.net - 2538 error on MQ for SSL channel connection

I am using IBM WebSphere MQ 8.0 version.

I have configured one of my channels with "TLS_RSA_WITH_AES_256_CBC_SHA256" Cipher Spec encryption along with valid certificates installed and mapped to key store path correctly.

My .NET client code is not able to connect with this secured channel. It gives 2538 error continuously. I have another channel configured without encryption (unsecured). The client code can connect to this channel without any errors.

This is my .NET client code:

    using System.Collections;
    using IBM.WMQ;

    // Connection properties for the TLS-secured SVRCONN channel
    Hashtable queueProperties = new Hashtable();
    queueProperties[MQC.HOST_NAME_PROPERTY] = host; // IP address
    queueProperties[MQC.PORT_PROPERTY] = 1541;
    queueProperties[MQC.CHANNEL_PROPERTY] = channel; // channel name
    queueProperties[MQC.TRANSPORT_PROPERTY] = MQC.TRANSPORT_MQSERIES_MANAGED;
    queueProperties[MQC.SSL_CERT_STORE_PROPERTY] = "*USER"; // Windows user certificate store
    queueProperties[MQC.SSL_CIPHER_SPEC_PROPERTY] = "TLS_RSA_WITH_AES_256_CBC_SHA256";
    queueProperties[MQC.SSL_PEER_NAME_PROPERTY] = "CN=FXCMTST1,O=IBM,C=US"; // DN of the queue manager certificate
    queueProperties["CertificateLabel"] = "ibmwebspheremqfxcmtst1";
    queueProperties[MQC.KEY_RESET_COUNT] = 0;
    MQEnvironment.SSLCertRevocationCheck = true;
    queueProperties[MQC.USER_ID_PROPERTY] = user; // variable
    queueProperties[MQC.PASSWORD_PROPERTY] = pwd; // variable
    try
    {
        // Attempt the connection
        queueManager = new MQQueueManager(qmgr, queueProperties);
        strReturn = "Connected Successfully";
    }
    catch (MQException mqe)
    {
        // ReasonCode carries the MQRC value (e.g. 2538, 2059); the detail is in AMQERR01.LOG
        strReturn = "MQ connection failed, reason code " + mqe.ReasonCode;
    }

I have also set the MCA User to the valid user with all required access rights.

The above code works fine for the unsecured channel when I remove these lines and replace the channel name with that of the unsecured one.

    queueProperties[MQC.TRANSPORT_PROPERTY] = MQC.TRANSPORT_MQSERIES_MANAGED;
    queueProperties[MQC.SSL_CERT_STORE_PROPERTY] = "*USER";
    queueProperties[MQC.SSL_CIPHER_SPEC_PROPERTY] = "TLS_RSA_WITH_AES_256_CBC_SHA256";
    queueProperties[MQC.SSL_PEER_NAME_PROPERTY] = "CN=FXCMTST1,O=IBM,C=US";
    queueProperties["CertificateLabel"] = "ibmwebspheremqfxcmtst1";
    queueProperties[MQC.KEY_RESET_COUNT] = 0;
    MQEnvironment.SSLCertRevocationCheck = true;

Am I missing anything in the code or MQ configuration?

UPDATE 1: I found that the error was due to an incorrect path to the key database. I had mentioned the path only up to the folder name where the certificates were placed. However, it was expected to be the folder name followed by the name of the kdb file without the extension.

After making this change, the 2538 error is gone. But now I am getting a 2059 error with the error message below in the log.

"The CipherSpec negotiated during the SSL handshake does not match the required CipherSpec for channel..."

My channel is configured to have "TLS_RSA_WITH_AES_256_CBC_SHA256", as I have set it in MQ Explorer. The client code is also sending the same cipher spec. Still it gives the 2059 error.

UPDATE 2: As suggested by @JoshMc, I set the group policy and it resolved the above error. Then I started getting the error "Channel is lacking certificate".

UPDATE 3: This error is gone after I changed the SSLCAUTH to OPTIONAL. Earlier it was set to REQUIRED. Thanks to @JoshMc for pointing out.

1 Answer


Originally in your question you had the following line of code:

queueProperties[MQC.SSL_PEER_NAME_PROPERTY] = "ibmwebspheremqtestqueue";

I advised: The SSL_PEER_NAME_PROPERTY is meant to validate a portion or all of the DN value of the queue manager cert, so it would be in a format like CN=x.domain.com,OU=Y,O=Company Inc; what you have looks like a cert label.

Can you see what errors are generated, if any, in the queue manager's AMQERR01.LOG? What about in the local client AMQERR01.LOG?

You responded with an error from the queue manager:

AMQ9660: SSL key repository: password stash file absent or unusable.

And you found the error per your update:

UPDATE: I found that the error was due to an incorrect path to the key database. I had mentioned the path only up to the folder name where the certificates were placed. However, it was expected to be the folder name followed by the name of the kdb file without the extension.

Now you moved on to getting the following error:

The CipherSpec negotiated during the SSL handshake does not match the required CipherSpec for channel...

I advised: Managed .NET does not use the cipher you specify; it is picked up from a Windows policy. This question and answer should help: "IBM MQ.Net CertificateLabel, CipherSpec".

You advised you fixed the group policy and then moved on to getting the following error when you set SSLCAUTH(REQUIRED) on the SVRCONN channel:

channel is lacking a certificate

SSLCAUTH(REQUIRED) tells the queue manager that you are requiring the client to have a certificate. The client will always require the queue manager to have a certificate no matter what SSLCAUTH is set to.

Assuming you have the queue manager configured to perform CONNAUTH to validate the user and password you are sending and you have set ADOPTCTX(YES) on the CONNAUTH's AUTHINFO object, then having SSLCAUTH(OPTIONAL) is a reasonable setting as this means all the data between the client and queue manager will be encrypted and the connection is authenticated by the id/pw. Even if you have SSLCAUTH(REQUIRED), unless you also configure the SVRCONN to match on a specific DN value via either the channel's SSLPEER property or a CHLAUTH TYPE(SSLPEERMAP) rule's SSLPEER property it is not providing any form of authentication.
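The queue manager side of what this thread settles on, as an added MQSC example that is not from the question or the answer. The queue manager name QM1, channel APP.SVRCONN, MCA user mqapp, the key repository path and the client certificate DN are all assumptions.

```mqsc
* Added example, not from the question or the answer.
* Assumed names: queue manager QM1, channel APP.SVRCONN, MCA user 'mqapp',
* the key repository path below, and a client cert DN of CN=appclient,O=Example,C=US.

* 1. SSLKEYR is the folder plus the kdb file name WITHOUT the .kdb extension;
*    key.kdb and the stash file key.sth must both exist, otherwise the queue
*    manager logs AMQ9660 and the client sees 2538.
ALTER QMGR SSLKEYR('C:\ProgramData\IBM\MQ\qmgrs\QM1\ssl\key')

* 2. The channel as the thread first had it. SSLCAUTH(REQUIRED) makes the TLS
*    handshake fail when the client presents no certificate ("channel is lacking
*    a certificate"), and on its own it still authenticates nobody: any
*    certificate chaining to a CA in the key repository is accepted here.
DEFINE CHANNEL(APP.SVRCONN) CHLTYPE(SVRCONN) TRPTYPE(TCP) +
       SSLCIPH(TLS_RSA_WITH_AES_256_CBC_SHA256) SSLCAUTH(REQUIRED) +
       MCAUSER('mqapp') REPLACE

* 3a. What the thread settled on: TLS for confidentiality, CONNAUTH for
*     authentication. ADOPTCTX(YES) runs the connection as the validated user.
DEFINE AUTHINFO(APP.AUTHINFO) AUTHTYPE(IDPWOS) CHCKCLNT(REQUIRED) +
       ADOPTCTX(YES) REPLACE
ALTER QMGR CONNAUTH(APP.AUTHINFO)
ALTER CHANNEL(APP.SVRCONN) CHLTYPE(SVRCONN) SSLCAUTH(OPTIONAL)

* 3b. Alternative if the client certificate is the credential: keep
*     SSLCAUTH(REQUIRED) and pin the expected subject DN, on the channel or
*     with a CHLAUTH SSLPEERMAP rule that also maps it to the MQ user.
ALTER QMGR CHLAUTH(ENABLED)
ALTER CHANNEL(APP.SVRCONN) CHLTYPE(SVRCONN) SSLCAUTH(REQUIRED) +
      SSLPEER('CN=appclient,O=Example,C=US')
SET CHLAUTH(APP.SVRCONN) TYPE(SSLPEERMAP) +
    SSLPEER('CN=appclient,O=Example,C=US') +
    USERSRC(MAP) MCAUSER('mqapp') ACTION(REPLACE)

* Pick up the new key repository, channel and CONNAUTH settings.
REFRESH SECURITY TYPE(SSL)
REFRESH SECURITY TYPE(CONNAUTH)
```

Feed the script to runmqsc QM1; sections 3a and 3b are alternatives, so apply only the one that matches how the client is meant to authenticate.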
