Colin’s comments at the bottom.
AMQ9633E: Bad SSL certificate for channel ‘QMAQCLIENTTLS’.
Process(7877.1) User(colinpaice) Program(amqsgetc) Host(colinpaice) Installation(Installation1) VRMF(9.2.1.0) Time(2021-02-08T14:31:18.169Z) RemoteHost(127.0.0.1) ArithInsert1(414) ArithInsert2(575010) CommentInsert1(QMAQCLIENTTLS) CommentInsert2( [Class=]GSKVALMethod::X509 [Issuer=]CN=SS,O=SSS,C=GB [#=]73cb2... [Subject=]CN=SS,O=SSS,C=GB [Class=]GSKVALMethod::PKIX [Issuer=]CN=SS,O=SSS,C=GB[#=]73cb2... [Subject=]CN=SS,O=SSS,C=GB) CommentInsert3(localhost (127.0.0.1)(1414))
EXPLANATION:
A certificate encountered during SSL handshaking is regarded as bad for one of
the following reasons:
(a) it was formatted incorrectly and could not be validated
(b) it was formatted correctly but failed validation against the Certification
Authority (CA) root and other certificates held on the local system
(c) it was found in a Certification Revocation List (CRL) on an LDAP server
(d) a CRL was specified but the CRL could not be found on the LDAP server
(e) an OCSP responder has indicated that it is revoked
The channel is ‘QMAQCLIENTTLS’; in some cases its name cannot be determined and so is shown as ‘????’. The remote host is ‘localhost (127.0.0.1)(1414)’. The channel did not start.
The details of the certificate which could not be validated are
‘[Class=]GSKVALMethod::X509[Issuer=]CN=SS,O=SSS,C=GB[#=]73cb2b49d0e56bbeaa95ec8ea01fccc549a97ba8[Subject=]CN=SS,O=SSS,C=GB[Class=]GSKVALMethod::PKIX[Issuer=]CN=SS,O=SSS,C=GB[#=]73cb2b49d0e56bbeaa95ec8ea01fccc549a97ba8[Subject=]CN=SS,O=SSS,C=GB’.
The certificate validation error was 575010.
ACTION:
Check which of the possible causes applies on your system. Correct the error, and restart the channel.
This error might indicate that the remote end of the channel is configured to send the wrong certificate. Check the certificate label configuration at the remote end of the channel and ensure that the local key repository contains all of the necessary CA certificates.
Colin’s comments
The certificate sent from the server to the client could not be authenticated.
In this case the certificate is self-signed, as the Issuer [Issuer=]CN=SS,O=SSS,C=GB is the same as the Subject [Subject=]CN=SS,O=SSS,C=GB.
The issuer’s certificate needs to be in the client’s keystore. If the certificate is self-signed, the certificate itself needs to be in the keystore. If the certificate is signed by a CA, then a certificate in its certificate chain needs to be in the keystore.
If the AMQ9633 message has
The details of the certificate which could not be validated are
‘[Class=]GSKVALMethod::X509
[Issuer=]CN=…,OU=…,O=…
[Subject=]CN=CSQ9…OU=…,O=…
[Class=]GSKVALMethod::PKIX
The certificate validation error was 575010
then it cannot find the Issuer’s certificate.
Use the runmqakm -cert -list all -db ….kdb -type cms -stashed -v command for the client keystore. The -v flag lists the DN of the subject and the Issuer. For example my server’s keystore gives
Certificates found
* default, - personal, ! trusted, # secret key
(label, subject DN, issuer DN)
! ca256        CN=SSCA256,OU=CA,O=SSS,C=GB   CN=SSCA256,OU=CA,O=SSS,C=GB
- ECEC_SERVER  CN=ecec,O=cpwebuser,C=GB      CN=SSCA256,OU=CA,O=SSS,C=GB
- SS_SERVER    CN=SS,O=SSS,C=GB              CN=SS,O=SSS,C=GB
- RSA_SERVER   CN=rsaca256,O=cpwebuser,C=GB  CN=SSCA256,OU=CA,O=SSS,C=GB
The certificate needs to be added to the client keystore, for example
runmqakm -cert -add -file ~/ssl/ssl2/ss.pem -type cms -stashed -db zzclient.kdb -label ss
After adding it to the client’s keystore a list of the client keystore gives
Certificates found
* default, - personal, ! trusted, # secret key
(label, subject DN, issuer DN)
! ca256            CN=SSCA256,OU=CA,O=SSS,C=GB   CN=SSCA256,OU=CA,O=SSS,C=GB
! ss               CN=SS,O=SSS,C=GB              CN=SS,O=SSS,C=GB
- rsaca256_client  CN=rsaca256,O=cpwebuser,C=GB  CN=SSCA256,OU=CA,O=SSS,C=GB
With the self-signed certificate in the client keystore the request works.
If the AMQ9633 message has
CommentInsert1(ECRSA1024)
CommentInsert2(????)
CommentInsert3(127.0.0.1)
Where the cipher spec has ????, it means the request did not even reach MQ. Check the RSA key size below.
RSA key size not supported on a certificate
In MQ 9.2 there is the mqclient.ini and qm.ini option
SSL:
MinimumRSAKeySize=4096
For a certificate sent to this machine, if the RSA key size is smaller than this value you get the error. You cannot tell the key size from the message, only from the keystore.
Use the command
runmqakm -cert -details -type cms -stashed -db …..kdb -label …
to display the key type and key size.
- Change the mqclient.ini to remove the MinimumRSAKeySize value, until the problem is resolved, then reinstate it.
- Change the certificate to use a stronger key size, or use Elliptic.
RSA key size not supported on a CA certificate
A certificate sent to this client/server has been signed by a CA with an RSA key. If the CA’s key size is too small, you get the AMQ9633 error. You cannot tell the key size from the message, only from the keystore.
At the sending end,
- use runmqakm -cert -details -type cms -stashed -db …..kdb -label … to display the certificate and its Issuer.
- use runmqakm -cert -list -type cms -stashed -db …..kdb -label … to display the list of certificates in the keystore. Find the label for the Issuer DN.
- use runmqakm -cert -details -type cms -stashed -db …..kdb -label … to display the CA certificate.
Then either
- Change the CA to have a larger key size, or change it to Elliptic Curve, then re-issue any certificates the CA has signed, and reissue the CA certificate to all systems and update their key stores.
- Change the mqclient.ini to remove the MinimumRSAKeySize value until the problem is resolved, then reinstate it.
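The two checks this page walks through, whether the server’s certificate can be chained to something in the client keystore (the self-signed case above), and whether its RSA key meets MinimumRSAKeySize, can be reproduced in a few lines with the Go standard library. The program below is an added example, not MQ’s or Colin’s code: it constructs a self-signed certificate in memory with a name like CN=SS,O=SSS,C=GB (a constructed value), tests Issuer against Subject, compares the RSA modulus size with an assumed MinimumRSAKeySize constant of 4096, and shows validation failing against an empty trust store and succeeding once the same self-signed certificate is added, which is what runmqakm -cert -add does for the client .kdb. It does not read runmqakm keystores.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// MinimumRSAKeySize is an assumed stand-in for the SSL stanza value in mqclient.ini.
const MinimumRSAKeySize = 4096

// makeSelfSignedCert builds a constructed self-signed certificate in memory.
// cn becomes both the Subject and the Issuer CN, like CN=SS,O=SSS,C=GB above.
// With useEC the key is P-256 (the "use Elliptic" option); otherwise RSA of rsaBits.
func makeSelfSignedCert(cn string, rsaBits int, useEC bool) (*x509.Certificate, error) {
	var key crypto.Signer
	var err error
	if useEC {
		key, err = ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	} else {
		key, err = rsa.GenerateKey(rand.Reader, rsaBits)
	}
	if err != nil {
		return nil, err
	}
	name := pkix.Name{CommonName: cn, Organization: []string{"SSS"}, Country: []string{"GB"}}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               name, // Issuer is copied from the parent, which is tmpl itself
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, key.Public(), key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// IsSelfSigned applies the test used above on the [Issuer=]/[Subject=] inserts:
// identical Issuer and Subject DNs mean the certificate is self-signed.
func IsSelfSigned(c *x509.Certificate) bool {
	return c.Issuer.String() == c.Subject.String()
}

// RSAKeySize returns the RSA modulus size in bits, or 0 for a non-RSA key
// (for example Elliptic Curve, to which MinimumRSAKeySize does not apply).
func RSAKeySize(c *x509.Certificate) int {
	if pub, ok := c.PublicKey.(*rsa.PublicKey); ok {
		return pub.N.BitLen()
	}
	return 0
}

// CheckRSAKeySize mirrors the MinimumRSAKeySize rule: an RSA key smaller than
// minBits is rejected; non-RSA keys pass.
func CheckRSAKeySize(c *x509.Certificate, minBits int) error {
	if size := RSAKeySize(c); size != 0 && size < minBits {
		return fmt.Errorf("RSA key size %d is below MinimumRSAKeySize=%d", size, minBits)
	}
	return nil
}

// ValidateAgainstStore does what the client does during the handshake: it tries to
// chain the server certificate to an entry in trusted, which plays the role of the
// client keystore. An empty store gives the "bad certificate" failure; adding the
// self-signed certificate itself makes the chain complete.
func ValidateAgainstStore(server *x509.Certificate, trusted []*x509.Certificate) error {
	pool := x509.NewCertPool() // always a real pool, so system roots are never consulted
	for _, t := range trusted {
		pool.AddCert(t)
	}
	_, err := server.Verify(x509.VerifyOptions{Roots: pool})
	return err
}

func main() {
	server, err := makeSelfSignedCert("SS", 2048, false)
	if err != nil {
		panic(err)
	}
	fmt.Println("self-signed:", IsSelfSigned(server), "RSA bits:", RSAKeySize(server))
	fmt.Println("key size check:", CheckRSAKeySize(server, MinimumRSAKeySize))
	fmt.Println("empty keystore:", ValidateAgainstStore(server, nil))
	fmt.Println("after adding ss:", ValidateAgainstStore(server, []*x509.Certificate{server}))
}
```

The empty-store failure is the software equivalent of the first runmqakm listing above, where the client keystore held no entry for CN=SS,O=SSS,C=GB; the second call corresponds to the listing taken after the ss label was added. The key size check is separate from chain building, which matches the page’s point that a certificate can chain correctly and still be rejected by MinimumRSAKeySize.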