ASG
IBM
Zystems
Cressida
Icon
Netflexity
 
  MQSeries.net
Search  Search       Tech Exchange      Education      Certifications      Library      Info Center      SupportPacs      LinkedIn  Search  Search                                                                   FAQ  FAQ   Usergroups  Usergroups
 
Register  ::  Log in Log in to check your private messages
 
RSS Feed - WebSphere MQ Support RSS Feed - Message Broker Support

MQSeries.net Forum Index » IBM MQ Security » mqrc 2393

Post new topic  Reply to topic Goto page 1, 2  Next
 mqrc 2393 « View previous topic :: View next topic » 
Author Message
shashivarungupta
PostPosted: Wed Oct 20, 2010 7:28 am    Post subject: mqrc 2393 Reply with quote

Grand Master

Joined: 24 Feb 2009
Posts: 1343
Location: Floating in space on a round rock.

Hi All,

I have got an issue, that the client is facing !
He's getting mqrc 2393 whenever they are trying to connect the qmgr say 'TEST' using amqscnxc

command is correct with the flags.
SSL cert is fine, because the same cert is being used by other applications to connect to the same qmgr.
SSL Values on channel, SVRCONN and Client Conn are fine.

Could you please suggest where could be the problem.

Code:
display channel(A)
     1 : display channel(A)
AMQ8414: Display Channel details.
   CHANNEL(A)                 CHLTYPE(SVRCONN)
   ALTDATE(2010-07-28)                     ALTTIME(18.05.49)
   COMPHDR(NONE)                           COMPMSG(NONE)
   DESCR( )                                HBINT(300)
   KAINT(AUTO)                             MAXMSGL(4194304)
   MCAUSER( )                              MONCHL(QMGR)
   RCVDATA( )                              RCVEXIT( )
   SCYDATA( )                              SCYEXIT( )
   SENDDATA( )                             SENDEXIT( )
   SSLCAUTH(OPTIONAL)                      SSLCIPH(TRIPLE_DES_SHA_US)
   SSLPEER( )                              TRPTYPE(TCP)
AMQ8414: Display Channel details.
   CHANNEL(A)                 CHLTYPE(CLNTCONN)
   ALTDATE(2010-10-20)                     ALTTIME(09.55.35)
   COMPHDR(NONE)                           COMPMSG(NONE)
   CONNAME(a.b.c.d(1414))              DESCR( )
   HBINT(300)                              KAINT(AUTO)
   LOCLADDR( )                             MAXMSGL(4194304)
   MODENAME( )                             PASSWORD( )
   QMNAME(TEST)                         RCVDATA( )
   RCVEXIT( )                              SCYDATA( )
   SCYEXIT( )                              SENDDATA( )
   SENDEXIT( )                             SSLCIPH(TRIPLE_DES_SHA_US)
   SSLPEER( )                              TPNAME( )
   TRPTYPE(TCP)                            USERID( )


----- amqrmrsa.c : 487 --------------------------------------------------------
10/20/10 10:51:49 - Process(434388.1969) User(mqm) Program(amqrmppa)
AMQ9639: Remote channel 'A' did not specify a CipherSpec.

EXPLANATION:
Remote channel 'A' did not specify a CipherSpec when the local
channel expected one to be specified. The channel did not start.
ACTION:
Change the remote channel 'A' to specify a CipherSpec so that both
ends of the channel have matching CipherSpecs.
----- amqcccxa.c : 2498 -------------------------------------------------------
10/20/10 10:51:49 - Process(434388.1969) User(mqm) Program(amqrmppa)
AMQ9999: Channel program ended abnormally.

EXPLANATION:
Channel program 'A' ended abnormally.
ACTION:
Look at previous error messages for channel program 'A' in the
error files to determine the cause of the failure.


Server having mq version as
Name: WebSphere MQ
Version: 6.0.2.8
CMVC level: p600-208-090930
BuildType: IKAP - (Production)
_________________
*Life will beat you down, you need to decide to fight back or leave it.


Last edited by shashivarungupta on Wed Oct 20, 2010 12:00 pm; edited 1 time in total
Back to top
View user's profile Send private message Send e-mail
exerk
PostPosted: Wed Oct 20, 2010 10:47 am    Post subject: Reply with quote

Jedi Council

Joined: 02 Nov 2006
Posts: 6339

Try actually reading what the log is telling you, because it's crystal clear to me why it's not working...
_________________
It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys.
Back to top
View user's profile Send private message
shashivarungupta
PostPosted: Wed Oct 20, 2010 11:45 am    Post subject: Reply with quote

Grand Master

Joined: 24 Feb 2009
Posts: 1343
Location: Floating in space on a round rock.

exerk wrote:
Try actually reading what the log is telling you, because it's crystal clear to me why it's not working...


