I have configured SSL for the queue manager named "QMA" and the channel named "QMACLCHL". I just set the certificate label and cipher name. For the queue manager I also set the key store path (default value). In that directory I generated the .kdb file and the stashed password file, using commands like these:
cd /var/mqm/qmgrs/QMA/ssl
# create the CMS key database and stash its password
runmqakm -keydb -create -db key.kdb -pw ********* -stash
# create a self-signed certificate for the queue manager
runmqakm -cert -create -db key.kdb -label certqma -stashed -size 2048 -sigalg SHA512WithRSA -dn CN=QMA
# extract the public certificate so it can be copied to the client
runmqakm -cert -extract -db key.kdb -label certqma -file qma.arm -stashed
# add the extracted certificate back into the same key database under the label "QMA"
runmqakm -cert -add -db key.kdb -label "QMA" -file /var/mqm/qmgrs/QMA/ssl/qma.arm -format ascii -stashed
Then I copied these files to another PC and tried to connect to the queue manager over SSL. My .NET code looks like this:
Hashtable properties = new Hashtable();
properties.Add(MQC.TRANSPORT_PROPERTY, MQC.TRANSPORT_MQSERIES_MANAGED);
// key repository and certificate store copied from the queue manager's ssl directory
properties.Add(MQC.MQCA_SSL_KEY_REPOSITORY, "E:\\workspace ttttt\\test_projects\\IBMMQ\\Receiver\\ssl\\key");
properties.Add(MQC.SSL_CERT_STORE_PROPERTY, "E:\\workspace ttttt\\test_projects\\IBMMQ\\Receiver\\ssl");
// cipher settings (both properties set to the same CipherSpec)
properties.Add(MQC.MQCACH_SSL_CIPHER_SUITE, "TLS_RSA_WITH_AES_128_CBC_SHA256");
properties.Add(MQC.SSL_CIPHER_SPEC_PROPERTY, "TLS_RSA_WITH_AES_128_CBC_SHA256"); //TLS_RSA_WITH_AES_128_CBC_SHA
properties.Add(MQC.MQCACH_SSL_PEER_NAME, "net_client");
properties.Add(MQC.SSL_RESET_COUNT_PROPERTY, 400000);
properties.Add(MQC.USER_ID_PROPERTY, "mqm");
// connection details for channel QMACLCHL on the queue manager host
properties.Add(MQC.HOST_NAME_PROPERTY, "172.19.165.167");
properties.Add(MQC.CHANNEL_PROPERTY, "QMACLCHL");
properties.Add(MQC.CONNECTION_NAME_PROPERTY, "172.19.165.167(1414)");
// create connection
Console.Write("Connecting to queue manager.. ");
MQEnvironment.SSLCertRevocationCheck = false;
//MQEnvironment.SSLCipherSpec = "TLS_RSA_WITH_AES_128_CBC_SHA256";
MQEnvironment.CertificateLabel = "certqma";
queueManager = new MQQueueManager("QMA", properties);
I also configured the environment variables (MQCHLLIB, MQCHLTAB) for the tab configuration file. The code above generates the trace below and doesn't even try to connect:
Remote Address:172.19.165.167:1414
000001BC 19:37:21.374097 11208.4 Local Address:0.0.0.0:0
000001BD 19:37:21.374139 11208.4 Bind
000001BE 19:37:21.380208 11208.4 Bind returned 0.0.0.0:17040
000001BF 19:37:21.380256 11208.4 Connect
000001C0 19:37:21.382369 11208.4 Connect returned True
000001C1 19:37:21.383946 11208.4 TCP/IP LINGER disabled
000001C2 19:37:21.383997 11208.4 Using socket send buffer size 32768
000001C3 19:37:21.384409 11208.4 Using socket receive buffer size 32768
000001C4 19:37:21.384450 11208.4 -----------} MQTCPConnection.ConnectUsingLocalAddr(ParsedLocalAddr,IPAddress,int) rc=OK
000001C5 19:37:21.384959 11208.4 Constructing IBM.WMQ.Nmqi.MQEncryptedSocket#004CACA0 MQMBID sn=p912-L190313.DE su=_FGqKtkWOEemwVcDgaesw_A pn=basedotnet/nmqi/NmqiObject.cs
000001C6 19:37:21.384986 11208.4 Constructing IBM.WMQ.Nmqi.MQEncryptedSocket#004CACA0 MQMBID sn=p912-L190313.DE su=_FGqKtkWOEemwVcDgaesw_A pn=basedotnet/nmqi/MQEncryptedSocket_s.cs
000001C7 19:37:21.386449 11208.4 -----------{ MQEncryptedSocket.RetrieveAndValidateSSLParams(MQConnectOptions)
000001C8 19:37:21.387062 11208.4 IBM.WMQ.Nmqi.MQEncryptedSocket#004CACA0 throwing MQException: cc=2 rc=2381
000001C9 19:37:21.388522 11208.4 New MQException CompCode: 2 Reason: 2381
000001CA 19:37:21.399370 11208.4 -----------}! MQEncryptedSocket.RetrieveAndValidateSSLParams(MQConnectOptions) rc=(Unknown(2381))
000001CB 19:37:21.401318 11208.4 CompCode: 2, Reason: 2381
000001CC 19:37:21.401693 11208.4 New MQException CompCode: 2 Reason: 2538
000001CD 19:37:21.405884 11208.4 -----------{ ManagedCommonServices.GetMessage(string objectId,uint returncode,uint control,out string basicmessage,out string extendedmessage,out string replymessage,MQLONG basicLength,MQLONG
When I removed the MQC.SSL_CIPHER_SPEC_PROPERTY property, the app tried to connect to the server, but the server rejected the connection with this error:
AMQ9639E: Remote channel 'QMACLCHL' did not specify a CipherSpec.
EXPLANATION: Remote channel 'QMACLCHL' did not specify a CipherSpec when the local channel expected one to be specified.
I don't understand what I am doing wrong. Please help me. Thanks.
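Added example (not code from the question or from IBM MQ): a small Python triage script that splits an MQ .NET client trace like the one quoted above back into entries and reports each MQException together with the client method that was executing when it was raised. The sample trace is a constructed excerpt of the question's own entries 000001C4 to 000001CC, pasted flat the way the question shows them; the names for reason codes 2381 and 2538 are the standard MQRC names.

```python
import re

# Constructed sample: entries 000001C4..000001CC from the question's trace,
# pasted flat on one line the way the question shows them.
SAMPLE_TRACE = (
    "000001C4 19:37:21.384450 11208.4 -----------} MQTCPConnection.ConnectUsingLocalAddr(ParsedLocalAddr,IPAddress,int) rc=OK "
    "000001C7 19:37:21.386449 11208.4 -----------{ MQEncryptedSocket.RetrieveAndValidateSSLParams(MQConnectOptions) "
    "000001C8 19:37:21.387062 11208.4 IBM.WMQ.Nmqi.MQEncryptedSocket#004CACA0 throwing MQException: cc=2 rc=2381 "
    "000001C9 19:37:21.388522 11208.4 New MQException CompCode: 2 Reason: 2381 "
    "000001CA 19:37:21.399370 11208.4 -----------}! MQEncryptedSocket.RetrieveAndValidateSSLParams(MQConnectOptions) rc=(Unknown(2381)) "
    "000001CB 19:37:21.401318 11208.4 CompCode: 2, Reason: 2381 "
    "000001CC 19:37:21.401693 11208.4 New MQException CompCode: 2 Reason: 2538"
)

# MQ reason codes seen in the question's trace (standard MQRC names).
REASON_NAMES = {2381: "MQRC_KEY_REPOSITORY_ERROR", 2538: "MQRC_HOST_NOT_AVAILABLE"}

# One trace entry: sequence number, timestamp, process.thread, message text,
# where the message runs until the next entry header or the end of input.
ENTRY_RE = re.compile(
    r"([0-9A-F]{8}) (\d\d:\d\d:\d\d\.\d+) (\S+) (.*?)"
    r"(?=\s+[0-9A-F]{8} \d\d:\d\d:\d\d\.\d+ |\Z)",
    re.DOTALL,
)
ENTER_RE = re.compile(r"^-+\{ (\S+)")   # "-----------{ Method(...)" = method entry
EXIT_RE = re.compile(r"^-+\}!? ")       # "-----------} ..." / "-----------}! ..." = exit
EXC_RE = re.compile(r"New MQException CompCode: (\d+) Reason: (\d+)")

def split_entries(trace):
    """Return (seq, timestamp, thread, message) tuples, whether the trace is
    one entry per line or flattened onto a single line."""
    return [(m.group(1), m.group(2), m.group(3), m.group(4).strip())
            for m in ENTRY_RE.finditer(trace)]

def find_exceptions(trace):
    """List every MQException in the trace with the client method that was
    executing when it was raised (None if raised outside any traced method)."""
    stack, found = [], []
    for seq, _ts, _thread, msg in split_entries(trace):
        if (m := ENTER_RE.match(msg)):
            stack.append(m.group(1))
        elif EXIT_RE.match(msg) and stack:
            stack.pop()
        elif (m := EXC_RE.search(msg)):
            rc = int(m.group(2))
            found.append({"seq": seq, "cc": int(m.group(1)), "rc": rc,
                          "name": REASON_NAMES.get(rc, "unknown"),
                          "method": stack[-1] if stack else None})
    return found
```

Run over the question's trace, this reports the 2381 (MQRC_KEY_REPOSITORY_ERROR) raised inside MQEncryptedSocket.RetrieveAndValidateSSLParams, i.e. while the client is still validating its own SSL settings, and the 2538 reported afterwards at top level.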