I'm trying to enable two-way SSL encryption between a JMS client and IBM MQ using a server-connection channel called "KAU.CONN". I have already generated the client certificate and the queue manager certificate using two different self-signers. Below are the steps I used to generate the certificates and keys stored on both sides. When the MQ channel's SSLCAUTH option is set to OPTIONAL, connectivity works fine. I'd appreciate any leads on the possible cause.
IBM MQ version = 9.2 (trial version), JDK (JMS client) = 1.8
Error in Eclipse:
Caused by: com.ibm.mq.jmqi.JmqiException: CC=2;RC=2059;AMQ9503: Channel negotiation failed. [3=KAU.CONN]
at com.ibm.mq.jmqi.remote.impl.RemoteConnection.analyseErrorSegment(RemoteConnection.java:4464)
at com.ibm.mq.jmqi.remote.impl.RemoteConnection.receiveTSH(RemoteConnection.java:3199)
at com.ibm.mq.jmqi.remote.impl.RemoteConnection.initSess(RemoteConnection.java:1274)
at com.ibm.mq.jmqi.remote.impl.RemoteConnection.connect(RemoteConnection.java:895)
at com.ibm.mq.jmqi.remote.impl.RemoteConnectionSpecification.getSessionFromNewConnection(RemoteConnectionSpecification.java:416)
at com.ibm.mq.jmqi.remote.impl.RemoteConnectionSpecification.getSession(RemoteConnectionSpecification.java:312)
at com.ibm.mq.jmqi.remote.impl.RemoteConnectionPool.getSession(RemoteConnectionPool.java:146)
at com.ibm.mq.jmqi.remote.api.RemoteFAP.jmqiConnect(RemoteFAP.java:1761)
... 61 more
SSL implementation
QUEUE MANAGER
Commands used to create the CA's certificate
runmqckm -keydb -create -db myCA.kdb -type cms -pw mycakeypassword -stash
runmqckm -cert -create -db myCA.kdb -type cms -label "myCAcertificate" -dn "CN=demmoCA,O=DemmoOrg,OU=DemmoDepartment,L=DemmoLocation,C=UK" -expire 1000 -size 1024
runmqckm -cert -extract -db myCA.kdb -type cms -label "myCAcertificate" -target myCAcertfile.cer -format ascii -stashed
Issuing a certificate to a queue manager
runmqckm -keydb -create -db myqmgr.kdb -type cms -pw kautstpassword -stash
runmqckm -certreq -create -db myqmgr.kdb -type cms -dn "CN=KAU.TST,O=IBM,OU=WMQ,L=Hursley,C=UK" -label "ibmwebspheremqmyqmgr" -file kauqmgercsr.req -stashed
runmqckm -cert -sign -db myCA.kdb -label "myCAcertificate" -expire 365 -format ascii -file kauqmgercsr.req -target kauqmgr.cer -stashed
runmqckm -cert -receive -db myqmgr.kdb -type cms -file kauqmgr.cer -stashed
JMS CLIENT SIDE
Adding the queue manager's certificate (generated above) to the client's keystore (after creating the client's keystore)
keytool -keystore kautstclient.jks -genkey -alias winclientcert -storepass clientpassword
keytool -import -keystore kautstclient.jks -file myCAcertfile.cer -alias myCAcertificate
Creating another CA's keys and certificate for the JMS client
openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365
Generating a certificate for the client
keytool -certreq -v -alias winclientcert -file kauclient.csr -keypass clientpassword -storepass clientpassword -keystore kautstclient.jks
openssl x509 -req -in kauclient.csr -CA cert.pem -CAkey key.pem -CAcreateserial -out kauclientown.crt
keytool -import -v -alias kauclientowncert -file kauclientown.crt -keystore kautstclient.jks -keypass clientpassword -storepass clientpassword
Finally, adding the client certificate's signer certificate to the queue manager's kdb
runmqckm -cert -add -db myqmgr.kdb -file cert.pem -label kauclientsignercertificate
These are my JMS client's SSL property settings:
System.setProperty("javax.net.ssl.trustStorePassword", "clientpassword" );
System.setProperty("javax.net.ssl.keyStorePassword", "clientpassword" );
System.setProperty("javax.net.ssl.keyStore", "D:\\mq-message-handler-1.0\\ssl\\kautstclient.jks" );
System.setProperty("com.ibm.mq.cfg.useIBMCipherMappings", "false" );
System.setProperty("jdk.security.allowNonCaAnchor","true");
System.setProperty("javax.net.ssl.trustStore","D:\\mq-message-handler-1.0\\ssl\\kautstclient.jks");
cf.setStringProperty(WMQConstants.WMQ_SSL_CIPHER_SUITE, "TLS_RSA_WITH_AES_256_GCM_SHA384");
Certificate details in the client's keystore and the qmgr's keystore
- Please note my JMS client is running on Windows, but I used a Linux server to generate the key/cert files, as I'm more familiar with Linux commands.
Certificates in database /tmp/client/kautstclient.jks:
winclientcert
kauclientowncert
mycacertificate
Certificates in database /var/mqm/qmgrs/KAU!TST/ssl/myqmgr.kdb:
ibmwebspheremqmyqmgr
"CN=demmoCA, O=DemmoOrg, OU=DemmoDepartment, L=DemmoLocation, C=UK"
kauclientsignercertificate
[mqm@192 ssl]$ runmqakm -cert -list -db myqmgr.kdb -stashed
Certificates found
* default, - personal, ! trusted, # secret key
! "CN=demmoCA, O=DemmoOrg, OU=DemmoDepartment, L=DemmoLocation, C=UK"
! kauclientsignercertificate
- ibmwebspheremqmyqmgr
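An added diagnostic for the client side (not code from the question or from IBM MQ), assuming the keystore file name and password given above: it loads the JKS and, for each private-key entry (the entry JSSE presents when the channel runs with SSLCAUTH(REQUIRED)), reports the key algorithm and whether the certificate under that alias is still the self-signed one that keytool -genkey created or a CA-issued one whose signer is among the store's trusted entries.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Collections;

// Added diagnostic, not part of the question: lists what each JKS entry really holds.
public class ClientKeyStoreCheck {
    // Returns the trusted entry whose public key verifies `leaf`'s signature, or null if none does.
    static X509Certificate findSigner(KeyStore ks, X509Certificate leaf) throws Exception {
        for (String alias : Collections.list(ks.aliases())) {
            if (!ks.isCertificateEntry(alias)) continue;
            X509Certificate ca = (X509Certificate) ks.getCertificate(alias);
            try {
                leaf.verify(ca.getPublicKey());   // throws unless `ca` signed `leaf`
                return ca;
            } catch (Exception notSigner) { /* try the next trusted entry */ }
        }
        return null;
    }

    public static void main(String[] args) throws Exception {
        // Defaults are the file name and password from the question; override on the command line.
        String path = args.length > 0 ? args[0] : "kautstclient.jks";
        char[] pw = (args.length > 1 ? args[1] : "clientpassword").toCharArray();
        KeyStore ks = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(path)) { ks.load(in, pw); }

        for (String alias : Collections.list(ks.aliases())) {
            if (ks.isKeyEntry(alias)) {
                // A key entry is what JSSE offers the server when the channel has SSLCAUTH(REQUIRED).
                Certificate[] chain = ks.getCertificateChain(alias);
                X509Certificate leaf = (X509Certificate) chain[0];
                boolean selfSigned = leaf.getSubjectX500Principal().equals(leaf.getIssuerX500Principal());
                String verdict = selfSigned
                    ? "SELF-SIGNED: still the certificate keytool -genkey created; no CA-issued cert under this alias"
                    : (findSigner(ks, leaf) == null ? "CA-issued, but issuer not among trusted entries"
                                                    : "CA-issued, signer trusted");
                // keytool -genkey without -keyalg defaults to DSA on JDK 8; check it suits the RSA cipher suite.
                System.out.printf("KEY   %s  keyalg=%s  chain=%d%n      subject=%s%n      issuer=%s%n      %s%n",
                    alias, leaf.getPublicKey().getAlgorithm(), chain.length,
                    leaf.getSubjectX500Principal(), leaf.getIssuerX500Principal(), verdict);
            } else {
                X509Certificate c = (X509Certificate) ks.getCertificate(alias);
                System.out.printf("TRUST %s%n      subject=%s%n", alias, c.getSubjectX500Principal());
            }
        }
    }
}
```

Run it against the same keystore the JMS client points javax.net.ssl.keyStore at; a key entry reported as SELF-SIGNED or with an untrusted issuer is what the queue manager will reject when SSLCAUTH is REQUIRED.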