How to connect to a queue manager with ssl enabled server connection channel when authentication is required.

Question

I am trying to write a java application connecting to server connection channel with SSL enabled.

So far, I have been successfully connected to the channel by setting authentication to 'optional'. However, when I set it to be 'required', the connection fails.

Here is what I did:

1. Create key db for queue manager and keystore for the java client user.
2. Create key/self-signed certificates for the queue manager and the client user, with names prefixed ibmwebspheremq.
3. Export, exchange and import certificates for the queue manager and the client. (I did answered 'yes' when being asked whether I trust the queue manager cert).
4. The location and password to the truststore and keystore are set to point to the same keystore at the client side, where the orgininal created client user key and the imported queue manager key are.

With other settings being the same, if I switch back to 'optional' authentication, the connection works.

I think there is something I understand incorrectly about this ssl authenticaion but cannot figure out what.

Could someone kindly help me?

Answer 1

I beat my head against that wall for a couple of weeks. IBM L2 Support eventually clued me in. My issue here was that keytool will use DSA algorithm unless you specify RSA. This results in keys of length 1022 instead of 1024, which WMQ doesn't like. The fix was to specify -sigalg RSA when generating the certificate and everything works.

I've asked the IBM WMQ team and WMQ FTE team to add this to their Infocenter documentation.