SSL-enabled channels - RCVR running, SDR retrying
zhanghz (Disciple; Joined: 17 Jun 2008; Posts: 186)
Posted: Wed Mar 04, 2009 5:12 pm    Post subject: SSL-enabled channels - RCVR running, SDR retrying
Hi, I encountered such a case yesterday. The AIX QMGR renewed its cert, I imported their new cert into my z/OS QMGR, did REFRESH SECURITY TYPE(SSL), and found my RCVR was running but my SDR was retrying.
I stopped my RCVR and asked AIX to stop its SDR. I restarted my RCVR and asked AIX to start its SDR. My RCVR is running.
I asked AIX to stop its RCVR and I stopped my SDR. I asked AIX to start its RCVR and I started my SDR. My SDR is still retrying.
The problem was resolved by AIX restarting its QMGR.
What puzzles me is, why could my RCVR be running but my SDR not? My RCVR has SSLCAUTH set to REQUIRED, and my understanding of this is that my RCVR running means the 2-way SSL handshake has already succeeded.
When my SDR starts, the SSL handshake will also be a 2-way process, so why did it fail?
Is there any difference between the 2-way handshake in these 2 scenarios?
Your answer will help me better understand the SSL handshake process.
Thanks.
Last edited by zhanghz on Wed Mar 04, 2009 5:19 pm; edited 1 time in total
zhanghz (Disciple; Joined: 17 Jun 2008; Posts: 186)
Posted: Wed Mar 04, 2009 5:14 pm
To add the extract of the MQ log from the AIX QMGR:
AMQ9658: An invalid SSL certificate was received from the remote system.
EXPLANATION:
An SSL certificate received from the remote system was not corrupt but failed
validation checks on its date fields. The certificate has either expired, or
its date is not valid yet (i.e. the from date is later than today), or the
validity date range is incorrect (e.g. the to date is earlier than the from
date). The channel is '????'; in some cases its name cannot be determined and
so is shown as '????'. The channel did not start.
ACTION:
Ensure that the remote system has a valid, current SSL certificate. Restart the
channel.
On my side, the MQ log only showed the following:
+CSQX209E +ZQM1 CSQXRCTL Connection unexpectedly terminated,
channel ZQM1.AIX1,
connection (10.X.X.X)
(queue manager ????)
TRPTYPE=TCP
+CSQX638E +ZQM1 CSQXRCTL SSL communications error for channel
ZQM1.AIX1
+CSQX599E +ZQM1 CSQXRCTL Channel ZQM1.AIX1 ended abnormally
exerk (Jedi Council; Joined: 02 Nov 2006; Posts: 6339)
Posted: Thu Mar 05, 2009 12:18 am    Post subject: Re: SSL-enabled channels - RCVR running, SDR retrying
zhanghz wrote:
    ...The problem was resolved by AIX re-starting its QMGR...

Which suggests their AIX end is running WMQ V5.3 (or they're running V6.0 and they don't know they don't need to bounce the queue manager).
There is also the implication that they are using self-signed certs, in which case a definite SSL refresh should be done at their end.
_________________
It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys.
zhanghz (Disciple; Joined: 17 Jun 2008; Posts: 186)
Posted: Thu Mar 05, 2009 5:07 pm
Thanks exerk. But the question is why my RCVR was running while my SDR was retrying.
I went over the handshake process several times but couldn't figure out why. My RCVR has SSLCAUTH(REQUIRED), so I would send my cert to AIX and also request AIX to send its cert to me. Only after both ends verified the certs were correct would the channel start.
The fact that my RCVR was running indicated the certs were all okay, didn't it?
When my SDR started, the same process started, except that I became the client now. How come it was retrying then?
Still puzzled...
exerk (Jedi Council; Joined: 02 Nov 2006; Posts: 6339)
Posted: Fri Mar 06, 2009 1:20 am
zhanghz wrote:
    Thanks exerk. But the question is why my RCVR was running while my SDR was retrying...

Possibly because of this:

zhanghz wrote:
    ...to add the extract of MQ log from AIX QMGR:
    AMQ9658: An invalid SSL certificate was received from the remote system.
    EXPLANATION:
    An SSL certificate received from the remote system was not corrupt but failed validation checks on its date fields.

Best guesses are that either the z/OS cert was in need of renewal, or the queue manager was confused as to what date it was, and the bounce helped. After any cert work in WMQ V5.3 queue managers, I always 'refreshed' SSL security, i.e. bounced them - as stated in my previous post.
_________________
It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys.
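As an added example (not code from the thread, from IBM, or from WebSphere MQ), the Python below does the two triage steps this thread turns on: it parses error-log records shaped like the AMQ9658 and CSQX messages quoted earlier, grouping the SSL-related ones per channel while handling the '????' unknown-channel case the AMQ9658 text mentions, and it applies the three date checks AMQ9658 describes (expired, not yet valid, inverted range) against the clock of the side doing the validating. In a two-way handshake each end checks the certificate it receives against its own clock, so the same renewed certificate can pass on one queue manager and be rejected by the other when their clocks or their copies of the certificate differ, which is the kind of asymmetry the question describes. The log text is constructed from the quoted messages, and the certificate dates, clock values and the set of message ids treated as SSL-related are assumptions made for the example.

```python
"""Triage helper for WMQ SSL channel failures reported as AMQ9658 / CSQX638E.

Added example, not the thread's or IBM's code: parses MQ error-log records
and applies the date checks that the AMQ9658 explanation text describes.
"""
from __future__ import annotations

import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample, modelled on the lines quoted in the thread; not a real capture.
SAMPLE_LOG = """\
AMQ9658: An invalid SSL certificate was received from the remote system.
EXPLANATION:
An SSL certificate received from the remote system was not corrupt but failed
validation checks on its date fields. The certificate has either expired, or
its date is not valid yet (i.e. the from date is later than today), or the
validity date range is incorrect (e.g. the to date is earlier than the from
date). The channel is '????'; in some cases its name cannot be determined and
so is shown as '????'. The channel did not start.
ACTION:
Ensure that the remote system has a valid, current SSL certificate. Restart the
channel.
+CSQX209E +ZQM1 CSQXRCTL Connection unexpectedly terminated,
channel ZQM1.AIX1,
connection (10.X.X.X)
(queue manager ????)
TRPTYPE=TCP
+CSQX638E +ZQM1 CSQXRCTL SSL communications error for channel
ZQM1.AIX1
+CSQX599E +ZQM1 CSQXRCTL Channel ZQM1.AIX1 ended abnormally
"""

# A new message record starts with an AMQnnnn: or +CSQXnnnX token.
RECORD_START = re.compile(r"^\+?(AMQ\d{4}|CSQX\d{3}[A-Z])\b")
# First "channel <name>" or "channel is '<name>'" occurrence inside a record.
CHANNEL_RE = re.compile(r"\bchannel(?: is)?\s+'?([A-Za-z0-9._?]+)'?", re.IGNORECASE)
# Message ids this example treats as SSL certificate/handshake trouble (assumption).
SSL_MESSAGE_IDS = {"AMQ9658", "CSQX638E"}


def parse_mq_log(text: str) -> list[tuple[str, str | None]]:
    """Split the log into (message_id, channel_name) pairs.

    Continuation lines are joined to their record so a channel name that
    wrapped onto the next line (CSQX638E above) is still found. MQ prints
    '????' when it could not determine the name; that is returned as None.
    """
    records: list[list[str]] = []
    for line in text.splitlines():
        if RECORD_START.match(line):
            records.append([line])
        elif records:
            records[-1].append(line)
    result = []
    for rec in records:
        joined = " ".join(rec)
        msg_id = RECORD_START.match(joined).group(1)
        m = CHANNEL_RE.search(joined)
        channel = m.group(1) if m else None
        if channel == "????":
            channel = None
        result.append((msg_id, channel))
    return result


def ssl_failures_by_channel(text: str) -> dict[str | None, list[str]]:
    """Group the SSL-related message ids per channel for triage."""
    grouped: dict[str | None, list[str]] = defaultdict(list)
    for msg_id, channel in parse_mq_log(text):
        if msg_id in SSL_MESSAGE_IDS:
            grouped[channel].append(msg_id)
    return dict(grouped)


def check_validity_dates(not_before: datetime, not_after: datetime, now: datetime) -> str:
    """Apply the three date checks described in the AMQ9658 text.

    'now' is the clock of the side that validates the received certificate;
    each end of a two-way handshake checks the peer's certificate against its
    own clock, so one queue manager can accept what the other rejects.
    """
    if not_after < not_before:
        return "inverted_range"
    if now < not_before:
        return "not_yet_valid"
    if now > not_after:
        return "expired"
    return "valid"


def demo() -> dict[str, str]:
    """Run the date checks for a constructed certificate issued on 2009-03-03."""
    nb = datetime(2009, 3, 3, tzinfo=timezone.utc)  # constructed notBefore
    na = datetime(2010, 3, 3, tzinfo=timezone.utc)  # constructed notAfter
    return {
        "peer_clock_correct": check_validity_dates(nb, na, datetime(2009, 3, 4, 9, tzinfo=timezone.utc)),
        "peer_clock_behind": check_validity_dates(nb, na, datetime(2009, 3, 2, 9, tzinfo=timezone.utc)),
        "after_expiry": check_validity_dates(nb, na, datetime(2010, 4, 1, tzinfo=timezone.utc)),
        "bad_range": check_validity_dates(na, nb, datetime(2009, 3, 4, tzinfo=timezone.utc)),
    }


if __name__ == "__main__":
    for channel, ids in ssl_failures_by_channel(SAMPLE_LOG).items():
        print(f"channel {channel or '<unknown>'}: {', '.join(ids)}")
    for case, verdict in demo().items():
        print(f"{case}: {verdict}")
```

Run as a script it lists which channels the SSL-related records point at and then prints the four date verdicts. The "peer_clock_behind" case is the one worth noting for this thread: a certificate that was just renewed is rejected as not yet valid by any peer whose clock is behind the issue time, while a peer with a correct clock accepts it, so comparing the clocks and the installed certificate copies on both queue managers is the first check before assuming the certificate itself is wrong.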