MQJE001 2397
myKilkenny (Newbie, Joined: 17 Oct 2008, Posts: 3)
Posted: Sun Oct 19, 2008 4:54 am    Post subject: MQJE001 2397
Hi Guys

I am absolutely new to MQ SSL here. Hopefully you guys can point me in the right direction. Recently, I have been trying to connect to MQ over an SSL channel. To do this:

1. I have generated a keystore (using SUN JDK)

2. Generated a request.

3. Received two certificates from the server.

4. Imported the two certificates into my keystore with the following commands

   - keytool -import -file CA.cer -keystore my.keystore

   - keytool -import -file Client.cer -alias myAlias -keystore my.keystore

5. Now try to connect and send a JMS message to MQ with the following parameters

   - javax.net.ssl.keyStore=my.keystore

   - javax.net.ssl.truststore=my.keystore

And then I got an error:
Please refer to my following post

myKilkenny (Newbie, Joined: 17 Oct 2008, Posts: 3)
Posted: Sun Oct 19, 2008 4:56 am
Hi Guys

I am absolutely new to MQ SSL here. Hopefully you guys can point me in the right direction. Recently, I have been trying to connect to MQ over an SSL channel. To do this:

1. I have generated a keystore (using SUN JDK)

2. Generated a request.

3. Received two certificates from the server.

4. Imported the two certificates into my keystore with the following commands

   - keytool -import -file CA.cer -keystore my.keystore

   - keytool -import -file Client.cer -alias myAlias -keystore my.keystore

5. Now try to connect and send a JMS message to MQ with the following parameters

   - javax.net.ssl.keyStore=my.keystore

   - javax.net.ssl.truststore=my.keystore
And then I got an error:

.....

Code:
*** ServerHello, SSLv3
 
RandomCookie:  GMT: 0 bytes = { 187, 127, 82, 7, 26, 57, 143, 216, 214, 228, 166, 214, 62, 187, 4, 179, 11, 217, 80, 97, 194, 76, 226, 232, 234, 100, 72, 235 }
 
Session ID:  {0, 12, 16, 14, 82, 177, 63, 154, 162, 45, 121, 187, 217, 177, 76, 139, 92, 169, 109, 47, 88, 88, 88, 88, 0, 0, 0, 0, 0, 0, 0, 0}
 
Cipher Suite: SSL_RSA_WITH_3DES_EDE_CBC_SHA
 
Compression Method: 0
 
***
 
%% Created:  [Session-1, SSL_RSA_WITH_3DES_EDE_CBC_SHA]
 
** SSL_RSA_WITH_3DES_EDE_CBC_SHA
 
[read] MD5 and SHA1 hashes:  len = 74
 
0000: 02 00 00 46 03 00 00 00   00 00 BB 7F 52 07 1A 39  ...F........R..9
 
0010: 8F D8 D6 E4 A6 D6 3E BB   04 B3 0B D9 50 61 C2 4C  ......>.....Pa.L
 
0020: E2 E8 EA 64 48 EB 20 00   0C 10 0E 52 B1 3F 9A A2  ...dH. ....R.?..
 
0030: 2D 79 BB D9 B1 4C 8B 5C   A9 6D 2F 58 58 58 58 00  -y...L.\.m/XXXX.
 
0040: 00 00 00 00 00 00 00 00   0A 00                    ..........
 
*** Certificate chain
 
chain [0] = [
 
[
 
  Version: V3
 
  Subject: EMAILADDRESS=xxxxx, CN="xxx", OU=IT, OU=xxxx, DC=hk, DC=xxxxx, DC=com
 
  Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5
 
 
  Key:  Sun RSA public key, 1024 bits
 
  modulus: 92130877816823205416253538442359207892975475499283419306945925346694313571708217470135387917653546947725937244161616576547757442776651096063282425512069122671403533605843744608437956666430551298801533226783984294298573964962637250353868781317544190634626977247652867421253115725736147993964136260076491025003
 
  public exponent: 65537
 
  Validity: [From: Fri Oct 03 18:06:06 GMT+08:00 2008,
 
               To: Sat Oct 03 18:06:06 GMT+08:00 2009]
 
  Issuer: CN=xxxxxx, DC=xxxx, DC=com
 
  SerialNumber: [    61417ea4 00000000 003c]
 
 
Certificate Extensions: 8
 
[1]: ObjectId: 1.3.6.1.4.1.311.20.2 Criticality=false
 
Extension unknown: DER encoded OCTET string =
 
0000: 04 1C 1E 1A 00 41 00 64   00 6D 00 69 00 6E 00 69  .....A.d.m.i.n.i
 
0010: 00 73 00 74 00 72 00 61   00 74 00 6F 00 72        .s.t.r.a.t.o.r
 
 
 
[2]: ObjectId: 2.5.29.14 Criticality=false
 
SubjectKeyIdentifier [
 
KeyIdentifier [
 
0000: 36 0A 8A 20 8D 32 D1 D0   66 B7 8F 61 26 B0 9C 21  6.. .2..f..a&..!
 
0010: D9 31 39 9C                                        .19.
 
]
 
]
 
 
[3]: ObjectId: 1.2.840.113549.1.9.15 Criticality=false
 
Extension unknown: DER encoded OCTET string =
 
0000: 04 37 30 35 30 0E 06 08   2A 86 48 86 F7 0D 03 02  .7050...*.H.....
 
0010: 02 02 00 80 30 0E 06 08   2A 86 48 86 F7 0D 03 04  ....0...*.H.....
 
0020: 02 02 00 80 30 07 06 05   2B 0E 03 02 07 30 0A 06  ....0...+....0..
 
0030: 08 2A 86 48 86 F7 0D 03   07                       .*.H.....
 
 
 
[4]: ObjectId: 2.5.29.35 Criticality=false
 
AuthorityKeyIdentifier [
 
KeyIdentifier [
 
0000: A9 61 C1 EA 25 C3 F1 50   6F 47 6C 6C A6 45 29 AC  .a..%..PoGll.E).
 
0010: 2D 5C 92 F7                                        -\..
 
]
 
 
]
 
 
[5]: ObjectId: 2.5.29.17 Criticality=false
 
SubjectAlternativeName [
 
[Other-Name: Unrecognized ObjectIdentifier: 1.3.6.1.4.1.311.20.2.3, RFC822Name: xxxxxx]]
 
 
[6]: ObjectId: 2.5.29.37 Criticality=false
 
ExtendedKeyUsages [
 
[1.3.6.1.4.1.311.10.3.1, 1.3.6.1.4.1.311.10.3.4, 1.3.6.1.5.5.7.3.4, 1.3.6.1.5.5.7.3.2]]
 
 
[7]: ObjectId: 2.5.29.15 Criticality=false
 
KeyUsage [
 
  DigitalSignature
 
  Key_Encipherment
 
]
 
 
[8]: ObjectId: 2.5.29.19 Criticality=true
 
BasicConstraints:[
 
CA:false
 
PathLen: undefined
 
]
 
 
Unparseable certificate extensions: 2
 
[1]: ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=false
 
0000: 30 82 01 6D 30 81 D9 06   08 2B 06 01 05 05 07 30  0..m0....+.....0
 
0010: 02 86 81 CC 6C 64 61 70   3A 2F 2F 2F 43 4E 3D 44  ....ldap:///CN=Dxxxxx
 
 
 
.......
 
 
***
 
main, SEND SSLv3 ALERT:  fatal, description = certificate_unknown
 
main, WRITE: SSLv3 Alert, length = 2
 
[Raw write]: length = 7
 
0000: 15 03 00 00 02 02 2E                               .......
 
main, called closeSocket()
 
main, handling exception: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: Extended key usage does not permit use for TLS server authentication
 
caught JMSException: javax.jms.JMSException: MQJMS2005: failed to create MQQueueManager for '10.210.55.13:FOTS_QM_PRD_2'
 
linked exception: com.ibm.mq.MQException: MQJE001: Completion Code 2, Reason 2397
 
What have I done wrong?
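The validator message in the trace ("Extended key usage does not permit use for TLS server authentication") is the same check any TLS client applies to a server certificate's ExtendedKeyUsage. As an added example that is not code from the original post, the following stand-alone Python decodes an EKU extension value and reports whether it permits TLS server authentication; the sample bytes are constructed from the OIDs printed in the trace (nothing is read from a real certificate), and the helper names are mine.

```python
# Added example (not from the original post): decode an EKU value and check it.
SERVER_AUTH = "1.3.6.1.5.5.7.3.1"   # id-kp-serverAuth
ANY_EKU = "2.5.29.37.0"             # anyExtendedKeyUsage
def encode_oid(dotted):
    """DER-encode a dotted OID (tag 0x06); used only to build sample input."""
    arcs = [int(a) for a in dotted.split(".")]
    body = [arcs[0] * 40 + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]            # base-128, high bit set on all but last
        while arc >> 7:
            arc >>= 7
            chunk.insert(0, (arc & 0x7F) | 0x80)
        body += chunk
    return bytes([0x06, len(body)] + body)

def decode_oid(body):
    arcs, value = [], 0                 # inverse of encode_oid for content octets
    for b in body:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(str(x) for x in [arcs[0] // 40, arcs[0] % 40] + arcs[1:])

def build_eku(oids):
    body = b"".join(encode_oid(o) for o in oids)   # SEQUENCE, short-form length
    return bytes([0x30, len(body)]) + body

def parse_eku(der):
    """Parse ExtendedKeyUsage ::= SEQUENCE OF OBJECT IDENTIFIER (short-form lengths)."""
    if der[0] != 0x30 or der[1] >= 0x80:
        raise ValueError("expected a short-form SEQUENCE")
    pos, end, oids = 2, 2 + der[1], []
    while pos < end:
        if der[pos] != 0x06:
            raise ValueError("EKU may only contain OIDs")
        n = der[pos + 1]
        oids.append(decode_oid(der[pos + 2:pos + 2 + n]))
        pos += 2 + n
    return oids

def permits_server_auth(oids):
    """RFC 5280 4.2.1.12 / Java's EndEntityChecker: absent EKU (None), serverAuth
    or anyExtendedKeyUsage permits TLS server use; the trace's list has neither."""
    return oids is None or SERVER_AUTH in oids or ANY_EKU in oids

# Constructed from the EKU printed for the server certificate in the trace.
TRACE_EKU_OIDS = ["1.3.6.1.4.1.311.10.3.1", "1.3.6.1.4.1.311.10.3.4",
                  "1.3.6.1.5.5.7.3.4", "1.3.6.1.5.5.7.3.2"]
TRACE_EKU_DER = build_eku(TRACE_EKU_OIDS)
```

Run `permits_server_auth(parse_eku(TRACE_EKU_DER))` to reproduce the rejection; a certificate carrying serverAuth or anyExtendedKeyUsage, or no EKU extension at all, passes.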
myKilkenny (Newbie, Joined: 17 Oct 2008, Posts: 3)
Posted: Sun Oct 19, 2008 6:15 am
I have done further digging on the SSL trace and found that the certificate my client sends to the server differs from the certificate received from the server.

The first certificate is from the client and the 2nd certificate is from the server.

Quote:
Version: V3
 
  Subject: EMAILADDRESS=xxxxxxx, CN="xxx", OU=IT, OU=xxxx, DC=hk, DC=xxx, DC=com
 
  Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5
 
 
  Key:  Sun RSA public key, 1024 bits
 
  modulus: 90293963799527062618961533095324333186363771933708684158076222330112417393458087565282885653486042917324302252516982857315284294293523000696444496243234843331656521040515451865578427222326680135399885526344235145184676168867780386289060976782352339176649026089693410658076905918748726353681778948349414471971
 
  public exponent: 65537
 
  Validity: [From: Wed Oct 08 16:34:07 GMT+08:00 2008,
 
               To: Thu Oct 08 16:34:07 GMT+08:00 2009]
 
  Issuer: CN=xxxxx, DC=hk, DC=xxx, DC=com
 
  SerialNumber: [    19ad268a 00000000 003d]
 
 
 
 
 
 Version: V3
 
  Subject: EMAILADDRESS=xxxx, CN="xxx", OU=IT, OU=xxx, DC=hk, DC=xxx, DC=com
 
  Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5
 
 
  Key:  Sun RSA public key, 1024 bits
 
  modulus: 92130877816823205416253538442359207892975475499283419306945925346694313571708217470135387917653546947725937244161616576547757442776651096063282425512069122671403533605843744608437956666430551298801533226783984294298573964962637250353868781317544190634626977247652867421253115725736147993964136260076491025003
 
  public exponent: 65537
 
  Validity: [From: Fri Oct 03 18:06:06 GMT+08:00 2008,
 
               To: Sat Oct 03 18:06:06 GMT+08:00 2009]
 
  Issuer: CN=xxxxx, DC=hk, DC=xxx, DC=com
 
  SerialNumber: [    61417ea4 00000000 003c]
 
 

Is this the cause of the problem?