Python Application is unable to connect to IBM MQ Qmgr using ssl - Using pymqi library


Note: I am running my Python script on the same MQ server. I am able to connect to the Qmgr with one-way SSL.

import pymqi

# Client channel definition. channel, conn_info (host(port)) and ssl_cipher_spec
# are supplied by the caller; the cipher spec must match the SSLCIPH attribute
# of the SVRCONN channel on the queue manager.
cd = pymqi.CD()
cd.ChannelName = channel
cd.ConnectionName = conn_info
cd.ChannelType = pymqi.CMQC.MQCHT_CLNTCONN
cd.TransportType = pymqi.CMQC.MQXPT_TCP
cd.SSLCipherSpec = ssl_cipher_spec
# SSL configuration options: path to the client key repository (client.kdb),
# given as the path stem without the .kdb extension, as MQ expects.
sco = pymqi.SCO()
sco.KeyRepository = key_repo_location
qmgr = pymqi.QueueManager(None)   # None: create the object without connecting yet
qmgr.connect_with_options(queue_manager, cd, sco)
queue = pymqi.Queue(qmgr, queue_name)

I am running IBM MQ on a server, have configured the Qmgr with SSL and am able to connect to it using IBM Explorer. I am trying to connect a Python application to the MQ Qmgr over SSL using the pymqi library. Using SSL I am unable to connect to the Qmgr.

runmqakm -cert -list -db client.kdb -stashed
Certificates found
* default, - personal, ! trusted, # secret key
!   ibmwebspheremqqm1
*-  ibmwebspheremqapp

runmqakm -cert -list -db key.kdb -stashed
Certificates found
* default, - personal, ! trusted, # secret key
!   "cn=signer-cert"
!   ibmwebspheremqapp
-   ibmwebspheremqqm1

key.kdb --> Qmgr key db
client.kdb --> python application client key db

Steps performed: created a client.kdb key db and created a certificate using the runmqakm utility, extracted the qmgr public certificate and added it to the client.kdb key db, and extracted the client public cert and added it to the qmgr key db.

MQ version: v9.2
Python version: 3.6
OS: RHEL

Error on Python script:

Traceback (most recent call last):
  File "ssl-mq.py", line 32, in <module>
    qmgr.connect_with_options(queue_manager, cd, sco)
  File "/root/.local/lib/python3.6/site-packages/pymqi-1.12.10-py3.6-linux-x86_64.egg/pymqi/__init__.py", line 1747, in connect_with_options
    raise MQMIError(rv[1], rv[2])
pymqi.MQMIError: MQI Error. Comp: 2, Reason 2393: FAILED: MQRC_SSL_INITIALIZATION_ERROR

I understand that the Python code is not sending a certificate to the MQ Qmgr and that's the reason it is failing. Within the pymqi library I am not sure where I send my client cert?

AMQ9633E: Bad SSL certificate for channel 'TEST1'.

The details of the certificate which could not be validated are '[Class=]GSKVALMethod::X509 The certificate validation error was 575010

ACTION: Check which of the possible causes applies on your system. Correct the error, and restart the channel. This error might indicate that the remote end of the channel is configured to send the wrong certificate. Check the certificate label configuration at the remote end of the channel and ensure that the local key repository contains all of the necessary CA certificates.


Vishnu On

The issue was that client.kdb was missing the root certificate. When I imported the cert into client.kdb I validated that it had the entire certificate chain, but for some reason MQ cannot read it. I had to extract the root cert (signing authority cert) and import it into the client key db. Once that was done, the Python application was able to connect to the Qmgr with mutual TLS authentication.

JoshMc On

You mentioned in the comments that you were getting an "AMQ9633E: Bad SSL certificate for channel 'TEST1'." error with "The certificate validation error was 575010".

The 575010 error means "No certificate chain was built". This normally means that your cert is not trusted because it's missing a signer cert.

Troubleshoot this error by running the following command against both the client and queue manager key store:

runmqakm -cert -list -db key.kdb -stashed

  1. Make sure each has a personal certificate, denoted by the hyphen in the first column.
  2. If the cert is signed by a CA, make sure you have the root CA added to the other key store.
  3. If the cert is self-signed, make sure you have the public key of the cert added to the other key store.

In your case you are missing the cn=signer-cert that signed your queue manager cert in the client.kdb.
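As an added illustration of the 575010 diagnosis in this answer (not code from the question or either answer): a small Python check, using the cryptography package, that walks issuer links from a peer certificate to a self-signed anchor the way a chain build does, and reports which signer is missing when it cannot. The labels signer-cert and ibmwebspheremqqm1 come from the listings above; the keys and certificates are generated on the fly and are constructed test data, not the asker's.

```python
import datetime
from cryptography import x509
from cryptography.x509.oid import NameOID
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import rsa, padding

def _name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])

def issue(subject_cn, issuer_cn, issuer_key, subject_key):
    """Issue a short-lived test certificate (constructed data, not from a real key store)."""
    now = datetime.datetime.now(datetime.timezone.utc)
    return (x509.CertificateBuilder()
            .subject_name(_name(subject_cn)).issuer_name(_name(issuer_cn))
            .public_key(subject_key.public_key())
            .serial_number(x509.random_serial_number())
            .not_valid_before(now).not_valid_after(now + datetime.timedelta(days=1))
            .sign(issuer_key, hashes.SHA256()))

def chain_builds(peer_cert, trusted):
    """Walk issuer links from peer_cert to a self-signed anchor in 'trusted',
    verifying each signature. Returns (ok, reason); ok=False is the 575010 case."""
    by_subject = {c.subject: c for c in trusted}
    cert = peer_cert
    for _ in range(8):                       # bound the walk; real chains are short
        signer = by_subject.get(cert.issuer)
        if signer is None:
            return False, "no signer for %s in key store" % cert.issuer.rfc4514_string()
        signer.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                   padding.PKCS1v15(), cert.signature_hash_algorithm)
        if signer.subject == signer.issuer:  # reached a self-signed root
            return True, "anchored at %s" % signer.subject.rfc4514_string()
        cert = signer
    return False, "chain too long"

def demo():
    """Reproduce the question: qmgr cert signed by 'signer-cert'; the client store
    first holds only the qmgr cert (no root), then the root is added."""
    root_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    qm_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    root = issue("signer-cert", "signer-cert", root_key, root_key)
    qmgr_cert = issue("ibmwebspheremqqm1", "signer-cert", root_key, qm_key)
    before = chain_builds(qmgr_cert, [qmgr_cert])        # what the asker's client.kdb had
    after = chain_builds(qmgr_cert, [qmgr_cert, root])   # after importing the root cert
    return before[0], after[0]

if __name__ == "__main__":
    print(demo())
```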