8

I own the following findings in order to work against WMQ Secure-Channel:

  1. Defined Secure-Channel in the WMQ farm
  2. Public/Private keys
  3. Unmanaged Security-Exit assembly

My question is how to utilize these resources and interact with a Secure Channel using the XMS API? (Using C#)

This is what I've tried so far, but without success:

private IConnectionFactory CreateConnectionFactory()
{
    XMSFactoryFactory factoryFactory = XMSFactoryFactory.GetInstance(XMSC.CT_WMQ);

    IConnectionFactory connectionFactory = factoryFactory.CreateConnectionFactory();

    connectionFactory.SetStringProperty(XMSC.WMQ_HOST_NAME, _wmqHostName);
    connectionFactory.SetIntProperty(XMSC.WMQ_PORT, _wmqPort);
    connectionFactory.SetStringProperty(XMSC.WMQ_CHANNEL, _wmqChannel);
    connectionFactory.SetIntProperty(XMSC.WMQ_CONNECTION_MODE, XMSC.WMQ_CM_CLIENT_UNMANAGED);
    connectionFactory.SetStringProperty(XMSC.WMQ_QUEUE_MANAGER, _wmqQueueManager);
    connectionFactory.SetIntProperty(XMSC.WMQ_BROKER_VERSION, 0);
    connectionFactory.SetStringProperty(XMSC.WMQ_SECURITY_EXIT, "MySecurityExitName");

    return (connectionFactory);
}

I get the following error when calling it:

CWSMQ0006E: An exception was received during the call to the method ConnectionFactory.CreateConnection: CompCode: 2, Reason: 2195 . During execution of the specified method an exception was thrown by another component. See the linked exception for more information.

UPDATE:

I found the following Technote which describes my problem and its possible (not tested) solution:

https://www-304.ibm.com/support/docview.wss?uid=swg1IC82112

Yair Nevet

2 Answers

4

Good that you found that Technote. Also make sure that...

  • If doing mutual authentication (SVRCONN channel is set to SSLCAUTH(REQUIRED)) that the app's personal certificate has a label matching the service account. For example, if the app is running as dotnetacct the label of the personal cert in its keystore would be ibmwebspheremqdotnetacct.
  • Get the channel running without SSL or an exit first. Then do server-authenticated SSL, then mutually authenticated SSL, then add the exit back in. This isolates problems.
  • Use the latest WMQ client. I do not mean the latest fix pack for v7.0 or v7.1 but the latest v7.5 (as of this writing) client. Download as SupportPac MQC75. Later clients are compatible with back-level QMgrs and they have more fixes/features.
  • Install the full client and not just the classes or assemblies you think you need. This gets you all sorts of utilities such as client-side tracing.
  • Use the amqssslc sample to test your channel and certificates. This is usually at C:\Program Files (x86)\IBM\WebSphere MQ\tools\c\Samples\Bin\amqssslc.exe and is one of the utilities supplied when installing the full client.
  • Go to the WMQ SupportPacs page and look for MH03 WebSphere MQ SSL Configuration Checker and MO04 WebSphere MQ SSL Wizard. These can help with configuration and problem diagnosis.
T.Rob
  • Thanks Rob, When using a Security Exit, do I need to add more properties when constructing the Connection Factory in order to support the Secure Channel? – Yair Nevet Apr 08 '14 at 04:21
  • If that's a server-side exit, then the only properties you can add from the client side are the ID and password. All other fields accessible to the exit, such as the certificate details, are provided by the connection request automatically. However, exits can be client-side as well and if you have that, the answer depends on the exit itself. – T.Rob Apr 08 '14 at 14:33
  • There are two kinds of Security-Exits? – Yair Nevet Apr 08 '14 at 14:35
  • It is possible to run a server-side-only exit such as BlockIP2 or to run a pair of exits that talk to each other, with one at the server and one at the client or remote QMgr. http://pic.dhe.ibm.com/infocenter/wmqv7/v7r5/topic/com.ibm.mq.sec.doc/q010640_.htm – T.Rob Apr 08 '14 at 14:51
3

I figured out that you can't use an unmanaged Security Exit assembly with IBM.XMS API (IBM.XMS.dll), and this is what I currently have.

From the XMS docs:

XMSC.WMQ_SECURITY_EXIT

This property is relevant only when an application connects to a queue manager in managed client mode. Also, only managed exits are supported.

Eventually, I came up with replacing the usage of the XMS API with the MQ Classes for .NET (Native .NET API of IBM for WMQ) which does support using an unmanaged Security Exit, by setting its MQC.SECURITY_EXIT_PROPERTY property (should be served in the form of a Hashtable entry). To be more specific, this is the assembly: amqmdnet.dll

Yair Nevet
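The following is an added example, not code from either answer or from IBM: it connects through the MQ Classes for .NET (amqmdnet.dll) with a Hashtable of properties, and takes a stage number so the channel can be tested without SSL or an exit first, then with SSL, then with the security exit, as the first answer recommends. Host, port, channel, queue manager, CipherSpec, key repository path and the exit string are placeholders, and the `dll(EntryPoint)` form of the exit string is an assumption to confirm against the MQ client documentation. The channel definition on the queue manager has to match each stage, so run one stage per change.

```csharp
using System;
using System.Collections;
using IBM.WMQ;   // amqmdnet.dll, MQ Classes for .NET

static class ExitConnectCheck
{
    // Placeholders (assumptions): replace with values from your environment.
    const string Host = "mq.example.internal";
    const int Port = 1414;
    const string Channel = "APP.SVRCONN";
    const string QueueManager = "QM1";
    const string CipherSpec = "<CipherSpec matching the channel's SSLCIPH>";
    const string KeyRepository = @"C:\path\to\keystore\key";        // placeholder path
    const string SecurityExit = @"C:\path\to\exit.dll(EntryPoint)"; // assumed format

    // stage 0: no SSL, no exit; stage 1: SSL only; stage 2: SSL plus security exit
    static Hashtable BuildProperties(int stage)
    {
        var p = new Hashtable
        {
            { MQC.HOST_NAME_PROPERTY, Host },
            { MQC.PORT_PROPERTY, Port },
            { MQC.CHANNEL_PROPERTY, Channel },
            // Unmanaged client transport, needed for an unmanaged exit
            { MQC.TRANSPORT_PROPERTY, MQC.TRANSPORT_MQSERIES_CLIENT }
        };
        if (stage >= 1)
        {
            p.Add(MQC.SSL_CIPHER_SPEC_PROPERTY, CipherSpec);
            p.Add(MQC.SSL_CERT_STORE_PROPERTY, KeyRepository);
        }
        if (stage >= 2)
            p.Add(MQC.SECURITY_EXIT_PROPERTY, SecurityExit);
        return p;
    }

    static int Main(string[] args)
    {
        int stage = args.Length > 0 ? int.Parse(args[0]) : 0;
        try
        {
            var qmgr = new MQQueueManager(QueueManager, BuildProperties(stage));
            Console.WriteLine("stage {0}: connected", stage);
            qmgr.Disconnect();
            return 0;
        }
        catch (MQException e)
        {
            // The reason code (e.g. 2195 in the question) identifies the failing stage
            Console.WriteLine("stage {0}: failed, reason {1}: {2}", stage, e.ReasonCode, e.Message);
            return 1;
        }
    }
}
```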