I'm updating an app to connect to IBM MQ over TLS. The current error I'm seeing is a 2059 reason code. The trace log doesn't appear to include more info. Does anyone have suggestions as to what to check?
I've already done the following:
Established a signed cert and self-signed cert that's been imported onto the client and server
Enabled the Windows Group Policy as described on this blog - SSL Cipher Suite Order
Added the properties to specify the cipher spec in the application code:
factory.SetStringProperty(XMSC.WMQ_CHANNEL, channel); factory.SetIntProperty(XMSC.WMQ_CONNECTION_MODE, connectionMode); factory.SetStringProperty(XMSC.WMQ_QUEUE_MANAGER, ""); factory.SetIntProperty(XMSC.WMQ_BROKER_VERSION, brokerVersion); factory.SetIntProperty(XMSC.WMQ_CLIENT_RECONNECT_OPTIONS, XMSC.WMQ_CLIENT_RECONNECT); factory.SetStringProperty(XMSC.WMQ_SSL_KEY_REPOSITORY, "*SYSTEM"); factory.SetStringProperty(XMSC.WMQ_SSL_CIPHER_SPEC, "TLS_RSA_WITH_AES_256_CBC_SHA256"); factory.SetBooleanProperty(XMSC.WMQ_SSL_CERT_REVOCATION_CHECK, false);
See the linked exception for more information.
at IBM.XMS.Client.WMQ.Factories.WmqConnectionFactory.CreateV7ProviderConnection(XmsPropertyContext connectionProps)
at IBM.XMS.Client.WMQ.Factories.WmqConnectionFactory.CreateProviderConnection(XmsPropertyContext connectionProps)
Linked Exception : CompCode: 2, Reason: 2059
[23/02/2021 22:52:18:792930 Pacific Standard Time] 00000006 < UOW= source=IBM.XMS.Client.WMQ.Factories.WmqConnectionFactory method=CreateProviderConnection(XmsPropertyContext) [:] org=IBM prod=WebSphere component=Message Service Client for .NET thread=[1 : 0]
exit
[23/02/2021 22:52:18:792930 Pacific Standard Time] 00000006 < UOW= source=IBM.XMS.Client.Impl.XmsConnectionFactoryImpl method=CreateConnection(Stirng,String) [:] org=IBM prod=WebSphere component=Message Service Client for .NET thread=[1 : 0]
exit
[23/02/2021 22:52:18:792930 Pacific Standard Time] 00000006 < UOW= source=IBM.XMS.Client.Impl.XmsConnectionFactoryImpl method=CreateConnection() [:] org=IBM prod=WebSphere component=Message Service Client for .NET thread=[1 : 0]
exit
[2/23/2021 10:52:18 PM ] [ ] Error : IBM.XMS.XMSException: CWSMQ0006E: An exception was received during the call to the method ConnectionFactory.CreateConnection: CompCode: 2, Reason: 2059.
During execution of the specified method an exception was thrown by another component.
See the linked exception for more information.
