| Author |
Message
|
| rmah |
 Posted: Thu Jan 15, 2009 4:07 pm Post subject: MQ SSL on Windows 2003 |
 |
|
Centurion
Joined: 04 May 2007
Posts: 142
|
SOLVED
Hi,
I'm getting a very puzzling error.
I have configured my SSLKEY value to this for my queue manager:
C:\Program Files\IBM\WebSphere MQ\Qmgrs\CAP02REPL\ssl\key
I get this error:
AMQ9642: No SSL certificate for channel 'to.mqhub_01'.
I've set the SSL for 'to.mqhub_01' to NULL_SHA and REQUIRED.
The key.* files are readable and writable by the user the queue manager is running under.
If I put:
C:\Program Files\IBM\WebSphere MQ\Qmgrs\CAP02REPL\ssl\key.kdb
I get this error:
AMQ9660: SSL key repository: password stash file absent or unusable.
I've stashed the password many times with key manager tool, and the .sth file is there!
What could problem be?
Thanks...
_________________
MQ 6.0.2.3
Broker 6.0.0.7
for Linux
Last edited by rmah on Thu May 28, 2009 1:37 pm; edited 1 time in total |
|
| Back to top |
|
 |
| fjb_saper |
| Posted: Thu Jan 15, 2009 6:45 pm Post subject: |
|
|
Grand High Poobah
Joined: 18 Nov 2003
Posts: 20756
Location: LI,NY
|
What is the path & name of the key file?
What is the path & name of the corresponding stash file?
_________________
MQ & Broker admin |
|
| Back to top |
|
|
| zhanghz |
| Posted: Sun Jan 18, 2009 5:26 pm Post subject: |
|
|
Disciple
Joined: 17 Jun 2008
Posts: 186
|
I assume the full path and name of your key file is "C:\Program Files\IBM\WebSphere MQ\Qmgrs\CAP02REPL\ssl\key.kdb". Then you should put "C:\Program Files\IBM\WebSphere MQ\Qmgrs\CAP02REPL\ssl\key" in SSLKEYR of your qmgr.
Now check whether you have your qmgr's cert with the label of "ibmwebspheremq<your_qmgr_name>" in the repository. On Windows, your own cert should be labeled like that, all small letters.
And have you issued "refresh security type(ssl)" or restarted qmgr after the change? |
|
| Back to top |
|
|
| rmah |
| Posted: Thu May 28, 2009 12:23 pm Post subject: |
|
|
Centurion
Joined: 04 May 2007
Posts: 142
|
| zhanghz wrote: |
I assume the full path and name of your key file is "C:\Program Files\IBM\WebSphere MQ\Qmgrs\CAP02REPL\ssl\key.kdb". Then you should put "C:\Program Files\IBM\WebSphere MQ\Qmgrs\CAP02REPL\ssl\key" in SSLKEYR of your qmgr.
Now check whether you have your qmgr's cert with the label of "ibmwebspheremq<your_qmgr_name>" in the repository. On Windows, your own cert should be labeled like that, all small letters.
And have you issued "refresh security type(ssl)" or restarted qmgr after the change? |
You say teh label should be all small letters. My queue manager name is all caps - should I still use all letteres for the label name?
_________________
MQ 6.0.2.3
Broker 6.0.0.7
for Linux |
|
| Back to top |
|
|
| bruce2359 |
| Posted: Thu May 28, 2009 12:29 pm Post subject: |
|
|
Poobah
Joined: 05 Jan 2008
Posts: 9469
Location: US: west coast, almost. Otherwise, enroute.
|
Have you read the WMQ Security manual? There's a chapter "Working with SSL or TLS on UNIX and Windows systems."
A quick search for key label in this manual came up with:
ibmwebspheremq followed by the name of your queue manager changed to lower case. For example, for QM1, ibmwebspheremqqm1
_________________
I like deadlines. I like to wave as they pass by.
ב''ה
Lex Orandi, Lex Credendi, Lex Vivendi. As we Worship, So we Believe, So we Live. |
|
| Back to top |
|
|
| exerk |
| Posted: Thu May 28, 2009 1:32 pm Post subject: |
|
|
Jedi Council
Joined: 02 Nov 2006
Posts: 6339
|
Lots of good info HERE...
_________________
It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys. |
|
| Back to top |
|
|
|
|
