Emir Gaza (Consulting IT Specialist, Hursley Software Lab Services) and I are currently putting together a list of SSL gotchas based on our personal experiences and, of course, those of our customers. Our list covers many problems and solutions already well documented in the manuals (e.g. Error messages), but what we’re trying to do is compile a single list containing both common problems and those with sometimes cryptic solutions.
We aim to expand this list in future with more items and more detail, but for now, here’s the list we have compiled… Comments most welcome…
1.1 CSQX630E Channel requires SSL
Platform: z/OS
Problem description
This may happen when you start an SSL channel, and there are no SSL tasks running.
Solution
To start SSL tasks use ALTER QMGR( ) SSLTASKS(n) and restart the channel initiator.
1.2 CSQX642E No SSL certificate for channel name
Platform: z/OS
Problem description
You attempt to start an SSL channel with mutual authentication (receiver has SSLCAUTH(REQUIRED)) and you get this error message.
If you change SSLCAUTH to OPTIONAL the channel starts!
This may happen when the SSL certificates do not have the correct Key Usage attributes.
Solution
Key Usage must be:
- Either blank, or
- If not blank, it must include HANDSHAKE
A certificate with this Key Usage will not work:
Key Usage: DATAENCRYPT
This will work:
Key Usage: HANDSHAKE, DATAENCRYPT
1.3 Certificate not signed
Platform: z/OS
Problem description
You sent a certificate for signature by the Certification Authority, but, when you list the certificate, you find that Subject and Issuer are the same. This means that the certificate is not signed.
Solution
The most probable cause is that you did not ADD the certificate to the RACF database.
1.4 CSQX686E SSL private key error
Platform: z/OS
Problem description
If you list the certificate that gives you this error, you will see that it has Private Key = NONE.
Most probably you sent a certificate for signature and then added the signed certificate with the wrong label.
For example, you sent a certificate with label ibmWebSphereMQCSQ2 and added the signed certificate with label ibmWebSphereMQCSQ1. The latter will not have a private key.
Solution
Add the signed certificate with the same label of the original, self-signed certificate sent for signature.
1.5 CSQX632I SSL certificate has no associated user ID
Platform: z/OS
Problem description
MQ cannot find a userid from the certificate. The channel will run under the CHINIT userid (this may be a security exposure).
Solution
There are two solutions:
1.5.1 Install the peer certificates
Extract the peer certificates and install them in the RACF database. The label must match z/OS requirements (that is, ibmWebSphereMQ<qmgr>, not ibmwebspheremq<qmgr>). The certificate must be in the queue manager’s key ring.
1.5.2 Create a RACF MAP
This JCL maps a certificate to a userid:
RACDCERT ID(EMIR) DELMAP (LABEL(’MQMAP’))
RACDCERT ID(EMIR) MAP +
IDNFILTER(’CN=MQCA.O=IBM.C=GB’) WITHLABEL(’MQMAP’) TRUST
SETROPTS RACLIST(DIGTNMAP) REFRESH
RACDCERT ID(EMIR) LISTMAP (LABEL(’MQMAP’))
1.6 Certificate corrupted after FTP to z/OS
Platform: z/OS
Problem description
When transferring certificates to z/OS from distributed platforms, the certificates are corrupted.
Solution
The files must be received on z/OS with RECFM=VB.
Use the FTP command quote site recfm=vb
1.7 No need to restart the CHINIT
Platform: z/OS
Tip
If you change a certificate or key repository on MQ for z/OS V6, you can use REFRESH SECURITY TYPE(SSL) to pick up the updates.
This saves restarting the CHINIT.
Note this will not work if there are no SSL tasks already running. No SSL channels will run until at least 2 SSL tasks are started. To change the number of SSL tasks, you have to restart the CHINIT.
1.8 Key repository not found
Platform: Clients
Problem description
You write a client application and use the MQSCO.KeyRepository field to specify the key repository. The program fails because it cannot find the key repository.
