Unable to authenticate to IBM MQ C# with TLS-certificate
I managed to get it working by only installing one (CN=app_test) of the three certificates from the .p12 file into my local user store.
The file contained:
CN=Root CA v2, DC=corp1, DC=ad1, DC=xxx, DC=net
CN=Appl Sub CA v2, DC=corp1, DC=ad1, DC=xxx, DC=net
CN=app_test
If I install the whole collection of those three certificates I get a failure with the code 2059 from MQ.
Websphere MQ access to SSL certificate when running inside IIS7 as DefaultAppPool?
For MQ clients the certificate label must have the user name who runs the client. In your case, for example ibmwebspheremqbs6mjb. If the certificate label is something else, the MQ client (actually GSKit libraries) will not find the certificate to connect to queue manager. I think that's what is happening when you have the label as ibmwebspheremqdefaultapppool.
This blog has interesting and useful details. You may want to check under what user IIS runs and create a certificate for that user and do the required SSL setup between client and MQ queue manager.
Issue with SSL connection to IBM WEB MQ
The errors in the AMQERR01.LOG files are telling you that the client side certificate is not being picked up. The label should be ibmwebspheremq<client-logged-on-user>.
From your screen shots I can see that your certificate label is ibmwebspheremqclient but from the screen shot of the command prompt it appears your logged on user ID might actually be herath, in which case the MQ code will be looking for a certificate label ibmwebspheremqherath, not finding it and so going anonymous.
Rename the label of your client side certificate to the appropriate label and see if it now picks it up.
Secure handshake failing during IBM.MQ MQQueueManager on Linux .net core
Thank you @JoshMc based on this question we successfully managed to finish the handshake.
I think this is a general solution for .net core on RHEL and IBM MQ Client libraries:
- Be sure that CA and Intermediate CA are stored in /usr/share/pki/ca-trust-source/anchors/ or /etc/pki/ca-trust/source/anchors/
- If your pfx contains certificates in the certification path, EXPORT ONLY the private key and public cert
- Be sure to have Friendly Name set to some value.
- Add the exported pfx to the .net core key store with certificate-tool add
- Set CertificateLabel to match FriendlyName or set the friendly name to ibmwebspheremq<username_in_lowercase>
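The following is an added example, not code from any of the answers above or from IBM. It ties together the two failure modes the answers describe: CA certificates installed into the personal store alongside the leaf certificate (the first answer's 2059), and a certificate label that does not match ibmwebspheremq<user> (the "going anonymous" case and the RHEL steps). It assumes the IBM MQ managed .NET client (IBM.WMQ namespace), a hypothetical queue manager, host, channel and cipher spec, and that the client exposes the label through MQC.CERT_LABEL_PROPERTY, which I believe is the property name but have not verified against every client version.

```csharp
using System;
using System.Collections;
using System.Linq;
using System.Security.Cryptography.X509Certificates;
using System.Text;
using IBM.WMQ;   // IBM MQ managed .NET client assembly

static class MqTlsPreflight
{
    // Label convention from the answers: "ibmwebspheremq" + logged-on user name, lower case.
    public static string DefaultCertLabel(string userName) =>
        "ibmwebspheremq" + userName.ToLowerInvariant();

    // Inspect the current user's personal ("My") store, which is what SSL_CERT_STORE "*USER" selects
    // (on Linux .NET Core this is ~/.dotnet/corefx/cryptography/x509stores/my).
    // Reports CA certificates that ended up in the personal store (first answer's problem) and
    // whether a certificate with a private key carries the label the MQ client will look for.
    public static string InspectUserStore(string expectedLabel)
    {
        var report = new StringBuilder();
        bool clientCertFound = false;
        using (var store = new X509Store(StoreName.My, StoreLocation.CurrentUser))
        {
            store.Open(OpenFlags.ReadOnly);
            foreach (X509Certificate2 cert in store.Certificates)
            {
                bool isCa = cert.Extensions.OfType<X509BasicConstraintsExtension>()
                                           .Any(e => e.CertificateAuthority);
                report.AppendLine($"{cert.Subject} | friendly name '{cert.FriendlyName}' | " +
                                  $"private key: {cert.HasPrivateKey} | CA: {isCa}");
                if (isCa)
                    report.AppendLine("  -> CA certificate in the personal store: move it to the trust " +
                                      "anchors and re-export the PFX with only the leaf cert and private key.");
                if (cert.HasPrivateKey &&
                    string.Equals(cert.FriendlyName, expectedLabel, StringComparison.OrdinalIgnoreCase))
                    clientCertFound = true;
            }
        }
        if (!clientCertFound)
            report.AppendLine($"No certificate with a private key and label '{expectedLabel}' found: " +
                              "the client would connect without a certificate (anonymous).");
        return report.ToString();
    }

    // Connect over TLS using the user store and an explicit certificate label.
    // Host, port, channel and cipher spec are caller-supplied placeholders.
    public static MQQueueManager Connect(string qmName, string host, int port,
                                         string channel, string cipherSpec, string certLabel)
    {
        var props = new Hashtable
        {
            { MQC.TRANSPORT_PROPERTY, MQC.TRANSPORT_MQSERIES_MANAGED },
            { MQC.HOST_NAME_PROPERTY, host },
            { MQC.PORT_PROPERTY, port },
            { MQC.CHANNEL_PROPERTY, channel },
            { MQC.SSL_CERT_STORE_PROPERTY, "*USER" },          // current user's personal store
            { MQC.SSL_CIPHER_SPEC_PROPERTY, cipherSpec },      // must match the SVRCONN channel
            { MQC.CERT_LABEL_PROPERTY, certLabel },            // assumed property name, see lead-in
        };
        return new MQQueueManager(qmName, props);
    }

    public static void Main()
    {
        string label = DefaultCertLabel(Environment.UserName);
        Console.WriteLine(InspectUserStore(label));

        MQQueueManager qm = null;
        try
        {
            // Hypothetical queue manager and endpoint values.
            qm = Connect("QM1", "mq.example.invalid", 1414, "APP.SVRCONN",
                         "TLS_RSA_WITH_AES_128_CBC_SHA256", label);
            Console.WriteLine("Connected: " + qm.IsConnected);
        }
        catch (MQException ex)
        {
            // 2059 with a certificate problem: check AMQERR01.LOG on client and queue manager.
            Console.WriteLine($"MQ connect failed, reason {ex.ReasonCode}: {ex.Message}");
        }
        finally
        {
            if (qm != null && qm.IsConnected) qm.Disconnect();
        }
    }
}
```

Run the pre-flight report before each connection attempt while setting up the store; on Linux the .NET store APIs do not surface the PFX friendly name the same way Windows does (as far as I know the getter returns an empty string there), so on RHEL compare the reported subject line against the label you set with certificate-tool rather than relying on the friendly-name match alone.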