rajesh00001 (Apprentice, joined 08 Sep 2009, 34 posts)
Posted: Tue Sep 08, 2009 7:39 pm    Post subject: SSL configuration
Hi All,
I am trying to do SSL configuration between two queue managers. One queue manager is on Windows and the other is on Solaris. The MQ version is 6.0 on both servers.
I got a self-signed certificate from Version and configured it according to the procedure.
I got the error below when starting the sender channel from the Windows system.
----- amqrcmsa.c : 2070 -------------------------------------------------------
3/13/2009 11:02:30 - Process(52376.1) User(MUSR_MQADMIN) Program(runmqchl.exe)
AMQ9002: Channel 'QM1_QM2' is starting.
EXPLANATION:
Channel 'QM1_QM2' is starting.
ACTION:
None.
-------------------------------------------------------------------------------
3/13/2009 11:02:32 - Process(52376.1) User(MUSR_MQADMIN) Program(runmqchl.exe)
AMQ9209: Connection to host ' ' closed.
EXPLANATION:
An error occurred receiving data from ' ' over TCP/IP. The connection to the
remote host has unexpectedly terminated.
ACTION:
Tell the systems administrator.
----- amqccita.c : 3094 -------------------------------------------------------
3/13/2009 11:02:32 - Process(52376.1) User(MUSR_MQADMIN) Program(runmqchl.exe)
AMQ9999: Channel program ended abnormally.
EXPLANATION:
Channel program 'QM1_QM2' ended abnormally.
ACTION:
Look at previous error messages for channel program 'QM1_QM2' in the
error files to determine the cause of the failure
Please help me solve this case.
fjb_saper (Grand High Poobah, joined 18 Nov 2003, 20756 posts, LI,NY)
Posted: Tue Sep 08, 2009 7:52 pm
First check that it works without SSL. Then put the SSL in debug log/trace level. Find out what the SSL logs / errors say.
MQ & Broker admin
jeevan (Grand Master, joined 12 Nov 2005, 1432 posts)
Posted: Tue Sep 08, 2009 9:40 pm    Post subject: Re: SSL configuration
rajesh00001 wrote: (the original post above, quoted in full)
Which fixpack have you applied? None of these errors are SSL related. They could be due to a network or connection problem.
As fjb_saper said, get the channel running without SSL, then set up SSL. It is easier to debug that way than mixing many problems [divide and conquer].
exerk (Jedi Council, joined 02 Nov 2006, 6339 posts)
Posted: Tue Sep 08, 2009 11:37 pm
CHECKLIST
1. You created a self-signed certificate in QM1's key store, and exported it.
2. You created a self-signed certificate in QM2's key store, and exported it.
3. You imported QM1's self-signed certificate into QM2's key store.
4. You imported QM2's self-signed certificate into QM1's key store.
5. You altered QM1's SSLKEYR attribute to reference QM1's key store, and in stem format, i.e. '<path>/QM1/ssl/key' and not '<path>/QM1/ssl/key.kdb'.
6. You altered QM2's SSLKEYR attribute to reference QM2's key store, and in stem format, i.e. '<path>/QM2/ssl/key' and not '<path>/QM2/ssl/key.kdb'.
7. You refreshed security in each queue manager.
It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys.
hsyeow (Newbie, joined 15 Sep 2009, 4 posts)
Posted: Tue Sep 15, 2009 5:33 am
I'm facing a similar issue with SSL. Sometimes I get TCP/IP return code 104 (X'68'), aka Connection reset by peer, and at times AMQ9665: SSL connection closed by remote end of channel.
QM1 -> QM2 fails with the above errors.
QM2 -> QM1 has no problem.
No matter what error code I see at the sender side, the receiver only sees AMQ9633 Bad SSL Certificate for Channel xxx. According to IBM's support page, it's supposed to appear at the sender side, but somehow it only appears at the receiver side. I tried setting the receiver's SSL authentication to OPTIONAL, but to no avail.
fjb_saper wrote:
    First check that it works without SSL. Then put the SSL in debug log/trace level. Find out what the SSL logs / errors say.
Connectivity is OK without SSL. How do I enable debug log/trace level?
exerk wrote: (the checklist above)
1-4. I need to export QM1's self-signed cert and import QM2's cert, and vice versa? I thought all I needed to do was extract QM1's CA cert, add it into QM2, and repeat for QM2?
That's what I did for the test qmgr and there was no problem. I'm currently having the problem after following the same steps with the production qmgr.
5-6. Checked.
7. QM1, yes. QM2, not sure, but since it's able to connect to QM1, I suppose it was. If it wasn't, could that be the cause of my problem?
exerk (Jedi Council, joined 02 Nov 2006, 6339 posts)
Posted: Tue Sep 15, 2009 5:47 am
hsyeow wrote:
    1-4. I need to export QM1's self-signed cert and import QM2's cert, and vice versa? I thought all I needed to do was extract QM1's CA cert, add it into QM2, and repeat for QM2?
Poor wording on my part...I should have used the correct phraseology...Apologies.
hsyeow (Newbie, joined 15 Sep 2009, 4 posts)
Posted: Tue Sep 15, 2009 5:53 am
exerk wrote: (the reply above)
Thanks for the clarification. With that out of the way, any idea where I should start digging for more clues? I'm pretty clueless on MQ with SSL.
exerk (Jedi Council, joined 02 Nov 2006, 6339 posts)
Posted: Tue Sep 15, 2009 6:04 am
hsyeow wrote:
    ...I'm pretty clueless on MQ with SSL...
Don't worry, so am I. I normally just 'hack' around until it works.
I'd look at the possibility of a problem with the certificate add, so I suggest deleting the 'CA' certificate in the problem queue manager (the receiving end), i.e. in QM2, delete QM1's certificate, extract a fresh copy from QM1 and add it again to QM2 - or it might be the other way around, I always get hazy as to which end is doing what!
hsyeow (Newbie, joined 15 Sep 2009, 4 posts)
Posted: Tue Sep 15, 2009 4:48 pm
Did that too. I've recreated QM1's key database and added the new CA into QM2's key database. The old one was deleted beforehand.
No progress. I will try the SSL trace as suggested by fjb_saper. I doubt I know how to read the trace log.
Vitor (Grand High Poobah, joined 11 Nov 2005, 26093 posts, Texas, USA)
Posted: Tue Sep 15, 2009 5:23 pm
hsyeow wrote:
    Will try SSL trace as suggested by fjb_saper. I doubt I know how to read the trace log.
Look upon it as a training experience and do not despair. It's not deliberately cryptic and complex; it just looks it.....
Honesty is the best policy.
Insanity is the best defence.
zhanghz (Disciple, joined 17 Jun 2008, 186 posts)
Posted: Tue Sep 15, 2009 5:59 pm
If you are not on z/OS, make sure the qmgr's cert has the label in the format "ibmwebspheremq<qmgr>", ALL IN SMALL LETTERS.
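The checklist exerk posted earlier (create and exchange self-signed certificates, point SSLKEYR at the stem rather than the .kdb file, refresh security) and the lower-case label rule zhanghz gives just above, as an added shell example that is not from any poster in this thread. It assumes the UNIX side of the pairing: a key repository at <stem>.kdb with its stash file <stem>.sth beside it, gsk7cmd and runmqsc on the PATH, and a queue manager certificate labelled ibmwebspheremq<qmgr name in lower case>. The queue manager names, paths, password and DN are placeholders, the gsk7cmd -cert -list output it checks is constructed inline, and the gsk7cmd/runmqsc command lines are printed rather than executed because they need a live MQ 6.0 installation.

```shell
#!/bin/sh
# Added example (not from the thread): pre-flight checks for a queue-manager-to-
# queue-manager SSL setup on MQ 6.0 / UNIX, plus the command sequence the checklist
# describes. Assumptions: key repository <stem>.kdb with stash file <stem>.sth;
# own certificate label ibmwebspheremq<qmgr in lower case> (Windows/UNIX rule, not z/OS).

# Label MQ (non-z/OS) expects for the queue manager's own certificate.
mq_cert_label() {
    printf 'ibmwebspheremq%s\n' "$(printf '%s' "$1" | tr 'A-Z' 'a-z')"
}

# Validate an SSLKEYR value: it must be the stem (no .kdb suffix), and both
# <stem>.kdb and <stem>.sth must exist so the queue manager can open the repository.
check_sslkeyr() {
    stem=$1
    case "$stem" in
        *.kdb) echo "SSLKEYR must be the stem, not '$stem': drop the .kdb"; return 1 ;;
    esac
    [ -f "$stem.kdb" ] || { echo "missing key database $stem.kdb"; return 1; }
    [ -f "$stem.sth" ] || { echo "missing stash file $stem.sth (create the kdb with -stash)"; return 1; }
    echo "SSLKEYR '$stem' ok"
}

# Read a "gsk7cmd -cert -list" style listing (one label per line, possibly indented)
# from stdin and confirm the own label ($1 = qmgr) and the peer's label ($2) are present.
# The own label must match exactly, so a mixed-case label such as ibmWebSphereMQQM1 fails.
check_labels() {
    qm=$1; peer=$2
    want=$(mq_cert_label "$qm")
    listing=$(sed 's/^[[:space:]]*//')
    printf '%s\n' "$listing" | grep -qx "$want" || { echo "no certificate labelled '$want' (label must be all lower case)"; return 1; }
    printf '%s\n' "$listing" | grep -qx "$peer" || { echo "peer certificate '$peer' not added"; return 1; }
    echo "labels ok: '$want' and '$peer' present"
}

# Print (do not run) the gsk7cmd / runmqsc sequence for one side of the pairing:
# $1 = this qmgr, $2 = peer qmgr (its extracted cert is expected in $2.arm), $3 = stem, $4 = kdb password.
mq_ssl_commands() {
    qm=$1; peer=$2; stem=$3; pw=$4
    label=$(mq_cert_label "$qm")
    cat <<EOF
gsk7cmd -keydb -create -db $stem.kdb -pw $pw -type cms -stash
gsk7cmd -cert -create -db $stem.kdb -pw $pw -label $label -dn "CN=$qm,O=Example,C=US" -size 1024 -x509version 3 -expire 365
gsk7cmd -cert -extract -db $stem.kdb -pw $pw -label $label -target $qm.arm -format ascii
# copy $peer.arm from the other queue manager, then add it as a trusted certificate:
gsk7cmd -cert -add -db $stem.kdb -pw $pw -label $peer -file $peer.arm -format ascii
echo "ALTER QMGR SSLKEYR('$stem')" | runmqsc $qm
echo "REFRESH SECURITY TYPE(SSL)" | runmqsc $qm
EOF
}

# Demonstration on constructed data; no MQ installation is needed.
demo=$(mktemp -d)
: > "$demo/key.kdb"
: > "$demo/key.sth"
check_sslkeyr "$demo/key"                 # stem form: passes
check_sslkeyr "$demo/key.kdb" || true     # the mistake the checklist warns about
# Constructed listings: wrong-case own label first, then a correct one.
printf '%s\n' "Certificates in database $demo/key.kdb:" '   ibmWebSphereMQQM1' '   QM2' | check_labels QM1 QM2 || true
printf '%s\n' "Certificates in database $demo/key.kdb:" '   ibmwebspheremqqm1' '   QM2' | check_labels QM1 QM2
mq_ssl_commands QM1 QM2 /var/mqm/qmgrs/QM1/ssl/key changeit
rm -rf "$demo"
```

Run the same script on each side with the queue manager names swapped; the Windows side uses identical gsk7cmd and runmqsc syntax from a command prompt, with the stem under the queue manager's ssl directory instead of /var/mqm.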
hsyeow (Newbie, joined 15 Sep 2009, 4 posts)
Posted: Tue Sep 15, 2009 10:14 pm
Just an update. The issue was resolved after QM2 was restarted *facepalm*
Vitor wrote: (the reply above)
I did take a look at the log; to me it does look really cryptic and complex. And the problem is I don't even know what to look for.
All in all, I did gain valuable knowledge. Thanks a lot guys.
exerk (Jedi Council, joined 02 Nov 2006, 6339 posts)
Posted: Tue Sep 15, 2009 11:18 pm
hsyeow wrote:
    Just an update. The issue was resolved after QM2 was restarted *facepalm*
As you stated you're on V6.0, I take it that a REFRESH SECURITY TYPE(SSL) didn't work, or wasn't issued?