2393 0x00000959 MQRC_SSL_INITIALIZATION_ERROR

from the error log "..Remote channel 'A' did not specify a CipherSpec when the local channel expected one to be specified..."
and you can see on 'A' channels, cipher is mentioned !
Remote Channel 'A', I think its talking abt the server conn channel i.e. remote to client application.

_________________
*Life will beat you down, you need to decide to fight back or leave it.
Back to top
View user's profile Send private message Send e-mail
fjb_saper
PostPosted: Wed Oct 20, 2010 12:20 pm    Post subject: Reply with quote

Grand High Poobah

Joined: 18 Nov 2003
Posts: 20696
Location: LI,NY

Review your SSL manual. Obviously you do have the cipherspec on both ends of the channel... but still something is wrong and missing. If you make no headway open a PMR.
_________________
MQ & Broker admin
Back to top
View user's profile Send private message Send e-mail
exerk
PostPosted: Wed Oct 20, 2010 12:21 pm    Post subject: Reply with quote

Jedi Council

Joined: 02 Nov 2006
Posts: 6339

Switch on and think!

Your log states:

Quote:
AMQ9639: Remote channel 'A' did not specify a CipherSpec.


The parameters for amqscnxc are:

Quote:
amqscnxc [-x ConnName [-c SvrconnChannelName]] [QMgrName]

_________________
It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys.
Back to top
View user's profile Send private message
fjb_saper
PostPosted: Wed Oct 20, 2010 12:24 pm    Post subject: Reply with quote

Grand High Poobah

Joined: 18 Nov 2003
Posts: 20696
Location: LI,NY

exerk wrote:
Switch on and think!

Your log states:

Quote:
AMQ9639: Remote channel 'A' did not specify a CipherSpec.


The parameters for amqscnxc are:

Quote:
amqscnxc [-x ConnName [-c SvrconnChannelName]] [QMgrName]


I sure hope they use a channel table to test amqscnxc. Otherwise the result is as expected!
_________________
MQ & Broker admin
Back to top
View user's profile Send private message Send e-mail
exerk
PostPosted: Wed Oct 20, 2010 12:48 pm    Post subject: Reply with quote

Jedi Council

Joined: 02 Nov 2006
Posts: 6339

fjb_saper wrote:
...I sure hope they use a channel table to test amqscnxc. Otherwise the result is as expected!


Why do I get the feeling that is not the case?
_________________
It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys.
Back to top
View user's profile Send private message
shashivarungupta
PostPosted: Thu Oct 21, 2010 2:13 am    Post subject: Reply with quote

Grand Master

Joined: 24 Feb 2009
Posts: 1343
Location: Floating in space on a round rock.

exerk wrote:

The parameters for amqscnxc are:

Quote:
amqscnxc [-x ConnName [-c SvrconnChannelName]] [QMgrName]

Yes.. I did consult the link given (but thanks exerk):
http://publib.boulder.ibm.com/infocenter/wmqv7/v7r0/index.jsp?topic=/com.ibm.mq.csqzal.doc/fg17940_.htm
and they tried connecting over the server conn channel that I gave them for just testing purpose, without ssl. and they successfully got the connection.

fjb_saper wrote:
..I sure hope they use a channel table to test

Yes, for their application I have provided them the CDT and that looks good to me. ( because the channel definitions that I've given above are looking good )
I have also provided them the self signed cert so that they can place it in their db. ( that cert is also being used by other apps. and its working fine for them that means cert is good too ).
But just for the testing they were using 'amqscnxc' from command prompt as their attempt of connection over qmgr TEST was not successful.

_________________
*Life will beat you down, you need to decide to fight back or leave it.
Back to top
View user's profile Send private message Send e-mail
shashivarungupta
PostPosted: Thu Oct 21, 2010 2:19 am    Post subject: Reply with quote

Grand Master

Joined: 24 Feb 2009
Posts: 1343
Location: Floating in space on a round rock.

exerk wrote:

Your log states:
Quote:
AMQ9639: Remote channel 'A' did not specify a CipherSpec.


Yes , when I did see this note in error logs then I checked multiple times and even recreated the server conn and client conn channels with ssl on them and provided the new CDT to them.
(Before doing this I deleted the server conn. channel and client conn definition from table successfully).
_________________
*Life will beat you down, you need to decide to fight back or leave it.
Back to top
View user's profile Send private message Send e-mail
exerk
PostPosted: Thu Oct 21, 2010 4:33 am    Post subject: Reply with quote

Jedi Council

Joined: 02 Nov 2006
Posts: 6339

So your application people just specified amqscnxc * (where * is the queue manager name) ?
_________________
It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys.
Back to top
View user's profile Send private message
shashivarungupta
PostPosted: Thu Oct 21, 2010 7:20 am    Post subject: Reply with quote

Grand Master

Joined: 24 Feb 2009
Posts: 1343
Location: Floating in space on a round rock.

exerk wrote:
So your application people just specified amqscnxc * (where * is the queue manager name) ?


