=OK returns [28]
000002C8 11:28:38.667115 20164.1 ------------{ MQTCPConnection.Receive(ref byte [ ],ref int,ref int) inputs [System.Byte[]] [0] [32768]
000002C9 11:28:38.667115 20164.1 HDL:1280
000002CA 11:28:38.667115 20164.1 Data Length --> 32768
000002CB 11:28:38.667115 20164.1 -------------{ MQEncryptedSocket..Read(byte[], int, int)
000002CC 11:28:38.667115 20164.1 Reading data from Socket
000002CD 11:28:38.669114 20164.1 MQEncryptedSocket.Read completed with 36bytes
000002CE 11:28:38.669114 20164.1 Current total bytes read/write on socket: 304
000002CF 11:28:38.669114 20164.1 -------------} MQEncryptedSocket..Read(byte[], int, int) rc=OK
000002D0 11:28:38.669114 20164.1 ----------------
000002D1 11:28:38.669114 20164.1 !! - Receive Buffer:
000002D1 11:28:38.669114 20164.1 Data:- IBM.WMQ.MQTCPConnection#000AFCEB
(........................................BUFFER DETAILS_IN_THERE)
000002D2 11:28:38.669114 20164.1 Data Length --> 36
000002D3 11:28:38.669114 20164.1 ------------} MQTCPConnection.Receive(ref byte [ ],ref int,ref int) rc=OK
000002D4 11:28:38.669114 20164.1 Bytes Read from Socket = 36
000002D5 11:28:38.670116 20164.1 ------------{ MQTSH.ReadStruct(Byte [ ],int) inputs [System.Byte[]] [0]
000002D6 11:28:38.670116 20164.1 ------------} MQTSH.ReadStruct(Byte [ ],int) rc=OK returns [28]
000002D7 11:28:38.670116 20164.1 ------------{ MQTSH.CheckTSH(byte [ ]) inputs [System.Byte[]]
000002D8 11:28:38.670116 20164.1 ------------} MQTSH.CheckTSH(byte [ ]) rc=OK returns [True]
000002D9 11:28:38.671115 20164.1 ------------{ MQFAPConnection.AnalyseErrorSegment(MQTSH) inputs [IBM.WMQ.MQTSH#027829A8]
000002DA 11:28:38.671115 20164.1 -------------{ MQTSH.GetLength()
000002DB 11:28:38.671115 20164.1 -------------} MQTSH.GetLength() rc=OK returns [28]
000002DC 11:28:38.671115 20164.1 Constructing IBM.WMQ.MQERD#00052E67 MQMBID sn=p900-010-200430 su=_SIMXsI6_EeqgerCbjj3OkA pn=lib/dotnet/pc/winnt/nmqi/MQERD.cs
000002DD 11:28:38.672116 20164.1 -------------{ MQERD.ReadStruct(Byte [ ],int) inputs [System.Byte[]] [28]
000002DE 11:28:38.672116 20164.1 -------------} MQERD.ReadStruct(Byte [ ],int) rc=OK returns [8]
000002DF 11:28:38.672116 20164.1 New MQException CompCode: 2 Reason: 2059
000002E0 11:28:38.672116 20164.1 New NmqiException CompCode: 2 Reason: 2059

When I debug the code, I'm stucking below lines on the class "MQFAPConnection";

Code:

if ((mQTSH.ControlFlags1 & 8u) != 0)
{
AnalyseErrorSegment(mQTSH);
}

The field "ControlFlags1" is "10". So, the result of the if condition is 8 and it throws error.
The "ControlFlags1" field is filled while reading buffer from SSLStream.

Additionally, I'm sending these information to the QManager;

Code:

connectionProperties.Add(MQC.TRANSPORT_PROPERTY, MQC.TRANSPORT_MQSERIES_MANAGED);
connectionProperties.Add(MQC.HOST_NAME_PROPERTY, "xxx.xxx.xxx.xx");
connectionProperties.Add(MQC.PORT_PROPERTY, 1414);
connectionProperties.Add(MQC.CHANNEL_PROPERTY, "Ccc");
connectionProperties.Add(MQC.SSL_CIPHER_SPEC_PROPERTY, "TLS_RSA_WITH_AES_256_CBC_SHA256");
connectionProperties.Add(MQC.SSL_CERT_STORE_PROPERTY, "*SYSTEM");
connectionProperties.Add(MQC.SSL_PEER_NAME_PROPERTY, "CN= acc.aybuke");
MQEnvironment.CertificateLabel = "certaybuke";

Why I get an exception for that? It seems there is nothing wrong. I'm sending all required information. Can anyone help me for this problem.

fjb_saper

Posted: Sat Mar 12, 2022 8:51 am Post subject:

Grand High Poobah

Joined: 18 Nov 2003
Posts: 20768
Location: LI,NY

Verify if the managed transport supported SSL at version 9.0?
I would definitely want to upgrade your client to version 9.2.0.5...

_________________
MQ & Broker admin

bruce2359

Posted: Sat Mar 12, 2022 9:19 am Post subject:

Poobah

Joined: 05 Jan 2008
Posts: 9486
Location: US: west coast, almost. Otherwise, enroute.

Also, please confirm that the connection worked successfully before you introduced SSL/TLS.
_________________
I like deadlines. I like to wave as they pass by.
ב''ה
Lex Orandi, Lex Credendi, Lex Vivendi. As we Worship, So we Believe, So we Live.

aybuke

Posted: Mon Mar 14, 2022 12:11 am Post subject:

Newbie

Joined: 10 Mar 2022
Posts: 3

Firstly, thank you for your responses.
@fjb_saper according to IBM documentation, it supports the TLS protocol for version 9.0.

