rohitbborse

MQ 2393 while connecting to SSL enabled QM from some client system.

‏2017-07-30T08:15:09Z | mq.net mq7.5 webspheremq

Hi All,

I am getting MQRC_SSL_INITIALIZATION_ERROR. While checking further down in the AMQERROR logs, one of the two certificates throws an AMQ9633 error - 575010 No certificate chain was built for one certificate. Another certificate throws an error regarding extensions - Authority Information Access or CRL Distribution Points.

The same SSL certs are working on another Windows OS system with the same configuration. I have checked system environment variables as well as amqmdnet.dll versions on both systems and they look good. WebSphere MQ Client 7.5 is installed on both Windows systems.

My MQ guy suggested there are plenty of variables we have to set on the client application/system. But I am not sure which variables those are. Can you please suggest what other variables on the system I have to check to get this working?

Somewhere in the blog, I read that there was a difference in the SSL/TLS version the client application/system was sending to the server which caused these errors. I am not able to check that as I don't know how I can trace/monitor.

 

Please help.

  • fjb_saper

    Re: MQ 2393 while connecting to SSL enabled QM from some client system.

    ‏2017-10-19T12:54:35Z  

    This looks to me like the problem is with the client certificate i.e. the application's certificate. There are 3 things that will be of paramount importance:

    • The certificate's algorithm, as it will dictate the cipher specs that can be used (for example, elliptic curve cipherspecs).
    • The certificate's signer chain. All of the signer certs of the client certificate need to be in the qmgr's truststore.
    • The bits that were set when the certificate was created / requested as to the cert's fitness of purpose. A cert that is O.K. for signing code may not be suitable for TLS conversation encryption.

    Hope this helps
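
The three checks listed in the reply above, as an added example that is not part of the original thread: a shell function that runs them with openssl against an exported certificate. It assumes openssl is installed, that the client certificate has been exported to PEM, and that the signer certificates the queue manager is expected to trust are available as one PEM bundle; the function name and file names are placeholders.

```shell
#!/bin/sh
# Added example, not from the original thread.
# Assumptions: CERT is the client certificate in PEM form, SIGNERS is a PEM
# bundle of the signer (CA) certificates expected in the qmgr's truststore.
# Return codes: 0 = all checks pass, 1 = no chain built,
#               2 = chain builds but the cert is not fit for TLS client use.
check_tls_client_cert() {
    cert=$1
    signers=$2

    # 1. Algorithm: the key type limits which CipherSpecs can be used
    #    (an elliptic curve key needs an elliptic curve CipherSpec).
    openssl x509 -in "$cert" -noout -text |
        sed -n -E 's/^ *((Public Key|Signature) Algorithm: .*)$/\1/p' |
        sort -u

    # 2. Signer chain: every issuer up to the root must be in the bundle.
    #    No -purpose is given here, so only chain building is tested.
    if ! openssl verify -CAfile "$signers" "$cert" >/dev/null 2>&1; then
        echo "FAIL: no certificate chain could be built from $signers"
        return 1
    fi
    echo "OK: certificate chain built"

    # 3. Fitness for purpose: keyUsage / extendedKeyUsage must permit use
    #    as a TLS client certificate (a code-signing-only cert fails here).
    if ! openssl verify -CAfile "$signers" -purpose sslclient "$cert" \
            >/dev/null 2>&1; then
        echo "FAIL: key usage does not allow TLS client authentication"
        openssl x509 -in "$cert" -noout -text |
            grep -A1 -E 'X509v3 (Extended )?Key Usage'
        return 2
    fi
    echo "OK: certificate is usable for TLS client authentication"
    return 0
}

# Direct use: sh check_cert.sh client.pem signers.pem (placeholder names)
if [ "$#" -eq 2 ]; then
    check_tls_client_cert "$1" "$2"
fi
```

Running it against the same exported certificate on the working and the failing system shows whether the difference lies in the certificate itself or in the signer certificates available on each side.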