broker_new
Posted: Fri May 29, 2009 7:46 am Post subject: SSL=>Self Signed Certificate
Yatiri
Joined: 30 Nov 2006 Posts: 614 Location: Washington DC
Hi guys,
I have a problem in setting up the self-signed certificate. Here is the scenario.
Host B (Receiver side)
======
Created Qmanager QMB
1) Created a kdb of type CMS
2) Stashed the password to .sth file
3) Created a self signed certificate
a) made sure that the label name is "ibmwebspheremqqmb"
4) exported the key in pkcs format and FTP'ed the file to the HOST A
Host A (Sender side)
=====================
Created Qmanager QMA
1) Created a kdb of type CMS
2) Stashed the password to .sth file
3) Imported the key successfully.
a) updated the label name as "ibmwebspheremqqma"
Fine....Works well...
If I use the same label name as "ibmwebspheremqqmb" it's failing ...
encountering the following error
05/29/09 11:44:16 - Process(844004.1) User(mqm) Program(runmqchl_nd)
AMQ9633: Bad SSL certificate for channel 'QMA.QMB'.
EXPLANATION:
A certificate encountered during SSL handshaking is regarded as bad for one of
the following reasons:
(a) it was formatted incorrectly and could not be validated, or
(b) it was formatted correctly but failed validation against the Certification
Authority (CA) root and other certificates held on the local system, or
(c) it was found in a Certification Revocation List (CRL) on an LDAP server.
(d) a CRL was specified but the CRL could not be found on the LDAP server.
The channel is 'QMA.QMB'; in some cases its name cannot be determined and
so is shown as '????'. The channel did not start.
ACTION:
Check which of the three possible causes applies on your system. Correct the
error, and restart the channel.
Am I following the correct steps? Please guide me.
_________________
IBM ->Let's build a smarter planet

exerk
Posted: Fri May 29, 2009 8:51 am
Jedi Council
Joined: 02 Nov 2006 Posts: 6339
1. Create a self-signed certificate for queue manager A.
2. Create a self-signed certificate for queue manager B.
3. Extract the certificate, as Base64 encoded ASCII, from queue manager A.
4. Extract the certificate, as Base64 encoded ASCII, from queue manager B.
5. Add queue manager A's certificate to the Signer section of queue manager B's key store.
6. Add queue manager B's certificate to the Signer section of queue manager A's key store.
7. Refresh security type(ssl) in both queue managers, or restart them.
8. Feed back.
_________________
It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys.
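
Steps 1 to 7 of the post above as a script. This is an added example, not part of the original post; it assumes the runmqckm command-line counterpart of iKeyman, both key repositories at the default /var/mqm/qmgrs/<QMGR>/ssl/key.kdb on one host, a placeholder password, and a hypothetical <QMGR>_signer label. Only the extracted public certificates (.arm files) are exchanged, and by default the script prints the commands instead of running them.

```shell
#!/bin/sh
# Added example, not from the thread. Assumptions: runmqckm and runmqsc are on
# PATH, both key repositories sit at the default UNIX location on this host,
# and KDB_PW is a placeholder for the key database password.
DRY_RUN=${DRY_RUN:-1}                 # 1 = print each command, 0 = execute it
SSL_ROOT=${SSL_ROOT:-/var/mqm/qmgrs}  # assumed key repository root
KDB_PW=${KDB_PW:-changeit}            # placeholder password

run() { if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi; }

# MQ looks up the personal certificate labelled ibmwebspheremq<qmgr, lower case>.
label_for() { echo "ibmwebspheremq$(echo "$1" | tr '[:upper:]' '[:lower:]')"; }
kdb_for()   { echo "$SSL_ROOT/$1/ssl/key.kdb"; }

# Steps 1-2: self-signed personal certificate; the private key stays in the store.
make_cert() {
    run runmqckm -cert -create -db "$(kdb_for "$1")" -pw "$KDB_PW" \
        -label "$(label_for "$1")" -dn "CN=$1"
}

# Steps 3-4: extract only the public certificate as Base64-encoded ASCII.
extract_cert() {
    run runmqckm -cert -extract -db "$(kdb_for "$1")" -pw "$KDB_PW" \
        -label "$(label_for "$1")" -target "$1.arm" -format ascii
}

# Steps 5-6: add queue manager $2's certificate as a signer in $1's key store.
# The signer label is arbitrary; "<QMGR>_signer" is a hypothetical choice.
add_signer() {
    run runmqckm -cert -add -db "$(kdb_for "$1")" -pw "$KDB_PW" \
        -label "${2}_signer" -file "$2.arm" -format ascii
}

# Step 7: make the queue manager reload its key repository.
refresh_ssl() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "echo 'REFRESH SECURITY TYPE(SSL)' | runmqsc $1"
    else
        echo "REFRESH SECURITY TYPE(SSL)" | runmqsc "$1"
    fi
}

exchange() {
    make_cert "$1";       make_cert "$2"
    extract_cert "$1";    extract_cert "$2"
    add_signer "$2" "$1"; add_signer "$1" "$2"
    refresh_ssl "$1";     refresh_ssl "$2"
}

exchange QMA QMB
```

On two separate hosts, each queue manager's commands run locally and only the .arm files are copied across.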

broker_new
Posted: Fri May 29, 2009 12:26 pm
Yatiri
Joined: 30 Nov 2006 Posts: 614 Location: Washington DC
I followed your suggestions, facing the same problem
05/29/09 16:24:43 - Process(348372.1) User(mqm) Program(runmqchl_nd)
AMQ9633: Bad SSL certificate for channel 'QMA.QMB'.
EXPLANATION:
A certificate encountered during SSL handshaking is regarded as bad for one of
the following reasons:
(a) it was formatted incorrectly and could not be validated, or
(b) it was formatted correctly but failed validation against the Certification
Authority (CA) root and other certificates held on the local system, or
(c) it was found in a Certification Revocation List (CRL) on an LDAP server.
(d) a CRL was specified but the CRL could not be found on the LDAP server.
The channel is 'QMA.QMB'; in some cases its name cannot be determined and
so is shown as '????'. The channel did not start.
ACTION:
Check which of the three possible causes applies on your system. Correct the
error, and restart the channel.
_________________
IBM ->Let's build a smarter planet

fjb_saper
Posted: Fri May 29, 2009 1:14 pm
Grand High Poobah
Joined: 18 Nov 2003 Posts: 20756 Location: LI,NY
exerk: for clarification: the signer section of the qmgr's keystore is the castore, right?
_________________
MQ & Broker admin

broker_new
Posted: Fri May 29, 2009 2:59 pm
Yatiri
Joined: 30 Nov 2006 Posts: 614 Location: Washington DC
It felt unusual to me, but I tried his way and it didn't work.
I have tried the other way too, that is, exported the cert from the QMB keystore in pkcs format and imported it into the personal certificate section of the QMA keystore, and in the same way I have created the self-signed certificate in QMA and imported it into the personal certificate section of the QMB keystore in pkcs format.
I am facing the same problem.
_________________
IBM ->Let's build a smarter planet

exerk
Posted: Sat May 30, 2009 1:36 am
Jedi Council
Joined: 02 Nov 2006 Posts: 6339
fjb_saper wrote:
exerk: for clarification: the signer section of the qmgr's keystore is the castore, right?
Correct. I was of course assuming that broker_new was using the key management GUI to make his/her life easier...or at least initially so!
broker_new, if you are using command line please post the commands you are running.
_________________
It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys.

broker_new
Posted: Sat May 30, 2009 4:52 am
Yatiri
Joined: 30 Nov 2006 Posts: 614 Location: Washington DC
Your assumption was correct, I was using iKeyman.
QMB
====
1) I have created the self-signed cert with label name "ibmwebspheremqqmb" and CN="QMB"
2) Exported it in .pkcs format.
QMA
====
1) I have created the self-signed cert with label name "ibmwebspheremqqma" and CN="QMA"
2) Exported it in .pkcs format.
3) Imported the key from QMA into the personal cert section with the same label name.
And at last, on the QMB side, I have imported the key from QMB into the personal cert section with the same label name.
I still have the same problem.
_________________
IBM ->Let's build a smarter planet

broker_new
Posted: Sat May 30, 2009 7:44 am
Yatiri
Joined: 30 Nov 2006 Posts: 614 Location: Washington DC
Cool, I refreshed the security but it didn't work... at last I have bounced the queue manager... it's working now.
_________________
IBM ->Let's build a smarter planet