bcostacurta |
Posted: Wed Dec 30, 2009 1:47 am Post subject: AMQ9639: Remote channel did not specify a CipherSpec |
|
|
Acolyte
Joined: 10 Dec 2009 Posts: 71 Location: Luxembourg
|
Hello,
I have a problem setting up a client connection using SSL.
I configured both channel SVRCONN and CLNTCONN (with same name as required in the MQSeries client doc), and I exported the AMQCLCHL.tab file (which should contain channel definitions and related cipher specification) to the client (platform Windows XP).
However there is an error when connecting to the MQSeries server (platform is Solaris):
...
12/30/09 9:56:40 AM - Process(18033.6718) User(mqm) Program(amqrmppa)
AMQ9639: Remote channel 'ADMIN.TEST.SSL' did not specify a CipherSpec.
EXPLANATION:
Remote channel 'ADMIN.TEST.SSL' did not specify a CipherSpec when the local
channel expected one to be specified. The channel did not start.
ACTION:
Change the remote channel 'ADMIN.TEST.SSL' to specify a CipherSpec so that both
ends of the channel have matching CipherSpecs.
...
The channels definitions are :
display chl(ADMIN.TEST.SSL) chltype sslcauth sslciph sslpeer conname qmname trptype
AMQ8414: Display Channel details.
CHANNEL(ADMIN.TEST.SSL) CHLTYPE(SVRCONN)
SSLCAUTH(OPTIONAL) SSLCIPH(TRIPLE_DES_SHA_US)
SSLPEER(CN=MQ*) TRPTYPE(TCP)
AMQ8414: Display Channel details.
CHANNEL(ADMIN.TEST.SSL) CHLTYPE(CLNTCONN)
CONNAME(SQDE(1454)) QMNAME(SQDE)
SSLCIPH(TRIPLE_DES_SHA_US) SSLPEER(CN=MQ*)
TRPTYPE(TCP)
Note : the keyring on the MQSeries server was set up via the gsk7cmd command. It contains the CA certificate and the private certificate, which is labelled 'ibmwebspheremqsqde' as required by MQSeries to identify the private key to be used for encryption (authentication is not required for this client connection).
On the client side Windows XP :
SET MQCHLLIB=d:\documents\projects\ssl
SET MQCHLTAB=AMQCLCHL.TAB
amqscnxc -x SQDE(1454) -c ADMIN.TEST.SSL SQDE
The AMQCLCHL.TAB is present in the defined directory; it was transferred using the binary FTP mode and should contain the channel definitions and related cipher specifications.
Note : amqscnxc is the program delivered with MQSeries via the tools sample binaries.
The client test ends with :
amqscnxc -x SQDE(1454) -c ADMIN.TEST.SSL SQDE
Sample AMQSCNXC start
Connecting to queue manager SQDE
using the server connection channel ADMIN.TEST.SSL
on connection name SQDE(1454).
MQCONNX ended with reason code 2393
I have the feeling the AMQCLCHL.tab is not found, but the environment variable definition for AMQCLCHL.TAB looks correct to me (I'm not a Windows expert). Or is it possible that the client is not 'cipher enabled' ?
Any idea or clue ?
Thanks for attention.
Bye,
Bruno |
|
exerk |
Posted: Wed Dec 30, 2009 5:39 am Post subject: |
|
|
 Jedi Council
Joined: 02 Nov 2006 Posts: 6339
|
What about the keyring and personal certificate for the client end?
And try using the simple amqsputc sample as you are using the MQCONNX sample and there are differences, i.e. you are not using the CCDT, which is why you are getting a cipher spec error. Look in the appropriate manual for what can/should be specified in the MQCONNX call
_________________
It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys. |
|
PeterPotkay |
Posted: Wed Dec 30, 2009 5:48 am Post subject: |
|
|
 Poobah
Joined: 15 May 2001 Posts: 7722
|
You can use amqscnxc, but don't specify any flags if you want it to look for MQSERVER or MQCHLTAB/MQCHLLIB. As soon as you add -x and -c you are telling it you are providing the connection info and so it never looks for the info anywhere else.
_________________
Peter Potkay
Keep Calm and MQ On |
|
bcostacurta |
Posted: Thu Dec 31, 2009 12:58 am Post subject: |
|
|
Acolyte
Joined: 10 Dec 2009 Posts: 71 Location: Luxembourg
|
Thanks for info.
So I tried :
SET MQCHLLIB=d:\documents\projects\ssl
SET MQCHLTAB=AMQCLCHL.TAB
SET MQSSLKEYR=D:\documents\projects\ssl\keyring
amqscnxc SQDE
(note: where SQDE is the MQSeries server to be contacted)
and receive error 2381 MQRC_KEY_REPOSITORY_ERROR
Obviously the keyring setup on the client side is incorrect.
I created it with the keytool, however its keyring file format is .jks but I think (correct me if I'm wrong) that MQSSLKEYR is expecting a .kdb format
(the required extension .kdb is correctly not indicated in the MQSSLKEYR var.environment definition).
Questions :
- is .jks compliant with .kdb ?
- which tools to create a keyring .kdb format under Windows XP ?
Thanks for the clue.
Bye,
Bruno |
|
Michael Dag |
Posted: Thu Dec 31, 2009 1:55 am Post subject: |
|
|
 Jedi Knight
Joined: 13 Jun 2002 Posts: 2607 Location: The Netherlands (Amsterdam)
|
jks is not the same as kdb, just different format
jks is for java apps
kdb is for c apps
for both you can use the gskit to create the stores on windows
(see gsk7ikm.exe for example)
_________________
Michael
MQSystems Facebook page |
|
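An added example, not part of any post in this thread and not IBM's code: a Python preflight for the client-side conditions raised in the replies above (command-line flags bypassing the CCDT, and MQSSLKEYR pointing at a .jks store instead of a .kdb one). The function name `preflight`, its finding codes and the sample file set are hypothetical and constructed for illustration.

```python
import ntpath  # Windows path rules, so the check also runs on a non-Windows host

def preflight(argv, env, exists):
    """Return finding codes for one MQ C-client SSL connection attempt.

    argv: sample command line; env: client environment as a dict;
    exists: callable(path) -> bool (os.path.exists on a real client).
    """
    findings = []
    # amqscnxc with -x / -c supplies the connection itself, so the CCDT and the
    # SSLCIPH in its CLNTCONN definition are never read (AMQ9639 / 2393 above).
    is_cnx = ntpath.basename(argv[0]).lower().startswith("amqscnxc")
    if is_cnx and any(a in ("-x", "-c") for a in argv[1:]):
        findings.append("CCDT_BYPASSED_NO_CIPHERSPEC")
    else:
        lib, tab = env.get("MQCHLLIB"), env.get("MQCHLTAB")
        if not lib or not tab:
            findings.append("CCDT_NOT_CONFIGURED")
        elif not exists(ntpath.join(lib, tab)):
            findings.append("CCDT_FILE_MISSING")

    keyr = env.get("MQSSLKEYR")
    if not keyr:
        findings.append("MQSSLKEYR_NOT_SET")
        return findings
    stem, ext = ntpath.splitext(keyr)
    if ext.lower() in (".kdb", ".jks"):
        # MQSSLKEYR names the key database without its .kdb extension.
        findings.append("MQSSLKEYR_HAS_EXTENSION")
    else:
        stem = keyr
    if not exists(stem + ".kdb"):
        # A keytool-built .jks is the Java format; the C client needs a .kdb
        # (the thread reports 2381 MQRC_KEY_REPOSITORY_ERROR in this case).
        findings.append("JKS_INSTEAD_OF_KDB" if exists(stem + ".jks")
                        else "KDB_MISSING")
    return findings

# Constructed sample file system mirroring the paths used in the thread.
SAMPLE_FILES = {p.lower() for p in (
    r"d:\documents\projects\ssl\AMQCLCHL.TAB",
    r"d:\documents\projects\ssl\keyring.jks",
    r"d:\documents\projects\ssl\test.kdb",
)}

def sample_exists(path):
    return path.lower() in SAMPLE_FILES  # Windows paths are case-insensitive

if __name__ == "__main__":
    env = {"MQCHLLIB": r"d:\documents\projects\ssl", "MQCHLTAB": "AMQCLCHL.TAB",
           "MQSSLKEYR": r"D:\documents\projects\ssl\keyring"}
    print(preflight(["amqscnxc", "SQDE"], env, sample_exists))
```

On a real client, pass `dict(os.environ)` and `os.path.exists` instead of the constructed sample values.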
bcostacurta |
Posted: Thu Dec 31, 2009 6:48 am Post subject: Resolved (or seems to be...) (was: AMQ9639) |
|
|
Acolyte
Joined: 10 Dec 2009 Posts: 71 Location: Luxembourg
|
Thanks for help.
It seems to be resolved.
I created the keyring on the client side using gsk7capicmd (from gskit installation).
In fact the commands used are the same as the ones used on the server side except that the private certificate key is *not* imported on the client side.
So I tested :
SET MQCHLLIB=d:\documents\projects\ssl
SET MQCHLTAB=AMQCLCHL.TAB
SET MQSSLKEYR=D:\documents\projects\ssl\test
amqscnxc SQDE
D:\documents\projects\ssl>amqsputc SQDE
Sample AMQSPUT0 start
MQCONN ended with reason code 2059
D:\documents\projects\ssl>amqscnxc SQDE
Sample AMQSCNXC start
Connecting to queue manager SQDE
with no client connection information specified.
Connection established to queue manager SQDE
Sample AMQSCNXC end
---> no error code.
But, from there, can I consider the SSL setup client / server is correct ?
Is there any available application to send a message from a client using a SSL channel svrconn + clntconn setup ?
* Note : if I define a SSLPEER value I got an error :
2393 MQRC_SSL_INITIALIZATION_ERROR.
I probably have some confusion with the correct DN item and value to be used. However the SSLPEER is an optional value.
* Attention to Exerk : the amqsputc application seems not to be mqconnx compatible for client side usage.
Again thanks for attention
Bye,
Bruno |
|
bruce2359 |
Posted: Thu Dec 31, 2009 7:24 am Post subject: |
|
|
 Poobah
Joined: 05 Jan 2008 Posts: 9469 Location: US: west coast, almost. Otherwise, enroute.
|
|
exerk |
Posted: Thu Dec 31, 2009 10:54 am Post subject: Re: Resolved (or seems to be...) (was: AMQ9639) |
|
|
 Jedi Council
Joined: 02 Nov 2006 Posts: 6339
|
bcostacurta wrote: |
* Attention to Exerk : the amqsputc application seems not to be mqconnx compatible for client side usage. |
It's just a client application, and if the syntax is correct it will work; try it again with the correct syntax.
_________________
It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys. |
|
bcostacurta |
Posted: Mon Jan 04, 2010 5:41 am Post subject: |
|
|
Acolyte
Joined: 10 Dec 2009 Posts: 71 Location: Luxembourg
|
Hello Exerk,
amqscnxc is fine but amqsput returns an error about a missing MQM.dll.
Resolved : I switched to a Perl script and was finally able to put a message from my client using MQCONNX and related parameters like qmgr name, client channel, key repository, etc.
Anyway thanks a lot for attention and your help.
Bye,
Bruno |
|
exerk |
Posted: Mon Jan 04, 2010 5:48 am Post subject: |
|
|
 Jedi Council
Joined: 02 Nov 2006 Posts: 6339
|
bcostacurta wrote: |
Hello Exerk,
amqscnxc is fine but amqsput returns an error about a missing MQM.dll... |
I'd expect it to, but did you try amqsputc as I suggested?
_________________
It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys. |
|
bcostacurta |
Posted: Fri Jan 08, 2010 3:12 am Post subject: |
|
|
Acolyte
Joined: 10 Dec 2009 Posts: 71 Location: Luxembourg
|
Dear Exerk,
you're right 100%
amqsputc works as an mq client when used as :
SET MQCHLLIB=d:\documents\projects\ssl
SET MQCHLTAB=AMQCLCHL.TAB
SET MQSSLKEYR=D:\documents\projects\ssl\test
amqsputc TEST.BRUNO SQDE
-> OK entered messages on console were sent
Thanks a lot for your attention and sharp advice.
Bye,
Bruno |
|
|