Author |
Message
|
mqsme |
Posted: Mon Aug 10, 2015 12:58 pm Post subject: Empty ssl key respository |
|
|
 Acolyte
Joined: 16 Sep 2013 Posts: 51
|
I setup a new testing MQ manager. Since it is for testing only, i dont want to enable SSL nor create any cert
- Can i put /MQHA/testmqm/data/qmgrs/testmqm/ssl/key as key repository but not puttinng any key.* in the ssl folder?
- Can i leave key repository empty/space (SSLKEYR) and not puttinng any key.* in the ssl folder?
- however i keep hitting AMQ9660: SSL key repository: password stash file absent or unusable every minute. is it because a MQ client is connecting to my MQ manager but expect to exchange SSL cert information?
Thanks! |
|
Back to top |
|
 |
zpat |
Posted: Mon Aug 10, 2015 1:19 pm Post subject: |
|
|
 Jedi Council
Joined: 19 May 2001 Posts: 5866 Location: UK
|
You do not need a keystore, if your MQ clients (or other QM channels) do not attempt to use SSL and if your non-SSL client channel definition doesn't reference a cipher name, or have authentication "required" set. _________________ Well, I don't think there is any question about it. It can only be attributable to human error. This sort of thing has cropped up before, and it has always been due to human error. |
|
Back to top |
|
 |
mqsme |
Posted: Mon Aug 10, 2015 2:15 pm Post subject: |
|
|
 Acolyte
Joined: 16 Sep 2013 Posts: 51
|
same as what i thought. I don't have any keystore in ssl folder. however i keep hitting AMQ9660 on MQ server when MQ client applicaiton on |
|
Back to top |
|
 |
fjb_saper |
Posted: Tue Aug 11, 2015 5:11 am Post subject: |
|
|
 Grand High Poobah
Joined: 18 Nov 2003 Posts: 20756 Location: LI,NY
|
zpat wrote: |
You do not need a keystore, if your MQ clients (or other QM channels) do not attempt to use SSL and if your non-SSL client channel definition doesn't reference a cipher name, or have authentication "required" set. |
Not quite. If you have ANY type of SSL going on, on the queue manager, you will need a qmgr certificate at the minimum. This means a valid key.kdb or whatever name you provided in the qmgr config.
Nothing to do with the REQUIRED parameter for SSL authentication.
This parameter will only determine whether the client needs to present a cert to the MQ server (qmgr) or not.
Agreed it is irrelevant if the channel is not set up for authentication at all (blank Cipherspec).  _________________ MQ & Broker admin |
|
Back to top |
|
 |
mqjeff |
Posted: Tue Aug 11, 2015 5:23 am Post subject: |
|
|
Grand Master
Joined: 25 Jun 2008 Posts: 17447
|
You need a keystore if you use SSL.
You need a trust store if you use SSL.
They don't have to contain certs, if you are using very specific ssl algorithms.
If you don't need to secure your channels at all, then don't use SSL in the first place. |
|
Back to top |
|
 |
mqsme |
Posted: Tue Aug 11, 2015 10:30 am Post subject: |
|
|
 Acolyte
Joined: 16 Sep 2013 Posts: 51
|
actually here is my MQM SSL settings
ROUTEREC(MSG) SCHINIT(QMGR)
SCMDSERV(QMGR) SSLCRLNL( )
SSLCRYP( ) SSLEV(DISABLED)
SSLFIPS(NO) SSLKEYR( )
SSLRKEYC(0) STATACLS(QMGR)
and channel SSL settings
RCVDATA( ) RCVEXIT( )
SCYDATA( ) SCYEXIT( )
SENDDATA( ) SENDEXIT( )
SHARECNV(10) SSLCAUTH(OPTIONAL)
SSLCIPH( ) SSLPEER( )
TRPTYPE(TCP)
so i have none of files under /MQHA/testmqm/data/qmgrs/testmqm/ssl/key
is it sufficient to tell my continuous AMQ9660 error is because the client is keep trying to exchange any SSL information to my MQM server? |
|
Back to top |
|
 |
bruce2359 |
Posted: Tue Aug 11, 2015 12:20 pm Post subject: |
|
|
 Poobah
Joined: 05 Jan 2008 Posts: 9469 Location: US: west coast, almost. Otherwise, enroute.
|
Was an FDC file created for this AMQ9660 error? _________________ I like deadlines. I like to wave as they pass by.