Nope.. for testing on the simple channel which does not have ssl on it.. for that they specified as :
amqscnxc -x a.b.c.d -c TEST.SVRCONN TEST
where TEST is the name of the qmgr
TEST.SVRCONN is the server connection channel.

And using this command, they got the connection over TEST., without error.

BUT what they are doing on Application program, they know better !
What I know is/are, they have specified the env. variables on windows, for the location of cert, mq env. variables , they have also created the key.jks/.kdb where they are put in that cert and specified the location in env. variables, set the env. variables for .tab file and its path.
_________________
*Life will beat you down, you need to decide to fight back or leave it.
Back to top
View user's profile Send private message Send e-mail
exerk
PostPosted: Thu Oct 21, 2010 8:25 am    Post subject: Reply with quote

Jedi Council

Joined: 02 Nov 2006
Posts: 6339

shashivarungupta wrote:
exerk wrote:
So your application people just specified amqscnxc * (where * is the queue manager name) ?


Nope.. for testing on the simple channel which does not have ssl on it.. for that they specified as :
amqscnxc -x a.b.c.d -c TEST.SVRCONN TEST
where TEST is the name of the qmgr
TEST.SVRCONN is the server connection channel.

And using this command, they got the connection over TEST., without error.

BUT what they are doing on Application program, they know better !
What I know is/are, they have specified the env. variables on windows, for the location of cert, mq env. variables , they have also created the key.jks/.kdb where they are put in that cert and specified the location in env. variables, set the env. variables for .tab file and its path.


So the chances are they just repeated the command, or maybe put amqscnxc -x a.b.c.d -c A TEST, and got the result you have. If no one with knowledge told them not to do it, do you think they were aware of the difference
_________________
It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys.
Back to top
View user's profile Send private message
shashivarungupta
PostPosted: Thu Oct 21, 2010 9:45 am    Post subject: Reply with quote

Grand Master

Joined: 24 Feb 2009
Posts: 1343
Location: Floating in space on a round rock.

exerk wrote:
shashivarungupta wrote:
exerk wrote:
So your application people just specified amqscnxc * (where * is the queue manager name) ?


Nope.. for testing on the simple channel which does not have ssl on it.. for that they specified as :
amqscnxc -x a.b.c.d -c TEST.SVRCONN TEST
where TEST is the name of the qmgr
TEST.SVRCONN is the server connection channel.

And using this command, they got the connection over TEST., without error.

BUT what they are doing on Application program, they know better !
What I know is/are, they have specified the env. variables on windows, for the location of cert, mq env. variables , they have also created the key.jks/.kdb where they are put in that cert and specified the location in env. variables, set the env. variables for .tab file and its path.


So the chances are they just repeated the command, or maybe put amqscnxc -x a.b.c.d -c A TEST, and got the result you have. If no one with knowledge told them not to do it, do you think they were aware of the difference


hmm...yes chances are there but one of'em said that they used that command for TEST.SVRCONN .
And I'm sure that they are not much aware about the amqscnxc and that's why I have also provided them above link for that command. And I believe they would get the diff. that it is directly calling connection request over qmgr using server conn. instead of client conn channel/tab file and diff. of ssl between 'A' and 'TEST.SVRCONN' is there too.
_________________
*Life will beat you down, you need to decide to fight back or leave it.
Back to top
View user's profile Send private message Send e-mail
exerk
PostPosted: Thu Oct 21, 2010 9:50 am    Post subject: Reply with quote

Jedi Council

Joined: 02 Nov 2006
Posts: 6339

So get them to try amqscnxc TEST and see what happens...
_________________
It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys.
Back to top
View user's profile Send private message
shashivarungupta
PostPosted: Thu Oct 21, 2010 10:49 am    Post subject: Reply with quote

Grand Master

Joined: 24 Feb 2009
Posts: 1343
Location: Floating in space on a round rock.

exerk wrote:
So get them to try amqscnxc TEST and see what happens...

Yes...I've asked them but let see what they give now...
Thanks exerk.
_________________
*Life will beat you down, you need to decide to fight back or leave it.
Back to top
View user's profile Send private message Send e-mail
Display posts from previous:   
Post new topic  Reply to topic Goto page 1, 2  Next Page 1 of 2

MQSeries.net Forum Index » IBM MQ Security » mqrc 2393
Jump to:  



You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
Protected by Anti-Spam ACP
 
 


Theme by Dustin Baccetti
Powered by phpBB © 2001, 2002 phpBB Group

Copyright © MQSeries.net. All rights reserved.