Search code examples
python-3.xibm-mqpymqi

Can not connect to the public queue using SSL via pymqi version for python 3

I’ve managed to establish a connection to a public queue with the older pymqi version for Python2 using the following python code:

import logging

import pymqi

logging.basicConfig(level=logging.INFO)

queue_manager = 'QM1'
channel = 'BZU.UAT.CHNL'
host = '245.274.46.56'
port = '1416'
queue_name = 'BZU.UAT.QUEUE'
conn_info = '%s(%s)' % (host, port)
ssl_cipher_spec = 'TLS_RSA_WITH_3DES_EDE_CBC_SHA'
key_repo_location = 'D:\\App\\BZU\\keydb\\key'
message = 'Hello from Python!'

cd = pymqi.CD()
cd.ChannelName = channel
cd.ConnectionName = conn_info
cd.ChannelType = pymqi.CMQC.MQCHT_CLNTCONN
cd.TransportType = pymqi.CMQC.MQXPT_TCP
cd.SSLCipherSpec = ssl_cipher_spec
cd.UserIdentifier = 'BZU'
cd.Password = ''

sco = pymqi.SCO()
sco.KeyRepository = key_repo_location

qmgr = pymqi.QueueManager(None)
qmgr.connect_with_options(queue_manager, cd, sco)

put_queue = pymqi.Queue(qmgr, queue_name)
put_queue.put(message)

get_queue = pymqi.Queue(qmgr, queue_name)
logging.info('Here is the message again: [%s]' % get_queue.get())

put_queue.close()
get_queue.close()
qmgr.disconnect()

Unfortunately, this code doesn’t work with pymqi version 1.9.3 for Python 3. In this case, I get the following error message:

Traceback (most recent call last):
  File ".\mq_conn_with_ssl.py", line 33, in <module>
    qmgr.connect_with_options(queue_manager, cd, sco)
  File "D:\App\BZU\arn-basis-common\py\pymqi\__init__.py", line 1347, in connect_with_options
    raise MQMIError(rv[1], rv[2])
pymqi.MQMIError: MQI Error. Comp: 2, Reason 2393: FAILED: MQRC_SSL_INITIALIZATION_ERROR

I had to convert all strings in this code to bytes, since the program demanded all strings as bytes . Example:

queue_manager = b'QM1'

In the comments you stated you found the following error in the AMQERR01.LOG file:

AMQ9716: Remote SSL certificate revocation status check failed for channel 'BZU.UAT.CHNL'.
Solution

  • Compare the mqclient.ini file on your working server and on the non-working server for differences in the SSL: stanza that would account for the OCSP check failing.

    The location of the mqclient.ini file can be found in the IBM MQ Knowledge center page IBM MQ>Configuring>Configuring connections between the server and clients>Configuring a client using a configuration file>Location of the client configuration file. See the summary is below:

    1. The location specified by the environment variable MQCLNTCF.
    2. A file called mqclient.ini in the present working directory of the application.
    3. A file called mqclient.ini in the IBM MQ data directory for Windows, UNIX and Linux systems.
    4. A file called mqclient.ini in a standard directory appropriate to the platform, and accessible to users:

    The documentation on the SSL stanza of the mqclient.ini can be found in the IBM MQ Knowledge center page IBM MQ>Configuring>Configuring connections between the server and clients>Configuring a client using a configuration file>SSL stanza of the client configuration file. See the summary is below:

    OCSPAuthentication = OPTIONAL | REQUIRED | WARN

    OCSPCheckExtensions = YES | NO

    SSLHTTPProxyName = string