Solution
The most probable cause, if the file name is correct, is that the file extension (for example, .kdb) has been specified. It must not be specified
1.9 Wrong type of key repository
Platform: Clients
Problem description
Your MQ Java or JMS application cannot access the key repository.
Solution
For Java client programs (either MQ classes or JMS), you must use a key repository of type JKS. Non-java components must use key repositories of type CMS. There are tools (available on the web) to convert between the two, but the process is not trivial.
1.10 CSQX631E/AMQ9631 CipherSpecs do not match
Platform: All
Problem description
You attempted to start a channel or client application connection. The start failed and found the CSQX631E (z/OS) or AMQ9631 (other platforms) in the error logs. This is caused because the CipherSpecs on each end of a channel do not match.
Solution
Alter the channel definitions and/or client application so that each end of the channel specifies the same CipherSpec. See here for more information: http://publib.boulder.ibm.com/infocenter/wmqv6/v6r0/index.jsp?topic=/com.ibm.mq.csqzaj.doc/sc12320_.htm
1.11 Corrupted certificates
Platform: All
Problem description
You attempt to import, add or use a certificate, which has been transmitted (e.g. via FTP) or copied using a text editor, and encounter errors.
Solution
The following types of certificate must be FTPed in ASCII:
- PEM (privacy-enhanced mail)
- Base64 encoded X.509
The following types of certificate must be FTPed in binary:
- DER encoded binary X.509
- PKCS #7 (CA certificates)
- PKCS #12 (personal certificates)
Also, you should only processed in text editors that do not strip trailing blanks or perform other character changes (i.e. use NOTEPAD, not Wordpad).
1.12 Expired certificates
Platform: All
Problem description
You encounter errors when using certificates as they have expired. You can view the expiry of a certificate using RACDCERT commands (z/OS) or GSKit (other platforms).
Solution
You should have processes in place that replace/renew certificates before they expire.
1.13 Duplicate certificate serial numbers
Platform: All
Problem description
You encounter errors when processing certificates that have been signed using GSkit because more than one certificate has the same serial number.
This can occur, for instance, if you generate more than one certificate request using RACF (z/OS) and then sign them using GSKit (i.e. using the gsk7cmd command on Windows or Unix). By default GSKit can give multiple certificates the same serial number, meaning that only one of the signed certificates will be accepted by RACF - which validly treats all the signed certificates with the same serial number as the same certificate.
Solution
GSKit was never intended as a PKI substitute so you should manage serial numbers manually for the certificates you sign or alternatively sign your certificates using another SSL signing system (e.g. OpenSSL or RACF).
To manually set serial numbers use the ‘–sernum’ runmqckm option, as follows :
runmqckm -cert -sign -file <certreq file> -db <db file> -pw <password> -label <label> -target <cert file> -format ASCII -expire <expire days> -sernum <serial number>
Having to manually set serial numbers implies that you need a serial number authority (most likely the certificate authority itself) which uses a number naming convention.
1.14 GSKit GUI and command line differences
Platform: Windows + Unix
Problem description
You have problems administering certificates using the command line (gsk7cmd), when the GUI (gsk7ikm) works fine.
Solution
Be aware that different options are available in the GSKIT GUI and command line. For instance, both the distinguished name attribute ‘PC’ can be specified and expired key database passwords changed in the GUI, but neither of these features are available using the command line.
1.15 Add or receive?
Platform: Windows and Unix
Problem description
You are not sure whether to use ‘add’ or ‘receive’ when trying to import a certificate to a key database.
Solution
Use ‘receive’ for queue manager certificates and ‘add’ for CA certificates.
1.16 AMQ9660 or AMQ9657
Platform: Unix
Problem description
You see channel errors when starting channels, as they attempt to access a key database.
Solution
Ensure that the key database file permissions are set so that the MQ channel process can read from it. Note: There are other solutions to these error messages (see the error message documentation).
1.17 Problems using makecert
Platform: Windows
Problem description
You see unexpected errors returned from makecert commands.
