The piece of code below always returns 2059 MQRC_Q_MGR_NOT_AVAILABLE. I have not set up any .ini file; will that have any impact?

The server-side log shows the error below:

AMQ9637: During handshake, the remote partner sent no certificate.

EXPLANATION:
The conversation cannot begin because a certificate has not been supplied by
the remote partner.

My code:

using System;
using System.Collections;
using IBM.WMQ;   // amqmdnetstd.dll, the IBM MQ managed .NET client

// Connection properties passed to the MQQueueManager constructor
var properties = new Hashtable();
properties.Add(MQC.TRANSPORT_PROPERTY, MQC.TRANSPORT_MQSERIES_MANAGED); // managed TLS client, no MQ client install needed
properties.Add(MQC.SSL_PEER_NAME_PROPERTY, "CN=BL9UZ8L");               // expected DN of the queue manager certificate
// Remaining settings via the static MQEnvironment
MQEnvironment.Hostname = "xyz.com";
MQEnvironment.Port = 6000;
MQEnvironment.Channel = "2BMQ.NET.SPL";
MQEnvironment.SSLKeyRepository = "*SYSTEM";          // Windows LocalMachine certificate store
MQEnvironment.SSLCertRevocationCheck = false;
MQEnvironment.SSLCipherSpec = "TLS_RSA_WITH_AES_128_CBC_SHA256"; //"TLS_RSA_WITH_AES_256_CBC_SHA256";
MQEnvironment.CertificateLabel = "2BMQ_PROD";        // friendly name of the client certificate in the store
Environment.SetEnvironmentVariable("MQDOTNET_TRACE_ON", "2"); // enable client-side trace
MQQueueManager queueManager = new MQQueueManager("BL9UZ8L", properties); // fails with 2059

Trace file extract generated at the client:

  • Should check be true? `MQEnvironment.SSLCertRevocationCheck = false;` – jdweng Nov 02 '20 at 17:13
  • See Wiki (https://en.wikipedia.org/wiki/Transport_Layer_Security). If the server wants TLS 1.3, CBC is not accepted. You may need to add to the client: System.Net.ServicePointManager.SecurityProtocol = System.Net.SecurityProtocolType.Tls12 – jdweng Nov 02 '20 at 17:16
  • @jdweng: Yes, I tried with SSLCertRevocationCheck = true too, still the same. And I also tried both System.Net.SecurityProtocolType.Tls11 and System.Net.SecurityProtocolType.Tls12, still the same issue. – Keep Learning Nov 02 '20 at 17:32
  • The issue is in the client. Are you using a URL with HTTPS? – jdweng Nov 02 '20 at 17:39
  • You would need to check with the MQ Admin what error is produced in the `AMQERR01.LOG` on the queue manager, in this case the queue manager is what is referenced by "remote partner sent no certificate" assuming that error is from the client side. – JoshMc Nov 02 '20 at 18:27
  • Does the MQ server have all the necessary CA certs to trust your client cert? I once had this problem where the CA cert was missing in the MQ server key store. – Daniel Steinmann Nov 02 '20 at 20:48
  • @JoshMc the error message was produced in queue manager not on client side. – Keep Learning Nov 03 '20 at 05:43
  • @DanielSteinmann As per the MQ admin team they say they have set appropriate CN for the channel on queue manager to acknowledge me as client. Not sure if I need to ask for anything more. – Keep Learning Nov 03 '20 at 05:44
  • Do you have a private key cert with friendly name `2BMQ_PROD` in your windows SYSTEM key store? What version (full version) of IBM MQ is your `amqmdnet.dll` from? – JoshMc Nov 03 '20 at 06:12
  • @JoshMc: Yes, I have imported the .pfx cert into my Windows system key store under personal certificates, and yes, its friendly name is 2BMQ_PROD. Also, I am not using the full version of the IBM MQ client; I have the stand-alone version, i.e. I'm just using the package from NuGet and only have the amqmdnetstd.dll referenced. Is it mandatory to have the full IBM MQ client installed? – Keep Learning Nov 03 '20 at 06:24
  • Having `amqmdnetstd.dll` should be fine. I noticed that you have both MQEnvironment settings and a properties hash table, I would suggest setting them all in the properties hash table, ex: `MQC.HOST_NAME_PROPERTY, MQC.PORT_PROPERTY, MQC.CHANNEL_PROPERTY, MQC.SSL_CERT_STORE_PROPERTY, CertificateLabel, MQC.SSL_CIPHER_SPEC_PROPERTY`, I'm sure you can find the others you need. Also perhaps this is a permission issue on SYSTEM keystore. See this [answer](https://stackoverflow.com/questions/7984945/the-credentials-supplied-to-the-package-were-not-recognized-error-when-authent/7990364#7990364). – JoshMc Nov 03 '20 at 07:14
  • Also this may be helpful [SSL connection in Managed MQ .NET (MQ v8)](https://community.ibm.com/community/user/imwuc/viewdocument/ssl-connection-in-managed-mq-net?CommunityKey=183ec850-4947-49c8-9a2e-8e7c7fc46c64&tab=librarydocuments). – JoshMc Nov 03 '20 at 07:17
  • @JoshMc Thanks much, I'll make the changes you suggested and go through the links you provided and will update the results. – Keep Learning Nov 03 '20 at 07:22
  • @JoshMc: Moved all settings to the Hashtable properties and ran Visual Studio in admin mode to make sure it's not a permission issue reaching the system key store, but still facing the same Q Mgr not available issue. I doubt it's something on the Q Mgr side; the MQ admin is not very friendly, he just says everything is good and other clients are connecting perfectly fine. But I have doubts. – Keep Learning Nov 03 '20 at 07:50
  • Based on the error queue manager sees with "remote partner sent no certificate" it indicates you are NOT sending a cert. You indicate having the env variable `MQDOTNET_TRACE_ON` set, what does your trace show when you attempt to connect? Also note the label you specify is case sensitive and must match the friendly name exactly. – JoshMc Nov 03 '20 at 07:57
  • @JoshMc Added trace file extract to the question, please have a look and let me know if you have any comments on the same. Thanks – Keep Learning Nov 03 '20 at 08:31
  • Can you try to enable a [SSLStream trace](https://www.ibm.com/support/knowledgecenter/SSFKSJ_9.2.0/com.ibm.mq.dev.doc/q120710_.htm) and see if this will provide anything future. Note the page does not appear to be updated for 9.2, I think you would need to adjust the sharedListeners section to match the .net standard dll as well as the version. Another test to help narrow down the problem would be to try this all with the .NET Framework dll `amqmdnet.dll` instead, the actual code should be the same under either Framework or Standard. Also possibly downgrade to 9.1.0.6 and try it. – JoshMc Nov 03 '20 at 09:03
  • Got it, thanks @JoshMc, will try your suggestions and see how it goes. Also I got kdb certs; can you please tell me, if I want to connect as an unmanaged connection, how to do it in .NET? – Keep Learning Nov 03 '20 at 09:11
  • That would require the `amqmdnet.dll` and a mq client install, either a full installation or the redist zip extract. Change transport to `MQC.TRANSPORT_MQSERIES_CLIENT`. – JoshMc Nov 03 '20 at 09:22
  • @AjeetKulkarni: Adding the CN to the channel configuration is not enough. As I wrote, the MQ server needs all the CA certs of your certificate. Can you show us the output of `runmqakm -cert -list -db /var/mqm/qmgrs/BL9UZ8L/ssl/key.kdb -stashed` (or wherever your MQ server admin has the key database)? And also can you tell us the signing CAs of your client certificates? – Daniel Steinmann Nov 03 '20 at 14:48
  • @Ajeet Did you manage to solve this issue? I am kind of stuck in a similar situation. What was the root cause and what changes did you make to solve this problem? – Akshay Joshi May 27 '21 at 16:51

1 Answer

I had the same problem as above (and a couple of other problems). Here are my findings, hope they are helpful:

  • I could not get the "CertificateLabel" property to work. Ended up setting the certificate friendly name to the default (right click certificate in certmgr and click properties), which is "ibmwebspheremq[userAccountName]" where [userAccountName] is replaced with the name of the user account running the program.
  • For it to work I had to change the "SSL Configuration Settings" in Local Group Policy Editor, so the "SSL Cipher Suite Order" contained the value of the "SSLCipherSpec" property (link to source about it).
  • [EDIT: This part about tracing doesn't work in all situations. I suspect it only works when WebSphere MQ is installed locally] In order to be able to see some WebSphere MQ logs, I enabled trace for it by using the environment variable "MQTRACEPATH" and set the value to a path, where I wanted the trace files to end.

Note that all my problems were due to my client not providing the server with a client certificate.

  • Sorry I couldn't update here; yeah, I too solved this by using the certificate friendly name a long time back. Thanks for sharing all the other details. – Keep Learning Jun 22 '22 at 14:41
  • For anyone still looking: I have been struggling to get the trace to work. I finally got it to work by using Environment.SetEnvironmentVariable("MQDOTNET_TRACE_ON", "2"); Environment.SetEnvironmentVariable("MQTRACEPATH", "C:\\Temp\\MQTest2022"); – RobbZ Nov 18 '22 at 12:03
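As an added example (not code from the question, the answer or IBM), here is the pre-flight check a practitioner would run before connecting: it looks in the Windows LocalMachine personal store that `*SYSTEM` maps to for a certificate whose friendly name matches the label exactly (the match is case-sensitive, as noted in the comments), confirms it carries a private key and chains to a trusted root, and then builds the connection with every setting in the properties Hashtable rather than split across MQEnvironment, as JoshMc suggested. Assumptions: `MQC.CERT_LABEL_PROPERTY` as the property constant behind `CertificateLabel`, and a lower-cased user name in the default `ibmwebspheremq<user>` label the answer describes.

```csharp
using System;
using System.Collections;
using System.Security.Cryptography.X509Certificates;
using IBM.WMQ;

// Pre-flight for AMQ9637 / 2059: is the certificate the client is told to present actually usable?
static class MqTlsPreflight
{
    // Default label ("ibmwebspheremq" + logon user); lower-casing is an assumption, the match is case-sensitive.
    public static string DefaultLabel() => "ibmwebspheremq" + Environment.UserName.ToLowerInvariant();
    // Null when usable, else a description of the defect. LocalMachine corresponds to "*SYSTEM".
    public static string CheckLabel(string label, StoreLocation location)
    {
        using var store = new X509Store(StoreName.My, location);
        store.Open(OpenFlags.ReadOnly);
        X509Certificate2 exact = null, caseOnly = null;
        foreach (var c in store.Certificates)
        {
            if (string.Equals(c.FriendlyName, label, StringComparison.Ordinal)) exact = c;
            else if (string.Equals(c.FriendlyName, label, StringComparison.OrdinalIgnoreCase)) caseOnly = c;
        }
        if (exact == null)
            return caseOnly == null
                ? $"no certificate with friendly name '{label}' in {location}\\My"
                : $"friendly name differs only by case: store has '{caseOnly.FriendlyName}'";
        if (!exact.HasPrivateKey)
            return $"'{label}' has no private key (import the .pfx, not the .cer)";
        using var chain = new X509Chain();
        chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck; // mirrors SSLCertRevocationCheck = false
        if (!chain.Build(exact))
            return $"'{label}' does not chain to a trusted root: {chain.ChainStatus[0].Status}";
        return null;
    }
    // Every connection setting in the Hashtable, none via the static MQEnvironment.
    public static MQQueueManager Connect(string label)
    {
        var props = new Hashtable
        {
            { MQC.TRANSPORT_PROPERTY, MQC.TRANSPORT_MQSERIES_MANAGED },
            { MQC.HOST_NAME_PROPERTY, "xyz.com" },
            { MQC.PORT_PROPERTY, 6000 },
            { MQC.CHANNEL_PROPERTY, "2BMQ.NET.SPL" },
            { MQC.SSL_CERT_STORE_PROPERTY, "*SYSTEM" },
            { MQC.SSL_CIPHER_SPEC_PROPERTY, "TLS_RSA_WITH_AES_128_CBC_SHA256" },
            { MQC.SSL_PEER_NAME_PROPERTY, "CN=BL9UZ8L" },
            { MQC.CERT_LABEL_PROPERTY, label } // assumption: constant name for "CertificateLabel"
        };
        return new MQQueueManager("BL9UZ8L", props);
    }
}
```

Run `CheckLabel("2BMQ_PROD", StoreLocation.LocalMachine)` (or `CheckLabel(DefaultLabel(), ...)`) under the same account that will run the program, since private-key access is per account; a non-null result is the reason the queue manager sees no certificate, and only a null result is worth passing on to `Connect`.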