Author |
Message
|
HenriqueS |
Posted: Tue Aug 18, 2009 9:24 am Post subject: Trying to use CCDT to connect MQ Explorer to remote qmgr |
|
|
 Master
Joined: 22 Sep 2006 Posts: 235
|
I am trying to set up SSL for MQ administration through MQExplorer. I realized that I need to connect using a CCDT instead of a regular MQExplorer connection because there is a need to supply extra parameters only available on the CCDT.
When I try to add, I get a generic error AMQ4059.
This is what I tried:
1) Created on my local qmgr a client connection definition, looks like this:
DISPLAY CHANNEL(QM.MQ_H)
Code: |
3 : DISPLAY CHANNEL(QM.MQ_H)
AMQ8414: Erro no Comprimento da Cadeia.
CHANNEL(QM.MQ_H) CHLTYPE(CLNTCONN)
ALTDATE(2009-08-18) ALTTIME(13.46.59)
COMPHDR(NONE) COMPMSG(NONE)
CONNAME(mq-h.bc(1414)) DESCR( )
HBINT(300) KAINT(AUTO)
LOCLADDR( ) MAXMSGL(4194304)
MODENAME( ) PASSWORD( )
QMNAME(QM.MQ_H) RCVDATA( )
RCVEXIT( ) SCYDATA( )
SCYEXIT( ) SENDDATA( )
SENDEXIT( ) SSLCIPH( )
SSLPEER( ) TPNAME( )
TRPTYPE(TCP) USERID( )
|
2) Copied the AMQCLCHL.TAB file sitting under the /@ipcc directory of my local QMGR to C:\TEMP .
3) I went to my local MQExplorer copy and tried to include a new qmgr, clicking on the radio button labeled "use client channel definition table".
4) Pointed to the C:\TEMP\AMQCLCHL.TAB file. Clicked on "Finish".
5) MQ Explorer complains "Could not connect to queue manager (AMQ4059)".
*As you can see this is a clean connection, I have not yet enabled anything related to SSL.
*Creating a regular MQ Explorer connection to this remote queue manager gives no problems at all.
Is there any object missing? Must the client connection definition also be sitting on the remote queue manager? |
|
mqjeff |
Posted: Tue Aug 18, 2009 9:34 am Post subject: |
|
|
Grand Master
Joined: 25 Jun 2008 Posts: 17447
|
Does the CHANNEL(QM.MQ_H) exist as a SVRCONN on the remote qmgr?
Does the user running MQExplorer, or the MCAUSER on QM.MQ_H have sufficient privileges? |
|
HenriqueS |
Posted: Tue Aug 18, 2009 10:49 am Post subject: |
|
|
 Master
Joined: 22 Sep 2006 Posts: 235
|
Many thanks, I did not realize that I should push the client channel name the same as the one sitting at the remote queue manager. I thought the administrative commands would flow through SYSTEM.ADMIN.SVRCONN.
mqjeff wrote: |
Does the CHANNEL(QM.MQ_H) exist as a SVRCONN on the remote qmgr?
Does the user running MQExplorer, or the MCAUSER on QM.MQ_H have sufficient privileges? |
|
|
mqjeff |
Posted: Tue Aug 18, 2009 11:23 am Post subject: |
|
|
Grand Master
Joined: 25 Jun 2008 Posts: 17447
|
The CCDT fully specifies the client connection half of the channel. Like all channels, Client Connections are paired with Server Connection channels and are matched by name.
So if you want to connect to SYSTEM.ADMIN.SVRCONN, you must create a SYSTEM.ADMIN.SVRCONN Client Connection channel in your CCDT.
But please don't use that channel. Use a "MQEXPLORER.ADMIN.SVRCONN" or something that makes it visible that you're using MQExplorer for Admin purposes, or whatever your naming standards say. |
|
HenriqueS |
Posted: Tue Aug 18, 2009 6:19 pm Post subject: |
|
|
 Master
Joined: 22 Sep 2006 Posts: 235
|
Thanks for the feedback. Yes, I will change the channel naming.
After playing with the CCDT, I finally got this client channel working over SSL. This was a concern for me. It is a tricky and very detailed thing though (generate certs, create key databases, exchange certs between databases, export .kdb to .jks, MQExplorer settings, etc.).
My idea is to create 2 SSL'd client channels, 1) one for administrative purposes for MQExplorer use and 2) another for application API calls.
After that I will probably delete any other server connection channels, including SYSTEM ones. What do you think? |
|
fjb_saper |
Posted: Tue Aug 18, 2009 7:44 pm Post subject: |
|
|
 Grand High Poobah
Joined: 18 Nov 2003 Posts: 20756 Location: LI,NY
|
Don't need to delete system channels. Just set the mcauser to nobody and make sure nobody is not a user on the system and / or has no mq privileges. _________________ MQ & Broker admin |
|
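An added example, not part of any post in this thread: a small Python audit of `runmqsc` DISPLAY CHANNEL output that checks the two points made above, namely that every CLNTCONN in the CCDT has a SVRCONN of the same name on the queue manager, and that no SVRCONN is left with a blank MCAUSER. The sample output is constructed; the user ID `mqexpl`, the CipherSpec shown and the extra check for a usable channel without SSLCIPH are assumptions.

```python
import re
# ATTR(value) pairs as runmqsc prints them; one nested level covers CONNAME(host(port)).
PAIR = re.compile(r"([A-Z]+)\(((?:[^()]|\([^()]*\))*)\)")

def parse_channels(text):
    """Turn DISPLAY CHANNEL output into one attribute dict per channel."""
    channels = []
    for line in text.splitlines():
        if re.match(r"\s*\d+ : ", line):            # echoed command, not data
            continue
        if line.lstrip().startswith("AMQ8414"):     # message that opens each record
            channels.append({})
        elif channels:
            for key, value in PAIR.findall(line):
                channels[-1][key] = value.strip()
    return [c for c in channels if "CHANNEL" in c]

def audit(qmgr_out, ccdt_out):
    """Findings for the thread's two points: name pairing and MCAUSER lockdown."""
    svrconns = {c["CHANNEL"]: c for c in parse_channels(qmgr_out)
                if c.get("CHLTYPE") == "SVRCONN"}
    findings = [(c["CHANNEL"], "no SVRCONN of this name on the queue manager")
                for c in parse_channels(ccdt_out)
                if c.get("CHLTYPE") == "CLNTCONN" and c["CHANNEL"] not in svrconns]
    for name, c in sorted(svrconns.items()):
        if not c.get("MCAUSER"):
            findings.append((name, "blank MCAUSER"))
        elif c["MCAUSER"].lower() != "nobody" and not c.get("SSLCIPH"):
            findings.append((name, "usable channel without SSLCIPH"))
    return findings

# Constructed sample output (not captured from a real system), trimmed to the
# attributes the audit reads; "mqexpl" is a hypothetical low-privilege user ID.
QMGR_OUT = """\
AMQ8414: Display Channel details.
   CHANNEL(MQEXPLORER.ADMIN.SVRCONN)       CHLTYPE(SVRCONN)
   MCAUSER(mqexpl)                         SSLCIPH(TRIPLE_DES_SHA_US)
AMQ8414: Display Channel details.
   CHANNEL(SYSTEM.ADMIN.SVRCONN)           CHLTYPE(SVRCONN)
   MCAUSER(nobody)                         SSLCIPH( )
AMQ8414: Display Channel details.
   CHANNEL(SYSTEM.DEF.SVRCONN)             CHLTYPE(SVRCONN)
   MCAUSER( )                              SSLCIPH( )
"""
CCDT_OUT = """\
AMQ8414: Display Channel details.
   CHANNEL(QM.MQ_H)                        CHLTYPE(CLNTCONN)
   CONNAME(mq-h.bc(1414))                  QMNAME(QM.MQ_H)
"""
print(audit(QMGR_OUT, CCDT_OUT))
```

Feed it the output of `DISPLAY CHANNEL(*) ALL` from the remote queue manager and from the queue manager that holds the CCDT's client connection definitions.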
HenriqueS |
Posted: Mon Aug 24, 2009 3:07 pm Post subject: |
|
|
 Master
Joined: 22 Sep 2006 Posts: 235
|
Just one more thing, how do I store the access password for the Java keystore (JKS)? Every time I log onto MQ Explorer I need to retype the password... |
|
PhilBlake |
Posted: Tue Aug 25, 2009 1:40 am Post subject: |
|
|
 Acolyte
Joined: 25 Oct 2005 Posts: 64
|
|
HenriqueS |
Posted: Tue Aug 25, 2009 8:55 am Post subject: |
|
|
 Master
Joined: 22 Sep 2006 Posts: 235
|
|
HenriqueS |
Posted: Mon Aug 31, 2009 11:12 am Post subject: |
|
|
 Master
Joined: 22 Sep 2006 Posts: 235
|
Well, I just gave up because it seems that MQ Explorer 7.0 sends to the queue manager some very specific commands that are only supported on MQ 7. |
|
HenriqueS |
Posted: Mon Aug 31, 2009 11:15 am Post subject: |
|
|
 Master
Joined: 22 Sep 2006 Posts: 235
|
Folks, I did distribute the .tab and .jks files to 2 other people that work with me.
Trying to configure an MQ Explorer connection on their machines did not work however. I pointed to the .tab and .jks files, supplied the keystore password, and nothing happened. MQ Explorer complained as if the destination qmgr did not exist at all.
Could this be related to the local MQ installation? I guess that they have 6.0.0.1 and I have 6.0.0.7 . Do the patches deal something on MQ Explorer ? |
|
PhilBlake |
Posted: Tue Sep 01, 2009 2:36 pm Post subject: |
|
|
 Acolyte
Joined: 25 Oct 2005 Posts: 64
|
HenriqueS wrote: |
Well, I just gave up because it seems that MQ Explorer 7.0 sends to the queue manager some very specific commands that are only supported on MQ 7. |
Ummm, no, that should work. What errors are you seeing ? |
|
PhilBlake |
Posted: Tue Sep 01, 2009 2:41 pm Post subject: |
|
|
 Acolyte
Joined: 25 Oct 2005 Posts: 64
|
HenriqueS wrote: |
Folks, I did distribute the .tab and .jks files to 2 other people that work with me.
Trying to configure an MQ Explorer connection on their machines did not work however. I pointed to the .tab and .jks files, supplied the keystore password, and nothing happened. MQ Explorer complained as if the destination qmgr did not exist at all.
Could this be related to the local MQ installation? I guess that they have 6.0.0.1 and I have 6.0.0.7 . Do the patches deal something on MQ Explorer ? |
Your client certificate will have your userid in the label and the server certificate will have the queue manager name in the label, so I would be surprised if these certificates (.jks files) worked on someone else's setup. |
|