MQRC_KEY_REPOSITORY_ERROR [2381]

[villabachris]

Hello,

We use ibmmq in nodejs and we face an issue of MQRC_KEY_REPOSITORY_ERROR [2381] we follow the sample of amqsconntls.js

the error was: [error]: Failed to connect to MQ CONNX: MQCC = MQCC_FAILED [2] MQRC = MQRC_KEY_REPOSITORY_ERROR [2381] [error]: Error in MQ operation CONNX: MQCC = MQCC_FAILED [2] MQRC = MQRC_KEY_REPOSITORY_ERROR [2381]

Here's the code: `const mq = require('ibmmq');

const cno = new mq.MQCNO(); // Connection options const cd = new mq.MQCD(); // Connection descriptor const sco = new mq.MQSCO(); // SSL options const csp = new mq.MQCSP(); // Security parameters

csp.UserId = 'userID'; // Set your user ID csp.Password = 'password'; cno.SecurityParms = csp;

cno.Options |= mq.MQCNO_CLIENT_BINDING;

cd.ChannelName = mqDetails.Channel; // Specify the channel name cd.ConnectionName = ${mqDetails.HOST}(${mqDetails.port}); // Hostname and port cd.SSLCipherSpec = 'TLS_RSA_WITH_AES_256_GCM_SHA384';

cno.ClientConn = cd; // Set the client connection options

sco.KeyRepository = './mqCert'; cno.SSLConfig = sco;

mq.Connx('QDTSQ00', cno, (err, conn) => { if (err) { console.error('Connection failed:', err); } else { console.log('Connected successfully!'); mq.Disc(conn, (err) => { if (err) console.error('Error disconnecting:', err); }); } });`

and the ./mqCerts path contains .kdb, .sth, and .rdb /mqCerts ---cdpass.kdb ---cdpass.sth ---cdpassrdb

Do I miss something in my code or in my key repository?

Thanks in Advance!

[villabachris]

here's the error in AMQERR01.LOG

10/28/24 09:41:29 - Process(32.1) User(1002500000) Program(node) Host(cdp-ingestion-web-service-1-9k8f9) Installation(MQNI94L24060501P) VRMF(9.4.0.0) Time(2024-10-28T01:41:29.157Z) ArithInsert1(408) CommentInsert1(QDTSQ00.CL.CDPAASOCP) CommentInsert2(gsk_environment_init)

AMQ9660E: SSL key repository: password incorrect or, stash file absent or unusable.

EXPLANATION: The SSL key repository cannot be used as MQ is unable to access it. Reasons giving rise to this error include: (a) the key repository is not present in the location specified or the userid under which MQ is running does not have permission to read it, (b) the key repository password set in MQ is incorrect (c) If using a stash file, it is not present in the location configured for the key repository or the userid under which MQ is running does not have permission to read it, (d) one or both of the files are corrupt.

The channel is 'QDTSQ00.CL.CDPAASOCP'; in some cases its name cannot be determined and so is shown as '????'. The channel did not start. ACTION: Ensure that the key repository variable is set to where the key database file is.

Supplying both a key repository password and stash file is not recommended. If both are supplied the key repository password takes precedence. If supplying a key repository password, ensure that it is correct. If using a password stash file, ensure that a password stash file has been associated with the key database file in the same directory, and that the userid under which MQ is running has read access to both files.

If none of the actions above resolve the issue, it is possible that the key repository file has become corrupted. Try recreating it. If using a stash file then recreate it too. Restart the channel. ----- amqccisa.c : 8488 -------------------------------------------------------

[ibmmqmet]

You appear to be pointing at a directory, not the actual keystore. It should be something like

sco.KeyRepository = './mqCerts/cdpass';

[villabachris]

I already tried that but I got the same error.

[chughts]

What is the client platform / OS ?

