
I'm trying to connect to an IBM MQ queue manager using .NET Core ("IBMMQDotnetClient" Version="9.2.0.1") with a certificate inside a Linux container (mcr.microsoft.com/dotnet/core/runtime:3.1).

Configuration Hashtable:

var properties = new Hashtable {
    { MQC.HOST_NAME_PROPERTY, "localhost" },
    { MQC.CHANNEL_PROPERTY, "DEV.SVRCONN" },
    { MQC.PORT_PROPERTY, 1419 },
    { MQC.SSL_CIPHER_SPEC_PROPERTY, "TLS_RSA_WITH_AES_128_CBC_SHA" },
    { MQC.SSL_CERT_STORE_PROPERTY, "*USER" }
};

The tracing reveals this exception:

0000702 17:37:10.738499   1.1         KeyStore is *USER
00000703 17:37:10.738530   1.1         KeyResetCount is 0
00000704 17:37:10.738543   1.1         CertificationCheck = False
00000705 17:37:10.738553   1.1         CipherSpec value is TLS_RSA_WITH_AES_128_CBC_SHA
00000706 17:37:10.738562   1.1         SSLPEERNAME value is
00000707 17:37:10.738570   1.1        -----------}  MQEncryptedSocket.RetrieveAndValidateSSLParams(MQConnectOptions) rc=OK
00000708 17:37:10.738625   1.1        -----------{  MQEncryptedSocket.MakeSecuredConnection()
00000709 17:37:10.738653   1.1         Created an instance of SSLStreams
0000070A 17:37:10.738662   1.1         Setting current certificate store as 'User'
0000070B 17:37:10.738676   1.1         Linux so use My & CurrentUser
0000070C 17:37:10.738683   1.1         Created store object to access certificates
0000070D 17:37:10.738740   1.1         Opened store
0000070E 17:37:10.738750   1.1         Accessing certificate - ibmwebspheremqroot
0000070F 17:37:10.748556   1.1         Number of certificates in the store:6
00000710 17:37:10.748629   1.1         TLS12 supported - True
00000711 17:37:10.748648   1.1         Setting SslProtol as Tls
00000712 17:37:10.748655   1.1         Starting SSL Authentication
00000713 17:37:10.748738   1.1        ------------{  MQEncryptedSocket.FixClientCertificate(Object,String,X509CertificateCollection,X509Certificate,String[])
00000714 17:37:10.748754   1.1         Client callback has been invoked to find client certificate
00000715 17:37:10.748766   1.1        ------------}  MQEncryptedSocket.FixClientCertificate(Object,String,X509CertificateCollection,X509Certificate,String[]) rc=OK   
00000716 17:37:10.766153   1.1        ------------{  MQEncryptedSocket.ClientValidatingServerCertificate(Object,X509Certificate,X509Chain,SslPolicyErrors) inputs  [11]
00000717 17:37:10.766190   1.1         SSL Server Certificate validation failed - RemoteCertificateNameMismatch, RemoteCertificateChainErrors
00000718 17:37:10.766196   1.1        ------------}  MQEncryptedSocket.ClientValidatingServerCertificate(Object,X509Certificate,X509Chain,SslPolicyErrors) rc=OK
00000719 17:37:10.766662   1.1         System.Security.Authentication.AuthenticationException: The remote certificate is invalid according to the validation procedure.

  • The same code works on Windows
  • I've installed the root CA that signed the certificate.

EDIT 1 @Morag Hughson - Regarding the certificates: I've installed the organization's root CA and the sub CA that signed the IBM MQ cert:

COPY ssl/ /usr/local/share/ca-certificates/
RUN update-ca-certificates --fresh --verbose

Also tried doing it in code:

// theAppCert and collection come from the snippet below.
var root = new X509Store(StoreName.Root, StoreLocation.CurrentUser);
root.Open(OpenFlags.ReadWrite);
root.Add(theAppCert);
// Add the organization's root CA to the same collection and push it all into the Root store.
collection.Add(new X509Certificate2("./ssl/root.crt"));
root.AddRange(collection);

This is how I add the IBM MQ certificate:

var collection = new X509Certificate2Collection();

// Import everything from the PKCS#12 file (client cert plus CA chain) and keep the private key.
collection.Import(File.ReadAllBytes("./ssl/key.p12"), "123456", X509KeyStorageFlags.PersistKeySet);

var store = new X509Store(StoreName.My, StoreLocation.CurrentUser);

// Pick the client certificate by its subject CN.
var theAppCert = collection.Find(X509FindType.FindBySubjectName, "app_test", false)[0];
if (RuntimeInformation.IsOSPlatform(OSPlatform.Windows))
{
    // On Windows the MQ client locates the cert by FriendlyName "ibmwebspheremq<user>".
    theAppCert.FriendlyName = $"ibmwebspheremq{Environment.UserName.ToLower()}";
}
store.Open(OpenFlags.ReadWrite);
store.Add(theAppCert);

EDIT 2

Is this sufficient?

0000049D 17:51:51.929051   1.1         Data:- IBM.WMQ.MQTCPConnection#02EED1CA
0000049D 17:51:51.929051   1.1          0x00000000 54 53 48 20 00 00 00 24 02 05 0A 00 00 00 00 00 : TSH ...$......
0000049D 17:51:51.929051   1.1          0x00000010 00 00 00 00 22 02 00 00 E4 04 00 00 08 00 00 00 : ...."..?....
0000049D 17:51:51.929051   1.1          0x00000020 1A 00 00 00                                     : ...
0000049E 17:51:51.929066   1.1          Data Length --> 36
0000049F 17:51:51.929071   1.1        ------------}  MQTCPConnection.Receive(ref byte [ ],ref int,ref int) rc=OK
000004A0 17:51:51.929076   1.1         Bytes Read from Socket = 36
000004A1 17:51:51.929083   1.1        ------------{  MQTSH.ReadStruct(Byte [ ],int) inputs  [System.Byte[]] [0]
000004A2 17:51:51.929106   1.1        ------------}  MQTSH.ReadStruct(Byte [ ],int) rc=OK returns [28]
000004A3 17:51:51.929120   1.1        ------------{  MQTSH.CheckTSH(byte [ ]) inputs  [System.Byte[]]
000004A4 17:51:51.929127   1.1        ------------}  MQTSH.CheckTSH(byte [ ]) rc=OK returns [True]
000004A5 17:51:51.929134   1.1        ------------{  MQFAPConnection.AnalyseErrorSegment(MQTSH) inputs  [IBM.WMQ.MQTSH#039490E2]
000004A6 17:51:51.929140   1.1        -------------{  MQTSH.GetLength()
000004A7 17:51:51.929145   1.1        -------------}  MQTSH.GetLength() rc=OK returns [28]
000004A8 17:51:51.929196   1.1         Constructing IBM.WMQ.MQERD#003917F2 MQMBID sn=p920-001-200918 su=_tqsBSQMcEeuBJdh7_yjHsA pn=basedotnet/nmqi/MQERD.cs
000004A9 17:51:51.929208   1.1        -------------{  MQERD.ReadStruct(Byte [ ],int) inputs  [System.Byte[]] [28]
000004AA 17:51:51.929216   1.1        -------------}  MQERD.ReadStruct(Byte [ ],int) rc=OK returns [8]
000004AB 17:51:51.929231   1.1         New MQException CompCode: 2 Reason: 2059
hazelrah
  • What is the label on your cert? – JoshMc Oct 28 '20 at 23:32
  • Does the application key store have the necessary certificates to validate the remote certificate - i.e. the queue manager's certificate? You don't describe in your question anything to show what certificates are in your keystore. – Morag Hughson Oct 29 '20 at 03:40
  • I've tried different CertificateLabels but I thought they were just used on Windows to locate the certificate (based on FriendlyName). How does it work on Linux? – hazelrah Oct 29 '20 at 07:58
  • The trace indicates it is looking for `Accessing certificate - ibmwebspheremqroot`; do you have a private key with that label? – JoshMc Oct 29 '20 at 09:00
  • Thanks to your questions @JoshMc I think I've been authenticated: I set `MQEnvironment.CertificateLabel` and MQC.SSL_PEER_NAME_PROPERTY = `CN=STOH27CT` where STOH27CT is the MQ hostname. The trace gives me `SSL Authentication completed` but then further down: `0000702 15:38:34.774493 1.1 New MQException CompCode: 2 Reason: 2059` – hazelrah Oct 29 '20 at 16:12
  • Can you please add the new trace around the 2059 (you will need to show what happens above this to tell the real cause). Note that SSLPEER is meant to be a value that matches the queue manager cert, not the value of your own cert. Also the label is separate from the DN value of the cert (the DN contains the CN, OU, O, etc). Normally I don't see the label containing "CN=", but that does not mean that you could not set the label to a string that contains "CN=". What does the queue manager AMQERR01.LOG show at the time of your error, if anything? – JoshMc Oct 29 '20 at 16:15
  • I've attached parts of the logs and asked our team regarding MQ managers logs – hazelrah Oct 29 '20 at 17:22
  • Manager errors: AMQ9637E: During handshake, the remote partner sent no certificate. EXPLANATION: The conversation cannot begin because a certificate has not been supplied by the remote partner. I try to set the label: `MQEnvironment.CertificateLabel = "ibmwebspheremqd1014a"`. And if I run `openssl pkcs12 -info -in ssl/d1014key.p12` I can see: `friendlyName: ibmwebspheremqd1014a` – hazelrah Oct 30 '20 at 09:58
  • Finally got it working - I filtered out all other certificates and only added the MQ cert to the user store: `var Cert = collection.Find(X509FindType.FindBySubjectName, "app_test", false)[0];` – hazelrah Oct 30 '20 at 10:25
  • I am interested to understand more how you fixed it. Please post a self answer with more detail, understanding what your p12 key store looked like when it was not working vs working would be good. – JoshMc Oct 31 '20 at 09:15

1 Answer


I managed to get it working by only installing one (CN=app_test) of the three certificates from the .p12 file into my local user store.

The file contained:

  • CN=Root CA v2, DC=corp1, DC=ad1, DC=xxx, DC=net
  • CN=Appl Sub CA v2, DC=corp1, DC=ad1, DC=xxx, DC=net
  • CN=app_test

If I install the whole collection of those three certificates, I get a failure with code 2059 from MQ.

hazelrah
  • This [answer](https://stackoverflow.com/questions/22618108/adding-an-intermediate-certificates-to-a-pkcs12-file) seems to indicate the certs should be in reverse order with client cert first and root last. – JoshMc Nov 01 '20 at 22:00
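One way to apply the fix from the answer programmatically, as an added example that is not the asker's code: the .p12 is split so that only the leaf certificate (the entry carrying the private key) lands in My/CurrentUser, while the Root CA and Sub CA go into Root/CurrentUser where the client can use them to validate the queue manager's certificate, and the connection properties set the label and SSLPEER as discussed in the comments. The file path, password, label, peer name and queue manager name are assumptions.

```csharp
using System;
using System.Collections;
using System.IO;
using System.Linq;
using System.Security.Cryptography.X509Certificates;
using IBM.WMQ;

static class MqTlsSetup
{
    // Assumed values; adjust to your environment.
    const string P12Path = "./ssl/key.p12";
    const string P12Password = "changeit";            // placeholder
    const string LeafSubject = "app_test";            // CN of the client cert in the .p12
    const string Label = "ibmwebspheremqapp";         // assumed label the MQ client will look for
    const string QueueManagerPeer = "CN=STOH27CT";    // must match the queue manager's cert DN

    public static void InstallAndConnect()
    {
        // The .p12 holds the client cert (with private key) plus the Root CA and Sub CA certs.
        var bundle = new X509Certificate2Collection();
        bundle.Import(File.ReadAllBytes(P12Path), P12Password, X509KeyStorageFlags.PersistKeySet);

        // Partition: exactly one entry carries the private key; the rest is chain material.
        var leaf = bundle.Cast<X509Certificate2>().Single(c => c.HasPrivateKey
                       && c.GetNameInfo(X509NameType.SimpleName, false) == LeafSubject);
        var cas = bundle.Cast<X509Certificate2>().Where(c => !c.HasPrivateKey);

        // Only the client cert goes into My/CurrentUser, the store the MQ .NET client searches
        // on Linux. Importing the CA certs here as well is what produced MQRC 2059 in the question.
        // X509Store.Add is a no-op if a matching certificate is already present.
        using (var my = new X509Store(StoreName.My, StoreLocation.CurrentUser))
        {
            my.Open(OpenFlags.ReadWrite);
            my.Add(leaf);
        }

        // CA certs go into Root/CurrentUser so the queue manager's chain can be built.
        using (var root = new X509Store(StoreName.Root, StoreLocation.CurrentUser))
        {
            root.Open(OpenFlags.ReadWrite);
            foreach (var ca in cas) root.Add(ca);
        }

        MQEnvironment.CertificateLabel = Label;
        var props = new Hashtable {
            { MQC.HOST_NAME_PROPERTY, "localhost" }, { MQC.PORT_PROPERTY, 1419 },
            { MQC.CHANNEL_PROPERTY, "DEV.SVRCONN" }, { MQC.SSL_CERT_STORE_PROPERTY, "*USER" },
            { MQC.SSL_CIPHER_SPEC_PROPERTY, "TLS_RSA_WITH_AES_128_CBC_SHA" },
            { MQC.SSL_PEER_NAME_PROPERTY, QueueManagerPeer } };
        using (var qmgr = new MQQueueManager("QM1", props))   // "QM1" is an assumed name
            Console.WriteLine("Connected: " + qmgr.IsConnected);
    }
}
```

If `Single` throws, the .p12 either has no private key or more than one, which is worth checking with `openssl pkcs12 -info` before looking at the MQ side.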