IBM MQ XMS.NET - 2059 Error when connecting

Question

I'm updating an app to connect to IBM MQ over TLS. The current error I'm seeing is a 2059 reason code. The trace log doesn't appear to include more info. Does anyone have suggestions as to what to check?

I've already done the following:

• Established a signed cert and self-signed cert that's been imported onto the client and server

• Enabled the Windows Group Policy as described on this blog - SSL Cipher Suite Order

• Added the properties to specify the cipher spec in the application code:

  factory.SetStringProperty(XMSC.WMQ_CHANNEL, channel);
  factory.SetIntProperty(XMSC.WMQ_CONNECTION_MODE, connectionMode);
  factory.SetStringProperty(XMSC.WMQ_QUEUE_MANAGER, "");
  factory.SetIntProperty(XMSC.WMQ_BROKER_VERSION, brokerVersion);
  factory.SetIntProperty(XMSC.WMQ_CLIENT_RECONNECT_OPTIONS, XMSC.WMQ_CLIENT_RECONNECT);
  factory.SetStringProperty(XMSC.WMQ_SSL_KEY_REPOSITORY, "*SYSTEM");
  factory.SetStringProperty(XMSC.WMQ_SSL_CIPHER_SPEC, "TLS_RSA_WITH_AES_256_CBC_SHA256");
  factory.SetBooleanProperty(XMSC.WMQ_SSL_CERT_REVOCATION_CHECK, false);
  

See the linked exception for more information.

at IBM.XMS.Client.WMQ.Factories.WmqConnectionFactory.CreateV7ProviderConnection(XmsPropertyContext connectionProps)
at IBM.XMS.Client.WMQ.Factories.WmqConnectionFactory.CreateProviderConnection(XmsPropertyContext connectionProps)

Linked Exception : CompCode: 2, Reason: 2059
[23/02/2021 22:52:18:792930 Pacific Standard Time] 00000006 < UOW= source=IBM.XMS.Client.WMQ.Factories.WmqConnectionFactory method=CreateProviderConnection(XmsPropertyContext) [:] org=IBM prod=WebSphere component=Message Service Client for .NET thread=[1 : 0]
exit
[23/02/2021 22:52:18:792930 Pacific Standard Time] 00000006 < UOW= source=IBM.XMS.Client.Impl.XmsConnectionFactoryImpl method=CreateConnection(Stirng,String) [:] org=IBM prod=WebSphere component=Message Service Client for .NET thread=[1 : 0]
exit
[23/02/2021 22:52:18:792930 Pacific Standard Time] 00000006 < UOW= source=IBM.XMS.Client.Impl.XmsConnectionFactoryImpl method=CreateConnection() [:] org=IBM prod=WebSphere component=Message Service Client for .NET thread=[1 : 0]
exit
[2/23/2021 10:52:18 PM ] [                 ] Error       : IBM.XMS.XMSException: CWSMQ0006E: An exception was received during the call to the method ConnectionFactory.CreateConnection: CompCode: 2, Reason: 2059.
During execution of the specified method an exception was thrown by another component.
See the linked exception for more information.
   at IBM.XMS.Client.WMQ.Factories.WmqConnectionFactory.CreateProviderConnection(XmsPropertyContext connectionProps)
   at IBM.XMS.Client.Impl.XmsConnectionFactoryImpl.CreateConnection(String userID, String password)
   at IBM.XMS.Client.Impl.XmsConnectionFactoryImpl.CreateConnection()

Trace showing SSL Auth:

[23/02/2021 22:52:18:777298 Pacific Standard Time] 00000006 d UOW= source=IBM.WMQ.Nmqi.MQEncryptedSocket org=IBM prod=WebSphere component=Message Service Client for .NET thread=[1 : 0]
TLS12 supported - True
[23/02/2021 22:52:18:777298 Pacific Standard Time] 00000006 d UOW= source=IBM.WMQ.Nmqi.MQEncryptedSocket org=IBM prod=WebSphere component=Message Service Client for .NET thread=[1 : 0]
Setting SslProtol as Tls12
[23/02/2021 22:52:18:777298 Pacific Standard Time] 00000006 d UOW= source=IBM.WMQ.Nmqi.MQEncryptedSocket org=IBM prod=WebSphere component=Message Service Client for .NET thread=[1 : 0]
Starting SSL Authentication
[23/02/2021 22:52:18:777298 Pacific Standard Time] 00000006 > UOW= source=IBM.WMQ.Nmqi.MQEncryptedSocket method=FixClientCertificate(Object,String,X509CertificateCollection,X509Certificate,String[]) [:] org=IBM prod=WebSphere component=Message Service Client for .NET thread=[1 : 0]
entry
[23/02/2021 22:52:18:777298 Pacific Standard Time] 00000006 d UOW= source=IBM.WMQ.Nmqi.MQEncryptedSocket org=IBM prod=WebSphere component=Message Service Client for .NET thread=[1 : 0]
Client callback has been invoked to find client certificate
[23/02/2021 22:52:18:777298 Pacific Standard Time] 00000006 < UOW= source=IBM.WMQ.Nmqi.MQEncryptedSocket method=FixClientCertificate(Object,String,X509CertificateCollection,X509Certificate,String[]) rc=OK [:] org=IBM prod=WebSphere component=Message Service Client for .NET thread=[1 : 0]
exit
[23/02/2021 22:52:18:777298 Pacific Standard Time] 00000006 > UOW= source=IBM.WMQ.Nmqi.MQEncryptedSocket method=FixClientCertificate(Object,String,X509CertificateCollection,X509Certificate,String[]) [:] org=IBM prod=WebSphere component=Message Service Client for .NET thread=[1 : 0]
entry
[23/02/2021 22:52:18:777298 Pacific Standard Time] 00000006 d UOW= source=IBM.WMQ.Nmqi.MQEncryptedSocket org=IBM prod=WebSphere component=Message Service Client for .NET thread=[1 : 0]
Client callback has been invoked to find client certificate
[23/02/2021 22:52:18:777298 Pacific Standard Time] 00000006 < UOW= source=IBM.WMQ.Nmqi.MQEncryptedSocket method=FixClientCertificate(Object,String,X509CertificateCollection,X509Certificate,String[]) rc=OK [:] org=IBM prod=WebSphere component=Message Service Client for .NET thread=[1 : 0]
exit
[23/02/2021 22:52:18:777298 Pacific Standard Time] 00000006 > UOW= source=IBM.WMQ.Nmqi.MQEncryptedSocket method=ClientValidatingServerCertificate(Object,X509Certificate,X509Chain,SslPolicyErrors) [:] org=IBM prod=WebSphere component=Message Service Client for .NET thread=[1 : 0]
entry
[23/02/2021 22:52:18:777298 Pacific Standard Time] 00000006 d UOW= source=IBM.WMQ.Nmqi.MQEncryptedSocket org=IBM prod=WebSphere component=Message Service Client for .NET thread=[1 : 0]
Client did not specify a SSLPEERNAME, hence SSLPeerNameMatching not done
[23/02/2021 22:52:18:777298 Pacific Standard Time] 00000006 < UOW= source=IBM.WMQ.Nmqi.MQEncryptedSocket method=ClientValidatingServerCertificate(Object,X509Certificate,X509Chain,SslPolicyErrors) rc=OK [:] org=IBM prod=WebSphere component=Message Service Client for .NET thread=[1 : 0]
exit
[23/02/2021 22:52:18:777298 Pacific Standard Time] 00000006 d UOW= source=IBM.WMQ.Nmqi.MQEncryptedSocket org=IBM prod=WebSphere component=Message Service Client for .NET thread=[1 : 0]
SSL Authentication completed

Server Log

AMQ9631E: The CipherSpec negotiated during the SSL handshake does not match the
required CipherSpec for channel 'MQEXPLORER.CHL'.

EXPLANATION:
There is a mismatch between the CipherSpecs on the local and remote ends of
channel 'MQEXPLORER.CHL'. The channel will not run until this mismatch is
resolved. The CipherSpec required in the local channel definition is
'TLS_RSA_WITH_AES_256_CBC_SHA256'. The name of the CipherSpec negotiated during
the SSL handshake is 'TLS_RSA_WITH_AES_128_CBC_SHA256'. A code is displayed if
the name of the negotiated CipherSpec cannot be determined.
ACTION:
Change the channel definitions for 'MQEXPLORER.CHL' so the two ends have
matching CipherSpecs and restart the channel. If the certificate in use by one
end of the channel is a Global Server Certificate, then the negotiated
CipherSpec may not match that specified on either end of the channel. This is
because the SSL protocol allows a Global Server Certificate to automatically
negotiate a higher level of encryption. In these cases specify a CipherSpec
which meets the requirements of the Global Server Certificate.
enter code here

Update Removing AES_128 from the Windows policy helped resolve the last error, but I'm still seeing a 2059 reason code. The server is saying the certificate wasn't specified but the client trace says otherwise.

