MQSeries.net Forum Index » General IBM MQ Support » SSL & key.kdb problems
PhiliB (Novice; joined 16 Sep 2004; posts: 21; location: Portsmouth)
Posted: Thu Jun 21, 2007 3:00 am    Post subject: SSL & key.kdb problems

Morning all

I'm having some issues with SSL. A few days ago we had a working env with SSL applied to the channels connecting 3 queue managers. 2 of the certs expired.
I created new certs using the gsk7cmd -create options, extracted the .arm files, deleted the expired certs and added the newly created ones.
I then got a number of AMQ errors; the main one that concerns me is the AMQ9633, which advised the certs weren't created properly.

One of the certs hadn't expired but I still had the arm file handy. So just to be sure, and after backing up the current set, I deleted the key.kdb and accompanying files hoping to clear out any possible clashes.

However .. and this is my main question .. when I went to re-add the .arm file that hadn't expired to the new key database, it said there was already one there:
"A duplicate certificate already exists in the database." ??

Could anyone advise where this might be cached and how it can be cleared. I've tried the refresh security option and the refresh cluster option as well. If a new db was created, where was it getting the info about the original cert?

For ref this is my list of commands that give me SSL cert errors each time, so I'm clearly missing something here .. I've tried all the manuals I can find and searched this forum.

AIX 5.3 fixpack 12
create db
gsk7cmd -keydb -create -db key.kdb -pw xxxxxx -type cms -expire 7000 -stash

create cert
gsk7cmd -cert -create -db key.kdb -pw xxxxxx -label ibmwebspheremqg06ap103 -dn "CN=G06AP103,O=SDCEMEA,C=GB" -size 1024 -x509version 3 -expire 365

extracting the cert
gsk7cmd -cert -extract -db key.kdb -pw xxxxxx -type cms -label ibmwebspheremqg06ap103 -target g06ap103.arm -format ascii

adding the cert to other qmgrs
gsk7cmd -cert -add -db key.kdb -pw xxxxxx -label ibmwebspheremqg06ap103 -file g06ap103.arm -format ascii

The most recent error, of which I have had many!!, is the AMQ9637 - Channel is lacking a certificate; fairly self-explanatory, but buggered if I can see what I'm missing here.

Any help or points in the right direction would be much appreciated

Cheers

Phil

marcin.kasinski (Sentinel; joined 21 Dec 2004; posts: 850; location: Poland / Warsaw)
Posted: Thu Jun 21, 2007 3:06 am    Post subject: Re: SSL & key.kdb problems

What is the name of the QMGR which shows this error?
Can you list all certs from the keystore of this QMGR?
Did you refresh security after updating the keystore?
_________________
Marcin

PhiliB (Novice; joined 16 Sep 2004; posts: 21; location: Portsmouth)
Posted: Thu Jun 21, 2007 3:10 am

Hi Marcin

I listed the certs in the keystore but the one that it said already existed didn't appear, which was odd.
And yes, I've refreshed security each time I've done anything to the keystore.
I'd really rather not recycle the qmgr if possible as this is a production issue. It's all currently working, just without the SSL setting applied to the channels anymore. If however a recycle is def needed I'm sure it could be arranged.

Cheers

Phil

PhiliB (Novice; joined 16 Sep 2004; posts: 21; location: Portsmouth)
Posted: Tue Jun 26, 2007 6:08 am

Hi
I've been able to prove the certs and the keystores are fine, as I have set up a quick SDR/RCVR channel set across the 2 queue managers.

However the problem is that the CLUSTER channels will not accept the connections. One side (QM1 to QM2) complains of AMQ9642, which is seen in both error logs; however the other side complains of AMQ9633, but this is only seen in the QM2 error log.

Is there a command that needs to be run against the cluster for these channels to have the key file updated or accessed correctly?
I have searched and can't find anything obvious, unless the RESET command will help.
I have recycled the qmgr and run the refresh security(*) whenever I could.
Help!!

Rgds
Phil

marcin.kasinski (Sentinel; joined 21 Dec 2004; posts: 850; location: Poland / Warsaw)
Posted: Tue Jun 26, 2007 6:31 am

Quote:

AMQ9633 Bad SSL certificate for channel '&3'.

Explanation: A certificate encountered during SSL handshaking is regarded as bad for one of the following reasons:
(a) it was formatted incorrectly and could not be validated, or
(b) it was formatted correctly but failed validation against the Certification Authority (CA) root and other certificates held on the local system, or
(c) it was found in a Certification Revocation List (CRL) on an LDAP server.
The channel is '&3'; in some cases its name cannot be determined and so is shown as '????'. The channel did not start.
User Response: Check which of the four possible causes applies on your system. Correct the error, and restart the channel.


Quote:
AMQ9642 No SSL certificate for channel '&3'.

Explanation: The channel '&3' did not supply a certificate to use during SSL handshaking, but a certificate is required by the remote queue manager. The channel did not start.
User Response: Ensure that the key repository of the local queue manager has an SSL certificate associated with it. Alternatively, if appropriate, change the remote channel definition so that its SSLCAUTH attribute is set to OPTIONAL.


Have you checked it?
_________________
Marcin

PhiliB (Novice; joined 16 Sep 2004; posts: 21; location: Portsmouth)
Posted: Tue Jun 26, 2007 7:01 am

Hi
Yes, I've been through the checks many times .. however, like I mentioned, I have tested the validity of the certificates by creating a temp set of connections. The difference being the non-working connections are CLUSTER channels.
I'm sure it's probably something simple, but what .. who knows

Rgds
Phil

marcin.kasinski (Sentinel; joined 21 Dec 2004; posts: 850; location: Poland / Warsaw)
Posted: Tue Jun 26, 2007 8:10 am

PhiliB wrote:
Hi
Yes, I've been through the checks many times .. however, like I mentioned, I have tested the validity of the certificates by creating a temp set of connections. The difference being the non-working connections are CLUSTER channels.
I'm sure it's probably something simple, but what .. who knows

Rgds
Phil


Please show definition of these channels and entire error messages.
_________________
Marcin

marcin.kasinski (Sentinel; joined 21 Dec 2004; posts: 850; location: Poland / Warsaw)
Posted: Tue Jun 26, 2007 8:18 am

Hi,

Additional information you can find here:

http://www.ibm.com/developerworks/websphere/library/techarticles/0608_vanstone/0608_vanstone.html

Again,

We need entire context of your problem, logs and definition of channels of both machines.
_________________
Marcin

PhiliB (Novice; joined 16 Sep 2004; posts: 21; location: Portsmouth)
Posted: Wed Jun 27, 2007 1:11 am

Hi Marcin
Appreciate your responses on this one .. this is what I have for the servers 103 and 203

103 Cluster channels
AMQ8441: Display Cluster Queue Manager details.
CLUSQMGR(G06AP103) CLUSTER(PRMWWEXT)
CHANNEL(TO.G06AP103)
CONNAME(g06papp103.crm.ahe.uk.ibm.com(1415))
QMID(G06AP103_2006-05-10_14.24.2 DESCR( )
CLUSTIME(16.55.53) CLUSDATE(2006-05-24)
ALTTIME(13.13.50) ALTDATE(2007-06-26)
TRPTYPE(TCP) DEFTYPE(CLUSRCVR)
QMTYPE(REPOS) MCANAME( )
MODENAME( ) TPNAME( )
BATCHSZ(50) DISCINT(6000)
SHORTRTY(10) SHORTTMR(60)
LONGRTY(999999999) LONGTMR(1200)
SCYEXIT( ) SCYDATA( )
SEQWRAP(999999999) MAXMSGL(4194304)
PUTAUT(DEF) CONVERT(NO)
MCAUSER( ) MCATYPE(THREAD)
MREXIT( ) MRDATA( )
MRRTY(10) MRTMR(1000)
HBINT(300) BATCHINT(0)
NPMSPEED(FAST) NETPRTY(0)
SUSPEND(NO) SSLCIPH(TRIPLE_DES_SHA_US)
SSLCAUTH(REQUIRED) BATCHHB(0)
LOCLADDR( ) KAINT(AUTO)
SSLPEER()
SENDEXIT( )
SENDDATA( )
MSGEXIT( )
MSGDATA( )
RCVEXIT( )
RCVDATA( )
dis clusqmgr(G06AP203)
3 : dis clusqmgr(G06AP203)
AMQ8441: Display Cluster Queue Manager details.
CLUSQMGR(G06AP203) CLUSTER(PRMWWEXT)
CHANNEL(TO.G06AP203)
CONNAME(g06papp203.crm.ahe.uk.ibm.com(1415))
QMID(G06AP203_2006-05-10_14.25.10) DESCR( )
CLUSTIME(13.09.43) CLUSDATE(2007-06-25)
ALTTIME(13.09.43) ALTDATE(2007-06-25)
TRPTYPE(TCP) DEFTYPE(CLUSSDRB)
QMTYPE(REPOS) MCANAME( )
MODENAME( ) TPNAME( )
BATCHSZ(50) DISCINT(6000)
SHORTRTY(10) SHORTTMR(60)
LONGRTY(999999999) LONGTMR(1200)
SCYEXIT( ) SCYDATA( )
SEQWRAP(999999999) MAXMSGL(4194304)
CONVERT(NO) USERID( )
PASSWORD( ) MCAUSER( )
MCATYPE(THREAD) HBINT(300)
BATCHINT(0) NPMSPEED(FAST)
NETPRTY(0) SUSPEND(NO)
STATUS(RETRYING) SSLCIPH(TRIPLE_DES_SHA_US)
SSLCAUTH(REQUIRED) BATCHHB(0)
LOCLADDR( ) KAINT(AUTO)
SSLPEER()
SENDEXIT( )
SENDDATA( )
MSGEXIT( )
MSGDATA( )
RCVEXIT( )
RCVDATA( )


203 channels
dis clusqmgr(G06AP203)
1 : dis clusqmgr(G06AP203)
AMQ8441: Display Cluster Queue Manager details.
CLUSQMGR(G06AP203) CLUSTER(PRMWWEXT)
CHANNEL(TO.G06AP203)
CONNAME(g06papp203.crm.ahe.uk.ibm.com(1415))
QMID(G06AP203_2006-05-10_14.25.10) DESCR( )
CLUSTIME(17.02.2 CLUSDATE(2006-05-24)
ALTTIME(13.13.02) ALTDATE(2007-06-26)
TRPTYPE(TCP) DEFTYPE(CLUSRCVR)
QMTYPE(REPOS) MCANAME( )
MODENAME( ) TPNAME( )
BATCHSZ(50) DISCINT(6000)
SHORTRTY(10) SHORTTMR(60)
LONGRTY(999999999) LONGTMR(1200)
SCYEXIT( ) SCYDATA( )
SEQWRAP(999999999) MAXMSGL(4194304)
PUTAUT(DEF) CONVERT(NO)
MCAUSER( ) MCATYPE(THREAD)
MREXIT( ) MRDATA( )
MRRTY(10) MRTMR(1000)
HBINT(300) BATCHINT(0)
NPMSPEED(FAST) NETPRTY(0)
SUSPEND(NO) SSLCIPH(TRIPLE_DES_SHA_US)
SSLCAUTH(REQUIRED) BATCHHB(0)
LOCLADDR( ) KAINT(AUTO)
SSLPEER()
SENDEXIT( )
SENDDATA( )
MSGEXIT( )
MSGDATA( )
RCVEXIT( )
RCVDATA( )

dis clusqmgr(G06AP103)
3 : dis clusqmgr(G06AP103)
AMQ8441: Display Cluster Queue Manager details.
CLUSQMGR(G06AP103) CLUSTER(PRMWWEXT)
CHANNEL(TO.G06AP103)
CONNAME(g06papp103.crm.ahe.uk.ibm.com(1415))
QMID(G06AP103_2006-05-10_14.24.2 DESCR( )
CLUSTIME(13.48.53) CLUSDATE(2007-06-25)
ALTTIME(13.10.37) ALTDATE(2007-06-25)
TRPTYPE(TCP) DEFTYPE(CLUSSDRB)
QMTYPE(REPOS) MCANAME( )
MODENAME( ) TPNAME( )
BATCHSZ(50) DISCINT(6000)
SHORTRTY(10) SHORTTMR(60)
LONGRTY(999999999) LONGTMR(1200)
SCYEXIT( ) SCYDATA( )
SEQWRAP(999999999) MAXMSGL(4194304)
CONVERT(NO) USERID( )
PASSWORD( ) MCAUSER( )
MCATYPE(THREAD) HBINT(300)
BATCHINT(0) NPMSPEED(FAST)
NETPRTY(0) SUSPEND(NO)
STATUS(RETRYING) SSLCIPH(TRIPLE_DES_SHA_US)
SSLCAUTH(REQUIRED) BATCHHB(0)
LOCLADDR( ) KAINT(AUTO)
SSLPEER()
SENDEXIT( )
SENDDATA( )


Error log extract from 103
06/27/07 09:40:37
AMQ9002: Channel 'TO.G06AP203' is starting.

EXPLANATION:
Channel 'TO.G06AP203' is starting.
ACTION:
None.
-------------------------------------------------------------------------------
06/27/07 09:40:38
AMQ9642: No SSL certificate for channel 'TO.G06AP203'.

EXPLANATION:
The channel 'TO.G06AP203' did not supply a certificate to use during SSL
handshaking, but a certificate is required by the remote queue manager. The
channel did not start.
ACTION:
Ensure that the key repository of the local queue manager or MQ client contains
an SSL certificate which is associated with the queue manager or client.
Alternatively, if appropriate, change the remote channel definition so that its
SSLCAUTH attribute is set to OPTIONAL and it has no SSLPEER value set.
----- amqrfpta.c : 334 --------------------------------------------------------
06/27/07 09:40:38
AMQ9999: Channel program ended abnormally.

EXPLANATION:
Channel program 'TO.G06AP203' ended abnormally.
ACTION:
Look at previous error messages for channel program 'TO.G06AP203' in the error
files to determine the cause of the failure.
----- amqrccca.c : 883 --------------------------------------------------------
06/27/07 09:49:39
AMQ9665: SSL connection closed by remote end of channel '????'.

EXPLANATION:
The SSL connection was closed by the remote end of the channel during the SSL
handshake. The channel is '????'; in some cases its name cannot be determined
and so is shown as '????'. The channel did not start.
ACTION:
Check the remote end of the channel for SSL-related errors. Fix them and
restart the channel.
----- amqccisx.c : 1025 -------------------------------------------------------
06/27/07 09:49:39
AMQ9228: The TCP/IP responder program could not be started.

EXPLANATION:
An attempt was made to start an instance of the responder program, but the
program was rejected.
ACTION:
The failure could be because either the subsystem has not been started (in this
case you should start the subsystem), or there are too many programs waiting
(in this case you should try to start the responder program later). The reason
code was 0.


Error log on 203
06/27/07 09:40:24
AMQ9002: Channel 'TO.G06AP103' is starting.

EXPLANATION:
Channel 'TO.G06AP103' is starting.
ACTION:
None.
-------------------------------------------------------------------------------
06/27/07 09:40:25
AMQ9633: Bad SSL certificate for channel 'TO.G06AP103'.

EXPLANATION:
A certificate encountered during SSL handshaking is regarded as bad for one of
the following reasons:
(a) it was formatted incorrectly and could not be validated, or
(b) it was formatted correctly but failed validation against the Certification
Authority (CA) root and other certificates held on the local system, or
(c) it was found in a Certification Revocation List (CRL) on an LDAP server.

The channel is 'TO.G06AP103'; in some cases its name cannot be determined and
so is shown as '????'. The channel did not start.
ACTION:
Check which of the three possible causes applies on your system. Correct the
error, and restart the channel.
----- amqccisx.c : 1025 -------------------------------------------------------
06/27/07 09:40:25
AMQ9999: Channel program ended abnormally.

EXPLANATION:
Channel program 'TO.G06AP103' ended abnormally.
ACTION:
Look at previous error messages for channel program 'TO.G06AP103' in the error
files to determine the cause of the failure.
----- amqrccca.c : 883 --------------------------------------------------------
06/27/07 09:40:38
AMQ9637: Channel is lacking a certificate.

EXPLANATION:
The channel is lacking a certificate to use for the SSL handshake. The channel
name is 'TO.G06AP203' (if '????' it is unknown at this stage in the SSL
processing). The channel did not start.
ACTION:
Make sure the appropriate certificates are correctly configured in the key
repositories for both ends of the channel.
----- amqccisx.c : 3166 -------------------------------------------------------
06/27/07 09:40:38
AMQ9999: Channel program ended abnormally.

EXPLANATION:
Channel program 'TO.G06AP203' ended abnormally.
ACTION:
Look at previous error messages for channel program 'TO.G06AP203' in the error
files to determine the cause of the failure.
----- amqrmrsa.c : 467 --------------------------------------------------------
06/27/07 09:41:45
AMQ9665: SSL connection closed by remote end of channel '????'.

EXPLANATION:
The SSL connection was closed by the remote end of the channel during the SSL
handshake. The channel is '????'; in some cases its name cannot be determined
and so is shown as '????'. The channel did not start.
ACTION:
Check the remote end of the channel for SSL-related errors. Fix them and
restart the channel.
----- amqccisx.c : 1025 -------------------------------------------------------
06/27/07 09:41:45
AMQ9228: The TCP/IP responder program could not be started.

EXPLANATION:
An attempt was made to start an instance of the responder program, but the
program was rejected.
ACTION:
The failure could be because either the subsystem has not been started (in this
case you should start the subsystem), or there are too many programs waiting
(in this case you should try to start the responder program later). The reason
code was 0.

---------------------------------------------------------

One of the things that did concern me was that I was able to do a dis clusqmgr and get the details (as above), but when I went to take SSL off the channels and did a display clusqmgr, the changes I'd made to the clusrcvr channel did not take effect. I.e. I removed the SSLCIPH and SSLCAUTH was set to optional, and it said changes had been made; a display of the channel showed it had worked, but a display of the clusqmgr said it hadn't .. it's out of sync somewhere along the line .. each time a refresh cluster command has been run.

Cheers

Phil
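As an added example that is not part of the thread or of IBM MQ itself: a small Python parser for AMQERR-style log extracts like the two posted above. It splits an extract into records, pulls the channel name out of the headline or the EXPLANATION text (MQ prints '????' when it cannot name the channel yet), keeps only the SSL handshake failure codes that appear in this thread (AMQ9633, AMQ9637, AMQ9642, AMQ9665), and then lines up records from two queue managers' logs that share a timestamp and channel name. Run over the extracts above, that pairing puts the 09:40:38 AMQ9642 on 103 next to the 09:40:38 AMQ9637 on 203 for TO.G06AP203, i.e. the two ends of one failed handshake. The record layout it assumes (timestamp line, "AMQnnnn:" headline, EXPLANATION/ACTION text, dashed rule) is the one shown in the post; the log text embedded below is constructed, modelled on those extracts with shortened bodies, and the one-line descriptions of the codes paraphrase the EXPLANATION text quoted in the thread.

```python
# Added example, not from the thread: parse AMQERR-style extracts and pair both ends of one failed SSL handshake.
from __future__ import annotations
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

TIMESTAMP_RE = re.compile(r"^\d{2}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}$")
HEADLINE_RE = re.compile(r"^(AMQ\d{4}): (.*)$")
SEPARATOR_RE = re.compile(r"^-{5,}")            # the "----- source.c : line -----" rule
CHANNEL_RE = re.compile(r"[Cc]hannel(?:\s+program|\s+name\s+is)?\s+'([^']*)'")

# SSL handshake failure codes from the thread; the text paraphrases MQ's EXPLANATION.
SSL_CODES = {
    "AMQ9633": "this end rejected the certificate the remote end presented",
    "AMQ9637": "this end has no certificate for the channel in its own key repository",
    "AMQ9642": "remote end presented no certificate, but SSLCAUTH(REQUIRED) demands one",
    "AMQ9665": "remote end closed the connection mid-handshake; its log has the reason",
}

@dataclass
class LogRecord:
    timestamp: str
    code: str
    headline: str
    body: str
    channel: Optional[str]                  # None when MQ printed '????'

def parse_error_log(text: str) -> list[LogRecord]:
    """Record = timestamp line, 'AMQnnnn: headline', EXPLANATION/ACTION text, dashed rule (last one may lack it)."""
    lines, records, i = text.splitlines(), [], 0
    while i < len(lines):
        if not TIMESTAMP_RE.match(lines[i].strip()):
            i += 1
            continue
        timestamp, i = lines[i].strip(), i + 1
        while i < len(lines) and not lines[i].strip():      # tolerate blank lines before the headline
            i += 1
        m = HEADLINE_RE.match(lines[i].strip()) if i < len(lines) else None
        if not m:                           # malformed record: resync on the next timestamp
            continue
        code, headline, i, body = m.group(1), m.group(2), i + 1, []
        while i < len(lines) and not SEPARATOR_RE.match(lines[i]) \
                and not TIMESTAMP_RE.match(lines[i].strip()):
            body.append(lines[i])
            i += 1
        if i < len(lines) and SEPARATOR_RE.match(lines[i]):
            i += 1
        body_text = "\n".join(body).strip()
        found = CHANNEL_RE.search(headline) or CHANNEL_RE.search(body_text)
        channel = found.group(1) if found and found.group(1) != "????" else None
        records.append(LogRecord(timestamp, code, headline, body_text, channel))
    return records

def correlate_handshakes(logs: dict[str, list[LogRecord]]) -> dict[tuple[str, str], list[tuple[str, str]]]:
    """Group SSL failures from several queue managers by (timestamp, channel) so both ends of
    one failed handshake sit together. Only meaningful when the hosts' clocks agree."""
    by_key = defaultdict(list)
    for qmgr, records in logs.items():
        for r in records:
            if r.code in SSL_CODES and r.channel:
                by_key[(r.timestamp, r.channel)].append((qmgr, r.code))
    return {k: v for k, v in by_key.items() if len(v) > 1}

# Constructed samples in the layout of the extracts posted above (bodies shortened).
LOG_103 = """\
06/27/07 09:40:38
AMQ9642: No SSL certificate for channel 'TO.G06AP203'.

EXPLANATION:
The channel 'TO.G06AP203' did not supply a certificate to use during SSL handshaking.
----- amqrfpta.c : 334 --------------------------------------------------------
06/27/07 09:49:39
AMQ9665: SSL connection closed by remote end of channel '????'.

EXPLANATION:
The SSL connection was closed by the remote end during the SSL handshake.
"""
LOG_203 = """\
06/27/07 09:40:25
AMQ9633: Bad SSL certificate for channel 'TO.G06AP103'.

EXPLANATION:
A certificate encountered during SSL handshaking is regarded as bad.
----- amqccisx.c : 1025 -------------------------------------------------------
06/27/07 09:40:38
AMQ9637: Channel is lacking a certificate.

EXPLANATION:
The channel is lacking a certificate to use for the SSL handshake. The channel
name is 'TO.G06AP203' (if '????' it is unknown at this stage). The channel did not start.
----- amqccisx.c : 3166 -------------------------------------------------------
"""

if __name__ == "__main__":
    logs = {"G06AP103": parse_error_log(LOG_103), "G06AP203": parse_error_log(LOG_203)}
    for (ts, ch), ends in correlate_handshakes(logs).items():
        print(ts, ch, "; ".join(f"{q} {c}: {SSL_CODES[c]}" for q, c in ends))
```

Feed it the real AMQERR01.LOG text from each queue manager rather than these samples; the pairing only works when the machines' clocks agree, and a record whose channel is '????' is kept as a record but never paired, since it cannot be tied to a channel.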