Solution
There have been problems with some versions of makecert. Use V5.131.3617.0 or the latest version recommended by IBM service.
1.18 gsk6cmd, gsk7cmd or runmqckm?
Platform: Windows + Unix
Problem description
You are not sure which command line tool to use.
Solution
Although gsk6cmd, gsk7cmd and runmqckm are very similar, there are slight differences between them in terms of parameters and behaviour. Use the documented command relevant to the release of WebSphere MQ you are using, unless instructed differently by IBM service.
1.19 Problems migrating from V5.3 to V6.0 on Windows
Platform: Windows
Problem description
You encounter problems with SSL certificates and channels after migrating from WebSphere MQ V5.3 for Windows to WebSphere MQ V6.0 for Windows.
Solution
The SSL implementation differs between these two releases so migration of key repositories is required. Read the V6 SSL migration documentation (http://publib.boulder.ibm.com/infocenter/wmqv6/v6r0/topic/com.ibm.mq.csqzao.doc/wmqm1000.htm) as early as possible because steps can be taken when implementing V5.3 SSL that will make a later migration to V6.0 easier.
1.20 Password not stashed
Platform: Windows + Unix
Problem description
You use the GSKit GUI (gsk7ikm) and subsequently encounter problems using the key database, possibly seeing errors related to passwords or stash files.
Solution
Ensure that you close the GUI using the close menu (i.e. ‘Key Database File -> Close’) the password isn’t stashed. To fix the problem start the GUI, select ‘Key Database File -> Open’, open the key database, select ‘Key Database File -> Stash Password’ and then close the GUI using ‘Key Database File -> Close’.
22 comments
Comments feed for this article
July 4, 2007 at 1:38 am
Neil Casey
I am confused by 1.15
gsk7cmd says
bash>gsk7cmd -cert -help
-help is not a valid certificate action.
Object Action Description
—- —— ———————————————————
-cert -add Add a CA Certificate
-create Create a self-signed certificate
-delete Delete a certificate
-details Show the details of a specific certificate
-export Export a personal certificate and associated private key
into a PKCS12 file or a key database
-extract Extract a certificate from a key database
-getdefault Show the default personal certificate
-import Import a certificate from a key database or a PKCS12 file
-list List certificates in a key database
-modify Modify a certificate (NOTE: the only field that my be
modified is the trust field)
-receive Receive a certificate
-setdefault Set the default personal certificate
-sign Sign a certificate
So -add should be to add a CA certificate so that the signer is trusted, and -receive is used to receive a certificate signed by a CA. As I recall, the GUI controls this by forcing you to be on the right tab before the add or receive buttons are available.
Regards, Neil C.
August 22, 2007 at 2:45 pm
Steve Bate
Re: 1.2
- do you know is this is also the same on iSeries? I am getting same symptoms there
- how do I find/display the key usage attributes for a cert?
Many thanks,
Steve
August 28, 2007 at 2:32 pm
Brian Crabtree
Yeah 1.15 is wrong
August 29, 2007 at 9:52 am
Gary Wang
Dear Sir,
For the “CSQX686E SSL private key error”,
I also get the same problem as the situation you described in ” Re: MQ SSL and CA-Top Secret”
http://www.mail-archive.com/mqseries@listserv.meduniwien.ac.at/msg09343.html
I try to set up MQ channels with SSL mechanism between MQ servers on Windows 2003 srever and on z/OS. All my SSL settings, i.e. Certificate, KeyRing, the access right of channel initiator for IRR.**…etc, are looking good.
