SSL problems
floring
Posted: Tue Jul 27, 2004 2:45 am Post subject: SSL problems
Hi,
I have a problem with a Java client application (running on WebSphere Application Server on AIX) that connects to a Queue Manager (running on another AIX box) using SSL.
Configuration of SSL is fine on both boxes.
One time out of two, this app is connecting without problems to the Queue Manager.
Other times, on the client, I can see in the app logs a connection failure; the reason code is 2397 (MQ_JSSE_ERROR). Further investigation reveals SSL_HANDSHAKE_FAILURE.
During this time, in the queue manager logs I can see something like this:
----- amqrmrsa.c : 461 --------------------------------------------------------
07/26/04 17:44:05
AMQ9633: Bad SSL certificate for channel '????'.
EXPLANATION:
A certificate encountered during SSL handshaking is regarded as bad for one of
the following reasons:
(a) it was formatted incorrectly and could not be validated, or
(b) it was formatted correctly but failed validation against the Certification
Authority (CA) root and other certificates held on the local system, or
(c) it was found in a Certification Revocation List (CRL) on an LDAP server.
The channel is '????'; in some cases its name cannot be determined and so is
shown as '????'. The channel did not start.
ACTION:
Check which of the three possible causes applies on your system. Correct the
error, and restart the channel.
----- amqccisx.c : 1014 -------------------------------------------------------
07/26/04 17:44:05
AMQ9228: The TCP/IP responder program could not be started.
EXPLANATION:
An attempt was made to start an instance of the responder program, but the
program was rejected.
ACTION:
The failure could be because either the subsystem has not been started (in this
case you should start the subsystem), or there are too many programs waiting
(in this case you should try to start the responder program later). The reason
code was 0.
The strange thing is that this error does not appear always; like I said, 50% of the time it's working. How could the SSL certificate be good one time and the other time become invalid?
My CSD level is 7.
Any suggestions?
Thanks
techno
Posted: Tue Aug 24, 2004 8:54 am Post subject: SSL Passwords file??
I too get 2397. I am using a JKS keystore, using keytool to create a self-signed certificate.
Errors in AMQ log:
AMQ9660: SSL key repository: password stash file absent or unusable.
EXPLANATION:
The SSL key repository cannot be used because MQ cannot obtain a password to
access it. Reasons giving rise to this error include:
(a) the key database file and password stash file are not present in the
location configured for the key repository,
(b) the key database file exists in the correct place but that no password
stash file has been created for it,
(c) the files are present in the correct place but the userid under which MQ is
running does not have permission to read them,
(d) one or both of the files are corrupt.
How does MQ know where the passwords are located? I know that when iKeyman is used, the passwords can be stored to a file. I do not see any such option with Java's keytool?
Thanks
techno
Posted: Tue Aug 24, 2004 2:59 pm Post subject:
When I use iKeyman instead of keytool, I am getting the following error.
Keystore type chosen: CMS.
MQJE001: An MQException occurred: Completion Code 2, Reason 2397
MQJE056: Initial negotiation failure
MQJE001: Completion Code 2, Reason 2397
USRAPP: Root cause = javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: No trusted certificate found
Exception in thread "main" com.ibm.mq.MQException: MQJE001: Completion Code 2, Reason 2397
What may have gone wrong?
techno
Posted: Tue Aug 24, 2004 4:00 pm Post subject:
There looks to be something wrong with the keystore which is trusted by the Java client.
How is this solved?
I copied Java 1.4's cacerts (keystore) to some place and imported the server's self-signed certificate into this cacerts. And changed the
-Djavax.net.ssl.trustStore to D:\docs\keystores\cacerts
Works fine!! Reason: don't know. There may be some problem with the keystore. But I created the keystores, both on Unix (server) and Windows (Java client), using iKeyman...
Anybody have any clues?? Please note that I am not able to open cacerts with iKeyman. Please throw some light.
Thanks
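A way to check the truststore fix described in the post above before running the MQ client, as an added example that is not from this thread and not from IBM's MQ classes: it loads the JKS truststore that -Djavax.net.ssl.trustStore names, loads the queue manager's certificate exported to a file, and asks the same JSSE trust manager the handshake uses whether that certificate chains to a trusted entry, so a "No trusted certificate found" can be reproduced and explained offline. The truststore path, its password and the certificate file are command-line arguments and are assumptions.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

/* Added diagnostic (not from the thread). Usage, with all three paths assumed:
 *   java TrustStoreCheck <truststore.jks> <truststore-password> <qmgr-cert.der>
 * The certificate file is the queue manager's certificate exported from its
 * key repository (iKeyman "Extract Certificate" or keytool -export). */
public class TrustStoreCheck {

    public static void main(String[] args) throws Exception {
        if (args.length != 3) {
            System.err.println("usage: TrustStoreCheck <truststore> <password> <server-cert>");
            System.exit(2);
        }
        // The truststore the client would use via -Djavax.net.ssl.trustStore
        KeyStore ts = KeyStore.getInstance("JKS");
        InputStream tsIn = new FileInputStream(args[0]);
        ts.load(tsIn, args[1].toCharArray());
        tsIn.close();

        // Same trust-manager algorithm (PKIX) the JSSE handshake uses by default
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ts);
        X509TrustManager tm = null;
        for (TrustManager t : tmf.getTrustManagers()) {
            if (t instanceof X509TrustManager) { tm = (X509TrustManager) t; break; }
        }
        System.out.println("Trusted entries in " + args[0] + ": " + tm.getAcceptedIssuers().length);

        // The certificate the queue manager will present during the handshake
        InputStream certIn = new FileInputStream(args[2]);
        X509Certificate serverCert = (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(certIn);
        certIn.close();

        try {
            // Exactly the check that fails with "No trusted certificate found"
            tm.checkServerTrusted(new X509Certificate[] { serverCert }, "RSA");
            System.out.println("OK: " + serverCert.getSubjectX500Principal() + " chains to a trusted entry");
        } catch (CertificateException e) {
            System.out.println("REJECTED: " + e.getMessage());
            System.out.println("  issuer " + serverCert.getIssuerX500Principal() + " is not trusted; import it with:");
            System.out.println("  keytool -import -trustcacerts -alias <alias> -file " + args[2] + " -keystore " + args[0]);
        }
    }
}
```

For a self-signed queue manager certificate the issuer is the certificate itself, so importing that one certificate as a trusted entry is what makes the check (and the MQ handshake) pass; for a CA-signed one, the CA certificate is the entry to import.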
Tibor
Posted: Wed Nov 10, 2004 7:24 am Post subject:
Hi techno,
Did you have success with this problem (Java + SSL)? I'm very confused because we have a lot of SSL-certified connections for MQ, natively. But when I'm trying with MQ clients in a Java environment (AIX, Win) I always get errors.
Tibor