KCW
Posted: Mon Apr 14, 2008 7:22 am Post subject: Client channels with SSL
Newbie
Joined: 14 Apr 2008 Posts: 4
Windows appeared to have lost a key from its keystore, so I reimported it using Internet Explorer, then used amqmcert -a to install it in the MQ keystore.
This appeared to complete OK, and amqmcert -l seemed to show that the key was present.
However, trying an amqsputc command resulted in:
04/14/08 15:52:04
AMQ9699: An unknown error occurred during an SSL security call during SSL
handshaking.
EXPLANATION:
An unknown error occurred during an SSPI call to the Secure Channel (Schannel)
SSL provider during SSL handshaking. The error may be due to a Windows SSL
problem or to a general Windows problem or to invalid WebSphere MQ data being
used in the call. The WebSphere MQ error recording routine has been called. The
error has caused WebSphere MQ channel name 'MQ.CLT.LP.MQS8 ' to be closed.
If the name is '????' then the name is unknown.
ACTION:
Consult the Windows Schannel reference manual to determine the meaning of
status 0x80090320 for SSPI call InitializeSecurityContext.
And an FFST:
| Probe Id :- CO272005 |
| Application Name :- MQM |
| Component :- cciTcpSslPerformClientHandshakeLoop |
| Build Date :- Dec 20 2006 |
| CMVC level :- p530-13-L061220 |
| Build Type :- IKAP - (Production) |
| UserID :- EATONP |
| Process Name :- C:\Program Files\IBM\WebSphere MQ\bin\amqsputc.exe |
| Process :- 00000366 |
| Thread :- 00000001 |
| Major Errorcode :- rrcE_SSL_SSPI_ERROR_HANDSHAKING |
| Minor Errorcode :- OK |
| Probe Type :- MSGAMQ9699 |
| Probe Severity :- 2 |
| Probe Description :- AMQ9699: An unknown error occurred during an SSL |
| security call during SSL handshaking. |
| FDCSequenceNumber :- 0 |
| Comment1 :- MQ.CLT.LP.MQS8 |
| |
| Comment2 :- InitializeSecurityContext |
| |
| Comment3 :- 0x80090320 |
MQM Trace History
--------{ xcsFreeMem
--------} xcsFreeMem rc=OK
-------} xusDelStanzaLineList rc=OK
------} xurClearStanzaList rc=OK
-----} xcsBrowseRegistryCallback rc=xecU_W_KEY_NOT_FOUND
----} xcsBrowseIniCallback rc=xecU_W_KEY_NOT_FOUND
How can I tell if the key is really there?
Is it possible to clean up all the MQ key information and start all over again?
Gaya3
Posted: Mon Apr 14, 2008 8:35 pm Post subject:
Jedi
Joined: 12 Sep 2006 Posts: 2493 Location: Boston, US
Hope you refreshed the security at the client side too.
If not, you have to do that here as well to have proper handshaking.
Regards
Gayathri
KCW
Posted: Tue Apr 15, 2008 8:05 am Post subject:
Newbie
Joined: 14 Apr 2008 Posts: 4
Presumably that should be REFRESH SECURITY on the server side? The client side (Windows) has no queue manager. The server side is zOS.
I have an identical Windows setup where the channel is also failing to connect, after I tried to reimport the certificate in the MQ key store.
The error I get here is AMQ9698, with status code 0x80090304, which means that the Local Security Authority cannot be contacted.
I have just "inherited" these Windows machines, with the certificates having been generated some time last year. As I am new to an environment where security is important and SSL-enabled channels are required, I am a bit lost.
jefflowrey
Posted: Tue Apr 15, 2008 8:07 am Post subject:
Grand Poobah
Joined: 16 Oct 2002 Posts: 19981
It's probably a good idea to migrate to v6 as soon as possible.
Then it's much clearer where the certificates are and whether they're still valid.
KCW
Posted: Thu Apr 24, 2008 6:32 am Post subject:
Newbie
Joined: 14 Apr 2008 Posts: 4
I fixed this last week:
Where the error was 0x80090304, I removed the certs using amqmcert -r, then amqmcert -a to put them back in.
Where the error was 0x80090320, I found that the client channel table was pointed to a queue manager that it should not have been. I corrected this and reinstalled the cert.
Both client channels work OK now.
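Added example (not code from any poster or from IBM): a Python triage helper that parses the FFST header layout quoted in the first post, splits the SSPI status in Comment3 into its HRESULT facility and code, and attaches what resolved each code in this thread. The function names and the embedded sample are constructed here; the symbolic names are the Windows SDK (winerror.h) names for the two status values.

```python
import re

# Status codes seen in this thread: (winerror.h name, Windows message text,
# what resolved it for the poster in this thread).
SSPI_STATUS = {
    0x80090304: ("SEC_E_INTERNAL_ERROR",
                 "The Local Security Authority cannot be contacted",
                 "removed the certs with amqmcert -r, re-added with amqmcert -a"),
    0x80090320: ("SEC_E_CERT_UNKNOWN",
                 "An unknown error occurred while processing the certificate",
                 "corrected the client channel table's queue manager, reinstalled the cert"),
}
FACILITY_SSPI = 9  # HRESULT facility used by SSPI/Schannel status codes

# Constructed sample: a subset of the FFST header rows quoted in the first post.
SAMPLE_FDC = """\
| Probe Id :- CO272005 |
| Component :- cciTcpSslPerformClientHandshakeLoop |
| Major Errorcode :- rrcE_SSL_SSPI_ERROR_HANDSHAKING |
| Probe Description :- AMQ9699: An unknown error occurred during an SSL |
| security call during SSL handshaking. |
| Comment1 :- MQ.CLT.LP.MQS8 |
| |
| Comment2 :- InitializeSecurityContext |
| |
| Comment3 :- 0x80090320 |
"""

ROW = re.compile(r"^\|\s*([^|]*?)\s*:-\s*(.*?)\s*\|?\s*$")

def parse_fdc_header(text):
    """Map field name -> value; rows without ':-' continue the previous value."""
    fields, last = {}, None
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            last = m.group(1)
            fields[last] = m.group(2)
        elif last and line.strip("| \t"):
            fields[last] += " " + line.strip("| \t")
    return fields

def triage(text):
    """Summarise the SSL failure recorded in one FFST header."""
    f = parse_fdc_header(text)
    status = int(f["Comment3"], 16)
    facility, code = (status >> 16) & 0x7FF, status & 0xFFFF
    name, message, fix = SSPI_STATUS.get(status, ("unknown", "", ""))
    return {"channel": f["Comment1"], "sspi_call": f["Comment2"],
            "facility_is_sspi": facility == FACILITY_SSPI, "code": code,
            "name": name, "message": message, "fix_in_thread": fix}
```

A status whose facility is 9 but which is not in the table is still an SSPI/Schannel code; look it up in winerror.h rather than treating it as an MQ error.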
Vitor
Posted: Thu Apr 24, 2008 6:34 am Post subject:
Grand High Poobah
Joined: 11 Nov 2005 Posts: 26093 Location: Texas, USA
Thanks for posting your solution