I confirm my QM personal certificate including private key,
—————————————————
,Digital certificate information for user MQADM3E:,
, ,
, Label: ibmWebSphereMQQ3E,
, Certificate ID: 2QfU2MHE1PPFiYKU5oWC4peIhZmF1NjY88VA,
, Status: TRUST,
, Start Date: 2007/08/22 00:00:00,
, End Date: 2008/08/22 23:59:59,
, Serial Number:,
, >00CN=Gary Wang.T=Software Engineer.OU=WBIFN.O=IBM.L=Taipei.C=TWCN=Gary Wang.T=Software Engineer.OU=WBIFN.O=IBM.L=Taipei.C=TWQ3ERING<,
—————————————————————-
But, when I start the sender channel for SSL negotiation, it always causes the CSQX686E error,
—————
CSQX686E <Q3E CSQXRCTL SSL private key error for channel Q3E.QM1
CSQ9023E <Q3E CSQXCRPS ‘ START CHANNEL’ ABNORMAL COMPLETION
—————
Can you give any advice about this problem? anyway, Thanks!
August 29, 2007 at 9:54 am
Gary Wang
Sorry sir,
I re-post my personal cetificate about my MQ server.
————
,Digital certificate information for user MQADM3E:,
, ,
, Label: ibmWebSphereMQQ3E,
, Certificate ID: 2QfU2MHE1PPFiYKU5oWC4peIhZmF1NjY88VA,
, Status: TRUST,
, Start Date: 2007/08/22 00:00:00,
, End Date: 2008/08/22 23:59:59,
, Serial Number:,
, >00CN=Gary Wang.T=Software Engineer.OU=WBIFN.O=IBM.L=Taipei.C=TWCN=Gary Wang.T=Software Engineer.OU=WBIFN.O=IBM.L=Taipei.C=TWQ3ERING<,
———————————–
Sorry and Thanks again!
Gary
August 29, 2007 at 9:55 am
Gary Wang
Sorry, some information about my private key in my cerficate lists below,
, Private Key Type: Non-ICSF,
, Private Key Size: 1024,
, Ring Associations:,
, Ring Owner: MQADM3E,
, Ring:,
, Q3ERING
September 3, 2007 at 11:30 am
ivanstone
Neil/Brian,
I’ve fixed 1.15.
(Apologies for taking so long to fix this one!)
September 7, 2007 at 8:31 am
Ian Vanstone
Steve,
Sorry, I am not familiar with iSeries/DCM. Does anyone else out there use iSeries and know how to find/display the key usage attributes for a cert?
Ian
September 7, 2007 at 8:45 am
Ian Vanstone
Gary,
I can’t explain why the private key is not being found on ibmWebSphereMQQ3E. Please raise a PMR.
Ian
October 15, 2007 at 12:57 pm
John Manning
Hello MQ gurus,
I am setting up an SSL channel between my qm (platform: Solaris, version 5.3) and a java client and am not sure what the signer certificate label should be while importing the client certificate into my key.kdb. I know that when setting up mq server to mq server connections, the label has to be ibmwbesphere but what label should I use for the client or doesn’t it matter?
Thanks,
John
October 15, 2007 at 7:26 pm
Dale Lane
For clients, the certificate label name should be “ibmwebspheremq”, with the name of the user who will run the client (converted to lower-case) appended.
October 16, 2007 at 5:30 am
John Manning
Dale,
That sounds good, but what if I have a value in the MCAUSER field, do I use that value or that of the actual user?
Thanks again, John
October 17, 2007 at 9:02 am
John Manning
Hello Dale,
I have imported the client cert. (label: “ibmwebspheremqfe03″
and have my channel SSL related items defined as follows:
SSLCIPH(NULL_MD5)
SSLCAUTH(REQUIRED)
MCAUSER(fe03) and I tried it with MCAUSER()
and am receiving the following error:
Any suggestions ? (maybe trace possibilities to see what is coming from the client…
10/17/07 10:55:00
AMQ9633: Bad SSL certificate for channel ‘????’.
EXPLANATION:
A certificate encountered during SSL handshaking is regarded as bad for one of
the following reasons:
(a) it was formatted incorrectly and could not be validated, or
(b) it was formatted correctly but failed validation against the Certification
Authority (CA) root and other certificates held on the local system, or
(c) it was found in a Certification Revocation List (CRL) on an LDAP server.
