If you enable this option in the qm.ini or mqclient.ini, it can have problems which are hard to diagnose.
This option restricts
- the key size of certificates with a type of RSA
- the key size of any CA certificates with a type of RSA, used to sign a certificate (whether the certificate is RSA or not).
For example with MinimumRSAKeySize=2048 you cannot use a certificate or CA generated with openssl genpkey -out $name.key.pem -algorithm RSA -pkeyopt rsa_keygen_bits:1024.
On the client machine in /var/mqm/errors/*01* I got AMQ9633E: Bad SSL certificate for channel ….
On z/OS I got CSQX620E … CSQXRESP System SSL error, channel … connection … function ‘gsk_secure_socket_init’ RC=541. Code 451 means “bad certificate” was received from the remote end.
How do I check?
There is no easy way of displaying the details of all of the certificates in a key store.
You can use the following command to list the labels all of the certificates
runmqakm -cert -list all -db zzclient.kdb -type cms -stashed -v
Then use the following command to display the details of each label in turn (zosca in the example)
runmqakm -cert -details -db zzclient.kdb -type cms -stashed -label zosca
This displays information like the example below for a CA certificate of type RSA and key size 1024.
Label : zosca Key Size : 1024 Version : X509 V3 Serial : 00 Issuer : "CN=z/OSCertification Authority,OU=TEST,O=ADCD" Subject : "CN=z/OSCertification Authority,OU=TEST,O=ADCD" Not Before : 7 July 2020 00:00:00 GMT+01:00 Not After : 7 July 2021 23:59:59 GMT+01:00 Public Key ... Public Key Type : RSA (1.2.840.113522.214.171.124)
or for an Elliptic certificate with key size 256.
Label : ca256 Key Size : 256 Version : X509 V3 Serial : ... Issuer : CN=SSCA256,OU=CA,O=SSS,C=GB Subject : CN=SSCA256,OU=CA,O=SSS,C=GB Not Before : 7 February 2021 11:24:56 GMT Not After : 7 February 2024 11:24:56 GMT Public Key ... Public Key Type : EC_ecPublicKey
You can only check the certificates that are in your key store, not certificates that are sent as part of the handshake.
The listring command displays the contents of the ring (owner and label).
RACDCERT LISTRING(MQRING) ID(START1)
The list command displays the details of a certificate.
RACDCERT certauth LIST(label(‘ADCD-CA’))
displays information like, for the RSA certificate with a small key size,
Label: ADCD-CA Certificate ID: 2QiJmZmDhZmjgcHEw8Rgw8FA Status: TRUST Start Date: 2020/07/06 23:00:00 End Date: 2021/07/07 22:59:59 Serial Number: ... Issuer's Name: >CN=z/OSCertification Authority.OU=TEST.O=ADCD< Subject's Name: >CN=z/OSCertification Authority.OU=TEST.O=ADCD< Signing Algorithm: sha1RSA Key Usage: CERTSIGN Key Type: RSA Key Size: 1024
Certificates signed by this CA would not work if MinimumRSAKeySize=2048 was specified.
One thought on “I’m thinking of using MQ MinimumRSAKeySize. What do I need to plan for?”