ivanachukapawn
Posted: Tue Mar 21, 2006 1:13 pm Post subject: Clustered SSL channels will not start
Knight
Joined: 27 Oct 2003 Posts: 561
Problem: Cluster Sender and Receiver channels will not start when SSL is enabled. (These channels cluster fine when non-SSL. The Keystores for all 3 queue managers in the cluster are established and work successfully to enable both SSL SVRCONN connections, and Queue Manager sender/receiver queue manager connections.)

jefflowrey
Posted: Tue Mar 21, 2006 1:15 pm Post subject:
Grand Poobah
Joined: 16 Oct 2002 Posts: 19981
Using my crystal ball, I will say that you have not provided all of the certificates necessary to every queue manager.
_________________
I am *not* the model of the modern major general.

bbburson
Posted: Tue Mar 21, 2006 1:31 pm Post subject:
Partisan
Joined: 06 Jan 2004 Posts: 378 Location: Nowhere near a queue manager
Wait, wait!! MY crystal ball says the cluster sender definitions include SSL attributes but the cluster receiver definitions do not.

ivanachukapawn
Posted: Tue Mar 21, 2006 1:46 pm Post subject:
Knight
Joined: 27 Oct 2003 Posts: 561
Thank you Jeff and BB for your hopefully prophetic forecasts. However, as I pointed out, the keystores for all three queue managers (and the keystore on Windows XP for the Java Client) contain all the certificates. These SSL connections can be established with no problem. I have Java Clients connecting to each of the 3 queue managers over SSL SVRCONN channels, and I have Java Clients connecting via SSL SVRCONN channel to one Queue Manager and then putting to a Remote Queue which utilizes non-clustered SSL Sender/Receiver channels between the queue managers.
I created Cluster Sender and Receiver channels for the 3 queue managers (2 of which are REPOS), and successfully enabled Clustering of the 3 queue managers. I then modified the Cluster Senders and Receivers to specify the appropriate Cipher Spec and checked that the /path information in the Queue Manager definition pointed to the keystore. I double checked to make sure that all Cluster Sender and Cluster Receiver channels had the appropriate CipherSpec. I fail to see what it is that I have overlooked (obviously). I have a problem case open with IBM but I am hoping that you guys can successfully crystal ball this problem.

jefflowrey
Posted: Tue Mar 21, 2006 1:48 pm Post subject:
Grand Poobah
Joined: 16 Oct 2002 Posts: 19981
We're telling you to give us more information, so we can stop guessing.
Remember that the PR CLUSRCVR is used as the MODEL for CLUSSDRs.
_________________
I am *not* the model of the modern major general.

bbburson
Posted: Tue Mar 21, 2006 1:55 pm Post subject:
Partisan
Joined: 06 Jan 2004 Posts: 378 Location: Nowhere near a queue manager
ivanachukapawn wrote:
> I created Cluster Sender and Receiver channels for the 3 queue managers (2 of which are REPOS), and successfully enabled Clustering of the 3 queue managers. I then modified the Cluster Senders and Receivers to specify the appropriate Cipher Spec and checked that the /path information in the Queue Manager definition pointed to the keystore.
If you did not stop and start your queue managers between these two steps then your cluster is probably trying to continue to run with the non-SSL channel definitions on one end or the other. I ran into a similar situation when I first SSL'd my cluster. Bring all the queue managers down and then start fresh and see if that makes a difference.

ivanachukapawn
Posted: Tue Mar 21, 2006 2:02 pm Post subject:
Knight
Joined: 27 Oct 2003 Posts: 561
Jeff,
looking at
"Remember that the PR CLUSRCVR is used as the MODEL for CLUSSDRs."
I guess you mean that the cluster receiver for a queue manager should be named the same as the cluster sender to it from another queue manager. If that is correct, then I can tell you that that is the case.
If not, please tell me what you mean.
Also, thanks in advance for any help you give me on this. This case is totally baffling right now. I need help!
Incidentally, I'd be glad to give you any more information on this (short of ftp'ing you the Certs). I have listed all the keystores and verified that all the Certs are present and have correct labels and DNs. I have checked all the Cluster Channel definitions to make sure that the same CipherSpec is specified. What additional information would you like me to supply?
JD

jefflowrey
Posted: Tue Mar 21, 2006 2:09 pm Post subject:
Grand Poobah
Joined: 16 Oct 2002 Posts: 19981
No, what I mean is this.
When you add a queue manager to a cluster as a Partial Repository, you create CLUSSDRs that point to every FR. You also create a CLUSRCVR that points to the local queue manager.
When another queue manager needs to send a message to a PR, it creates an automatically defined CLUSSDR that uses the information from the CLUSRCVR for the destination PR.
So the cert information on the CLUSSDRs to the FRs needs to be the valid cert information for the FRs. But the cert information on CLUSRCVRs needs to be valid for the local queue manager.
As far as I remember.
_________________
I am *not* the model of the modern major general.

ivanachukapawn
Posted: Tue Mar 21, 2006 2:10 pm Post subject:
Knight
Joined: 27 Oct 2003 Posts: 561
Bruce,
Yes! I ran runmqsc for each queue manager and ran
REFRESH SECURITY TYPE(SSL) for each.
That didn't work. So I stopped and restarted all 3 queue managers to ensure a refresh.
That didn't solve the problem.
But thanks for the thought.
JD

HubertKleinmanns
Posted: Wed Mar 22, 2006 4:22 am Post subject:
Shaman
Joined: 24 Feb 2004 Posts: 732 Location: Germany
I do not have a crystal ball, so:
- Which platforms do we talk about?
- Which patch levels / CSDs do you have installed?
One hint: In cluster channels the attributes of a cluster receiver are copied to all automatic cluster sender definitions. So you need not modify your cluster sender channels. Alter only your cluster receiver channels; this should be sufficient.
_________________
Regards
Hubert

ivanachukapawn
Posted: Wed Mar 22, 2006 4:27 am Post subject:
Knight
Joined: 27 Oct 2003 Posts: 561
The problem environment:
MQ 6.0 with refresh pack 6.0.1.0 running on Solaris.
Note that non-SSL, the 3 queue managers are successfully clustered.
Note 2: The non-repository queue manager has one Cluster Sender channel to one of the full repository queue managers.

HubertKleinmanns
Posted: Wed Mar 22, 2006 4:44 am Post subject:
Shaman
Joined: 24 Feb 2004 Posts: 732 Location: Germany
Did you alter the attributes of the cluster receivers only, when you tried to enable SSL?
I assume the non-repository QMgr also has a definition of a cluster receiver channel!
Note: To enable SSL, first you have to add the CA certificates of your own MQ systems as well as those of your partner QMgrs (they may be different). Assure that the certificates of your QMgrs are signed by the same CAs, or insert the CA certificates of all QMgr certificates. Or do you use self-signed certificates?
Try the following steps:
1. Disable SSL by setting the SSLCIPH and SSLPEER attributes to a blank.
2. If the channels work fine, check the installed certificates:
Code:
gsk7cmd -cert -list all -db <path to your key db> -pw <your password>
3. Set the SSLCIPH attribute for the cluster receiver of only one repository to your required CipherSpec.
4. Now the connection to this repository should run with SSL, other connections still without SSL. If not, check the error messages.
Another note: Change only one QMgr (especially repositories) at a time, because this information needs to be sent to the other repository.
Hope this helps.
_________________
Regards
Hubert
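As an added illustration, not code from this thread or from IBM MQ itself, of two points made above, Jeff's that auto-defined CLUSSDRs are built from the target's CLUSRCVR and Hubert's that with self-signed certificates every key database needs every peer's certificate, here is a small Python consistency check. It parses saved DISPLAY CHANNEL output from each queue manager, compares every CLUSSDR's SSLCIPH with the SSLCIPH of the CLUSRCVR of the same name, then checks that each key database lists every queue manager's certificate label. The DISPLAY CHANNEL text, the certificate labels (MQ's ibmwebspheremq<qmgr> convention) and the CipherSpec TRIPLE_DES_SHA_US are constructed sample data, not taken from the poster's systems.

```python
import re

# Constructed sample output, imitating what `runmqsc QMn` prints for
# DISPLAY CHANNEL(*) CHLTYPE(CLUSRCVR) / CHLTYPE(CLUSSDR) CONNAME SSLCIPH.
# Not captured from the poster's systems: QM1 and QM2 play the full
# repositories, QM3 the partial repository, and TRIPLE_DES_SHA_US is an
# assumed CipherSpec (the thread never names one).
DISPLAY_CHANNEL = {
    "QM1": """
AMQ8414: Display Channel details.
   CHANNEL(TO.QM1)                         CHLTYPE(CLUSRCVR)
   CONNAME(host1(1414))                    SSLCIPH(TRIPLE_DES_SHA_US)
AMQ8414: Display Channel details.
   CHANNEL(TO.QM2)                         CHLTYPE(CLUSSDR)
   CONNAME(host2(1414))                    SSLCIPH(TRIPLE_DES_SHA_US)
""",
    "QM2": """
AMQ8414: Display Channel details.
   CHANNEL(TO.QM2)                         CHLTYPE(CLUSRCVR)
   CONNAME(host2(1414))                    SSLCIPH(TRIPLE_DES_SHA_US)
AMQ8414: Display Channel details.
   CHANNEL(TO.QM1)                         CHLTYPE(CLUSSDR)
   CONNAME(host1(1414))                    SSLCIPH( )
""",
    "QM3": """
AMQ8414: Display Channel details.
   CHANNEL(TO.QM3)                         CHLTYPE(CLUSRCVR)
   CONNAME(host3(1414))                    SSLCIPH(TRIPLE_DES_SHA_US)
AMQ8414: Display Channel details.
   CHANNEL(TO.QM1)                         CHLTYPE(CLUSSDR)
   CONNAME(host1(1414))                    SSLCIPH(TRIPLE_DES_SHA_US)
""",
}

# Constructed certificate labels per key database, as `gsk7cmd -cert -list all`
# would list them; QM3's key db is missing QM2's self-signed certificate.
KEYSTORE_LABELS = {
    "QM1": {"ibmwebspheremqqm1", "ibmwebspheremqqm2", "ibmwebspheremqqm3"},
    "QM2": {"ibmwebspheremqqm1", "ibmwebspheremqqm2", "ibmwebspheremqqm3"},
    "QM3": {"ibmwebspheremqqm1", "ibmwebspheremqqm3"},
}

RECORD_START = "AMQ8414: Display Channel details."
# NAME(value) tokens; a value may hold one nested pair, e.g. CONNAME(host1(1414)),
# and a blank attribute prints as SSLCIPH( ).
ATTR = re.compile(r"\b([A-Z]+)\(((?:[^()]|\([^()]*\))*)\)")


def parse_channels(text):
    """Return one {attribute: value} dict per channel record in the output."""
    return [{name: value.strip() for name, value in ATTR.findall(record)}
            for record in text.split(RECORD_START)[1:]]


def check_cipherspecs(display_by_qm):
    """Compare each CLUSSDR with the CLUSRCVR of the same name it points at.

    Auto-defined CLUSSDRs copy the target's CLUSRCVR, so once the cluster has
    propagated a change they agree with it; the explicit CLUSSDRs to the full
    repositories are the ones that can be left behind, as QM2's is here.
    """
    receivers = {}  # channel name -> (owning qmgr, SSLCIPH)
    senders = []    # (defining qmgr, channel name, SSLCIPH)
    for qm, text in display_by_qm.items():
        for ch in parse_channels(text):
            if ch.get("CHLTYPE") == "CLUSRCVR":
                receivers[ch["CHANNEL"]] = (qm, ch.get("SSLCIPH", ""))
            elif ch.get("CHLTYPE") == "CLUSSDR":
                senders.append((qm, ch["CHANNEL"], ch.get("SSLCIPH", "")))
    findings = []
    for qm, name, ciph in senders:
        if name not in receivers:
            findings.append(f"{qm}: CLUSSDR {name} matches no CLUSRCVR in the cluster")
            continue
        target, target_ciph = receivers[name]
        if ciph != target_ciph:
            findings.append(f"{qm}: CLUSSDR {name} SSLCIPH({ciph or ' '}) does not match "
                            f"CLUSRCVR {name} on {target} SSLCIPH({target_ciph or ' '})")
    return findings


def cert_label(qm):
    """MQ's default label for a queue manager's own certificate."""
    return "ibmwebspheremq" + qm.lower()


def check_keystores(labels_by_qm):
    """With self-signed certs, every key db must hold its own and every peer's cert."""
    findings = []
    for qm, labels in labels_by_qm.items():
        for peer in labels_by_qm:
            if cert_label(peer) not in labels:
                who = "its own" if peer == qm else f"{peer}'s"
                findings.append(f"{qm}: key db lacks {who} certificate {cert_label(peer)}")
    return findings


if __name__ == "__main__":
    for line in check_cipherspecs(DISPLAY_CHANNEL) + check_keystores(KEYSTORE_LABELS):
        print(line)
```

Run it against the DISPLAY CHANNEL output and gsk7cmd listings captured from each queue manager before restarting anything: a CLUSSDR with a blank SSLCIPH facing a CLUSRCVR with a CipherSpec is exactly the half-converted state bbburson and Hubert describe, and a key database missing a peer's self-signed certificate will fail the handshake no matter how the channels are defined.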

ivanachukapawn
Posted: Wed Mar 22, 2006 6:04 am Post subject:
Knight
Joined: 27 Oct 2003 Posts: 561
Update for all concerned helpers (and grandmasters).
I am using self-signed certificates.
Technique used for enabling SSL on an already working Cluster was to specify CipherSpec on all the Cluster Sender/Receiver channels and ensure that the 3 queue managers all pointed to their Keystores correctly. I gather that this is not the recommended procedure and may be the cause of my difficulties. So I am going back to square one to obtain a working NON-SSL cluster, then I'll enable SSL by specifying CipherSpec on one Cluster Receiver channel at a time. Hopefully I'll be able to start the channels doing it this way.
Thanks in advance for all the great assistance on this problem.
I'll post results on my latest test one way or another.
Thanks again,
JD

HubertKleinmanns
Posted: Wed Mar 22, 2006 8:12 am Post subject:
Shaman
Joined: 24 Feb 2004 Posts: 732 Location: Germany
ivanachukapawn wrote:
> ...I am using self-signed certificates.
Then you need to insert all certificates into all QMgr key databases!
ivanachukapawn wrote:
> Technique used for enabling SSL on an already working Cluster was to specify CipherSpec on all the Cluster Sender/Receiver channels and ensure that the 3 queue managers all pointed to their Keystores correctly.
Again: You only have to alter the cluster receiver channels.
ivanachukapawn wrote:
> So I am going back to square one to obtain a working NON-SSL cluster, then I'll enable SSL by specifying CipherSpec on one Cluster Receiver channel at a time.
Give the cluster time to distribute the alteration of the cluster receiver and to alter the automatic cluster sender definitions.
You will have the same problem when you change the IP addresses of your cluster repositories at the same time. The repositories need a chance to exchange their information.
_________________
Regards
Hubert

wschutz
Posted: Wed Mar 22, 2006 8:25 am Post subject:
Jedi Knight
Joined: 02 Jun 2005 Posts: 3316 Location: IBM (retired)
Quote:
> Problem: Cluster Sender and Receiver channels will not start when SSL enabled.
I don't think anyone has asked this: What errors are you seeing in your AMQERR01.LOG files on both ends of the cluster channels?
_________________
-wayne