Connecting to IBM MQ over SSL via .net client

Question

I am trying to connect to a MQ server queue via a .NET client. I need to use the certificate for secured communication. Here is the code that I have:

MQEnvironment.SSLKeyRepository = "*SYSTEM";
MQEnvironment.ConnectionName = connectionName;
MQEnvironment.Channel = channelName;
MQEnvironment.properties.Add(MQC.TRANSPORT_PROPERTY, MQC.TRANSPORT_MQSERIES_MANAGED);
MQEnvironment.SSLCipherSpec = "TLS_RSA_WITH_AES_256_CBC_SHA"; 

queueManager = new MQQueueManager(queueManagerName, channelName, connectionName);

queue = queueManager.AccessQueue(SendQueueName,MQC.MQOO_OUTPUT + MQC.MQOO_FAIL_IF_QUIESCING);
queueMessage = new MQMessage();
queueMessage.WriteString(message);
queueMessage.Format = MQC.MQFMT_STRING;
queue.Put(queueMessage, new MQPutMessageOptions());

Every time I try to put the message on the queue, I get this error message

Reason Code: 2059
MQexp.Message: MQRC_Q_MGR_NOT_AVAILABLE

I have checked my variables for the queue manager name, queue name etc and they are correct. I was also able to connect to a different queue without SSL, I believe that my code is not furnishing enough information to establish a successful connection.

Any help on this would be appreciated.

Thanks, Kunal

Answer 1

I had the same problem and error message. After enabling tracing I was able to isolate the problem. I always wondered, how the client is selecting the correct client certificate from the store. The trace output revealed following:

000001B2 15:53:46.828145   20776.10    Created an instance of SSLStreams
000001B3 15:53:46.828145   20776.10    Setting current certificate store as 'Computer'
000001B4 15:53:46.828145   20776.10    Created store object to access certificates
000001B5 15:53:46.834145   20776.10    Opened store
000001B6 15:53:46.834145   20776.10    Accessing certificate - ibmwebspheremqmyusername
000001B7 15:53:46.835145   20776.10    TLS12 supported - True
000001B8 15:53:46.837145   20776.10    Setting SslProtol as Tls
000001B9 15:53:46.837145   20776.10    Starting SSL Authentication

In my case, I had to set the friendly name of the client certificate to ibmwebspheremq myusername (replace "myusername" with your userid) and set the label in the code aswell:

properties.Add(MQC.MQCA_CERT_LABEL, "ibmwebspheremqmyusername");  

To enable tracing, add following to your app.config/web.config where the path points to a location that contains a file named mqtrace.config :

<appSettings>
    <add key="MQTRACECONFIGFILEPATH" value="C:\MQTRACECONFIG" />
</appSettings>

Sample content of mqtrace.config (specified directories must exist in advance):

<?xml version="1.0" encoding="utf-8"?>
<traceSettings>
  <MQTRACELEVEL>2</MQTRACELEVEL>
  <MQTRACEPATH>C:\MQTRACEPATH</MQTRACEPATH>
  <MQERRORPATH>C:\MQERRORLOGPATH</MQERRORPATH>
</traceSettings>

Here are some links for more detail:

Tracing:
https://www.ibm.com/support/knowledgecenter/SSFKSJ_8.0.0/com.ibm.mq.dev.doc/q123550_.htm Why label:
http://www-01.ibm.com/support/docview.wss?uid=swg21245474