[villabachris]

its linux, deployed via Red Hat Openshift

[villabachris]

this was the updated code and got the same error `const mq = require('ibmmq');

const cno = new mq.MQCNO(); // Connection options const cd = new mq.MQCD(); // Connection descriptor const sco = new mq.MQSCO(); // SSL options const csp = new mq.MQCSP(); // Security parameters

csp.UserId = 'cdp_mq'; // Set your user ID csp.Password = '3Kr7As3NEHC6'; cno.SecurityParms = csp;

cno.Options |= mq.MQCNO_CLIENT_BINDING;

cd.ChannelName = 'QDTSQ00.CL.CDPAASOCP'; // Specify the channel name cd.ConnectionName = 'mqd00.sq.com.sg(1416)'; // Hostname and port cd.SSLCipherSpec = 'TLS_RSA_WITH_AES_256_GCM_SHA384'; cd.SSLClientAuth = mq.MQSCA_OPTIONAL;

cno.ClientConn = cd; // Set the client connection options

sco.KeyRepository = './mqCerts/cdpass'; cno.SSLConfig = sco;

mq.Connx('QDTSQ00', cno, (err, conn) => { if (err) { console.error('Connection failed:', err); } else { console.log('Connected successfully!'); mq.Disc(conn, (err) => { if (err) console.error('Error disconnecting:', err); }); } });`

Is the Certificate not valid?

[villabachris]

I am still encountering the error. I hope you could help me on this. Thank you.

[chughts]

If you are getting the same error regardless of setting:

sco.KeyRepository = './mqCerts/cdpass';

or

sco.KeyRepository = './mqCerts';

then you are likely facing the same error. As the error suggests:

AMQ9660E: SSL key repository: password incorrect or, stash file absent or
unusable.

It's not able to find / process the key repository. This could be because:

• The relative path is wrong. The path should be relative to the path you run Node.js from, not where your node module is. ie. if you are running node ./some_source_dir/myapp and the certificate store / stash is in ./some_source_dir/mqCerts, then the setting should be sco.KeyRepository = './some_source_dir/mqCerts/cdpass';
• The keystore isn't being deployed, so is missing. You could check by running and logging some fs commands to check if the directory / files are there.
• The keystore hasn't been created correctly.

If access to the Queue Manager is reachable from your development machine, I recommend you run the app from your development machine. That way you can verify that if the store / stash is present, in the right place, and correctly created, the application works. If it does then the deployment step is somehow breaking the application.

[villabachris]

the path is correctly point the files

[chughts]

Are you able to list the certificates in the keystone?

runmqakm -cert -list -db <keyfile.kdb> -pw <password>

If that works, then you are down to

 If using a stash file, it is not present in the location configured for the
key repository or the userid under which MQ is running does not have
permission to read it,

In which case, does the app work when run on your development machine?

[villabachris]

the command is not supported

[chughts]

How did you create them?

[villabachris]

we have an admin in our org that create the .kdb file . The origin of the kdb file is from a jks file that convert into kdb.

[villabachris]

I tried this in the deployed machine `node -e " const mq = require('ibmmq'); const fs = require('fs').promises;

async function readDirectory(path) { try { const files = await fs.readdir(path); console.log('Directory contents:', files); } catch (err) { console.error('Error reading directory:', err); } }

readDirectory('app/etc/ssl'); const cno = new mq.MQCNO(); // Connection options const cd = new mq.MQCD(); // Connection descriptor const sco = new mq.MQSCO(); // SSL options const csp = new mq.MQCSP(); // Security parameters

csp.UserId = 'cdp_mq'; // Set your user ID csp.Password = '3Kr7As3NEHC6'; cno.SecurityParms = csp;

cno.Options |= mq.MQCNO_CLIENT_BINDING;

cd.ChannelName = 'QDTSQ00.CL.CDPAASOCP'; // Specify the channel name cd.ConnectionName = 'mqd00.sq.com.sg(1416)'; // Hostname and port cd.SSLCipherSpec = 'TLS_RSA_WITH_AES_256_GCM_SHA384';

cno.ClientConn = cd; // Set the client connection options

sco.KeyRepository = 'app/etc/ssl/cdpass'; cno.SSLConfig = sco;

mq.Connx('QDTSQ00', cno, (err, conn) => { if (err) { console.error('Connection failed:', err); } else { console.log('Connected successfully!'); mq.Disc(conn, (err) => { if (err) console.error('Error disconnecting:', err); }); } }); "` that include the reading of keystore directory and I got the same error

[chughts]

What are the posix permissions for the keystore and stash files?

