| Author |
Message
|
| arvind_kaur |
 Posted: Fri May 27, 2005 8:16 am Post subject: MQIPT problem with SSL enabled QMGRS |
 |
|
Novice
Joined: 21 Apr 2002
Posts: 10
|
Background: I have 2 SSL enabled QMGRs communicating with each other fine. I have 2 NON SSL QMGRs communicate with each other fine via MQIPT. My next stage was to introduce MQIPT between the 2 SSL enabled QMGRS and this fails.
As per the limited documentation, i have put the 'SSLProxyMode=true' in the route definition of the MQIPT configuration.
The channel just goes into BINDING state for ever.
From the mqipt trace, it appears, that it is waiting for an SSL V2.0 handshake. Cant work out why.
Please note that MQIPT is running a different box than the 2 SSL enabled QMGRs. AIX5.2 and MQ5.3CSD4
Please can anyone help.
Thanks a lot,
Arvind |
|
| Back to top |
|
 |
| jefflowrey |
| Posted: Fri May 27, 2005 8:19 am Post subject: |
|
|
Grand Poobah
Joined: 16 Oct 2002
Posts: 19981
|
What gain do you expect using MQIPT between these SSL qmgrs? HTTP Tunneling?
It seems that you need to look at enabling SSL to IPT, rather than trying to use MQIPT to tunnel SSL connections - if your goal is to ensure that all traffic is encrypted.
_________________
I am *not* the model of the modern major general. |
|
| Back to top |
|
|
| arvind_kaur |
| Posted: Fri May 27, 2005 8:29 am Post subject: |
|
|
Novice
Joined: 21 Apr 2002
Posts: 10
|
The two reasons i have for choosing to do this way:
- my impression is, that SSL enabling through QMGRs is a preferred option by IBM, over MQIPT SSL option.
- I think, by doing this, our clients QMGR doesnt have to sit behind an MQIPT. |
|
| Back to top |
|
|
| jefflowrey |
| Posted: Fri May 27, 2005 8:34 am Post subject: |
|
|
Grand Poobah
Joined: 16 Oct 2002
Posts: 19981
|
You have just listed two reasons not to use MQIPT.
But you said you were trying to use MQIPT.
What are you trying to do?
I don't think you can use MQIPT on only one end. But I don't know.
_________________
I am *not* the model of the modern major general. |
|
| Back to top |
|
|
| arvind_kaur |
| Posted: Fri May 27, 2005 8:41 am Post subject: |
|
|
Novice
Joined: 21 Apr 2002
Posts: 10
|
 ... I thought i listed two reasons for not using SSL within MQIPT (not MQIPT itself).
I am successfully using MQIPT without SSL for non-SSL enabled QMGRs.
I am trying to introduce SSL in the setup.
Yes, you can use MQIPT without SSL on one end only.
Thanks |
|
| Back to top |
|
|
| arvind_kaur |
| Posted: Tue May 31, 2005 5:34 am Post subject: |
|
|
Novice
Joined: 21 Apr 2002
Posts: 10
|
| Any ideas any body? It will be much appreciated ... |
|
| Back to top |
|
|
| fjb_saper |
| Posted: Tue May 31, 2005 11:59 am Post subject: |
|
|
Grand High Poobah
Joined: 18 Nov 2003
Posts: 20756
Location: LI,NY
|
| What problem/business scenario are you trying to solve using IPT + SSL? |
|
| Back to top |
|
|
| arvind_kaur |
| Posted: Thu Jun 02, 2005 4:24 am Post subject: |
|
|
Novice
Joined: 21 Apr 2002
Posts: 10
|
| We are using MQIPT as a proxy between our MQ Server (QMGR) and our clients QMGR. Want to introduce SSL on QMGR level. The traffic of which passes through MQIPT. The 'SSLProxyMode=true' in the mqipt conf is all that is required as per the IBM limited documentation. But the moment, i start the SSL enabled channels on QMGRS (defined to go via MQIPT), the channels go into BINDING and never recover from it. |
|
| Back to top |
|
|
| EddieA |
| Posted: Thu Jun 02, 2005 8:16 am Post subject: |
|
|
Jedi
Joined: 28 Jun 2001
Posts: 2453
Location: Los Angeles
|
| Quote: |
| We are using MQIPT as a proxy between our MQ Server (QMGR) and our clients QMGR |
Does that mean you are running like this:
| Quote: |
| QMGR <--> MQIPT <--> QMGR |
If so, then I'm going to guess that MQ and MQIPT have different ways of using SSL that are not compatible.
My feeling is, that the SSLProxyMode=true is intended for the this configuration:
| Quote: |
| QMGR <--> MQIPT <--> MQIPT <--> QMGR |
So that it knows the messages it sees are still MQ messages, even though they've already been encrypted.
Cheers,
_________________
Eddie Atherton
IBM Certified Solution Developer - WebSphere Message Broker V6.1
IBM Certified Solution Developer - WebSphere Message Broker V7.0 |
|
| Back to top |
|
|
| arvind_kaur |
| Posted: Tue Jun 07, 2005 7:35 am Post subject: |
|
|
Novice
Joined: 21 Apr 2002
Posts: 10
|
Great. Your comment was helpful in that we needed two MQIPTs between the two MQ QMGRs. But IBM had to provide a fix for the SSLProxyMode to work. So, once i had the fix from IBM, it didnt work with one MQIPT. Tried your suggestion and it worked.
Thanks a lot. |
|
| Back to top |
|
|
| arvind_kaur |
| Posted: Fri Jun 17, 2005 8:53 am Post subject: |
|
|
Novice
Joined: 21 Apr 2002
Posts: 10
|
| Correction, i didnt need 2 MQIPTs between the 2QMGRs, in the end. Had 1 instance of MQIPT running between 2 SSL enabled QMGRS, successfully. So, the fix from IBM sorted the problem. |
|
| Back to top |
|
|
| HugoB |
| Posted: Mon Jul 11, 2005 7:42 am Post subject: |
|
|
Acolyte
Joined: 26 Jun 2001
Posts: 67
|
You do mention a Fix every time.
I have version 1.3.2 (downloaded last week 6 july 2005).
Do i need a fix to accomplish MQ SSL through MQIPT ?
I want to do;
QMGR <--> MQIPT <--> MQIPT <--> QMGR
So SSL on Qmgr level, en ofcourse some firewalls.
Thnx
HugoB |
|
| Back to top |
|
|
| arvind_kaur |
| Posted: Mon Jul 11, 2005 8:00 am Post subject: |
|
|
Novice
Joined: 21 Apr 2002
Posts: 10
|
| Yes, IBM provided a fix to be applied on top of MQIPT 1.3.2, for SSLProxyMode to work correctly. |
|
| Back to top |
|
|
| Bear |
| Posted: Fri May 05, 2006 9:35 am Post subject: IBM fix for MQIPT with SSL enable Qmgrs |
|
|
Voyager
Joined: 17 Jan 2006
Posts: 28
Location: Montreal Canada
|
 Would you or somone be able to supply the IBM fix number or APAR number that was used to overcome this problem? Thanx. BB. |
|
| Back to top |
|
|
| PhilBlake |
| Posted: Sun May 07, 2006 7:39 am Post subject: |
|
|
Acolyte
Joined: 25 Oct 2005
Posts: 64
|
|
| Back to top |
|
|
|
|
