Author |
Message
|
hopfe_de |
Posted: Tue Mar 04, 2003 6:49 am Post subject: Problems with SSL AND SVRCONN Channels |
|
|
 Acolyte
Joined: 03 Mar 2002 Posts: 58 Location: Frankfurt, Germany
|
Every time I try to connect with the MQMONNTP (Support Pack MO71) via a server-connection channel with SSL, I get this error message on the server
Code: |
Der ferne Kanal 'MQNT2.SVRCONN.SSL' gab keine CipherSpec an.
Der ferne Kanal 'MQNT2.SVRCONN.SSL' gab keine CipherSpec an, obwohl diese vom lokalen Kanal erwartet wurde. Der Kanal wurde nicht gestartet.
Ändern Sie Kanal 'MQNT2.SVRCONN.SSL' so, dass eine CipherSpecs angegeben wird und beide Kanalenden übereinstimmende CipherSpecs haben. |
and Error connecting via client to 'MQNT2' RC(2393) SSL initialisation error on my client.
thx
hopfe |
|
|
 |
kolban |
Posted: Tue Mar 04, 2003 7:11 am Post subject: |
|
|
 Grand Master
Joined: 22 May 2001 Posts: 1072 Location: Fort Worth, TX, USA
|
I are a dumb American
Can you translate the error messages to English for me?
 |
|
|
 |
hopfe_de |
Posted: Tue Mar 04, 2003 7:31 am Post subject: Translation |
|
|
 Acolyte
Joined: 03 Mar 2002 Posts: 58 Location: Frankfurt, Germany
|
Quote: |
The remote channel 'MQNT2.SVRCONN.SSL' did not indicate a CipherSpec.
The remote channel 'MQNT2.SVRCONN.SSL' did not indicate a CipherSpec, although this was expected by the local channel. The channel was not started.
Change channel 'MQNT2.SVRCONN.SSL' in such a way that a CipherSpec is indicated and both channel ends have agreeing CipherSpecs. |
I hope that helps
Last edited by hopfe_de on Wed Mar 05, 2003 12:01 am; edited 1 time in total |
|
|
 |
kolban |
Posted: Tue Mar 04, 2003 10:40 am Post subject: |
|
|
 Grand Master
Joined: 22 May 2001 Posts: 1072 Location: Fort Worth, TX, USA
|
What does the channel definition for MQNT2.SVRCONN.SSL look like?
Run runmqsc
DISPLAY CHANNEL(MQNT2.SVRCONN.SSL) CHLTYPE(SVRCONN)
and post results. |
|
|
 |
hopfe_de |
Posted: Tue Mar 04, 2003 11:40 pm Post subject: SVRCONN |
|
|
 Acolyte
Joined: 03 Mar 2002 Posts: 58 Location: Frankfurt, Germany
|
Serversystem: WinNT 4.0 SP6.0a MQSeries Queuemanager 5.3
Client: WinNT4.0 SP6.0a MQSeries Client V5.3
Output: DISPLAY CHANNEL(MQNT2.SVRCONN.SSL) CHLTYPE(SVRCONN) ALL
Code: |
AMQ8414: Details zu DISPLAY CHL werden angezeigt.
CHANNEL(MQNT2.SVRCONN.SSL) CHLTYPE(SVRCONN)
TRPTYPE(TCP) DESCR(C/S-Connection IBM-Monitor VH)
SCYEXIT( ) MAXMSGL(4194304)
SCYDATA( ) HBINT(300)
SSLCIPH(TRIPLE_DES_SHA_US) SSLCAUTH(REQUIRED)
MCAUSER( ) ALTDATE(2003-03-04)
ALTTIME(12.09.14) SSLPEER()
SENDEXIT( )
RCVEXIT( )
SENDDATA( )
RCVDATA( )
|
Output Qmgr: amqmcert -l -m MQNT2
Code: |
'CURRENT_USER' wird für Standardsystemspeicher verwendet.
Liste der Zertifikatsspeicher:
WebSphere MQ-Speicher (MQNT2):
------------------------------
00001: GlobalSign Root CA, GlobalSign Root CA
00002: GlobalSign Class 1 CA, GlobalSign Primary Class 1 CA
00003: * myadrr@amb-informatik.de, GlobalSign Class 1 CA
00004: GlobalSign Primary Class 1 CA, GlobalSign Root CA
00005: GlobalSign Root CA, Root SGC Authority
Zugeordnetes Zertifikat des WebSphere MQ-WS-Managers (MQNT2):
Name: myaddr@amb-informatik.de
CA: GlobalSign Class 1 CA
|
Output Client amqmcert -l
Code: |
'CURRENT_USER' wird für Standardsystemspeicher verwendet.
Zugeordnetes MQ-Clientzertifikat:
Name: myaddr@amb-informatik.de
CA: GlobalSign Class 1 CA
Liste der Zertifikatsspeicher:
WebSphere MQ-Clientspeicher (D:\Daten\cert\all_usr):
----------------------------------------------------
02001: GlobalSign Root CA, Root SGC Authority
02002: GlobalSign Class 1 CA, GlobalSign Primary Class 1 CA
02003: GlobalSign Root CA, GlobalSign Root CA
02004: * myadrr@amb-informatik.de, GlobalSign Class 1 CA
02005: GlobalSign Primary Class 1 CA, GlobalSign Root CA |
|
|
|
 |
kolban |
Posted: Wed Mar 05, 2003 6:39 am Post subject: |
|
|
 Grand Master
Joined: 22 May 2001 Posts: 1072 Location: Fort Worth, TX, USA
|
That was an excellent posting. I loved the way you took the time to lay it out. Just perfect.
Looking at the information, I believe the problem is that your MQ Client does not have associated with it a CipherSpec that it should send to the MQServer.
You must have an MQSeries AMQCHLTAB.DAT file containing a correctly configured CLNTCONN definition with the attributes needed for connection.
Can you confirm that you have a CLNTCONN channel definition on the client machine? Can you also post a dump of the MQ environment variables in effect at the client when the client application is executed? |
|
|
 |
hopfe_de |
Posted: Wed Mar 05, 2003 10:24 am Post subject: Environment |
|
|
 Acolyte
Joined: 03 Mar 2002 Posts: 58 Location: Frankfurt, Germany
|
Output SET (environment variables):
Code: |
LOGONSERVER=\\B04F3E
MQCHLLIB=D:\Daten
MQCHLTAB=AMQCLCHL.TAB
MQSSLKEYR=D:\Daten\cert\all_usr
MQ_JAVA_DATA_PATH=D:\PROG\MQSeries
MQ_JAVA_INSTALL_PATH=D:\PROG\MQSeries\Java
NET_USE=c:\winnt\system32\net use |
My Clientconnection Table: D:\Daten\Amqclchl.tab
Output: DISPLAY CHANNEL(MQNT2.SVRCONN.SSL) CHLTYPE(CLNTCONN) ALL
Code: |
AMQ8414: Details zu DISPLAY CHL werden angezeigt.
CHANNEL(MQNT2.SVRCONN.SSL) CHLTYPE(CLNTCONN)
TRPTYPE(TCP) DESCR( )
QMNAME(MQNT2) MODENAME( )
TPNAME( ) SCYEXIT( )
MAXMSGL(4194304) SCYDATA( )
USERID( ) PASSWORD( )
CONNAME(b0163f(1414)) HBINT(300)
SSLCIPH(TRIPLE_DES_SHA_US) LOCLADDR( )
ALTDATE(2003-03-05) ALTTIME(16.42.04)
SSLPEER()
SENDEXIT( )
RCVEXIT( )
SENDDATA( )
RCVDATA( )
|
|
|
|
 |
kolban |
Posted: Wed Mar 05, 2003 11:04 am Post subject: |
|
|
 Grand Master
Joined: 22 May 2001 Posts: 1072 Location: Fort Worth, TX, USA
|
Okay ... another guess ...
the cipher spec ... TRIPLE_DES_SHA_US
Isn't that US only and not for export? Do you (as a European install) have the ability to use that cipher? |
|
|
 |
hopfe_de |
Posted: Thu Mar 06, 2003 12:38 am Post subject: Cipher |
|
|
 Acolyte
Joined: 03 Mar 2002 Posts: 58 Location: Frankfurt, Germany
|
The cipher spec isn't the problem; I also tried NULL_MD5, RC_MD5_EXPORT and RC4_56_SHA_EXPORT1024 with the same result.
How can I check if the Clientconn-Table is correctly used?
Kolban, have you ever tried to use SSL with MQMONNTP (Support Pack MO71)? |
|
|
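Added example (not part of the original posts, and not IBM's or MO71's code): one way to answer the question above, reporting which source a C MQI client that calls plain MQCONN takes its channel definition from, using the variables shown in the SET output. The function name `client_channel_source` and the injected `file_exists` callable are hypothetical; an application that supplies its own channel definition through MQCONNX bypasses these variables entirely.

```python
import ntpath

# Hypothetical helper for illustration; not part of WebSphere MQ or MO71.
DEFAULT_TABLE = "AMQCLCHL.TAB"  # default client channel table file name

def client_channel_source(env, file_exists):
    """Return (source, findings) for a client that connects with MQCONN.

    env         -- mapping of environment variables (e.g. os.environ)
    file_exists -- callable(path) -> bool, injected so the check is testable
    """
    findings = []
    if env.get("MQSERVER"):
        # MQSERVER takes precedence over the channel table and has no SSL
        # fields, so the SVRCONN end would receive no CipherSpec.
        findings.append("MQSERVER is set: channel table is ignored and "
                        "no SSLCIPH can be sent")
        return "MQSERVER", findings
    lib = env.get("MQCHLLIB")
    tab = env.get("MQCHLTAB", DEFAULT_TABLE)
    if not lib:
        findings.append("MQCHLLIB not set: client uses its default location")
        return "default", findings
    path = ntpath.join(lib, tab)  # Windows path rules, as on the client here
    if not file_exists(path):
        findings.append("channel table not found: " + path)
        return "missing", findings
    if not env.get("MQSSLKEYR"):
        findings.append("MQSSLKEYR not set: no client key repository named")
    return path, findings

# Constructed sample: the MQ variables from the SET output in the thread.
SAMPLE_ENV = {
    "MQCHLLIB": r"D:\Daten",
    "MQCHLTAB": "AMQCLCHL.TAB",
    "MQSSLKEYR": r"D:\Daten\cert\all_usr",
}

if __name__ == "__main__":
    # Windows file names are case-insensitive, so compare in lower case.
    present = lambda p: p.lower() == r"d:\daten\amqclchl.tab"
    print(client_channel_source(SAMPLE_ENV, present))
    with_server = dict(SAMPLE_ENV, MQSERVER="MQNT2.SVRCONN.SSL/TCP/b0163f(1414)")
    print(client_channel_source(with_server, present))
```

On the real client, call it with `os.environ` and `os.path.isfile`.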
 |
hopfe_de |
Posted: Thu Mar 06, 2003 5:17 am Post subject: SSL-Certificate |
|
|
 Acolyte
Joined: 03 Mar 2002 Posts: 58 Location: Frankfurt, Germany
|
Running this small Java program
Code: |
import com.ibm.mq.*;

// Minimal connectivity test: connect to the queue manager over the SSL channel, then disconnect.
public class SSLTest {
    private String qManager = "MQNT2";
    private MQQueueManager qMgr;

    public SSLTest() {
        try {
            // Client connection settings (host, SVRCONN channel name, listener port)
            MQEnvironment.hostname = "b0163f";
            MQEnvironment.channel = "MQNT2.SVRCONN.SSL";
            MQEnvironment.port = 1414;
            // JSSE CipherSuite matching the channel's SSLCIPH(TRIPLE_DES_SHA_US)
            MQEnvironment.sslCipherSuite = "SSL_RSA_WITH_3DES_EDE_CBC_SHA";
            MQEnvironment.sslPeerName = "MQNT2";
            qMgr = new MQQueueManager(qManager);
            qMgr.disconnect();
        } catch (MQException ex) {
            // Print the MQ completion/reason codes and the underlying SSL exception
            System.out.println("MQSeries Fehler CC: " + ex.completionCode + " RC: " + ex.reasonCode);
            System.out.println("SSL Error: " + ex.getCause());
        }
    }

    public static void main(String[] args) {
        new SSLTest();
    }
}
|
I got this error message:
Quote: |
MQJE001: MQException aufgetreten: Beendigungscode 2, Ursache 2397
MQJE056: Fehler bei Anfangsfestlegung
MQJE001: Beendigungscode 2, Ursache 2397
MQSeries Fehler CC: 2 RC: 2397
SSL Error: javax.net.ssl.SSLHandshakeException: Could not find trusted certificate |
How can I use SSL with a test certificate which I have created with makecert? |
|
|
 |
hopfe_de |
Posted: Mon Mar 10, 2003 1:09 am Post subject: Error |
|
|
 Acolyte
Joined: 03 Mar 2002 Posts: 58 Location: Frankfurt, Germany
|
After I changed my certificates, I get this error:
Quote: |
MQJE001: MQException aufgetreten: Beendigungscode 2, Ursache 2397
MQJE056: Fehler bei Anfangsfestlegung
MQJE001: Beendigungscode 2, Ursache 2397
MQSeries Fehler CC: 2 RC: 2397
SSL Error: javax.net.ssl.SSLException: error while writing to socket |
|
|
|
 |
|