The channel is ‘????’; in some cases its name cannot be determined and so is
shown as ‘????’. The channel did not start.
ACTION:
Check which of the three possible causes applies on your system. Correct the
error, and restart the channel.
Thanks,
John
October 18, 2007 at 7:55 am
Anonymous
Hello Dale,
on the server and ‘SSL_RSA_WITH_NULL_MD5′ on the client
I have gotten a bit farther, but we still cannot complete the SSL connection. We have now attempted the following:
- Only certificate from the trusted CA and the private keys are in the respective client and server keystore/key.kdb
- The SSLCIPH(’NULL_MD5′
- When SSLCAUTH is set to OPTIONAL everything works, but when I set the server to REQUIRED then the channel doesn’t come up. In this case the server prints an error AMQ9637: Channel is lacking a cert.
Looking in the client trace I see the following (This is only a portion of the trace):
….
Client write key:
Server write key:
… no IV for cipher
main, WRITE: SSLv3 Change Cipher Spec, length = 1
*** Finished
verify_data: { 26, 164, 79, 80, 90, 89, 248, 61, 189, 198, 16, 5, 23, 147, 239, 230, 51, 157, 190, 97, 148, 4, 93, 71, 226, 200, 68, 3, 120, 12, 156, 41, 50, 41, 17, 160 }
***
main, WRITE: SSLv3 Handshake, length = 56
main, READ: SSLv3 Change Cipher Spec, length = 1
main, READ: SSLv3 Handshake, length = 56
*** Finished
verify_data: { 88, 156, 92, 65, 150, 135, 132, 120, 186, 44, 72, 91, 165, 156, 203, 157, 30, 82, 52, 111, 48, 39, 151, 25, 119, 45, 77, 200, 254, 193, 244, 136, 36, 135, 17, 189 }
***
%% Cached client session: [Session-1, SSL_RSA_WITH_NULL_MD5]
main, setSoTimeout(120000) called
main, WRITE: SSLv3 Application Data, length = 146
javax.jms.JMSException: MQJMS2005: Fehler beim Erstellen von MQQueueManager für ‘172.30.1.11:gcideva.queue.manager’
…
main, WRITE: SSLv3 Application Data, length = 44
main, called close()
main, called closeInternal(true)
main, SEND SSLv3 ALERT: warning, description = close_notify
main, WRITE: SSLv3 Alert, length = 18
end trace
We get the same error when we add the server public cert to the client and the client public cert to the server.
The problem appears to be at the client side, but what?
Thanks,
John
October 18, 2007 at 8:19 am
John Manning
Hello Dale,
We have progressed a bit, but are still having connection problems.
We have now deleted all public certs (except for the trusted CA) from both client and server and now receive the following error on the server:
10/18/07 09:08:45
AMQ9637: Channel is lacking a certificate.
and a portion of the client trace looks as follows:
…
*** ClientHello, TLSv1
…
*** ServerHello, SSLv3
…
%% Created: [Session-1, SSL_RSA_WITH_NULL_MD5]
** SSL_RSA_WITH_NULL_MD5
*** Certificate chain
Found trusted certificate
…
*** CertificateRequest
… (All the certs are displayed include the trusted CA cert)
*** ServerHelloDone
main, SEND SSLv3 ALERT: warning, description = no_certificate
main, WRITE: SSLv3 Alert, length = 2
*** ClientKeyExchange, RSA PreMasterSecret, SSLv3
…
… no IV for cipher
main, WRITE: SSLv3 Change Cipher Spec, length = 1
*** Finished
***
main, WRITE: SSLv3 Handshake, length = 56
main, READ: SSLv3 Change Cipher Spec, length = 1
main, READ: SSLv3 Handshake, length = 56
*** Finished
verify_data:…
***
%% Cached client session: [Session-1, SSL_RSA_WITH_NULL_MD5]
main, setSoTimeout(120000) called
main, WRITE: SSLv3 Application Data, length = 146
javax.jms.JMSException: MQJMS2005:…
end trace
Everything works fine when the server sets the SSLCAUTH to OPTIONAL, but when REQUIRED is set, then this error occurs.
