Is alias mentioned during "keytool -import" same as Certificate Label?

Question

We are connecting to IBM MQ from Java client we have successfully established the connection when sslauth is set to optional SSLCAUTH(OPTIONAL). But when we change it to required SSLCAUTH(REQUIRED) we are getting

AMQ9637E: During handshake, the remote partner sent no certificate

I have checked below link

Connecting to a Websphere MQ in Java with SSL/Keystore

T.Rob's answer mentions about "the QMgr must have your application's self-signed cert or a CA root cert that signed your app's cert in its keystore"

and below link

.Net and IBM MQ Managed connection SSL using pfx ca cert

which exactly quotes the exception/error that we are getting at Server / Queue Manager's end.(During handshake, the remote partner sent no certificate.)

As quoted by Daniel in one the comment of above answer "the MQ server needs all the CA certs of your certificate". I feel this may be issue in my case too.

My question is

In response section for AMQ9637E in IBM doc's

https://www.ibm.com/docs/en/ibm-mq/9.0?topic=multiplatforms-amq9xxx-remote

It is mentioned that "Look at the key repository on the remote side of this channel, and make sure the appropriate certificates are present, with correct labels.".

Here I am not very much sure about what labels is referring to is it referring to Alias name that we have given to certificate ?

Answer 1

Based on the labels you have a Java based application. Java does not use the cert label when selecting a cert to present, it picks a cert based on what signers the queue manager trusts. The queue manager must have the full signer chain in its key store for the java client to present a cert. If your cert is signed by an intermediate and then that is signed by a root you would need both in the queue manager key store.