Unable to verify the SSL setup between queue manager and MQ
Sunil (Novice; Joined: 20 May 2008; Posts: 11)
Posted: Wed Jul 09, 2008 8:28 am
Post subject: Unable to verify the SSL setup between queue manager and MQ

We are doing an MQ setup to do remote administration, using MQ Explorer, on a queue manager installed on a different machine. MQ Explorer will connect to the remote queue manager using the SSL protocol.
MQ SETUP
Machine A
This is the machine where MQ Explorer is installed.
Operating system: Windows XP
MQ version: 6.0.2.0 (MQ Explorer)
Access setup
userA exists on machine A.
Machine B
This is the machine where the queue manager which needs to be remotely administered is running.
Operating system: Windows XP
MQ version: 6.0
Server Connection Channel: RCR (MCA User ID attribute = userA)
Access setup
A user with the same name “userA” also exists on machine B and belongs to the group Users (Windows OS group).
userA has the following privileges in the queue manager running on machine B.
Queue manager
setmqaut -m QMGB -t q -n SYSTEM.DEFAULT.MODEL.QUEUE -g Users +get +browse +inq
Queues
setmqaut -m QMGRB -t q -n SYSTEM.ADMIN.COMMAND.QUEUE -g Users +get +browse +inq +put
setmqaut -m QMGRB -t q -n SYSTEM.MQEXPLORER.REPLY.MODEL -g Users +inq +browse +get +dsp
setmqaut -m QMGRB -t q -n queuename -g Users +all
setmqaut -m QMGRB -t q -n queuename -g Users +all
Channels
setmqaut -m QMGRB -t channel -n RCR -g Users +dsp
Setup verification
Without SSL
The user connects to the queue manager running on Machine B from Machine A using MQ Explorer. Explorer connects to the queue manager running on the default port and server connection channel RCR. This is working fine.
With SSL
SSL Setup
Machine B
Create a CMS key database called key.kdb.
Create a self signed certificate RCR.arm for this key database.
Export the certificate and transfer to machine A.
SSL Attribute of QMGRB points to key database key.kdb.
SSL Cipher Attribute (ssl_cipher_spec) of channel RCR is set to TRIPLE_DES_SSH_US.
Machine A
Create a jks key database (also tried with CMS database) called key.jks.
Add self signed certificate RCR.arm in this database.
MQ Explorer SSL configuration
Category: SSL Client Certificate store
Trusted Certificate store: key.jks
Setup verification
MQ Explorer is not able to connect to the queue manager running on Machine B. It throws the error message “Could not establish connection to queue manager (AMQ4059)”. However, when we unset ssl_cipher_spec on channel RCR then it works.
We are not sure if SSL is used by Explorer to connect to the queue manager.
We also tried to do the SSL setup using a client connection channel table. Explorer was using it to connect to the queue manager.
Referred Documents
MQ Explorer SSL: http://hursleyonwmq.wordpress.com/2007/07/30/using-websphere-mq-explorer-with-ssl/
MQ Explorer as a read-only viewer: http://hursleyonwmq.wordpress.com/2007/02/08/using-websphere-mq-explorer-as-a-read-only-viewer/
Using the WebSphere MQ Explorer to connect to a remote queue manager using SSL enabled MQI channels:
http://publib.boulder.ibm.com/infocenter/wmqv6/v6r0/index.jsp?topic=/com.ibm.mq.amqzag.doc/fa12120_.htm

exerk (Jedi Council; Joined: 02 Nov 2006; Posts: 6339)
Posted: Wed Jul 09, 2008 11:29 am

Presumably this TRIPLE_DES_SSH_US is a typo?
Are you setting any environment variables?
_________________
It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys.

zhanghz (Disciple; Joined: 17 Jun 2008; Posts: 186)
Posted: Thu Jul 10, 2008 8:09 am

I have also tried to use MQ Explorer to do remote administration. I also encountered the same error you had, but unfortunately I am still unable to connect using SSL.
AMQ4059 is because the MQ client does not set CIPH SPEC. This conclusion is supported by the fact that you were able to connect after you removed CIPH SPEC from the svrconn channel. A channel definition table should be used when connecting to the remote qmgr, with the client channel having the same CIPH SPEC as the svrconn channel.
If you can connect successfully using SSL, please post your solution so that I can have a look too. I am stuck at "SSL certificate failed remote check". My post is at http://www.mqseries.net/phpBB2/viewtopic.php?t=44197 .
Thanks.
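
The comparison described in the post above, as an added example that is not part of the original thread: it parses runmqsc DISPLAY CHANNEL output and reports when the SVRCONN and CLNTCONN definitions of a channel carry blank or different SSLCIPH values. The sample output is constructed, and the CipherSpec name TRIPLE_DES_SHA_US used in it comes from the WebSphere MQ documentation, not from this thread.

```python
import re

# Constructed sample of runmqsc "DISPLAY CHANNEL(RCR) CHLTYPE SSLCIPH" output.
# The CLNTCONN side has a blank SSLCIPH, the case described in the post above.
SAMPLE = """\
AMQ8414: Display Channel details.
   CHANNEL(RCR)                            CHLTYPE(SVRCONN)
   SSLCIPH(TRIPLE_DES_SHA_US)
AMQ8414: Display Channel details.
   CHANNEL(RCR)                            CHLTYPE(CLNTCONN)
   SSLCIPH( )
"""

# MQSC prints attributes as KEYWORD(value); blank values appear as KEYWORD( ).
ATTR = re.compile(r"(\w+)\(([^)]*)\)")


def parse_channels(text):
    """Split the output on AMQ8414 headers; return one attribute dict per record."""
    chunks = re.split(r"^AMQ8414:.*$", text, flags=re.M)[1:]
    return [{k: v.strip() for k, v in ATTR.findall(c)} for c in chunks]


def check_pair(records, name):
    """Compare SSLCIPH on the SVRCONN and CLNTCONN definitions of one channel."""
    sides = {r["CHLTYPE"]: r for r in records if r.get("CHANNEL") == name}
    findings = []
    for side in ("SVRCONN", "CLNTCONN"):
        if side not in sides:
            findings.append(f"{side}: no definition named {name}")
        elif not sides[side].get("SSLCIPH"):
            # A blank SSLCIPH means this end of the channel does not use SSL.
            findings.append(f"{side}: SSLCIPH is blank, this end does not use SSL")
    if len(sides) == 2:
        svr = sides["SVRCONN"].get("SSLCIPH", "")
        clt = sides["CLNTCONN"].get("SSLCIPH", "")
        if svr != clt:
            findings.append(f"SSLCIPH differs: SVRCONN={svr!r} CLNTCONN={clt!r}")
    return findings


if __name__ == "__main__":
    for finding in check_pair(parse_channels(SAMPLE), "RCR"):
        print(finding)
```

A SVRCONN finding of "SSLCIPH is blank" is the state in which the connection "works" after the CipherSpec is unset: the channel then runs without SSL.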

zhanghz (Disciple; Joined: 17 Jun 2008; Posts: 186)
Posted: Thu Jul 10, 2008 7:44 pm

I tried my MQ Explorer again, now it's working! Didn't change anything since last time.. haha