In addition, we have added the public certs to the respective systems and get the same error.
Thanks,
John
October 23, 2007 at 3:20 am
Josh
1.14: expired key database passwords changed in the GUI, but neither of these features are available using the command line.
The version of gsk6cmd that comes with WMQ 5.3 CSD12 (6.0.3.45 I think) can change expired key database passwords. Does this still work in gsk7cmd?
October 24, 2007 at 9:56 am
Ian Vanstone
John,
“AMQ9637: Channel is lacking a certificate.” means that the client is not sending a certificate.
When you set SSLCAUTH to OPTIONAL and the client sends a certificate, the SVRCONN attempts to authenticate the client certificate.
When you set SSLCAUTH to OPTIONAL and the client does not send a certificate, the SVRCONN does not attempt to authenticate the client certificate and continues starting the channel.
When you set SSLCAUTH to REQUIRED, the SVRCONN attempts to authenticate the client certificate.
So setting the SVRCONN SSLCAUTH to OPTIONAL means that the SVRCONN can start even though the client is not sending a certificate.
You should check that a client certificate exists labelled ‘ibmwebspheremq’ followed by your logon user ID folded to lower case, for example ibmwebspheremqmyuserid. If that exists, can the client even reach the key database?
Cheers,
Ian
October 30, 2007 at 1:49 pm
John Manning
Hello Ian and thanks for your input.
I had a look into the client keystore and noticed that the personal certificate was not available. –As it turns out, the cert. request was never terminated properly. I proceeded to terminate the cert. request and now everything is working properly.
Cheers,
John
February 18, 2008 at 1:56 pm
John Manning
Hello,
ALL )? –The client cert. has been issued by a trusted CA and has been imported…
Why is the SSLPEER field empty when a channel is running (dis chs(…
The QM is setup SSLCAUTH (REQUIRED) and if I do define SSLPEER(’CN=abcd’
in the channel, the dis chs(….) ALL returns the SSLPEER string I defined –I expected the QM to deny the connection if the CN doesn’t match.
Thanks, John
February 18, 2008 at 3:05 pm
Anonymous
Regardless of SSLPEER set on the channel definition, SSLPEER on channel status should be the Distinguished Name (DN) of the peer queue manager or client at the other end of the channel (i.e. the DN value from the certificate, not the SSLPEER channel attribute). If SSLPEER on the channel definition does not match the DN, the channel should not start (See here for matching rules: http://publib.boulder.ibm.com/infocenter/wmqv6/v6r0/topic/com.ibm.mq.csqzas.doc/sy12940_.htm). If SSL is enabled (and SSLCAUTH=REQUIRED) on the channel, the SSLPEER on channel status should not be blank. Have you restarted the channel since enabling SSL?
February 18, 2008 at 3:07 pm
ivanstone
Regardless of SSLPEER set on the channel definition, SSLPEER on channel status should be the Distinguished Name (DN) of the peer queue manager or client at the other end of the channel (i.e. the DN value from the certificate, not the SSLPEER channel attribute). If SSLPEER on the channel definition does not match the DN, the channel should not start (See here for matching rules: http://publib.boulder.ibm.com/infocenter/wmqv6/v6r0/topic/com.ibm.mq.csqzas.doc/sy12940_.htm). If SSL is enabled (and SSLCAUTH=REQUIRED) on the channel, the SSLPEER on channel status should not be blank. Have you restarted the channel since enabling SSL?
February 18, 2008 at 3:22 pm
John Manning
Yes I have refreshed the security (refresh security (*)) and the channel is only running when the client is active; therefore it has also been restarted… Just to answer the next possible question… I am running MQ ver. 6.0.2.3 and the client is connecting with a java implementation.