Unable to autheticate to IBM MQ C# with TLS-certificate
I'm trying to connect to a IBM MQ using .net core ("IBMMQDotnetClient" Version="9.2.0.1") with a certificate inside a linux container (mcr.microsoft.com/dotnet/core/runtime:3.1).
Configuration Hashtable:
new Hashtable {
{
MQC.HOST_NAME_PROPERTY, "localhost"
},
{
MQC.CHANNEL_PROPERTY, "DEV.SVRCONN"
},
{
MQC.PORT_PROPERTY, 1419
},
{
MQC.SSL_CIPHER_SPEC_PROPERTY, "TLS_RSA_WITH_AES_128_CBC_SHA"
},
{
MQC.SSL_CERT_STORE_PROPERTY, "*USER"
}}
The tracing reveals this exception:
0000702 17:37:10.738499 1.1 KeyStore is *USER
00000703 17:37:10.738530 1.1 KeyResetCount is 0
00000704 17:37:10.738543 1.1 CertificationCheck = False
00000705 17:37:10.738553 1.1 CipherSpec value is TLS_RSA_WITH_AES_128_CBC_SHA
00000706 17:37:10.738562 1.1 SSLPEERNAME value is
00000707 17:37:10.738570 1.1 -----------} MQEncryptedSocket.RetrieveAndValidateSSLParams(MQConnectOptions) rc=OK
00000708 17:37:10.738625 1.1 -----------{ MQEncryptedSocket.MakeSecuredConnection()
00000709 17:37:10.738653 1.1 Created an instance of SSLStreams
0000070A 17:37:10.738662 1.1 Setting current certificate store as 'User'
0000070B 17:37:10.738676 1.1 Linux so use My & CurrentUser
0000070C 17:37:10.738683 1.1 Created store object to access certificates
0000070D 17:37:10.738740 1.1 Opened store
0000070E 17:37:10.738750 1.1 Accessing certificate - ibmwebspheremqroot
0000070F 17:37:10.748556 1.1 Number of certificates in the store:6
00000710 17:37:10.748629 1.1 TLS12 supported - True
00000711 17:37:10.748648 1.1 Setting SslProtol as Tls
00000712 17:37:10.748655 1.1 Starting SSL Authentication
00000713 17:37:10.748738 1.1 ------------{ MQEncryptedSocket.FixClientCertificate(Object,String,X509CertificateCollection,X509Certificate,String[])
00000714 17:37:10.748754 1.1 Client callback has been invoked to find client certificate
00000715 17:37:10.748766 1.1 ------------} MQEncryptedSocket.FixClientCertificate(Object,String,X509CertificateCollection,X509Certificate,String[]) rc=OK
00000716 17:37:10.766153 1.1 ------------{ MQEncryptedSocket.ClientValidatingServerCertificate(Object,X509Certificate,X509Chain,SslPolicyErrors) inputs [11]
00000717 17:37:10.766190 1.1 SSL Server Certificate validation failed - RemoteCertificateNameMismatch, RemoteCertificateChainErrors
00000718 17:37:10.766196 1.1 ------------} MQEncryptedSocket.ClientValidatingServerCertificate(Object,X509Certificate,X509Chain,SslPolicyErrors) rc=OK
00000719 17:37:10.766662 1.1 System.Security.Authentication.AuthenticationException: The remote certificate is invalid according to the validation procedure.
- The same code works on Windows
- I've installed the root CA that signed the certificate.
EDIT 1 @Morag Hughson - Regarding the certificates i've installed the organizations root CA, subCA that have signed the IBM MQ cert:
COPY ssl/ /usr/local/share/ca-certificates/
RUN update-ca-certificates --fresh --verbose
Also tried doing it in code:
var root = new X509Store(StoreName.Root, StoreLocation.CurrentUser);
root.Open(OpenFlags.ReadWrite);
root.Add(theAppCert);
collection.Add(new X509Certificate2("./ssl/root.crt"));
root.AddRange(collection);
This is how i add the IBM MQ certificate
var collection = new X509Certificate2Collection();
collection.Import(File.ReadAllBytes("./ssl/key.p12"), "123456", X509KeyStorageFlags.PersistKeySet);
var store = new X509Store(StoreName.My, StoreLocation.CurrentUser);
var theAppCert = collection.Find(X509FindType.FindBySubjectName, "app_test", false)[0];
if (RuntimeInformation.IsOSPlatform(OSPlatform.Windows))
{
theAppCert.FriendlyName ="ibmwebspheremq{Environment.UserName.ToLower()}";
}
store.Open(OpenFlags.ReadWrite);
store.Add(theAppCert);
EDIT 2
Is this sufficient?
0000049D 17:51:51.929051 1.1 Data:- IBM.WMQ.MQTCPConnection#02EED1CA
0000049D 17:51:51.929051 1.1 0x00000000 54 53 48 20 00 00 00 24 02 05 0A 00 00 00 00 00 : TSH ...$......
0000049D 17:51:51.929051 1.1 0x00000010 00 00 00 00 22 02 00 00 E4 04 00 00 08 00 00 00 : ...."..?....
0000049D 17:51:51.929051 1.1 0x00000020 1A 00 00 00 : ...
0000049E 17:51:51.929066 1.1 Data Length --> 36
0000049F 17:51:51.929071 1.1 ------------} MQTCPConnection.Receive(ref byte [ ],ref int,ref int) rc=OK
000004A0 17:51:51.929076 1.1 Bytes Read from Socket = 36
000004A1 17:51:51.929083 1.1 ------------{ MQTSH.ReadStruct(Byte [ ],int) inputs [System.Byte[]] [0]
000004A2 17:51:51.929106 1.1 ------------} MQTSH.ReadStruct(Byte [ ],int) rc=OK returns [28]
000004A3 17:51:51.929120 1.1 ------------{ MQTSH.CheckTSH(byte [ ]) inputs [System.Byte[]]
000004A4 17:51:51.929127 1.1 ------------} MQTSH.CheckTSH(byte [ ]) rc=OK returns [True]
000004A5 17:51:51.929134 1.1 ------------{ MQFAPConnection.AnalyseErrorSegment(MQTSH) inputs [IBM.WMQ.MQTSH#039490E2]
000004A6 17:51:51.929140 1.1 -------------{ MQTSH.GetLength()
000004A7 17:51:51.929145 1.1 -------------} MQTSH.GetLength() rc=OK returns [28]
000004A8 17:51:51.929196 1.1 Constructing IBM.WMQ.MQERD#003917F2 MQMBID sn=p920-001-200918 su=_tqsBSQMcEeuBJdh7_yjHsA pn=basedotnet/nmqi/MQERD.cs
000004A9 17:51:51.929208 1.1 -------------{ MQERD.ReadStruct(Byte [ ],int) inputs [System.Byte[]] [28]
000004AA 17:51:51.929216 1.1 -------------} MQERD.ReadStruct(Byte [ ],int) rc=OK returns [8]
000004AB 17:51:51.929231 1.1 New MQException CompCode: 2 Reason: 2059```
1 Answer
I managed to get it working by only installing one (CN=app_test) of the three certificates from the .p12 file into my local user store.
The file contained:
CN=Root CA v2, DC=corp1, DC=ad1, DC=xxx, DC=netCN=Appl Sub CA v2, DC=corp1, DC=ad1, DC=xxx, DC=netCN=app_test
If i install the whole collection of those three certificates i get a failure with the code 2059 from MQ.
answered on Stack Overflow Nov 1, 2020 by 
hazelrah
hazelrahUser contributions licensed under CC BY-SA 3.0