0
votes

I'm trying to use a JKS SSL certificate in JMeter to authenticate to an IBM MQ connection factory. I have updated the JMeter system.properties with javax.net.ssl.keyStore and password fields with relevant entries. But it fails to connect, stating

"Failed to connect to Queue Manager".

I am not able to debug it either, because even though I updated the debugging in JMeter with log_level set to "debug" in jmeter.properties, it's not displaying the necessary logs either.

I tried to use a custom jndi.properties file and this is not recognized either (created a jar and stored it in the lib and lib/ext folders). I have also tried to use the SSL Manager option of JMeter. But no luck on that either.

If anyone has configured the JMeter JMS Publisher (not point-to-point) to authenticate to an IBM MQ queue manager, any help would be really appreciated.

1 Answer

0
votes

There is a tremendous amount of information missing from this question. You will need to add detail if you want a more precise answer. However, perhaps in working through my reply you will find the error and fix it. If so, please come back and update your question with the details of what you did to fix it.

You mention that you want JMeter to authenticate to MQ. There is no mention of MQ authenticating to JMeter. However, there is no option to use TLS with MQ where the QMgr does not require a certificate. Therefore, you need the following:

On the QMgr side

  • The QMgr must have a personal certificate.
  • The label of the QMgr's certificate must be in a specific format or (as of v8.0) the QMgr's property needs to point to the right certificate.
  • If the QMgr's certificate is CA-signed, the CA's signer cert(s) must be available to the QMgr for its own certificate.
  • The QMgr must have either the CA signer cert(s) for JMeter's certificate (if CA-signed) or JMeter's public certificate (if self-signed).
  • The QMgr's channel must specify a CipherSuite.

On the JMeter side

  • JMeter must have a personal certificate.
  • If JMeter's certificate is CA-signed, the CA's signer cert(s) must be available in the trust store.
  • JMeter must have either the CA signer cert(s) for the QMgr's certificate (if CA-signed) or the QMgr's public certificate (if self-signed).
  • JMeter's MQ channel must specify the Cipherspec that corresponds to the CipherSuite set at the QMgr.

Of all the information I've listed here, almost none of it is available in the question as written. Someone responding has no reason to believe that the QMgr is even set up for TLS at this point. Nothing in the question indicates that this has been done. Assuming the QMgr is set up for TLS, does it work with IBM's sample programs? Again, we have no way to know from the question as written.

Please be aware though that, like any good security error, nearly all of the information is logged at the QMgr side. For example, if a login fails, the last thing you want to do is to tell the attacker that the User ID is bad or the password is bad. The error message should never provide more information for the attacker.

With this in mind, security errors on the client side tend to produce client-side error logs. Security errors on the QMgr side produce QMgr-side logs and very sparse client messages. If you follow up here, please post sufficient info for us to help diagnose the issue, including the QMgr-side error log entries.
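
A client-side pre-flight for the "On the JMeter side" list in the answer above, added here as an example and not part of the original answer or of JMeter: it checks that the properties text sets both key store and trust store, and that `keytool -list` output shows a personal certificate and a trusted certificate. All paths, aliases and passwords are constructed samples, and the parsing assumes keytool's English-locale output.

```shell
#!/bin/sh
# Added example. All paths, aliases and passwords below are constructed samples.

# system.properties as described in the question: only the key store is set.
SAMPLE_PROPS='javax.net.ssl.keyStore=/opt/jmeter/client.jks
javax.net.ssl.keyStorePassword=changeit'

# Output in the format of `keytool -list -keystore client.jks` (English locale).
SAMPLE_LIST='Keystore type: JKS
Your keystore contains 2 entries

jmeter-client, Jan 5, 2024, PrivateKeyEntry,
Certificate fingerprint (SHA-256): (constructed, omitted)
qmgr-signer, Jan 5, 2024, trustedCertEntry,
Certificate fingerprint (SHA-256): (constructed, omitted)'

# Print every JSSE store property that the properties text on stdin does not set.
missing_props() {
  text=$(cat)
  for p in keyStore keyStorePassword trustStore trustStorePassword; do
    printf '%s\n' "$text" |
      grep -Eq "^[[:space:]]*javax\.net\.ssl\.${p}[[:space:]]*[=:]" ||
      echo "javax.net.ssl.${p}"
  done
}

# Count entries of one type (PrivateKeyEntry, trustedCertEntry) in keytool output.
count_entries() {
  grep -Ec ",[[:space:]]*$1,[[:space:]]*\$" || true
}

# Report each unmet item from the "On the JMeter side" list; non-zero if any.
preflight() {
  rc=0
  for m in $(printf '%s\n' "$1" | missing_props); do
    echo "not set: $m"; rc=1
  done
  [ "$(printf '%s\n' "$2" | count_entries PrivateKeyEntry)" -ge 1 ] ||
    { echo "no personal certificate (PrivateKeyEntry)"; rc=1; }
  [ "$(printf '%s\n' "$2" | count_entries trustedCertEntry)" -ge 1 ] ||
    { echo "no signer or QMgr certificate (trustedCertEntry)"; rc=1; }
  return $rc
}

preflight "$SAMPLE_PROPS" "$SAMPLE_LIST" || echo "pre-flight: client side incomplete"
```

When `javax.net.ssl.trustStore` is not set, the JVM falls back to its default `cacerts` file, which will not contain a self-signed or private-CA QMgr certificate unless it was imported there.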