I noticed strange MQ SVRCONN channel behavior. Channel is enabled for SSL encryption and SSL client certificate is enforced.
The client certificate's public keys are stored in RACF. The channel parameters are:
       TRPTYPE(TCP) +
       DESCR('MQ SVRCONN chl for users') +
       QSGDISP(QMGR) +
       PUTAUT(DEF) +
       MAXMSGL(104857600) +
       MCAUSER(' ') +
       RCVDATA(' ') +
       RCVEXIT(' ') +
       SCYDATA(' ') +
       SCYEXIT(' ') +
       SENDDATA(' ') +
       SENDEXIT(' ') +
       SSLPEER(' ') +
       KAINT(AUTO) +

From RACF I have removed a public certificate user and got the following message:

+CSQX632I +MQ1 CSQXRESP SSL certificate has no associated user ID, 315
 remote channel ????
 - channel initiator user ID used
+CSQX500I +MQ1 CSQXRESP Channel MQCHANN1 started

So, the certificate could not be located, so the CHINIT user id was used. But my understanding is that this connection should fail (because of the parameter
SSLCAUTH(REQUIRED)). The PUTAUT(DEF) parameter is left blank intentionally because many users with different userIDs are using the same channel.

Any suggestions? Is this normal behavior? What should I do in order to enforce SSL authentication?

Best Regards, Peter

Peter Geršak
3Gen d.o.o., Tržaška 21, 1000 Ljubljana
M: +386 31 332 787
T: +386 1 42 10 475

Reply via email to