SSL Errors on MQ after DataPower firmware Upgrade
harish_td
Posted: Tue Sep 15, 2009 4:17 am    Post subject: SSL Errors on MQ after DataPower firmware Upgrade

Master

Joined: 13 Feb 2006
Posts: 236

All,

We have DP XI50 and MQ 6.0.2.4 running on AIX 5.2. After we did the firmware upgrade to DataPower XI50.3.7.3.5, we notice a lot of connection broken (mqrc 2009) errors. When SSL is disabled the communication between DP and MQ is fine.
It looks like either the firmware upgrade altered the way SSL information is exchanged between the device and MQ or the keystores have now become unusable.

Apart from the firmware upgrade nothing else was changed on either the DP Device or the MQ Server. In fact this service is a daily service and has been working undisturbed for many months now.

Has anyone faced such an issue? We will open a PMR with IBM, but I just wanted to get your views on this issue.

Thanks

On the MQ Server side we see the below errors.
Code:

----- amqccita.c : 3276 -------------------------------------------------------
09/10/09 08:20:43 - Process(995500.990721) User(abcdefgh) Program(amqrmppa)
AMQ9665: SSL connection closed by remote end of channel 'ABCDEFGH'.

EXPLANATION:
The SSL connection was closed by the remote end of the channel during the SSL
handshake. The channel is 'ABCDEFGH'; in some cases its name cannot be
determined and so is shown as '????'. The channel did not start.
ACTION:
Check the remote end of the channel for SSL-related errors. Fix them and
restart the channel.
----- amqccisa.c : 1330 -------------------------------------------------------


Here's a sample of the MQ probe

Code:

| Probe Id          :- CO052000                                               |
| Application Name  :- MQM                                                    |
| Component         :- cciTcpReceive                                          |
| SCCS Info         :- lib/comms/amqccita.c, 1.255.1.32                       |
| Line Number       :- 3437                                                   |
| Build Date        :- May 12 2008                                            |
| CMVC level        :- p600-204-080509                                        |
| Build Type        :- IKAP - (Production)                                    |
| UserID            :- 00001001 (abcdefgh)                                    |
| Program Name      :- amqrmppa                                               |
| Addressing mode   :- 64-bit                                                 |
| Process           :- 958676                                                 |
| Thread            :- 1192812                                                |
| QueueManager      :- abc                                                    |
| ConnId(1) IPCC    :- 5738778                                                |
| ConnId(3) QM-P    :- 2427197                                                |
| Last HQC          :- 3.0.0-613400                                           |
| Last HSHMEMB      :- 0.0.0-0                                                |
| Major Errorcode   :- rrcE_BAD_DATA_RECEIVED                                 |
| Minor Errorcode   :- OK                                                     |
| Probe Type        :- MSGAMQ9207                                             |
| Probe Severity    :- 2                                                      |
| Probe Description :- AMQ9207: The data received from host '8(xxx)' is not valid.               |
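The AMQ9665 entries in the error log quoted above can be tallied per channel to see whether only the DataPower-facing channel is failing its SSL handshake. This is an added example, not part of the original post; the sample log is constructed in the quoted layout, and the function names are hypothetical.

```python
import re
from collections import Counter

# Constructed sample in the error-log layout quoted in the post; every entry
# after the first, and the host name in the AMQ9207 line, are made up.
SAMPLE_LOG = """\
----- amqccita.c : 3276 -------------------------------------------------------
09/10/09 08:20:43 - Process(995500.990721) User(abcdefgh) Program(amqrmppa)
AMQ9665: SSL connection closed by remote end of channel 'ABCDEFGH'.

EXPLANATION:
The SSL connection was closed by the remote end of the channel during the SSL
handshake. The channel is 'ABCDEFGH'; in some cases its name cannot be
----- amqccisa.c : 1330 -------------------------------------------------------
09/10/09 08:21:02 - Process(995500.990722) User(abcdefgh) Program(amqrmppa)
AMQ9665: SSL connection closed by remote end of channel '????'.
----- amqccisa.c : 1330 -------------------------------------------------------
09/10/09 08:25:10 - Process(995500.990730) User(abcdefgh) Program(amqrmppa)
AMQ9207: The data received from host 'example-host' is not valid.
----- amqccita.c : 3276 -------------------------------------------------------
09/10/09 08:31:55 - Process(995500.990741) User(abcdefgh) Program(amqrmppa)
AMQ9665: SSL connection closed by remote end of channel 'ABCDEFGH'.
"""

SEPARATOR = re.compile(r"^-{5} \S+ : \d+ -+$", re.M)
HEADER = re.compile(r"^(\d\d/\d\d/\d\d \d\d:\d\d:\d\d) - Process\(([\d.]+)\)", re.M)
MESSAGE = re.compile(r"^(AMQ\d{4}): (.*)$", re.M)
CHANNEL = re.compile(r"channel '([^']*)'")

def parse_entries(text):
    """Split the log on separator lines; yield (timestamp, msg_id, msg_text)."""
    for chunk in SEPARATOR.split(text):
        head, msg = HEADER.search(chunk), MESSAGE.search(chunk)
        if head and msg:
            yield head.group(1), msg.group(1), msg.group(2)

def ssl_closes_by_channel(text):
    """Count AMQ9665 handshake closes per channel ('????' = name not determined)."""
    counts = Counter()
    for _ts, msg_id, msg_text in parse_entries(text):
        if msg_id == "AMQ9665":
            m = CHANNEL.search(msg_text)
            counts[m.group(1) if m else "????"] += 1
    return counts

if __name__ == "__main__":
    for channel, n in ssl_closes_by_channel(SAMPLE_LOG).most_common():
        print(f"{channel}: {n}")
```
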
SAFraser
Posted: Tue Sep 15, 2009 7:38 am

Shaman

Joined: 22 Oct 2003
Posts: 742
Location: Austin, Texas, USA

We have only just started with Datapower in a sandbox lab, so I cannot offer any experience at all. But please, when you get the fix, would you be good enough to post it for all of us?

And, thank you for a very well done post, lots of information is included with your question.
JosephGramig
Posted: Tue Sep 15, 2009 12:47 pm

Grand Master

Joined: 09 Feb 2006
Posts: 1244
Location: Gold Coast of Florida, USA

Well, apply maintenance 6.02.7.

* check tcp_nodelayack=1, this is not the default and could delay up to 200ms
no -a | grep tcp_nodelayack

* to set tcp_nodelayack, as root run
no -p -o tcp_nodelayack=1
harish_td
Posted: Tue Sep 15, 2009 11:07 pm

Master

Joined: 13 Feb 2006
Posts: 236

Thanks Joseph for the helpful pointer.

I also noticed the below technote:

http://www-01.ibm.com/support/docview.wss?uid=swg21385899

We cannot seem to understand how only this service is impacted. This particular MQ Server is reused by a lot of Clients connected via Server Conn channels and Server-Server channels between multiple queue managers. All tied down with SSL with/without encryption.

Even on the DataPower device, multiple services reuse the same certificates and SSL Profiles.

We might not be able to apply the patch at the earliest as this is a PROD server. Same thing goes for the OS Level setting. However we are now testing this out in our test servers.

A PMR is also open. I will keep you posted on what we hear from the powers to be [read: IBM]
harish_td
Posted: Mon Nov 23, 2009 5:17 pm

Master

Joined: 13 Feb 2006
Posts: 236

IBM Support informed us that this is an APAR.

http://www-01.ibm.com/support/docview.wss?uid=swg1IZ57965

Thanks for all the inputs.