I have

-rw-r--r--

[villabachris]

here is the permissions

[chughts]

Some observations:

• The path is app/etc/ssl not mqCerts/cdpass
• The posix settings are ok, though over generous.
• Odd to see default/root as a user / group.
• The stash file size looks ok, but the kdb looks about 1k shy of what it should be.

Could you ask your admin to run

runmqakm -cert -list -db <keyfile.kdb> -pw <password>

or an equivalent command that lists the certificates pointing at the kdb, and requiring a stash password.

[chughts]

The openssl equivalent is

openssl pkcs12 -info -in keystore_file

[ibmmqmet]

Your application code refers to cdpass and the files shown in the ls -l output are called cdpaas

[villabachris]

Some observations:

• The path is app/etc/ssl not mqCerts/cdpass
• The posix settings are ok, though over generous.
• Odd to see default/root as a user / group.
• The stash file size looks ok, but the kdb looks about 1k shy of what it should be.

Could you ask your admin to run

runmqakm -cert -list -db <keyfile.kdb> -pw <password>

or an equivalent command that lists the certificates pointing at the kdb, and requiring a stash password.

sorry for the confusion on here. I moved the certificates in app/etc/ssl

[chughts]

I think @ibmmqmet has it - change your code to

sco.KeyRepository = './mqCerts/cdpaas';

🤦 Should have spotted that with your fs logs.

[villabachris]

is there a difference when the files are moved to another directory? Because in that case, I stored the certificate in the configmap whic is the app/etc/ssl.

[villabachris]

