| Author |
Message
|
| riyaz_tak |
 Posted: Thu Dec 10, 2015 12:58 am Post subject: Channel program XXXXX was ended by exit '/u1/mqu/lib/exit.so |
 |
|
Voyager
Joined: 05 Jan 2012
Posts: 92
|
Hi
We recently migrated to WMQ 7.5.0.4 from 7.0.1.11.
After migrating we are getting below error in MQ log for receiver channel :
AMQ9536: Channel ended by an exit.
EXPLANATION:
Channel program XXXX was ended by exit '/u1/mqu/lib/exit.so(secExit)'.
Receiver channel details :
define channel (xxxxxx) +
chltype (rcvr) +
trptype (tcp) +
sslcauth (required) +
sslciph (RC4_MD5_EXPORT) +
mcauser ('rubbish') +
maxmsgl (65536) +
scyexit ('/u1/mqu/lib/exit.so(secExit)') +
scydata ('cfg/sec.cfg')
Platform Solaris 10.
GSKit version 7.0.4.45
Please let me know if you need more information.
Regards
Riyaz |
|
| Back to top |
|
 |
| smdavies99 |
| Posted: Thu Dec 10, 2015 1:00 am Post subject: |
|
|
Jedi Council
Joined: 10 Feb 2003
Posts: 6076
Location: Somewhere over the Rainbow this side of Never-never land.
|
did you rebuild the Exit with the V7.5 libraries?
_________________
WMQ User since 1999
MQSI/WBI/WMB/'Thingy' User since 2002
Linux user since 1995
Every time you reinvent the wheel the more square it gets (anon). If in doubt think and investigate before you ask silly questions. |
|
| Back to top |
|
|
| riyaz_tak |
| Posted: Thu Dec 10, 2015 1:13 am Post subject: |
|
|
Voyager
Joined: 05 Jan 2012
Posts: 92
|
No I guess we didn't.
Infact don't have much idea about it.
Could you please advise us how to do it? |
|
| Back to top |
|
|
| fjb_saper |
| Posted: Thu Dec 10, 2015 5:45 am Post subject: |
|
|
Grand High Poobah
Joined: 18 Nov 2003
Posts: 20756
Location: LI,NY
|
You need to rebuild the exit for both 32 and 64 bits with the new libraries.
Have fun 
_________________
MQ & Broker admin |
|
| Back to top |
|
|
| Vitor |
| Posted: Thu Dec 10, 2015 5:58 am Post subject: |
|
|
Grand High Poobah
Joined: 11 Nov 2005
Posts: 26093
Location: Texas, USA
|
| riyaz_tak wrote: |
| Could you please advise us how to do it? |
Aside from the very valid advice offered, you could also consider what security features the exit provides (I'm guessing something called "secExit" is a security exit) and see if those functions can be replaced with the features added in v7.5, eliminating the need for the exit to be recompiled along with the need for the exit.
_________________
Honesty is the best policy.
Insanity is the best defence. |
|
| Back to top |
|
|
| riyaz_tak |
| Posted: Thu Dec 10, 2015 6:49 pm Post subject: |
|
|
Voyager
Joined: 05 Jan 2012
Posts: 92
|
| Thanks everyone for valuable advice |
|
| Back to top |
|
|
| riyaz_tak |
| Posted: Fri Dec 11, 2015 12:49 am Post subject: |
|
|
Voyager
Joined: 05 Jan 2012
Posts: 92
|
WMQ v 7.5 has added SERIALNUMBER parameter in SSLpeer.
Out custom security exit module was failing because of that.
Handled SERIALNUMBER and channel got started. |
|
| Back to top |
|
|
| bruce2359 |
| Posted: Fri Dec 11, 2015 5:39 am Post subject: |
|
|
Poobah
Joined: 05 Jan 2008
Posts: 9469
Location: US: west coast, almost. Otherwise, enroute.
|
| riyaz_tak wrote: |
WMQ v 7.5 has added SERIALNUMBER parameter in SSLpeer.
Out custom security exit module was failing because of that.
Handled SERIALNUMBER and channel got started. |
For the benefit of others, please explain how exactly you "Handled" this.
_________________
I like deadlines. I like to wave as they pass by.
ב''ה
Lex Orandi, Lex Credendi, Lex Vivendi. As we Worship, So we Believe, So we Live. |
|
| Back to top |
|
|
| riyaz_tak |
| Posted: Mon Dec 14, 2015 1:27 am Post subject: |
|
|
Voyager
Joined: 05 Jan 2012
Posts: 92
|
We have written channel security exit program.
This program was verifying SSLpeer values against CN,OU,O,ST and C values configured in config files.
Now we were getting extra parameter called SERIELNUMBER in SSLpeer (it's equivalent to certificate serial number ) so our security exit was failing.
So we added this new parameter in our config file and issue got resolved.
I hope this will help. |
|
| Back to top |
|
|
| RogerLacroix |
| Posted: Mon Dec 21, 2015 3:04 pm Post subject: |
|
|
Jedi Knight
Joined: 15 May 2001
Posts: 3264
Location: London, ON Canada
|
| smdavies99 wrote: |
| did you rebuild the Exit with the V7.5 libraries? |
Absolutely not required.
| fjb_saper wrote: |
| You need to rebuild the exit for both 32 and 64 bits with the new libraries. |
Incorrect. Channel security exit for MQ greater than v5.3 on Solaris MUST be 64-bit. The MCA process will not run as 32-bit.
| riyaz_tak wrote: |
WMQ v 7.5 has added SERIALNUMBER parameter in SSLpeer.
Out custom security exit module was failing because of that.
Handled SERIALNUMBER and channel got started. |
Your code (exit) is explicitly closing the channel by doing
| Code: |
| pCXP->ExitResponse = MQXCC_SUPPRESS_FUNCTION; |
| riyaz_tak wrote: |
| Now we were getting extra parameter called SERIELNUMBER in SSLpeer (it's equivalent to certificate serial number ) so our security exit was failing. |
So basically, some poor logging going on in your code (exit).
FYI: Anytime your code (exit) explicitly closes the channel, it should be logging EXACTLY why it closed the channel, so that people are not confused by the channel not running.
Regards,
Roger Lacroix
Capitalware Inc.
_________________
Capitalware: Transforming tomorrow into today.
Connected to MQ!
Twitter |
|
| Back to top |
|
|
|
|
