MQSeries.net :: View topic - WebSphere MQ 6.0.2 (HPUX) SSL channel GSKitSSL error

JimmyTsai · Posted: Tue Oct 05, 2010 2:04 am Post subject:

| Host Name :- mxqas (HP-UX B.11.23) |
| PIDS :- 5724H7208 |
| LVLS :- 6.0.2.1 |
| Product Long Name :- WebSphere MQ for HP-UX (Itanium platform) |

ACTION:
None.
-------------------------------------------------------------------------------
10/05/10 11:38:25 - Process(5482.1) User(mqm) Program(runmqchl_nd)
AMQ9620: Internal error on call to SSL function on channel 'MXQAS.TO.MXDEV'.

EXPLANATION:
An error indicating a software problem was returned from a function which is
used to provide SSL support. The error code returned was '701'. The function
call was 'gsk_attribute_set_enum - GSK_NIST_DES_FIPS_DEPRECATION'. The channel
is 'MXQAS.TO.MXDEV'; in some cases its name cannot be determined and so is
shown as '????'. The channel did not start.
ACTION:
Collect the items listed in the 'Problem determination' section of the System
Administration manual and contact your IBM support center.
----- amqccisa.c : 1306 -------------------------------------------------------
10/05/10 11:38:25 - Process(5482.1) User(mqm) Program(runmqchl_nd)
AMQ9999: Channel program ended abnormally.

-------------------------------------------------------------------------------
10/05/10 11:39:25 - Process(5498.1) User(mqm) Program(runmqchl_nd)
AMQ9620: Internal error on call to SSL function on channel 'MXQAS.TO.MXDEV'.

EXPLANATION:
An error indicating a software problem was returned from a function which is
used to provide SSL support. The error code returned was '701'. The function
call was 'gsk_attribute_set_enum - GSK_NIST_DES_FIPS_DEPRECATION'. The channel
is 'MXQAS.TO.MXDEV'; in some cases its name cannot be determined and so is
shown as '????'. The channel did not start.
ACTION:
Collect the items listed in the 'Problem determination' section of the System
Administration manual and contact your IBM support center.
----- amqccisa.c : 1306 -------------------------------------------------------
10/05/10 11:39:25 - Process(5498.1) User(mqm) Program(runmqchl_nd)
AMQ9999: Channel program ended abnormally.

EXPLANATION:
Channel program 'MXQAS.TO.MXDEV' ended abnormally.
ACTION:
Look at previous error messages for channel program 'MXQAS.TO.MXDEV' in the
error files to determine the cause of the failure.
----- amqrccca.c : 773 --------------------------------------------------------
10/05/10 11:30:53 - Process(5347.1) User(mqm) Program(amqrcmla)
AMQ6175: The system could not dynamically load the shared library
'/opt/mqm/lib64/amqccgsk_r'. The system returned error message 'Unable to find
library '/usr/lib/nls/loc/hpux64/locales.1/C'.'. The queue manager will
continue without this module.

EXPLANATION:
This message applies to UNIX systems. The shared library
'/opt/mqm/lib64/amqccgsk_r' failed to load correctly due to a problem with the
library.
ACTION:
Check the file access permissions and that the file has not been corrupted.

----- amqxufnx.c : 1158 -------------------------------------------------------
10/05/10 11:30:53 - Process(5347.1) User(mqm) Program(amqrcmla)
AMQ9220: The GSKitSSL communications program could not be loaded.

EXPLANATION:
The attempt to load the GSKitSSL library or procedure 'amqccgsk_r' failed with
error code 536895861.
ACTION:
Either the library must be installed on the system or the environment changed
to allow the program to locate it.
----- amqccisa.c : 1557 -------------------------------------------------------
10/05/10 11:31:25 - Process(5350.1) User(mqm) Program(amqrcmla)
AMQ6175: The system could not dynamically load the shared library
'/opt/mqm/lib64/amqccgsk_r'. The system returned error message 'Unable to find
library '/usr/lib/nls/loc/hpux64/locales.1/C'.'. The queue manager will
continue without this module.

EXPLANATION:
This message applies to UNIX systems. The shared library
'/opt/mqm/lib64/amqccgsk_r' failed to load correctly due to a problem with the library.
ACTION:
Check the file access permissions and that the file has not been corrupted.
----- amqxufnx.c : 1158 -------------------------------------------------------
10/05/10 11:31:25 - Process(5350.1) User(mqm) Program(amqrcmla)
AMQ9220: The GSKitSSL communications program could not be loaded.