at IBM.XMS.Client.WMQ.Factories.WmqConnectionFactory.CreateProviderConnection(XmsPropertyContext connectionProps)
at IBM.XMS.Client.Impl.XmsConnectionFactoryImpl.CreateConnection(String userID, String password)
at IBM.XMS.Client.Impl.XmsConnectionFactoryImpl.CreateConnection()
Trace showing SSL Auth:
[23/02/2021 22:52:18:777298 Pacific Standard Time] 00000006 d UOW= source=IBM.WMQ.Nmqi.MQEncryptedSocket org=IBM prod=WebSphere component=Message Service Client for .NET thread=[1 : 0]
TLS12 supported - True
[23/02/2021 22:52:18:777298 Pacific Standard Time] 00000006 d UOW= source=IBM.WMQ.Nmqi.MQEncryptedSocket org=IBM prod=WebSphere component=Message Service Client for .NET thread=[1 : 0]
Setting SslProtol as Tls12
[23/02/2021 22:52:18:777298 Pacific Standard Time] 00000006 d UOW= source=IBM.WMQ.Nmqi.MQEncryptedSocket org=IBM prod=WebSphere component=Message Service Client for .NET thread=[1 : 0]
Starting SSL Authentication
[23/02/2021 22:52:18:777298 Pacific Standard Time] 00000006 > UOW= source=IBM.WMQ.Nmqi.MQEncryptedSocket method=FixClientCertificate(Object,String,X509CertificateCollection,X509Certificate,String[]) [:] org=IBM prod=WebSphere component=Message Service Client for .NET thread=[1 : 0]
entry
[23/02/2021 22:52:18:777298 Pacific Standard Time] 00000006 d UOW= source=IBM.WMQ.Nmqi.MQEncryptedSocket org=IBM prod=WebSphere component=Message Service Client for .NET thread=[1 : 0]
Client callback has been invoked to find client certificate
[23/02/2021 22:52:18:777298 Pacific Standard Time] 00000006 < UOW= source=IBM.WMQ.Nmqi.MQEncryptedSocket method=FixClientCertificate(Object,String,X509CertificateCollection,X509Certificate,String[]) rc=OK [:] org=IBM prod=WebSphere component=Message Service Client for .NET thread=[1 : 0]
exit
[23/02/2021 22:52:18:777298 Pacific Standard Time] 00000006 > UOW= source=IBM.WMQ.Nmqi.MQEncryptedSocket method=FixClientCertificate(Object,String,X509CertificateCollection,X509Certificate,String[]) [:] org=IBM prod=WebSphere component=Message Service Client for .NET thread=[1 : 0]
entry
[23/02/2021 22:52:18:777298 Pacific Standard Time] 00000006 d UOW= source=IBM.WMQ.Nmqi.MQEncryptedSocket org=IBM prod=WebSphere component=Message Service Client for .NET thread=[1 : 0]
Client callback has been invoked to find client certificate
[23/02/2021 22:52:18:777298 Pacific Standard Time] 00000006 < UOW= source=IBM.WMQ.Nmqi.MQEncryptedSocket method=FixClientCertificate(Object,String,X509CertificateCollection,X509Certificate,String[]) rc=OK [:] org=IBM prod=WebSphere component=Message Service Client for .NET thread=[1 : 0]
exit
[23/02/2021 22:52:18:777298 Pacific Standard Time] 00000006 > UOW= source=IBM.WMQ.Nmqi.MQEncryptedSocket method=ClientValidatingServerCertificate(Object,X509Certificate,X509Chain,SslPolicyErrors) [:] org=IBM prod=WebSphere component=Message Service Client for .NET thread=[1 : 0]
entry
[23/02/2021 22:52:18:777298 Pacific Standard Time] 00000006 d UOW= source=IBM.WMQ.Nmqi.MQEncryptedSocket org=IBM prod=WebSphere component=Message Service Client for .NET thread=[1 : 0]
Client did not specify a SSLPEERNAME, hence SSLPeerNameMatching not done
[23/02/2021 22:52:18:777298 Pacific Standard Time] 00000006 < UOW= source=IBM.WMQ.Nmqi.MQEncryptedSocket method=ClientValidatingServerCertificate(Object,X509Certificate,X509Chain,SslPolicyErrors) rc=OK [:] org=IBM prod=WebSphere component=Message Service Client for .NET thread=[1 : 0]
exit
[23/02/2021 22:52:18:777298 Pacific Standard Time] 00000006 d UOW= source=IBM.WMQ.Nmqi.MQEncryptedSocket org=IBM prod=WebSphere component=Message Service Client for .NET thread=[1 : 0]
SSL Authentication completed
Server Log
AMQ9631E: The CipherSpec negotiated during the SSL handshake does not match the
required CipherSpec for channel 'MQEXPLORER.CHL'.
