
What certificate Name to use for IBM MQ .Net client installed on application server?

I am using the IBM WebSphere MQ client v7.5 installed on an application server.

To securely connect to the MQ queue manager I have to pass a certificate whose name should be ibmwebspheremq + "userid". I put my code on the APP SERVER to test the MQ connectivity. If I specify my domain user id it works fine for me, but not for other domain users. So what certificate name should be used so that it works for all domain users?

Certificate label: ibmwebspheremq.kdb located on the local path

Certificate name: using strmqikm.exe, open the above key database and check the name. As of now this CN is "ibmwebspheremq" + 111111 (domain userid) and it works fine for the domain user 111111, but for domain user 222222 it throws SSL errors.

PS: Security must be maintained.

Update from OP comments on 11 Sept 2015
I am using a .NET application and wrote the code against the IBM.WMQ interface provided by the amqmdnet dll. I have KDB certificates and have just provided the local certificate's path in the configuration. I am able to access the MQ server for a particular user on the APP server (where the MQ client resides), but if I want to access it for all users, how? Because in my case the certificate label name (using strmqikm.exe) should be like ibmwebspheremq + userid. For individual users I am able to access the certificate by logging in to the app server individually, but not for all users at a time. There is only one certificate and, as mentioned earlier, it is a non-Java application.

The MQ client either uses IBM's C code or it uses Java and the JRE's JSSE provider. Each of these has different behaviors and requirements.

The Java EE app server will use the JSSE provider and its rules for selecting a personal cert from the JKS. That may or may not include searching for a particular label. Anything using IBM's compiled C code API will require a specific label for the personal certificate in the KDB. Furthermore, the behavior has changed from version to version, as explained in IBM's Technote "Specifying the userid in the SSL certificate label for an MQ client".

As explained in the Technote, the Java client uses standard Java methods for finding the personal certificate and is not dependent on the label at all. That requirement is only for the non-Java client. The App server uses a JKS and the non-Java clients use a KDB. Since you did not mention converting certificates between JKS and KDB, I will assume that your testers are not using the C client or a KDB.

Presumably then, your testers are using the same JKS as the app server. If they have the right path and the password to access it, and if it has a personal cert, they will be able to find and present the personal cert. If it has more than one personal cert, MQ has no control over how it selects which one it will present. That's a Java thing. If this is the problem the answer is simple - either use one personal cert and one keystore, or else each tester has their own JKS, each with its own personal cert.

Security must be maintained

In that case, the latter approach is preferred. Each tester should have their own JKS and their own personal cert.

The other possibility is that you have a variety of certs, each of which is being found by the client and properly presented to the server, but that there's a cert exchange problem. If each developer has their own cert and those are all self-signed, the public portion must be in the QMgr's KDB to be accepted.

If you want a more precise answer, you will need to provide a lot more detail, such as what code, keystore, and certificate the testers are using to test with, whether these are self-signed certs, whether the testers are using the same app channel and testing from the same node, whether you are using SSLCAUTH, etc. I would also recommend using the debugging procedure I outlined in this answer.

The MQ v7.5 C# client internally calls the MQ C client to establish secure connections to a queue manager. The logged-in user id is used to build the ibmwebspheremq<userid> certificate label and pick the correct client certificate from a KDB. Hence for @Dirty Developer, the application gets connected when a user logs in for whom a certificate with a label suffixed with his/her userid exists in the KDB.

From MQ v8, there is no need to have a certificate label suffixed with the userid. MQ v8 provides a CertificateLabel property with which applications can specify any certificate label. The MQ client will use the certificate label to locate the personal certificate that is sent during the SSL handshake. In the MQ v8 .NET client, this property is named MQEnvironment.CertificateLabel. Here is more on Certificate Label in MQ v8.
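To make the two behaviours described in this answer concrete, here is an added example (not code from the question or from either answer). It needs the IBM MQ .NET assembly amqmdnet.dll (namespace IBM.WMQ) from an MQ 8 client, because MQEnvironment.CertificateLabel does not exist in the 7.5 assembly. The queue manager, host, channel, cipher spec, key database path and the label "app-client" are placeholder values, and ExpectedDefaultLabel is a helper written for this example, not an MQ API.

```csharp
// Added example (not from the original question or answers). Requires the MQ 8
// amqmdnet.dll; all connection values below are placeholders.
using System;
using System.Security.Principal;
using IBM.WMQ;

public static class MqCertLabel
{
    // Default label the unmanaged (C) client looks for in the KDB on 7.5, and on
    // 8 when no label is set: "ibmwebspheremq" + logged-on userid. MQ documents
    // the label in lower case, and a DOMAIN\ prefix is not part of it.
    public static string ExpectedDefaultLabel(string windowsAccountName)
    {
        string user = windowsAccountName;
        int sep = user.LastIndexOf('\\');
        if (sep >= 0) user = user.Substring(sep + 1);
        return "ibmwebspheremq" + user.ToLowerInvariant();
    }

    // Connect over TLS. explicitLabel == null reproduces the 7.5 behaviour the
    // question hit (label tied to whoever is logged on). A non-null label uses
    // the MQ 8 CertificateLabel property, so one certificate serves every user.
    public static MQQueueManager Connect(string qmgr, string host, int port, string channel,
                                         string kdbPathNoExt, string cipherSpec, string explicitLabel)
    {
        MQEnvironment.Hostname = host;
        MQEnvironment.Port = port;
        MQEnvironment.Channel = channel;
        MQEnvironment.SSLKeyRepository = kdbPathNoExt;   // client.kdb / client.sth without extension
        MQEnvironment.SSLCipherSpec = cipherSpec;        // must equal SSLCIPH on the SVRCONN channel
        // Unmanaged transport: the C client and the KDB are used, as in the 7.5 case above.
        MQEnvironment.properties[MQC.TRANSPORT_PROPERTY] = MQC.TRANSPORT_MQSERIES_CLIENT;

        string identity = WindowsIdentity.GetCurrent().Name;
        if (explicitLabel == null)
        {
            Console.WriteLine("Process identity {0}: client will look for label '{1}'",
                              identity, ExpectedDefaultLabel(identity));
        }
        else
        {
            MQEnvironment.CertificateLabel = explicitLabel;   // MQ 8+ only
            Console.WriteLine("Process identity {0}: using explicit label '{1}'", identity, explicitLabel);
        }
        return new MQQueueManager(qmgr);
    }

    public static void Main()
    {
        MQQueueManager qm = null;
        try
        {
            // Placeholder values. The label "app-client" must exist as a personal
            // certificate in the KDB (check with: runmqakm -cert -list -db client.kdb -stashed).
            qm = Connect("QM1", "mqhost.example.com", 1414, "APP.SVRCONN",
                         @"C:\mq\keys\client", "TLS_RSA_WITH_AES_128_CBC_SHA256", "app-client");
            Console.WriteLine("Connected to " + qm.Name);
        }
        catch (MQException ex)
        {
            // 2393 MQRC_SSL_INITIALIZATION_ERROR is the usual symptom of a label that is
            // not in the KDB; the client's AMQERR01.LOG carries the GSKit return code.
            Console.WriteLine("MQ reason {0}: {1}", ex.ReasonCode, ex.Message);
        }
        finally
        {
            if (qm != null && qm.IsConnected) qm.Disconnect();
        }
    }
}
```

Passing null as the last argument to Connect shows, before the handshake, which label the client is about to search for under the current identity; comparing that string with the labels listed by runmqakm is the quickest way to confirm the "works for 111111, SSL error for 222222" pattern from the question.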

After all the time I have spent in research, I finally have an answer!!!

1) It is not possible to change the certificate name for every user who wants to use MQ on the server every time.
2) We have to find a certificate name such that it will work for all users (this is my question :) ) and a methodology to incorporate this change.

Actual procedure:
3) I have developed code to connect to MQ in a WCF service and hosted the service on IIS.
4) For the IIS user on the server I had a SERVICE ACCOUNT which I bound to the certificate label, i.e. ibmwebspheremq +
5) All the clients who want to connect have to call the service that I've deployed on the IIS server, and voila!!!!!! it worked.
6) You must have that service account bound to your role/domain user id.
7) Note: on the server you must provide access to the IBM folder for the service account.
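The following is an added example, not the asker's code, sketching the hosting pattern in the answer above: a WCF service in IIS runs as one fixed service account, so the unmanaged MQ client derives the same ibmwebspheremq<serviceaccount> label on every call and callers need no certificate of their own. The interface and class names, the CORP\MQ-Bridge-Users group, the queue and all connection values are hypothetical; the example also adds the two checks a practitioner would want here, caller authorization in the service (since every caller now reaches MQ as the service account) and a readability check on the key database that corresponds to step 7.

```csharp
// Added example (not the asker's code). Hypothetical names and values throughout.
using System;
using System.IO;
using System.Security.Principal;
using System.ServiceModel;
using IBM.WMQ;

[ServiceContract]
public interface IMqBridge
{
    [OperationContract] string WhoAmI();
    [OperationContract] void Put(string text);
}

[ServiceBehavior(InstanceContextMode = InstanceContextMode.PerCall)]
public class MqBridgeService : IMqBridge
{
    // Hypothetical settings; under IIS these belong in web.config.
    const string QMgr = "QM1", Host = "mqhost.example.com", Channel = "APP.SVRCONN";
    const int Port = 1414;
    const string KdbNoExt = @"C:\mq\keys\client";        // client.kdb + client.sth
    const string Cipher = "TLS_RSA_WITH_AES_128_CBC_SHA256";
    const string Queue = "APP.MQ.IN";
    const string AllowedGroup = @"CORP\MQ-Bridge-Users";  // hypothetical AD group

    // Impersonation is explicitly disallowed: if WCF impersonated the caller, the
    // MQ client would derive the label from the caller's userid again, which is
    // exactly the 7.5 problem described in the question.
    [OperationBehavior(Impersonation = ImpersonationOption.NotAllowed)]
    public string WhoAmI()
    {
        string process = WindowsIdentity.GetCurrent().Name;   // app pool = service account
        WindowsIdentity caller = CallerIdentity();
        return "process=" + process + " caller=" + (caller == null ? "(anonymous)" : caller.Name);
    }

    [OperationBehavior(Impersonation = ImpersonationOption.NotAllowed)]
    public void Put(string text)
    {
        // Every caller reaches MQ as the service account, so per-user authorization
        // has to happen here; MQ only ever sees the service account's certificate.
        WindowsIdentity caller = CallerIdentity();
        if (caller == null || !new WindowsPrincipal(caller).IsInRole(AllowedGroup))
            throw new FaultException("caller is not permitted to use the MQ bridge");

        EnsureKeyRepositoryReadable();

        MQEnvironment.Hostname = Host;
        MQEnvironment.Port = Port;
        MQEnvironment.Channel = Channel;
        MQEnvironment.SSLKeyRepository = KdbNoExt;
        MQEnvironment.SSLCipherSpec = Cipher;
        MQEnvironment.properties[MQC.TRANSPORT_PROPERTY] = MQC.TRANSPORT_MQSERIES_CLIENT; // unmanaged, uses KDB

        MQQueueManager qm = new MQQueueManager(QMgr);  // label = ibmwebspheremq<service account userid>
        try
        {
            MQQueue q = qm.AccessQueue(Queue, MQC.MQOO_OUTPUT | MQC.MQOO_FAIL_IF_QUIESCING);
            MQMessage msg = new MQMessage();
            msg.WriteString(text);
            q.Put(msg, new MQPutMessageOptions());
            q.Close();
        }
        finally
        {
            qm.Disconnect();
        }
    }

    // Caller identity from Windows authentication on the binding, or null if anonymous.
    static WindowsIdentity CallerIdentity()
    {
        ServiceSecurityContext ctx = ServiceSecurityContext.Current;
        return (ctx == null || ctx.IsAnonymous) ? null : ctx.WindowsIdentity;
    }

    // Step 7 of the answer: the service account needs read access to the key
    // database and stash file (and to the MQ client install folder). Failing here
    // gives a clear message instead of an opaque SSL error from the C client.
    static void EnsureKeyRepositoryReadable()
    {
        foreach (string f in new[] { KdbNoExt + ".kdb", KdbNoExt + ".sth" })
        {
            try { using (File.OpenRead(f)) { } }
            catch (Exception e)
            {
                throw new FaultException(string.Format("{0} not readable as {1}: {2}",
                    f, WindowsIdentity.GetCurrent().Name, e.Message));
            }
        }
    }
}
```

For this to work the IIS application pool identity must be the service account whose userid (in lower case) follows ibmwebspheremq in the KDB label, and the binding must use Windows authentication so that CallerIdentity() has something to authorize; WhoAmI() is there to confirm from a browser or test client that the process identity is the service account while the caller identity is the end user.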
