IBM MQ.Net CertificateLabel, CipherSpec

Published 2019-01-29 02:33

Question:

I am trying to connect to a remote IBM MQ server (v.8.0) and am receiving the error below. I'm using .Net 4.5.2 on Windows 10. I have modified the SimplePut.exe program that ships with the client install. I think I may be missing something to do with the client certificate I was issued and have installed following their instructions. Possibly the CertificateLabel setting? I am very new to IBM MQ so any help is much appreciated.

-h <host> -p 1434 -s TLS_RSA_WITH_AES_256_CBC_SHA256 -q INS -l connection -k *SYSTEM

The error shown at the queue manager when I run the program is as follows:

Cause . . . . . :
There is a mismatch between the CipherSpecs on the local  and remote ends of
channel ''. The channel will not run until this mismatch is resolved.
The local CipherSpec is 'TLS_RSA_WITH_AES_256_CBC_SHA256' and the remote
CipherSpec is 'TLS_RSA_WITH_AES_128_CBC_SHA256'.
Recovery  . . . :
Change the channel definition for '' so that both ends have matching
CipherSpecs and restart the channel.

Answer 1:

MQ v8.0 Knowledge Center page "Configuring SSL for managed IBM MQ .NET" states the following:

c. If needed, edit the Windows Group Policy to set the CipherSpec, then, for the Windows Group Policy updates to take effect, restart the computer.

and

a. Set the MQEnvironment or the SSLCipherSpec value to denote the connection as a secured connection. The value that you specify is used to identify the SSL protocol being used (SSL or TLS) and must match with any preference that you have specified in the Windows Group Policy.

MQ v8.0 Knowledge Center page "CipherSpec support for the managed .NET client" goes into some more detail:

For the IBM MQ.NET managed client, the SSL settings are for the Microsoft.NET SSLStream class. For SSLStream, a CipherSpec, or a preference list of CipherSpecs, can be set only in the Windows group policy, which is a computer-wide setting. SSLStream then uses the specified CipherSpec or preference list during the handshake with the server. In case of other IBM MQ clients, the CipherSpec property can be set in the application on the IBM MQ channel definition and the same setting is used for SSL negotiation. As a result of this restriction, the SSL/TLS handshake might negotiate any supported CipherSpec regardless of what is specified in the IBM MQ channel configuration. Therefore, it is likely that this will result in error AMQ9631 on the queue manager. To avoid this error, set the same CipherSpec as the one that you have set in the application as the SSL configuration in the Windows group policy.


Windows group policy

When a CipherSpec is set on the Windows group policy, the same CipherSpec must be set for the SSLCipherSpec property value on the SVRCONN channel and in the application. If the Windows group policy is set to the default, that is the group policy is not enabled/edited for CipherSpec setting, applications must set the same default value of the CipherSpec from the Windows group policy SSL configuration in the MQEnvironment class or in the MQQueueManager constructor hashtable properties.


UPDATE on specifying cert label with Managed .NET

MQ v8.0 Knowledge Center page "Using certificates for the managed .NET client" goes into detail of the two options to allow MQ to find the cert:

Matching certificates by certificate label

If you set the certificate label, the IBM MQ managed .NET client searches the Windows certificate store with the given label name to identify the client certificate. It loads all matching certificates and uses the first certificate on the list. There are two options for setting the certificate label:

  • The certificate label can be set on the MQEnvironment class by assigning MQEnvironment.CertificateLabel.
  • The certificate label can also be set in the hashtable of properties supplied as an input parameter to the MQQueueManager constructor, as shown in the following example.
    Hashtable properties = new Hashtable();
    properties.Add("CertificateLabel", "mycert");
    The name ("CertificateLabel") and the value are case sensitive.

Matching certificates by string

If certificate label is not set, then the certificate that matches the string "ibmwebspheremq" and the current logged on user (in lower case) is searched for and used.
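The two points above (the CipherSpec must agree on the SVRCONN channel, in the application and in the Windows group policy, and the client certificate is located by label or by the "ibmwebspheremq" + user-name fallback) can be put together in one managed .NET connection routine. The following is an added example, not code from the question, the answer or the IBM samples: the host, port, channel and queue manager names are placeholders, the IBM.WMQ constant names (MQC.HOST_NAME_PROPERTY, MQC.SSL_CIPHER_SPEC_PROPERTY, MQC.SSL_CERT_STORE_PROPERTY and so on) are the ones in the amqmdnet.dll client as I know them and should be checked against the installed version, and the pre-flight certificate lookup assumes the managed client matches the label against the certificate's FriendlyName in the Windows store, which is an assumption rather than something the Knowledge Center text above states.

```csharp
using System;
using System.Collections;
using System.Security.Cryptography.X509Certificates;
using IBM.WMQ;   // amqmdnet.dll from the IBM MQ client install

class ManagedTlsConnect
{
    // Placeholder connection details (assumed, replace with your own).
    const string Host = "mqhost.example.invalid";
    const int Port = 1434;
    const string Channel = "APP.SVRCONN";
    const string QueueManagerName = "QM1";

    // Must be identical on the SVRCONN channel (SSLCIPH), here, and in the
    // Windows group policy cipher suite order; otherwise the queue manager
    // reports AMQ9631 as in the question.
    const string CipherSpec = "TLS_RSA_WITH_AES_256_CBC_SHA256";

    // "*SYSTEM" = LocalMachine\My, "*USER" = CurrentUser\My (the -k argument).
    const string KeyRepository = "*SYSTEM";
    const string CertificateLabel = "mycert";   // case sensitive

    // Pre-flight check: list certificates the client could select for this
    // label. Assumption: label is compared with the store entry's FriendlyName.
    static X509Certificate2Collection FindClientCerts(string keyRepository, string label)
    {
        StoreLocation location = keyRepository == "*SYSTEM"
            ? StoreLocation.LocalMachine
            : StoreLocation.CurrentUser;

        var store = new X509Store(StoreName.My, location);
        store.Open(OpenFlags.ReadOnly);
        try
        {
            var hits = new X509Certificate2Collection();
            foreach (X509Certificate2 cert in store.Certificates)
            {
                // Only a certificate with a usable private key can authenticate the client.
                if (string.Equals(cert.FriendlyName, label, StringComparison.Ordinal) && cert.HasPrivateKey)
                    hits.Add(cert);
            }
            return hits;
        }
        finally
        {
            store.Close();
        }
    }

    static void Main()
    {
        // Same fallback the Knowledge Center describes when no label is set:
        // "ibmwebspheremq" followed by the logged-on user name in lower case.
        string label = string.IsNullOrEmpty(CertificateLabel)
            ? "ibmwebspheremq" + Environment.UserName.ToLowerInvariant()
            : CertificateLabel;

        X509Certificate2Collection candidates = FindClientCerts(KeyRepository, label);
        Console.WriteLine("{0} certificate(s) with label '{1}' in {2}", candidates.Count, label, KeyRepository);
        if (candidates.Count == 0)
        {
            Console.WriteLine("No client certificate found; fix the label or the store before connecting.");
            return;
        }

        var properties = new Hashtable
        {
            { MQC.TRANSPORT_PROPERTY, MQC.TRANSPORT_MQSERIES_MANAGED },
            { MQC.HOST_NAME_PROPERTY, Host },
            { MQC.PORT_PROPERTY, Port },
            { MQC.CHANNEL_PROPERTY, Channel },
            { MQC.SSL_CERT_STORE_PROPERTY, KeyRepository },
            { MQC.SSL_CIPHER_SPEC_PROPERTY, CipherSpec },
            { "CertificateLabel", label }     // name and value are case sensitive
        };

        try
        {
            MQQueueManager qmgr = new MQQueueManager(QueueManagerName, properties);
            Console.WriteLine("Connected to {0} over {1}", qmgr.Name, CipherSpec);
            qmgr.Disconnect();
        }
        catch (MQException e)
        {
            // A CipherSpec mismatch surfaces here as an SSL/TLS reason code while
            // the queue manager logs AMQ9631 with both CipherSpecs.
            Console.WriteLine("MQ connect failed: reason {0} - {1}", e.ReasonCode, e.Message);
        }
    }
}
```

Because the managed client hands the handshake to SslStream, the value in SSLCipherSpec does not by itself restrict what the client offers; it is the Windows cipher suite order (group policy) that decides, so when the queue manager logs a mismatch like the one in the question, compare that machine-wide setting with the channel's SSLCIPH rather than only the application code.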


UPDATE with additional helpful blog post

@renz found the IBM developerWorks MQdev Blog post by Sudhanshu Pant, "MQ v8: SSL connection in Managed MQ .NET", which also has good information with screenshots.