BizTalk Server 2016 CU5 & Host Integration Server 2016 CU2 - Microsoft MQ Client Not Working with SSL

Question

    Hi,

    We successfully configured BizTalk 2016 to use the Microsoft MQ Client when connecting to our queue manager based on IBM MQ 9.0.3.0.

    We have not installed the IBM MQ Client as we wish to use the standalone Microsoft MQ Client.

    However, as soon as we tried to enable SSL we experienced a number of issues...

    Issue #1:

    We were forced to change the SSL Cipher Specification defined on the MQ channel as we encountered the following error on the MQ server.

    The CipherSpec negotiated during the SSL handshake does not match the required CipherSpec for channel <CHANNEL>


    This was in spite of the fact both the MQ channel itself and the SSL Cipher Specification property on our MQSC receive location Transport Properties were set to use 'TLS_RSA_WITH_AES_256_CBC_SHA'. We had to change the MQ channel definition to use 'TLS_RSA_WITH_AES_128_CBC_SHA256' - the property on the BizTalk side appears to be ignored. This is not ideal as we wish to retain the original cipher specification which is standard to our organisation.

    Issue #2:

    The following actions were performed as per our understanding of the Microsoft and IBM documentation:

    Client Side

    • Generated a client certificate store using IBM key manager tool
    • Added our CA certificates as trusted
    • Generated personal client certificate with correct label of ibmwebspheremq<userid> signed by above CA

    Server Side

    • Generated a server certificate store using IBM key manager tool
    • Added our CA certificates as trusted
    • Generated a queue manager server certificate with correct label of ibmwebspheremq<queuemanager> signed by above CA
    • Enabled and verified SSL on queue manager and server-connection channel

    Client Side

    • SSL Key Repository Location property on our MQSC receive location Transport Properties correctly set to path of client certificate store (e.g. KDB) with the file extension not provided as advised
    • Above path granted full control to BizTalk service account

    However, upon enabling the MQSC receive location we encounter the following error on the BizTalk side, which results in the entire host instance crashing and going into a Stopped state:

    Automaton 'QueueManager' Processing Failed. Description: State: HandshakeFailed, Event: StatusData - Exception: unknown status data type.
    
    Application: BTSNTSvc64.exe
    Framework Version: v4.0.30319
    Description: The process was terminated due to an unhandled exception.
    Exception Info: System.InvalidOperationException
       at Microsoft.HostIntegration.MqClient.Automatons.AutomatonQueueManagerStateHandshakeFailed.ActionSetStatusDataRc()
       at Microsoft.HostIntegration.MqClient.Automatons.AutomatonQueueManagerStateHandshakeFailed.Process(Int32 ByRef)
    
    Exception Info: System.InvalidProgramException
       at Microsoft.HostIntegration.MqClient.Automatons.AutomatonQueueManagerStateHandshakeFailed.Process(Int32 ByRef)
       at Microsoft.HostIntegration.Automaton.AutomatonDriverAsCode.ProcessEvent(Int32, Int32)
    
    Exception Info: System.InvalidProgramException
       at Microsoft.HostIntegration.Automaton.AutomatonDriverAsCode.ProcessEvent(Int32, Int32)
       at Microsoft.HostIntegration.MqClient.Automatons.AutomatonQueueManager.ProcessMessageFromTcp(Microsoft.HostIntegration.Automaton.AsynchronousConnectionMessage)
       at Microsoft.HostIntegration.Automaton.ConnectionLocation.ProcessAnyReceivedMessages()
       at Microsoft.HostIntegration.Automaton.AutomatonDriver.ProcessAnyReceivedMessages()
       at Microsoft.HostIntegration.Automaton.AutomatonDriver.ReceiveMessagesThreadProc(System.Object)
       at System.Threading.ExecutionContext.RunInternal(System.Threading.ExecutionContext, System.Threading.ContextCallback, System.Object, Boolean)
       at System.Threading.ExecutionContext.Run(System.Threading.ExecutionContext, System.Threading.ContextCallback, System.Object, Boolean)
       at System.Threading.ExecutionContext.Run(System.Threading.ExecutionContext, System.Threading.ContextCallback, System.Object)
       at System.Threading.ThreadHelper.ThreadStart(System.Object)

    As a result the following error is captured on the MQ server side:

    Channel is lacking a certificate.  

    Due to the lack of public documentation for the Microsoft MQ Client, we are finding troubleshooting incredibly difficult. The error messages above also don't provide a lot of information to go on! Any pointers greatly appreciated!

    Regards,

    DB

    Monday, January 7, 2019 2:42 PM
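Issue #2 comes down to the client key repository: whether a personal certificate carries the label the client looks for, whether the signing CA is a trusted entry, and whether the repository files exist at the path given without its extension. The script below is an added example, not code from the post, from IBM's tooling or from the Microsoft MQ Client. It parses the output of `runmqakm -cert -list` (the format assumed here is the GSKit listing with a flag column, a tab and the label) and applies those checks. SAMPLE_LISTING is a constructed listing with invented labels; the label rule of `ibmwebspheremq` followed by the user ID in lowercase is IBM's default convention quoted in the post; `list_certs` and `check_repository_files` assume `runmqakm` is on PATH and that an IBM-format `.kdb` has its `.sth` stash file beside it.

```python
import os
import re
import subprocess
from dataclasses import dataclass

# Constructed sample of `runmqakm -cert -list all -db client.kdb -stashed`
# output; the labels and DNs are invented for this example.
SAMPLE_LISTING = """\
Certificates found
* default, - personal, ! trusted, # secret key
!\t"CN=Example Root CA,O=Example Org"
!\t"CN=Example Issuing CA,O=Example Org"
-\tibmwebspheremqbtssvc
"""

# Entry line: flag column ('*' default, '-' personal, '!' trusted, '#' secret key),
# whitespace, then the label, which GSKit quotes when it contains a DN.
ENTRY = re.compile(r'^([-*!#]+)\s+"?(.*?)"?$')
LEGEND = "default, - personal"


@dataclass(frozen=True)
class CertEntry:
    flags: str
    label: str


def parse_cert_list(text):
    """Parse runmqakm '-cert -list' output (assumed format) into CertEntry objects."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("Certificates found") or LEGEND in line:
            continue
        m = ENTRY.match(line)
        if m:
            entries.append(CertEntry(m.group(1), m.group(2)))
    return entries


def expected_client_label(userid):
    """Default MQ client certificate label: 'ibmwebspheremq' + user ID in lowercase."""
    return "ibmwebspheremq" + userid.lower()


def check_client_repository(listing, userid, required_cas=()):
    """Return a list of findings; an empty list means the listing passes every check."""
    entries = parse_cert_list(listing)
    personal = {e.label for e in entries if "-" in e.flags}
    trusted = {e.label for e in entries if "!" in e.flags}
    findings = []
    label = expected_client_label(userid)
    if label not in personal:
        findings.append(f"no personal certificate labelled '{label}' "
                        f"(personal labels present: {sorted(personal) or 'none'})")
    for ca in required_cas:
        if ca not in trusted:
            findings.append(f"CA '{ca}' is not a trusted entry in the repository")
    return findings


def check_repository_files(stem):
    """The receive location takes the path without extension; report missing .kdb/.sth files."""
    return [stem + ext for ext in (".kdb", ".sth") if not os.path.isfile(stem + ext)]


def list_certs(stem):
    """Run runmqakm against the repository (assumes runmqakm on PATH and a stash file)."""
    result = subprocess.run(
        ["runmqakm", "-cert", "-list", "all", "-db", stem + ".kdb", "-stashed"],
        capture_output=True, text=True, check=True)
    return result.stdout


if __name__ == "__main__":
    # Constructed runs: the first passes, the second reports the missing label.
    for userid in ("BTSSVC", "OtherUser"):
        findings = check_client_repository(
            SAMPLE_LISTING, userid, required_cas=["CN=Example Root CA,O=Example Org"])
        print(userid, "->", findings or "OK")
```

To check a live repository, replace SAMPLE_LISTING with `list_certs(stem)` where `stem` is the same extension-less path configured in the receive location, and run it as the BizTalk service account so the file permissions are exercised as well as the contents.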

All replies

Some further observations in relation to the second point... it appears the issue occurs for two-way SSL authentication, i.e. when the MQ channel has its SSL Client Authentication (SSLCAUTH) property set to Required.

    Having enabled HIS tracing for the MQ Client we can see a connection is established but the SSL handshake appears to fail:

    QueueManager Connect being called
    Port returns <removed>
    Host returns <removed>
    UseSsl returns True
    ChannelName returns <removed>
    Name returns <removed>
    ConnectAs returns 
    AuthorizationUser returns 
    AuthorizationPassword returns a value
    Using User: '<removed>', Channel: 'All'
    Generating new HostToHostConnections instance for UserName: '<removed>'
    Generating new HostConnection instance for UserName: '<removed>', Server: '<removed>'
    Generating new PortConnection instance for UserName: '<removed>', Server: '<removed>', Port: <removed>
    Generating new ChannelQueueManagerCollection instance for UserName: 'ID:<removed>', Server: '<removed>', Port: <removed>, Channel: 'All'
    Generating new ChannelQueueManager instance for UserName: 'ID:<removed>', Server: '<removed>', Port: <removed>, Channel: 'All'
    TCP connection is to Server: <removed>, Port: <removed>
    Connecting
    State: UnConnected, Evt: Connect, Act: ConnectSocket, Post: SucceededSsl, State: DoSslHandshake, Evt: StartHandshake
    State: DoSslHandshake, Evt: StartHandshake, Act: GetSslAndAuthenticate, Post: Succeeded, Evt: Connected
    State: DoSslHandshake, Evt: Connected, Act: SetWaitConnectEvent, State: DataTransferSsl, Evt: StartTransfer
    State: DataTransferSsl, Evt: StartTransfer, Act: SetUpReceive8, Post: ReceiveSucceeded, Stop
    Finished processing Event
    Connect Succeeded
    ChannelQueueManager Share Count: 1
    ChannelQueueManager Automaton QM Count: 1
    Generating new NameQueueManager instance for QM Name: '<removed>'
    Generating new WrappedPooledQueueManager instance for QM Name: '<removed>'
    Queue Manager Name: <removed>, via Channel: <removed>
    Connecting new WrappedPooledQueueManager
    Connecting
    Automaton: QueueManager, Connecting to: Tcp, with Determinant: 1
    Automaton: Tcp, Connected from: QueueManager, Determinant: 1
    State: UnConnected, Evt: Connect, Pre: FirstConversation, Act: ConnectTcp, State: ConnectingTcp, Stop
    Finished processing Event
    State: DataTransferSsl, Evt: QmAttach, Act: Attached, Stop
    Finished processing Event
    State: ConnectingTcp, Evt: Attached, State: Handshake, Evt: Start
    Sending Initial Data
    State: Handshake, Evt: Start, Act: SendFirstInitialData, Stop
    Finished processing Event
    Sending 236 bytes:
    State: DataTransferSsl, Evt: DataToSend, Act: SendDataMarkTime, Post: SendSucceeded, Stop
    Finished processing Event
    Received 28 bytes:
    State: DataTransferSsl, Evt: DataReceived, Pre: ReceiveSucceeded8, Act: ReadSegmentMarkTime, Post: ReceiveSucceeded, Evt: SendToQm
    State: DataTransferSsl, Evt: SendToQm, Act: SendToQueueManager, Post: QmFound, Stop
    Finished processing Event
    Received 0 bytes
    State: DataTransferSsl, Evt: DataReceived, Evt: TcpFailed
    State: DataTransferSsl, Evt: TcpFailed, Act: CloseClientStop, State: FailedData, Evt: TcpFailed
    Failing a connection
    State: FailedData, Evt: TcpFailed, Act: TcpDisconnected, Stop
    Finished processing Event
    State: Handshake, Evt: ServerData, Act: ExtractInitialData, Post: IsStatusData, State: HandshakeFailed, Evt: StatusData
    State: HandshakeFailed, Event: StatusData - Exception: unknown status data type
    unknown status data type
    State: HandshakeFailed, Event: StatusData - Exception: unknown status data type
    unknown status data type
    

    Can someone confirm that the Microsoft MQ Client currently supports two-way SSL please? Previously we have seen two-way SSL work successfully when using the IBM MQ Client in our environment.

    Regards,

    DB

    Monday, January 14, 2019 9:04 AM
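The trace above shows the TLS handshake completing (GetSslAndAuthenticate posts Succeeded) and the connection failing one step later: the client sends its MQ initial data, receives a short reply, then reads zero bytes because the queue manager closed the socket, and the Handshake automaton lands in HandshakeFailed. The parser below is an added example, not part of the post or of the Microsoft MQ Client; it pulls those facts out of a HIS trace so the failing layer can be read off without walking the state transitions by hand. SAMPLE_TRACE is a constructed excerpt modelled on the quoted lines, TLS_FAILURE_VARIANT is a hypothetical trace used to show the other outcome, and the phase names are this example's own.

```python
import re
from dataclasses import dataclass, field

# Constructed excerpt of a HIS MQ Client trace, modelled on the lines quoted in
# the post above (server, port and channel values were removed there).
SAMPLE_TRACE = """\
QueueManager Connect being called
UseSsl returns True
Connecting
State: UnConnected, Evt: Connect, Act: ConnectSocket, Post: SucceededSsl, State: DoSslHandshake, Evt: StartHandshake
State: DoSslHandshake, Evt: StartHandshake, Act: GetSslAndAuthenticate, Post: Succeeded, Evt: Connected
State: DoSslHandshake, Evt: Connected, Act: SetWaitConnectEvent, State: DataTransferSsl, Evt: StartTransfer
Connect Succeeded
Sending Initial Data
Sending 236 bytes:
State: DataTransferSsl, Evt: DataToSend, Act: SendDataMarkTime, Post: SendSucceeded, Stop
Received 28 bytes:
State: DataTransferSsl, Evt: DataReceived, Pre: ReceiveSucceeded8, Act: ReadSegmentMarkTime, Post: ReceiveSucceeded, Evt: SendToQm
Received 0 bytes
State: DataTransferSsl, Evt: DataReceived, Evt: TcpFailed
State: DataTransferSsl, Evt: TcpFailed, Act: CloseClientStop, State: FailedData, Evt: TcpFailed
Failing a connection
State: Handshake, Evt: ServerData, Act: ExtractInitialData, Post: IsStatusData, State: HandshakeFailed, Evt: StatusData
State: HandshakeFailed, Event: StatusData - Exception: unknown status data type
"""

# Hypothetical variant (not from the post): the TLS step itself fails.
TLS_FAILURE_VARIANT = """\
State: UnConnected, Evt: Connect, Act: ConnectSocket, Post: SucceededSsl, State: DoSslHandshake, Evt: StartHandshake
State: DoSslHandshake, Evt: StartHandshake, Act: GetSslAndAuthenticate, Post: Failed, State: FailedData, Evt: SslFailed
"""

# One trace line can chain several State/Evt pairs; capture every key/value on it.
KV = re.compile(r"(State|Evt|Event|Act|Pre|Post): ([A-Za-z0-9]+)")
BYTES = re.compile(r"^(Sending|Received) (\d+) bytes")


@dataclass
class Diagnosis:
    tcp_connected: bool = False
    tls_handshake_ok: bool = False
    bytes_sent: int = 0
    bytes_received: int = 0
    peer_closed: bool = False
    states_reached: list = field(default_factory=list)

    def phase(self):
        """Where the connection attempt stopped, judged from the trace alone."""
        if not self.tcp_connected:
            return "tcp-connect"
        if not self.tls_handshake_ok:
            return "tls-handshake"
        if "HandshakeFailed" in self.states_reached:
            return "mq-channel-handshake"   # TLS done; rejected at the MQ channel level
        return "ok"


def analyze(text):
    d = Diagnosis()
    for raw in text.splitlines():
        line = raw.strip()
        m = BYTES.match(line)
        if m:
            n = int(m.group(2))
            if m.group(1) == "Sending":
                d.bytes_sent += n
            elif n == 0:
                d.peer_closed = True       # zero-length read: the remote side closed the socket
            else:
                d.bytes_received += n
            continue
        pairs = KV.findall(line)
        acts = {k: v for k, v in pairs if k in ("Act", "Post")}
        if acts.get("Act") == "ConnectSocket" and acts.get("Post", "").startswith("Succeeded"):
            d.tcp_connected = True
        if acts.get("Act") == "GetSslAndAuthenticate" and acts.get("Post") == "Succeeded":
            d.tls_handshake_ok = True
        for k, v in pairs:
            if k == "State" and v not in d.states_reached:
                d.states_reached.append(v)
    return d


def report(d):
    return "\n".join([
        f"phase: {d.phase()}",
        f"tcp connected: {d.tcp_connected}, tls handshake ok: {d.tls_handshake_ok}",
        f"mq initial data sent: {d.bytes_sent} bytes, reply: {d.bytes_received} bytes, "
        f"peer closed: {d.peer_closed}",
        "states: " + " -> ".join(d.states_reached),
    ])


if __name__ == "__main__":
    print(report(analyze(SAMPLE_TRACE)))
    print()
    print(report(analyze(TLS_FAILURE_VARIANT)))
```

For the quoted trace the result is `mq-channel-handshake`: the TLS session was established and the rejection came in the MQ-level exchange that follows it. That matches the server-side "Channel is lacking a certificate" message from the first post, which MQ raises after the TLS handshake when SSLCAUTH is Required and no client certificate was presented, so the thing to verify is what certificate (if any) the Microsoft MQ Client offered during the handshake rather than the TCP or TLS configuration.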