
Trying to access MQ 7.5 server through Java client but getting error, has created SYSTEM.SSL.SVRCONN

Without SSL I am able to connect, but with SSL it throws the below error in the MQ log:

AMQ9660: SSL key repository: password stash file absent or unusable.

EXPLANATION:
The SSL key repository cannot be used because MQ cannot obtain a password to
access it. Reasons giving rise to this error include: 
(a) the key database file and password stash file are not present in the
  location configured for the key repository, 
(b) the key database file exists in the correct place but that no password
  stash file has been created for it, 
(c) the files are present in the correct place but the userid under which MQ is
  running does not have permission to read them, 
(d) one or both of the files are corrupt. 

The channel is '????'; in some cases its name cannot be determined and so is
shown as '????'. The channel did not start.
ACTION:
Ensure that the key repository variable is set to where the key database file
is. Ensure that a password stash file has been associated with the key database
file in the same directory, and that the userid under which MQ is running has
read access to both files. If both are already present and readable in the
correct place, delete and recreate them. Restart the channel. 
----- amqccisa.c : 5577 -------------------------------------------------------
6/30/2015 12:15:33 - Process(14120.5) User(locahost) Program(amqrmppa.exe)
                      Host(localhost) Installation(Installation1)
                      VRMF(7.5.0.2) QMgr(QM1)

AMQ9492: The TCP/IP responder program encountered an error.

Here is the code which produces the error:

```java
import javax.jms.JMSException;
import javax.jms.Session;

import com.ibm.mq.*;
import com.ibm.jms.JMSMessage;
import com.ibm.jms.JMSTextMessage;
import com.ibm.mq.jms.JMSC;
import com.ibm.mq.jms.MQQueue;
import com.ibm.mq.jms.MQQueueConnection;
import com.ibm.mq.jms.MQQueueConnectionFactory;
import com.ibm.mq.jms.MQQueueReceiver;
import com.ibm.mq.jms.MQQueueSender;
import com.ibm.mq.jms.MQQueueSession;

import java.io.*;

import javax.net.ssl.*;

import java.net.ServerSocket;
import java.net.Socket;
import java.security.KeyStore;

/**
 * Simple test case for point-to-point messaging.
 */
public class MQTEST {
  /**
   * Main method
   *
   * @param args
   */
  public static void main(String[] args) {
    try {
      SSLContext context = SSLContext.getDefault();
      // Trust store and key store handed to the client's TLS layer
      System.setProperty("javax.net.ssl.trustStore", "D:\\IBM\\CERT\\truststore.jks");
      System.setProperty("javax.net.ssl.keyStore", "D:\\IBM\\Websphere\\Qmgrs\\QM1\\ssl\\key.kdb");
      System.setProperty("javax.net.ssl.keyStorePassword", "password");

      MQQueueConnectionFactory cf = new MQQueueConnectionFactory();

      // Config
      cf.setHostName("localhost");
      cf.setPort(1414);
      cf.setTransportType(JMSC.MQJMS_TP_CLIENT_MQ_TCPIP);
      cf.setQueueManager("QM1");
      cf.setChannel("SYSTEM.SSL.SVRCONN");
      // cf.setChannel("SYSTEM.DEF.SVRCONN");

      cf.setSSLCipherSuite("TLS_RSA_WITH_AES_128_CBC_SHA");

      MQQueueConnection connection = (MQQueueConnection) cf.createQueueConnection();

      MQQueueSession session = (MQQueueSession) connection.createQueueSession(false, Session.CLIENT_ACKNOWLEDGE);
      MQQueue queue = (MQQueue) session.createQueue("queue:///LQ1");
      MQQueueSender sender = (MQQueueSender) session.createSender(queue);
    } catch (Exception e) {
      e.printStackTrace();
    }
  }
}
```
The error log format and wording of the question suggest that it is the queue manager which is unable to access its KDB keystore.

(Note: When providing an error log, please let us know if you got it from the QMgr or the client! "MQ log" could go either way.)

With this in mind, you should run through the setup procedure for provisioning the queue manager's certificate. This includes:

  1. Generate an empty KDB file specifying the "stash password" option
  2. Generate a self-signed certificate or Cert Signing Request (CSR)

If this is for a CA-signed certificate...

  1. Get the CSR signed
  2. Import the Certificate Authority's signer certs into the QMgr's KDB and client keystore
  3. Receive the signed CSR into the keystore

If this is for self-signed certificate...

  1. Extract the public portion of the self-signed cert
  2. Import the self-signed cert into the client's keystore

If you omitted any of these steps, pick up where you left off.

If you forgot to stash the password or the stash file is damaged, recreate it using the iKeyman GUI or the appropriate option of the runmqakm command.

Note that if the KDB is completely absent, the QMgr still throws the error above. This is because the very first thing it does is to try to open the stash file. If it cannot find it, the "password stash file absent or unusable" error is thrown. This is true even when no KDB has ever been created.

It's possible that the stash file of the key repository used by the queue manager is corrupt. What I do in such cases is:

1) Delete the stash file.

2) Open the key repository in IBM Key Management Utility.

3) Create a new stash file again using Key Database File/Stash Password menu.

Then try connecting again.

Your client application code is using a .kdb type key repository for javax.net.ssl.keyStore. As far as I know, the MQ Java client will use only a .jks type of key store. The .kdb type key store is used by the queue manager and non-Java clients like C/C#.

HTH
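
A pre-flight check for the two problems raised in the answers above (added example, not code from the original posts): the first function tests causes (a) to (c) of AMQ9660 for a queue manager key repository, the others test whether a client key store looks like a Java key store. It assumes the `SSLKEYR` convention of a path plus file stem without extension; the function names are hypothetical, and the read check only reflects the account the script runs under.

```python
import os

JKS_MAGIC = {b"\xfe\xed\xfe\xed": "JKS", b"\xce\xce\xce\xce": "JCEKS"}

def check_key_repository(sslkeyr):
    """Check causes (a)-(c) of AMQ9660 for a queue manager SSLKEYR value.

    Assumption: SSLKEYR is the path plus file stem without extension; the
    queue manager opens <stem>.kdb and takes its password from <stem>.sth
    in the same directory. Run this as the account the queue manager runs
    under so the read check reflects that account's permissions.
    """
    findings = []
    for ext, role in ((".kdb", "key database"), (".sth", "password stash")):
        path = sslkeyr + ext
        if not os.path.isfile(path):
            findings.append(f"{role} file missing: {path}")
        elif not os.access(path, os.R_OK):
            findings.append(f"{role} file not readable by this user: {path}")
        elif os.path.getsize(path) == 0:
            findings.append(f"{role} file is empty: {path}")
    return findings

def java_keystore_type(path):
    """Return 'JKS' or 'JCEKS' from the file's magic number, else None."""
    with open(path, "rb") as fh:
        return JKS_MAGIC.get(fh.read(4))

def check_client_keystore(path):
    """Flag a javax.net.ssl.keyStore value that is not a Java key store."""
    if path.lower().endswith(".kdb"):
        return f"{path}: CMS .kdb repository, not a Java keystore"
    if not os.path.isfile(path):
        return f"{path}: file missing"
    if java_keystore_type(path) is None:
        return f"{path}: no JKS/JCEKS magic number"
    return None

if __name__ == "__main__":
    import tempfile
    # Constructed sample: a repository with a .kdb but no .sth, as in cause (b).
    with tempfile.TemporaryDirectory() as d:
        stem = os.path.join(d, "key")
        with open(stem + ".kdb", "wb") as fh:
            fh.write(b"constructed placeholder bytes")
        print(check_key_repository(stem))
        print(check_client_keystore(stem + ".kdb"))
```

An empty result from `check_key_repository` rules out only the missing, unreadable and empty cases; a corrupt stash file, cause (d), still needs the delete-and-recreate step described above.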