EXPLANATION:
The attempt to load the GSKitSSL library or procedure 'amqccgsk_r' failed with
error code 536895861.
ACTION:
Either the library must be installed on the system or the environment changed
to allow the program to locate it.
----- amqccisa.c : 1557 -------------------------------------------------------

Here are the script :

Create SSL client key database on mxqas
gsk7capicmd_64 -keydb -create -db "/var/mqm/qmgrs/MXQAS/ssl/MXQAS.kdb" -pw clientpass -type cms -expire 365 -stash -fips
Create SSL server key database on mxdev
gsk7capicmd_64 -keydb -create -db "/var/mqm/qmgrs/MXDEV/ssl/MXDEV.kdb" -pw serverpass -type cms -expire 365 -stash -fips
SSL client certificate setup on mxqas
gsk7capicmd_64 -cert -create -db "/var/mqm/qmgrs/MXQAS/ssl/MXQAS.kdb" -pw clientpass -label ibmwebspheremqmxqas -dn "CN=MXQAS,OU=ERPQAS,O=MXIC,L=HsinChu,ST=HsinChu,C=TW" -expire 365 -fips -sigalg sha1

gsk7capicmd_64 -cert -list -db "/var/mqm/qmgrs/MXQAS/ssl/MXQAS.kdb" -pw clientpass -fips
SSL server certificate setup on mxdev
gsk7capicmd_64 -cert -create -db "/var/mqm/qmgrs/MXDEV/ssl/MXDEV.kdb" -pw serverpass -label ibmwebspheremqmxdev -dn "CN=MXDEV,OU=ERPDEV,O=MXIC,L=HsinChu,ST=HsinChu,C=TW" -expire 365 -fips -sigalg sha1

gsk7capicmd_64 -cert -list -db "/var/mqm/qmgrs/MXDEV/ssl/MXDEV.kdb" -pw serverpass -fips
Copy the public SSL client certificate to the SSL server side
gsk7capicmd_64 -cert -extract -db "/var/mqm/qmgrs/MXQAS/ssl/MXQAS.kdb" -pw clientpass -label ibmwebspheremqmxqas -target MXQAS.crt -format ascii -fips

FTP MXQAS.crt in ASCII mode from mxqas to mxdev.

gsk7capicmd_64 -cert -add -db "/var/mqm/qmgrs/MXDEV/ssl/MXDEV.kdb" -pw serverpass -label ibmwebspheremqmxqas -file MXQAS.crt -format ascii -fips

gsk7capicmd_64 -cert -list -db "/var/mqm/qmgrs/MXDEV/ssl/MXDEV.kdb" -pw serverpass -fips
Copy the public SSL server certificate to the SSL client side
gsk7capicmd_64 -cert -extract -db "/var/mqm/qmgrs/MXDEV/ssl/MXDEV.kdb" -pw serverpass -label ibmwebspheremqmxdev -target MXDEV.crt -format ascii -fips

FTP MXDEV.crt in ASCII mode from mxdev to mxqas.

gsk7capicmd_64 -cert -add -db "/var/mqm/qmgrs/MXQAS/ssl/MXQAS.kdb" -pw clientpass -label ibmwebspheremqmxdev -file MXDEV.crt -format ascii -fips

gsk7capicmd_64 -cert -list -db "/var/mqm/qmgrs/MXQAS/ssl/MXQAS.kdb" -pw clientpass -fips
MQSC commands for SSL client side queue manager MXQAS
NOTE: The step below is optional because SSLKEYR may already be set.

ALTER QMGR SSLKEYR('/var/mqm/qmgrs/MXQAS/ssl/MXQAS')

NOTE: The step below is optional because SSLFIPS may already be set.

ALTER QMGR SSLFIPS(YES)

DEFINE CHANNEL('MXQAS.TO.MXDEV') CHLTYPE(SDR) TRPTYPE(TCP) XMITQ('MXDEV_SSL') CONNAME('mxdev(1414)') SSLCIPH(TLS_RSA_WITH_AES_128_CBC_SHA) SSLPEER('CN=MXDEV,OU=ERPDEV,O=MXIC,L=HsinChu,ST=HsinChu,C=TW') REPLACE

DEFINE QL(MXDEV_SSL) USAGE(XMITQ)
MQSC commands for SSL server side queue manager MXDEV
NOTE: The step below is optional because SSLKEYR may already be set.

ALTER QMGR SSLKEYR('/var/mqm/qmgrs/MXDEV/ssl/MXDEV')

NOTE: The step below is optional because SSLFIPS may already be set.

ALTER QMGR SSLFIPS(YES)

DEFINE CHANNEL('MXQAS.TO.MXDEV') CHLTYPE(RCVR) TRPTYPE(TCP) SSLCIPH(TLS_RSA_WITH_AES_128_CBC_SHA) SSLCAUTH(REQUIRED) SSLPEER('CN=MXQAS,OU=ERPQAS,O=MXIC,L=HsinChu,ST=HsinChu,C=TW') REPLACE
MQSC commands for both queue managers
REFRESH SECURITY TYPE(SSL)
MQSC commands for SSL client side queue manager MXQAS
START CHANNEL('MXQAS.TO.MXDEV')