here it now the details of kdb file

MAC: sha1, Iteration 1024 MAC length: 20, salt length: 8 PKCS7 Encrypted data: pbeWithSHA1And3-KeyTripleDES-CBC, Iteration 1024 Certificate bag Bag Attributes friendlyName: cemjboss7-1point-ams.sq.com.sg localKeyID: 03 82 01 01 00 6C 75 51 E6 A8 39 B7 06 13 D8 5E 98 D2 92 1A 4D 65 9A 52 40 AA 19 3C 73 BD 04 13 75 98 2A 38 A4 D8 F4 B6 55 DF A6 CA 7B C3 90 98 AE 6C A6 D5 7C 40 A0 F9 16 8E 0B CE 9E 80 8F 42 DA DD 61 AB 44 3C 3B 2E 9D B5 C8 CA 36 06 78 60 98 FD 03 3B 8C 77 1E E3 A1 C5 36 DF C6 4A 4E 49 29 99 74 42 6B B9 19 37 44 27 C9 58 A6 5A 01 36 BC FA 2B 8D EF 04 A1 08 E5 13 CC 96 0A 55 FD C3 77 CC F9 2D 93 98 B9 4F B5 73 87 B2 BF 4A 9E C5 95 CB 64 08 78 D1 C8 A9 12 E3 3F C5 D2 C5 CF 79 A2 0B 37 EE DF AE 81 65 4C D8 CC AF F6 E1 CC 66 F3 69 20 0F 3A 91 F1 90 67 50 2A 34 E5 35 5A E2 43 40 AC FD 75 BD 1C 4E CC F4 1F 8E 44 3F 4B 03 52 7F E1 C7 ED CA 83 7B 62 3F 28 33 4C 9A 6D 30 91 21 D3 5D 26 48 AD B2 D7 2F 61 68 6A E2 D1 35 AD D6 4E B7 FE 05 7C 49 A3 B9 60 F1 39 20 42 C5 BE 81 59 8F 65 2.16.840.1.113894.746875.1.1: <Unsupported tag 6> subject=CN = cemjboss7-1point-ams.sq.com.sg issuer=C = SG, O = Singapore Airlines Limited, OU = ITD, ST = Singapore, CN = sq.com.sg, L = Singapore -----BEGIN CERTIFICATE----- MIIEOjCCAyKgAwIBAgIQTfnZkJN4oHn9jdUXmvUC3jANBgkqhkiG9w0BAQsFADB8 MQswCQYDVQQGEwJTRzEjMCEGA1UECgwaU2luZ2Fwb3JlIEFpcmxpbmVzIExpbWl0 ZWQxDDAKBgNVBAsMA0lURDESMBAGA1UECAwJU2luZ2Fwb3JlMRIwEAYDVQQDDAlz cS5jb20uc2cxEjAQBgNVBAcMCVNpbmdhcG9yZTAeFw0yNDA3MTUwNTAyNDdaFw0y NTA4MTQwNjAyNDdaMCkxJzAlBgNVBAMMHmNlbWpib3NzNy0xcG9pbnQtYW1zLnNx LmNvbS5zZzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALqZNSSUwuRA d/Z4YK1DNjO6l7uVDz78Ib4DhcL9OJHthH07sbhU9yWIG3F6kIupU5s8mYKsOOrI ufnz40J7MGMynxqa7Uz/SRQgbn5Y83i2jhWbyuG2ICN8LXE0e5e+6UUQm5qL9mRu MpO63Md2VpzV+lVFYOVFATOhhbnLz2XAUxuISIe8W58uUM4dxjd1z4yAzn3j4XUw qPqhDPVpng0ydoY9H/dbjjveZZtiXpp4lX8cx4t0cXDH6EbN/lnV7gUAfzl91VCM QSQL2vsVq6AMlaker6A2E6qh3pynXi/ajcsGP/VTybJjKj3ZvxbroFHcqPl5QnjN J8TS68aMEIECAwEAAaOCAQkwggEFMCkGA1UdEQQiMCCCHmNlbWpib3NzNy0xcG9p bnQtYW1zLnNxLmNvbS5zZzAJBgNVHRMEAjAAMB8GA1UdIwQYMBaAFDMhcvxeWlBz nLBK2alEXoll6l5KMB0GA1UdDgQWBBS98tuxfIGYRgfnEV6OYV9fIDmS1zAOBgNV HQ8BAf8EBAMCBaAwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMF4GA1Ud HwRXMFUwU6BRoE+GTWh0dHA6Ly9hY21wY2EtY2VydHMuYzAuc3EuY29tLnNnL2Ny bC84M2UyZmFkMy1jYWE0LTRhMjItOTYwMC0zN2Q4NmRiMDA5MTAuY3JsMA0GCSqG SIb3DQEBCwUAA4IBAQBsdVHmqDm3BhPYXpjSkhpNZZpSQKoZPHO9BBN1mCo4pNj0 tlXfpsp7w5CYrmym1XxAoPkWjgvOnoCPQtrdYatEPDsunbXIyjYGeGCY/QM7jHce 46HFNt/GSk5JKZl0Qmu5GTdEJ8lYploBNrz6K43vBKEI5RPMlgpV/cN3zPktk5i5 T7Vzh7K/Sp7FlctkCHjRyKkS4z/F0sXPeaILN+7froFlTNjMr/bhzGbzaSAPOpHx kGdQKjTlNVriQ0Cs/XW9HE7M9B+ORD9LA1J/4cftyoN7Yj8oM0yabTCRIdNdJkit