zhanghz (Disciple; joined 17 Jun 2008; 186 posts)
Posted: Tue Jul 29, 2008 2:35 am
Post subject: SSL query - label name
I know that QMGRs on z/OS require the personal cert labels to be in ibmWebSphereMQ<QMGR> format, and QMGRs on distributed systems require the personal cert labels to be in ibmwebspheremq<qmgr> format.
But I can't find information on when this format thingy is checked by QMGRs.
I list the SSL handshake process below:
1) "client hello": SDR channel sends cipher spec to RCVR channel (SDR is client, RCVR is server)
2) "server hello": RCVR chooses/matches cipher spec and sends server cert and client cert request (if applicable) to SDR
3) SDR verifies server cert
4) SDR sends a session key and client cert to RCVR
5) RCVR verifies client cert and decrypts the session key
6) RCVR starts conversation encrypted using the secret session key with SDR
Can anyone please elaborate at which step the label format is checked?
I have a problem starting an SDR channel, but the RCVR channel is working. With SSL.
Thanks.

Mr Butcher (Padawan; joined 23 May 2005; 1716 posts)
Posted: Tue Jul 29, 2008 2:48 am
What error codes do you get when you start your sender? Please post the proper log entries.....
Regards, Butcher

zhanghz (Disciple; joined 17 Jun 2008; 186 posts)
Posted: Tue Jul 29, 2008 3:08 am
SDR is on z/OS:
+CSQX209E +qmgr CSQXRCTL Connection unexpectedly terminated, 813
channel qmgr.aixqmgr.t2,
connection (10.xx.xx.xx)
(queue manager aixqmgr)
TRPTYPE=TCP
+CSQX599E +qmgr CSQXRCTL Channel qmgr.aixqmgr.t2 ended abnormally
RCVR is on AIX:
AMQ9637: Channel is lacking a certificate.
EXPLANATION:
The channel is lacking a certificate to use for the SSL handshake. The channel
name is '????' (if '????' it is unknown at this stage in the SSL processing).
The channel did not start.
ACTION:
Make sure the appropriate certificates are correctly configured in the key
repositories for both ends of the channel.
----- amqccisx.c : 2419 -------------------------------------------------------
z/OS QMGR is using a self-signed cert, AIX QMGR is using CA-signed certs. z/OS QMGR already added and connected the CA certs given by AIX QMGR (1 root, 1 intermediate); AIX QMGR also already added z/OS QMGR's personal cert in its key store.
z/OS has the correct label format for its own self-signed personal cert in the z/OS keyring; AIX has its CA-signed server cert in the format "ibmwebspheremqAIXQMGR" where AIXQMGR is the AIX qmgr name. But the AIX team is saying their cert's label name is fine.
I searched for error code AMQ9637 and found it's related to label name format.
That's why I made this post.
What might be wrong?
Thanks.

David.Partridge (Master; joined 28 Jun 2001; 249 posts)
Posted: Tue Jul 29, 2008 4:00 am
Certificate labels on AIX MUST be ALL lower case, so if your AIX QM is called MYQM its certificate *must* have the label "ibmwebspheremqmyqm".
Similarly, if you are using a self-signed cert for the MVS QM (assume it is called CSQ1), then on AIX when you import the certificate, you give it the label "ibmwebspheremqcsq1".
Cheers,
David C. Partridge

bbburson (Partisan; joined 06 Jan 2004; 378 posts; location: Nowhere near a queue manager)
Posted: Tue Jul 29, 2008 12:14 pm
David.Partridge wrote:
> Certificate labels on AIX MUST be ALL lower case so if your AIX QM is called MYQM its certificate *must* have the label "ibmwebspheremqmyqm"
> Similarly if you are using a self-signed cert for the MVS QM, (assume it is called CSQ1), then on AIX when you import the certificate, you give it the label "ibmwebspheremqcsq1".

Not exactly. The ONLY certificate label that matters to the queue manager is the one for the queue manager itself, and you are right that it must be all lower case for non-z/OS.
I have a key.kdb file with two self-signed certs in it for two queue managers. In the QM1 copy of the key.kdb the labels are:
ibmwebspheremqqm1
ALabelForQM2
In the QM2 copy of the key.kdb the labels are:
ibmwebspheremqqm2
ALabelForQM1
My SSL sender/receiver channels are running in both directions using those certs and SSLPEER validation against the CN attributes of the certs.

zhanghz (Disciple; joined 17 Jun 2008; 186 posts)
Posted: Tue Jul 29, 2008 6:36 pm
Ya, that's why I want to know at which step the label name format is checked by the MQ QMGR. Understanding this will make the problem solving faster and easier, I believe. Now I don't understand why one channel is running and the other is not, while for both sides SSLCAUTH is set to REQUIRED (we are not using SSLPEER).
The QMGR on the AIX box has its own CA-signed personal cert labeled as "ibmwebspheremqAIXQMGR", where its QMGR name is in capital letters. They claim they have this kind of format for other projects and have no problems..
Well...

David.Partridge (Master; joined 28 Jun 2001; 249 posts)
Posted: Tue Jul 29, 2008 11:16 pm
Yes, strictly correct - other certs can be labelled much as you like ...
Cheers,
David C. Partridge

zhanghz (Disciple; joined 17 Jun 2008; 186 posts)
Posted: Wed Jul 30, 2008 12:46 am
David.Partridge wrote:
> Yes, strictly correct - other certs can be labelled much as you like ...

Hi David, were you replying to bbburson's post?
So it means, on the z/OS QMGR's key ring, z/OS' own cert must be labeled as "ibmWebSphereMQ<QMGR>" and AIX's cert can be named whatever; on the AIX QMGR's key store, AIX's own cert must be labeled as "ibmwebspheremq<qmgr>" and z/OS' cert can be named whatever.
Is this understanding correct? So in my case, the AIX box should have its own cert labeled as "ibmwebspheremqaixqmgr" (all lower case) in the AIX qmgr's key store. Right?
Please advise.
Thank you.
PS: I can't test with AIX support now because customers are using the channels (without SSL) for testing ..

David.Partridge (Master; joined 28 Jun 2001; 249 posts)
Posted: Wed Jul 30, 2008 1:08 am
Yes, I was replying to bbburson's post.
And yes, the label on the aixqmgr's key store for its own certificate MUST be "ibmwebspheremqaixqmgr", all lower case.
Cheers,
David C. Partridge
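To make the label rule in this thread concrete, here is an added checker (my own example, not code from the thread and not IBM MQ code) that computes the label a queue manager searches for in its own key repository and reports whether a repository's entries satisfy it. It assumes the convention as stated above: distributed platforms need ibmwebspheremq<qmgr> in lower case, z/OS needs ibmWebSphereMQ<QMGR>, and only the queue manager's own personal certificate must carry that label, while CA and peer certificates may use any label (bbburson's point). Treating the lookup as case-sensitive is also an assumption, drawn from the AMQ9637 failure reported above with the label "ibmwebspheremqAIXQMGR". The queue manager names (AIXQMGR, ZOSQMGR, QM1) and the repositories are constructed placeholders mirroring the thread's cases, not real key store dumps.

```python
"""Check queue manager certificate labels in a key repository.

Added example for this thread, not IBM MQ code. Label conventions follow the
thread: 'ibmwebspheremq<qmgr>' (all lower case) on distributed platforms,
'ibmWebSphereMQ<QMGR>' on z/OS. Only the queue manager's own personal
certificate must carry that label; CA and peer certificates may use any label.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class CertEntry:
    """One entry in a key repository (key.kdb or RACF keyring)."""
    label: str
    personal: bool  # True when the private key is present (the qmgr's own cert)


def expected_label(qmgr: str, platform: str) -> str:
    """Return the label the queue manager looks for in its own repository.

    platform is 'zos' or 'distributed'. The distributed prefix is fixed and the
    queue manager name is folded to lower case; on z/OS the mixed-case prefix is
    used and the name is kept as given (z/OS queue manager names are upper case).
    """
    if platform == "zos":
        return "ibmWebSphereMQ" + qmgr
    if platform == "distributed":
        return "ibmwebspheremq" + qmgr.lower()
    raise ValueError(f"unknown platform {platform!r}")


def check_repository(entries: List[CertEntry], qmgr: str,
                     platform: str) -> Tuple[str, Optional[str]]:
    """Diagnose whether the repository satisfies the label rule.

    Returns (status, label):
      ('ok', label)            exact, case-sensitive match on a personal cert
      ('case-mismatch', label) a personal cert whose label differs only in case
                               (this thread's situation: ibmwebspheremqAIXQMGR)
      ('wrong-type', label)    the label exists but not on a personal cert
      ('missing', None)        nothing resembling the expected label is present
    Anything other than 'ok' means the channel cannot find its own certificate
    for the handshake (AMQ9637 "Channel is lacking a certificate" on distributed).
    """
    want = expected_label(qmgr, platform)
    for e in entries:
        if e.label == want:
            return ("ok", want) if e.personal else ("wrong-type", want)
    for e in entries:
        if e.personal and e.label.lower() == want.lower():
            return ("case-mismatch", e.label)
    return ("missing", None)


# Constructed repositories mirroring the thread; placeholder names, not real dumps.
AIX_BEFORE = [
    CertEntry("ibmwebspheremqAIXQMGR", True),  # CA-signed personal cert, wrong case
    CertEntry("zos-selfsigned-peer", False),   # z/OS qmgr's cert: any label is fine
    CertEntry("someca-root", False),
    CertEntry("someca-intermediate", False),
]
AIX_AFTER = [CertEntry("ibmwebspheremqaixqmgr", True)] + AIX_BEFORE[1:]
ZOS_RING = [
    CertEntry("ibmWebSphereMQZOSQMGR", True),  # self-signed personal cert
    CertEntry("someca-root", False),
    CertEntry("someca-intermediate", False),
]
QM1_KDB = [  # bbburson's QM1 copy: the QM2 cert is a peer cert here (assumed)
    CertEntry("ibmwebspheremqqm1", True),
    CertEntry("ALabelForQM2", False),
]


def diagnose_thread_cases() -> dict:
    """Run the checker over the constructed repositories; returns {case: status}."""
    cases = {
        "aix_before": (AIX_BEFORE, "AIXQMGR", "distributed"),
        "aix_after": (AIX_AFTER, "AIXQMGR", "distributed"),
        "zos": (ZOS_RING, "ZOSQMGR", "zos"),
        "bbburson_qm1": (QM1_KDB, "QM1", "distributed"),
    }
    return {name: check_repository(*args)[0] for name, args in cases.items()}


if __name__ == "__main__":
    for name, status in diagnose_thread_cases().items():
        print(f"{name:14} {status}")
```

The "aix_before" case reproduces the failing setup (a personal cert whose label matches only when case is ignored), and "aix_after" the working one after the AIX team relabelled; the z/OS and bbburson cases pass because only the queue manager's own label is checked.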

zhanghz (Disciple; joined 17 Jun 2008; 186 posts)
Posted: Wed Jul 30, 2008 1:30 am
Thanks, David. Will try that first.

zhanghz (Disciple; joined 17 Jun 2008; 186 posts)
Posted: Thu Jul 31, 2008 9:50 pm
Managed to get both SDR and RCVR channels running with SSL.
The z/OS side didn't change anything. The AIX side changed their label names to all lower case, and they also claimed previously the .crl file was missing.. Now I don't know whether the problem encountered last time was due to the non-standard label name or the missing .crl file..