dzifchock |
Posted: Wed Dec 03, 2008 12:01 pm Post subject: SSL Cluster SDR/RCVR |
|
|
Apprentice
Joined: 21 Feb 2007 Posts: 41
|
I've recently converted our distributed queueing setup over to a cluster consisting of 4 qmgrs. I've created the sdr/rcvr pairs between and to the 2 FRs. Everything works fine when NOT using SSL.
As soon as I try to make all of the cluster SDR/RCVRs use SSL, I keep getting the errors below:
12/03/2008 07:45:08 PM - Process(30774.140) User(mqm) Program(amqrmppa)
AMQ9645: Correctly labelled SSL certificate missing on channel '????'.
EXPLANATION:
The key database file in use has not been set up with a correctly labelled SSL
certificate. The channel is '????'; in some cases its name cannot be determined
and so is shown as '????'. The channel did not start.
ACTION:
Add a correctly labelled SSL certificate to the current key database file.
Restart the channel.
----- amqccisa.c : 1330 -------------------------------------------------------
12/03/2008 07:45:08 PM - Process(30774.140) User(mqm) Program(amqrmppa)
AMQ9492: The TCP/IP responder program encountered an error.
EXPLANATION:
The responder program was started but detected an error.
ACTION:
Look at previous error messages in the error files to determine the error
encountered by the responder program.
These qmgrs are mixed HPUX/LINUX/WINDOWS and all of the key repositories are set correctly. All of the CipherSpecs match, and the certificate labels all follow the format ibmwebspheremq<qmgr name>.
Has anyone had this type of problem before? I'm at a loss.
HPUX 11.11 MQ 6.0.2.2
LINUX RHEL4 MQ 6.0.2.2
W2k3 MQ 6.0.2.2 |
dzifchock |
Posted: Wed Dec 03, 2008 1:25 pm Post subject: |
|
|
Apprentice
Joined: 21 Feb 2007 Posts: 41
|
I've also run the SupportPac MH03 on all of the qmgrs and everything pans out ok. I reverted back to NO SSL and got the channels running just fine. I also tried to update the CipherSpecs while the channels were running (a suggestion from a post on mqseries.net), stopped the channel and restarted it, and still had the same problem. |
fjb_saper |
Posted: Wed Dec 03, 2008 3:05 pm Post subject: |
|
|
 Grand High Poobah
Joined: 18 Nov 2003 Posts: 20756 Location: LI,NY
|
As you are running in a cluster... are you aware that the cluster sender gets automagically defined from the corresponding cluster receiver?
Are you also aware that each qmgr in the cluster needs to have a certificate for each other qmgr in the cluster?  _________________ MQ & Broker admin |
dzifchock |
Posted: Thu Dec 04, 2008 6:02 am Post subject: |
|
|
Apprentice
Joined: 21 Feb 2007 Posts: 41
|
Yes, I am aware that the cluster sender is automatically created. The channels that I am trying to get up and running are the manually created sdr/rcvrs to the FRs. 2 of the qmgrs are FRs, 2 are PRs.
So if I want QMGRA and QMGRB to communicate over SSL, QMGRA has a certificate for itself and QMGRB, and QMGRB has its certificate and QMGRA's?
Then SSL works differently in a cluster than in distributed queueing? |
exerk |
Posted: Thu Dec 04, 2008 6:34 am Post subject: |
|
|
 Jedi Council
Joined: 02 Nov 2006 Posts: 6339
|
If you are using self-signed certificates, all queue managers will need each other's certificates, i.e. QMGRA will need the certificates of QMGRB, QMGRC and QMGRD and so on.
Before you converted to a cluster, were the SDR/RCVR pairs between each queue manager secured by SSL? If so, and they were working, did you refresh security after defining the CLUSSDR/CLUSRCVR pairs? _________________ It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys. |
dzifchock |
Posted: Thu Dec 04, 2008 6:39 am Post subject: |
|
|
Apprentice
Joined: 21 Feb 2007 Posts: 41
|
The certificates are signed by an internal CA and the CA certificate is also in the key db. One of the sdr/rcvr pairs was secured by SSL, and will still need to be secured by SSL, hence setting SSL up on all of the qmgrs in order to keep this channel secure. The queue that needs to be accessed is on one of the FRs so I assumed that in order to keep this one channel secure I needed to use SSL throughout. |
Vitor |
Posted: Thu Dec 04, 2008 6:42 am Post subject: |
|
|
 Grand High Poobah
Joined: 11 Nov 2005 Posts: 26093 Location: Texas, USA
|
dzifchock wrote: |
Then SSL works differently in a cluster than in distributed queueing? |
No, but any clustered queue manager can connect to any other queue manager and hence all queue managers need all certificates. _________________ Honesty is the best policy.
Insanity is the best defence. |
exerk |
Posted: Thu Dec 04, 2008 6:49 am Post subject: |
|
|
 Jedi Council
Joined: 02 Nov 2006 Posts: 6339
|
dzifchock wrote: |
...One of the sdr/rcvr pairs was secured by SSL... |
And did it work? |
dzifchock |
Posted: Thu Dec 04, 2008 7:02 am Post subject: |
|
|
Apprentice
Joined: 21 Feb 2007 Posts: 41
|
Yes the SSL sdr/rcvr pair worked before I converted to a cluster.
So if I follow correctly qmgra needs qmgrb, qmgrc and qmgrd's certificates and vice versa in order for SSL to function correctly in the cluster? |
Vitor |
Posted: Thu Dec 04, 2008 7:03 am Post subject: |
|
|
 Grand High Poobah
Joined: 11 Nov 2005 Posts: 26093 Location: Texas, USA
|
dzifchock wrote: |
So if I follow correctly qmgra needs qmgrb, qmgrc and qmgrd's certificates and vice versa in order for SSL to function correctly in the cluster? |
Yes - all the queue managers need the certificates of all the queue managers. |
dzifchock |
Posted: Thu Dec 04, 2008 8:51 am Post subject: |
|
|
Apprentice
Joined: 21 Feb 2007 Posts: 41
|
Thank you very much for your help, I've now got all channels up and running using SSL now. Hopefully it will go smoother in the next environment now that I have that knowledge =)
Cheers,
Dave |
zhanghz |
Posted: Thu Dec 04, 2008 4:58 pm Post subject: |
|
|
Disciple
Joined: 17 Jun 2008 Posts: 186
|
The solution was to include all other qmgrs' certs in all qmgrs? I thought you mentioned you were using CA signed certs and you have CA certs included already? |
dzifchock |
Posted: Fri Dec 05, 2008 1:04 pm Post subject: |
|
|
Apprentice
Joined: 21 Feb 2007 Posts: 41
|
Yes even though we were using CA signed certs after adding all certs in all qmgrs everything is working properly.
Before there was only a single cert and CA cert in every key database. Now there are 4 certs and a CA cert in every key database. |
exerk |
Posted: Sat Dec 06, 2008 8:29 am Post subject: |
|
|
 Jedi Council
Joined: 02 Nov 2006 Posts: 6339
|
dzifchock wrote: |
Yes even though we were using CA signed certs after adding all certs in all qmgrs everything is working properly.
Before there was only a single cert and CA cert in every key database. Now there are 4 certs and a CA cert in every key database. |
Which suggests to me that they are not CA-signed, but self-signed...confusing |
bruce2359 |
Posted: Sat Dec 06, 2008 10:22 am Post subject: |
|
|
 Poobah
Joined: 05 Jan 2008 Posts: 9469 Location: US: west coast, almost. Otherwise, enroute.
|
Quote: |
Then SSL works differently in a cluster than in distributed queueing? |
No, SSL remains point-to-point. _________________ I like deadlines. I like to wave as they pass by.
ב''ה
Lex Orandi, Lex Credendi, Lex Vivendi. As we Worship, So we Believe, So we Live. |
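
Added example (not from the thread and not IBM code): a Python audit of key repository contents for the two points discussed above, the label lookup behind AMQ9645 and whether each repository holds what it needs to validate its peers. The inventory, the `internal-ca` label and the rule that a peer's certificate is stored under the peer's own label are assumptions made for the illustration.

```python
# Added example: audits a constructed inventory of key repository labels.
LABEL_PREFIX = "ibmwebspheremq"

def expected_label(qmgr):
    # WebSphere MQ 6 looks up the queue manager's own certificate under
    # the prefix plus the queue manager name folded to lower case.
    return LABEL_PREFIX + qmgr.lower()

def audit_cluster(repos, self_signed=False, ca_label="internal-ca"):
    """repos maps qmgr -> {"personal": [labels], "signers": [labels]}.
    Returns qmgr -> list of findings (empty list means nothing found)."""
    findings = {}
    for qmgr, repo in repos.items():
        issues = []
        want = expected_label(qmgr)
        if want not in repo["personal"]:
            near = [l for l in repo["personal"] if l.lower() == want]
            if near:  # certificate present, but the label's case is wrong
                issues.append("label case mismatch: " + near[0])
            else:
                issues.append("no personal certificate labelled " + want)
        signers = set(repo["signers"])
        if self_signed:
            # Assumption: each peer's certificate is stored under the
            # peer's own expected label.
            for peer in sorted(repos):
                if peer != qmgr and expected_label(peer) not in signers:
                    issues.append("missing certificate of " + peer)
        elif ca_label not in signers:
            issues.append("missing CA certificate " + ca_label)
        findings[qmgr] = issues
    return findings

# Constructed inventory for a four-queue-manager cluster (hypothetical).
SAMPLE = {
    "QMGRA": {"personal": ["ibmwebspheremqqmgra"], "signers": ["internal-ca"]},
    "QMGRB": {"personal": ["ibmwebspheremqQMGRB"], "signers": ["internal-ca"]},
    "QMGRC": {"personal": ["ibmwebspheremqqmgrc"], "signers": []},
    "QMGRD": {"personal": [], "signers": ["internal-ca"]},
}

if __name__ == "__main__":
    for name, issues in audit_cluster(SAMPLE).items():
        print(name, issues or "ok")
```

Either finding about the personal certificate means the queue manager has no correctly labelled certificate of its own, which is the condition AMQ9645 reports.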