The MQ Agent fails to connect to the MQ server when the SSL channel requires client authentication (SSLCAUTH(REQUIRED)).
When the SSL channel is configured with client authentication optional (SSLCAUTH(OPTIONAL)), the agent connects normally; as soon as the channel is set to required client authentication, the connection fails.
Note that connectivity also works when SSL is not used at all, so the failure is specific to the client-certificate exchange.
When a CipherSpec based on SHA or MD5 is configured on channel APM.SSL.SVRCONN, the SSL negotiation between the agent (client) and the MQ server throws a JSSE exception. This occurs even though the MQ server certificate has been added to the agent's truststore and the agent's client certificate has been added to the MQ server.
The following messages are logged in the Agent Log:
[ERROR] [com.wily.powerpack.websphereMQ.agent.MQMonitor.TracerDriverThread] MQMonitor: For configuration instance <user@host> and the drivers(namelist,cluster) an error occurred in sending query to MQ. The target MQ (host:port#) may be down. Reason code 2397 MQRC_JSSE_ERROR
$ openssl s_client -connect <host>:port# -prexit
CONNECTED(00000003)
14815:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:188
The root cause is a combination of two factors:
1) The keystore contains more than one private key: one issued by a local CA and another issued by an OpenSSL CA that the MQ administrator generated. The agent selected the local CA key instead of the OpenSSL CA key that the MQ server requires. This was resolved by reducing the truststore to a single trustedCertEntry and the keystore to a single PrivateKeyEntry, namely the key the MQ server requires.
2) The keystore password is '<password1>' while the private key inside it (alias <key_name>) is protected with a different password, '<password2>'. The agent uses the single keystore.password value for both, so when it starts up and tries to negotiate the MQ SSL connection it fails with key-recovery errors (java.security.UnrecoverableKeyException: Cannot recover key).
Resolution:
Keep a single private key in the keystore (the one issued by the CA the MQ server trusts), and make sure the keystore password and the imported private key's password are identical and match the keystore.password value in MQMonitor.properties.
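As an added example (not code from the original article or from the MQ Agent), the following POSIX shell script checks a keystore for both root causes above and carries out the two resolution steps with keytool. It assumes the agent's keystore and truststore are JKS or PKCS12 files readable by keytool, that the environment variables MQ_KEYSTORE, MQ_TRUSTSTORE, MQ_STORE_PASS and MQ_KEY_ALIAS name them, and it embeds two constructed keytool listings that mirror the broken and the fixed keystore so the entry checks can be exercised offline.

```shell
#!/bin/sh
# Pre-flight check for the two root causes above. Added example; it is not
# part of the original article or of the MQ Agent. Assumptions: the agent's
# keystore and truststore are JKS/PKCS12 files readable by keytool, the
# environment variables MQ_KEYSTORE, MQ_TRUSTSTORE, MQ_STORE_PASS and
# MQ_KEY_ALIAS name them, and the sample listings below are constructed.

# Count the entries of one type ("PrivateKeyEntry" or "trustedCertEntry")
# in `keytool -list` output passed as $1. keytool prints one line per entry
# of the form "alias, <date>, PrivateKeyEntry, ".
count_entries() {
    printf '%s\n' "$1" | grep -c ", $2," || true
}

# Root cause 1: exactly one PrivateKeyEntry must be present. With two keys
# the agent can present the one the MQ server does not trust.
keystore_verdict() {
    n=$(count_entries "$1" PrivateKeyEntry)
    if [ "$n" -eq 1 ]; then
        echo ok
    elif [ "$n" -eq 0 ]; then
        echo "no private key: the agent cannot answer the client-certificate request"
    else
        echo "$n private keys: remove every one except the key the MQ server requires"
    fi
}

# Same check for the truststore: one trustedCertEntry (the MQ server's CA).
truststore_verdict() {
    n=$(count_entries "$1" trustedCertEntry)
    [ "$n" -eq 1 ] && echo ok || echo "$n trusted certificates: reduce to the MQ server CA"
}

# Root cause 2: the agent uses keystore.password for both the store and the
# key. Generating a CSR needs the key, so keytool fails with
# "java.security.UnrecoverableKeyException: Cannot recover key" when the key
# was imported under a different password.
key_password_matches() {
    keytool -certreq -keystore "$1" -alias "$2" \
        -storepass "$3" -keypass "$3" >/dev/null 2>&1
}

# Fix for root cause 2: re-protect the key with the store password.
# $4 is the key's current (different) password.
align_key_password() {
    keytool -keypasswd -keystore "$1" -alias "$2" \
        -storepass "$3" -keypass "$4" -new "$3"
}

# Fix for root cause 1: delete the extraneous PrivateKeyEntry by alias.
remove_key() {
    keytool -delete -keystore "$1" -alias "$2" -storepass "$3"
}

# Constructed listing reproducing the broken keystore: two private keys.
BROKEN_LISTING='Keystore type: JKS
Keystore provider: SUN

Your keystore contains 3 entries

localca_key, Jan 10, 2014, PrivateKeyEntry,
Certificate fingerprint (SHA1): 00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33
mqadmin_openssl_key, Feb 3, 2014, PrivateKeyEntry,
Certificate fingerprint (SHA1): 11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33:44
mqserver_ca, Feb 3, 2014, trustedCertEntry,
Certificate fingerprint (SHA1): 22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33:44:55'

# Constructed listing after the resolution: a single PrivateKeyEntry.
FIXED_LISTING='Keystore type: JKS
Keystore provider: SUN

Your keystore contains 1 entry

mqadmin_openssl_key, Feb 3, 2014, PrivateKeyEntry,
Certificate fingerprint (SHA1): 11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33:44'

# Offline demonstration on the constructed listings.
echo "broken keystore: $(keystore_verdict "$BROKEN_LISTING")"
echo "fixed keystore:  $(keystore_verdict "$FIXED_LISTING")"

# Live check against the agent's real stores, only when they are configured.
if [ -n "${MQ_KEYSTORE:-}" ]; then
    ks=$(keytool -list -keystore "$MQ_KEYSTORE" -storepass "$MQ_STORE_PASS")
    ts=$(keytool -list -keystore "$MQ_TRUSTSTORE" -storepass "$MQ_STORE_PASS")
    echo "keystore:   $(keystore_verdict "$ks")"
    echo "truststore: $(truststore_verdict "$ts")"
    if key_password_matches "$MQ_KEYSTORE" "$MQ_KEY_ALIAS" "$MQ_STORE_PASS"; then
        echo "key password matches keystore.password"
    else
        echo "key password differs from keystore.password: use align_key_password"
    fi
fi
```

Run the script with the four environment variables set to check the real stores; without them it only exercises the constructed listings. One caveat when using openssl s_client as a probe, as the article does: against a channel with client authentication required, an s_client invocation that presents no certificate fails the handshake whatever the agent's keystore looks like, so to localize the fault with openssl, export the agent's key and certificate to PEM (keytool -importkeystore to a PKCS12 file, then openssl pkcs12 -nodes) and pass them with -cert and -key.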