I had lots of problems trying to get a client using TLS to connect to the queue manager, from set up errors, to unclear documentation. It took me days to get my first channel set up.
IBM does not provide a program on midrange to format the GSKit trace. Someone suggested I use the Wireshark network packet analyser to monitor the traffic on the network. I've given some examples of the handshake for TLS 1.2 and TLS 1.3.
Below are some things you can do to check that your set-up is what you expect.
Review the error log
This is in /var/mqm/errors/AMQERR01.LOG
It does not provide all the information needed to identify the parameters used in the handshake, so you need to use the trace.
Turn on the MQ client trace
strmqtrc -e
start your program
endmqtrc -e
Format the trace
The client trace files are in /var/mqm/trace
- cd /var/mqm/trace
- dspmqtrc *.TRC
This will create several *.FMT files.
Find the trace file for the connection
grep -F PeerName *.FMT
will list the file with the trace entries in it. My file was AMQ7232.0.FMT.
Check the channel name.
From the output of the grep -F PeerName *.FMT above, check that the Channel Name: is what you expect, and check the remote IP address and port. If you are using a CCDT, the client takes the first channel definition whose queue manager name matches. This may not be the channel name you were expecting. I had channels QMACLIENT and QMACLIENTTLS in the CCDT. QMACLIENT was chosen instead of QMACLIENTTLS.
Check the mqclient.ini being used
grep -F mqclient.ini AMQ7232.0.FMT |grep -F FileName
Check the CCDT (channel definition file) being used
grep -F ChannelDefinition AMQ7232.0.FMT
Adding stanza (ChannelDefinitionDirectory) length (19)
Adding stanza (ChannelDefinitionFile) length (10)
ChannelDefinitionDirectory = '/home/colinpaice/mq'
ChannelDefinitionFile = 'COLIN2.TAB'
Adding stanza (ChannelDefinitionFile) length (10)
Using ChannelDefinitionDirectory / MQCHLLIB value of /home/colinpaice/mq
Using ChannelDefinitionFile / MQCHLTAB value of RE.TAB
Adding stanza (ChannelDefinitionDirectory) length (19)
Adding stanza (ChannelDefinitionFile) length (10)
Using ChannelDefinitionDirectory / MQCHLLIB value of /home/colinpaice/mq
Using ChannelDefinitionFile / MQCHLTAB value of RE.TAB
The last entries show what was used.
Check the keystore being used
grep -Fi SSLKeyR *.FMT
Display the certlabl.
grep -Fi CertificateLabel *.FMT
It will display many records. The key ones are
- MQCD CertificateLabel 'rsaca256_client'
- Saved CertificateLabel 'rsaca256_client'
If these are missing, certlabl has not been specified.
Display the channel definition
Edit or browse the file and locate “CD “.
This will locate the MQCD (see the MQ documentation).
Interesting offsets in the CD are
- 0x0000 Client channel name
- 0x0060 Queue manager name
- 0x00c0 IP address
- 0x0698 Cipher Spec
- 0x0780 TLS certificate label (alias name) in the client's keystore
Display Client Hello
The trace may also contain a transcript of the TLS handshake, with the Client_Hello and Server_Hello records.
Locate <client_hello>; if found, it contains data like the following (some data removed):
client_version TLSV12
random ...
session_id ...
cipher_suites tls_ri_scsv,tls_rsa_with_aes_128_cbc_sha256
compression_methods ...
Extensions...
signature_algorithms 13 rsa:sha512,rsa:sha384,rsa:sha256,rsa:sha224,...
server_name qmaqclienttls.chl.mq.ibm.com
End of GSKit TLS Handshake Transcript
You need to understand the TLS handshake to fully understand this.
- client_version TLSV12: the minimum level of TLS supported
- cipher_suites: the cipher suites the client is offering
- signature_algorithms: the signature algorithms the client will accept
- server_name: the SNI (Server Name Indication) value, which identifies the channel
What is my client connected to?
On a queue manager you can issue DIS CHS(...) ALL and get, for example:
SECPROT(TLSV12)
SSLCERTI(CN=SSCA256,OU=CA,O=SSS,C=GB)
SSLCIPH(TLS_RSA_WITH_AES_128_CBC_SHA256)
SSLPEER(SERIALNUMBER=01:79,CN=rsaca256,O=cpwebuser,C=GB,…)
I could not find a command to display the same information from the client's perspective.
You can look in the trace file for SSLCERTI, for example:
SSLCERTI('CN=SS,O=SSS,C=GB')
SSLPEER('SERIALNUMBER=73:CB:2B:…,CN=SS,O=SSS,C=GB')
SSLCERTI gives the issuer DN of the server's certificate, and SSLPEER gives its subject DN. As the peer (subject) DN is the same as the SSLCERTI (issuer) DN, this shows that the server's certificate is self-signed.
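The checks above (trace capture, which CCDT was actually used, the certificate label, and the issuer/subject comparison from SSLCERTI and SSLPEER) can be scripted rather than read by eye. The following is an added example and is not code from the original post; it assumes the trace writes these values with straight single quotes, and the sample *.FMT content it generates is constructed from the fragments shown above, so the grep patterns should be checked against a real trace before relying on them.

```shell
#!/bin/sh
# Added example (not from the original post): helpers that pull the key facts
# out of a formatted MQ client trace (*.FMT) instead of reading grep output.

# Capture a client trace around one run of a program (the post's procedure).
# Needs an MQ client install; not run by the sample below.
trace_client() {
    # usage: trace_client ./myprogram arg...
    strmqtrc -e || return 1
    "$@"
    rc=$?
    endmqtrc -e
    ( cd /var/mqm/trace && dspmqtrc *.TRC )   # one *.FMT per *.TRC
    return $rc
}

# Write a CONSTRUCTED sample of the trace entries discussed in the post
# (assumption: straight quotes, one value per line, as in a real trace).
make_sample_fmt() {
    cat >"$1" <<'EOF'
ChannelDefinitionFile = 'COLIN2.TAB'
Using ChannelDefinitionDirectory / MQCHLLIB value of /home/colinpaice/mq
Using ChannelDefinitionFile / MQCHLTAB value of COLIN2.TAB
Using ChannelDefinitionDirectory / MQCHLLIB value of /home/colinpaice/mq
Using ChannelDefinitionFile / MQCHLTAB value of RE.TAB
MQCD CertificateLabel 'rsaca256_client'
Saved CertificateLabel 'rsaca256_client'
server_name qmaqclienttls.chl.mq.ibm.com
SSLCERTI('CN=SS,O=SSS,C=GB')
SSLPEER('SERIALNUMBER=73:CB:2B:AA,CN=SS,O=SSS,C=GB')
EOF
}

# The CCDT actually used is the LAST "MQCHLTAB value of" entry in the trace.
chltab_used() {
    grep -F 'MQCHLTAB value of' "$1" | tail -n 1 | sed 's/.*value of //'
}

# Certificate label the client settled on; empty output means certlabl was
# not specified.
cert_label() {
    grep -F 'Saved CertificateLabel' "$1" | tail -n 1 | sed "s/.*'\(.*\)'.*/\1/"
}

# DN inside SSLCERTI('...') or SSLPEER('...'), with any leading
# SERIALNUMBER=... component dropped so issuer and subject are comparable.
dn_of() {
    # usage: dn_of SSLCERTI|SSLPEER file
    grep -F "$1(" "$2" | tail -n 1 \
        | sed "s/^.*$1('\(.*\)').*$/\1/; s/^SERIALNUMBER=[^,]*,//"
}

# True (exit 0) when issuer DN == subject DN, i.e. a self-signed server cert.
peer_is_self_signed() {
    [ "$(dn_of SSLCERTI "$1")" = "$(dn_of SSLPEER "$1")" ]
}

# SNI the client sent in its Client_Hello (the channel name, lower-cased).
client_sni() {
    sed -n 's/.*server_name \([^ ]*\).*/\1/p' "$1" | head -n 1
}

# Stand-alone demonstration on the constructed sample.
demo() {
    f=$(mktemp)
    make_sample_fmt "$f"
    echo "CCDT used:        $(chltab_used "$f")"
    echo "certlabl:         $(cert_label "$f")"
    echo "SNI:              $(client_sni "$f")"
    if peer_is_self_signed "$f"; then
        echo "server cert:      self-signed"
    else
        echo "server cert:      CA-signed ($(dn_of SSLCERTI "$f"))"
    fi
    rm -f "$f"
}
```

Run `demo` (or call the individual functions against your own AMQ*.FMT file) after formatting a trace; `chltab_used` deliberately takes the last entry, since that is the value the client ended up with when the mqclient.ini and environment disagree.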
Is it worth adding a step to grep your mqclient.ini file for ChannelDef? Looks like you’re showing that your mqclient.ini file contains multiple entries? This presumably would be easier to do than taking trace to discover the same problem?
Good idea … but the problem I had was which takes precedence: the MQCHLTAB environment variable or the ChannelDefinition* mqclient.ini file. The doc does not say.
I believe it is always the case that environment variables take precedence over the mqclient.ini file, but I can't find it documented anywhere either. Some individual environment variables' details state that they specifically take precedence over their equivalent.
I might change my other posts to say explicitly set or unset all environment variables so you do not get surprises.
Good idea 🙂
Is there a way to get more logging from the MQ client side? In my case, I don’t control the queue manager server, only the client connecting.
Mitch,
There is always the client trace,
To enable MQ client tracing, use /opt/mqm/bin/strmqtrc -e
Run the session.
End the trace:
/opt/mqm/bin/endmqtrc -e
Format the trace:
/opt/mqm/bin/dspmqtrc /var/mqm/trace/xxx.TRC