SSL ONEWAY FROM CLIENT TO MQ SERVER |
ashokt |
Posted: Mon Oct 10, 2022 3:43 am Post subject: SSL ONEWAY FROM CLIENT TO MQ SERVER |
|
|
Novice
Joined: 09 Oct 2022 Posts: 18
|
Hi Team,
I have been facing an SSL issue for 10 days. I've configured SSL on my local system between VMware (Linux) and a Windows server (MQ client not installed).
From the VMWARE:
---------------------
I've created QMGR
->START QMGR
->DEFINE LISTENER
->START LISTENER
->DEF SVRCONN CHL
DEF CHL(SSL.SVRCONN) CHLTYPE(SVRCONN) MCAUSER('mqm')
->DEFINE CLNT CONNECTION CHANNEL
DEF CHL(SSL.SVRCONN) CHLTYPE(CLNTCONN) CONNAME('xx.25.11.113(1661)')
->Gave the connect permission to the respective client application
->Gave full permissions to the queues.
->Then I created a kdb file and a self-signed cert, extracted it and named it cert.arm, using the iKeyman tool.
->Altered the channels with the below code
TLS_RSA_WITH_AES_128_CBC_SHA256
->Then copied the .arm file to the client server's temp location as explained below.
----------------------------------------
Client SIDE(windows local system):
--------------------
Chosen Temp path
->Created a kdb file, added the cert.arm file to the kdb file
->Copied the TAB file to client machine under the temp folder
->SET THE ENVIRONMENT VARIABLE LIKE BELOW
SET MQSLLKEYR=C:\Users\testmq\temp\MQClient\ssl\key
SET MQCHLLIB=C:\Users\testmq\temp\MQClient
SET MQCHLTAB=AMQCLCHL.TAB
SET MQSERVER=
When I run a command like amqsputc QL, it throws the below reason codes.
mqrc 2539, 2538.
Note: refreshed SSL, disabled CHLAUTH and CONNAUTH. Kindly advise me.
Regards,
Ashok |
|
bruce2359 |
Posted: Mon Oct 10, 2022 5:02 am Post subject: |
|
|
Poobah
Joined: 05 Jan 2008 Posts: 9442 Location: US: west coast, almost. Otherwise, enroute.
|
Was amqsputc or any other MQ client sample app successful BEFORE you attempted to implement your SSL solution?
What error messages in error logs on the server side?
Did you research r/c 2538 and 2539? Did you follow the programmer response to diagnose these r/c's?
_________________
I like deadlines. I like to wave as they pass by.
ב''ה
Lex Orandi, Lex Credendi, Lex Vivendi. As we Worship, So we Believe, So we Live.
|
ashokt |
Posted: Mon Oct 10, 2022 9:26 pm Post subject: |
|
|
Novice
Joined: 09 Oct 2022 Posts: 18
|
bruce2359 wrote: |
Was amqsputc or any other MQ client sample app successful BEFORE you attempted to implement your SSL solution?
What error messages in error logs on the server side?
Did you research r/c 2538 and 2539? Did you follow the programmer response to diagnose these r/c's? |
-----------------------------------------------
Hi Bruce,
Thanks for the response. Yes, amqsputc was successful before implementing the SSL. When I altered the channels with SSLCIPH, after that it's not working and reflecting the above reason codes. 2539: getting channel configuration error.
When I searched with Google, I got the below response.
---------------------------------------------------------------
The server and client cannot agree on the channel attributes to use.
There are errors in one or both of the QM.INI or MQCLIENT.INI configuration files.
The server machine does not support the code page used by the client.
------------------------------------------------------------------
MQ error logs did not generate any errors related to 2539.
I even tried the below command from the client machine.
set mqserver=TUBC.SVRCONN/TCP/x.x.x.x(1661)
Getting 2393.
SSL INITIALIZATION ERROR
MQ error logs show that the SSLCIPH value did not match.
AMQ9639E: Remote channel 'AUBC.SVRCONN' did not specify a CipherSpec.
EXPLANATION:
Remote channel 'AUBC.SVRCONN' did not specify a CipherSpec when the local
channel expected one to be specified.
The remote host is 'abc (x.x.x.x.)'.
The channel did not start.
ACTION:
Change the remote channel 'AUBC.SVRCONN' on host 'abc (x.x.x.x.)'.
to specify a CipherSpec so that both ends of the channel have matching
CipherSpecs.
Kindly advise.
Regards,
Ashok. |
|
bruce2359 |
Posted: Tue Oct 11, 2022 8:34 am Post subject: |
|
|
Poobah
Joined: 05 Jan 2008 Posts: 9442 Location: US: west coast, almost. Otherwise, enroute.
|
ashokt wrote: |
DEF CHL(SSL.SVRCONN) CHLTYPE(CLNTCONN) CONNAME('xx.25.11.113(1661)') |
You didn't specify SSL attributes on this DEFINE.
ashokt wrote: |
->Altered the channels with the below code
TLS_RSA_WITH_AES_128_CBC_SHA256 |
Which channels did you ALTER? Please be precise. The SVRCONN on the qmgr? The CLNTCONN DEF?
Did you ALTER the channel DEFs before you exposed (copied) the CCDT to the client platform? Use any text editor to inspect the CCDT on the client. Do you see matching SSL specifications?
Use runmqsc to Display both SVRCONN and CLNTCONN channel definitions. Post results here.
_________________
I like deadlines. I like to wave as they pass by.
ב''ה
Lex Orandi, Lex Credendi, Lex Vivendi. As we Worship, So we Believe, So we Live.
|
exerk |
Posted: Wed Oct 12, 2022 12:12 am Post subject: |
|
|
Jedi Council
Joined: 02 Nov 2006 Posts: 6339
|
ashokt wrote: |
set mqserver=TUBC.SVRCONN/TCP/x.x.x.x(1661)
|
Please read further in regard to the use of TLS and the MQSERVER variable, specifically the second paragraph.
_________________
It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys.
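Added example, not part of any post in this thread: a small check for the two points raised above, bruce2359's "do you see matching SSL specifications?" on the SVRCONN and CLNTCONN definitions and exerk's point about MQSERVER. It parses runmqsc DISPLAY CHANNEL output and a client environment; the sample output, address, environment values and finding texts are constructed for illustration.

```python
import re

# Constructed DISPLAY CHANNEL-style output; names and address are sample values.
SAMPLE_DISPLAY = """\
AMQ8414I: Display Channel details.
   CHANNEL(SSL.SVRCONN)                    CHLTYPE(SVRCONN)
   SSLCAUTH(OPTIONAL)                      SSLCIPH(TLS_RSA_WITH_AES_128_CBC_SHA256)
AMQ8414I: Display Channel details.
   CHANNEL(SSL.SVRCONN)                    CHLTYPE(CLNTCONN)
   CONNAME(192.0.2.10(1661))               SSLCIPH( )
"""
# Constructed client environment: MQSERVER left set, no key repository variable.
SAMPLE_ENV = {"mqserver": "SSL.SVRCONN/TCP/192.0.2.10(1661)", "MQCHLTAB": "AMQCLCHL.TAB"}

# ATTR(value), where value may hold one nested pair of parentheses, as CONNAME does.
ATTR = re.compile(r"(\w+)\(((?:[^()]|\([^()]*\))*)\)")

def parse_channels(text):
    """Map (channel name, CHLTYPE) -> attribute dict for each displayed channel."""
    channels = {}
    for block in re.split(r"^AMQ8414\w?:.*$", text, flags=re.M):
        attrs = {k.upper(): v.strip() for k, v in ATTR.findall(block)}
        if "CHANNEL" in attrs:
            channels[(attrs["CHANNEL"], attrs.get("CHLTYPE", ""))] = attrs
    return channels

def check_tls(channels, env):
    """Return findings for CipherSpec mismatches and client environment problems."""
    findings, ends = [], {}
    for (name, chltype), attrs in channels.items():
        ends.setdefault(name, {})[chltype] = attrs.get("SSLCIPH", "")
    for name, ciph in sorted(ends.items()):
        if "SVRCONN" not in ciph or "CLNTCONN" not in ciph:
            findings.append(f"{name}: SVRCONN/CLNTCONN pair incomplete")
        elif ciph["SVRCONN"] != ciph["CLNTCONN"]:
            findings.append(f"{name}: SSLCIPH mismatch, SVRCONN={ciph['SVRCONN']!r} "
                            f"CLNTCONN={ciph['CLNTCONN']!r}")
    env = {k.upper(): v for k, v in env.items()}  # Windows variable names ignore case
    if env.get("MQSERVER"):
        findings.append("MQSERVER is set: the CCDT is ignored and it carries no CipherSpec")
    if not env.get("MQSSLKEYR"):
        findings.append("MQSSLKEYR is not set in the environment")
    return findings

if __name__ == "__main__":
    for finding in check_tls(parse_channels(SAMPLE_DISPLAY), SAMPLE_ENV):
        print(finding)
```

An empty result means both ends name the same CipherSpec and the client will read the CCDT rather than MQSERVER; the key repository can also be configured outside the environment, so treat that finding as a prompt to check.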
|
ashokt |
Posted: Wed Oct 12, 2022 1:38 am Post subject: |
|
|
Novice
Joined: 09 Oct 2022 Posts: 18
|
bruce2359 wrote: |
ashokt wrote: |
DEF CHL(SSL.SVRCONN) CHLTYPE(CLNTCONN) CONNAME('xx.25.11.113(1661)') |
You didn't specify SSL attributes on this DEFINE.
ashokt wrote: |
->Altered the channels with the below code
TLS_RSA_WITH_AES_128_CBC_SHA256 |
Which channels did you ALTER? Please be precise. The SVRCONN on the qmgr? The CLNTCONN DEF?
Did you ALTER the channel DEFs before you exposed (copied) the CCDT to the client platform? Use any text editor to inspect the CCDT on the client. Do you see matching SSL specifications?
Use runmqsc to Display both SVRCONN and CLNTCONN channel definitions. Post results here. |
===========================
Hi Bruce,
Thank you for your update.
I've erased the old configuration and configured it properly; now it's working fine as expected. Thank you very much for your valuable support.
Regards,
Ashok
|
|
ashokt |
Posted: Wed Oct 12, 2022 1:41 am Post subject: |
|
|
Novice
Joined: 09 Oct 2022 Posts: 18
|
exerk wrote: |
ashokt wrote: |
set mqserver=TUBC.SVRCONN/TCP/x.x.x.x(1661)
|
Please read further in regard to the use of TLS and the MQSERVER variable, specifically the second paragraph. |
=============
Hi Exerk,
Thank you for your response. The 2nd time I did not use the command mqserver=TUBC.SVRCONN/TCP/x.x.x.x(1661) from the client machine. I used amqsputc queue name, and then it's working fine with SSL.
Regards,
Ashok |
|