
WSO2 EI is not sending client certificate with IBM MQ mutual SSL communication #5540

Open
VinothChandran opened this issue Feb 18, 2022 · 0 comments


Hi, I am doing an IBM MQ (9.2) integration from WSO2 EI (6.6.0) by referring to the EI documentation, and it is working fine with one-way SSL authentication. Then I tried mutual authentication and I am getting an SSL handshake exception. After analysing the SSL logs, I found that when the server requests the client certificate, WSO2 is not presenting the certificate. It is sending an empty cert list and it is failing on the IBM MQ side with the error (AMQ9637E: During handshake, the remote partner sent no certificate.).
Below is the configuration I did on the WSO2 side.

  • Imported the server public cert into the client WSO2 trust store and the ESB public cert into the server trust store
  • Put the below section in the axis2.xml file in the passthrough SSL sender

```xml
<profile>
    <servers>server ip address:1414</servers>
    <KeyStore>
        <Location>repository/resources/security/eikeystore.jks</Location>
        <Type>JKS</Type>
        <Password>wso2carbon</Password>
        <KeyPassword>wso2carbon</KeyPassword>
    </KeyStore>
    <TrustStore>
        <Location>repository/resources/security/eiclient-truststore.jks</Location>
        <Type>JKS</Type>
        <Password>wso2carbon</Password>
    </TrustStore>
</profile>
```

WSO2 is not sending the certificate during the handshake; I am getting the below:

```
javax.net.ssl|ALL|E5|PassThroughMessageProcessor-1|2022-02-16 06:35:25.852 EST|X509Authentication.java:190|No X.509 cert selected for RSASSA-PSS
javax.net.ssl|WARNING|E5|PassThroughMessageProcessor-1|2022-02-16 06:35:25.853 EST|CertificateMessage.java:1059|Unavailable authentication scheme: rsa_pss_pss_sha512
javax.net.ssl|ALL|E5|PassThroughMessageProcessor-1|2022-02-16 06:35:25.853 EST|X509Authentication.java:190|No X.509 cert selected for RSA
javax.net.ssl|WARNING|E5|PassThroughMessageProcessor-1|2022-02-16 06:35:25.853 EST|CertificateMessage.java:1059|Unavailable authentication scheme: rsa_pkcs1_sha1
javax.net.ssl|ALL|E5|PassThroughMessageProcessor-1|2022-02-16 06:35:25.853 EST|X509Authentication.java:190|No X.509 cert selected for EC
javax.net.ssl|WARNING|E5|PassThroughMessageProcessor-1|2022-02-16 06:35:25.853 EST|CertificateMessage.java:1059|Unavailable authentication scheme: ecdsa_sha1
javax.net.ssl|WARNING|E5|PassThroughMessageProcessor-1|2022-02-16 06:35:25.854 EST|CertificateMessage.java:1069|No available authentication scheme
javax.net.ssl|DEBUG|E5|PassThroughMessageProcessor-1|2022-02-16 06:35:25.854 EST|CertificateMessage.java:1081|No available client authentication scheme
javax.net.ssl|DEBUG|E5|PassThroughMessageProcessor-1|2022-02-16 06:35:25.854 EST|CertificateMessage.java:1116|Produced client Certificate message (
"Certificate": {
 "certificate_request_context": "",
 "certificate_list": [
]
}
)
```

Note: If I explicitly set the key store like below while starting the WSO2 integrator, then it works. But this setting is at the JVM level, right? So all HTTPS calls from WSO2 will use the keystore.

```
-Djavax.net.ssl.keyStore=customkeystore.jks
-Djavax.net.ssl.keyStorePassword=password
```

Affected product: WSO2 EI 6.6.0

Please let me know if I missed any other configuration in WSO2.
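
A stand-alone diagnostic for the "No X.509 cert selected" lines in the log above, added here as an example; it is not part of the original issue and is not WSO2 or IBM MQ code. It loads a keystore into a key manager scoped to one `SSLContext` (rather than the JVM-wide `-Djavax.net.ssl.keyStore` properties) and asks it which alias it would offer for each key type named in the log. The class name `ClientCertCheck` and the command-line arguments are assumptions.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.util.Collections;
import javax.net.ssl.KeyManager;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.X509KeyManager;

// Hypothetical helper class, not part of WSO2 EI.
public class ClientCertCheck {
    public static void main(String[] args) throws Exception {
        // Usage: java ClientCertCheck <keystore.jks> <storePassword> <keyPassword>
        char[] storePass = args[1].toCharArray();
        char[] keyPass = args[2].toCharArray();

        KeyStore ks = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(args[0])) {
            ks.load(in, storePass);
        }

        // Only private-key entries can be presented as a client certificate;
        // trusted-certificate entries are never offered in a handshake.
        for (String alias : Collections.list(ks.aliases())) {
            System.out.printf("%-30s %s%n", alias,
                    ks.isKeyEntry(alias) ? "private key entry" : "trusted cert entry");
        }

        // Throws UnrecoverableKeyException if the key password does not match.
        KeyManagerFactory kmf =
                KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(ks, keyPass);

        // Ask the key manager for an alias per key type listed in the debug log.
        for (KeyManager km : kmf.getKeyManagers()) {
            if (!(km instanceof X509KeyManager)) continue;
            X509KeyManager x509 = (X509KeyManager) km;
            for (String keyType : new String[] {"RSASSA-PSS", "RSA", "EC"}) {
                // issuers = null accepts any issuer; socket = null adds no constraints
                String alias = x509.chooseClientAlias(new String[] {keyType}, null, null);
                System.out.println(keyType + " -> "
                        + (alias == null ? "no certificate selected" : alias));
            }
        }

        // The key managers apply to this context only, not to every HTTPS call in the JVM.
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), null, null); // null = default trust managers
        System.out.println("SSLContext initialised for " + ctx.getProtocol());
    }
}
```

If every key type prints "no certificate selected", the keystore has no usable private-key entry; if an alias is returned here but the handshake still sends an empty list, the keystore is not the one reaching the connection's key manager.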
