visionR32
Posted: Mon Aug 03, 2009 9:44 am Post subject: ssl setup : mq 6 on windows
Novice
Joined: 29 Jan 2009 Posts: 11
Hi All,
I'm going through the security pdf for mq windows pg: chap 11 - topic: setting up ssl communication.
Question: can you please confirm if these are the right steps when setting up a CA-signed cert between 2 queue managers on different machines?
1. Create a cert req on both QMA and QMB.
2. Add the signer cert from the CA and import it into the *.kdb key store (with the CA's name for the label) - do this on both queue managers.
3. Receive the signed personal cert and add the relevant certs to the queue manager for which the request was made.
4. [THIS IS WHERE I GET LOST] - I imported the cert in #2 to both queue managers as it's the same CA that signed them.
After all this the sender channel from QMA gets into a retry state (by the way, with SSL disabled it works fine).
In the error log I get the below:
----- amqrmrsa.c : 459 --------------------------------------------------------
2009/08/03 18:19:14 - Process(3484.2) User(MUSR_MQADMIN) Program(amqrmppa.exe)
AMQ9637: Channel is lacking a certificate.
EXPLANATION:
The channel is lacking a certificate to use for the SSL handshake. The channel
name is '????' (if '????' it is unknown at this stage in the SSL processing).
The channel did not start.
ACTION:
Make sure the appropriate certificates are correctly configured in the key
repositories for both ends of the channel.
If you have migrated from WebSphere MQ V5.3 to V6, it is possible that the
missing certificate is due to a failure during SSL key repository migration.
Check the relevant error logs. If these show that an orphan certificate was
encountered then you should obtain the relevant missing certification authority
(signer) certificates and then import these and the orphan certificate into the
WebSphere MQ V6 key repository, and then re-start the channel.
----- amqccisa.c : 3448 -------------------------------------------------------
2009/08/03 18:19:14 - Process(3484.2) User(MUSR_MQADMIN) Program(amqrmppa.exe)
AMQ9492: The TCP/IP responder program encountered an error.
EXPLANATION:
The responder program was started but detected an error.
ACTION:
Look at previous error messages in the error files to determine the error
encountered by the responder program.
----- amqrmrsa.c : 459 --------------------------------------------------------
And I initially tested the above with SELF-SIGNED certs and they worked fine!
What am I missing?
Regards

exerk
Posted: Mon Aug 03, 2009 10:06 am Post subject:
Jedi Council
Joined: 02 Nov 2006 Posts: 6339
In each queue manager, did you refresh security after adding the CA cert and receiving the queue manager personal cert?
_________________
It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys.

visionR32
Posted: Mon Aug 03, 2009 10:59 am Post subject:
Novice
Joined: 29 Jan 2009 Posts: 11
Yes I did,
I even restarted both queue managers,
and I did create the request from cert with lower case labels, e.g. ibmwebspheremqqma

exerk
Posted: Mon Aug 03, 2009 1:47 pm Post subject:
Jedi Council
Joined: 02 Nov 2006 Posts: 6339
And each queue manager's SSLKEYR attribute contains the correct path, and key store name (in stem format), e.g. 'C:\Program Files\IBM\WebSphere MQ\Qmgrs\<QMNAME>\ssl\key', to the location of the key store?

visionR32
Posted: Thu Aug 06, 2009 12:52 am Post subject:
Novice
Joined: 29 Jan 2009 Posts: 11
Thank you guys for your help - I managed to solve the problem - one of my queue manager's personal cert labels was misspelled.
Regards
VisionR32
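
The fix above came down to one wrong character in a certificate label. As an added example (not part of the original thread), this Python check derives the label WebSphere MQ V6 looks for, `ibmwebspheremq` followed by the queue manager name in lower case, and compares it with labels copied from a key repository listing. The function names and the sample labels are constructed for illustration.

```python
import difflib

# Fixed prefix WebSphere MQ V6 expects on a queue manager's personal certificate label.
LABEL_PREFIX = "ibmwebspheremq"


def expected_label(qmgr_name):
    """Label MQ V6 looks up: prefix + queue manager name folded to lower case."""
    return LABEL_PREFIX + qmgr_name.lower()


def check_labels(qmgr_name, labels):
    """Classify a key repository's labels for one queue manager.

    Returns (status, label): 'ok' with the matching label, or the near-miss
    that most likely explains AMQ9637 ('whitespace', 'case', 'misspelled'),
    or 'missing' with the label that should exist.
    """
    want = expected_label(qmgr_name)
    if want in labels:
        return ("ok", want)
    for label in labels:
        if label.strip() == want:
            return ("whitespace", label)   # stray blanks around the label
        if label.strip().lower() == want:
            return ("case", label)         # right letters, wrong case
    close = difflib.get_close_matches(want, labels, n=1, cutoff=0.8)
    if close:
        return ("misspelled", close[0])    # typo such as a dropped letter
    return ("missing", want)


if __name__ == "__main__":
    # Constructed sample listings: signer cert plus personal cert per queue manager.
    repositories = {
        "QMA": ["Example Root CA", "ibmwebspheremqqma"],
        "QMB": ["Example Root CA", "ibmwebsphermqqmb"],  # constructed typo
    }
    for qmgr, labels in repositories.items():
        status, label = check_labels(qmgr, labels)
        print(f"{qmgr}: {status} ({label!r}), expected {expected_label(qmgr)!r}")
```

Run it against the labels from both queue managers' key repositories before refreshing security and restarting the channel.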

exerk
Posted: Thu Aug 06, 2009 1:09 am Post subject:
Jedi Council
Joined: 02 Nov 2006 Posts: 6339
Please edit your original post Subject line with * SOLVED *, so as to make it more 'visible' for anyone searching the site for similar problems they may be encountering - it works as an eye-catcher.
Thank you.