stcvYWhq4tE1rdZOt/4FfEmjuWDxOSBCxb6BWY9l -----END CERTIFICATE----- Certificate bag Bag Attributes friendlyName: mykey localKeyID: 03 82 01 01 00 65 9E 7C B5 17 43 57 83 76 78 56 42 E5 94 A1 2A 28 1B C1 08 75 E9 64 8B 0B 31 15 77 82 7E 80 04 C9 FE 18 76 D4 8D 63 5E E9 66 30 84 54 96 2D B0 D5 04 CC C1 2F F0 0C 8D F8 A2 FD 3E 0D 80 63 C2 1B AB 3E FB 1F D3 32 4A 02 86 85 A9 22 D8 A4 50 FB 43 0F 3A 79 05 D6 A9 59 4B 73 0A B1 C2 06 AC 3D BC C1 0D 39 CE 86 75 0B 2F B8 D6 CE AA 12 99 81 40 E1 39 FE EB 8A 98 79 5D 6A AC 3B F9 ED 5D E6 60 52 04 B6 2A BC A5 49 5E CF C7 3A AD 64 55 30 AE DC 26 02 7E 77 D5 C1 AD 6E 80 F5 6A 67 25 74 AD AA 4D 35 39 A0 C4 1B BA 55 57 71 0A 11 56 23 6E DE EC E7 88 3A 0D E3 50 E9 66 17 49 A2 5F 66 68 70 C0 A9 72 A9 5D D2 C2 DD E1 D1 DE 82 1D B9 84 79 C3 00 97 2F EB A9 C7 01 3C A0 2B 17 EC 71 E8 45 37 16 4B 14 D2 86 A3 1B C4 DB 32 5E F8 5C 49 F4 17 31 E3 D7 E6 26 AA 8D 8A 3A 0B 03 EB 2.16.840.1.113894.746875.1.1: <Unsupported tag 6> subject=C = SG, O = Singapore Airlines Limited, OU = ITD, ST = Singapore, CN = sq.com.sg, L = Singapore issuer=C = SG, O = Singapore Airlines Limited, OU = ITD, ST = Singapore, CN = sq.com.sg, L = Singapore -----BEGIN CERTIFICATE----- MIIESzCCAzOgAwIBAgIRAJoj2hCKtBK4r7PZ9xlLlKEwDQYJKoZIhvcNAQELBQAw fDELMAkGA1UEBhMCU0cxIzAhBgNVBAoMGlNpbmdhcG9yZSBBaXJsaW5lcyBMaW1p dGVkMQwwCgYDVQQLDANJVEQxEjAQBgNVBAgMCVNpbmdhcG9yZTESMBAGA1UEAwwJ c3EuY29tLnNnMRIwEAYDVQQHDAlTaW5nYXBvcmUwHhcNMjQwNDI1MDIzNDMwWhcN MzAwNjIzMDMzNDMwWjB8MQswCQYDVQQGEwJTRzEjMCEGA1UECgwaU2luZ2Fwb3Jl IEFpcmxpbmVzIExpbWl0ZWQxDDAKBgNVBAsMA0lURDESMBAGA1UECAwJU2luZ2Fw b3JlMRIwEAYDVQQDDAlzcS5jb20uc2cxEjAQBgNVBAcMCVNpbmdhcG9yZTCCASIw DQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKhIvAxs7qtAO8ETLzB5bIhBok9N QSxevHmEV3dHixBaJ3pM6miGH2A/xz8wilwG63bdSZMgjH0Fn4GjfC4MqBi8oOzx XLG6ER5O8Nc77a6C7L5EkrypIm3p18DF6d66NB4Q7io/ELtbieLub5rK/OvW6Hxt 8dPZ8v0qN7hTH2jl8wZ19lGm92ior/JD4uhnM8xqhMZ6Z7qpNtEK89hZjCrzd6yQ Nw4owFqRA/cqrX3SvXKCI++45/IjHABK9MzkcaHsCGuyUCPI6xyQBpQLPygQhMG5 xm9q4geyotI0lrWeQhuL0flOYwZ6NSalKB7AUq6ceV9jcdef+3btsi3coakCAwEA AaOBxzCBxDASBgNVHRMBAf8ECDAGAQH/AgEAMB8GA1UdIwQYMBaAFOvRmdZTq1UQ ZxX94l9OpyMQpDPnMB0GA1UdDgQWBBQzIXL8XlpQc5ywStmpRF6JZepeSjAOBgNV HQ8BAf8EBAMCAYYwXgYDVR0fBFcwVTBToFGgT4ZNaHR0cDovL2FjbXBjYS1jZXJ0 cy5jMC5zcS5jb20uc2cvY3JsLzBlZTlkYjQ1LWZkYzgtNDg2MS1iNzJlLWJkOTA5 MjU2NzBkNi5jcmwwDQYJKoZIhvcNAQELBQADggEBAGWefLUXQ1eDdnhWQuWUoSoo G8EIdelkiwsxFXeCfoAEyf4YdtSNY17pZjCEVJYtsNUEzMEv8AyN+KL9Pg2AY8Ib qz77H9MySgKGhaki2KRQ+0MPOnkF1qlZS3MKscIGrD28wQ05zoZ1Cy+41s6qEpmB QOE5/uuKmHldaqw7+e1d5mBSBLYqvKVJXs/HOq1kVTCu3CYCfnfVwa1ugPVqZyV0 rapNNTmgxBu6VVdxChFWI27e7OeIOg3jUOlmF0miX2ZocMCpcqld0sLd4dHegh25 hHnDAJcv66nHATygKxfscehFNxZLFNKGoxvE2zJe+FxJ9Bcx49fmJqqNijoLA+s= -----END CERTIFICATE-----

