Author |
Message
|
edhi |
Posted: Tue Jan 10, 2006 6:15 am Post subject: Channel is lacking a certificate |
|
|
Novice
Joined: 10 Jan 2006 Posts: 15
|
When I try to connect from a WinXP MQClient to Solaris MQ Manager over an SSL server connection channel, I get this error message in the unix error log:
"AMQ9637: Channel is lacking a certificate.
EXPLANATION:
The channel is lacking a certificate to use for the SSL handshake. The channel
name is 'MORLC350T_SSL.SCN01' (if '????' it is unknown at this stage in the SSL
processing). The channel did not start."
When I set up the server connection channel WITHOUT client authentication, the connection succeeds.
On the same WinXP PC I also have an MQManager. When I set up an SSL Channel (WITH client authentication) between this MQ Manager and the MQManager on Unix, the connection is also successful. It works in both directions.
In all cases the certificates reside in the same repository.
I think the problem has to do with the client certificate label. I tried several different names for it but none works.
I use a modified version of amqscnxc.c.
Any suggestions?
jefflowrey |
Posted: Tue Jan 10, 2006 6:23 am Post subject: |
|
|
Grand Poobah
Joined: 16 Oct 2002 Posts: 19981
|
edhi |
Posted: Tue Jan 10, 2006 6:37 am Post subject: |
|
|
Novice
Joined: 10 Jan 2006 Posts: 15
|
Thanks for the reply.
In the source code of amqscnxc.c I inserted this:
MQSCO SecureConn = {MQSCO_DEFAULT};
...
strcpy(SecureConn.KeyRepository, "D:\\Program Files\\IBM\\WebSphere MQ\\Qmgrs\\MORLC350T\\ssl\\key");
Connect_options.SSLConfigPtr = &SecureConn;
wschutz |
Posted: Tue Jan 10, 2006 6:50 am Post subject: |
|
|
 Jedi Knight
Joined: 02 Jun 2005 Posts: 3316 Location: IBM (retired)
|
Quote: |
I think the problem has to do with the client certificate label. I tried several different names for it but none works |
What labels did you try? If the userid is "Phred", then the label name should be "ibmwebspheremqphred" ....
EDIT: That applies to MQ V6 _________________ -wayne
Last edited by wschutz on Tue Jan 10, 2006 7:32 am; edited 2 times in total |
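The V6 naming rule from the reply above, as an added example that is not part of the original thread or IBM's code: `expected_label` builds the label from a logon user ID, and `check_label` flags a repository label that differs from it only in case. The function names and the sample labels are constructed for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Added example: helper names are hypothetical, sample labels are constructed. */
#define MQ_LABEL_PREFIX "ibmwebspheremq"

/* Build the label an MQ V6 client looks for: prefix + user ID in lower case.
   Returns 0 on success, -1 if userid is empty or the result does not fit. */
int expected_label(const char *userid, char *out, size_t outlen)
{
    size_t plen = strlen(MQ_LABEL_PREFIX), ulen = strlen(userid);
    if (ulen == 0 || plen + ulen + 1 > outlen)
        return -1;
    memcpy(out, MQ_LABEL_PREFIX, plen);
    for (size_t i = 0; i < ulen; i++)
        out[plen + i] = (char)tolower((unsigned char)userid[i]);
    out[plen + ulen] = '\0';
    return 0;
}

enum label_match { LABEL_OK, LABEL_CASE_ONLY, LABEL_NO_MATCH };

/* Compare a label found in the key repository with the expected one.
   A label that differs only in case from the all-lowercase form is
   reported separately, because it looks right at a glance. */
enum label_match check_label(const char *found, const char *userid)
{
    char want[128];
    if (expected_label(userid, want, sizeof want) != 0)
        return LABEL_NO_MATCH;
    if (strcmp(found, want) == 0)
        return LABEL_OK;
    if (strlen(found) != strlen(want))
        return LABEL_NO_MATCH;
    for (size_t i = 0; want[i]; i++)
        if (tolower((unsigned char)found[i]) != (unsigned char)want[i])
            return LABEL_NO_MATCH;
    return LABEL_CASE_ONLY;
}

int main(void)
{
    /* Constructed labels, checked for a client running as "Phred". */
    const char *labels[] = { "ibmwebspheremqphred", "ibmwebspheremqPhred",
                             "ibmwebspheremqmqm" };
    static const char *verdict[] = { "match", "case differs", "no match" };
    for (size_t i = 0; i < sizeof labels / sizeof labels[0]; i++)
        printf("%-22s %s\n", labels[i], verdict[check_label(labels[i], "Phred")]);
    return 0;
}
```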
edhi |
Posted: Tue Jan 10, 2006 6:51 am Post subject: |
|
|
Novice
Joined: 10 Jan 2006 Posts: 15
|
wschutz |
Posted: Tue Jan 10, 2006 7:00 am Post subject: |
|
|
 Jedi Knight
Joined: 02 Jun 2005 Posts: 3316 Location: IBM (retired)
|
Are you using MQ V5.3 or MQ V6 on Windows? If it's V6, then you need a .kdb file (which you can migrate from a .sto file using amqtcert). _________________ -wayne
edhi |
Posted: Tue Jan 10, 2006 7:13 am Post subject: |
|
|
Novice
Joined: 10 Jan 2006 Posts: 15
|
Since the test program runs from a debugger, under my userid, I created a label with my userid attached to it (I have been searching around on the internet, so I already found that suggestion), but that didn't work.
I also tried with a certificate with label ibmwebspheremqmqm, because the MCA userid of the server connection channel on the unix server (to which I try to connect) is mqm.
Doesn't work either.
On WinXP the return code is 2393: MQRC_SSL_INITIALIZATION_ERROR
edhi |
Posted: Tue Jan 10, 2006 7:15 am Post subject: |
|
|
Novice
Joined: 10 Jan 2006 Posts: 15
|
wschutz |
Posted: Tue Jan 10, 2006 7:28 am Post subject: |
|
|
 Jedi Knight
Joined: 02 Jun 2005 Posts: 3316 Location: IBM (retired)
|
Did you assign the certificate to the MQ client using amqmcert? _________________ -wayne
edhi |
Posted: Tue Jan 10, 2006 7:56 am Post subject: |
|
|
Novice
Joined: 10 Jan 2006 Posts: 15
|
No, I use WebSphere MQ Explorer and I access the key repository through the MQ manager that is available on the same machine.
When I execute "amqmcert -k CA -l" or "amqmcert -k ROOT -l" I see the certificates in the list.
Maybe something is wrong with the assignment? Should I use amqmcert for assigning certificates?
It also makes no difference if I use MQSSLKEYR to specify key repository location or if I do this in the source code (SecureConn.KeyRepository="...").
jefflowrey |
Posted: Tue Jan 10, 2006 7:58 am Post subject: |
|
|
Grand Poobah
Joined: 16 Oct 2002 Posts: 19981
|
Does the user that is running the client program have file system access to the key store? _________________ I am *not* the model of the modern major general.
edhi |
Posted: Tue Jan 10, 2006 8:06 am Post subject: |
|
|
Novice
Joined: 10 Jan 2006 Posts: 15
|
Yes. I run the program in debugger under my userid on my PC. I checked the security settings of the directory and gave all users as many rights as possible. Although this isn't really advisable for a key store, I suppose.
edhi |
Posted: Tue Jan 10, 2006 8:07 am Post subject: |
|
|
Novice
Joined: 10 Jan 2006 Posts: 15
|
How can I assign the certificate to the client, using amqmcert?
wschutz |
Posted: Tue Jan 10, 2006 8:56 am Post subject: |
|
|
 Jedi Knight
Joined: 02 Jun 2005 Posts: 3316 Location: IBM (retired)
|
edhi wrote: |
How can I assign the certificate to the client, using amqmcert? |
It's documented in the System Admin guide _________________ -wayne