SSL Help! |
LoveLess | Novice | Joined: 26 Jun 2007 | Posts: 23
Posted: Thu Sep 27, 2007 2:13 am | Post subject: SSL Help!
Hi,
I am trying to implement SSL between two Queue Managers on the same Windows machine. I have done everything under the sun to get the channels running but they are always in the retrying state.
WinXP with MQ 6.
The certificates are Self Signed.
I can see both the certificates "myCAcertfile1.cer" and "myCAcertfile2.cer"
when I run "runmqckm -cert -list -db key.kdb -pw password" in the ssl directory of both the QMs.
The Sender and the Receiver channels have the same cipher spec DES_SHA_EXPORT.
They are running fine without SSL.
With SSL the channels are in the retrying state.
The key repository path is C:\Program Files\IBM\WebSphere MQ\Qmgrs\R1\ssl\key and C:\Program Files\IBM\WebSphere MQ\Qmgrs\R2\ssl\key for R1 and R2 respectively.
The script executed is as follows:
runmqckm -keydb -create -db "C:\Program Files\IBM\WebSphere MQ\Qmgrs\R1\ssl\key.kdb" -pw password -type cms -stash
runmqckm -keydb -create -db "C:\Program Files\IBM\WebSphere MQ\Qmgrs\R2\ssl\key.kdb" -pw password -type cms -stash
runmqckm -cert -create -db "C:\Program Files\IBM\WebSphere MQ\Qmgrs\R1\ssl\key.kdb" -pw password -type cms -label "myCAcertificate1" -dn "CN=myCAName,O=myOrganisation,OU=myDepartment,L=myLocation,C=UK" -expire 1000 -size 1024
runmqckm -cert -extract -db "C:\Program Files\IBM\WebSphere MQ\Qmgrs\R1\ssl\key.kdb" -pw password -type cms -label "myCAcertificate1" -target "C:\Program Files\IBM\WebSphere MQ\Qmgrs\R2\ssl\myCAcertfile1.cer" -format ascii
runmqckm -cert -create -db "C:\Program Files\IBM\WebSphere MQ\Qmgrs\R2\ssl\key.kdb" -pw password -type cms -label "myCAcertificate2" -dn "CN=myCAName,O=myOrganisation,OU=myDepartment,L=myLocation,C=UK" -expire 1000 -size 1024
runmqckm -cert -extract -db "C:\Program Files\IBM\WebSphere MQ\Qmgrs\R2\ssl\key.kdb" -pw password -type cms -label "myCAcertificate2" -target "C:\Program Files\IBM\WebSphere MQ\Qmgrs\R1\ssl\myCAcertfile2.cer" -format ascii
runmqckm -cert -add -db "C:\Program Files\IBM\WebSphere MQ\Qmgrs\R1\ssl\key.kdb" -pw password -type cms -file "C:\Program Files\IBM\WebSphere MQ\Qmgrs\R1\ssl\myCAcertfile2.cer" -label "myCAcertificate2"
runmqckm -cert -add -db "C:\Program Files\IBM\WebSphere MQ\Qmgrs\R2\ssl\key.kdb" -pw password -type cms -file "C:\Program Files\IBM\WebSphere MQ\Qmgrs\R2\ssl\myCAcertfile1.cer" -label "myCAcertificate1"
Is there anything more that I have to do?
Please write back if anybody needs more information.
Thanks in advance.
 _________________ Screw the Roses, Send Me the Thorns |
Vitor | Grand High Poobah | Joined: 11 Nov 2005 | Posts: 26093 | Location: Texas, USA
Posted: Thu Sep 27, 2007 2:21 am
Can you post the SSL settings for the queue manager & the channels in question?
Also relevant entries (if any) in the queue manager logs?
_________________ Honesty is the best policy.
Insanity is the best defence. |
LoveLess | Novice | Joined: 26 Jun 2007 | Posts: 23
Posted: Thu Sep 27, 2007 3:40 am
Thanks for the quick reply.

Here are the SSL settings for the queue manager R1:
Key repository: C:\Program Files\IBM\WebSphere MQ\Qmgrs\R1\ssl\key
Authentication Information check box has been unchecked.
CRL namelist: Left blank
Cryptographic hardware: No encryption hardware specified
SSL reset count: 0
SSL FIPS required: No

Here are the SSL settings for the queue manager R2:
Key repository: C:\Program Files\IBM\WebSphere MQ\Qmgrs\R2\ssl\key
Authentication Information check box has been left unticked.
CRL namelist: Left blank
Cryptographic hardware: No encryption hardware specified
SSL reset count: 0
SSL FIPS required: No

Here are the SSL settings for the Sender channel:
SSL CipherSpec: DES_SHA_EXPORT
Accept only certificates check box is left unticked.
Authentication of parties initiating connections: Required

Here are the SSL settings for the Receiver channel:
SSL CipherSpec: DES_SHA_EXPORT
Accept only certificates check box is left unticked.
Authentication of parties initiating connections: Required

Error for queue manager R1:
9/27/2007 17:06:22 - Process(3240.1) User(u15911) Program(runmqchl.exe)
AMQ9002: Channel 'Sender' is starting.
EXPLANATION:
Channel 'Sender' is starting.
ACTION:
None.
-------------------------------------------------------------------------------
9/27/2007 17:06:22 - Process(3240.1) User(u15911) Program(runmqchl.exe)
AMQ9209: Connection to host 'D704DTRV (192.168.12.175)' closed.
EXPLANATION:
An error occurred receiving data from 'D704DTRV (192.168.12.175)' over TCP/IP.
The connection to the remote host has unexpectedly terminated.
ACTION:
Tell the systems administrator.
----- amqccita.c : 3248 -------------------------------------------------------
9/27/2007 17:06:22 - Process(3240.1) User(u15911) Program(runmqchl.exe)
AMQ9999: Channel program ended abnormally.
EXPLANATION:
Channel program 'Sender' ended abnormally.
ACTION:
Look at previous error messages for channel program 'Sender' in the error files
to determine the cause of the failure.
----- amqrccca.c : 777 --------------------------------------------------------
Thanks
 _________________ Screw the Roses, Send Me the Thorns |
LoveLess | Novice | Joined: 26 Jun 2007 | Posts: 23
Posted: Thu Sep 27, 2007 5:19 am
I got it working at last!!
I changed the labels assigned to the certificates to
ibmwebspheremqqmname.
Thanks
 _________________ Screw the Roses, Send Me the Thorns |
Vitor | Grand High Poobah | Joined: 11 Nov 2005 | Posts: 26093 | Location: Texas, USA
Posted: Thu Sep 27, 2007 5:22 am
LoveLess wrote:
I got it working at last!!

Well done you!
Thanks for posting the solution.
_________________ Honesty is the best policy.
Insanity is the best defence. |
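
The fix reported in this thread, as an added example that is not part of the original posts: WebSphere MQ 6 selects the queue manager's own certificate by the label ibmwebspheremq followed by the queue manager name in lower case, so a certificate stored as myCAcertificate1 is never picked up. The Python check below looks for that label in `runmqckm -cert -list` output; the listing layout, both sample listings and all function names are assumptions made for this example.

```python
import re

LABEL_PREFIX = "ibmwebspheremq"  # prefix MQ 6 expects on the queue manager's own certificate

def expected_label(qmgr_name):
    """Label the queue manager looks up: prefix + name folded to lower case."""
    return LABEL_PREFIX + qmgr_name.lower()

def parse_labels(listing):
    """Extract labels from `runmqckm -cert -list` output.

    Assumed layout (not taken from the thread): a "Certificates in database"
    header, then one label per line, optionally after a one-character flag.
    """
    labels = []
    for line in listing.splitlines():
        text = line.strip()
        if not text or text.lower().startswith("certificates in database"):
            continue
        labels.append(re.sub(r"^[*!#-]\s+", "", text))
    return labels

def check_repository(qmgr_name, listing):
    """Report whether the key repository holds the label the queue manager needs."""
    labels = parse_labels(listing)
    want = expected_label(qmgr_name)
    if want in labels:
        status = "ok"
    elif any(label.lower() == want for label in labels):
        status = "wrong-case"   # right name, but not folded to lower case
    else:
        status = "missing"      # the situation produced by the original script
    return {"qmgr": qmgr_name, "expected": want, "status": status, "labels": labels}

# Constructed listings for R1's key.kdb: labels from the original script, then renamed.
BEFORE_R1 = """Certificates in database: key.kdb
   myCAcertificate1
   myCAcertificate2
"""
AFTER_R1 = """Certificates in database: key.kdb
   ibmwebspheremqr1
   ibmwebspheremqr2
"""

if __name__ == "__main__":
    for name, listing in (("before", BEFORE_R1), ("after", AFTER_R1)):
        result = check_repository("R1", listing)
        print(name, result["expected"], result["status"])
```

Only the queue manager's own certificate needs this label; the partner's extracted certificate is added as a signer and is not looked up by this rule.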