EXPLANATION: IBM MQ failed to determine the revocation status of the remote SSL certificate
for one of the following reasons:
(a) The channel was unable to contact any of the CRL servers or OCSP responders for the certificate.
(b) None of the OCSP responders contacted knows the revocation status of the certificate.
(c) An OCSP response was received, but the digital signature of the response could not be verified.
Colin’s comments
- The channel definition did not have a CERTLABEL(…) specified.
- The keystore on the client end did not have the certificate label in it.
- The wrong keystore was used. For example, the environment variable MQSSLKEYR was set to the wrong keystore, or SSLKeyRepository in the SSL stanza was set to the wrong keystore.
See Debugging MQ client connection problems:keystore for some hints on finding the keystore.
See Debugging MQ client connection problems:certlabel for some hints on finding the certificate label name.
We use internal certificates. How would I turn off the OCSP checking for the QM Client side?
I would check to see if the certificates have OCSP defined. If they do not have OCSP, then there will be no OCSP checking.
If they have OCSP defined, then this is harder. I do not know if it can be turned off. It might be easier to reissue the certificate without OCSP parameters defined in it.
Update to mqclient.ini to turn off OCSP solved my issue.
    cat mqclient.ini
    #**********************************************************#
    #* Module name : mqclient.ini                             *#
    #* Type        : IBM MQ client configuration file         *#
    #* Function    : Define the client configuration          *#
    #*                                                        *#
    #**********************************************************#
    SSL:
       OCSPAuthentication=OPTIONAL
       OCSPCheckExtensions=NO
       CDPCheckExtensions=NO
       AllowTLSV13=TRUE
    ClientExitPath:
       ExitsDefaultPath=/var/mqm/exits
       ExitsDefaultPath64=/var/mqm/exits64
Thanks Frank
Thanks for the info on how to solve it!
Colin
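
An added example, not part of the original post or its comments: a small Python audit that parses the mqclient.ini stanza format and reports where the SSL stanza relaxes revocation checking, using the stanzas quoted in the comment above as constructed sample input. The default values and the case-insensitive key matching are assumptions; confirm them against the IBM MQ documentation for your release.

```python
# Added example: report how an mqclient.ini SSL stanza relaxes revocation checks.
# DEFAULTS are assumed values; confirm them for your IBM MQ release.
DEFAULTS = {"OCSPAUTHENTICATION": "REQUIRED", "OCSPCHECKEXTENSIONS": "YES",
            "CDPCHECKEXTENSIONS": "NO"}

# Constructed sample input: the stanzas quoted in the comment above.
SAMPLE = """\
SSL:
   OCSPAuthentication=OPTIONAL
   OCSPCheckExtensions=NO
   CDPCheckExtensions=NO
   AllowTLSV13=TRUE
ClientExitPath:
   ExitsDefaultPath=/var/mqm/exits
"""

def parse_stanzas(text):
    """Return {STANZA: {KEY: value}}; names upper-cased, comment lines skipped."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.endswith(":") and "=" not in line:
            # A stanza header such as "SSL:" starts a new section.
            current = stanzas.setdefault(line[:-1].strip().upper(), {})
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            current[key.strip().upper()] = value.strip()
    return stanzas

def audit_revocation(text):
    """List the ways the SSL stanza weakens revocation checking."""
    ssl = {**DEFAULTS, **parse_stanzas(text).get("SSL", {})}
    auth, ocsp, cdp = (ssl[k].upper() for k in DEFAULTS)
    findings = []
    if auth != "REQUIRED":
        findings.append(f"OCSPAuthentication={auth}: connection continues "
                        "when the OCSP status cannot be determined")
    if ocsp != "YES":
        findings.append("OCSPCheckExtensions=NO: OCSP responders named in "
                        "the certificate are not contacted")
    if ocsp != "YES" and cdp != "YES":
        findings.append("no revocation source named in certificate "
                        "extensions is consulted (OCSP and CDP both off)")
    return findings

if __name__ == "__main__":
    for finding in audit_revocation(SAMPLE):
        print("-", finding)
```

Run over the client configuration files in an estate, this shows which clients would accept a certificate whose revocation status was never checked.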