Can someone please help me w/ below problem?
Script Reference : https://github.com/ibm-messaging/mq-mqi-nodejs/blob/master/samples/amqsconntls.js
As mentioned in , The SSL/TLS key repository - IBM Documentation
Followed below, for key database creation and added the same certs to kdb file.
Raised a Github issue too : https://github.com/ibm-messaging/mq-mqi-nodejs/issues/188
openssl x509 -inform PEM -in leafcert.cer -out leafcert.crtopenssl x509 -inform PEM -in root.cer -out root.crtrunmqakm -keydb -create -db certstore.kdb -pw Welcome1 -type pkcs12 -expire 1000 -stashrunmqakm -cert -add -label leafcert.cert -db certstore.kdb -pw Welcome1 -trust enable -file leafcert.crtrunmqakm -cert -add -label root.cert -db certstore.kdb -pw Welcome1 -trust enable -file root.crtImported ‘certstore.kdb’ into my script and used properties like below.
this.sco.KeyRepository = '<PATHOFSTH/KDB>';//this.sco.KeyRepoPassword = 'Welcome1'; //This isn't used//this.sco.CertificateLabel = 'leafcert.cert'; //This isn't usedthis.connectionDefinition.SSLCipherSpec = 'ECDHE_RSA_AES_256_GCM_SHA384';/** We arent providing Client SSL Certificate and terming it as optional */this.connectionDefinition.SSLClientAuth = this.MQC.MQSCA_OPTIONAL;Despite of all above properties setup, still facing “MQRC_SSL_INITIALIZATION_ERROR [2393]” error.
Checked in MQLibrary Logs and see below error:
----- amqccisa.c : 10130 ------------------------------------------------------11/10/24 06:02:46 - Process(7444.1) User(userx) Program(node)Host(asadasdas) Installation(MQNI93L24040400P)VRMF(9.3.0.17)Time(2024-11-10T06:02:46.268Z)CommentInsert1([Class=]GSKVALMethod::X509[Issuer=]CN=Entrust Root Certification Authority - G2,OU=(c) 2009 Entrust, Inc. - for authorized use only,OU=See [www.entrust.net/legal-terms,O=Entrust](http://www.entrust.net/legal-terms,O=Entrust/), Inc.,C=US[#=]0ee94cc30000000051d37785[Subject=]CN=Entrust Certification Aut)CommentInsert2(gsk_attribute_get_buffer - GSK_UNKNOWNREVOCATIONSTATUS_SUBJECT)CommentInsert3(EXAMPLE.CHANNEL)AMQ9716E: Remote SSL certificate revocation status check failed for channel'EXAMPLE.CHANNEL'.EXPLANATION:IBM MQ failed to determine the revocation status of the remote SSL certificatefor one of the following reasons:(a) The channel was unable to contact any of the CRL servers or OCSP respondersfor the certificate.(b) None of the OCSP responders contacted knows the revocation status of thecertificate.(c) An OCSP response was received, but the digital signature of the responsecould not be verified.The details of the certificate in question are'[Class=]GSKVALMethod::X509[Issuer=]CN=Entrust Root Certification Authority -G2,OU=(c) 2009 Entrust, Inc. - for authorized use only,OU=See[www.entrust.net/legal-terms,O=Entrust](http://www.entrust.net/legal-terms,O=Entrust/),Inc.,C=US[#=]0ee94cc30000000051d37785[Subject=]CN=Entrust Certification Aut'.The channel name is 'EXAMPLE.CHANNEL'. In some cases the channel name cannot bedetermined and so is shown as '????'. The channel did not start.IBM MQ does not allow the channel to start unless the certificate revocationstatus can be determined.ACTION:If the certificate contains an AuthorityInfoAccess extension, ensure that theOCSP server named in the certificate extension is available and is correctlyconfigured.If the certificate contains a CrlDistributionPoint extension, ensure that theCRL server named in the certificate extension is available and is correctlyconfigured.If you have specified any CRL or OCSP servers to IBM MQ, check that thoseservers are available and are correctly configured.Ensure that the local key repository has the necessary SSL certificates toverify the digital signature of the response from the OCSP server.----- amqccisa.c : 10130 ------------------------------------------------------ Name: IBM MQVersion: 9.3.0.17Level: p930-017-240404BuildType: IKAP - (Production)Platform: IBM MQ for Linux (x86-64 platform)Mode: 64-bitO/S: Linux 4.18.0-553.27.1.el8_10.x86_64O/S Details: Debian GNU/Linux 12 (bookworm)InstName: MQNI93L24040400PInstDesc: IBM MQ V9.3.0.17 (Redistributable)Primary: N/AInstPath: /opt/ibmmqcDataPath: /home/IBM/MQ/dataMaxCmdLevel: 930Ibmmq Nodejs Module:"dependencies": {"ibmmq": "^2.1.0","postinstall": "*" }