elikatz
Posted: Thu Feb 26, 2009 9:34 am   Post subject: SSL issue - server to server connection
Voyager, Joined: 24 Feb 2009, Posts: 86
Hi,
I have something fishy happening: I have a server-to-server connection over SSL.
The client can connect to us, but we can't start our sender channel.
Here is the error I get on my end (from the FDC), without the real names:
+-----------------------------------------------------------------------------+
| |
| WebSphere MQ First Failure Symptom Report |
| ========================================= |
| |
| Date/Time :- Thu February 26 12:24:54 Eastern Standard Time 2009 |
| Host Name :- [HOSTNAME] (Windows Ver 5.2 Build 3790: Service Pack 1) |
| PIDS :- 5724B4100 |
| LVLS :- 530.12 CSD12 |
| Product Long Name :- WebSphere MQ for Windows |
| Vendor :- IBM |
| Probe Id :- CO272005 |
| Application Name :- MQM |
| Component :- cciTcpSslPerformClientHandshakeLoop |
| Build Date :- Dec 8 2005 |
| CMVC level :- p530-12-L051208 |
| Build Type :- IKAP - (Production) |
| UserID :- ClusterService |
| Process Name :- D:\Program Files\IBM\WebSphere MQ\bin\runmqchl.EXE |
| Process :- 00007016 |
| Thread :- 00000001 |
| QueueManager :- QMGR |
| Major Errorcode :- rrcE_SSL_SSPI_ERROR_HANDSHAKING |
| Minor Errorcode :- OK |
| Probe Type :- MSGAMQ9699 |
| Probe Severity :- 2 |
| Probe Description :- AMQ9699: An unknown error occurred during an SSL |
| security call during SSL handshaking. |
| FDCSequenceNumber :- 0 |
| Comment1 :- [SENDER.CHANNEL] |
| |
| Comment2 :- InitializeSecurityContext |
| |
| Comment3 :- 0x80090327 (An unknown error occurred while processing |
| the cert |
| |
+-----------------------------------------------------------------------------+
any idea?
mqjeff
Posted: Thu Feb 26, 2009 9:38 am
Grand Master, Joined: 25 Jun 2008, Posts: 17447
Sender channels do not connect to Server Connection channels.
elikatz
Posted: Thu Feb 26, 2009 11:04 am
Voyager, Joined: 24 Feb 2009, Posts: 86
I didn't mention a server connection channel.
mqjeff
Posted: Thu Feb 26, 2009 11:07 am
Grand Master, Joined: 25 Jun 2008, Posts: 17447
Well, I misread "server to server connection" then.
What are the channel types involved? What are the SSL properties? Where does it matter that a client connects using SSL?
elikatz
Posted: Thu Feb 26, 2009 12:10 pm
Voyager, Joined: 24 Feb 2009, Posts: 86
No worries... after a second read I guess I would have understood it the same way...
Some answers:
- this is a sender-receiver pair
- SSL using CipherSpec TRIPLE_DASH_SHA_US
- the client's sender channel works fine
mqjeff
Posted: Thu Feb 26, 2009 12:15 pm
Grand Master, Joined: 25 Jun 2008, Posts: 17447
Okay, by "client" you mean "the other queue manager", and not "an MQ client application".
Let me see if I understand your setup now.
You have a queue manager configured with SSL and it has its own certificate, etc. On that queue manager, you have configured a Sender channel TO another qmgr and a Receiver channel FROM that other queue manager.
The other queue manager has a Sender channel TO your Receiver channel, and this functions and has SSL enabled on it.
You are unable to start your Sender channel TO the Receiver channel on the other side; when you try, you get the SSL handshake error you posted.
You need to get the other side to look at their logs and see if they have error messages - this may tell you or them more about what the problem is. Maybe they forgot to add your cert to their keyring, maybe they forgot to configure SSL at all on the receiver; only they can tell you.
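One concrete way to collect the facts mqjeff is asking for (channel types, SSL attributes, key store, current channel status) so the two sides can compare them line by line. This is an added example, not code from the thread or from IBM; the queue manager and channel names are placeholders taken from the FDC above, and it assumes runmqsc is on the PATH of an account in the mqm group. The MQSC commands themselves (DISPLAY QMGR, DISPLAY CHANNEL, DISPLAY CHSTATUS) are standard; only the filtering around them is mine.

```powershell
# Added example (not from the thread): dump the SSL-relevant definitions for a
# sender/receiver pair on one queue manager so both sides can compare them.
# Assumptions: names below are placeholders; runmqsc is on PATH; run as an mqm member.
$Qmgr     = 'QMGR'              # placeholder, as in the FDC
$Sender   = 'SENDER.CHANNEL'    # placeholder, the channel in FDC Comment1
$Receiver = 'RECEIVER.CHANNEL'  # placeholder, the channel the partner sends to

# runmqsc reads MQSC commands from standard input, one per line.
$mqsc = @"
DISPLAY QMGR SSLKEYR SSLCRLNL
DISPLAY CHANNEL($Sender) ALL
DISPLAY CHANNEL($Receiver) ALL
DISPLAY CHSTATUS($Sender) ALL
END
"@

# Keep only the attributes that decide whether the handshake can succeed:
# channel type, every SSL* attribute, the partner address, channel status,
# and any AMQnnnn message runmqsc emits (for example when the status is not found).
$mqsc | runmqsc $Qmgr | Select-String -Pattern 'CHLTYPE|SSL|CONNAME|STATUS|AMQ\d{4}'
```

Run the same script on the partner queue manager with the names swapped; the SSLCIPH values must match exactly on both ends of each channel, and the SSLKEYR line tells you which key store (queue-manager-specific or server-level, as exerk asks later) the handshake actually consults.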
elikatz
Posted: Thu Feb 26, 2009 4:02 pm
Voyager, Joined: 24 Feb 2009, Posts: 86
Apologies for not giving the information clearly...
Everything you write is true.
As for the last line, I think I need to verify that their certificate is installed on my queue manager since it's me sending to them.
The remote queue manager gets error AMQ9699.
I've checked the logs related to Schannel on my queue manager and found the following:
Event Type: Warning
Event Source: Schannel
Event Category: None
Event ID: 36885
Date: 2/25/2009
Time: 1:10:12 AM
User: N/A
Computer: [COMPUTER_NAME]
Description:
When asking for client authentication, this server sends a list of trusted certificate authorities to the client. The client uses this list to choose a client certificate that is trusted by the server. Currently, this server trusts so many certificate authorities that the list has grown too long. This list has thus been truncated. The administrator of this machine should review the certificate authorities trusted for client authentication and remove those that do not really need to be trusted.
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
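The FDC above shows the handshake going through InitializeSecurityContext, i.e. the Windows SSPI/Schannel provider, so the Schannel warning is about the same certificate store the queue manager uses. The event text says the side acting as TLS server sends its list of trusted certificate authorities and truncates that list when it grows too long. The script below, an added example and not part of elikatz's post, estimates how large that list is on a given machine and which entries contribute most, so the review the event asks for can start with real numbers. Assumptions: the issuer list is built from the LocalMachine\Root store, and the size limit is the 16 KB that Microsoft documents for Schannel's trusted-issuer list; both are parameters so they can be adjusted.

```powershell
# Added example (not from the thread): estimate the size of the trusted-issuer
# list Schannel would send in a TLS CertificateRequest and show what fills it.
# Assumptions: list is built from LocalMachine\Root; Schannel's documented
# default limit is 16 KB. Report only; nothing is modified.
param(
    [string]$StorePath = 'Cert:\LocalMachine\Root',
    [int]$LimitBytes   = 16 * 1024
)

$roots = Get-ChildItem -Path $StorePath

# In the CertificateRequest message each trusted CA is sent as the DER-encoded
# subject distinguished name of its certificate, prefixed by a 2-byte length.
$entries = foreach ($c in $roots) {
    [pscustomobject]@{
        Subject    = $c.Subject
        Bytes      = 2 + $c.SubjectName.RawData.Length
        Expired    = ($c.NotAfter -lt (Get-Date))
        Thumbprint = $c.Thumbprint
    }
}

$total = ($entries | Measure-Object -Property Bytes -Sum).Sum
Write-Host ("{0} trusted roots, approx. {1} bytes of issuer list (limit {2} bytes)" -f `
    $entries.Count, $total, $LimitBytes)
if ($total -gt $LimitBytes) {
    Write-Warning "Issuer list exceeds the Schannel limit; peers receive a truncated list (event 36885)."
}

# Expired roots still occupy space in the list and are the first review candidates.
Write-Host "`nExpired roots still present in ${StorePath}:"
$entries | Where-Object Expired | Select-Object Subject, Thumbprint | Format-Table -AutoSize

# Largest contributors first, so the review starts where it saves the most bytes.
Write-Host "`nLargest entries:"
$entries | Sort-Object Bytes -Descending | Select-Object -First 10 Subject, Bytes | Format-Table -AutoSize
```

Run it from an elevated PowerShell on the machine that logged event 36885. It reports and ranks; deciding which roots a given queue manager genuinely needs, and removing them through the normal change process, is the part the event text leaves to the administrator.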
exerk
Posted: Fri Feb 27, 2009 1:39 am
Jedi Council, Joined: 02 Nov 2006, Posts: 6339
elikatz wrote:
> ...As for the last line, I think I need to verify that their certificate is installed on my queue manager since it's me sending them...

That implies they are using a self-signed certificate for their queue manager, or do you mean that you need to check whether their signer CA certificate is within your key store?

elikatz wrote:
> ...When asking for client authentication, this server sends a list of trusted certificate authorities to the client. The client uses this list to choose a client certificate that is trusted by the server. Currently, this server trusts so many certificate authorities that the list has grown too long. This list has thus been truncated. The administrator of this machine should review the certificate authorities trusted for client authentication and remove those that do not really need to be trusted...

There's the answer to your problem I'd say...perhaps clearing out any redundant, i.e. not required, signer certificates from your key store may be of some help - unless you are using a server-level key store?

_________________
It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys.