Author |
Message
|
futuremqguruihope |
Posted: Wed Apr 18, 2007 2:10 pm Post subject: MQCONN ended with reason code 2393 |
|
|
Novice
Joined: 18 Apr 2007 Posts: 10
|
Hi. I am running WSMQ version 6 client on a Windows 2003 server and I'm trying to get SSL to work. I have the personal cert installed in my key database. It's a VeriSign cert and I keep getting the error:
No SSL certificate for channel '%**.******.****'.
The channel '%**.******.****' did not supply a certificate to use during SSL handshaking, but a certificate is required by the remote queue manager. The channel did not start.
Ensure that the key repository of the local queue manager or MQ client contains an SSL certificate which is associated with the queue manager or client. Alternatively, if appropriate, change the remote channel definition so that its SSLCAUTH attribute is set to OPTIONAL and it has no SSLPEER value set. &P If you have migrated from WebSphere MQ V5.3 to V6, it is possible that the missing certificate is due to a failure during SSL key repository migration. Check the relevant error logs. If these show that an orphan certificate was encountered then you should obtain the relevant missing certification authority (signer) certificates and then import these and the orphan certificate into the WebSphere MQ V6 key repository, and then re-start the channel.
---
HELP! |
jefflowrey |
Posted: Wed Apr 18, 2007 2:13 pm Post subject: |
|
|
Grand Poobah
Joined: 16 Oct 2002 Posts: 19981
|
I always use the Support Pack MO04 to get started with SSL.
It will generate all the commands you need to configure the channels and create and import the certs. _________________ I am *not* the model of the modern major general. |
marcin.kasinski |
Posted: Thu Apr 19, 2007 3:59 am Post subject: Re: MQCONN ended with reason code 2393 |
|
|
Sentinel
Joined: 21 Dec 2004 Posts: 850 Location: Poland / Warsaw
|
What is the name of your personal cert installed in the key database?
It should be "ibmwebspheremqYOURQMNAMELOWERCASE" for QM
and "ibmwebspheremqYOURUSERID" for client application.
Everything lowercase. _________________ Marcin |
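The label rule from this reply, as an added example (not part of the original post, and not IBM code): a small Python check that classifies the labels listed from a key repository against the expected `ibmwebspheremq` + name label. The sample listings, the `AppUser` ID and the treatment of a leading `*` as list decoration are assumptions.

```python
PREFIX = "ibmwebspheremq"  # fixed prefix, as given in the thread


def expected_label(name):
    """Label per the rule quoted above: prefix + QM name or user ID, lowercase."""
    return PREFIX + name.strip().lower()


def normalise(listed):
    """Drop a leading '*' marker such as the one in the label posted in the
    thread (assumption: the marker is list decoration, not part of the label)."""
    listed = listed.strip()
    return listed[1:].strip() if listed.startswith("*") else listed


def check_repository(listed_labels, name):
    """Classify a repository listing against the expected label.

    Returns (status, label) where status is one of
    'ok', 'wrong-case', 'missing-suffix' or 'absent'.
    """
    want = expected_label(name)
    labels = [normalise(item) for item in listed_labels]
    if want in labels:
        return "ok", want
    for label in labels:
        if label.lower() == want:      # right text, but not all lowercase
            return "wrong-case", label
    for label in labels:
        if label.lower() == PREFIX:    # prefix only, no QM name or user ID
            return "missing-suffix", label
    return "absent", want              # no personal cert under that label


# Constructed sample listings (not taken from a real key database).
SAMPLES = {
    "as posted in the thread": ["* ibmwebspheremq", "example signer"],
    "mixed case": ["ibmwebsphereMQAppuser"],
    "correct": ["ibmwebspheremqappuser"],
    "signer only": ["example signer"],
}

if __name__ == "__main__":
    for title, listing in SAMPLES.items():
        status, label = check_repository(listing, "AppUser")
        print(f"{title:26} {status:15} {label!r}")
```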
futuremqguruihope |
Posted: Thu Apr 19, 2007 6:29 am Post subject: Re: MQCONN ended with reason code 2393 |
|
|
Novice
Joined: 18 Apr 2007 Posts: 10
|
Hey guys thanks for getting back.
The name of the cert is "* ibmwebspheremq".
How do I know which userid to use and how can I change the label on the personal cert? Or would VeriSign change the label?
I will look into the support pack!
Thanks so much. |
marcin.kasinski |
Posted: Thu Apr 19, 2007 6:38 am Post subject: Re: MQCONN ended with reason code 2393 |
|
|
Sentinel
Joined: 21 Dec 2004 Posts: 850 Location: Poland / Warsaw
|
futuremqguruihope wrote: |
The name of the cert is "* ibmwebspheremq".
|
It's not the correct name of the cert. I placed the correct names here.
futuremqguruihope wrote: |
How do I configure the userid? |
An application is always started in the context of a concrete user.
The userid is the name of this system user. _________________ Marcin |
futuremqguruihope |
Posted: Thu Apr 19, 2007 6:46 am Post subject: Re: MQCONN ended with reason code 2393 |
|
|
Novice
Joined: 18 Apr 2007 Posts: 10
|
Is this concrete user the user currently logged into Windows?
Also, how do I change "ibmwebspheremq" to "ibmwebspheremq<userid>"? Not sure where to make this change.
Thanks. |
jefflowrey |
Posted: Thu Apr 19, 2007 6:49 am Post subject: Re: MQCONN ended with reason code 2393 |
|
|
Grand Poobah
Joined: 16 Oct 2002 Posts: 19981
|
futuremqguruihope wrote: |
Is this concrete user the user currently logged into Windows? |
Yes.
futuremqguruihope wrote: |
Also, how do I change "ibmwebspheremq" to "ibmwebspheremq<userid>"? Not sure where to make this change. |
It's the label of the cert. It may or may not be changeable; if it is, it would be done in iKeyMan. _________________ I am *not* the model of the modern major general. |
futuremqguruihope |
Posted: Thu Apr 19, 2007 7:31 am Post subject: Re: MQCONN ended with reason code 2393 |
|
|
Novice
Joined: 18 Apr 2007 Posts: 10
|
Thank you. One more thing.
Ultimately, I'm trying to incorporate this into a VB.NET application once I get the SSL handshake to work.
Does this mean the username should be the aspnet worker process? Or who would it be in this case? |
jefflowrey |
Posted: Thu Apr 19, 2007 8:48 am Post subject: |
|
|
Grand Poobah
Joined: 16 Oct 2002 Posts: 19981
|
In all cases, it will be the user that is executing the program.
In the case of web deployed applications, particularly under IIS, this is entirely subject to configuration. _________________ I am *not* the model of the modern major general. |
kats |
Posted: Mon Apr 23, 2007 6:39 am Post subject: Re: MQCONN ended with reason code 2393 |
|
|
Voyager
Joined: 20 Apr 2006 Posts: 78
|
marcin.kasinski wrote: |
What is the name of your personal cert installed in the key database?
It should be "ibmwebspheremqYOURQMNAMELOWERCASE" for QM
and "ibmwebspheremqYOURUSERID" for client application.
Everything lowercase. |
So should I create a cert on client side with label ibmwebspheremqYOURUSERID and import it in qmgr key.kdb?
If so, what about the domain IDs on NT? E.g.
if the ID is XYZ@companyname.com, what should the label be:
ibmwebspheremqxyz OR
ibmwebspheremqxyz@companyname.com
One more question:
According to IBM procedures: http://www-1.ibm.com/support/docview.wss?uid=swg21213079
They didn't mention creation of a cert on the MQ client machine in the first place, just addition of the cert (exported from the Qmgr key.kdb) into the key.kdb residing on the MQ client... or am I overlooking something somewhere else?
Also, when we transfer XXXX.arm file, is transfer binary or ascii?
So far I used to believe it's binary, but I am stuck on 2393... makes me explore all options _________________ If everything goes well, don't panic, it won't last for long. |
kats |
Posted: Wed Apr 25, 2007 7:29 am Post subject: |
|
|
Voyager
Joined: 20 Apr 2006 Posts: 78
|
Hi again,
MQ Client on Win XP (SP-2) and MQ 6.0.2.1 Server on SunOS 5.9.
I'm only dealing with self-signed certs.
I went thru Support Pack MO04, and I can figure out that:
If we have to authenticate the MQ Client, then we have to create a self-signed cert for the MQ client along with the qmgr, and ftp mode is ascii. (Strangely, I remember that I always used ftp as binary transfer and it always worked.) So if ALTER CHANNEL(RAMAN.SVRCONN) CHLTYPE(SVRCONN) SSLCAUTH(REQUIRED) is used, the MQ client is authenticated.
But if ALTER CHANNEL(RAMAN.SVRCONN) CHLTYPE(SVRCONN) SSLCAUTH(OPTIONAL) is used, the MQ client is not authenticated and we don't have to create a self-signed cert on the MQ client.
Only the self-signed cert created at key.kdb (qmgr side) is ftped to the Client and added to Key.kdb (Client).
So I tried the first method.
C:\program files\IBM\WebSphere MQ\Clients\ssl>amqsputc SYSTEM.DEFAULT.LOCAL.QUEUE QM1
Sample AMQSPUT0 start
MQCONN ended with reason code 2393
Please throw your comments/vague experiences...It doesn't have to be accurate...just discussion. _________________ If everything goes well, don't panic, it won't last for long. |
kats |
Posted: Wed Apr 25, 2007 7:58 am Post subject: |
|
|
Voyager
Joined: 20 Apr 2006 Posts: 78
|
My ID on the Windows box (MQ client) is a domain ID. It's XYZ@company.com
Also I created the certificate on the MQ client with label: ibmwebspheremqxyz and not ibmwebspheremqxyz@company.com.
Also my Windows domain ID doesn't exist on the server under any group. I'm making use of the MCAUSER field of the SVRCONN channel to pass through by plugging in an ID with max authority. Works fine without SSL.
Could that be a problem? I doubt it. _________________ If everything goes well, don't panic, it won't last for long. |
kats |
Posted: Wed Apr 25, 2007 9:22 am Post subject: |
|
|
Voyager
Joined: 20 Apr 2006 Posts: 78
|
I'm getting MQCONN ended with reason code 2393 when I transfer AMQCLCHL.TAB before SSL.
Size of file is 4kb.
I'm getting MQCONN ended with reason code 2381 when I transfer AMQCLCHL.TAB after SSL.
Size of this file is 6kb.
The error in the error logs is AMQ9639.
Wondering, has anybody ever put SSL on SVRCONN channels? _________________ If everything goes well, don't panic, it won't last for long. |