1
votes

Guys, I am trying to connect to MQ Hub from a WAS Liberty application. Our MQ Hub supports only SSL certificate authentication. I have created a QCF and a keystore with a JKS file and a certificate inside it. Then I created defaultSSLConfig and pointed it to that keystore.

But I could not find any way to specify the SSLConfig in the QCF, and I read on some page that it was not possible. The only way was to use defaultSSLConfig and specify the keystore from there, which I did. So now I am here and the MQ connection does not work. In the MQ Hub logs I see the error saying that "The channel is lacking a certificate to use for the SSL handshake."

This is what my QCF looks like, no parameter to specify an SSL config:

<jmsConnectionFactory connectionManagerRef="ConMgr" jndiName="jms/wmqCF">
    <properties.wmqJms channel="TEST_CHANNEL" hostName="REMOVED" port="1415" queueManager="ALQ.TEST" transportType="CLIENT" sslCipherSuite="SSL_RSA_WITH_AES_128_CBC_SHA"/>
</jmsConnectionFactory>

Full error on MQ side:

EXPLANATION:
The channel is lacking a certificate to use for the SSL handshake. The channel
name is 'XXX.ADM.SVRCONN' (if '????' it is unknown at this stage in the SSL
processing).

The remote host is 'XXX (10.xx.xx.x)'.

The channel did not start.
ACTION:
Make sure the appropriate certificates are correctly configured in the key
repositories for both ends of the channel.

----- amqccisa.c : 7355

02/14/17 15:07:44 - Process(7510.304808) User(mqm) Program(amqrmppa)
Host(xxx) Installation(Installation1)
VRMF(7.5.0.6) QMgr(XXXXX)

AMQ9999: Channel 'XXX.ADM.SVRCONN' to host 'xxx (10.xx.xx.xx)' ended abnormally.

EXPLANATION:
The channel program running under process ID 7510 for channel 'XX.ADM.SVRCONN'
ended abnormally. The host name is 'xx (10.xx.xx.xx)'; in some cases the
host name cannot be determined and so is shown as '????'.

ACTION:
Look at previous error messages for the channel program in the error logs to
determine the cause of the failure. Note that this message can be excluded
completely or suppressed by tuning the "ExcludeMessage" or "SuppressMessage"
attributes under the "QMErrorLog" stanza in qm.ini. Further information can be
found in the System Administration Guide.

2
I have tagged the question as you suggested. The error I get on the MQ HUB side is the one I mention in the question. I don't see this as an MQ Hub problem but rather the implementation of the QCF in Liberty. We have traditional WAS ND installations that work fine with the same MQ HUB using SSL cert authentication. It is WAS Liberty that is not working. - bortek

Here is what I see on the MQ side. Look at the original message, I updated it. - bortek

When you say MQ Hub do you mean Message Hub? - Rob Parker

Yes, it's coming shortly. Trying to put it together. :) - bortek

2 Answers

1
votes

It is working now :) What we think was the cause of the problem is this bug http://www-01.ibm.com/support/docview.wss?uid=swg1IT16056

Although the error in the APAR above is not the same as the one I was getting. I was seeing this error on the Liberty (client) side:

Caused by: com.ibm.mq.MQException: JMSCMQ0001: IBM MQ call failed with compcode '2' ('MQCC_FAILED') reason '2059' ('MQRC_Q_MGR_NOT_AVAILABLE').
    at com.ibm.msg.client.wmq.common.internal.Reason.createException(Reason.java:203)

I was using this resource adapter when the problem was manifesting itself: 9.0.1.0-IBM-MQ-Java-InstallRA.jar. Then we decided to try a lower version of the adapter which had that APAR/fix in it, and thus used this one: 8.0.0.6-WS-MQ-Java-InstallRA.jar

So that solved the problem.

I was pretty sure that the above bugfix was included in Ver 9.X of the resource adapter but as it turns out it is not the case.
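For reference, the Liberty wiring the question describes combined with the resource adapter change from this answer, as an added example that is not the poster's actual server.xml. The file paths, the `mqKeyStore` id and the password are placeholders; the connection factory values are copied from the question.

```xml
<server>
    <featureManager>
        <feature>wmqJmsClient-2.0</feature>
        <feature>jndi-1.0</feature>
        <feature>ssl-1.0</feature>
    </featureManager>

    <!-- Placeholder path: wmq.jmsra.rar as extracted from
         8.0.0.6-WS-MQ-Java-InstallRA.jar, the adapter level this answer
         reports as working. -->
    <variable name="wmqJmsClient.rar.location"
              value="${shared.resource.dir}/wmq-8.0.0.6/wmq.jmsra.rar"/>

    <!-- Placeholder keystore. For certificate authentication it has to hold
         the client's personal certificate together with its private key,
         and the signer certificate of the queue manager has to be trusted. -->
    <keyStore id="mqKeyStore"
              location="${server.config.dir}/resources/security/key.jks"
              type="JKS"
              password="CHANGE_ME"/>

    <!-- The connection factory has no attribute for choosing an SSL
         configuration, so the keystore is supplied through the default
         SSL configuration, as the question describes. -->
    <ssl id="defaultSSLConfig"
         keyStoreRef="mqKeyStore"
         trustStoreRef="mqKeyStore"/>

    <connectionManager id="ConMgr"/>

    <!-- Values copied from the question. -->
    <jmsConnectionFactory connectionManagerRef="ConMgr" jndiName="jms/wmqCF">
        <properties.wmqJms channel="TEST_CHANNEL"
                           hostName="REMOVED"
                           port="1415"
                           queueManager="ALQ.TEST"
                           transportType="CLIENT"
                           sslCipherSuite="SSL_RSA_WITH_AES_128_CBC_SHA"/>
    </jmsConnectionFactory>
</server>
```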

1
votes

I checked with IBM and they confirmed that APAR IT16056 is not included in the 9.0.1.0 CD release. They are working to correct the APAR to show the right target release for the fix.

Quote from IBM support is below.

I can confirm that the APAR in question, "IT16056" is NOT included in the 9.0.1.0 CD release, and is currently targeted to be included in the 9.0.2.0 CD release.

Based on this, if you want to use a version of the RA higher than 8.0 you would need to do one of the following:

  1. Wait until the 9.0 LTS (Long Term Support) 9.0.0.1 fixpack is released (IBM has a site where they list they are targeting 1Q 2017).
  2. Wait until the 9.0 CD (Continuous Delivery) 9.0.2.0 release is out (IBM does not publish a target for CD).
  3. Open a PMR to IBM and ask them for an IFIX to apply the 9.0.0.1 LTS or 9.0.1.0 CD release.