Client Trace

[03/03/2021 09:23:51:063098 Pacific Standard Time] 00000006 d UOW= source=IBM.WMQ.Nmqi.MQEncryptedSocket org=IBM prod=WebSphere component=Message Service Client for .NET thread=[1 : 0]
SSL Authentication completed
[03/03/2021 09:23:51:063098 Pacific Standard Time] 00000006 < UOW= source=IBM.WMQ.Nmqi.MQEncryptedSocket method=MakeSecuredConnection() rc=OK [:] org=IBM prod=WebSphere component=Message Service Client for .NET thread=[1 : 0]
exit
[03/03/2021 09:23:51:063098 Pacific Standard Time] 00000006 < UOW= source=IBM.WMQ.MQTCPConnection method=ConnectSocket(string,string,MQLONG) rc=OK [:] org=IBM prod=WebSphere component=Message Service Client for .NET thread=[1 : 0]
exit
[03/03/2021 09:23:51:063098 Pacific Standard Time] 00000006 d UOW= source=IBM.WMQ.MQTCPConnection org=IBM prod=WebSphere component=Message Service Client for .NET thread=[1 : 0]
Protocol connected..for this connection request.

....

[03/03/2021 09:23:51:078705 Pacific Standard Time] 00000006 X UOW= source=IBM.WMQ.MQFAP org=IBM prod=WebSphere component=Message Service Client for .NET thread=[1 : 0]
CompCode: 2, Reason: 2059
[03/03/2021 09:23:51:078705 Pacific Standard Time] 00000006 d UOW= source= org=IBM prod=WebSphere component=Message Service Client for .NET thread=[1 : 0]
New MQException CompCode: 2 Reason: 2059
[03/03/2021 09:23:51:078705 Pacific Standard Time] 00000006 d UOW= source= org=IBM prod=WebSphere component=Message Service Client for .NET thread=[1 : 0]
New NmqiException CompCode: 2 Reason: 2059

Server Log

AMQ9637E: During handshake, the remote partner sent no certificate.

EXPLANATION:
The conversation cannot begin because a certificate has not been supplied by
the remote partner.

The channel name is 'TST.CHL'.

If this error message is written on the receiving side of the channel, then the
channel attributes 'SSLCAUTH' caused the check to be made.
ACTION:
Look at the key repository on the remote side of this channel, and make sure
the appropriate certificates are present, with correct labels.
----- amqccisa.c : 8146 -------------------------------------------------------
03/03/21 09:23:51 - Process(140687.1923660) User(mqsystem) Program(amqrmppa)

AMQ9999E: Channel 'TST.CHL' to <host> ended abnormally.

EXPLANATION:
The channel program running under process ID 140687 for channel 'TST.CHL' ended
abnormally. The host name is '<>; in some cases the host name cannot
be determined and so is shown as '????'.

Answer 1

I'm assuming you are trying to connect in managed connection mode using stand alone client.

If so the only way I was able to use IBM MQ over TLS was by setting SSLKey repository and Cipher spec as environment variables rather than connection configuration.

Also make sure your certificate has correct label set

See docs for ref: https://www.ibm.com/support/knowledgecenter/SSFKSJ_9.1.0/com.ibm.mq.dev.doc/q120700_.html https://www.ibm.com/support/knowledgecenter/SSFKSJ_9.1.0/com.ibm.mq.pro.doc/q014220_.html

Answer 2

I faced the same problem and followed few IBM MQ support articles to resolve the problem.

Our C#.Net application was using IBM MQ .Net Client version 8 and queue manager was less than v9.2. One fine day server admins upgraded to 9.2 and our application started receiving:

AMQ9631E: The CipherSpec negotiated during the SSL handshake does not match the required CipherSpec for channel 'channel name'

Our application was connecting to a Channel over TLS1.2 and Cipher Spec was TLS_RSA_WITH_AES_128_CBC_SHA256.

We followed below two articles to solve our problem. Please note our application is hosted on Windows Server 2016 and the default TLS version is TLS 1.2.

1. https://www.ibm.com/support/pages/tls-cipher-specification-order-changed-mq-92
2. https://www.ibm.com/docs/en/ibm-mq/9.2?topic=cipherspecs-cipherspec-order-in-tls-handshake

Exact steps that we followed:

1. Server admins created a new channel with Cipher Spec TLS_RSA_WITH_AES_256_GCM_SHA384

2. Upgraded Client application to use IBMMQDotnetClient v9.3. and used standard for .NET Framework 4.8.