MQSeries.net Forum Index » IBM MQ Installation/Configuration Support » SSL problems / Bad Certificate that's not bad

SSL problems / Bad Certificate that's not bad
edinho
Posted: Mon Dec 01, 2008 10:32 am    Post subject: SSL problems / Bad Certificate that's not bad

Newbie

Joined: 17 Nov 2008
Posts: 6

Hi everyone!

I'm having some trouble with the SSL configuration or something like that, and I hope you can help me, because in no other place, not even here, could I find the solution. I'll try to explain as clearly as possible:

I have WMQ 6.0.2.4 installed in a Win2003 SP 2 environment. It communicates with another MQ that is in a mainframe z/OS environment. So far, everything's fine, the data transmissions are working well, no problems. After that, we had to set up SSL on the channels, and both parties did their homework. We made the requests, set up the chains on both sides, received the certificates, and when the cipher was set up, the communication didn't work.

It seems like a normal problem, with a certificate issue or something else, but that's the disgusting thing: there's nothing wrong. I'm sure of that because I set up another machine with a trial version and an internal CA and it worked well. On the other side, the guy did the same thing and it worked too. The main difference is the OS (Win2000). I just sent my kdb to him for the tests, without giving any password, and he just configured it and it worked fine.
Then we figured out that it's not a certificate problem. And here is the message I'm getting: AMQ9633: Bad SSL certificate for channel 'SEFAZSP.QGF1' (SEFAZSP is the Win2003 QM)

Some other info:
- Ciphers are the same: RC4_MD5_US
- All configuration was done visually in MQ Explorer
- We monitored the network and the packets are not getting stuck anywhere
- The Win2003 MQ installation was a Trial version at first. I downloaded another version of the MQ Trial and it was different from the first one.

We are in contact with IBM support and they are as lost as us, and it's been a while.
We also ran a lot of tests, and I can send you anything. I have the step-by-step screens that I copied while I configured MQ, and I can post them somewhere, but I used default configurations.

me please!

I don't know if I'm doing anything wrong, or if I've missed something, but I've followed the manuals and tutorials and the final result is always the same.

I've looked all through the net, and I think this is the best forum for MQ.

Thanks a lot in advance.

Eder.


Last edited by edinho on Sat Dec 06, 2008 10:59 am; edited 2 times in total
exerk
Posted: Mon Dec 01, 2008 11:49 am    Post subject:

Jedi Council

Joined: 02 Nov 2006
Posts: 6339

Was REFRESH SECURITY TYPE(SSL) run on the queue managers? Have they been stopped/started since, and the same problem is still present?

Are the certificates installed on z/OS of the correct version? RACF will not allow the use of lower-version certificates (the version of the certificate can be found within it).
_________________
It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys.
JosephGramig
Posted: Tue Dec 02, 2008 5:06 am    Post subject:

Grand Master

Joined: 09 Feb 2006
Posts: 1244
Location: Gold Coast of Florida, USA

I'll make a wild guess, and assume the channel is a sender. To determine if it is just one end, can you turn off 'Required' at the receiver?

If that works, then it tells you the sender's CA and key are known at the receiver QMGR. Also, that there is a problem with either the CA cert or the QMGR cert at the receiver (and it could be both). The slightest error in the label name will make this fail.

If you are self signing your certs then do yourself a favor, and use one CA per environment to sign them all. Since this is z/OS, use RACF as the CA.
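As an added example, not from Joseph's post or from IBM, here is a small Python check for the point he makes about label names. It assumes the MQ 6 convention that the queue manager's personal certificate label is `ibmwebspheremq` followed by the queue manager name folded to lowercase, and that a `gsk7cmd -cert -list` style listing has one label per line after a header (the listing and the CA labels below are constructed sample data).

```python
import re
from typing import Dict, List

# MQ 6 looks for the personal certificate under this label:
# "ibmwebspheremq" + queue manager name folded to lowercase.
LABEL_PREFIX = "ibmwebspheremq"

# Constructed sample listing in the shape of 'gsk7cmd -cert -list' output.
# Note the uppercase queue manager name in the personal label: a near miss.
SAMPLE_LISTING = """Certificates in database key.kdb:
   ibmwebspheremqSEFAZSP
   Certisign Root CA
"""

def expected_label(qmgr_name: str) -> str:
    """Label MQ expects for queue manager qmgr_name."""
    return LABEL_PREFIX + qmgr_name.lower()

def parse_cert_listing(listing: str) -> List[str]:
    """Return labels from a listing; assumption: one label per line after
    the 'Certificates in database' header, optional '!' default marker."""
    labels = []
    for line in listing.splitlines():
        line = line.strip()
        if not line or line.lower().startswith("certificates in database"):
            continue
        labels.append(line.lstrip("!-").strip())
    return labels

def check_labels(qmgr_name: str, labels: List[str],
                 signer_labels: List[str]) -> Dict[str, object]:
    """Report whether the exact personal label and all signer labels exist,
    and list near misses (case or whitespace differences) that MQ will
    not match, since label comparison is exact."""
    want = expected_label(qmgr_name)
    folded = {re.sub(r"\s+", "", lbl).lower(): lbl for lbl in labels}
    result: Dict[str, object] = {
        "expected": want,
        "personal_ok": want in labels,
        "near_misses": [],
        "missing_signers": [s for s in signer_labels if s not in labels],
    }
    if not result["personal_ok"] and want in folded:
        result["near_misses"].append(folded[want])
    return result

if __name__ == "__main__":
    print(check_labels("SEFAZSP", parse_cert_listing(SAMPLE_LISTING),
                       ["Certisign Root CA", "Government CA"]))
```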
edinho
Posted: Tue Dec 02, 2008 5:29 am    Post subject:

Newbie

Joined: 17 Nov 2008
Posts: 6

exerk wrote:
Was REFRESH SECURITY TYPE(SSL) run on the queue managers? Have they been stopped/started since, and the same problem is still present?

Are the certificates installed on z/OS of the correct version? RACF will not allow the use of lower-version certificates (the version of the certificate can be found within it).


Hi exerk, I followed all the procedures and stopped/started the QMGRs. We have been having this problem for some time. Can you explain about the lower-version certificates? I don't think there is a problem with the certificate, because we set up another machine with the same kdb communicating with z/OS and it worked. The difference is that the Win2003 with the problem is behind a firewall.

We thought that could be the problem, but why does it work when there isn't SSL? Then I asked the network team to watch the network while we tried the communication, and they said there's nothing wrong and that it's probably something in the configs of the application.

The IBM guy told me to run this: http://www-01.ibm.com/support/docview.wss?rs=171&uid=swg24014179&loc=en_US&cs=utf-8&lang=en
I did it and it doesn't complain about the config.

Anyway, I asked the z/OS guy to do the REFRESH, because I'm the Windows guy and I've already done it.

Any other ideas?

Thanks a lot


Last edited by edinho on Mon Dec 08, 2008 1:14 pm; edited 2 times in total
edinho
Posted: Tue Dec 02, 2008 5:48 am    Post subject:

Newbie

Joined: 17 Nov 2008
Posts: 6

JosephGramig wrote:
I'll make a wild guess, and assume the channel is a sender. To determine if it is just one end, can you turn off 'Required' at the receiver?

If that works, then it tells you the sender's CA and key are known at the receiver QMGR. Also, that there is a problem with either the CA cert or the QMGR cert at the receiver (and it could be both). The slightest error in the label name will make this fail.

If you are self signing your certs then do yourself a favor, and use one CA per environment to sign them all. Since this is z/OS, use RACF as the CA.


Hi Joseph, there are both sender and receiver channels. I've tested with/without Required, but it keeps getting the same error. We have Certisign as the signer for Windows and the Government as the signer on the other side, all valid. In the post above, I explain why there's no problem with the certs.

I'm not the z/OS MQ admin, but as far as I know, he is doing it just like you've said.

Thanks a lot,
Eder.


Last edited by edinho on Sat Dec 06, 2008 11:03 am; edited 1 time in total
edinho
Posted: Wed Dec 03, 2008 5:30 am    Post subject:

Newbie

Joined: 17 Nov 2008
Posts: 6

Hi all,

Any other clue or suggestion?

I don't know the machine's history very well; I was hired to take care of MQ administration, and the people who worked here before I got the job didn't keep any documentation either.

I know that at first the trial version was installed, and then it was turned into the official version by installing the license. This version was with the cluster stuff. After that, another guy was in charge and made another installation without the cluster (and I don't know how the re-installation was done). He left the communication working, but there wasn't SSL. When I took over, all I had to do was turn on SSL, and that brought me to this point.

Well, I'm re-installing MQ again, now with the official version from the IBM site (Passport Advantage), and if it doesn't work, I'll probably format the machine and start over from the very beginning.

I think it could be a problem with the installation, because everything I've tried with IBM Support didn't work, even the trace to see if there's a problem with SSL, and that's why I'm re-installing.

Anyway, I'm looking forward to getting new suggestions and tips.

Eder.


Last edited by edinho on Mon Dec 08, 2008 1:22 pm; edited 2 times in total
exerk
Posted: Wed Dec 03, 2008 6:11 am    Post subject:

Jedi Council

Joined: 02 Nov 2006
Posts: 6339

edinho wrote:
Hi exerk, I did all the procedures and stopped/started the QMGRs. We have been having this problem for some time. Can you explain about the lower-version certificates? I don't think there is a problem with the certificate, because we set up another machine with the same kdb communicating with z/OS and it worked. The difference is that the Win2003 with the problem is behind a firewall.


The issue I had was with a UNIX queue manager, whose owners were using a certificate generation tool that produced certificates with an obsolete Signature Algorithm not supported by the current RACF release being used at my site - clearly not relevant in your case as you have tried the same key store in a queue manager clone.
_________________
It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys.
edinho
Posted: Wed Dec 03, 2008 9:46 am    Post subject:

Newbie

Joined: 17 Nov 2008
Posts: 6

edinho wrote:
Hi all,

Any other clue or suggestion?

I don't know the machine's history very well; I was hired to take care of MQ administration, and the people who worked here before I got the job didn't keep any documentation either.

I know that at first the trial version was installed, and then it was turned into the official version by installing the license. This version was with the cluster stuff. After that, another guy took over and made another installation without the cluster (and I don't know how the re-installation was done). He left the communication working, but there wasn't SSL. When I took over, all I had to do was turn on SSL, and that brought me to this point.

Well, I'm re-installing MQ again, now with the official version from the IBM site (Passport Advantage), and if it doesn't work, I'll probably format the machine and start over from the very beginning.

I think it could be a problem with the installation, because everything I've tried with IBM Support didn't work, even the trace to see if there's a problem with SSL, and that's why I'm re-installing.

Anyway, I'm looking for new suggestions and tips.

Eder.


Hi again,

I installed MQ, and I didn't use the trial version. I downloaded the official version and used the Typical install. Then, after the configuration, everything went fine.

I spent some time figuring out this simple thing, redoing the installation, and I think that is partly because of logs that were telling me "AMQ9633: Bad SSL certificate for channel". I really don't like disguised errors.

Thanks anyway.

Eder