Working with SSL certificates about mq-mqi-nodejs HOT 4 CLOSED

The environment variable to use is MQSSLKEYR. See docs here

MQS_KEYSTORE_CONF is used for Advanced Message Security configuration. It's a config file that in turn points at keystores and other values.

The gskit libraries underpinning this package only deal with KDB formats. Some of the command line tools will process JKS stores for convenience, but it's not been enabled for the C library runtime.

from mq-mqi-nodejs.

Thanks @ibmmqmet, I'm using the MQSSLKEYR to refer to the KDB path in the correct manner (defining the path without extension). I have both the kdb and sth files in the same directory and using the same base file name. I'm getting an error message saying MQRC_KEY_REPOSITORY_ERROR [2381] even though I'm able to use the mq client cli tools to connect successfully using these files.

I'm wondering if this has something to do with the KeyRepository configuration as it mentions it in the documentation. Is there an example on how to set this value using this module?

EDIT:

After a bit of digging, I've tried to:

var sco = new mq.MQSCO();
sco.KeyRepository = "/my/path/to/kdb";

var cno = new mq.MQCNO();
cno.SSLConfig = sco;

...

mq.Connx(qMgr, cno, function(err, hConn) {
...
});

But I'm still getting the same error message.

from mq-mqi-nodejs.

Assuming you have mykey.kdb, .rdb and .sth along with the CCDT, then you should be able to run with no code changes at all. The kdb must include the signing information for the qmgrs cert to validate that, and - if the SSLCAUTH setting on the svrconn requires it - the client's certificate with an appropriate label. See here for a lot more detail on that.

And of course make sure the CLNTCONN definition matches the SVRCONN definition for cipherspec.

Error log entries from both the queue manager and the client can give much more information than the simple MQRC value.

I do have a sample that I need to tidy up for doing TLS completely programmatically where the CD, SCO and CNO structures are involved but you don't need that when you use the CCDT.

export MQ_CONNECT_TYPE=CLIENT  # This may not be needed but it forces client connections
export MQSSLKEYR=`pwd`/mykey # Assume things are all in current directory
export MQCHLLIB=`pwd`
export MQCHLTAB=AMQCLCHL.TAB

node amqsput

I will often run programs under strace just to check that the correct files are being successfully opened; it's the quickest way to verify some of the environment variables are taking effect. And MQ trace would be more detailed debug.

from mq-mqi-nodejs.

The latest update (0.8.0) includes a new sample amqsconntls to show how to programmatically work with TLS configurations.

from mq-mqi-nodejs.