Author |
Message
|
chrisgclark |
Posted: Wed Aug 26, 2009 9:26 am Post subject: rc=2393 Cannot Connect returned by RFHUtilc - SSL certs prob |
|
|
Apprentice
Joined: 26 Mar 2009 Posts: 35
|
When using the rfhutilc client to connect to a (local or remote) queue manager using SSL, we get the 'rc=2393 Cannot Connect' message returned when the svrconn channel definition SSL parameter 'Accept only certificates with Distinguished Names matching these values:' is checked and specifies a DN. When distinguished names are not selected on the channel, rfhutilc can put and get successfully.
With a Java client certification/connection this works OK, but we need to produce an SSL certificate (with distinguished names enabled) for a C program. We are using RFHUtil to test the client SSL certificate as this is a C application.
Any ideas? Thanks. |
|
|
 |
mqjeff |
Posted: Wed Aug 26, 2009 9:40 am Post subject: |
|
|
Grand Master
Joined: 25 Jun 2008 Posts: 17447
|
You need the same certificate in two keystore formats: one a .jks for Java, one a .kdb for C. |
|
|
 |
chrisgclark |
Posted: Thu Aug 27, 2009 12:26 am Post subject: |
|
|
Apprentice
Joined: 26 Mar 2009 Posts: 35
|
Hi mqjeff,
We have in fact produced the same certificate in 2 formats. The jks java one works fine with distinguished names enabled, however the .kdb C one does not work with distinguished names enabled. We get the mqrc 2393 when we try to test the .kdb one using RFHUtil.
We have produced them with the same CA.
Chris |
|
|
 |
crossland |
Posted: Tue Sep 22, 2009 7:06 am Post subject: |
|
|
Master
Joined: 26 Jun 2001 Posts: 248
|
Did you change anything else apart from the -type parameter on the create commands, between the commands used to create the jks and the commands used to create the kdb? |
|
|
 |
chrisgclark |
Posted: Thu Sep 24, 2009 3:04 am Post subject: |
|
|
Apprentice
Joined: 26 Mar 2009 Posts: 35
|
Hi,
Yes, same command just -type parameter different.
Fixed this issue now; we changed 2 things and it started working with DNs:
1. Name of suffix on the client side certificate label. This was missing the MCAUser ID of the qmgr channel.
2. We had to create a Windows user that matched the MCAUser ID of the qmgr channel, then run RFHUtil under this user ID. The 'Set Connection user ID' option in RFHUtil didn't seem to send these username/password through to the qmgr.
Thanks for your suggestion though.
Chris |
|
|
 |
exerk |
Posted: Thu Sep 24, 2009 3:52 am Post subject: |
|
|
 Jedi Council
Joined: 02 Nov 2006 Posts: 6339
|
chrisgclark wrote: |
1. Name of suffix on the client side certificate label. This was missing the MCAUser ID of the qmgr channel. |
For future reference, have a look at THIS.
chrisgclark wrote: |
2. We had to create a Windows user that matched the MCAUser ID of the qmgr channel, then run RFHUtil under this user ID. |
The user set in the MCAUSER attribute over-rides any userid passed in the connection, so any user could have been used.
chrisgclark wrote: |
The 'Set Connection user ID' option in RFHUtil didn't seem to send these username/password through to the qmgr. |
From the IH03 doc: "The user id and password are usually ignored by the channel unless a channel exit is specified for the specified channel"
_________________
It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys. |
|
|
 |
ammad |
Posted: Wed Jan 09, 2013 1:02 pm Post subject: |
|
|
Newbie
Joined: 09 Jan 2013 Posts: 1
|
Quote: |
chrisgclark wrote:
The 'Set Connection user ID' option in RFHUtil didn't seem to send these username/password through to the qmgr.
From the IH03 doc: "The user id and password are usually ignored by the channel unless a channel exit is specified for the specified channel" |
Then what is the best way to provide user id and password? Any other way for doing that? |
|
|
 |
exerk |
Posted: Wed Jan 09, 2013 1:05 pm Post subject: |
|
|
 Jedi Council
Joined: 02 Nov 2006 Posts: 6339
|
ammad wrote: |
Quote: |
chrisgclark wrote:
The 'Set Connection user ID' option in RFHUtil didn't seem to send these username/password through to the qmgr.
From the IH03 doc: "The user id and password are usually ignored by the channel unless a channel exit is specified for the specified channel" |
Then what is the best way to provide user id and password? Any other way for doing that? |
|
|
 |
|