smeunier
Posted: Wed Apr 20, 2011 11:10 am    Post subject: V7 Broker Explorer using SSL connection issues
Why does this have to be so difficult? What part am I missing?!
I'm trying to connect to a V7 Message Broker using the Message Broker Explorer. For starters, I'm just trying to do one-way SSL authentication. I have created a trustStore and imported the broker's QM SSL CA into the client's repository. This all went OK.
Now I'm trying to create a remote broker connection, specify the hostname, QM and port, then specify a SVRCONN channel (STEVESSL.SVRCONN) which has a CipherSpec of RC4_MD5_US specified. On the Remote Broker Connection Wizard, I specify a CipherSuite of SSL_RSA_RC4_128_MD5, identify the trustStore location and click Finish to connect. What I get is:
Code:
AMQ9639: Remote channel 'STEVESSL.SVRCONN' did not specify a CipherSpec.
EXPLANATION:
Remote channel 'STEVESSL.SVRCONN' did not specify a CipherSpec when the local
channel expected one to be specified. The channel did not start.
ACTION:
Change the remote channel 'STEVESSL.SVRCONN' to specify a CipherSpec so that
both ends of the channel have matching CipherSpecs.
I am not using client connection channels, so I did not think I would need a Channel Table, and before connection, I'm asked if I will connect using one, so there must be some intelligence there to look only at the SVRCONN configuration.
Which makes this part of the message
Code:
Remote channel 'STEVESSL.SVRCONN' did not specify a CipherSpec when the local
channel expected one to be specified.
confusing. By local channel, what is it referring to?
Pure non-SSL connectivity works, but I can't figure out where the error may be with the SSL portion.
Any help would/could be appreciated. Once I have the simple one-way communication working, then I should be able to add two-way. I have followed the documentation as closely as one possibly could, but cannot get past this.
Vitor
Posted: Wed Apr 20, 2011 11:32 am    Post subject: Re: V7 Broker Explorer using SSL connection issues
OK, I accept I've not personally tried SSL with WMBv7. But theoretically:
smeunier wrote:
    Now I'm trying to create a remote broker connection, specify the hostname, QM and port, then specify a SVRCONN channel (STEVESSL.SVRCONN) which has a CipherSpec of RC4_MD5_US specified.
This seems to contradict:
smeunier wrote:
    I am not using client connection channels
as a SVRCONN is the server side of a SVRCONN / CLNTCONN pair. Now I accept that if you just have a MQSERVER pointing to a SVRCONN the CLNTCONN is auto-defined.
But this brings me to the point:
smeunier wrote:
    I did not think I would need a Channel Table
In my world, clients using SSL have to use CCDT or MQCONNX because on an auto-defined channel there's no facility to specify the cipher spec. But like I said, my world doesn't currently include connecting to WMBv7 with SSL. So I could be barking up entirely the wrong tree.
_________________
Honesty is the best policy.
Insanity is the best defence.
mqjeff
Posted: Wed Apr 20, 2011 11:38 am
Except that both Broker Explorer and Broker Toolkit are built in Java, and thus don't use MQCONNX.
smeunier - Can you establish an MQ Explorer connection to the remote qmgr that uses SSL? That's the first place to start.
Vitor
Posted: Wed Apr 20, 2011 11:47 am
mqjeff wrote:
    Except that both Broker Explorer and Broker Toolkit are built in Java, and thus don't use MQCONNX.
Well I'm not going to speak knowledgeably on anything Java related am I?
I was attempting to illustrate my point with an analogy. Java would require an analgesic. For my head.
_________________
Honesty is the best policy.
Insanity is the best defence.
fjb_saper
Posted: Wed Apr 20, 2011 8:36 pm
OK, I did establish the SSL connection using the Broker Explorer:
Here is how I did it:
Make sure you can establish an SSL client connection with a tool like MO71 or RFHUtilc (use the latest version and click the conn button for SSL parms)...
This means your qmgr and client setups (keystore, truststores, etc.) are correct. Copy your CMS repository/repositories to JKS ones for use with the Broker Explorer.
Set the relevant cipherspec on the SVRCONN channel.
In the broker explorer:
- Use define remote broker
- Fill in host, qmgr name and port and click on NEXT
- Fill in corresponding ciphersuite and path to keystore (jks) and truststore (jks) (you have to type the ".jks" at the end).
I trust you looked up the ciphersuite in the InfoCenter for the correspondence to the Cipherspec.
Before you can click next or finish you may have to set the password for each of the stores
- Click finish
- Enter passwords as required
- You MAY get a popup asking about a channel table -- answer by clicking NO
This would mean that the explorer first tried the qmgr connection to the broker's qmgr (this is SSL FIPS and fails because the Explorer preference is set to non-FIPS)... It will then try the broker-defined connections...
- If a 10 second wait does not bring the popups for passwords click Finish again.
- After the popups for passwords you should be connected and able to access the brokers and export the *.broker file
WARNING: Do not attempt SSL with SSL FIPS set to YES at the MQ Explorer preferences level. So far I could not make it work for the broker, although it works like a charm for MQ.
I tried the correct FIPS cipherspec and corresponding cipher suite... it did not work with the preference set to FIPS; it just did not work. (Have a PMR open.)
Do not try to use SSL with define remote broker using a *.broker file. Did not work for me either. Had to use the wizard as described above.
If I remember correctly it works for the toolkit though... (*.broker file).
Have another PMR open for mqsideploy with SSL. It does not ask for the passwords... and I can't find how to pass them to the process..., however deploying through the Broker Explorer using SSL works fine for me.
Short of using the Java config API passing the correct -Djavax.net.ssl.... values, I am waiting on the PMR for the command line deployment tool (mqsideploy) to be fixed.
From memory:
Cipherspec used: FIPS_RSA_WITH_3DES_EDE_CBC_SHA
Ciphersuite used: SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA
I also used SSLPEER, specifying the client-side DN attributes on the MQ server side of the channel and the MQ server DN attributes on the MQ Explorer SSL setup. Worked like a charm.
Have fun
_________________
MQ & Broker admin
Sam Uppu
Posted: Wed May 18, 2011 3:29 am
I am in the same boat in implementing SSL with my Broker Explorer in connecting to remote brokers. When I google for "Broker explorer + ssl", this thread got more useful/helpful info than any other link. Didn't find any info on the IBM Info Center in this regard.
I am using MQ/MB Explorer v7 on Windows (desktop) and MQ manager v7.0.1.4, MB 7002 on Linux.
I followed exactly the same steps as you suggested above:
First I tried implementing 2 way SSL in connecting MQ managers with a self signed certificate as a CA and used CCDT for the SSL implementation for MQ.
Now trying to use SSL for connecting to remote brokers:
Quote:
    In the broker explorer:
    - Connect to remote broker
    - Fill in host, qmgr name and port and click on NEXT
    - Fill in corresponding ciphersuite and path to keystore (jks) and truststore (jks) (you have to type the ".jks" at the end).
    Before you can click next or finish you may have to set the password for each of the stores
    - Click finish
    - Enter passwords as required
    - You MAY get a popup asking about a channel table -- answer by clicking NO
    This would mean that the explorer first tried the qmgr connection to the broker's qmgr (this is SSL FIPS and fails because the Explorer preference is set to non-FIPS)... It will then try the broker-defined connections...
Here I am getting an error popup: Queue Manager QM1 is not available for client connection due to an SSL configuration error (AMQ4199). Is this error popup expected / did you also get this error?
After this I got the 'Finish' button as you mentioned below:
Quote:
    If a 10 second wait does not bring the popups for passwords click Finish again.
    After the popups for passwords you should be connected and able to access the brokers and export the *.broker file
I defined both SVRCONN/CLNTCONN channels to generate a CCDT for using SSL with MQ Explorer to connect to MQ managers. I used the CipherSpec TRIPLE_DES_SHA_US on the client channel definitions and I am providing 'SSL_RSA_WITH_3DES_EDE_CBC_SHA' as the Cipher Suite in my Broker Explorer. My Broker Explorer is able to connect to the remote broker only with the Cipher Suite 'SSL_RSA_WITH_3DES_EDE_CBC_SHA'. I tried different Cipher Suites but nothing else is working; it says SSL connection error.
Not sure whether SSL_RSA_WITH_3DES_EDE_CBC_SHA on my MB Explorer connection wizard is somehow related to TRIPLE_DES_SHA_US as the CipherSpec on the client channel definition. Do you know why it is so?
Thanks for your help.
fjb_saper
Posted: Wed May 18, 2011 12:17 pm
Check out the CipherSpec - CipherSuite correspondence table in the Using Java Info Center.
_________________
MQ & Broker admin
Sam Uppu
Posted: Sat May 21, 2011 12:12 pm
Thanks.
I implemented one-way SSL between MQ Explorer and the queue manager (I created a self-signed cert on the QMgr and added it to the MQ Explorer keydb).
I followed the above steps in adding the remote broker to my MQ Explorer.
If I disconnect from the broker (by right-clicking on the broker) and try to (re)connect to the broker, it's asking for the keydb password. I am able to connect to the broker even if I click on the 'cancel' button (without providing the password) in the password popup. Whereas the MQ connection is working properly.
I am expecting that every time I connect to the MQ manager & broker, it should ask for the keydb password in my explorer. I see this behaviour with MQ managers but NOT with brokers. Once brokers are added to MQ Explorer, there is no need to provide the password every time you connect. I am looking for password authentication every time I connect to the broker (though it was already added to my explorer earlier).
Can you please let me know whether I am missing anything?
Thanks.
fjb_saper
Posted: Sat May 21, 2011 5:27 pm
My guess is that you are not requesting client authentication and only enforcing SSL or checking that the server SSLPEER matches what is expected.
_________________
MQ & Broker admin
Sam Uppu
Posted: Sat May 21, 2011 6:22 pm
I created only a SVRCONN channel and not a CLNTCONN channel. I just created the SVRCONN channel with SSLCIPH(TRIPLE_DES_SHA_US) SSLCAUTH(OPTIONAL). I am trying to implement one-way SSL. Created the self-signed cert on the QMgr, extracted it and added it to the client (MQ Explorer) keydb (no CA cert created on the client side).
Do I need to have two-way SSL for the broker to authenticate (create a CA cert (self-signed) and add it to the QMgr keydb)?
What do I need to make the broker authenticate every time I connect to the broker from my explorer?
Thanks.
fjb_saper
Posted: Sat May 21, 2011 10:14 pm
Sam Uppu wrote:
    I created only a SVRCONN channel and not a CLNTCONN channel. I just created the SVRCONN channel with SSLCIPH(TRIPLE_DES_SHA_US) SSLCAUTH(OPTIONAL). I am trying to implement one-way SSL. Created the self-signed cert on the QMgr, extracted it and added it to the client (MQ Explorer) keydb (no CA cert created on the client side).
    Do I need to have two-way SSL for the broker to authenticate (create a CA cert (self-signed) and add it to the QMgr keydb)?
    What do I need to make the broker authenticate every time I connect to the broker from my explorer?
    Thanks.
You don't HAVE to. You authenticate like you would with a qmgr... after all it's a SVRCONN channel. We do both-way authentication where both sides check the SSLPEER values...
Have fun
_________________
MQ & Broker admin
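To make the CipherSpec/CipherSuite correspondence and the one-way versus two-way (SSLCAUTH) question in this thread concrete, here is an added Python check; it is not code from the thread or from IBM. It parses a constructed MQSC SVRCONN definition and reports whether the Java client's CipherSuite matches the channel's SSLCIPH, whether the channel will demand a client certificate, whether SSLPEER pins the peer identity, and whether the CipherSpec relies on algorithms that are obsolete today; the mapping table covers the RSA CipherSpecs discussed here plus the AES ones.

```python
"""Added example (not from the thread): sanity-check a Java client's SSL settings
against an MQ SVRCONN channel definition.  The MQSC text below is constructed."""
import re

# MQ CipherSpec (channel SSLCIPH) -> JSSE CipherSuite an MQ 7 Java client must use
CIPHERSPEC_TO_SUITE = {
    "RC4_MD5_US": "SSL_RSA_WITH_RC4_128_MD5",
    "RC4_SHA_US": "SSL_RSA_WITH_RC4_128_SHA",
    "TRIPLE_DES_SHA_US": "SSL_RSA_WITH_3DES_EDE_CBC_SHA",
    "FIPS_WITH_3DES_EDE_CBC_SHA": "SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA",
    "TLS_RSA_WITH_AES_128_CBC_SHA": "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_AES_256_CBC_SHA": "TLS_RSA_WITH_AES_256_CBC_SHA",
}
WEAK_ALGS = ("RC4", "MD5", "DES")  # RC4, MD5 and (3)DES are obsolete today
ATTR = re.compile(r"(\w+)\(([^)]*)\)")  # matches NAME(value) MQSC attributes

def parse_channel(mqsc: str) -> dict:
    """Turn 'DEFINE CHANNEL(X) SSLCIPH(Y) ...' into {'CHANNEL': 'X', 'SSLCIPH': 'Y', ...}."""
    return {k.upper(): v.strip().strip("'") for k, v in ATTR.findall(mqsc)}

def check_client_ssl(mqsc: str, client_suite: str) -> list:
    """Return finding codes for a Java client using client_suite on this channel."""
    ch = parse_channel(mqsc)
    spec = ch.get("SSLCIPH", "")
    if not spec:  # no SSLCIPH on the SVRCONN: the channel will not negotiate SSL at all
        return ["NO_SSLCIPH"]
    findings = []
    expected = CIPHERSPEC_TO_SUITE.get(spec)
    if expected is None:
        findings.append("UNKNOWN_CIPHERSPEC")
    elif client_suite != expected:  # wrong or misspelt suite typed into the wizard
        findings.append("SUITE_MISMATCH")
    if any(alg in spec for alg in WEAK_ALGS):
        findings.append("WEAK_CIPHERSPEC")
    # SVRCONN default is SSLCAUTH(REQUIRED): the client must present its own cert
    # (two-way, needs a keystore); OPTIONAL lets a client with only a truststore in.
    findings.append("TWO_WAY" if ch.get("SSLCAUTH", "REQUIRED") == "REQUIRED" else "ONE_WAY")
    if "SSLPEER" not in ch:  # without SSLPEER any cert from a trusted CA is accepted
        findings.append("NO_SSLPEER")
    return findings

# Constructed channel, modelled on the one-way setup described in the thread.
SAMPLE_MQSC = ("DEFINE CHANNEL(STEVESSL.SVRCONN) CHLTYPE(SVRCONN) TRPTYPE(TCP) "
               "SSLCIPH(TRIPLE_DES_SHA_US) SSLCAUTH(OPTIONAL)")

if __name__ == "__main__":
    for suite in ("SSL_RSA_WITH_3DES_EDE_CBC_SHA", "SSL_RSA_WITH_RC4_128_MD5"):
        print(suite, "->", check_client_ssl(SAMPLE_MQSC, suite))
```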
Sam Uppu
Posted: Sun May 22, 2011 7:24 am
fjb_saper wrote:
    Sam Uppu wrote:
        I created only a SVRCONN channel and not a CLNTCONN channel. I just created the SVRCONN channel with SSLCIPH(TRIPLE_DES_SHA_US) SSLCAUTH(OPTIONAL). I am trying to implement one-way SSL. Created the self-signed cert on the QMgr, extracted it and added it to the client (MQ Explorer) keydb (no CA cert created on the client side).
        Do I need to have two-way SSL for the broker to authenticate (create a CA cert (self-signed) and add it to the QMgr keydb)?
        What do I need to make the broker authenticate every time I connect to the broker from my explorer?
        Thanks.
    You don't HAVE to. You authenticate like you would with a qmgr... after all it's a SVRCONN channel. We do both-way authentication where both sides check the SSLPEER values...
    Have fun
I like the both-way (two-way) authentication, but the only thing I don't like is that you need to provide the password 2 times (1 for the trust store + 1 for the personal cert) every time you (re)connect to MQ/Broker. I wanted to provide the password only once, which is why I wanted to go with one-way SSL. But for me, with one-way SSL, I don't need to provide the password for the broker connection once it is added to the explorer. Whereas with two-way SSL, it's asking for the password 2 times and without the password it won't let me connect to the broker, which is a good thing. I was expecting the same thing with one-way SSL, i.e., when I try to connect to the broker (already added to the explorer), it should ask for the password only once and without the password it should not let me connect to the broker.
You are saying one-way authentication should behave the same way for the broker just like for the MQ manager, but why is it not working for me? Any inputs would be greatly appreciated.
Thanks.
fjb_saper
Posted: Sun May 22, 2011 5:18 pm
Not necessarily. Look at the difference in behaviour between keystore and truststore.
Have fun
_________________
MQ & Broker admin
mqaugi
Posted: Tue Aug 09, 2011 3:59 am    Post subject: maybe a solution
Recently we had the same problem with MQ Explorer and the Broker add-on.
The problem was caused by starting MQE directly from this path:
..IBM/WebSphere MQ/eclipseSDK33/eclipse
But if we started MQ from this path:
..IBM/MQ Explorer V7/bin/strmqcfg.cmd
we got an error AMQ4199 and were asked to log in another time, but then it worked!