Closed johnllao closed 5 years ago
That code looks OK to me. Though the CipherSpec looks like it might be one of the deprecated/disabled ones. Is there anything in the qmgr or client error logs? They usually give a lot more information.
Thanks. I tried checking the client error logs.
The client error log shows the error below. I tried all the CipherSpecs documented but am still getting the same error. Any ideas?
https://www.ibm.com/support/knowledgecenter/en/SSFKSJ_7.5.0/com.ibm.mq.sec.doc/q014260_.htm
AMQ9641E: Remote CipherSpec error for channel 'XYZ.SVRCONN' to host
'server.com(1414)'.
EXPLANATION:
The remote end of channel 'XYZ.SVRCONN' on host 'server.com(1414)' has indicated a CipherSpec error
'SSLCIPH(TLS_RSA_WITH_AES_256_CBC_SHA256 ) -> SSLCIPH(????)'. The channel did
not start.
ACTION:
Check that the CipherSpec values specified on the XYZ.SVRCONN channel
definition on both the local and remote system match. If necessary, review the
queue manager error logs on the remote system to discover more information
about the CipherSpec error.
Did you do what that message tells you? What does the queue manager error log say? What is the SVRCONN definition for the cipherspec?
Unfortunately I cannot get access to the remote queue manager due to some restrictions and policies here. I have tried running all the cipher specs available on the server but none of them was able to get a connection:
ECDHE-RSA-AES256-GCM-SHA384 - MQRC_SSL_INITIALIZATION_ERROR
ECDHE-ECDSA-AES256-GCM-SHA384 - MQRC_SSL_INITIALIZATION_ERROR
ECDHE-RSA-AES256-SHA384 - MQRC_SSL_INITIALIZATION_ERROR
ECDHE-ECDSA-AES256-SHA384 - MQRC_SSL_INITIALIZATION_ERROR
ECDHE-RSA-AES256-SHA - MQRC_SSL_INITIALIZATION_ERROR
ECDHE-ECDSA-AES256-SHA - MQRC_SSL_INITIALIZATION_ERROR
DH-DSS-AES256-GCM-SHA384 - MQRC_SSL_INITIALIZATION_ERROR
DHE-DSS-AES256-GCM-SHA384 - MQRC_SSL_INITIALIZATION_ERROR
DH-RSA-AES256-GCM-SHA384 - MQRC_SSL_INITIALIZATION_ERROR
DHE-RSA-AES256-GCM-SHA384 - MQRC_SSL_INITIALIZATION_ERROR
DHE-RSA-AES256-SHA256 - MQRC_SSL_INITIALIZATION_ERROR
DHE-DSS-AES256-SHA256 - MQRC_SSL_INITIALIZATION_ERROR
DH-RSA-AES256-SHA256 - MQRC_SSL_INITIALIZATION_ERROR
DH-DSS-AES256-SHA256 - MQRC_SSL_INITIALIZATION_ERROR
DHE-RSA-AES256-SHA - MQRC_SSL_INITIALIZATION_ERROR
DHE-DSS-AES256-SHA - MQRC_SSL_INITIALIZATION_ERROR
DH-RSA-AES256-SHA - MQRC_SSL_INITIALIZATION_ERROR
DH-DSS-AES256-SHA - MQRC_SSL_INITIALIZATION_ERROR
DHE-RSA-CAMELLIA256-SHA - MQRC_SSL_INITIALIZATION_ERROR
DHE-DSS-CAMELLIA256-SHA - MQRC_SSL_INITIALIZATION_ERROR
DH-RSA-CAMELLIA256-SHA - MQRC_SSL_INITIALIZATION_ERROR
DH-DSS-CAMELLIA256-SHA - MQRC_SSL_INITIALIZATION_ERROR
ECDH-RSA-AES256-GCM-SHA384 - MQRC_SSL_INITIALIZATION_ERROR
ECDH-ECDSA-AES256-GCM-SHA384 - MQRC_SSL_INITIALIZATION_ERROR
ECDH-RSA-AES256-SHA384 - MQRC_SSL_INITIALIZATION_ERROR
ECDH-ECDSA-AES256-SHA384 - MQRC_SSL_INITIALIZATION_ERROR
ECDH-RSA-AES256-SHA - MQRC_SSL_INITIALIZATION_ERROR
ECDH-ECDSA-AES256-SHA - MQRC_SSL_INITIALIZATION_ERROR
AES256-GCM-SHA384 - MQRC_SSL_INITIALIZATION_ERROR
AES256-SHA256 - MQRC_SSL_INITIALIZATION_ERROR
AES256-SHA - MQRC_SSL_INITIALIZATION_ERROR
CAMELLIA256-SHA - MQRC_SSL_INITIALIZATION_ERROR
PSK-AES256-CBC-SHA - MQRC_SSL_INITIALIZATION_ERROR
ECDHE-RSA-AES128-GCM-SHA256 - MQRC_SSL_INITIALIZATION_ERROR
ECDHE-ECDSA-AES128-GCM-SHA256 - MQRC_SSL_INITIALIZATION_ERROR
ECDHE-RSA-AES128-SHA256 - MQRC_SSL_INITIALIZATION_ERROR
ECDHE-ECDSA-AES128-SHA256 - MQRC_SSL_INITIALIZATION_ERROR
ECDHE-RSA-AES128-SHA - MQRC_SSL_INITIALIZATION_ERROR
ECDHE-ECDSA-AES128-SHA - MQRC_SSL_INITIALIZATION_ERROR
DH-DSS-AES128-GCM-SHA256 - MQRC_SSL_INITIALIZATION_ERROR
DHE-DSS-AES128-GCM-SHA256 - MQRC_SSL_INITIALIZATION_ERROR
DH-RSA-AES128-GCM-SHA256 - MQRC_SSL_INITIALIZATION_ERROR
DHE-RSA-AES128-GCM-SHA256 - MQRC_SSL_INITIALIZATION_ERROR
DHE-RSA-AES128-SHA256 - MQRC_SSL_INITIALIZATION_ERROR
DHE-DSS-AES128-SHA256 - MQRC_SSL_INITIALIZATION_ERROR
DH-RSA-AES128-SHA256 - MQRC_SSL_INITIALIZATION_ERROR
DH-DSS-AES128-SHA256 - MQRC_SSL_INITIALIZATION_ERROR
DHE-RSA-AES128-SHA - MQRC_SSL_INITIALIZATION_ERROR
DHE-DSS-AES128-SHA - MQRC_SSL_INITIALIZATION_ERROR
DH-RSA-AES128-SHA - MQRC_SSL_INITIALIZATION_ERROR
DH-DSS-AES128-SHA - MQRC_SSL_INITIALIZATION_ERROR
DHE-RSA-SEED-SHA - MQRC_SSL_INITIALIZATION_ERROR
DHE-DSS-SEED-SHA - MQRC_SSL_INITIALIZATION_ERROR
DH-RSA-SEED-SHA - MQRC_SSL_INITIALIZATION_ERROR
DH-DSS-SEED-SHA - MQRC_SSL_INITIALIZATION_ERROR
DHE-RSA-CAMELLIA128-SHA - MQRC_SSL_INITIALIZATION_ERROR
DHE-DSS-CAMELLIA128-SHA - MQRC_SSL_INITIALIZATION_ERROR
DH-RSA-CAMELLIA128-SHA - MQRC_SSL_INITIALIZATION_ERROR
DH-DSS-CAMELLIA128-SHA - MQRC_SSL_INITIALIZATION_ERROR
ECDH-RSA-AES128-GCM-SHA256 - MQRC_SSL_INITIALIZATION_ERROR
ECDH-ECDSA-AES128-GCM-SHA256 - MQRC_SSL_INITIALIZATION_ERROR
ECDH-RSA-AES128-SHA256 - MQRC_SSL_INITIALIZATION_ERROR
ECDH-ECDSA-AES128-SHA256 - MQRC_SSL_INITIALIZATION_ERROR
ECDH-RSA-AES128-SHA - MQRC_SSL_INITIALIZATION_ERROR
ECDH-ECDSA-AES128-SHA - MQRC_SSL_INITIALIZATION_ERROR
AES128-GCM-SHA256 - MQRC_SSL_INITIALIZATION_ERROR
AES128-SHA256 - MQRC_SSL_INITIALIZATION_ERROR
AES128-SHA - MQRC_SSL_INITIALIZATION_ERROR
SEED-SHA - MQRC_SSL_INITIALIZATION_ERROR
CAMELLIA128-SHA - MQRC_SSL_INITIALIZATION_ERROR
PSK-AES128-CBC-SHA - MQRC_SSL_INITIALIZATION_ERROR
ECDHE-RSA-DES-CBC3-SHA - MQRC_SSL_INITIALIZATION_ERROR
ECDHE-ECDSA-DES-CBC3-SHA - MQRC_SSL_INITIALIZATION_ERROR
EDH-RSA-DES-CBC3-SHA - MQRC_SSL_INITIALIZATION_ERROR
EDH-DSS-DES-CBC3-SHA - MQRC_SSL_INITIALIZATION_ERROR
DH-RSA-DES-CBC3-SHA - MQRC_SSL_INITIALIZATION_ERROR
DH-DSS-DES-CBC3-SHA - MQRC_SSL_INITIALIZATION_ERROR
ECDH-RSA-DES-CBC3-SHA - MQRC_SSL_INITIALIZATION_ERROR
ECDH-ECDSA-DES-CBC3-SHA - MQRC_SSL_INITIALIZATION_ERROR
DES-CBC3-SHA - MQRC_SSL_INITIALIZATION_ERROR
IDEA-CBC-SHA - MQRC_SSL_INITIALIZATION_ERROR
PSK-3DES-EDE-CBC-SHA - MQRC_SSL_INITIALIZATION_ERROR
KRB5-IDEA-CBC-SHA - MQRC_SSL_INITIALIZATION_ERROR
KRB5-DES-CBC3-SHA - MQRC_SSL_INITIALIZATION_ERROR
KRB5-IDEA-CBC-MD5 - MQRC_SSL_INITIALIZATION_ERROR
KRB5-DES-CBC3-MD5 - MQRC_SSL_INITIALIZATION_ERROR
ECDHE-RSA-RC4-SHA - MQRC_SSL_INITIALIZATION_ERROR
ECDHE-ECDSA-RC4-SHA - MQRC_SSL_INITIALIZATION_ERROR
ECDH-RSA-RC4-SHA - MQRC_SSL_INITIALIZATION_ERROR
ECDH-ECDSA-RC4-SHA - MQRC_SSL_INITIALIZATION_ERROR
RC4-SHA - MQRC_SSL_INITIALIZATION_ERROR
RC4-MD5 - MQRC_SSL_INITIALIZATION_ERROR
PSK-RC4-SHA - MQRC_SSL_INITIALIZATION_ERROR
KRB5-RC4-SHA - MQRC_SSL_INITIALIZATION_ERROR
KRB5-RC4-MD5 - MQRC_SSL_INITIALIZATION_ERROR
Log message
----- amqccisa.c : 954 --------------------------------------------------------
01/31/2019 02:55:58 PM - Process(19133.1) User(dcc) Program(ibmmqconn)
Host(server.com) Installation(MQNI09010100)
VRMF(9.1.1.0)
Time(2019-01-31T06:55:58.751Z)
RemoteHost(10.91.132.120(1416))
CommentInsert1(XYZ.SVRCONN)
CommentInsert2(KRB5-DES-CBC3-MD5)
AMQ9635E: Channel 'XYZ.SVRCONN' did not specify a valid CipherSpec.
EXPLANATION:
Channel 'XYZ.SVRCONN' specifies a value of 'KRB5-DES-CBC3-MD5' for CipherSpec
which is not valid to start a secure connection.
ACTION:
Check product documentation to confirm that the CipherSpec specified in the
channel definition is valid. Note that IBM may need to deprecate the use of
CipherSpecs via product maintenance in response to a security vulnerability.
A blank CipherSpec value specifies that the channel was expected to use a
plaintext connection but the remote channel defintion expects to use a secure
connection.
If the default list of enabled CipherSpecs has been provided by setting the
AMQ_ALLOWED_CIPHERS environment variable, or provided by setting the
'AllowedCipherSpecs' attribute under the SSL stanza in the qm.ini file, the
channel CipherSpec must be on this list.
All CipherSpecs that use NULL, SHA-1, MD5, DES, Triple DES, RC2 and RC4
algorithms have been deprecated. All other CipherSpecs that use the SSLv3 or
TLSv1 protocol have been deprecated. Continued use of any of these CipherSpecs
is not recommended but may be temporarily enabled by setting the
AMQ_SSL_WEAK_CIPHER_ENABLE environment variable, or via the
'AllowWeakCipherSpec' attribute under the SSL stanza in the qm.ini file.
Change channel 'XYZ.SVRCONN' to specify a valid CipherSpec.
For a start, "-" is not valid in a cipherspec. Separation of elements is done with underscores. But you should have been told the cipherspec to use by whoever told you which channel to use (and the rest of the pertinent information).
Looking at that list of CipherSpecs there are very few that I think MQ has. When you say you're supplying ones that are available on the server, do you mean the queue manager or the actual machine MQ is running on?
For reference, here is a list of the CipherSpecs that MQ supports by default.
Additionally, MQ can support older, weaker CipherSpecs, but these have to be enabled on the queue manager.
On a side note, in case you look at this in the future: if you are doing anything using Java -> MQ, you will need to use this table to match the CipherSuites Java uses to the CipherSpecs that MQ uses.
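As an added example (not code from the mq-golang project or from anyone in this thread), the following Go program turns the two points above into a pre-flight check a client can run before touching MQCONNX: a value containing "-" is an OpenSSL/Java-style name rather than an MQ CipherSpec, and anything built on the algorithms the AMQ9635E text lists (NULL, MD5, DES/Triple DES, RC2, RC4, SHA-1 MACs) is deprecated and will be refused unless the queue manager has re-enabled weak CipherSpecs. The `knownCipherSpecs` table is an illustrative subset I constructed from the documented names, not the product's list, and the function names are hypothetical.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// CipherSpecCheck is the result of a pre-flight check of one SSLCIPH value.
type CipherSpecCheck struct {
	Spec    string
	Valid   bool     // well-formed, not deprecated, and on the known table
	Reasons []string // why it was rejected; empty when Valid
}

// knownCipherSpecs is a small illustrative subset of the CipherSpec names IBM
// documents for MQ; constructed for this example, not the product's own list.
var knownCipherSpecs = map[string]bool{
	"TLS_RSA_WITH_AES_128_CBC_SHA256": true,
	"TLS_RSA_WITH_AES_256_CBC_SHA256": true,
	"TLS_RSA_WITH_AES_128_GCM_SHA256": true,
	"TLS_RSA_WITH_AES_256_GCM_SHA384": true,
	"ECDHE_RSA_AES_128_GCM_SHA256":    true,
	"ECDHE_RSA_AES_256_GCM_SHA384":    true,
	"ECDHE_ECDSA_AES_128_GCM_SHA256":  true,
	"ECDHE_ECDSA_AES_256_GCM_SHA384":  true,
}

// deprecatedAlgorithms are substrings the AMQ9635E text names as deprecated;
// "DES" also matches the Triple DES names (DES_CBC3, 3DES).
var deprecatedAlgorithms = []string{"NULL", "MD5", "DES", "RC2", "RC4"}

// MQ CipherSpec names are upper-case alphanumerics joined with underscores.
var specSyntax = regexp.MustCompile(`^[A-Z0-9_]+$`)

// checkCipherSpec inspects one SSLCIPH value and explains every problem found.
func checkCipherSpec(spec string) CipherSpecCheck {
	// MQ pads SSLCIPH to a fixed width, so trailing blanks are not an error.
	c := CipherSpecCheck{Spec: strings.TrimSpace(spec)}
	spec = c.Spec
	if spec == "" {
		c.Reasons = append(c.Reasons, "blank: the channel would attempt a plaintext connection")
		return c
	}
	if strings.Contains(spec, "-") {
		c.Reasons = append(c.Reasons, "uses '-' separators (OpenSSL/Java style); MQ CipherSpecs use '_'")
	} else if !specSyntax.MatchString(spec) {
		c.Reasons = append(c.Reasons, "contains characters other than A-Z, 0-9 and '_'")
	}
	for _, alg := range deprecatedAlgorithms {
		if strings.Contains(spec, alg) {
			c.Reasons = append(c.Reasons, "deprecated algorithm "+alg)
		}
	}
	// A name ending in SHA with no digest length is a SHA-1 MAC.
	if strings.HasSuffix(spec, "_SHA") || strings.HasSuffix(spec, "-SHA") {
		c.Reasons = append(c.Reasons, "deprecated SHA-1 MAC")
	}
	if len(c.Reasons) == 0 && !knownCipherSpecs[spec] {
		c.Reasons = append(c.Reasons, "not in the known CipherSpec table")
	}
	c.Valid = len(c.Reasons) == 0
	return c
}

// triageCipherSpecs splits a candidate list into usable names and rejects.
func triageCipherSpecs(specs []string) (accepted []string, rejected []CipherSpecCheck) {
	for _, s := range specs {
		r := checkCipherSpec(s)
		if r.Valid {
			accepted = append(accepted, r.Spec)
		} else {
			rejected = append(rejected, r)
		}
	}
	return accepted, rejected
}

func main() {
	// Constructed sample: the padded value from the AMQ9641E message and two
	// OpenSSL-style names of the kind listed earlier in the thread.
	candidates := []string{
		"TLS_RSA_WITH_AES_256_CBC_SHA256 ",
		"KRB5-DES-CBC3-MD5",
		"AES256-SHA",
		"ECDHE_RSA_AES_128_GCM_SHA256",
	}
	ok, bad := triageCipherSpecs(candidates)
	fmt.Println("accepted:", ok)
	for _, r := range bad {
		fmt.Printf("rejected %q: %s\n", r.Spec, strings.Join(r.Reasons, "; "))
	}
}
```

The check deliberately reports every reason rather than the first one, so a name such as `KRB5-DES-CBC3-MD5` is flagged for its separator, its MD5 MAC and its DES cipher at once; that is more useful than the single `MQRC_SSL_INITIALIZATION_ERROR` the client otherwise returns for each attempt.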
Thanks. One more question: for mq-golang, can I pass a CipherSuite instead of an individual CipherSpec?
Also, do I need to install the IBM MQ client from https://developer.ibm.com/messaging/mq-downloads/? Since I don't have admin privileges on my Windows 10 workstation, I used the "Redistributable IBM MQ Clients" instead.
The latest (9.1.1) redist client is good enough as it includes the necessary pieces to compile against.
I have created a queue manager on IBM Cloud. Connecting using user name and password works fine; however, after enabling TLS/SSL I got the error below.
See the screenshot of the config and the code snippet below. Can you help me figure out anything I missed?
Error message
AMQ9642E: No SSL or TLS certificate for channel 'CLOUD.APP.SVRCONN'.
EXPLANATION:
The channel 'CLOUD.APP.SVRCONN' did not supply a certificate to use during SSL
or TLS handshaking, but a certificate is required by the remote queue manager.
The remote host is 'a6 (130.198.80.166)(31235)'.
The channel did not start.
ACTION:
Ensure that the key repository of the local queue manager or MQ client contains
a certificate which is associated with the queue manager or client. If you have
configured a certificate label, check that the certificate exists.
Alternatively, if appropriate, change the remote channel definition so that its
SSLCAUTH attribute is set to OPTIONAL and it has no SSLPEER value set.
Channel SSL config: the SSL certificate is set up in the channel.
Queue manager SSL config: the SSL certificate is set up in the queue manager.
Keystore commands: created a certificate store and added the certificate qmgrcert downloaded from the queue manager.
runmqakm -keydb -create -db key.kdb -pw dcc -type cms -stash
runmqakm -keydb -stashpw -db key.kdb -pw dcc
runmqakm -cert -add -db key.kdb -pw dcc -type pem -file qmgrcert.pem -label qmgrcert
runmqakm -cert -list all -db key.kdb -pw dcc
5724-H72 (C) Copyright IBM Corp. 1994, 2018.
Certificates found
* default, - personal, ! trusted, # secret key
! qmgrcert
! "CN=DigiCert SHA2 Secure Server CA,O=DigiCert Inc,C=US"
! "CN=DigiCert Global Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US"
Code snippet: pass the certificate store into the code.
package main

// Import path of the mq-golang bindings is assumed; the original snippet omitted it.
import "github.com/ibm-messaging/mq-golang/ibmmq"

func openQueueManager() (*ibmmq.MQQueueManager, error) {
    // Connection options: client (TCP) binding rather than local bindings.
    var cno = ibmmq.NewMQCNO()
    cno.Options = ibmmq.MQCNO_CLIENT_BINDING

    // Channel definition: SVRCONN channel, host(port), and the CipherSpec that
    // must match SSLCIPH on the queue manager's channel definition.
    var cd = ibmmq.NewMQCD()
    cd.ChannelName = "CLOUD.APP.SVRCONN"
    cd.ConnectionName = "qm1-c28c.qm.au-syd.mq.appdomain.cloud(31235)"
    cd.SSLCipherSpec = "TLS_RSA_WITH_AES_256_CBC_SHA256"
    cd.SSLClientAuth = ibmmq.MQSCA_REQUIRED
    cd.CertificateLabel = "qmgrcert"
    cno.ClientConn = cd

    // User ID and password authentication (MQCSP).
    var csp = ibmmq.NewMQCSP()
    csp.AuthenticationType = ibmmq.MQCSP_AUTH_USER_ID_AND_PWD
    csp.UserId = "johnapp"
    csp.Password = "xyz"
    cno.SecurityParms = csp

    // TLS configuration: key repository stem (key.kdb and key.sth, without the
    // extension) and the label of the certificate this client presents.
    var sco = ibmmq.NewMQSCO()
    sco.KeyRepository = "C:\\work\\bin\\ssl\\key"
    sco.CertificateLabel = "qmgrcert"
    cno.SSLConfig = sco

    qmgr, err := ibmmq.Connx("QM1", cno)
    if err != nil {
        return nil, err
    }
    return &qmgr, nil
}
You appear to be trying to use the same certificate both to identify the qmgr and the client, which would be - to say the least - unusual. You don't say which end of the connection that error log entry comes from. It does seem fairly specific that a cert has not been provided. Since you have specified MQSCA_REQUIRED, then both ends must have certificates, and both ends must have appropriate signer certs in their keystores to validate the other end.
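To make the distinction in the reply above concrete, here is an added Go example; it is not mq-golang code and not from anyone in this thread. It models a client key repository the way `runmqakm -cert -list` reports it: a certificate added with `-cert -add` is a trusted signer ("!", public part only) and can only be used to validate the remote end, while only a personal entry ("-", certificate plus private key) can satisfy SSLCAUTH(REQUIRED). The certificates are constructed self-signed stand-ins generated in-process for qmgrcert.pem and a client certificate; the label `ibmwebspheremqjohnapp` follows the MQ default client label convention (ibmwebspheremq plus the lower-case user ID) and is an assumption here, as are the function names.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Entry is one record of a client key repository in runmqakm's terms:
// "!" trusted (signer certificate, no private key) or "-" personal
// (certificate plus private key, the only kind that can identify this end).
type Entry struct {
	Label string
	Cert  *x509.Certificate
	Key   *ecdsa.PrivateKey // nil for a trusted entry
}

// Marker returns the symbol runmqakm -cert -list prints for this entry.
func (e Entry) Marker() string {
	if e.Key != nil {
		return "-"
	}
	return "!"
}

// selfSigned builds a constructed self-signed certificate for the demo.
func selfSigned(cn string, serial int64, isCA bool) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	ku := x509.KeyUsageDigitalSignature
	if isCA {
		ku |= x509.KeyUsageCertSign
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              ku,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// canPresentCert reports whether the client could answer SSLCAUTH(REQUIRED)
// with the entry under the given label, and why not otherwise.
func canPresentCert(repo []Entry, label string) (bool, string) {
	for _, e := range repo {
		if e.Label != label {
			continue
		}
		if e.Key == nil {
			return false, fmt.Sprintf("label %q is a trusted signer with no private key: expect AMQ9642E", label)
		}
		return true, ""
	}
	return false, fmt.Sprintf("no entry labelled %q in the key repository", label)
}

// peerTrusted reports whether the remote end's certificate chains to a trusted
// entry, which is what adding the queue manager's certificate is for.
func peerTrusted(repo []Entry, peer *x509.Certificate) bool {
	roots := x509.NewCertPool()
	for _, e := range repo {
		if e.Key == nil {
			roots.AddCert(e.Cert)
		}
	}
	_, err := peer.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	return err == nil
}

// buildRepos reproduces the situation in the thread (only the qmgr certificate,
// stored as trusted) and the corrected one (plus a personal client certificate).
func buildRepos() ([]Entry, []Entry, *x509.Certificate, error) {
	qmgrCert, _, err := selfSigned("qm1", 1, true) // constructed stand-in for qmgrcert.pem
	if err != nil {
		return nil, nil, nil, err
	}
	clientCert, clientKey, err := selfSigned("johnapp", 2, false)
	if err != nil {
		return nil, nil, nil, err
	}
	onlyQmgr := []Entry{{Label: "qmgrcert", Cert: qmgrCert}}
	withClient := []Entry{onlyQmgr[0], {Label: "ibmwebspheremqjohnapp", Cert: clientCert, Key: clientKey}}
	return onlyQmgr, withClient, qmgrCert, nil
}

func main() {
	onlyQmgr, withClient, qmgrCert, err := buildRepos()
	if err != nil {
		panic(err)
	}
	for _, repo := range [][]Entry{onlyQmgr, withClient} {
		for _, e := range repo {
			fmt.Printf("%s %s\n", e.Marker(), e.Label)
		}
		ok, why := canPresentCert(repo, "qmgrcert")
		fmt.Printf("present 'qmgrcert' as client identity: %v %s\n", ok, why)
		fmt.Printf("queue manager certificate trusted: %v\n\n", peerTrusted(repo, qmgrCert))
	}
}
```

In the first repository the queue manager certificate validates the server end but there is nothing the client can present, which is the state the AMQ9642E message describes; in the second the personal entry under its own label is what `sco.CertificateLabel` should name, while the trusted entry keeps doing the peer validation.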
Do you have any mq-golang samples for a TLS connection? I am getting the error MQCONNX: MQCC = MQCC_FAILED [2] MQRC = MQRC_SSL_INITIALIZATION_ERROR [2393]