Hello,
I noticed strange MQ SVRCONN channel behavior. The channel is enabled for SSL encryption and an SSL client certificate is enforced.
The client certificate's public keys are stored in RACF. The channel parameters are:
DEFINE CHANNEL ('CHLA') +
CHLTYPE(SVRCONN) +
TRPTYPE(TCP) +
DESCR('MQ SVRCONN chl for users') +
QSGDISP(QMGR) +
PUTAUT(DEF) +
MAXMSGL(104857600) +
MCAUSER(' ') +
RCVDATA(' ') +
RCVEXIT(' ') +
SCYDATA(' ') +
SCYEXIT(' ') +
SENDDATA(' ') +
SENDEXIT(' ') +
SSLCAUTH(REQUIRED) +
SSLCIPH('TRIPLE_DES_SHA_US') +
SSLPEER(' ') +
KAINT(AUTO) +
REPLACE
From RACF I have removed a public certificate user and got the following message:
+CSQX632I +MQ1 CSQXRESP SSL certificate has no associated user ID, 315
remote channel ????
- channel initiator user ID used
+CSQX500I +MQ1 CSQXRESP Channel MQCHANN1 started
So, the certificate could not be located, so the CHINIT user id was used. But my understanding is that this connection should fail (because of the parameter SSLCAUTH(REQUIRED)). The PUTAUT(DEF) parameter is left blank intentionally because many users with different userIDs are using the same channel.
Any suggestions? Is this normal behavior? What should I do in order to enforce SSL authentication?
Best Regards, Peter
Peter Geršak
3Gen d.o.o., Tržaška 21, 1000 Ljubljana
M: +386 31 332 787
T: +386 1 42 10 475
E: [EMAIL PROTECTED]