@bruce2359 how can I check the connection before sending SSL? Actually, it seems I can connect. Because I'm authanticating successfuly to the server with the certificate.

bruce2359

Posted: Mon Mar 14, 2022 4:37 am Post subject:

Poobah

Joined: 05 Jan 2008
Posts: 9486
Location: US: west coast, almost. Otherwise, enroute.

aybuke wrote:

I'm authenticating successfully.

@bruce2359 how can I check the connection before sending SSL? Actually, it seems I can connect.

Authenticating is not the same as connecting to a qmgr.

aybuke wrote:

Because I'm authanticating successfuly to the server with the certificate.

https://www.ibm.com/docs/en/ibm-mq/9.2?topic=arc-2059-080b-rc2059-[url]mqrc-q-mgr-not-available[/url]
2059 ReasonCode means qmgr not available. Which means you did not/can not MQCONNect to the qmgr.

How to prove (demonstrate) that your qmgr configuration is correct - before applying SSL/TLS attributes:

With no SSL/TLS attributes enabled, can you successfully execute amqsput? amqsget? Do these sample apps still return a ReasonCode 2059?

What is the name of the qmgr you are attempting to MQCONNect to?
_________________
I like deadlines. I like to wave as they pass by.
ב''ה
Lex Orandi, Lex Credendi, Lex Vivendi. As we Worship, So we Believe, So we Live.

aybuke

Posted: Thu Mar 17, 2022 6:52 am Post subject:

Newbie

Joined: 10 Mar 2022
Posts: 3

Thank you bruce.
When I run the command "amqsput TEST.FROM_AYBUKE"
I'm getting

Quote:

Sample AMQSPUT0 start
MQCONNX ended with reason code 2058

Also, I have a log from the server side;

Quote:

AMQ9637E: During handshake, the remote partner sent no certificate.

EXPLANATION:
The conversation cannot begin because a certificate has not been supplied by
the remote partner.

I put the certificates to my windows certificate store and all certificates can be found by the system successfully.
SSLPeerName matching returns true.
Local and remote Certificates are founded by the system successfully.

How the response says "there is no certificate."?

RogerLacroix

Posted: Thu Mar 17, 2022 10:10 am Post subject:

Jedi Knight

Joined: 15 May 2001
Posts: 3265
Location: London, ON Canada

aybuke wrote:

When I run the command "amqsput TEST.FROM_AYBUKE"

First off, you need to be using amqsputc if the queue manager is remote. amqsput (without the 'c') is for connecting to a local queue manager.

aybuke wrote:

Local and remote Certificates are founded by the system successfully.
How the response says "there is no certificate."?

How did you tell amqsputc where to find your SSL/TLS values? (MQ cannot read your mind!)

Did you put your SSL/TLS values in a CCDT file?

For CCDT file, did you correctly set the MQCHLLIB and MQCHLTAB environment variables?

i.e. On Windows, you would need to set the environment variables as:

Code:

set MQCHLLIB=C:\MyCCDTFiles
set MQCHLTAB=MQA1.TAB

Regards,
Roger Lacroix
Capitalware Inc.
_________________
Capitalware: Transforming tomorrow into today.
Connected to MQ!
Twitter

bruce2359

Posted: Thu Mar 17, 2022 1:01 pm Post subject:

Poobah

Joined: 05 Jan 2008
Posts: 9486
Location: US: west coast, almost. Otherwise, enroute.

RogerLacroix wrote:

aybuke wrote:

When I run the command "amqsput TEST.FROM_AYBUKE"

First off, you need to be using amqsputc if the queue manager is remote. amqsput (without the 'c') is for connecting to a local queue manager.

Oooops, that was my error. Thanks, Roger. Good catch.

I asked the OP aybuke to attempt the client-to-qmgr application-level connectivity BEFORE adding SSL/TLS to the mix. Amqsputc, amqsgetc, ...
_________________
I like deadlines. I like to wave as they pass by.
ב''ה
Lex Orandi, Lex Credendi, Lex Vivendi. As we Worship, So we Believe, So we Live.

fjb_saper

Posted: Thu Mar 24, 2022 1:16 am Post subject:

Grand High Poobah

Joined: 18 Nov 2003
Posts: 20768
Location: LI,NY

I am not sure that at version 9.0 you are allowed to use the windows store, hence the question if it was supported for a MANAGED connection.

Have you tried running it with an UNMANAGED connection and a cms store?
Did it work then?

_________________
MQ & Broker admin

hughson

Posted: Fri Mar 25, 2022 1:14 am Post subject: Re: Connecting QManager with SSL certificate returns 2059 co

Padawan

Joined: 09 May 2013
Posts: 1967
Location: Bay of Plenty, New Zealand

aybuke wrote:

Code:

000002D9 11:28:38.671115 20164.1 ------------{ MQFAPConnection.AnalyseErrorSegment(MQTSH) inputs [IBM.WMQ.MQTSH#027829A8]

This shows that you are being sent an error from the queue manager because it doesn't like something. Therefore there should be an error in the queue manager AMQERR01.LOG that says what it didn't like. Please can you tell us what that says.

P.S. I see you are setting the peer name:-

aybuke wrote:

Additionally, I'm sending these information to the QManager;

Code:

connectionProperties.Add(MQC.SSL_PEER_NAME_PROPERTY, "CN= acc.aybuke");

Are you trying to make sure that you only talk to a queue manager that presents a certificate with this Distinguished Name?

Cheers,
Morag
_________________
Morag Hughson @MoragHughson
IBM MQ Technical Education Specialist
Get your IBM MQ training here!
MQGem Software

Display posts from previous:

Page 1 of 1

MQSeries.net Forum Index » General IBM MQ Support » Connecting QManager with SSL certificate returns 2059 code

Jump to:

You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum

Protected by Anti-Spam ACP