ibm-messaging / mq-helm


Connecting with MQ Explorer via SSL #36

Closed andrescolodrero closed 1 year ago

andrescolodrero commented 1 year ago

Hi, I have been trying to use the same helm chart example for OpenShiftNativeHA. In the end I have 2 routes: web and qm route.

Connecting to the cluster using a nodePort (non SSL), works fine.

Now I want to try out the connection via SSL, but I always get SSL errors and I don't reach the MQ logs (yet).

I have the "application.jks" file in a folder and configured MQ Explorer to use "application.jks".

qm: mqdev
channel: MTLSQMCHL
mq route: https://mqdev-ibm-mq-qm-mqdev.apps
mq web route: https://mqdev-ibm-mq-web-mqdev.apps

```text
Queue manager mqdev is not available for client connection due to an SSL configuration error. (AMQ4199)
Queue manager mqdev is not available for client connection due to an SSL configuration error. (AMQ4199)
Severity: 30 (Severe Error)
Explanation: The user is trying to connect to a remote queue manager using a secure connection.
Response: Check the SSL configuration of the target queue manager and the local SSL trust store.
```

```json
{
  "channel": [
    {
      "name": "MTLSQMCHL",
      "clientConnection": {
        "connection": [
          { "host": "mqdev-ibm-mq-qm-mqdev.apps", "port": 443 }
        ],
        "queueManager": "mqdev"
      },
      "transmissionSecurity": {
        "cipherSpecification": "ANY_TLS12_OR_HIGHER"
      },
      "type": "clientConnection"
    }
  ]
}
```

And again, I'm not seeing any logs. Only if I go to a browser and open https://mqdev-ibm-mq-qm-mqdev.apps do I get:

```text
The data received from host '10.131.0.2' on channel '????' is not valid. [CommentInsert1(10.131.0.2), CommentInsert2(TCP/IP), CommentInsert3(????)]
2023-02-23T14:58:20.900Z AMQ9999E: Channel '????' to host '10.131.0.2' ended abnormally. [CommentInsert1(????), CommentInsert2(688), CommentInsert3(10.131.0.2)]
```

callumpjackson commented 1 year ago

Hi - I think the issue is due to the OpenShift SNI routing of TLS communication and the default behavior of the MQ Explorer. It would be interesting to understand if you get the same problem when running the sample test programs within the readme. If the samples connect I've written up the consideration around OpenShift Routes and MQ's SNI usage here, and you may need to create a new OpenShift Route for the MQ Explorer communication.

andrescolodrero commented 1 year ago

Hi, from ./sendMessage.sh I always get the same error:

```text
Starting amqsphac mqdev
Sample AMQSPHAC start
MQCONNX ended with reason code 2393
Sample AMQSPHAC end
```

The client is a Linux machine. mqclient.ini, in the same directory as sendMessage.sh, has:

```ini
SSL:
   OutboundSNI=HOSTNAME
```

also tried:

```ini
SSL:
   OutboundSNI=mqdev-ibm-mq-qm-mqdev.apps
```

Unfortunately I can't see any log errors on either the client or the server.

callumpjackson commented 1 year ago

Can you confirm what version of the IBM MQ client you have installed on your machine?

andrescolodrero commented 1 year ago

This is the version I'm using: 9.2.0.7-IBM-MQC-Redist-LinuxX64.tar.gz

```text
Name:        IBM MQ
Version:     9.2.0.7
Level:       p920-007-221118
BuildType:   IKAP - (Production)
Platform:    IBM MQ for Linux (x86-64 platform)
Mode:        64-bit
O/S:         Linux 5.15.79.1-microsoft-standard-WSL2
O/S Details: Ubuntu 20.04.4 LTS (Focal Fossa)
InstName:    MQNI92L22111800P
InstDesc:    IBM MQ V9.2.0.7 (Redistributable)
Primary:     N/A
```

callumpjackson commented 1 year ago

I think that’s the issue, your client version is 9.2.0.7 and you need at least 9.2.1. Could you upgrade the MQ version - maybe to 9.3.x then hopefully when you try the sample it will work.

andrescolodrero commented 1 year ago

Thanks, but it is still not working after I upgraded it:

```text
Name:        IBM MQ
Version:     9.3.2.0
Level:       p932-L230207
BuildType:   IKAP - (Production)
Platform:    IBM MQ for Linux (x86-64 platform)
```

What do you mean with "you may need to create a new OpenShift Route for the MQ Explorer communication"? Are there any specifications for a route used for MQ?

All works for me, except SSL communication.

callumpjackson commented 1 year ago

Let me explain the previous comments about the OpenShift Route.

If you are using the sample programs sendMessage.sh and getMessage.sh that should now be working (it’s unclear if your above comment is for the sample or MQ explorer). If things are not working can you send the content of the mqclient.ini file, MQ client error log, yaml used to deploy the helm chart, the steps you are following to test and I’ll take a look to see if there is anything obviously wrong.

With MQ Explorer it will always be sending the default SNI header which is built based on the logic here: https://www.ibm.com/support/pages/ibm-websphere-mq-how-does-mq-provide-multiple-certificates-certlabl-capability And referenced in the document I previously mentioned. To get MQ Explorer working you will need to define another OpenShift Route to allow the communication through, but before we look at that let’s get the sample program working.

andrescolodrero commented 1 year ago

Hi, I could send you the files, but: mqclient.ini is the one from the "test" folder; yaml, queues, etc. are the same as in your example.

One thing: I don't think the client is picking up the config from mqclient.ini. I edited the file with a nonexistent key "SSLxxx:" and ./sendMessage.sh didn't fail.

I would say the problem is with the client using SNI. mqclient.ini (located in OpenShiftNativeHA/test):

```ini
#*****************************************************#
#* Notes :                                            *#
#* 1) This file defines the configuration of a client *#
#*****************************************************#
SSL:
   OutboundSNI=HOSTNAME
```

ccdt file:

```json
{
  "channel": [
    {
      "name": "MTLSQMCHL",
      "clientConnection": {
        "connection": [
          { "host": "mqdev-ibm-mq-qm-mqdev.apps", "port": 443 }
        ],
        "queueManager": "mqdev"
      },
      "transmissionSecurity": {
        "cipherSpecification": "ANY_TLS12_OR_HIGHER",
        "certificateLabel": "aceclient"
      },
      "type": "clientConnection"
    }
  ]
}
```

To avoid problems with the environment, etc., I moved all the certs to the "test" folder, so ./sendMessage.sh looks like:

```bash
export MQCCDTURL="ccdt_generated.json"
export MQSSLKEYR="application"
export MQCLNTCF=/mnt/c/Temp/mq-helm-main/samples/OpenShiftNativeHA-Development/test

echo "Starting amqsphac" mqdev
/opt/mqm/samp/bin/amqsphac APPQ mqdev
```

The error logs on the MQ client are empty:

```text
root@MIS3749:/var/mqm/errors# ls -l
total 0
-rw-rw-r-- 1 mqm mqm 0 Jan 12 14:40 AMQERR01.LOG
-rw-rw-r-- 1 mqm mqm 0 Jan 12 14:40 AMQERR02.LOG
-rw-rw-r-- 1 mqm mqm 0 Jan 12 14:40 AMQERR03.LOG
```

Something I don't understand is when you do this in the test:

```bash
export MQCCDTURL="${DIR}/ccdt_generated.json"
export MQSSLKEYR="${DIR}/../../genericresources/createcerts/application"
```

What file are you pointing to? All of them? Only the kdb?

callumpjackson commented 1 year ago

Hi - let me try and answer your questions above:

  1. The MQ client logic for searching for a mqclient.ini file is documented here. As you can see, the second check will be a file called mqclient.ini in the present working directory of the application. Assuming you are running the script while within the test directory it should be picked up. One possible issue could be if you are setting the MQCLNTCF environment variable as shown above. As mentioned in the link this should be an absolute file location, and it appears to be pointing to a directory instead of a file.
  2. The MQCCDTURL points to the CCDT file that is generated by the script file; details of this property can be found here. As the URL is environment dependent, the sendMessage.sh generates this file automatically for you.
  3. The MQSSLKEYR points to the key store. As outlined here, you don't add the .kdb extension; this is completed for you automatically. Placing this in a different directory may be causing some of the issues.

Hope the above helps
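A pre-flight check for the three points in the reply above (which mqclient.ini the client would find, MQCLNTCF being a file rather than a directory, and MQSSLKEYR being given without its .kdb extension), written here as an added example; it is not part of this thread or of the mq-helm project. The stanza parser is a minimal reading of the MQ ini layout, the search order covers only the two steps the reply cites (MQCLNTCF, then the working directory), the CHANNEL default for OutboundSNI is assumed from the MQ client documentation, and the sample ini is constructed from the one quoted in the thread.

```python
from pathlib import Path

# Constructed sample: the mqclient.ini quoted in the thread, in MQ's stanza layout.
SAMPLE_INI = """#* Notes :                                            *#
#* 1) This file defines the configuration of a client *#
SSL:
   OutboundSNI=HOSTNAME
"""

def parse_mq_ini(text):
    """Parse MQ's stanza-style ini ('Stanza:' line, then indented Key=Value lines)."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # '#' starts a comment
        if not line:
            continue
        if line.endswith(":") and "=" not in line:  # stanza header, e.g. 'SSL:'
            current = line[:-1]
            stanzas.setdefault(current, {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            stanzas[current][key.strip()] = value.strip()
    return stanzas

def outbound_sni(stanzas):
    """Assumed default: without OutboundSNI in the SSL stanza the client sends the channel-derived SNI."""
    return stanzas.get("SSL", {}).get("OutboundSNI", "CHANNEL").upper()

def locate_mqclient_ini(env, cwd):
    """Mirror the first two search steps cited above: MQCLNTCF, then the working directory."""
    clntcf = env.get("MQCLNTCF")
    if clntcf:
        p = Path(clntcf)
        if p.is_dir():                                # the misconfiguration seen in the thread
            return None, f"MQCLNTCF points at a directory, not a file: {p}"
        return (p, "MQCLNTCF") if p.is_file() else (None, f"MQCLNTCF file missing: {p}")
    cwd_ini = Path(cwd) / "mqclient.ini"
    if cwd_ini.is_file():
        return cwd_ini, "present working directory"
    return None, "no mqclient.ini via MQCLNTCF or the working directory"

def check_sslkeyr(value):
    """MQSSLKEYR is the key-store stem; the client appends '.kdb' itself."""
    problems = []
    if value.endswith(".kdb"):
        problems.append("MQSSLKEYR must not end in .kdb")
    if not Path(value + ".kdb").is_file():
        problems.append(f"key database not found: {value}.kdb")
    return problems
```

Run `locate_mqclient_ini(os.environ, os.getcwd())` and `check_sslkeyr(os.environ["MQSSLKEYR"])` from the directory where sendMessage.sh is invoked to see what the client will actually resolve.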

andrescolodrero commented 1 year ago

I think the problem I'm having is with my own network and certificate inspection. So let me understand what certs I need and how to use them:

  1. Internal CA, so I can communicate with LDAP (added to /etc/pki/trust).
  2. Native HA certificate: server.key and server.crt.
  3. Certificate for the web route (issued by our internal PKI), example: web.mqdev-ibm-mq-qm-mqdev.apps
  4. Certificate for the qm route: qm.mqdev-ibm-mq-qm-mqdev.apps
  5. App certificate, which should be issued by our internal PKI, I guess.

Can I just add all those certs like this?

pki: keys:

Note: the Route for the "web console" is taking the cert "tls.crt", which is issued for the example "mq queuemanager".

callumpjackson commented 1 year ago

If I'm understanding correctly you want different certificates for:

If I understand correctly, then that configuration will not do what you hope. Also did you get the basics working? This appears to be a slightly different issue than originally mentioned.

andrescolodrero commented 1 year ago

We can close this; I believe the problems connecting via TLS are due to proxy/certificate inspection. The rest works fine on my setup using the helm chart (LDAP, internal native HA, etc.).

Anyhow, some documentation or steps to perform this would be appreciated, but I will post on the MQ dedicated forum.