I've been playing with the MQ Web (MQWEB) console on z/OS in MQ901 and had a few problems getting digital certificates to work.
Below are the definitions I used, and some hints on getting it working.
The MQ Console is a web based tool for administering queue managers. It runs in a version of WebSphere Liberty Profile that is shipped with MQ.
I created a file ssl.xml to hold the configuration and put <include location="ssl.xml" optional="true"/> in the mqwebuser.xml file.
The ssl.xml file has
<?xml version="1.0" encoding="UTF-8"?>
The mqDefaultSSLConfig and defaultKeyStore entries have to match up with each other.
The keyring is SCENSTC.RING for userid SCENSTC.
The certificate sent to the web clients is the one identified by serverKeyAlias="MVSCA".
I set up SSL port 9444 (the default)
<httpEndpoint id="defaultHttpEndpoint" host="WINMVSCA" httpsPort="9444">
Create the certificates
The MQ Console was running on domain 'winmvsca.Hursley.ibm.com', which is specified in the ALTNAME below.
For the certificate with label MVSCA
RACDCERT ID(SCENSTC) GENCERT -
SUBJECTSDN(CN('....') O('CONSOLE') -
NOTBEFORE( DATE(2017-01-01) ) -
NOTAFTER( DATE(2018-12-22) ) -
SIGNWITH(CERTAUTH LABEL('....') )-
KEYUSAGE(HANDSHAKE DATAENCRYPT DOCSIGN) -
For my end user certificate (downloaded to my Red Hat machine)
RACDCERT ID(SCENSTC) GENCERT -
SUBJECTSDN(CN('CONSOLEID') O('CONSOLE3') C('GB')) -
SIGNWITH(CERTAUTH LABEL('SCENCA')) -
KEYUSAGE(HANDSHAKE DATAENCRYPT DOCSIGN)
RACDCERT ID(SCENSTC) EXPORT(LABEL('CONSOLE3') -
This puts the certificate in the data set PAICE.CERT.OUT. If you browse it you will see it is binary.
I used FTP in binary mode to download PAICE.CERT.OUT as paice.p12
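The export has to arrive on the workstation byte for byte, which is why the FTP has to be in binary mode. As an added example (not from the original post) here is a small check that a downloaded export file is still a well formed DER file: RACDCERT EXPORT writes DER, and a DER file starts with an ASN.1 SEQUENCE whose encoded length has to account for the whole file. An ASCII mode transfer (EBCDIC to ASCII translation) or a truncated download breaks that. The sample bytes and the simulated translation below are constructed, not a real export.

```python
# Added example, not from the original post: sanity-check that a downloaded
# RACDCERT EXPORT (DER encoded PKCS#12) survived the transfer intact.
# The sample bytes and the ASCII-mode simulation are constructed.


def der_outer_tlv(data):
    """Return (header_len, content_len) of the outermost DER SEQUENCE, or None.

    DER length encoding: a single byte below 0x80 is the length itself;
    otherwise its low seven bits say how many following bytes hold a
    big-endian length.
    """
    if len(data) < 2 or data[0] != 0x30:            # 0x30 = SEQUENCE tag
        return None
    first = data[1]
    if first < 0x80:
        return 2, first
    n = first & 0x7F
    if n == 0 or n > 4 or len(data) < 2 + n:         # indefinite/oversized forms are not DER
        return None
    return 2 + n, int.from_bytes(data[2:2 + n], "big")


def looks_like_intact_pkcs12(data):
    """True when the outer SEQUENCE header exactly spans the file."""
    tlv = der_outer_tlv(data)
    return tlv is not None and sum(tlv) == len(data)


def check_file(path):
    """Run the check on a downloaded file such as paice.p12."""
    with open(path, "rb") as f:
        return looks_like_intact_pkcs12(f.read())


def simulate_ascii_mode_transfer(data):
    """Mimic an ASCII-mode FTP from z/OS: every byte is treated as EBCDIC
    (cp037) and translated to its Latin-1 equivalent (constructed simulation)."""
    return data.decode("cp037", "replace").encode("latin-1", "replace")


# Constructed DER samples: SEQUENCE { INTEGER 65537 } in short form, and a
# long-form SEQUENCE carrying 256 bytes of content (the shape a real .p12 has).
SHORT_FORM = bytes.fromhex("3005 0203 010001")
LONG_FORM = bytes.fromhex("30820100") + bytes(256)

if __name__ == "__main__":
    print("short form intact:", looks_like_intact_pkcs12(SHORT_FORM))
    print("long form intact:", looks_like_intact_pkcs12(LONG_FORM))
    print("after ASCII-mode transfer:", looks_like_intact_pkcs12(simulate_ascii_mode_transfer(LONG_FORM)))
    print("truncated download:", looks_like_intact_pkcs12(SHORT_FORM[:-1]))
```

The check only looks at the outer header, so it cannot tell you the password is right or the key usable, but it is a quick way to tell "the browser rejected my certificate" apart from "the file never arrived intact".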
In Chrome settings I used
search settings -> ssl
Clicked on Manage certificates
Clicked on Your certificates, then Import, and used the file just downloaded.
Entered the password specified in the EXPORT statement above (MYPASSWORD).
The certificate is listed under org-... taken from the O() in the GENCERT statement; in my case under CONSOLE3.
When I connected Chrome to https://winmvsca.hursley.ibm.com:9444/ibmmq/console I got
which is my web browser's certificate (which originated from z/OS). This was expected.
During my testing I got
Your connection is not private
Attackers might be trying to steal your information from winmvsca.hursley.ibm.com (for example, passwords, messages, or credit cards).
and on Firefox I got
Your connection is not secure
The owner of winmvsca.hursley.ibm.com has configured their website improperly. To protect your information from being stolen, Firefox has not connected to this website.
winmvsca.hursley.ibm.com:9444 uses an invalid security certificate.
The certificate is only valid for SCENSTDEFAULTOU
Error code: SSL_ERROR_BAD_CERT_DOMAIN
As part of the handshake, Liberty sends down the certificate identified by the label in serverKeyAlias="MVSCA" above.
Browsers now check that the ALTNAME (subject alternative name) in this certificate matches the site you are trying to access.
To resolve this I had to add the
to the MVSCA certificate (as described above).
I recreated the certificate, and connected it to the keyring.
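To show what the browser is actually checking when it reports SSL_ERROR_BAD_CERT_DOMAIN, here is an added example (my own code, not from the original post or from MQ) that applies the host-name check to a certificate in the dictionary layout Python's ssl.getpeercert() returns. The two certificates at the bottom are constructed to mirror the situation above: one with only a CN and no ALTNAME, one with the site's name in the subject alternative name. It also handles the wildcard form ('*.hursley.ibm.com'), which the post does not use, to show the general rule. The fetch_peercert helper assumes you have the signing CA certificate in PEM form and that the endpoint completes the handshake without a client certificate; it is not run offline.

```python
# Added example, not from the original post: the host-name check a browser
# applies to the server certificate, using the dict layout that
# ssl.SSLSocket.getpeercert() returns. Certificates below are constructed.
import socket
import ssl


def san_dns_names(peercert):
    """DNS names from the subjectAltName of a getpeercert()-style dict."""
    return [value for kind, value in peercert.get("subjectAltName", ()) if kind == "DNS"]


def subject_cn(peercert):
    """commonName from the subject of a getpeercert()-style dict."""
    subject = {k: v for rdn in peercert.get("subject", ()) for k, v in rdn}
    return subject.get("commonName")


def hostname_matches(hostname, dns_names):
    """RFC 6125 style DNS-ID matching: case-insensitive exact match, or a
    wildcard in the leftmost label only ('*.hursley.ibm.com' covers exactly
    one label, never the bare domain and never two labels)."""
    host = hostname.lower().rstrip(".")
    for name in dns_names:
        pattern = name.lower().rstrip(".")
        if pattern == host:
            return True
        if pattern.startswith("*."):
            suffix = pattern[1:]                        # ".hursley.ibm.com"
            label = host[: -len(suffix)] if host.endswith(suffix) else ""
            if label and "." not in label:
                return True
    return False


def check_peercert(hostname, peercert):
    """Judge a certificate the way a browser does; returns (ok, reason)."""
    names = san_dns_names(peercert)
    if not names:
        # Modern browsers do not fall back to the CN when no SAN is present.
        return False, "no subjectAltName; CN %r is not used for host-name matching" % subject_cn(peercert)
    if hostname_matches(hostname, names):
        return True, "%s matches subjectAltName %s" % (hostname, names)
    return False, "%s not in subjectAltName %s (SSL_ERROR_BAD_CERT_DOMAIN)" % (hostname, names)


def fetch_peercert(host, cafile, port=9444):
    """Retrieve the server certificate from a live endpoint with chain
    validation but without the host-name check, so a mismatched certificate
    can still be inspected. Assumes cafile holds the signing CA (for example
    the exported z/OS CERTAUTH certificate) in PEM form. Not exercised offline."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = False        # verify_mode stays CERT_REQUIRED so getpeercert() is populated
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


# Constructed certificates in getpeercert() layout (hypothetical contents).
CERT_NO_SAN = {
    "subject": ((("organizationName", "CONSOLE"),), (("commonName", "SCENSTDEFAULTOU"),)),
}
CERT_WITH_SAN = {
    "subject": ((("organizationName", "CONSOLE"),), (("commonName", "SCENSTDEFAULTOU"),)),
    "subjectAltName": (("DNS", "winmvsca.hursley.ibm.com"),),
}

if __name__ == "__main__":
    for cert in (CERT_NO_SAN, CERT_WITH_SAN):
        print(check_peercert("winmvsca.hursley.ibm.com", cert))
```

Running it prints the rejection for the CN-only certificate and the acceptance once the ALTNAME carries the host name, which is exactly the difference between the first MVSCA certificate and the recreated one.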
During this testing I got messages in //STDERR like
CWPKI0024E: The certificate alias MVSCA specified by the property com.ibm.ssl.keyStoreServerAlias is not found in KeyStore safkeyring://SCENSTC/SCENSTC.RING.
and FFDCs with
Stack Dump = java.io.IOException: The private key of PAICE2 is not available or no authority to access the private key
The CWPKI0024E message about certificate alias MVSCA is a side-effect of the PAICE2 problem.
To display the RACF keystore using the same Java code the web server uses, I ran the USS java command
keytool -list -v -storetype JCERACFKS -keystore safkeyring://SCENSTC/SCENSTC.RING -J-Djava.protocol.handler.pkgs=com.ibm.crypto.provider
and got
java.io.IOException: The private key of PAICE2 is not available or no authority to access the private key as above
This is all saying that my userid (PAICE) and SCENSTC were not able to access the certificate for userid PAICE2, even though it was on the keyring.
My z/OS has been set up with RACF class RDATALIB active.
See here for more information about the RACF set up for this.
I had to set up a RACF profile
RDEFINE RDATALIB SCENSTC.SCENSTC.RING.LST
PERMIT SCENSTC.SCENSTC.RING.LST CLASS(RDATALIB) ID(PAICE,SCENSTC) ACCESS(CONTROL)
SETROPTS CLASSACT(RDATALIB) RACLIST(RDATALIB)
ACCESS(READ) enables retrieving one's own private key; ACCESS(UPDATE) enables retrieving the private key of other ids.
All this took more than a day to sort out!
I got CWWKO0801E: Unable to initialize SSL connection. javax.net.ssl.SSLException: Unrecognized SSL message, plaintext connection.
Using Chrome worked fine. Using Firefox produced the error. After some head scratching, and trying various things, suddenly the browser popped up a window asking which certificate to use. I selected my certificate and it worked.
It might be worth restarting the browser if you get the same problem.
Some other mistakes
BPXM047I BPXBATCH FAILED BECAUSE SPAWN (BPX1SPN) OF ... bbgzsrv FAILED WITH RETURN CODE 00000081 REASON CODE 0594003D.
bpxmtext 0594003D gave me
JRDirNotFound: A directory in the pathname was not found
Action: One of the directories specified was not found. Verify that the name
specified is spelled correctly.