MQSeries.net Forum Index » IBM MQ Installation/Configuration Support » Windows Schannel Reference Guide and SSL?

hguapluas
Posted: Thu Aug 12, 2004 1:25 pm    Post subject: Windows Schannel Reference Guide and SSL?

Centurion

Joined: 05 Aug 2004
Posts: 105
Location: San Diego

I'm working on Windows MQ 5.3 CSD6 and building a test implementation of SSL-secured channels. One of the errors I am getting is to reference the Schannel Reference Guide. Where is this located? I can't find it, and I know it's been mentioned in other threads by title, but not by location.

Also, in the FDC files, I am getting specific messages but can't find information to help point me in the right direction. Can anybody help?

I created two private certificates using an Enterprise CA authority and imported both into both systems. Assigned appropriate key to each system and set CipherSpec on both S/R channels to match.

Edited parts of FDCs below:

| Major Errorcode :- rrcE_SSL_SSPI_ERROR_HANDSHAKING
| Minor Errorcode :- OK
| Probe Type :- MSGAMQ9699
| Probe Severity :- 2
| Probe Description :- AMQ9699: An unknown error occurred during an SSL security call during SSL handshaking.
| FDCSequenceNumber :- 35
| Comment1 :- ????
| Comment2 :- AcceptSecurityContext
| Comment3 :- 0x80090304 (The Local Security Authority cannot be contacted )
...
--------{ cciTcpSslLoadCertificateFromStore
---------{ cciTcpSslOpenDefaultStore
----------{ cciTcpSslGetDefaultStoreFile
-----------{ cciSslEnterCriticalSection
-----------} cciSslEnterCriticalSection rc=Unknown(1)
-----------{ cciSslLeaveCriticalSection
-----------} cciSslLeaveCriticalSection rc=Unknown(1)
----------} cciTcpSslGetDefaultStoreFile rc=OK
----------{
----------} rc=Unknown(1)
---------} cciTcpSslOpenDefaultStore rc=OK
---------{ cciTcpSslSerialNumberToStr
---------} cciTcpSslSerialNumberToStr rc=OK
--------} cciTcpSslLoadCertificateFromStore rc=OK
-------} cciTcpSslGetQueueManagerCertificate rc=OK
------} cciTcpSslGetCertificate rc=OK
------{ cciTcpSslInitCredentialData
------} cciTcpSslInitCredentialData rc=OK
------{ cciTcpSslAcquireCredentialsHandle
------} cciTcpSslAcquireCredentialsHandle rc=OK
------{ cciTcpSslSetSecurityContextAttr
------} cciTcpSslSetSecurityContextAttr rc=OK
------{ cciTcpSslPerformServerHandshake
-------{ ccxAllocMem
-------} ccxAllocMem rc=OK
-------{ cciTcpSslInitializeSecurityContext
-------} cciTcpSslInitializeSecurityContext rc=OK
-------{ cciTcpSend
--------{ send
--------} send rc=Unknown(14EE)
-------} cciTcpSend rc=OK
-------{ cciTcpReceive
--------{ recv
--------} recv rc=Unknown(655)
-------} cciTcpReceive rc=OK
-------{ cciTcpSslInitializeSecurityContext
-------} cciTcpSslInitializeSecurityContext rc=OK
-------{ cciSslSetInserts
-------} cciSslSetInserts rc=OK
-------{ xcsFFST

This represents the FDC for one of the channels. The FDC for the other channel is the same except for the following info:

| Comment1 :- CH2
| Comment2 :- QueryContextAttributes
| Comment3 :- 0x80090301 (The handle specified is invalid )

The channels do work when SSL is not enabled so I am guessing I am missing some configuration issue or maybe the problem is starting at the OS level?

Any assistance in being pointed in the right direction so I can identify the specific problem(s) and answer(s) would be appreciated.

(I have read the SSL tutorial, used it as my guide and also gone through most of the SSL threads at least once or twice. The Redbooks and Guides I have are not helping much either.)

Cheers
interactivechannel
Posted: Mon Aug 16, 2004 5:41 am

Voyager

Joined: 20 May 2003
Posts: 94
Location: uk

A couple of questions which may not be relevant or intelligent:

Have you imported the public certificate of the CA into the keystores?

Have you altered the CRL parameters?
hguapluas
Posted: Mon Aug 16, 2004 6:27 am

Centurion

Joined: 05 Aug 2004
Posts: 105
Location: San Diego

I am using the MQ Explorer to add the SSL certificates to the QM and Channels. So, I am hoping that the MQ Explorer did both of these. Otherwise, the answer would be no.
interactivechannel
Posted: Mon Aug 16, 2004 6:58 am

Voyager

Joined: 20 May 2003
Posts: 94
Location: uk

When you open Manage SSL Certificates can you see the assigned certificate containing private key AND the CA certificate?
hguapluas
Posted: Mon Aug 16, 2004 9:22 am

Centurion

Joined: 05 Aug 2004
Posts: 105
Location: San Diego

Yes, I can. I see certificates for both systems. The certificate with the private key for QM1 does have the green check symbol on it. On the 2nd system, the certificate for QM2 also has its green check symbol on it. I have assigned the key for QM1 on system 1 and likewise for QM2 on system 2. Cert 1 has also been assigned to system 2 and Cert 2 has been assigned to system 1.

The error I am getting when I try to assign the SSL CipherSpec and start the channels is stored in the QM error logs (not the system logs) and does not generate an FDC (anymore). The error code follows:

8/16/2004 10:15:31
AMQ9002: Channel 'CH2' is starting.

EXPLANATION:
Channel 'CH2' is starting.
ACTION:
None.
-------------------------------------------------------------------------------
8/16/2004 10:15:31
AMQ9698: An SSL security call failed during SSL handshaking.

EXPLANATION:
An SSPI call to the Secure Channel (Schannel) SSL provider failed during SSL
handshaking. The failure has caused WebSphere MQ channel name 'CH2' to be
closed. If the name is '????' then the name is unknown.
ACTION:
Consult the Windows Schannel reference manual to determine the meaning of
status 0x8009030E (No credentials are available in the security package ) for
SSPI call AcquireCredentialsHandle. Correct the failure and if necessary
re-start the channel.
----- amqccisn.c : 2706 -------------------------------------------------------
8/16/2004 10:15:31
AMQ9999: Channel program ended abnormally.

EXPLANATION:
Channel program 'CH2' ended abnormally.
ACTION:
Look at previous error messages for channel program 'CH2' in the error files to
determine the cause of the failure.
----- amqrccca.c : 784 --------------------------------------------------------

What does 0x8009030E mean? Where can I find this and similar error codes in this format? I have tried looking for it in several books unsuccessfully.
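The post above asks what 0x8009030E means and where codes in that format are documented, and the first post's FDCs carry two more of them (0x80090304 and 0x80090301). These are Windows SSPI HRESULTs: the high bit marks a failure, bits 16-26 give the facility (9 is the security/SSPI facility, which is why all Schannel codes start 0x8009), and the low 16 bits are the specific code. The following is an added example, not code from the thread or from IBM: it parses an error-log excerpt in the layout shown above (the sample is a constructed copy of that excerpt), pulls the status and the failing SSPI call out of the AMQ9698 ACTION text, and decodes the HRESULT fields. The `SEC_E_*` names for the three codes seen in this thread are the standard winerror.h names; the table is deliberately limited to those three and is not the full Schannel reference.

```python
from __future__ import annotations

import re

# Constructed sample input: the queue manager error-log excerpt posted in the
# thread, in its original layout (timestamp line, AMQnnnn summary,
# EXPLANATION/ACTION sections, dashed separator line).
SAMPLE_LOG = """\
8/16/2004 10:15:31
AMQ9698: An SSL security call failed during SSL handshaking.

EXPLANATION:
An SSPI call to the Secure Channel (Schannel) SSL provider failed during SSL
handshaking. The failure has caused WebSphere MQ channel name 'CH2' to be
closed. If the name is '????' then the name is unknown.
ACTION:
Consult the Windows Schannel reference manual to determine the meaning of
status 0x8009030E (No credentials are available in the security package ) for
SSPI call AcquireCredentialsHandle. Correct the failure and if necessary
re-start the channel.
----- amqccisn.c : 2706 -------------------------------------------------------
8/16/2004 10:15:31
AMQ9999: Channel program ended abnormally.

EXPLANATION:
Channel program 'CH2' ended abnormally.
ACTION:
Look at previous error messages for channel program 'CH2' in the error files to
determine the cause of the failure.
----- amqrccca.c : 784 --------------------------------------------------------
"""

# The SSPI status codes that appear in this thread (two from FDC Comment3 fields,
# one from AMQ9698) with their winerror.h names. Short reference list only, not
# the full Schannel error table.
SEC_E_NAMES = {0x80090301: "SEC_E_INVALID_HANDLE", 0x80090304: "SEC_E_INTERNAL_ERROR",
               0x8009030E: "SEC_E_NO_CREDENTIALS"}

SEPARATOR = re.compile(r"^-{5,}.*$", re.MULTILINE)
HEADER = re.compile(r"^(\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2})\n(AMQ\d{4}): (.*)$", re.MULTILINE)
STATUS = re.compile(r"status (0x[0-9A-Fa-f]{8}) \(([^)]*)\) for SSPI call (\w+)")
QUOTED = re.compile(r"'([^']+)'")


def decode_hresult(value: int) -> dict:
    """Split a 32-bit HRESULT into severity, facility and code; name it if known."""
    return {
        "value": value,
        "failed": bool(value & 0x80000000),  # high bit set = failure
        "facility": (value >> 16) & 0x07FF,  # 9 = security/SSPI facility, hence 0x8009xxxx
        "code": value & 0xFFFF,
        "name": SEC_E_NAMES.get(value, "UNKNOWN"),
    }


def parse_error_log(text: str) -> list[dict]:
    """Split an AMQERR-style log into entries; decode the SSPI status in AMQ9698 ones."""
    entries = []
    for block in SEPARATOR.split(text):
        block = block.strip()
        m = HEADER.match(block)
        if not m:
            continue
        ts, msg_id, summary = m.groups()
        expl, _, act = block[m.end():].partition("ACTION:")
        explanation = " ".join(expl.replace("EXPLANATION:", "").split())
        action = " ".join(act.split())  # rejoin lines the log wrapped at 80 columns
        ch = QUOTED.search(summary) or QUOTED.search(explanation)
        entry = {"timestamp": ts, "msg_id": msg_id, "summary": summary,
                 "channel": ch.group(1) if ch else None, "sspi_call": None, "status": None}
        s = STATUS.search(action)
        if s:
            entry["status"] = decode_hresult(int(s.group(1), 16))
            entry["status_text"] = s.group(2).strip()
            entry["sspi_call"] = s.group(3)
        entries.append(entry)
    return entries


def handshake_failures(text: str) -> list[str]:
    """One triage line per AMQ9698 entry: channel, failing SSPI call, decoded status."""
    lines = []
    for e in parse_error_log(text):
        if e["msg_id"] == "AMQ9698" and e["status"]:
            st = e["status"]
            lines.append(f"{e['timestamp']} channel={e['channel']} call={e['sspi_call']} "
                         f"status={st['value']:#010x} {st['name']}: {e['status_text']}")
    return lines


if __name__ == "__main__":
    for line in handshake_failures(SAMPLE_LOG):
        print(line)
```

Run on the sample, this reports a single failure: channel CH2, SSPI call AcquireCredentialsHandle, status 0x8009030e SEC_E_NO_CREDENTIALS, which is Schannel saying it found no usable certificate and private key for the credential handle it was asked to build. The facility/code split is what makes a code "in this format" recognisable as an SSPI status even when the table has no name for it; on a Windows box, `certutil -error 0x8009030E` prints the symbolic name for any HRESULT without a lookup table.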
interactivechannel
Posted: Tue Aug 17, 2004 1:22 am

Voyager

Joined: 20 May 2003
Posts: 94
Location: uk

Have a look at this link and see if it's relevant http://www-1.ibm.com/support/docview.wss?rs=171&context=SSFKSJ&q1=sspi&uid=swg21109587&loc=en_US&cs=utf-8&lang=en
hguapluas
Posted: Wed Aug 18, 2004 7:02 am

Centurion

Joined: 05 Aug 2004
Posts: 105
Location: San Diego

Thanks for the link. Just found out yesterday that I am having a cert issue at the OS level on one of the boxes. So, I am having to go back and rework that box to try and fix the cert error at that level and will try the SSL again probably next week.

It seems that, for some reason, that box stopped accepting the certificate. In the process, it also stopped my SQL Server on that box, also due to the same certificate issue.

Oh, wonderful MS. Just gotta love the way they integrate everything to use everything else and not tell you up front. Seems that when you start installing certificates on the box, SQL Server will automatically attempt to use the certs for authenticating communications. Augh-h-h-h. If it isn't one thing, it's another. And they don't make it common knowledge how to get SQL Server to stop using SSL either.

Wondering ----- Has anybody else implemented SSL with MQ on a box (or boxes, possibly in a cluster) that also has SQL Server installed and running production databases at the same time? I would be particularly interested in any horror stories regarding this group of services and any failures while in production (especially SSL), what the symptoms were, what was done to solve the problem, and any words of advice. This is the environment our MQ cluster will be configured in in the near future, and I would like to get as much of a jump as I can on issues to watch for. Thanks.