IBM MQ SSL Error - pymqi.MQMIError: MQI Error. Comp: 2, Reason 2393: FAILED: MQRC_SSL_INITIALIZATION_ERROR

Question

I am trying to connect to my local queue using SSL. I am getting pymqi.MQMIError: MQI Error. Comp: 2, Reason 2393: FAILED: MQRC_SSL_INITIALIZATION_ERROR error.

The AMQERR01.LOG says AMQ9660E: SSL key repository: password stash file absent or unusable. But the corresponding .sth file is available in the directory.

Required assistance to solve the error.

Below is the code

queue_manager = 'QM1'
channel = b'DEV.APP.SVRCONN'
host = '127.0.0.1'
port = '1414'
queue_name = 'DEV.QUEUE.1'
conn_info = f'{host}({port})'
conn_info = conn_info.encode('utf-8')
ssl_cipher_spec = 'TLS_RSA_WITH_AES_256_CBC_SHA256'.encode('utf-8')
key_repo_location = b'/var/mqm/qmgrs/QM1/ssl/key_1'
key_repo_location_env = '/var/mqm/qmgrs/QM1/ssl/key_1'
certificate_label = b'cert_1'
user = 'app'
password = 'qwerty'
message = 'Hello from Python!'
os.environ['MQSSLKEYR'] = key_repo_location_env
cd = pymqi.CD()
cd.ChannelName = channel
cd.ConnectionName = conn_info
cd.ChannelType = pymqi.CMQC.MQCHT_CLNTCONN
cd.TransportType = pymqi.CMQC.MQXPT_TCP
cd.SSLCipherSpec = ssl_cipher_spec
cd.CertificateLabel = certificate_label
sco = pymqi.SCO()
sco.KeyRepository = key_repo_location
sco.CertificateLabel = certificate_label
qmgr = pymqi.QueueManager(None)
qmgr.connect_with_options(queue_manager, cd, sco)
put_queue = pymqi.Queue(qmgr, queue_name)
put_queue.put(message)

Answer 1

I think the key here is the id that you are running your application as.

On the surface what your are attempting should work, although it's highly unusual.

It looks like you are running your python application on the queue manager's machine albeit in client mode. You are either re-using the queue manager's key store / stash as your applications' key store / stash or you have put it in the same location as your queue manager's key store / stash. I am guessing that you haven't replaced or modified the queue manager's key store.

So, although not recommended, provided you have the stash correct, it should work.

Your code looks similar to the TLS sample in the pymqi documentation.

That leads me to think that your error is down to the userid running the program, not having permission to read the keystore files. Basically an OS POSIX permissions restriction.

Re: This explanation of why you may see that error.

Answer 2

This issue is solved. In my case, the '.kdb' was generated from '.p12'. While generating the new key it was missing the root certificate which was causing issues to get the right SSL object.