AMQ9716E: Remote SSL certificate revocation status check failed for channel XXXX #188

Open
VamsiNandanBR opened this issue Nov 15, 2024 · 0 comments


VamsiNandanBR commented Nov 15, 2024

Hi, can someone please help me with the problem below?

Script Reference : https://github.com/ibm-messaging/mq-mqi-nodejs/blob/master/samples/amqsconntls.js

As mentioned in “The SSL/TLS key repository” (IBM Documentation), I followed the steps below for key database creation and added the same certs to the kdb file:

  • openssl x509 -inform PEM -in leafcert.cer -out leafcert.crt
  • openssl x509 -inform PEM -in root.cer -out root.crt
  • runmqakm -keydb -create -db certstore.kdb -pw Welcome1 -type pkcs12 -expire 1000 -stash
  • runmqakm -cert -add -label leafcert.cert -db certstore.kdb -pw Welcome1 -trust enable -file leafcert.crt
  • runmqakm -cert -add -label root.cert -db certstore.kdb -pw Welcome1 -trust enable -file root.crt

I imported ‘certstore.kdb’ in my script and used the properties below:

```javascript
this.sco.KeyRepository = '<PATHOFSTH/KDB>';
//this.sco.KeyRepoPassword = 'Welcome1';  // This isn't used
//this.sco.CertificateLabel = 'leafcert.cert';  // This isn't used
this.connectionDefinition.SSLCipherSpec = 'ECDHE_RSA_AES_256_GCM_SHA384';
/** We aren't providing a client SSL certificate and are marking it as optional */
this.connectionDefinition.SSLClientAuth = this.MQC.MQSCA_OPTIONAL;
```

Despite all of the above properties being set up, I am still facing the “MQRC_SSL_INITIALIZATION_ERROR [2393]” error.

I checked the MQ library logs and see the error below:

```text
----- amqccisa.c : 10130 ------------------------------------------------------
11/10/24 06:02:46 - Process(7444.1) User(userx) Program(node)
Host(asadasdas) Installation(MQNI93L24040400P)
VRMF(9.3.0.17)
Time(2024-11-10T06:02:46.268Z)
CommentInsert1([Class=]GSKVALMethod::X509[Issuer=]CN=Entrust Root Certification Authority - G2,OU=(c) 2009 Entrust, Inc. - for authorized use only,OU=See www.entrust.net/legal-terms,O=Entrust, Inc.,C=US[#=]0ee94cc30000000051d37785[Subject=]CN=Entrust Certification Aut)
CommentInsert2(gsk_attribute_get_buffer - GSK_UNKNOWNREVOCATIONSTATUS_SUBJECT)
CommentInsert3(EXAMPLE.CHANNEL)

AMQ9716E: Remote SSL certificate revocation status check failed for channel
'EXAMPLE.CHANNEL'.

EXPLANATION:
IBM MQ failed to determine the revocation status of the remote SSL certificate
for one of the following reasons:
(a) The channel was unable to contact any of the CRL servers or OCSP responders
for the certificate.
(b) None of the OCSP responders contacted knows the revocation status of the
certificate.
(c) An OCSP response was received, but the digital signature of the response
could not be verified.

The details of the certificate in question are
'[Class=]GSKVALMethod::X509[Issuer=]CN=Entrust Root Certification Authority -
G2,OU=(c) 2009 Entrust, Inc. - for authorized use only,OU=See
www.entrust.net/legal-terms,O=Entrust,
Inc.,C=US[#=]0ee94cc30000000051d37785[Subject=]CN=Entrust Certification Aut'.

The channel name is 'EXAMPLE.CHANNEL'. In some cases the channel name cannot be
determined and so is shown as '????'. The channel did not start.

IBM MQ does not allow the channel to start unless the certificate revocation
status can be determined.
ACTION:
If the certificate contains an AuthorityInfoAccess extension, ensure that the
OCSP server named in the certificate extension is available and is correctly
configured.

If the certificate contains a CrlDistributionPoint extension, ensure that the
CRL server named in the certificate extension is available and is correctly
configured.

If you have specified any CRL or OCSP servers to IBM MQ, check that those
servers are available and are correctly configured.

Ensure that the local key repository has the necessary SSL certificates to
verify the digital signature of the response from the OCSP server.
----- amqccisa.c : 10130 ------------------------------------------------------
```

```text
Name:        IBM MQ
Version:     9.3.0.17
Level:       p930-017-240404
BuildType:   IKAP - (Production)
Platform:    IBM MQ for Linux (x86-64 platform)
Mode:        64-bit
O/S:         Linux 4.18.0-553.27.1.el8_10.x86_64
O/S Details: Debian GNU/Linux 12 (bookworm)
InstName:    MQNI93L24040400P
InstDesc:    IBM MQ V9.3.0.17 (Redistributable)
Primary:     N/A
InstPath:    /opt/ibmmqc
DataPath:    /home/IBM/MQ/data
MaxCmdLevel: 930
```


ibmmq Node.js module:

```json
"dependencies": {
    "ibmmq": "^2.1.0",
    "postinstall": "*"
  }
```
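As an added diagnostic (not code from this issue, its reporter, or the mq-mqi-nodejs project), the POSIX shell script below lists the OCSP responder and CRL distribution point URIs carried by a PEM certificate; these are exactly the endpoints the AMQ9716E ACTION text says must be reachable and correctly configured, and a certificate with none of them gives MQ nothing to query unless servers are configured explicitly. It assumes an OpenSSL 1.1.1 or later binary on PATH; the demo certificate and its example.test URIs are constructed.

```shell
# Added diagnostic; not code from this issue or from mq-mqi-nodejs.
# Prints the revocation pointers (AuthorityInfoAccess OCSP URIs and CRL
# Distribution Points) of a PEM certificate: the endpoints that the
# AMQ9716E ACTION text says IBM MQ / GSKit must be able to reach.
# Assumes OpenSSL 1.1.1+ on PATH (needs the -ext and -addext options).
set -e

# OCSP responder URIs from the AuthorityInfoAccess extension, one per line
# (empty output when the certificate has no OCSP pointer).
ocsp_uris() {
  openssl x509 -in "$1" -noout -ocsp_uri
}

# CRL URIs from the CRLDistributionPoints extension, one per line
# (empty output when the extension is absent).
crl_uris() {
  openssl x509 -in "$1" -noout -ext crlDistributionPoints | sed -n 's/^ *URI://p'
}

# Report one certificate. Returns 1 when it carries no revocation pointer
# at all (MQ has nothing to query unless CRL/OCSP servers are configured
# explicitly); returns 0 when at least one pointer exists.
revocation_pointers() {
  cert=$1
  echo "== $(openssl x509 -in "$cert" -noout -subject)"
  found=0
  for u in $(ocsp_uris "$cert"); do echo "   OCSP: $u"; found=1; done
  for u in $(crl_uris "$cert");  do echo "   CRL:  $u"; found=1; done
  if [ "$found" -eq 0 ]; then
    echo "   (no AuthorityInfoAccess/OCSP or CRLDistributionPoint extension)"
    return 1
  fi
}

# Constructed demo: a throwaway self-signed certificate carrying both
# extensions with example.test URIs, so the functions can be exercised
# without the real Entrust chain from the issue.
make_demo_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=demo.example.test" \
    -addext "authorityInfoAccess=OCSP;URI:http://ocsp.example.test" \
    -addext "crlDistributionPoints=URI:http://crl.example.test/demo.crl" \
    -keyout "$1.key" -out "$1" 2>/dev/null
}

# Stand-alone run: "sh thisscript.sh demo" builds the demo cert and lists
# its pointers; for a real check call revocation_pointers on each PEM.
if [ "${1:-}" = "demo" ]; then
  make_demo_cert /tmp/amq9716-demo.pem
  revocation_pointers /tmp/amq9716-demo.pem
fi
```

Run `revocation_pointers` on every PEM imported into certstore.kdb (leafcert.crt, any intermediate, root.crt) to see which responder or CRL server GSKit will try to contact for each link of the chain.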