I could successfully connect to IBM MQ from a Camel route and initialize the connection factory bean, but now I want to connect with SSL.
Here is what I tried:
<bean id="MyConnectionFactory" class="com.ibm.mq.jms.MQQueueConnectionFactory">
    <property name="transportType" value="${queue.transportType}" />
    <property name="channel" value="${queue.channel}" />
    <property name="hostName" value="${queue.hostName}" />
    <property name="port" value="${queue.port}" />
    <property name="queueManager" value="${queue.manager}" />
    <property name="sSLCipherSuite" value="SSL_RSA_WITH_NULL_MD5" />
    <property name="sSLCertStores" value="file:C:/Servers/TrustStore/truststore.jks" />
</bean>
But this doesn't work. The following exception was returned:
JMSWMQ0018: Failed to connect to queue manager 'QM_TEST_SSL'
with connection mode 'Client' and host name '10.3.13.161(1415)'.;
nested exception is com.ibm.mq.MQException: JMSCMQ0001:
WebSphere MQ call failed with compcode '2' ('MQCC_FAILED')
reason '2397' ('MQRC_JSSE_ERROR').
Can anyone please help direct me on how to do that?
From a security standpoint, the client should only receive generic error messages which could relate to a number of problems. The best place to find out exactly why your client was rejected is the Queue Manager logs. I would suggest looking there to see if there are any errors that help you further determine the problem. From the info given, I can think of 3 problems it could be:
1. The Queue Manager channel is set with an attribute of SSLCAUTH(REQUIRED); however, from the description you've given here, the client doesn't appear to be using its own certificate to connect. SSLCAUTH(REQUIRED) will mean that the Queue Manager will only accept connections on the particular channel where the client is connecting with a certificate it trusts. Check the channel definition and set SSLCAUTH(OPTIONAL).
2. Depending on your version of IBM MQ, the CipherSpec you have used (SSL_RSA_WITH_NULL_MD5) is considered weak and will not be accepted by default. You can reenable these deprecated CipherSpecs, and the instructions on how to do so can be found on the following Knowledge Center page
3. The truststore "C:/Servers/TrustStore/truststore.jks" is not being picked up by the client and so the client cannot trust the Queue Manager's certificate. Double check the path you have supplied and remove the "file:" you have added to the path (unless you were specifically instructed to include it).
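A client-side pre-flight check for the truststore and cipher suite causes listed in the answer above, as an added example that is not part of the original post or of IBM's code. It uses only JDK classes; the class name MqTlsPreflight and its three command-line arguments are assumptions made for illustration.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.Collections;
import javax.net.ssl.SSLContext;

// Added example (hypothetical helper): run it on the client host with the same JRE as the Camel route.
public class MqTlsPreflight {
    public static void main(String[] args) throws Exception {
        if (args.length != 3) {
            System.err.println("usage: java MqTlsPreflight <truststore> <password> <cipherSuite>");
            System.exit(2);
        }
        String path = args[0];
        String suite = args[2];
        // "file:" is a URL scheme, not part of a filesystem path; strip it before opening the file.
        if (path.startsWith("file:")) {
            path = path.substring("file:".length());
            System.out.println("NOTE: stripped 'file:' prefix, opening " + path);
        }
        // 1. Load the truststore: throws if the file is missing, corrupt, or the password is wrong.
        KeyStore ts = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(path)) {
            ts.load(in, args[1].toCharArray());
        }
        // Count the certificate entries the client would trust, i.e. candidates for the queue manager's CA.
        int trusted = 0;
        for (String alias : Collections.list(ts.aliases())) {
            Certificate cert = ts.getCertificate(alias);
            if (!ts.isCertificateEntry(alias) || !(cert instanceof X509Certificate)) continue;
            X509Certificate x = (X509Certificate) cert;
            trusted++;
            System.out.printf("trusted: alias=%s subject=%s notAfter=%s%n",
                    alias, x.getSubjectX500Principal().getName(), x.getNotAfter());
        }
        if (trusted == 0) {
            System.out.println("FAIL: no trusted certificate entries; the queue manager certificate cannot be validated");
        }
        // 2. Report whether this JVM implements the suite and whether it is enabled by default.
        SSLContext ctx = SSLContext.getDefault();
        boolean supported = Arrays.asList(ctx.getSupportedSSLParameters().getCipherSuites()).contains(suite);
        boolean enabled = Arrays.asList(ctx.getDefaultSSLParameters().getCipherSuites()).contains(suite);
        System.out.printf("cipher suite %s: supported=%b enabledByDefault=%b%n", suite, supported, enabled);
        if (suite.contains("_NULL_")) {
            System.out.println("WARN: NULL suites do not encrypt the channel; message data travels in clear text");
        }
    }
}
```

A clean result here narrows the MQRC_JSSE_ERROR to the queue manager side (for example the SSLCAUTH setting), which the queue manager logs will confirm.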