ב''ה
Lex Orandi, Lex Credendi, Lex Vivendi. As we Worship, So we Believe, So we Live. |
|
Back to top |
|
 |
mqsme |
Posted: Tue Aug 11, 2015 1:00 pm Post subject: |
|
|
 Acolyte
Joined: 16 Sep 2013 Posts: 51
|
There is one FDC file yesterday rrcE_BAD_DATA_RECEIVED
AMQ9207: The data received from host 'hostname(ip)' is not valid
but not really related to the AMQ9660 |
|
Back to top |
|
 |
fjb_saper |
Posted: Tue Aug 11, 2015 1:32 pm Post subject: |
|
|
 Grand High Poobah
Joined: 18 Nov 2003 Posts: 20756 Location: LI,NY
|
mqsme wrote: |
is it sufficient to tell my continuous AMQ9660 error is because the client is keep trying to exchange any SSL information to my MQM server? |
That would be one reason for the message...  _________________ MQ & Broker admin |
|
Back to top |
|
 |
bruce2359 |
Posted: Tue Aug 11, 2015 2:02 pm Post subject: |
|
|
 Poobah
Joined: 05 Jan 2008 Posts: 9469 Location: US: west coast, almost. Otherwise, enroute.
|
mqsme wrote: |
There is one FDC file yesterday rrcE_BAD_DATA_RECEIVED
AMQ9207: The data received from host 'hostname(ip)' is not valid
but not really related to the AMQ9660 |
Post the first 100 lines from the FDC here.
Are these new channels? _________________ I like deadlines. I like to wave as they pass by.
ב''ה
Lex Orandi, Lex Credendi, Lex Vivendi. As we Worship, So we Believe, So we Live. |
|
Back to top |
|
 |
PeterPotkay |
Posted: Tue Aug 11, 2015 4:55 pm Post subject: |
|
|
 Poobah
Joined: 15 May 2001 Posts: 7722
|
mqjeff wrote: |
They don't have to contain certs, if you are using very specific ssl algorithms.
|
Jeff, please explain. _________________ Peter Potkay
Keep Calm and MQ On |
|
Back to top |
|
 |
fjb_saper |
Posted: Wed Aug 12, 2015 4:38 am Post subject: |
|
|
 Grand High Poobah
Joined: 18 Nov 2003 Posts: 20756 Location: LI,NY
|
I am thinking here Kerberos encryption?  _________________ MQ & Broker admin |
|
Back to top |
|
 |
mqjeff |
Posted: Wed Aug 12, 2015 5:53 am Post subject: |
|
|
Grand Master
Joined: 25 Jun 2008 Posts: 17447
|
fjb_saper wrote: |
I am thinking here Kerberos encryption?  |
Well. I was vaguely thinking about NULL cipherspecs. But those probably don't count any more. |
|
Back to top |
|
 |
fjb_saper |
Posted: Wed Aug 12, 2015 6:16 am Post subject: |
|
|
 Grand High Poobah
Joined: 18 Nov 2003 Posts: 20756 Location: LI,NY
|
mqjeff wrote: |
fjb_saper wrote: |
I am thinking here Kerberos encryption?  |
Well. I was vaguely thinking about NULL cipherspecs. But those probably don't count any more. |
Yaeh, none of those are TLS...  _________________ MQ & Broker admin |
|
Back to top |
|
 |
mqsme |
Posted: Wed Aug 12, 2015 10:12 am Post subject: |
|
|
 Acolyte
Joined: 16 Sep 2013 Posts: 51
|
client connect through a new NSSL channel (in running mode) and able to pick up message. At the same time the AMQ9660 does not tell which channel is under 'attack'
"The channel is '????'; in some cases its name cannot be determined and so is
shown as '????'. The channel did not start." |
|
Back to top |
|
 |
|