[chughts]

The store / stash looks ok, but please remove your last post from this thread.

The reason you are getting the error, is that you have a typo in your code, and the mistyped store / stash doesn't exist.

You have

sco.KeyRepository = './mqCerts/cdpass';

but it should be

sco.KeyRepository = './mqCerts/cdpaas';

[villabachris]

sorry for the typo mistake. I got this error now 10/30/24 00:06:19 - Process(72.1) User(1011410000) Program(node) Host(cdp-ingestion-web-service-1-vbc56) Installation(MQNI94L24060501P) VRMF(9.4.0.0) Time(2024-10-29T16:06:19.517Z) RemoteHost(192.168.134.47) ArithInsert1(414) ArithInsert2(575010) CommentInsert1(QDTSQ00.CL.CDPAASOCP) CommentInsert2([Class=]GSKVALMethod::X509[Issuer=]L=Singapore,CN=sq.com.sg,ST=Singapore,OU=ITD,O=Singapore Airlines Limited,C=SG[#=]00c801a90cd150f6cb33dc2af06d0957e2[Subject=]CN=qdtsq00.sq.com.sg[Class=]GSKVALMethod::PKIX[Issuer=]L=Singapore,CN=sq.com.sg,ST=Singapore,O) CommentInsert3(mqd00 (192.168.134.47)(1416))

AMQ9633E: Bad SSL certificate for channel 'QDTSQ00.CL.CDPAASOCP'.

EXPLANATION: A certificate encountered during SSL handshaking is regarded as bad for one of the following reasons: (a) it was formatted incorrectly and could not be validated (b) it was formatted correctly but failed validation against the Certification Authority (CA) root and other certificates held on the local system (c) it was found in a Certification Revocation List (CRL) on an LDAP server (d) a CRL was specified but the CRL could not be found on the LDAP server (e) an OCSP responder has indicated that it is revoked (f) The keysize of the certificate is too small for the configured limit. (MinimumRSAKeySize)

The channel is 'QDTSQ00.CL.CDPAASOCP'; in some cases its name cannot be determined and so is shown as '????'. The remote host is 'mqd00 (192.168.134.47)(1416)'. The channel did not start.

The details of the certificate which could not be validated are '[Class=]GSKVALMethod::X509[Issuer=]L=Singapore,CN=sq.com.sg,ST=Singapore,OU=ITD,O=Singapore Airlines Limited,C=SG[#=]00c801a90cd150f6cb33dc2af06d0957e2[Subject=]CN=qdtsq00.sq.com.sg[Class=]GSKVALMethod::PKIX[Issuer=]L=Singapore,CN=sq.com.sg,ST=Singapore,O'.

The certificate validation error was 575010. ACTION: Check which of the possible causes applies on your system. Correct the error, and restart the channel.

This error might indicate that the remote end of the channel is configured to send the wrong certificate. Check the certificate label configuration at the remote end of the channel and ensure that the local key repository contains all of the necessary CA certificates. ----- amqccisa.c : 10245 ------------------------------------------------------

[chughts]

The code is now finding the key store and stash, but with the error

AMQ9633E: Bad SSL certificate for channel 'QDTSQ00.CL.CDPAASOCP'.

something isn't right with the certificate that is in the store. My guess based on https://colinpaice.blog/amq9633e-bad-ssl-certificate-for-channel/

is that the issuer of the servers certificate isn't trusted, because it isn't in the client keystone, most probably because it is self signed. That, however, is only my guess.

To figure out what the issue is, you will need to widen the scope of experts to ask. Best place to ask this question is the MQ Community discussion forum -

https://community.ibm.com/community/user/integration/communities/community-home/digestviewer?communitykey=183ec850-4947-49c8-9a2e-8e7c7fc46c64