MQSeries.net Forum Index » General IBM MQ Support » SSL Failures

blovell
Posted: Fri Jul 10, 2015 3:53 am    Post subject: SSL Failures


I have been working with a specific client that is unable to establish an SSL connection from their SDR to my RCVR. (Vice versa works without issue.) The signer certificate has been loaded to my key repository and the certificate works when my SDR to their RCVR is started.

Any attempt for them to start their SDR results in a local error on their side stating:

CSQXRCTL SSL certificate failed remote check. (Not confident what MQ release they use.)


I am currently on MQ 7.0.1.3 (x386 on RHEL 4), and the AMQ alerts I am receiving show:
----- amqrmrsa.c : 524 --------------------------------------------------------
07/10/2015 11:51:21 AM - Process(13217.120491457) User(mqm) Program(amqrmppa)
Host(elsfts01.sl.easylink.com)
AMQ9633: Bad SSL certificate for channel '????'.

EXPLANATION:
A certificate encountered during SSL handshaking is regarded as bad for one of
the following reasons:
(a) it was formatted incorrectly and could not be validated
(b) it was formatted correctly but failed validation against the Certification
Authority (CA) root and other certificates held on the local system
(c) it was found in a Certification Revocation List (CRL) on an LDAP server
(d) a CRL was specified but the CRL could not be found on the LDAP server
(e) an OCSP responder has indicated that it is revoked

The channel is '????'; in some cases its name cannot be determined and so is
shown as '????'. The remote host is '172 (172.24.32.9)'. The channel did not
start.
ACTION:
Check which of the possible causes applies on your system. Correct the error,
and restart the channel.

I am completely at a loss. Why would the SSL authentication work in one direction and not another? We are not specifying any PEER filtering so that cannot be the case.
_________________
Bradley M. Lovell
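
An added example, not part of the original thread: a small Python parser for error-log entries like the AMQ9633 one quoted above. It re-joins the wrapped explanation text, treats a channel shown as '????' as undetermined, and counts certificate rejections per remote address. The sample log is constructed (the second entry, the channel name PARTNER.TO.ME and the address 192.0.2.10 are invented), and the timestamp layout is assumed to match the one in the post.

```python
import re
from collections import Counter

# Constructed sample, shortened from the entry layout quoted in the post.
SAMPLE_LOG = """\
07/10/2015 11:51:21 AM - Process(13217.120491457) User(mqm) Program(amqrmppa)
AMQ9633: Bad SSL certificate for channel '????'.
EXPLANATION:
The channel is '????'; in some cases its name cannot be determined and so is
shown as '????'. The remote host is '172 (172.24.32.9)'. The channel did not
start.
----- amqrmrsa.c : 524 --------------------------------------------------------
07/10/2015 11:58:40 AM - Process(13217.120491460) User(mqm) Program(amqrmppa)
AMQ9633: Bad SSL certificate for channel 'PARTNER.TO.ME'.
EXPLANATION:
The channel is 'PARTNER.TO.ME'; in some cases its name cannot be determined
and so is shown as '????'. The remote host is 'partner
(192.0.2.10)'. The channel did not start.
"""

HEADER = re.compile(r"^(\d\d/\d\d/\d{4} \d\d:\d\d:\d\d [AP]M) - Process\(", re.M)
MESSAGE = re.compile(r"^(AMQ\d{4}): (.*)$", re.M)
REMOTE = re.compile(r"The remote host is '([^']*)'")

def parse_entries(text):
    """Split an error log on its timestamp lines; return one dict per entry."""
    starts = [m.start() for m in HEADER.finditer(text)] + [len(text)]
    entries = []
    for begin, end in zip(starts, starts[1:]):
        block = text[begin:end]
        msg = MESSAGE.search(block)
        if msg is None:
            continue
        flat = " ".join(block.split())  # undo the 80-column wrapping
        chan = re.search(r"for channel '([^']*)'", msg.group(2))
        remote = REMOTE.search(flat)
        ip = re.search(r"\(([\d.]+)\)", remote.group(1)) if remote else None
        entries.append({
            "time": HEADER.match(block).group(1),
            "id": msg.group(1),
            # '????' means MQ could not determine the channel name
            "channel": chan.group(1) if chan and chan.group(1) != "????" else None,
            "remote_ip": ip.group(1) if ip else None,
        })
    return entries

def bad_certs_by_peer(entries):
    """Count AMQ9633 rejections per remote address."""
    return Counter(e["remote_ip"] for e in entries if e["id"] == "AMQ9633")
```

When the channel comes back as undetermined, the remote address is the only field in the entry that ties the rejection to a specific partner.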
fjb_saper
Posted: Fri Jul 10, 2015 8:35 am    Post subject:


Can you establish a non-SSL connection on the failing channel?
Sometimes there is a FW that does not allow some inbound stuff??
What cipher are you using? What is the key length of the "bad cert"?

Having the outbound channel work does not necessarily mean that the client cert is used. You may have one-way encryption... Did you check for that?
What is the value of SSLCAUTH on your receiver channel? Does it work if the value of SSLCAUTH is not set to required?

What are the different versions of MQ on each side?



_________________
MQ & Broker admin