Anant.v |
Posted: Tue Sep 05, 2017 4:03 am Post subject: Certificate validation failed AMQ9656 |
|
|
 Apprentice
Joined: 26 Nov 2014 Posts: 40 Location: Malaysia
|
Hi All,
Need your advice on an issue that I am facing.
We are in the process of upgrading to MQ fix pack 8.0.0.7. So we have updated the passive node to 8.0.0.7 and failed over the MQ qmgrs to the passive node. The active node has 8.0.0.2.
The issue we faced was that all the QMGR certificates which were working on MQ v8.0.0.2 stopped working on MQ v8.0.0.7, with the MQ logs stating the error below:
09/05/2017 01:11:21 PM - Process(19599.80) User(mqm) Program(amqrmppa)
Host(XXXXXXXXXXXX) Installation(Installation1)
VRMF(8.0.0.7) QMgr(XXXXXXX)
AMQ9656: An invalid SSL certificate was received from the remote system.
EXPLANATION:
An SSL certificate received from the remote system was not corrupt but failed
validation checks on its ASN fields. The channel is '????'; in some cases its
name cannot be determined and so is shown as '????'. The channel did not start.
ACTION:
Ensure that the remote system has a valid SSL certificate. Restart the channel.
Nothing has changed. Same clients, same QMGR kdb works on MQ v8.0.0.2.
Any ideas on this? |
fjb_saper |
Posted: Tue Sep 05, 2017 5:22 am Post subject: |
|
|
 Grand High Poobah
Joined: 18 Nov 2003 Posts: 20756 Location: LI,NY
|
Deprecated cipher specs? No longer satisfying minimum key length requirements?  _________________ MQ & Broker admin |
Anant.v |
Posted: Tue Sep 05, 2017 5:25 am Post subject: |
|
|
 Apprentice
Joined: 26 Nov 2014 Posts: 40 Location: Malaysia
|
Keysize is 1024.
And to allow deprecated ciphers, I have added AllowSSLV3=Y and AllowWeakCipher in the qm.ini stanza |
fjb_saper |
Posted: Tue Sep 05, 2017 6:16 am Post subject: |
|
|
 Grand High Poobah
Joined: 18 Nov 2003 Posts: 20756 Location: LI,NY
|
Anant.v wrote: |
Keysize is 1024.
And to allow deprecated ciphers, I have added AllowSSLV3=Y and AllowWeakCipher in the qm.ini stanza |
Forget about getting a TLS connection with that key size. What Cipher were you using?  _________________ MQ & Broker admin |
Anant.v |
Posted: Tue Sep 05, 2017 7:13 am Post subject: |
|
|
 Apprentice
Joined: 26 Nov 2014 Posts: 40 Location: Malaysia
|
TRIPLE_DES_SHA_US.
I am aware it's too old, but that's what's being used as of now, and so I have added qm.ini entries. |
Vitor |
Posted: Tue Sep 05, 2017 7:43 am Post subject: |
|
|
 Grand High Poobah
Joined: 11 Nov 2005 Posts: 26093 Location: Texas, USA
|
Anant.v wrote: |
TRIPLE_DES_SHA_US. |
You might as well get the channel working by taking off the encryption as use that. The channel will be about as secure.
My cat can crack that.
(We've had to ban him from the PC) _________________ Honesty is the best policy.
Insanity is the best defence. |
Anant.v |
Posted: Tue Sep 05, 2017 7:04 pm Post subject: |
|
|
 Apprentice
Joined: 26 Nov 2014 Posts: 40 Location: Malaysia
|
Guys, it's resolved now. Opened a PMR for it, and the solution was to just change the kdb password and re-stash it.
It works!!!
This can be marked as closed now...
Thanks for your advice!
Cheers
Ananth  |
bruce2359 |
Posted: Wed Sep 06, 2017 3:42 am Post subject: |
|
|
 Poobah
Joined: 05 Jan 2008 Posts: 9469 Location: US: west coast, almost. Otherwise, enroute.
|
This http://www-01.ibm.com/support/docview.wss?uid=swg1IC96853 addresses the ambiguity of the AMQ9656 error. If the kdb can't be opened, then the cert can't be verified. I'd have thought that a manual START CHANNEL attempt would have resulted in a prompt for kdb password. _________________ I like deadlines. I like to wave as they pass by.
ב''ה
Lex Orandi, Lex Credendi, Lex Vivendi. As we Worship, So we Believe, So we Live. |