Unable to authenticate to IBM MQ C# with TLS-certificate

0

I'm trying to connect to an IBM MQ using .NET Core ("IBMMQDotnetClient" Version="9.2.0.1") with a certificate inside a Linux container (mcr.microsoft.com/dotnet/core/runtime:3.1).

Configuration Hashtable:

new Hashtable {
    { MQC.HOST_NAME_PROPERTY, "localhost" },
    { MQC.CHANNEL_PROPERTY, "DEV.SVRCONN" },
    { MQC.PORT_PROPERTY, 1419 },
    { MQC.SSL_CIPHER_SPEC_PROPERTY, "TLS_RSA_WITH_AES_128_CBC_SHA" },
    { MQC.SSL_CERT_STORE_PROPERTY, "*USER" }
}

The tracing reveals this exception:

0000702 17:37:10.738499   1.1         KeyStore is *USER
00000703 17:37:10.738530   1.1         KeyResetCount is 0
00000704 17:37:10.738543   1.1         CertificationCheck = False
00000705 17:37:10.738553   1.1         CipherSpec value is TLS_RSA_WITH_AES_128_CBC_SHA
00000706 17:37:10.738562   1.1         SSLPEERNAME value is
00000707 17:37:10.738570   1.1        -----------}  MQEncryptedSocket.RetrieveAndValidateSSLParams(MQConnectOptions) rc=OK
00000708 17:37:10.738625   1.1        -----------{  MQEncryptedSocket.MakeSecuredConnection()
00000709 17:37:10.738653   1.1         Created an instance of SSLStreams
0000070A 17:37:10.738662   1.1         Setting current certificate store as 'User'
0000070B 17:37:10.738676   1.1         Linux so use My & CurrentUser
0000070C 17:37:10.738683   1.1         Created store object to access certificates
0000070D 17:37:10.738740   1.1         Opened store
0000070E 17:37:10.738750   1.1         Accessing certificate - ibmwebspheremqroot
0000070F 17:37:10.748556   1.1         Number of certificates in the store:6
00000710 17:37:10.748629   1.1         TLS12 supported - True
00000711 17:37:10.748648   1.1         Setting SslProtol as Tls
00000712 17:37:10.748655   1.1         Starting SSL Authentication
00000713 17:37:10.748738   1.1        ------------{  MQEncryptedSocket.FixClientCertificate(Object,String,X509CertificateCollection,X509Certificate,String[])
00000714 17:37:10.748754   1.1         Client callback has been invoked to find client certificate
00000715 17:37:10.748766   1.1        ------------}  MQEncryptedSocket.FixClientCertificate(Object,String,X509CertificateCollection,X509Certificate,String[]) rc=OK   
00000716 17:37:10.766153   1.1        ------------{  MQEncryptedSocket.ClientValidatingServerCertificate(Object,X509Certificate,X509Chain,SslPolicyErrors) inputs  [11]
00000717 17:37:10.766190   1.1         SSL Server Certificate validation failed - RemoteCertificateNameMismatch, RemoteCertificateChainErrors
00000718 17:37:10.766196   1.1        ------------}  MQEncryptedSocket.ClientValidatingServerCertificate(Object,X509Certificate,X509Chain,SslPolicyErrors) rc=OK
00000719 17:37:10.766662   1.1         System.Security.Authentication.AuthenticationException: The remote certificate is invalid according to the validation procedure.

  • The same code works on Windows.
  • I've installed the root CA that signed the certificate.

EDIT 1 @Morag Hughson - Regarding the certificates, I've installed the organization's root CA and subCA that have signed the IBM MQ cert:

COPY ssl/ /usr/local/share/ca-certificates/
RUN update-ca-certificates --fresh --verbose

Also tried doing it in code:

var root = new X509Store(StoreName.Root, StoreLocation.CurrentUser);
root.Open(OpenFlags.ReadWrite);
root.Add(theAppCert);
collection.Add(new X509Certificate2("./ssl/root.crt"));
root.AddRange(collection);

This is how I add the IBM MQ certificate:

var collection = new X509Certificate2Collection();

collection.Import(File.ReadAllBytes("./ssl/key.p12"), "123456", X509KeyStorageFlags.PersistKeySet);

var store = new X509Store(StoreName.My, StoreLocation.CurrentUser);

var theAppCert = collection.Find(X509FindType.FindBySubjectName, "app_test", false)[0];
if (RuntimeInformation.IsOSPlatform(OSPlatform.Windows))
{
    // The $ prefix is required for the user name to be interpolated into the label.
    theAppCert.FriendlyName = $"ibmwebspheremq{Environment.UserName.ToLower()}";
}
store.Open(OpenFlags.ReadWrite);
store.Add(theAppCert);

EDIT 2

Is this sufficient?

0000049D 17:51:51.929051   1.1         Data:- IBM.WMQ.MQTCPConnection#02EED1CA
0000049D 17:51:51.929051   1.1          0x00000000 54 53 48 20 00 00 00 24 02 05 0A 00 00 00 00 00 : TSH ...$......
0000049D 17:51:51.929051   1.1          0x00000010 00 00 00 00 22 02 00 00 E4 04 00 00 08 00 00 00 : ...."..?....
0000049D 17:51:51.929051   1.1          0x00000020 1A 00 00 00                                     : ...
0000049E 17:51:51.929066   1.1          Data Length --> 36
0000049F 17:51:51.929071   1.1        ------------}  MQTCPConnection.Receive(ref byte [ ],ref int,ref int) rc=OK
000004A0 17:51:51.929076   1.1         Bytes Read from Socket = 36
000004A1 17:51:51.929083   1.1        ------------{  MQTSH.ReadStruct(Byte [ ],int) inputs  [System.Byte[]] [0]
000004A2 17:51:51.929106   1.1        ------------}  MQTSH.ReadStruct(Byte [ ],int) rc=OK returns [28]
000004A3 17:51:51.929120   1.1        ------------{  MQTSH.CheckTSH(byte [ ]) inputs  [System.Byte[]]
000004A4 17:51:51.929127   1.1        ------------}  MQTSH.CheckTSH(byte [ ]) rc=OK returns [True]
000004A5 17:51:51.929134   1.1        ------------{  MQFAPConnection.AnalyseErrorSegment(MQTSH) inputs  [IBM.WMQ.MQTSH#039490E2]
000004A6 17:51:51.929140   1.1        -------------{  MQTSH.GetLength()
000004A7 17:51:51.929145   1.1        -------------}  MQTSH.GetLength() rc=OK returns [28]
000004A8 17:51:51.929196   1.1         Constructing IBM.WMQ.MQERD#003917F2 MQMBID sn=p920-001-200918 su=_tqsBSQMcEeuBJdh7_yjHsA pn=basedotnet/nmqi/MQERD.cs
000004A9 17:51:51.929208   1.1        -------------{  MQERD.ReadStruct(Byte [ ],int) inputs  [System.Byte[]] [28]
000004AA 17:51:51.929216   1.1        -------------}  MQERD.ReadStruct(Byte [ ],int) rc=OK returns [8]
000004AB 17:51:51.929231   1.1         New MQException CompCode: 2 Reason: 2059
c#
.net
linux
ssl
ibm-mq
asked on Stack Overflow Oct 28, 2020 by hazelrah • edited Oct 29, 2020 by hazelrah

1 Answer

1

I managed to get it working by only installing one (CN=app_test) of the three certificates from the .p12 file into my local user store.

The file contained:

  • CN=Root CA v2, DC=corp1, DC=ad1, DC=xxx, DC=net
  • CN=Appl Sub CA v2, DC=corp1, DC=ad1, DC=xxx, DC=net
  • CN=app_test

If I install the whole collection of those three certificates, I get a failure with the code 2059 from MQ.

answered on Stack Overflow Nov 1, 2020 by hazelrah
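
The approach described in the answer, as an added example (not the poster's code): import the PKCS#12 file and add only the entry that carries a private key to My/CurrentUser, leaving the CA certificates out of that store. It assumes the client certificate is the only entry with a private key; `MqClientCertInstaller`, `InstallLeafOnly` and the `P12_PASSWORD` environment variable are hypothetical names.

```csharp
using System;
using System.Linq;
using System.Security.Cryptography.X509Certificates;

static class MqClientCertInstaller
{
    // Adds only the client (leaf) certificate from a PKCS#12 file to My/CurrentUser,
    // the store the trace above shows the MQ client opening on Linux for "*USER".
    public static X509Certificate2 InstallLeafOnly(string p12Path, string password)
    {
        var bundle = new X509Certificate2Collection();
        bundle.Import(p12Path, password, X509KeyStorageFlags.PersistKeySet);
        var certs = bundle.Cast<X509Certificate2>().ToList();

        // Assumption: the client certificate is the only entry with a private key;
        // the root and sub-CA entries carry public certificates only.
        var leaves = certs.Where(c => c.HasPrivateKey).ToList();
        if (leaves.Count != 1)
            throw new InvalidOperationException(
                $"Expected one certificate with a private key, found {leaves.Count}.");

        foreach (var ca in certs.Where(c => !c.HasPrivateKey))
            Console.WriteLine($"Left out of My store: {ca.Subject}");

        using (var store = new X509Store(StoreName.My, StoreLocation.CurrentUser))
        {
            store.Open(OpenFlags.ReadWrite);
            store.Add(leaves[0]);

            // Show what the MQ client will see, so CA certificates left over from an
            // earlier whole-bundle import are visible to whoever reads the output.
            foreach (var c in store.Certificates.Cast<X509Certificate2>())
                Console.WriteLine($"My store: {c.Subject} (private key: {c.HasPrivateKey})");
        }
        return leaves[0];
    }

    static void Main(string[] args)
    {
        // The path defaults to the one used in the question; the password comes from
        // a hypothetical environment variable P12_PASSWORD rather than being hard-coded.
        var path = args.Length > 0 ? args[0] : "./ssl/key.p12";
        var password = Environment.GetEnvironmentVariable("P12_PASSWORD") ?? "";
        var leaf = InstallLeafOnly(path, password);
        Console.WriteLine($"Installed {leaf.Subject}, thumbprint {leaf.Thumbprint}");
    }
}
```

The root and sub-CA certificates still have to be trusted for server validation; the question does that through `update-ca-certificates` in the container image.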

User contributions licensed under CC BY-SA 3.0