Facing SSL_INITIALIZATION_ERROR when updating Key Repository and creating connection with updated Key Repository for each new account

[prashanthmadduri]

Please include the following information in your ticket.

• mq-mqi-nodejs version(s): ibmmq@0.9.17

• Below is the scenario for error:

  1. Creating key repository.
  2. Importing root CA certificate as suggested here
  3. Adding the key repository created above in the application.
  4. Now for every new connection to queue a. Take user personal certificate and import it into key repository using below command gsk8capicmd_64 -cert -import -target key.kdb -db <<path to personal certficate>> -target_type cms -type pkcs12 -label <<label>> -target_pw <<key repo password>> -pw <<cert password>> b. Create connection to queue of Queue Manager named OM_QMGR c. Store the connection for future use for same user account

  We are getting SSL_INITIALIZATION_ERROR between two connections when HOST is different and remaining all other connection parameters like PORT, CHANNEL, QMGR, CIPHER are same.

• A small code sample that demonstrates the issue.

  
  // And then fill in relevant fields for the MQCD
  let cd = new mq.MQCD();
  
  cd.ConnectionName = `${MQDetails.HOST}(${MQDetails.PORT})`;
  cd.ChannelName = MQDetails.CHANNEL;
  debug_info('Connection is ', cd.ConnectionName);
  console.log('Connection is ', cd.ConnectionName);
  
  if (MQDetails.KEY_REPOSITORY) {
    debug_info('Will be running in TLS Mode');
    console.log('Will be running in TLS Mode');
  
    cd.SSLCipherSpec = MQDetails.CIPHER;
    //cd.SSLClientAuth = MQC.MQSCA_OPTIONAL;
    cd.SSLClientAuth=MQC.MQSCA_REQUIRED;
  }
  
  // Make the MQCNO refer to the MQCD
  cno.ClientConn = cd;

---

if (MQDetails.KEY_REPOSITORY) { debug_info('SCO object to locate key repository for TLS'); console.log('SCO object to locate key repository for TLS'); // For TLS let sco = new mq.MQSCO();

sco.KeyRepository = MQDetails.KEY_REPOSITORY;
sco.CertificateLabel = {{$Certificate Label}};

// And make the CNO refer to the SSL Connection Options
cno.SSLConfig = sco;

}

//below is the connection creation mq.Connx(MQDetails.QMGR, cno, function(err, hConn) { if (err) { debug_warn('Error Detected making Connection', err); } else { debug_info("MQCONN to %s successful ", MQDetails.QMGR); } });

Below is the error we are getting:

{"message":"CONNX: MQCC = MQCC_FAILED [2] MQRC = MQRC_SSL_INITIALIZATION_ERROR [2393]","stack":"MQError: CONNX: MQCC = MQCC_FAILED [2] MQRC = MQRC_SSL_INITIALIZATION_ERROR [2393]\n at /root/node_modules/ibmmq/lib/mqi.js:776:17\n at Object. (/root/node_modules/ffi-napi/lib/_foreign_function.js:115:9)","name":"MQError","mqcc":2,"mqccstr":"MQCC_FAILED","mqrc":2393,"mqrcstr":"MQRC_SSL_INITIALIZATION_ERROR","version":"0.9.17","verb":"CONNX"}

[ibmmqmet]

See the MQ documentation about this return code. The underlying MQ client layer (and the TLS package underpinning that) has a process-wide TLS stack. Once initialised, the keystore configuration cannot be changed until all existing connections have been ended.

There's unfortunately nothing that can be done at the level of this package's NodeJS wrapper to override that.

An RFE was recently raised that asks for changes in this area but I am not optimistic that it would be implemented any time soon.

[ibmmqmet]

Closing this as it's not something that can be dealt with in this package.