MQ - AMQ9637: Channel is lacking a certificate
DaveHay 100000GC6F Comments (5) Visits (28880)
In the context of configuring encrypted connections between WebSphere / IBM MQ and WebSphere Application Server, I'm currently building a scripted process to set up the infrastructure end-to-end, which I'm testing on a VM. For the record, I'm using IBM MQ 18.104.22.168 and WebSphere Application Server (WAS) 22.214.171.124.
Whilst I've not yet completed my build, I did hit an issue yesterday that caught me out for a wee while. Specifically, I've configured a Channel within MQ that is encrypted using Transport Layer Security (TLS) v1.2 using a specific cipher - TLS_
and here's the code that I used to configure the Queue Manager to use a keystore:
Finally, I needed to create a self-signed certificate, which (I thought) was nice and easy:
runmqckm -keydb -create -db $MQKS/$MQKDB.kdb -pw $MQKSPASSWORD -stash
So far, so good. I then needed to configure WAS to connect to MQ, so I started by attempting to retrieve the Signer Certificate from MQ, by connecting to port 1420. To start with, I needed to create a SSL Configuration and configure a Dynamic Outbound Endpoint SSL Configuration. This is required to ensure that WAS only connects to the target MQ box using TLS 1.2 and a specific TLS cipher. Here's the snippet of Jython code that I used:
Having created the SSL Configuration and the Dynamic Outbound Endpoint SSL Configuration, I then proceeded to retrieve the MQ certificate from port 1420:
At this point, I hit an issue. Instead of a happy message, I saw:
More importantly, this is what I saw in the Queue Manager's log:
----- amqrmrsa.c : 930 ----
The remote host is '????'.
The channel did not start.
As ever, search came to my rescue with these IBM Technotes:
To paraphrase the first Technote:
The label name for the personal certificate must be in the form of ibmw
and, from the second Technote:
The personal certificate label name must be folded to lower case including the queue manager name.
Yes, you've guessed it. I hadn't explicitly labeled my certificate in the correct format, when I first created it. Instead, I'd used a label of bpm856.uk.ibm.com which is the host upon which MQ is running. So this is what I had:
whereas what I should have used is:
The first variable assignment uses a Bash function to take the Queue Manager name (TESTQM) and turn it into lower case, then appending it to the string ibmwebspheremq. Once I removed the old certificate:
runmqckm -cert -delete -db /var
and recreated it:
runmqckm -cert -create -db $MQKS/$MQKDB.kdb -pw $MQKSPASSWORD -expire $KDBEXPIRE -dn $MQDNAME -label $LABEL
I was able to happily retrieve MQ's signer certificate into the WAS cell-default trust store:
'Signer Certificate Successfully added to keyStore.'
so that I could save/sync:
Right, time to go and create the rest of the WAS configuration, including a JMS Queue, a JMS Activation Specification and a Message Driven Bean...