anuprz1 | Posted: Thu Aug 25, 2005 11:08 pm
Newbie | Joined: 23 Sep 2004 | Posts: 7 | Location: Poland

anuprz1 wrote:
> I had the same problem yesterday, and did:
>
> Code:
> gsk7cmd_64 -keydb -stashpw -db key.kdb -pw some_password
>
> and then it worked

no, it did not work.

Sorry

anuprz1 | Posted: Thu Aug 25, 2005 11:52 pm
Newbie | Joined: 23 Sep 2004 | Posts: 7 | Location: Poland

nowww.. I'm really surprised...
 
 
I checked the SSLKEYR once again for both qmgrs:

Code:
$ echo "dis qmgr sslkeyr"|runmqsc QM1|grep QMN
 
   SSLKEYR(/var/mqm/qmgrs/QM1/ssl/key)     QMNAME(QM1)
 
$ echo "dis qmgr sslkeyr"|runmqsc QM2|grep QMN
 
   SSLKEYR(/var/mqm/qmgrs/QM2/ssl/key)   QMNAME(QM2)
 
I found the location is ok. Files are there.

But, there is a small difference between them!

For QM1 it was already working (manually stashed password after key repository creation). For QM2 I also did that trick, but it was not ok.
 
As in my previous posts.
 
Then I saw this small difference.
 
There is much more white space before QMNAME.
 
 I thought, maybe I will alter qmgr once again..
 
 
   
Code:
$ echo "alter qmgr SSLKEYR('/var/mqm/qmgrs/QM2/ssl/key')"|runmqsc QM2
 
5724-B41 (C) Copyright IBM Corp. 1994, 2002.  ALL RIGHTS RESERVED.
 
Starting MQSC for queue manager QM2.
 
 
 
     1 : alter qmgr SSLKEYR('/var/mqm/qmgrs/QM2/ssl/key')
 
AMQ8005: WebSphere MQ queue manager changed.
 
One MQSC command read.
 
No commands have a syntax error.
 
All valid MQSC commands were processed.
 
So I did, and then:
 
 
   
Code:
$ echo "dis qmgr sslkeyr"|runmqsc QM2|grep QMN
 
   SSLKEYR(/var/mqm/qmgrs/QM2/ssl/key)     QMNAME(QM2)
 
$ echo "dis qmgr sslkeyr"|runmqsc QM1|grep QMN
 
   SSLKEYR(/var/mqm/qmgrs/QM1/ssl/key)     QMNAME(QM1)
 
It was looking ok!

And channel started then automatically!

Now, would somebody put some light on this? I really don't get it...

However it works

DJudd | Posted: Fri Aug 26, 2005 4:20 am
Novice | Joined: 22 Jul 2005 | Posts: 17 | Location: Florida

I stashed the password successfully from the command line and the gui.  The channel still won't come up.   Thanks

jefflowrey | Posted: Fri Aug 26, 2005 4:23 am
Grand Poobah | Joined: 16 Oct 2002 | Posts: 19981

DJudd wrote:
> I stashed the password successfully from the command line and the gui.  The channel still won't come up.   Thanks

Are you still getting the same error, or a different one?

Maybe it is worth trying to alter the channel to remove the SSL, and then alter it again to reenable it.

Don't forget to check for errors on both ends of the channel.
_________________
I am *not* the model of the modern major general.

DJudd | Posted: Fri Aug 26, 2005 5:02 am
Novice | Joined: 22 Jul 2005 | Posts: 17 | Location: Florida

The channel works fine without the encryption enabled.  Files have been passed from queue to queue going both directions without the encryption enabled.   The error message stays the same on both ends no matter what I have done.   I have even deleted and recreated the key db and still gotten the same error.   The network firewall traces show that the port is not attempting to communicate when I enable encryption but does communicate when I do.   Any help would be greatly appreciated.   Thanks

jefflowrey | Posted: Fri Aug 26, 2005 5:06 am
Grand Poobah | Joined: 16 Oct 2002 | Posts: 19981

Have you enabled MQ tracing, and seen what that shows?

DJudd | Posted: Fri Aug 26, 2005 5:19 am
Novice | Joined: 22 Jul 2005 | Posts: 17 | Location: Florida

Yes I have done that:
 
16:10:44.275668 4293.1 gsk_environment_init: input: gsk_env_handle=0x40092c20
 
16:10:44.275859 4293.1 gsk_environment_init: output: gsk_env_handle=0x40092c20
 
16:10:44.275870 4293.1 --(05)----}! ccigsk_environment_init rc=Unknown(198)
 
16:10:44.275881 4293.1 --(05)----{ cciSslReportGSKitError
 
16:10:44.275899 4293.1 --(06)-----{ rrxError
 
16:10:44.275921 4293.1 RetCode = 20009660, rc1 = 408, rc2 = 0, Comment1 = 'QMJ720BT1.QMY1', Comment2 = 'gsk_environment_init', Comment3= '', File= './amqccisx.c', Line= '1010'
 
16:10:44.275931 4293.1 --(06)-----}! rrxError rc=rrcE_SSL_BAD_KEYFILE_PASSWORD
 
 
Thanks

jefflowrey | Posted: Fri Aug 26, 2005 5:26 am
Grand Poobah | Joined: 16 Oct 2002 | Posts: 19981

I hate to ask this, but... are you sure you have the right password stashed?  In the correct case and all that...?

DJudd | Posted: Fri Aug 26, 2005 5:38 am
Novice | Joined: 22 Jul 2005 | Posts: 17 | Location: Florida

I have done the gsk6cmd -cert -list -db dbname.kdb without the password command and it prompts for the password.   I enter the password and it proceeds to list the certs in the DB.   I also tried the -list command and entered the wrong password:
 
 
gsk6cmd -cert -list -db key.kdb
 
A password is required to access this key database.
 
Please enter a password:
 
 sdfg
 
An invalid password was provided or the key database has been tampered or corrupted.
 
 
gsk6cmd -cert -list -db key.kdb
 
A password is required to access this key database.
 
Please enter a password:
 
xxxx
 
Certificates in database: key.kdb
 
   DODCA3
 
   DODCA4
 
   DODCA7
 
 
I thought this meant the password is stashed and working.   I could be crazy though.   Thanks

jefflowrey | Posted: Fri Aug 26, 2005 6:05 am
Grand Poobah | Joined: 16 Oct 2002 | Posts: 19981

Try running the MQSC command "REFRESH SECURITY TYPE(SSL)".

DJudd | Posted: Fri Aug 26, 2005 6:27 am
Novice | Joined: 22 Jul 2005 | Posts: 17 | Location: Florida

REFRESH SECURITY TYPE(SSL)
 
     1 : REFRESH SECURITY TYPE(SSL)
 
AMQ8405: Syntax error detected at or near end of command segment below:-
 
REFRESH SECURITY TYPE
 
 
AMQ8427: Valid syntax for the MQSC command:
 
 
  REFRESH SECURITY [ (*) ]
 
 
This didn't appear to be the required syntax so I did:
 
 
refresh security(*)
 
     4 : refresh security(*)
 
AMQ8560: WebSphere MQ security cache refreshed.
 
 
I stopped and started the queue manager and command server, stopped and started the channel.   I am in a retrying state.    Thanks

jefflowrey | Posted: Fri Aug 26, 2005 6:37 am
Grand Poobah | Joined: 16 Oct 2002 | Posts: 19981

DJudd wrote:
> REFRESH SECURITY TYPE(SSL)
>
>      1 : REFRESH SECURITY TYPE(SSL)
>
> AMQ8405: Syntax error detected at or near end of command segment below:-

Dang!  I was worried that was v6 specific!

Sorry.

Did we go through file permissions on the key files already?  (It's not showing me anything on the previous page in the topic review...)

DJudd | Posted: Fri Aug 26, 2005 6:47 am
Novice | Joined: 22 Jul 2005 | Posts: 17 | Location: Florida

The SA set the owner to mqm and group to mqm on all of the files below that were not already mqm/mqm.  Then I restarted the QM and channels.   No luck.
 
/opt/mqm/ssl/jre/lib/ext
 
 
-rwxrwxrwx 1 mqm mqm 1937 Sep 18 2002 US_export_policy.jar
 
-rwxrwxrwx 1 mqm mqm 71950 Sep 18 2002 ibmjcefw.jar
 
-rwxrwxrwx 1 mqm mqm 760652 Sep 18 2002 ibmjceprovider.jar
 
-rwxrwxrwx 1 mqm mqm 142054 Sep 18 2002 ibmjlog.jar
 
-rwxrwxrwx 1 root sys 208825 Sep 18 2002 ibmjsse.jar
 
-rwxrwxrwx 1 mqm mqm 637536 Sep 18 2002 ibmpkcs.jar
 
-rwxrwxrwx 1 mqm mqm 1928 Sep 18 2002 local_policy.jar
 
 
/opt/mqm/ssl/jre/lib/security
 
aemhp2:security 154% ls -l
 
total 64
 
-r--r--r-- 1 bin bin 7365 Aug 16 2001 cacerts
 
-r--r--r-- 1 bin bin 2223 Aug 16 2001 java.policy
 
-rwxrwxrwx 1 mqm mqm 4471 Sep 18 2002 java.security
 
-r--r--r-- 1 root sys 3950 Oct 8 2004 java.security.bk
 
Thanks

DJudd | Posted: Fri Aug 26, 2005 6:53 am
Novice | Joined: 22 Jul 2005 | Posts: 17 | Location: Florida

Please disregard previous list of file permissions.   I copied and pasted the wrong data.  Below are the permissions:
 
/opt/mqm/ssl/jre/lib/ext
 
-rwxr-xr-x   1 mqm        mqm          76979 Aug 19 08:04 ibmjcefw.jar
 
-rwxr-xr-x   1 mqm        mqm         688215 Aug 19 08:04 ibmjceprovider.jar
 
-rwxr-xr-x   1 mqm        mqm         142054 Aug 19 08:04 ibmjlog.jar
 
-rwxr-xr-x   1 root       sys         208825 Aug 19 08:04 ibmjsse.jar
 
-rwxr-xr-x   1 mqm        mqm         688834 Aug 19 08:04 ibmpkcs.jar
 
-rwxr-xr-x   1 mqm        mqm           1928 Aug 19 08:04 local_policy.jar
 
-rwxr-xr-x   1 mqm        mqm           1937 Aug 19 08:04 US_export_policy.jar
 
 
/opt/mqm/ssl/jre/lib/security
 
 
r--r--r--   1 bin        bin           7365 Aug 16  2001 cacerts
 
-r--r--r--   1 bin        bin           2223 Aug 16  2001 java.policy
 
-rwxrwxrwx   1 mqm        mqm           4471 Sep 18  2002 java.security
 
-r--r--r--   1 root       sys           3950 Apr 27 13:55 java.security.bk
 
 
Thanks

wschutz | Posted: Fri Aug 26, 2005 6:57 am
Jedi Knight | Joined: 02 Jun 2005 | Posts: 3316 | Location: IBM (retired)

try posting that list again .... I think we want /var/mqm/qmgrs/QM/ssl
_________________
-wayne
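
The key-file check that jefflowrey and wschutz ask for above, written out as an added example that is not part of the thread: a shell function that inspects the two files behind an SSLKEYR stem. It assumes the key database is `<stem>.kdb` with its stashed password in `<stem>.sth`, that both should be owned by `mqm`, and that any permission for "other" is a finding; `check_keyrepo` is a hypothetical name.

```shell
#!/bin/sh
# Added example (not from the thread). SSLKEYR is a stem without extension:
# the key database is <stem>.kdb and the stashed password is <stem>.sth.
#
# usage: check_keyrepo STEM [OWNER]     (OWNER defaults to mqm, an assumption)
# Prints one finding per line; returns 0 if clean, 1 otherwise.
check_keyrepo() {
    kr_stem=$1
    kr_owner=${2:-mqm}
    kr_rc=0
    for kr_ext in kdb sth; do
        kr_file="$kr_stem.$kr_ext"
        if [ ! -f "$kr_file" ]; then
            echo "MISSING $kr_file"
            kr_rc=1
            continue
        fi
        # From ls -l: the 10-character mode string, and the owner in column 3.
        kr_ls=$(ls -ld "$kr_file")
        kr_mode=$(printf '%s\n' "$kr_ls" | cut -c1-10)
        kr_user=$(printf '%s\n' "$kr_ls" | awk '{print $3}')
        if [ "$kr_user" != "$kr_owner" ]; then
            echo "OWNER $kr_file is $kr_user, expected $kr_owner"
            kr_rc=1
        fi
        # The owner must be able to read the file (mode character 2).
        case $kr_mode in
            ?r*) ;;
            *) echo "UNREADABLE $kr_file mode $kr_mode"; kr_rc=1 ;;
        esac
        # Characters 8-10 are the "other" bits; the stash file holds the
        # key database password, so nothing should be granted there.
        case $kr_mode in
            ???????---) ;;
            *) echo "WORLD-ACCESSIBLE $kr_file mode $kr_mode"; kr_rc=1 ;;
        esac
    done
    return $kr_rc
}

# Example call, using the stem shown by "dis qmgr sslkeyr" earlier in the thread:
#   check_keyrepo /var/mqm/qmgrs/QM1/ssl/key
```
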
			   
			 