Implement two-way SSL authentication with WebSphere MQ

I am using a Java client using JMS/JNDI. The connection works when using one-way SSL authentication, SSLCAUTH(OPTIONAL). The first step I took was to export the client's public certificate:

 keytool -export -keystore keystore -storepass storepass -alias CLIENT -file client.cer 

Then I added this certificate to the MQ key repository.

 gsk7cmd -cert -add -db keydb.kdb -pw password -label ibmwebspheremqclient -file client.cer -format binary 

And I finally switched to SSLCAUTH(REQUIRED) mode.

I get the following error log. The message is pretty clear: it cannot find my client certificate. I read that my client certificate should have the ibmwebspheremq<client_user_id> label. What is this user ID, since I'm connecting through Java?

 AMQ9637: Channel is lacking a certificate. 
1 answer

According to the Technote "Specifying a user ID on the SSL certificate label for the MQ client", Java and JMS clients do not find their certificate based on the label.

Often the problem is a mismatch between the trust store and the key store. I have often seen two problems.

  • The application specifies a trust store, but not a key store. This works fine for anonymous (one-way) SSL, but not for mutually authenticated SSL. The application must specify both a key store and a trust store for mutual authentication.
  • Sometimes an application specifies a trust store file, but private certificates are stored in a key store. Or the application points to the same file for both the trust store and the key store, and personal certificates are actually located in a separate trust store file.

Does this solve the problem? If not, please update the question with the keytool -list output for the key store and the trust store, as well as the command-line arguments or code that set up the key store / trust store.

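As an added example (not code from the question or the answer), the following Java client wires both a key store and a trust store into an MQ JMS connection factory and, before connecting, checks that the key store actually contains a private key entry, which is the store mismatch the answer describes. Host name, port, queue manager, channel, cipher suite, file names and passwords are assumed placeholders.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.util.Collections;

import javax.jms.Connection;
import javax.jms.JMSException;

import com.ibm.mq.jms.MQConnectionFactory;
import com.ibm.msg.client.wmq.WMQConstants;

public class MutualTlsMqClient {

    // Assumed file names and passwords; replace with your own.
    static final String KEYSTORE = "client.jks";      // client's private key + certificate (PrivateKeyEntry)
    static final String KEYSTORE_PASS = "storepass";
    static final String TRUSTSTORE = "mqtrust.jks";   // queue manager's signer/CA certificate (trustedCertEntry)
    static final String TRUSTSTORE_PASS = "trustpass";

    /**
     * Counts the private key entries in a JKS file. Zero means the file can only
     * serve as a trust store, so the client has nothing to present for SSLCAUTH(REQUIRED).
     */
    static int countPrivateKeyEntries(String path, String password) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(path)) {
            ks.load(in, password.toCharArray());
        }
        int n = 0;
        for (String alias : Collections.list(ks.aliases())) {
            if (ks.isKeyEntry(alias)) {
                n++;
            }
        }
        return n;
    }

    /** Builds the factory; both stores must be set, a trust store alone gives one-way TLS only. */
    static MQConnectionFactory buildFactory() throws JMSException {
        System.setProperty("javax.net.ssl.keyStore", KEYSTORE);
        System.setProperty("javax.net.ssl.keyStorePassword", KEYSTORE_PASS);
        System.setProperty("javax.net.ssl.trustStore", TRUSTSTORE);
        System.setProperty("javax.net.ssl.trustStorePassword", TRUSTSTORE_PASS);

        MQConnectionFactory cf = new MQConnectionFactory();
        cf.setTransportType(WMQConstants.WMQ_CM_CLIENT);
        cf.setHostName("mq.example.internal");            // assumed
        cf.setPort(1414);                                 // assumed
        cf.setQueueManager("QM1");                        // assumed
        cf.setChannel("SSL.SVRCONN");                     // assumed; channel defined with SSLCAUTH(REQUIRED)
        cf.setSSLCipherSuite("TLS_RSA_WITH_AES_128_CBC_SHA256"); // assumed; must match the channel's SSLCIPH
        return cf;
    }

    public static void main(String[] args) throws Exception {
        if (countPrivateKeyEntries(KEYSTORE, KEYSTORE_PASS) == 0) {
            throw new IllegalStateException(KEYSTORE
                + " contains no private key entry; the queue manager cannot authenticate this client");
        }
        Connection conn = buildFactory().createConnection();
        conn.start();
        System.out.println("Mutual TLS connection established");
        conn.close();
    }
}
```

The pre-flight check is the programmatic equivalent of the keytool -list inspection the answer asks for: if the alias you expect shows up as a trusted certificate entry rather than a private key entry, the JSSE layer will complete the handshake without a client certificate and the channel will reject it, regardless of what label the certificate carries.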

Source: https://habr.com/ru/post/1439360/
