SSL authentication has still happened.

The client-connection channel still has a copy of it's personal certificate
on the client machine even though you removed it from the server-connection
machine. The client will still send over this certificate. The fact that
the channel has started means that you must have the CA certificate that
signed the client's certificate in your queue manager key ring.

The message you are seeing tells you that neither a copy of the certificate
(since you removed it), nor a Certifiate Name Filter (CNF) was found
matching the DN of the certificate, so no user could be mapped to it. The
default behaviour when no mapped user ID is found is to use the CHINIT user
ID. This is described in the z/OS System Set-up Guide. This message is an
informational message to let you know a user ID mapping could not be made
(because otherwise it would very difficult to spot mapping failures if you
were trying to use CNF's) it does not indicate that SSL authentication


Morag Hughson
WebSphere MQ for z/OS Development
Telephone: +44 (0) 1962 816900

             Peter Gersak                                                  
             <[EMAIL PROTECTED]                                             
             N.SI>                                                      To 
             Sent by: MQSeries         [EMAIL PROTECTED]             
             List                                                       cc 
             <[EMAIL PROTECTED]                                             
             N.AC.AT>                                              Subject 
                                       MQ on z/OS security (SSL) question. 
             23/11/2004 10:16                                              
             Please respond to                                             
               MQSeries List                                               

I noticed strange MQ SVRCONN channel behavior. Channel is enabled for SSL
encryption and SSL client certificate is enforced.
The client certificate's public keys are stored in RACF. The channel
parameters are:
       TRPTYPE(TCP) +
       DESCR('MQ SVRCONN chl for users') +
       QSGDISP(QMGR) +
       PUTAUT(DEF) +
       MAXMSGL(104857600) +
       MCAUSER(' ') +
       RCVDATA(' ') +
       RCVEXIT(' ') +
       SCYDATA(' ') +
       SCYEXIT(' ') +
       SENDDATA(' ') +
       SENDEXIT(' ') +
       SSLPEER(' ') +
       KAINT(AUTO) +

From RACF I have removed a public certificate user and got the following

+CSQX632I +MQ1 CSQXRESP SSL certificate has no associated user ID, 315
 remote channel ????
 - channel initiator user ID used
+CSQX500I +MQ1 CSQXRESP Channel MQCHANN1 started

So, the certificate could not be located, so the CHINIT user id was used.
But my understanding is that this connection should fail (because of the
parameter SSLCAUTH(REQUIRED)). The PUTAUT(DEF) parameter is left blank
intentionally because many users with different userIDs are using the same

Any suggestions? Is this normal behavior? What should I do in order to
enforce SSL authentication?

Best Regards, Peter

Peter GerÅak
3Gen d.o.o., TrÅaÅka 21, 1000 Ljubljana
M: +386 31 332 787
T: +386 1 42 10 475
E: [EMAIL PROTECTED]"{-®ç-Š‰ì~Šæjv Šx2¢êæj)bž   

Reply via email to