Author |
Message
|
anar |
Posted: Fri Nov 25, 2011 7:46 am Post subject: SSLCAUTH(REQUIRED) AMQ9637: Channel is lacking a certificate |
|
|
Apprentice
Joined: 28 Jun 2010 Posts: 31
|
Hi,
We got an MQ Server (version 7.0.1.4) on HP-UX.
And trying to set up SSL between clients and QMGR.
SSL setup between "IBM WebSphere MQ Explorer" and QMGR succeeded.
However, receiving the below pasted error message from C# .NET application while trying to "connect".
Got "RC4_SHA_US" as the SSLCIPH on both sides.
Created CA and personal certificates and copied appropriate ones to both kdb's:
- on QMGR side [CA_cert + ibmwebspheremqqmgr.tsst.02 certificate]
- on client side [CA_cert + ibmwebspheremqmqm certificate]
If SSLCAUTH is OPTIONAL, the connection succeeds. It fails if REQUIRED.
Would be very grateful if anybody could shed some light on what is missing.
Thanks in advance.
Best Regards,
Anar Veliyev
-------------------------------------------------------------
AMQ9637: Channel is lacking a certificate.
EXPLANATION:
The channel is lacking a certificate to use for the SSL handshake. The channel
name is 'CHL.SSL.01' (if '????' it is unknown at this stage in the SSL
processing). The channel did not start.
ACTION:
Make sure the appropriate certificates are correctly configured in the key
repositories for both ends of the channel.
If you have migrated from WebSphere MQ V5.3 to V6, it is possible that the
missing certificate is due to a failure during SSL key repository migration.
Check the relevant error logs. If these show that an orphan certificate was
encountered then you should obtain the relevant missing certification authority
(signer) certificates and then import these and the orphan certificate into the
WebSphere MQ V6 key repository, and then re-start the channel.
------------------------------------------------------------- |
|
mqjeff |
Posted: Fri Nov 25, 2011 7:52 am Post subject: |
|
|
Grand Master
Joined: 25 Jun 2008 Posts: 17447
|
you're running the code as the user "mqm" on the client side? |
|
anar |
Posted: Fri Nov 25, 2011 8:18 am Post subject: |
|
|
Apprentice
Joined: 28 Jun 2010 Posts: 31
|
- how could that be "forced" ?
Should that be done at the "application context" level ? |
|
mqjeff |
Posted: Fri Nov 25, 2011 9:11 am Post subject: |
|
|
Grand Master
Joined: 25 Jun 2008 Posts: 17447
|
I did not give you an instruction.
I asked you a question.
You have indicated, by creating a certificate that is labelled "ibmwebspheremqmqm", and putting this certificate into the client certificate store, that you will be EXECUTING THE CLIENT CODE AS THE USER "mqm".
I am asking you to *verify* that you have actually done this. I don't care how you do this, I will not provide information on how to do this - it should be dead simple and obvious.
If you do NOT intend to run the client code as the user 'mqm', then you need to change the label of the certificate to properly indicate the user that IS running your code.
If you labelled the certificate as "ibmwebspheremqmqm" because you did not know what to label the certificate as, then please go back and review the entire contents of the Clients section of the Info Center. Repeat reviewing this until you have a better idea of what you actually need to do. |
|
mqjeff |
Posted: Fri Nov 25, 2011 9:13 am Post subject: |
|
|
Grand Master
Joined: 25 Jun 2008 Posts: 17447
|
Oh, and if you don't understand how to determine what user is executing your program, then please take a good bottle of scotch to your Windows desktop admins, and humbly beg them for additional training on the basics of the Windows OS and the basics of how .NET code and C# in particular gets executed.
If your Windows admins don't like scotch, then please provide them a good bottle of whatever they do prefer. It could be lhasi, for all I know. |
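
The label check discussed in the posts above, as an added example that is not part of the original thread: a WebSphere MQ v7 client looks for its personal certificate under the label `ibmwebspheremq` followed by the logon user ID in lower case, so with SSLCAUTH(REQUIRED) a certificate labelled for a different account is never presented. The function names, the `svc_orders` account and the label list are hypothetical; in practice the labels would come from listing the personal certificates in the client key repository.

```python
import getpass

PREFIX = "ibmwebspheremq"  # label prefix used by WebSphere MQ v7

# Constructed sample: personal certificate labels in the client key repository.
SAMPLE_LABELS = ["ibmwebspheremqmqm"]


def expected_client_label(user):
    """Label the MQ v7 client looks up: prefix + logon user ID in lower case."""
    # Assumption: for DOMAIN\user or user@domain only the account name is used.
    account = user.split("\\")[-1].split("@")[0]
    return PREFIX + account.lower()


def diagnose(user, personal_labels):
    """Compare the repository's personal labels with the one `user` needs.

    Returns (status, label): status is "ok", "case-mismatch",
    "other-identity" or "missing".
    """
    want = expected_client_label(user)
    labels = [label.strip() for label in personal_labels if label.strip()]
    if want in labels:
        return ("ok", want)
    # The label has to be in lower case; a mixed-case copy is not picked up.
    for label in labels:
        if label.lower() == want:
            return ("case-mismatch", label)
    # A certificate exists, but it is labelled for another user or a queue manager.
    others = [label for label in labels if label.lower().startswith(PREFIX)]
    if others:
        return ("other-identity", others[0])
    return ("missing", want)


if __name__ == "__main__":
    # Check the account this process actually runs as (service account,
    # application pool identity, interactive user, ...).
    me = getpass.getuser()
    print(me, diagnose(me, SAMPLE_LABELS))
    print("svc_orders", diagnose("svc_orders", SAMPLE_LABELS))
```

Run it under the same account that executes the client application; any status other than "ok" means the certificate has to be relabelled for that account, or the application run as the account the label names.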
|
anar |
Posted: Fri Nov 25, 2011 9:30 am Post subject: |
|
|
Apprentice
Joined: 28 Jun 2010 Posts: 31
|
Grateful for the light you shed.
Respect you for being so professional on the issue.
Seems you got angry or something.
Thanks for your time. |
|
anar |
Posted: Fri Nov 25, 2011 9:36 am Post subject: |
|
|
Apprentice
Joined: 28 Jun 2010 Posts: 31
|
the question closed.
BR,
Anar Veliyev |
|
cgache |
Posted: Thu Jul 18, 2013 3:01 am Post subject: |
|
|
Apprentice
Joined: 27 May 2013 Posts: 28 Location: Sydney, AUS
|
mqjeff is so helpful here. Surprised his mother never told him the saying: if you don't have anything nice to say then don't say nothing.
We're not all as experienced as you mqjeff, so a bit of patience would be highly appreciated, and if you can't find that patience, simply don't comment. Thanks. |
|
mqjeff |
Posted: Thu Jul 18, 2013 5:13 am Post subject: |
|
|
Grand Master
Joined: 25 Jun 2008 Posts: 17447
|
cgache wrote: |
mqjeff is so helpful here. Surprised his mother never told him the saying: if you don't have anything nice to say then don't say nothing.
We're not all as experienced as you mqjeff, so a bit of patience would be highly appreciated, and if you can't find that patience, simply don't comment. Thanks. |
Answer 1,000 posts, and then decide if I'm patient or not. |
|
cgache |
Posted: Thu Jul 18, 2013 5:21 am Post subject: |
|
|
Apprentice
Joined: 27 May 2013 Posts: 28 Location: Sydney, AUS
|
mqjeff wrote: |
cgache wrote: |
mqjeff is so helpful here. Surprised his mother never told him the saying: if you don't have anything nice to say then don't say nothing.
We're not all as experienced as you mqjeff, so a bit of patience would be highly appreciated, and if you can't find that patience, simply don't comment. Thanks. |
Answer 1,000 posts, and then decide if I'm patient or not. |
Funnily enough though, you did answer my question and solved my problem, thanks!  |
|
mqjeff |
Posted: Thu Jul 18, 2013 5:24 am Post subject: |
|
|
Grand Master
Joined: 25 Jun 2008 Posts: 17447
|
cgache wrote: |
mqjeff wrote: |
cgache wrote: |
mqjeff is so helpful here. Surprised his mother never told him the saying: if you don't have anything nice to say then don't say nothing.
We're not all as experienced as you mqjeff, so a bit of patience would be highly appreciated, and if you can't find that patience, simply don't comment. Thanks. |
Answer 1,000 posts, and then decide if I'm patient or not. |
Funnily enough though, you did answer my question and solved my problem, thanks!  |
It's strange to consider that it might have been on purpose that I did that. |
|
Vitor |
Posted: Thu Jul 18, 2013 5:38 am Post subject: |
|
|
 Grand High Poobah
Joined: 11 Nov 2005 Posts: 26093 Location: Texas, USA
|
cgache wrote: |
We're not all as experienced as you mqjeff, so a bit of patience would be highly appreciated, and if you can't find that patience, simply don't comment. Thanks. |
So I should stop commenting as well then by that measure.
_________________
Honesty is the best policy.
Insanity is the best defence. |
|