EXPLANATION:
There is a mismatch between the CipherSpecs on the local and remote ends of
channel 'MQEXPLORER.CHL'. The channel will not run until this mismatch is
resolved. The CipherSpec required in the local channel definition is
'TLS_RSA_WITH_AES_256_CBC_SHA256'. The name of the CipherSpec negotiated during
the SSL handshake is 'TLS_RSA_WITH_AES_128_CBC_SHA256'. A code is displayed if
the name of the negotiated CipherSpec cannot be determined.
ACTION:
Change the channel definitions for 'MQEXPLORER.CHL' so the two ends have
matching CipherSpecs and restart the channel. If the certificate in use by one
end of the channel is a Global Server Certificate, then the negotiated
CipherSpec may not match that specified on either end of the channel. This is
because the SSL protocol allows a Global Server Certificate to automatically
negotiate a higher level of encryption. In these cases specify a CipherSpec
which meets the requirements of the Global Server Certificate.
enter code here
Update Removing AES_128 from the Windows policy helped resolve the last error, but I'm still seeing a 2059 reason code. The server is saying the certificate wasn't specified but the client trace says otherwise.
Client Trace
[03/03/2021 09:23:51:063098 Pacific Standard Time] 00000006 d UOW= source=IBM.WMQ.Nmqi.MQEncryptedSocket org=IBM prod=WebSphere component=Message Service Client for .NET thread=[1 : 0]
SSL Authentication completed
[03/03/2021 09:23:51:063098 Pacific Standard Time] 00000006 < UOW= source=IBM.WMQ.Nmqi.MQEncryptedSocket method=MakeSecuredConnection() rc=OK [:] org=IBM prod=WebSphere component=Message Service Client for .NET thread=[1 : 0]
exit
[03/03/2021 09:23:51:063098 Pacific Standard Time] 00000006 < UOW= source=IBM.WMQ.MQTCPConnection method=ConnectSocket(string,string,MQLONG) rc=OK [:] org=IBM prod=WebSphere component=Message Service Client for .NET thread=[1 : 0]
exit
[03/03/2021 09:23:51:063098 Pacific Standard Time] 00000006 d UOW= source=IBM.WMQ.MQTCPConnection org=IBM prod=WebSphere component=Message Service Client for .NET thread=[1 : 0]
Protocol connected..for this connection request.
....
[03/03/2021 09:23:51:078705 Pacific Standard Time] 00000006 X UOW= source=IBM.WMQ.MQFAP org=IBM prod=WebSphere component=Message Service Client for .NET thread=[1 : 0]
CompCode: 2, Reason: 2059
[03/03/2021 09:23:51:078705 Pacific Standard Time] 00000006 d UOW= source= org=IBM prod=WebSphere component=Message Service Client for .NET thread=[1 : 0]
New MQException CompCode: 2 Reason: 2059
[03/03/2021 09:23:51:078705 Pacific Standard Time] 00000006 d UOW= source= org=IBM prod=WebSphere component=Message Service Client for .NET thread=[1 : 0]
New NmqiException CompCode: 2 Reason: 2059
Server Log
AMQ9637E: During handshake, the remote partner sent no certificate.
EXPLANATION:
The conversation cannot begin because a certificate has not been supplied by
the remote partner.
The channel name is 'TST.CHL'.
If this error message is written on the receiving side of the channel, then the
channel attributes 'SSLCAUTH' caused the check to be made.
ACTION:
Look at the key repository on the remote side of this channel, and make sure
the appropriate certificates are present, with correct labels.
----- amqccisa.c : 8146 -------------------------------------------------------
03/03/21 09:23:51 - Process(140687.1923660) User(mqsystem) Program(amqrmppa)
AMQ9999E: Channel 'TST.CHL' to <host> ended abnormally.
EXPLANATION:
The channel program running under process ID 140687 for channel 'TST.CHL' ended
abnormally. The host name is '<>; in some cases the host name cannot
be determined and so is shown as '????'.
TLS_RSA_WITH_AES_256_CBC_SHA256fall in your cipher order? What version is the MQ queue manager? – JoshMc