
I have a .NET Core application that puts messages on an IBM message queue. The connection is a secure SSL connection with CipherSpec TLS_RSA_WITH_AES_256_CBC_SHA256. I am using the sample application from the IBM .NET Core client for managed code. When I run the code normally on my computer and in Visual Studio debug, it works on Windows.

I have the certs in the Dockerfile:

    COPY ["myCAcert.crt", "/usr/local/share/ca-certificates/" ]
    RUN  update-ca-certificates;

However, the code fails when running from a Linux Docker container. I used dotnet/core/aspnet:3.1-buster-slim in my Dockerfile. I used telnet to check whether the host is reachable, and it is. I don't know why I get this error in the container.

    private String hostName = "151.156.191.22";
    private int port = 1414;
    private String channelName = "CHANNELA";
    private String queueManagerName = "MYQUEUE";
    private String queueName = "MYQUEUENAME";
    private String userName = "s1user";
    private String password = "123tfdfa";
    private const String messageString = "test message";
    private int numberOfMsgs = 1;
    private String sslKeyRepository = "*USER";
    private String cipherSpec = "TLS_RSA_WITH_AES_256_CBC_SHA256";
    private String sslPeerName = null;
    private int keyResetCount = 0;
    private Boolean sslCertRevocationCheck = false;
    private MQQueueManager queueManager;
    private MQQueue queue;
    private Hashtable properties;
    private MQMessage message;

    void PutMessages()
    {
        try
        {
            // mq properties
            properties = new Hashtable();
            properties.Add(MQC.TRANSPORT_PROPERTY, MQC.TRANSPORT_MQSERIES_MANAGED);
            properties.Add(MQC.HOST_NAME_PROPERTY, hostName);
            properties.Add(MQC.PORT_PROPERTY, port);
            properties.Add(MQC.CHANNEL_PROPERTY, channelName);
            properties.Add(MQC.USER_ID_PROPERTY, userName);
            properties.Add(MQC.PASSWORD_PROPERTY, password);

            if (sslKeyRepository != null)
            {
                properties.Add(MQC.SSL_CERT_STORE_PROPERTY, sslKeyRepository);
            }
            if (cipherSpec != null)
            {
                properties.Add(MQC.SSL_CIPHER_SPEC_PROPERTY, cipherSpec);
            }
            if (sslPeerName != null)
            {
                properties.Add(MQC.SSL_PEER_NAME_PROPERTY, sslPeerName);
            }
            if (keyResetCount != 0)
            {
                properties.Add(MQC.SSL_RESET_COUNT_PROPERTY, keyResetCount);
            }
            if (sslCertRevocationCheck != false)
            {
                MQEnvironment.SSLCertRevocationCheck = sslCertRevocationCheck;
            }
            
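            queueManager = new MQQueueManager(queueManagerName, properties);
            // ... open the queue and put the messages (omitted in the question) ...
        }
        catch (MQException mqe)
        {
            // Report the MQ reason code, e.g. 2538 - MQRC_HOST_NOT_AVAILABLE
            Console.WriteLine("MQException caught: {0} - {1}", mqe.ReasonCode, mqe.Message);
            Console.WriteLine(mqe.StackTrace);
        }
    }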

Connecting to queue manager..

MQException caught: 2538 - MQRC_HOST_NOT_AVAILABLE
   at IBM.WMQ.MQQueueManager.Connect(String queueManagerName)
   at IBM.WMQ.MQQueueManager..ctor(String queueManagerName, Hashtable properties)

Error Code: CWSMQ0006

  • Have you installed the certificates on the Linux keystore? – subbaraoc May 30 '21 at 10:08
  • Hi, yes, I added them via the Dockerfile – Nirjal Khadka May 30 '21 at 10:22
  • Did you ping the host "151.156.191.22" from your Docker container? – Shashi May 30 '21 at 13:49
  • @sashi I did that too, I did telnet to the host and port 1818. I get the connected response back – Nirjal Khadka May 30 '21 at 14:58
  • Check the AMQERR01.LOG file of the queue manager to see if there are any messages generated when you receive the 2538. – JoshMc May 30 '21 at 18:27
  • @JoshMc checked the log. Nothing logged regarding the call, I can see – Nirjal Khadka May 31 '21 at 11:06
  • MQRC 2538 - MQRC_HOST_NOT_AVAILABLE - possible reasons are 1) The connection name in the client channel definition is incorrect. 2) The network is currently unavailable. 3) A firewall blocking the port, or protocol-specific traffic. 4) The security call initializing the IBM® WebSphere® MQ client is blocked by a security exit on the SVRCONN channel at the server. - Since you are able to telnet to server, #2 and #3 can be ruled out. So you need to focus #1 and #4. – Shashi May 31 '21 at 13:04
  • @Shashi #3, some firewalls can block TLS traffic but allow unencrypted traffic to pass. – JoshMc May 31 '21 at 14:14
  • The thing is, this works in my Windows environment, the host is available. The Docker container is running on Linux with the dotnet/core/aspnet:3.1-buster-slim image, but it fails. I checked with telnet, and it connects to the host port. It only fails in Docker; I even tried disabling TLS, same issue – Nirjal Khadka Jun 01 '21 at 10:53
  • https://stackoverflow.com/questions/64580857/unable-to-autheticate-to-ibm-mq-c-sharp-with-tls-certificate has something similar, but perhaps something to do with the certificate store? @hazelrah any help – Nirjal Khadka Jun 06 '21 at 16:18

1 Answer


I found the solution to my own question. There are a few things that caused this error.

  1. .NET Core has its own certificate store, so the certificate should be added there. The following also works on Linux.

        using System.Security.Cryptography.X509Certificates;

        // Load the CA certificate and add it to the current user's certificate store
        X509Certificate2 certificateca1 = new X509Certificate2("MyCaCert.crt");
        X509Store store = new X509Store(StoreName.My, StoreLocation.CurrentUser);
        store.Open(OpenFlags.ReadWrite);
        store.Add(certificateca1);
        store.Close();

This will install the certificate in the certificate store. Next set the XMSC property as usual. The following will work.

    cf.SetStringProperty(XMSC.WMQ_SSL_KEY_REPOSITORY, "*USER");

This blog also has the solution regarding the certificate: https://wiliammbr.com/drop-messages-in-ibm-mq-using-net-core/ and also here: https://www.imwuc.org/HigherLogic/System/DownloadDocumentFile.ashx?DocumentFileKey=fbad35e1-86ae-4a0b-3ebb-e990f6fd156e

Then I received a 2059 error, QManager not available. This was due to the CipherSpec I was using.

I had to change the CipherSpec to AES_128, and also change the MQ server channel to accept AES128, because the official IBM .NET library did not support AES256 on Linux. More in the other Stack Overflow question, "Error MQException caught: 2059 - MQRC_Q_MGR_NOT_AVAILABLE .Net Core Linux Docker Container IBM MQ, caused by cipherspec mismatch".

    private String cipherSpec = "TLS_RSA_WITH_AES_256_CBC_SHA256";

Making these changes solved it for me. Please let me know if you are stuck with something similar.
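
A startup check for the certificate step in the answer above, as an added example that is not from the original post or from IBM's samples: it adds the CA certificate to CurrentUser\My only when it is missing and prints which stores can see it, which shows whether a certificate installed with `update-ca-certificates` (LocalMachine\Root on Linux) is also in the user store that `"*USER"` reads. The class name `CaStoreCheck` and the default file path are assumptions.

```csharp
using System;
using System.Security.Cryptography.X509Certificates;

public static class CaStoreCheck   // hypothetical helper, not part of the IBM MQ client
{
    // Adds the CA certificate to CurrentUser\My (the store the answer uses)
    // only when it is not already present. Returns true if it was added.
    public static bool EnsureInUserStore(X509Certificate2 ca)
    {
        using (var store = new X509Store(StoreName.My, StoreLocation.CurrentUser))
        {
            store.Open(OpenFlags.ReadWrite);
            if (Contains(store, ca)) return false;
            store.Add(ca);
            return true;
        }
    }

    static bool Contains(X509Store store, X509Certificate2 ca) =>
        store.Certificates.Find(X509FindType.FindByThumbprint, ca.Thumbprint, false).Count > 0;

    // Reports, per store, whether the CA certificate is visible to this process.
    public static void Report(X509Certificate2 ca)
    {
        var stores = new[]
        {
            (StoreName.My,   StoreLocation.CurrentUser),
            (StoreName.Root, StoreLocation.CurrentUser),
            (StoreName.Root, StoreLocation.LocalMachine), // OS trust bundle on Linux
        };
        foreach (var (name, location) in stores)
        {
            using (var store = new X509Store(name, location))
            {
                store.Open(OpenFlags.ReadOnly);
                Console.WriteLine($"{location}\\{name}: {(Contains(store, ca) ? "present" : "missing")}");
            }
        }
    }

    public static void Main(string[] args)
    {
        // The default path is an assumption; pass the CA file copied into the image.
        var ca = new X509Certificate2(args.Length > 0 ? args[0] : "MyCaCert.crt");
        // Print identity and expiry so the operator can confirm it is the expected CA.
        Console.WriteLine($"Subject={ca.Subject} Thumbprint={ca.Thumbprint} NotAfter={ca.NotAfter:u}");
        Console.WriteLine(EnsureInUserStore(ca) ? "added to CurrentUser\\My" : "already in CurrentUser\\My");
        Report(ca);
    }
}
```

Run it as the same user the application runs as inside the container, because the CurrentUser store is per user.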