| Author |
Message
|
| subilmathews |
 Posted: Thu Feb 28, 2013 3:51 pm Post subject: Delayed Start on SSL enabled MQ channel |
 |
|
Newbie
Joined: 10 Sep 2012
Posts: 4
|
Hi,
I have a SDR/RCR channel where i enabled SSL with same SSLCIPHER on both ends. However after enabling SSL, the channel thinks for around 4 minutes after issusing a start channel. Same case with ping channel command also. No errors in queue manager error logs. After the ~4 min of delay, the channel is in RUNNING status. I removed SSL, the channel start and ping command works normal. looks like the SSL handshake is taking long time for negotiation. Refresh security tried, no luck.
Enabled trace, got AMQ.SSL.TRC, but can't be formatted to read.
Anyone experieced this delayed start? Anything else i can try before contacting IBM. pls advise.
OS: SunOS
Version : SDR - V7, RCVR - V6 |
|
| Back to top |
|
 |
| bruce2359 |
| Posted: Thu Feb 28, 2013 4:20 pm Post subject: |
|
|
Poobah
Joined: 05 Jan 2008
Posts: 9469
Location: US: west coast, almost. Otherwise, enroute.
|
How long does it take to start the channel with ssl not enabled at both ends of the channel?
_________________
I like deadlines. I like to wave as they pass by.
ב''ה
Lex Orandi, Lex Credendi, Lex Vivendi. As we Worship, So we Believe, So we Live. |
|
| Back to top |
|
|
| subilmathews |
| Posted: Thu Feb 28, 2013 4:24 pm Post subject: |
|
|
Newbie
Joined: 10 Sep 2012
Posts: 4
|
| Few seconds. less than 10 sec. |
|
| Back to top |
|
|
| fjb_saper |
| Posted: Thu Feb 28, 2013 8:17 pm Post subject: |
|
|
Grand High Poobah
Joined: 18 Nov 2003
Posts: 20756
Location: LI,NY
|
| subilmathews wrote: |
| Few seconds. less than 10 sec. |
Still huge. Check the Solaris side for slow disk?
Something is wrong in your environment.
Have fun 
_________________
MQ & Broker admin |
|
| Back to top |
|
|
| subilmathews |
| Posted: Thu Feb 28, 2013 8:33 pm Post subject: |
|
|
Newbie
Joined: 10 Sep 2012
Posts: 4
|
'Few seconds' I meant immdediate like other normal channels start. Already checked with Solaris admin , he couldn't find anything fishy. Have a doubt on network, but without SSL, channel works like charm. File system is good too.
If there was any issue with SSL certificate/ signer, channel wouldn't have started. But here it starts and come to running state after the initial delay. Not getting any clue. |
|
| Back to top |
|
|
| fjb_saper |
| Posted: Fri Mar 01, 2013 10:24 pm Post subject: |
|
|
Grand High Poobah
Joined: 18 Nov 2003
Posts: 20756
Location: LI,NY
|
| subilmathews wrote: |
'Few seconds' I meant immdediate like other normal channels start. Already checked with Solaris admin , he couldn't find anything fishy. Have a doubt on network, but without SSL, channel works like charm. File system is good too.
If there was any issue with SSL certificate/ signer, channel wouldn't have started. But here it starts and come to running state after the initial delay. Not getting any clue. |
Check ease of access to CRL (Certificate revocation list). This could be one of the reasons.
_________________
MQ & Broker admin |
|
| Back to top |
|
|
| bruce2359 |
| Posted: Sat Mar 02, 2013 5:17 am Post subject: |
|
|
Poobah
Joined: 05 Jan 2008
Posts: 9469
Location: US: west coast, almost. Otherwise, enroute.
|
Once the SSL-enabled channel successfully starts after 4 minutes or so, if it disconnects (disconnect interval), does it take another 4 minutes to come to RUNNING state? That is, does it take 4 minutes every time? Or just the first time?
_________________
I like deadlines. I like to wave as they pass by.
ב''ה
Lex Orandi, Lex Credendi, Lex Vivendi. As we Worship, So we Believe, So we Live. |
|
| Back to top |
|
|
| Toronto_MQ |
| Posted: Mon Mar 04, 2013 11:00 am Post subject: |
|
|
Master
Joined: 10 Jul 2002
Posts: 263
Location: read my name
|
|
| Back to top |
|
|
| subilmathews |
| Posted: Thu Apr 04, 2013 1:34 pm Post subject: |
|
|
Newbie
Joined: 10 Sep 2012
Posts: 4
|
Thanks everyone for your valuable inputs.
As suspected issue was with OCSP.
As per IBM suggestion we removed the line
OCSPAuthentication=OPTIONAL
and added the below line in qm.ini
OCSPCheckExtensions=NO
That fixed the issue. |
|
| Back to top |
|
|
|
|
