
Note: I am running my python script on the same MQ server. I am able to connect to the Qmgr with one-way SSL.

import pymqi

# Values the script sets earlier; placeholders shown here so the snippet runs as-is
channel = 'TEST1'                        # client-connection channel (placeholder)
conn_info = 'localhost(1414)'            # host(port) of the queue manager listener (placeholder)
ssl_cipher_spec = 'ANY_TLS12_OR_HIGHER'  # must match the channel's SSLCIPH (placeholder)
key_repo_location = '/path/to/client'    # client.kdb without the .kdb suffix (placeholder)
queue_manager = 'QM1'                    # placeholder
queue_name = 'DEV.QUEUE.1'               # placeholder

cd = pymqi.CD()
cd.ChannelName = channel
cd.ConnectionName = conn_info
cd.ChannelType = pymqi.CMQC.MQCHT_CLNTCONN
cd.TransportType = pymqi.CMQC.MQXPT_TCP
cd.SSLCipherSpec = ssl_cipher_spec
sco = pymqi.SCO()
sco.KeyRepository = key_repo_location    # key store holding the client cert and its signers
qmgr = pymqi.QueueManager(None)          # None: build the object without connecting yet
qmgr.connect_with_options(queue_manager, cd, sco)
queue = pymqi.Queue(qmgr, queue_name)

I am running IBM MQ on a server. I have configured the Qmgr with SSL and am able to connect to it using IBM Explorer. I am trying to connect a python application using the pymqi library to the MQ Qmgr with an SSL connection. Using SSL I am unable to connect to the Qmgr.

runmqakm -cert -list -db client.kdb -stashed
Certificates found
* default, - personal, ! trusted, # secret key
!   ibmwebspheremqqm1
*-  ibmwebspheremqapp

runmqakm -cert -list -db key.kdb -stashed
Certificates found
* default, - personal, ! trusted, # secret key
!   "cn=signer-cert"
!   ibmwebspheremqapp
-   ibmwebspheremqqm1

key.kdb --> Qmgr key db
client.kdb --> python application client key db

Steps performed: Created a client.kdb key db and created a certificate using the runmqakm utility, extracted the qmgr public certificate and added it to the client.kdb key db, and extracted the client public cert and added it to the qmgr key db.

MQ version - v9.2
Python version - 3.6
OS - RHELinux

Error on python script:

Traceback (most recent call last):
  File "ssl-mq.py", line 32, in <module>
    qmgr.connect_with_options(queue_manager, cd, sco)
  File "/root/.local/lib/python3.6/site-packages/pymqi-1.12.10-py3.6-linux-x86_64.egg/pymqi/__init__.py", line 1747, in connect_with_options
    raise MQMIError(rv[1], rv[2])
pymqi.MQMIError: MQI Error. Comp: 2, Reason 2393: FAILED: MQRC_SSL_INITIALIZATION_ERROR

I understand that the python code is not sending a certificate to the MQ Qmgr and that's the reason it is failing. Within the pymqi library I am not sure where I send my client cert.

AMQ9633E: Bad SSL certificate for channel 'TEST1'.

The details of the certificate which could not be validated are '[Class=]GSKVALMethod::X509 The certificate validation error was 575010

ACTION: Check which of the possible causes applies on your system. Correct the error, and restart the channel. This error might indicate that the remote end of the channel is configured to send the wrong certificate. Check the certificate label configuration at the remote end of the channel and ensure that the local key repository contains all of the necessary CA certificates.
JoshMc
Vishnu
  • Is that error the only error with the same timestamp in the client error logs? What error do you see on the queue manager's AMQERR01.LOG? Can you use `runmqakm -cert -list -db key.kdb -stashed` and add the output for both client and queue manager to your question (click edit)? – JoshMc Feb 04 '23 at 10:58
  • RE: https://developer.ibm.com/tutorials/mq-secure-msgs-tls/ Are you setting up simple TLS with server authentication or are you setting up mutual authentication? – chughts Feb 04 '23 at 14:25
  • Can you show us the rest of that error message, specifically the certificate details it is complaining about, and can you list out the certificate details in both your client and queue manager KDB files so we can compare them to the error message. Please update your question with these details rather than adding a comment. – Morag Hughson Feb 06 '23 at 01:46
  • Can you tell us what parameters you used to create both the certificates? For example the key size may be too small – colin paice Feb 11 '23 at 10:19
  • @joshmc I was able to connect using one-way SSL. When I am using mutual authentication and trying to send my client cert to the Qmgr using the pymqi library I am getting into issues. – Vishnu Mar 07 '23 at 20:56
  • @chughts I have successfully implemented simple TLS with Server Authentication. Now I am trying to set up Mutual Authentication. – Vishnu Mar 07 '23 at 20:57
  • Without more detail there is not much to help you with. Seems your client can't find the private key cert to use. What is the label of the cert in the key store? – JoshMc Mar 07 '23 at 22:30
  • @JoshMc I have two labels: ibmwebspheremqqm1 which is my qmgr cert label and another label ibmwebspheremqapp which is the client cert. I am using the pymqi library. My question is where do I send the certificate for mutual authentication? – Vishnu Mar 07 '23 at 22:32
  • @JoshMc I have updated the post and I have used a similar setup -- https://stackoverflow.com/questions/63259241/pymqi-connecting-to-ibm-mq-with-ssl?rq=1 – Vishnu Mar 07 '23 at 22:42
  • This will work only if the user that your python runs as is called "app" or you specify the certlabel in some other way. The key on that other post is `-label ibmwebspheremq` – JoshMc Mar 07 '23 at 23:34
  • AMQ9633E: Bad SSL certificate for channel 'TEST1'. The details of the certificate which could not be validated are '[Class=]GSKVALMethod::X509 The certificate validation error was 575010. ACTION: Check which of the possible causes applies on your system. Correct the error, and restart the channel. This error might indicate that the remote end of the channel is configured to send the wrong certificate. Check the certificate label configuration at the remote end of the channel and ensure that the local key repository contains all of the necessary CA certificates. – Vishnu Mar 08 '23 at 16:01
  • @JoshMc I am using the same user (app) to run my python program. I have labels ibmwebspheremqapp (which has my client cert) and ibmwebspheremqqm1 (which has my qmgr cert). Within my Python program I am giving the cert label as ibmwebspheremqapp, but I am still getting the above error. – Vishnu Mar 08 '23 at 16:03
  • @JoshMc when I change the SSLCAuth to Optional on my channel it works absolutely fine. When I change it to required, that's where the SSL Initialization Error is being thrown. I see in the MQ errors a trusted cert is being sent to the MQ Qmgr which it is unable to validate. Not sure why it is sending the trusted cert rather than the default personal cert. – Vishnu Mar 08 '23 at 16:41
  • @richc did you test with mutual TLS Authentication? – Vishnu Mar 08 '23 at 19:17
  • 575010="No certificate chain was built". Check that you have the app public key in the queue manager kdb file. Can you explain what you mean by "trusted cert rather than default personal"? As long as the label has your lowercase user the label doesn't need to be specified in Python. Can you look at the client side AMQERR01.LOG; in a full client install it would be under /var/mqm/errors, if using the Redist client it will be under $HOME. – JoshMc Mar 08 '23 at 20:20
  • @JoshMc I have the app public key in the Queue Manager. The label is in lowercase user (ibmwesbpheremqapp). The logs provided above are from /var/mqm/errors --> AMQ9633E Bad SSL and 575010. The certificate which I am using on the python end is self-signed and doesn't have any chain associated. – Vishnu Mar 08 '23 at 22:06
  • I have added the public key from the Qmgr to my client key db. When I am trying to connect to the qmgr, I see the qmgr public key is sent and the 9633 error is thrown saying unable to validate. – Vishnu Mar 08 '23 at 22:08
  • Was this just a typo in your comment? ibmwe**sb**pheremqapp. Do you have the root cert that signs the queue manager cert in the client kdb file? Can you list and edit the question with the output of both the queue manager and client kdb? – JoshMc Mar 08 '23 at 22:53
  • Yes, it is a typo and I will list both key and client db output – Vishnu Mar 09 '23 at 02:57
  • @JoshMc I have updated the runmqakm output for the qmgr keydb and client key db. – Vishnu Mar 09 '23 at 17:58
  • I think you need cn=signer-cert in your client kdb. – JoshMc Mar 10 '23 at 00:19
  • @JoshMc Thank you for all the help. Yes, the root cert was the issue. Once I added the root cert it connected back. – Vishnu Mar 10 '23 at 13:18
  • 1. Please add the full AMQ9633E error into your question by editing it. – JoshMc Mar 10 '23 at 16:01
  • 2. Please kindly show thanks by accepting my answer and up voting it if you appreciate my time – JoshMc Mar 10 '23 at 16:02
  • 3. Delete all of your comments since all the information will be captured in the question and my answer. I'll do the same with my comments. Glad you got it working. – JoshMc Mar 10 '23 at 16:04
  • @Vishnu will you please accept my answer? – JoshMc Mar 13 '23 at 20:35

2 Answers

The issue was that client.kdb was missing the root certificate. When I imported the cert into client.kdb I validated that it had the entire certificate chain, but for some reason MQ could not read it. I had to extract the root cert (signing authority cert) and import it into the client key db. Once that was done the python application was able to connect to the Qmgr with mutual TLS authentication.

Vishnu

You mentioned in the comments that you were getting an AMQ9633E: Bad SSL certificate for channel 'TEST1'. error with The certificate validation error was 575010.

The 575010 error means "No certificate chain was built". This normally means that your cert is not trusted because it's missing a signer cert.

Troubleshoot this error by running the following command against both the client and queue manager key store:

runmqakm -cert -list -db key.kdb -stashed
  1. Make sure each has a personal certificate, denoted by the hyphen in the first column.
  2. If the cert is signed by a CA make sure you have the root CA added to the other key store.
  3. If the cert is self signed make sure you have the public key of the cert added to the other key store.

In your case you are missing the cn=signer-cert that signed your queue manager cert in the client.kdb.

JoshMc
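The three checks from this answer, applied to the two runmqakm listings in the question, as an added example (not code from the question, the answer or pymqi). It assumes the issuers stated in the thread: the app cert is self-signed and the queue manager cert is signed by cn=signer-cert.

```python
import re

# Listings copied from the question (client.kdb and the queue manager's key.kdb).
CLIENT_KDB = """Certificates found
* default, - personal, ! trusted, # secret key
!   ibmwebspheremqqm1
*-  ibmwebspheremqapp
"""
QMGR_KDB = """Certificates found
* default, - personal, ! trusted, # secret key
!   "cn=signer-cert"
!   ibmwebspheremqapp
-   ibmwebspheremqqm1
"""
# Issuer of each personal cert (from the thread): None means self-signed.
ISSUER = {"ibmwebspheremqapp": None, "ibmwebspheremqqm1": "cn=signer-cert"}
ENTRY = re.compile(r'^([*\-!#]+)\s+"?([^"]+)"?$')

def parse_listing(text):
    """Map each label in `runmqakm -cert -list` output to its flag characters."""
    certs = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("Certificates found", "* default")):
            continue  # skip the banner and the legend line
        m = ENTRY.match(line)
        if m:
            certs[m.group(2)] = set(m.group(1))
    return certs

def personal_labels(certs):
    """Step 1: personal certs carry '-' in the first column."""
    return {label for label, flags in certs.items() if "-" in flags}

def check_store(local, peer, issuer):
    """Steps 2 and 3, one direction: can `local` validate `peer`'s personal cert?
    Self-signed peers need their own public key trusted in `local`, CA-signed
    peers need the signer's root. Returns a list of problems (empty if OK)."""
    problems = []
    if not personal_labels(local):
        problems.append("no personal certificate ('-' entry) in this store")
    for label in personal_labels(peer):
        needed = issuer.get(label) or label
        if "!" not in local.get(needed, set()):
            problems.append(f"missing trusted {needed!r} needed to validate peer cert {label!r}")
    return problems

def diagnose():
    """Run the check both ways, as the answer suggests doing with both key stores."""
    client, qmgr = parse_listing(CLIENT_KDB), parse_listing(QMGR_KDB)
    return {"client.kdb": check_store(client, qmgr, ISSUER),
            "key.kdb": check_store(qmgr, client, ISSUER)}
```

Running `diagnose()` reports only one problem, for client.kdb: the missing trusted cn=signer-cert, which is exactly what the asker had to import.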