I am able to connect to IBM MQ through PyMQI using the installed MQ client v9 on my Linux machine. There is a requirement of connecting through SSL. How should I create a key repository for two-way TLS (mTLS)?
-
`runmqakm` is used for that purpose. Do you need to do mTLS or just 1-way TLS? Have you been provided any specific requirements? – JoshMc Aug 05 '20 at 06:20
-
When I tried, it says command not found. Will the downloaded client library have support to run this command? They haven't provided details on TLS. – Vishnu Aug 05 '20 at 06:48
-
What version of MQ client do you have (you say v9, but there are now three major releases: 9.0, 9.1, and most recently 9.2)? How did you obtain it? Was it the installed client or the Redist client (you say installed, so I will assume it is not redist)? What platform does your client run on (i.e. Linux, Windows, etc.)? – JoshMc Aug 05 '20 at 06:53
-
I have installed 9.0.0.8, got it from the IBM website. I have followed the instructions from GitHub.com/dsuch/pymqi/issues/15 and installed MQSeriesClient, not the redist client. Running it on Linux. – Vishnu Aug 05 '20 at 07:06
-
`/opt/mqm/bin/runmqakm` should be present. If you make it the "Primary" install it will also get a symlink under `/bin`. You can also run `setmqenv` to have the PATH updated if it is not primary. – JoshMc Aug 05 '20 at 07:20
-
You will need to find out more details. If you require mTLS then you will need a cert that is trusted by the queue manager. If you want 1-way TLS you only need CA certs in your keystore so that you trust the queue manager's cert. I have seen this done many different ways; sometimes the MQ admin will provide you the keystore, sometimes you need to get the cert via a cert management system. If you need help with a specific task, please update the question with more details on what needs to be accomplished. – JoshMc Aug 05 '20 at 07:22
-
I missed installing MQSeriesGSKit. Now I have `runmqakm` available. The MQ admin did mention uploading a CSR to a cert management system and downloading the certificate chain. I will update once I have better info, thank you. – Vishnu Aug 05 '20 at 07:38
-
Which pymqi version are you using? – JoshMc Aug 05 '20 at 08:12
-
I am using pymqi (1.12.0) – Vishnu Aug 05 '20 at 13:07
-
This TLS [tutorial](https://developer.ibm.com/components/ibm-mq/tutorials/mq-secure-msgs-tls) provides a worked example for configuring a client to connect to a trusted IBM MQ server over TLS. – richc Aug 05 '20 at 14:25
-
The link given has references for when the server cert is available. I need to download certs via a cert management system. So in this case how should I proceed? Should I be using `runmqakm` or `runmqckm`? – Vishnu Aug 05 '20 at 15:12
-
`runmqckm` is the java version of `runmqakm` and supports Java Key Stores (jks), it also supports CMS keystores which is what the C API uses (this is what pymqi is built on). `runmqakm` is much quicker than `runmqckm`. – JoshMc Aug 05 '20 at 20:01
-
Can pymqi read certs generated using Java keytool, or should they only be generated using these commands? 1. `runmqakm -keydb -create -db filename -pw password -type cms -expire days -stash` 2. `runmqakm -certreq -create -db filename -pw password -label label -dn distinguished_name -size key_size -file filename -fips -sig_alg algorithm` – Vishnu Aug 07 '20 at 20:43
-
You will need to ensure you follow the naming convention for the client and server certificate labels in your keystore. This is covered in the [PyMQI tls doc](https://dsuch.github.io/pymqi/examples.html#how-to-use-ssl-tls) – richc Aug 10 '20 at 17:14
-
Assuming you have the certificate, you'll need to put the certificate in a keystore and then pass this to your Python application. Create a keystore (using cms and stash in this example): `runmqakm -keydb -create -db clientKeyStore.kdb -pw <password> -type cms -expire <days> -stash`. Then add the server certificate: `runmqakm -cert -add -label <label> -db clientKeyStore.kdb -pw <password> -trust enable -file <certificate_file>`. Additional reference doc [here](https://www.ibm.com/support/knowledgecenter/SSFKSJ_9.2.0/com.ibm.mq.sec.doc/q012680_.htm) – richc Aug 10 '20 at 17:16
-
@richc I'm asked to generate SSL using a cert management system. I created a key database, created a CSR and uploaded it into my cert management system (which generated multiple CA certs and a personal certificate). So I did rename the personal certificate as `ibmwebspheremquser` and added this along with the CA certs to my key database. Should this key database be only under `/var/mqm/ssl`, or any location I specify as `key_repo_location`? What is the queue manager's certificate in this scenario when generating through a cert management system? – Vishnu Aug 10 '20 at 18:30
-
@Vishnu assuming queue manager name `QM1`, the MQ keystore will be under `/var/mqm/qmgrs/QM1/ssl`. By default, the store filename is `key` and must be a `.kdb`. Therefore, `/var/mqm/qmgrs/QM1/ssl/key.kdb`. Again assuming QM1, the server certificate label will be `ibmwebspheremqqm1`. For username `app`, in a default config, the client certificate label will be `ibmwebspheremqapp`. More info on [labels](https://www.ibm.com/support/knowledgecenter/SSFKSJ_9.2.0/com.ibm.mq.sec.doc/q014340_.htm) and [stores](https://www.ibm.com/support/knowledgecenter/SSFKSJ_9.2.0/com.ibm.mq.sec.doc/q010090_.htm) – richc Aug 10 '20 at 19:00
-
You’ll also need to include the `key.sth` stash file in the same directory as `key.kdb` – richc Aug 10 '20 at 19:20
-
There is no need to keep the client `kdb/sth` files in `/var/mqm/ssl`; you can put these in any location and reference them via at least three methods: 1. `key_repo_location`, 2. the environment variable `MQSSLKEYR`, or 3. a setting in the `mqclient.ini` file. @richc you have provided a great deal of info, you should write it up in a nice answer that Vishnu can accept. – JoshMc Aug 10 '20 at 23:35
-
@JoshMc As requested, I've written up an answer. It's a little long, but I wanted to try and cover all the points raised in the comment discussion. – richc Aug 11 '20 at 13:40
-
@richc I get the error `pymqi.MQMIError: MQI Error. Comp: 2, Reason 2393: FAILED: MQRC_SSL_INITIALIZATION_ERROR`; in `/var/mqm/errors/AMQERR01.LOG`: "The SSL or TLS connection was closed by the remote host; in some cases its name cannot be determined and so is shown as '????'. The channel did not start." My key database has `! ca_cert`, `! ca_cert`, `- ibmwebspheremqsrveida` – Vishnu Aug 11 '20 at 20:23
1 Answer
I have configured mutual TLS between a Python application using PyMQI, backed by the IBM MQ toolkit for macOS (9.1.5.0), and a queue manager running on a Raspberry Pi (9.2.0.0).

I have used self-signed certificates to make it easier to illustrate an end-to-end example of a TLS configuration with MQ. This would not normally be used in a production environment; your MQ administrator will typically provide any certificates that you might need to use, which are often issued by a certificate authority. Where this is the case you can skip the certificate creation steps below.

Here are the steps I took:

Initial server and Python code setup

- Set up an IBM MQ server following this tutorial, which provides the default developer configuration.
- Pulled in the Python sample code from this tutorial and put a message to `DEV.QUEUE.1` without TLS configured.

General Config

- Created some working directories on my Mac client.

```shell
mkdir tlsTest
cd tlsTest
mkdir client
mkdir server
```

Queue Manager config

- Create the server keystore.

```shell
cd server
runmqakm -keydb -create -db key.kdb -pw <password> -stash
ls
```

Check to see:

```
key.crl key.kdb key.rdb key.sth
```

- Check that the store is empty.

```shell
runmqakm -cert -list -db key.kdb -stashed
```

```
No certificates were found.
```

- Create the server certificate and put it in the new keystore `key.kdb`.

```shell
runmqakm -cert -create -db key.kdb -stashed -dn "cn=qm,o=ibm,c=uk" -label ibmwebspheremq<QMName_lowerCase> -type cms
```

- Check the certificate.

```shell
runmqakm -cert -list -db key.kdb -stashed
```

```
Certificates found
* default, - personal, ! trusted, # secret key
-	ibmwebspheremqqm1
```

The '-' denotes the client's private key and personal certificate in this keystore.

- Extract the queue manager's public key.

```shell
runmqakm -cert -extract -label ibmwebspheremq<QMName_lowerCase> -db key.kdb -stashed -file QM.cert
```

- Check to see the certificate file.

```shell
ls
```

```
QM.cert key.crl key.kdb key.rdb key.sth
```

- Inspect the certificate.

```shell
runmqakm -cert -details -file QM.cert -stashed
```

Client Config

- Change to the client directory.

```shell
cd ../client
```

- Create the client keystore.

```shell
runmqakm -keydb -create -db client.kdb -pw <password> -stash
```

- Create the client certificate and put it in the new keystore `client.kdb`.

```shell
runmqakm -cert -create -db client.kdb -stashed -dn "cn=pymqi,o=test,c=uk" -label ibmwebspheremq<userName_lowercase> -type cms
```

- Extract the client's public key.

```shell
runmqakm -cert -extract -label ibmwebspheremq<userName_lowercase> -db client.kdb -stashed -file Client.cert
```

- Optionally inspect the certificate by modifying the previous `runmqakm -cert -list` commands from the earlier server steps.

Exchange public keys

- Populate the client's keystore with the queue manager's public key.

```shell
runmqakm -cert -add -label ibmwebspheremq<QMName_lowerCase> -db client.kdb -stashed -file ../server/QM.cert
```

- Check the certificate.

```shell
runmqakm -cert -list -db client.kdb -stashed
```

```
Certificates found
* default, - personal, ! trusted, # secret key
!	ibmwebspheremqqm1
-	ibmwebspheremqapp
```

The '!' shows that the queue manager's public key is trusted.

- Populate the queue manager's keystore with the client's public key. Change to the server directory.

```shell
cd ../server
runmqakm -cert -add -label ibmwebspheremq<userName_lowercase> -db key.kdb -stashed -file ../client/Client.cert
```

- Check the certificates.

```shell
runmqakm -cert -list -db key.kdb -stashed
```

```
Certificates found
* default, - personal, ! trusted, # secret key
!	ibmwebspheremqapp
-	ibmwebspheremqqm1
```

Configure TLS on the Queue Manager

- Move the `key.kdb` and `key.sth` files from the `tlsTest/server` directory to the `/var/mqm/qmgrs/QM1/ssl` directory on the queue manager's file system.
- Modify the `DEV.APP.SVRCONN` channel to accept TLS 1.2 cipher suites.

```shell
runmqsc QM1
```

```
ALTER CHANNEL(DEV.APP.SVRCONN) CHLTYPE(SVRCONN) SSLCIPH(ANY_TLS12)
```

- Refresh the queue manager's security subsystem.

```
REFRESH SECURITY(*) TYPE(SSL)
```

TLS-enable the PyMQI application

- Add the cipher spec and label into the Python app and include the `sco` options.

```python
cd.SSLCipherSpec = b'ANY_TLS12'
sco = pymqi.SCO()
# include the file name but not the file extension
sco.KeyRepository = b'tlsTest/client/client'
sco.CertificateLabel = b'ibmwebspheremqapp'
```

- Change the `qmgr.connect` line to add the `sco` options.

```python
qmgr.connect_with_options(queue_manager, user=b'app', password=b'<your_password>', cd=cd, sco=sco)
```

- Test the Python app.

Alternate configuration to use environment variables to reference the label and keystore

- Change the Python app to remove the label and keystore.

```python
#sco = pymqi.SCO()
#sco.KeyRepository = b'tlsTest/client/client'
#sco.CertificateLabel = b'ibmwebspheremqapp'
#qmgr.connect_with_options(queue_manager, user=b'app', password=b'<your_password>', cd=cd, sco=sco)
qmgr.connect_with_options(queue_manager, user=b'app', password=b'<your_password>', cd=cd)
```

- Set the environment variables.

```shell
export MQSSLKEYR=tlsTest/client/client
export MQCERTLABL=ibmwebspheremqapp
```

- Test the Python app.

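The answer above relies on several conventions that the MQ client enforces silently and that all fail with the same `MQRC_SSL_INITIALIZATION_ERROR` the question ran into: the key repository is passed as a path stem without the `.kdb` extension, the `.sth` stash file must sit beside the `.kdb`, the client label defaults to `ibmwebspheremq` plus the lowercase user ID, and `MQSSLKEYR`/`MQCERTLABL` are consulted when the `SCO` fields are left unset. The following is an added example written for this thread, not code from PyMQI or from the answer, that checks those conventions before the connect call and generalizes the answer's hard-coded values into a resolver. The `connect()` helper assumes a working pymqi/MQ client installation and uses the `CD`/`SCO` fields the answer shows; all paths, the channel name and the connection name are placeholders.

```python
"""Pre-flight checks for a PyMQI mutual-TLS client configuration.

Added example for this thread (not part of PyMQI or of the answer above).
It encodes the conventions the thread relies on:
  * SCO.KeyRepository is the path to the .kdb file WITHOUT the extension
  * the .sth stash file must sit beside the .kdb (created with -stash)
  * the client label defaults to ibmwebspheremq<user, lowercased>
  * MQSSLKEYR / MQCERTLABL are used when the SCO fields are not set
"""
import os
from dataclasses import dataclass, field
from typing import Callable, List, Mapping, Optional, Tuple

LABEL_PREFIX = "ibmwebspheremq"
REPO_EXTENSIONS = (".kdb", ".sth", ".rdb", ".crl")


def default_cert_label(user: str) -> str:
    """Label MQ looks up when no CertificateLabel is given (app -> ibmwebspheremqapp)."""
    return LABEL_PREFIX + user.lower()


def default_qmgr_label(qmgr: str) -> str:
    """Default label of the queue manager's own certificate (QM1 -> ibmwebspheremqqm1)."""
    return LABEL_PREFIX + qmgr.lower()


@dataclass
class TlsConfig:
    key_repository: str      # path stem, what pymqi.SCO().KeyRepository expects
    certificate_label: str   # pymqi.SCO().CertificateLabel
    cipher_spec: str         # pymqi.CD().SSLCipherSpec
    problems: List[str] = field(default_factory=list)

    def ok(self) -> bool:
        return not self.problems

    def as_bytes(self) -> dict:
        """Values ready to assign to the CD/SCO objects (pymqi takes bytes)."""
        return {
            "SSLCipherSpec": self.cipher_spec.encode(),
            "KeyRepository": self.key_repository.encode(),
            "CertificateLabel": self.certificate_label.encode(),
        }


def check_key_repository(repo: str,
                         exists: Callable[[str], bool] = os.path.isfile) -> Tuple[str, List[str]]:
    """Return (stem, problems). `exists` is injectable so the check is testable offline."""
    problems: List[str] = []
    stem, ext = os.path.splitext(repo)
    if ext.lower() in REPO_EXTENSIONS:
        problems.append(f"key repository must be given without the {ext} extension: {repo}")
    else:
        stem = repo  # no recognised extension: the whole string is the stem
    if not exists(stem + ".kdb"):
        problems.append(f"missing key database {stem}.kdb")
    if not exists(stem + ".sth"):
        problems.append(f"missing stash file {stem}.sth beside the .kdb (create the store with -stash)")
    return stem, problems


def build_tls_config(user: str,
                     key_repository: Optional[str] = None,
                     certificate_label: Optional[str] = None,
                     cipher_spec: str = "ANY_TLS12",
                     env: Optional[Mapping[str, str]] = None,
                     exists: Callable[[str], bool] = os.path.isfile) -> TlsConfig:
    """Resolve repository and label the way the MQ client does: explicit SCO field,
    then environment variable, then (for the label only) the ibmwebspheremq<user> default."""
    env = os.environ if env is None else env
    repo = key_repository or env.get("MQSSLKEYR")
    label = certificate_label or env.get("MQCERTLABL") or default_cert_label(user)
    if not repo:
        return TlsConfig("", label, cipher_spec,
                         ["no key repository: set sco.KeyRepository or export MQSSLKEYR"])
    stem, problems = check_key_repository(repo, exists)
    return TlsConfig(stem, label, cipher_spec, problems)


def connect(queue_manager: str, channel: str, conn_name: str,
            user: str, password: str, cfg: TlsConfig):
    """Connect with PyMQI using a checked config. pymqi is imported lazily so the
    checks above also run on a machine without the MQ client installed."""
    if not cfg.ok():
        raise ValueError("; ".join(cfg.problems))
    import pymqi  # needs the IBM MQ client libraries (and GSKit) on this machine
    cd = pymqi.CD()
    cd.ChannelName = channel.encode()
    cd.ConnectionName = conn_name.encode()
    cd.ChannelType = pymqi.CMQC.MQCHT_CLNTCONN
    cd.TransportType = pymqi.CMQC.MQXPT_TCP
    values = cfg.as_bytes()
    cd.SSLCipherSpec = values["SSLCipherSpec"]
    sco = pymqi.SCO()
    sco.KeyRepository = values["KeyRepository"]
    sco.CertificateLabel = values["CertificateLabel"]
    qmgr = pymqi.QueueManager(None)
    qmgr.connect_with_options(queue_manager, user=user.encode(),
                              password=password.encode(), cd=cd, sco=sco)
    return qmgr


if __name__ == "__main__":
    # Placeholder paths and names: report problems first, connect only if the config is sane.
    cfg = build_tls_config("app", key_repository="tlsTest/client/client")
    for p in cfg.problems:
        print("problem:", p)
    if cfg.ok():
        qmgr = connect("QM1", "DEV.APP.SVRCONN", "localhost(1414)", "app", "<your_password>", cfg)
        qmgr.disconnect()
```

Run the checks on the client machine before touching the queue manager: a `problems` list that is empty but still ends in `MQRC_SSL_INITIALIZATION_ERROR` narrows the cause to the keystore contents (wrong label, untrusted issuer) or to the server side, which is where `AMQERR01.LOG` on the queue manager helps.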
-
My first response would be "have you tried?". The difference, as I mentioned in my comment above, is that `runmqckm` is Java based and `runmqakm` is compiled. From what I remember the only difference is that `runmqckm` supports `jks` files and `runmqakm` does not support `jks` files. Both support pkcs7 and CMS. – JoshMc Aug 11 '20 at 20:18
-
@JoshMc `/var/mqm/errors/AMQERR01.LOG` has the error "AMQ9716: Remote SSL certificate revocation status check failed for channel. EXPLANATION: IBM MQ failed to determine the revocation status of the remote SSL certificate for one of the following reasons: (a) The channel was unable to contact any of the CRL servers or OCSP responders for the certificate. (b) None of the OCSP responders contacted knows the revocation status of the certificate. (c) An OCSP response was received, but the digital signature of the response could not be verified." Any suggestion on how to get this resolved? – Vishnu Aug 12 '20 at 03:14
-
This normally means you can't get to the OCSP responders. You can disable this check in the SSL stanza of the `mqclient.ini` to test further. – JoshMc Aug 12 '20 at 03:51
-
As @JoshMc says, your client has been presented a certificate that, although it trusts it, contains details of a revocation server to validate that the certificate has not been revoked. IBM MQ has attempted to contact that server to validate the cert but has been unable to, and so blocked the connection. You need to either: * Ensure that your client can connect to the revocation server * Change your `ClientRevocationChecks` setting in the SSL stanza of the `mqclient.ini` file to OPTIONAL or DISABLED. See: https://www.ibm.com/support/knowledgecenter/en/SSFKSJ_9.0.0/com.ibm.mq.con.doc/q016900_.htm – Rob Parker Aug 12 '20 at 09:41
-
@JoshMc, hi Josh. In my key db the client cert, instead of showing as a personal certificate (`-`), is showing as a trusted cert (`!`). How can I modify this to a personal cert? – Vishnu Aug 13 '21 at 18:56
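The two `mqclient.ini` settings the comments above refer to, the third way of pointing the client at its keystore and the `ClientRevocationChecks` relaxation for AMQ9716, live in the same `SSL` stanza. The fragment below is an added example written for this thread, not taken from the page or from IBM documentation pages linked here; the path and label are placeholders, and the attribute names are those of the client configuration file's `SSL` stanza. The file is found through `MQCLNTCF` or the default locations the MQ client searches.

```ini
; mqclient.ini -- SSL stanza (added example for this thread; placeholder path and label)
SSL:
   ; Equivalent of sco.KeyRepository / MQSSLKEYR: path stem, no .kdb extension.
   ; The client.sth stash file must sit in the same directory.
   SSLKeyRepository=/home/app/tlsTest/client/client
   ; Equivalent of sco.CertificateLabel / MQCERTLABL
   CertificateLabel=ibmwebspheremqapp
   ; REQUIRED (default) fails the connection when no CRL server or OCSP responder
   ; can be reached. OPTIONAL still rejects a certificate reported as revoked but
   ; tolerates an unreachable responder. DISABLED skips revocation checking entirely.
   ClientRevocationChecks=OPTIONAL
   ; What to do when an OCSP responder answers but cannot vouch for the certificate
   OCSPAuthentication=WARN
```

`DISABLED` is a diagnostic setting: it confirms that an unreachable responder is the only thing blocking the channel. For a production client the fix is network reachability to the CRL/OCSP endpoints named in the certificate (or an `SSLHTTPProxyName` entry in the same stanza if OCSP must go through a proxy), with `ClientRevocationChecks` left at `REQUIRED`, because a client that never learns a certificate was revoked will keep trusting it.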