Not able to setup SSL between client and Q Manager

shalabh1976
Posted: Tue Jan 24, 2012 1:20 am Post subject: Not able to setup SSL between client and Q Manager
Partisan
Joined: 18 Jul 2002 Posts: 381 Location: Gurgaon, India

Environment:
jmsclient: Windows XP
MQ v7.1
Q Manager: AIX v6.1
Problem: Not able to setup SSL between client (on Windows) and Q Manager (on UNIX) channel
What I did: I used the runmqckm command to create the key repository, create a self-signed certificate and extract the certificate.
gsk7cmd is not running on this server, so I used runmqckm.
The following were the commands:
Create Key repository
runmqckm -keydb -create -db /var/mqm/qmgrs/QMEIGS5/ssl/key1.kdb -pw ibm -type cms -stash
Create Self-signed certificate
runmqckm -cert -create -db "/var/mqm/qmgrs/QMEIGS5/ssl/key1.kdb" -pw ibm -label ibmwebspheremqqmeigs5 -dn "CN=QM1,O=IBM,C=US" -expire 365
Extract certificate
runmqckm -cert -extract -db "/var/mqm/qmgrs/QMEIGS5/ssl/key1.kdb" -pw ibm -label ibmwebspheremqqmeigs5 -target certqm.der -format binary
Add Client certificate
runmqckm -cert -add -db "/var/mqm/qmgrs/QMEIGS5/ssl/key1.kdb" -pw ibm -label jmsclient -file certjms.der -format binary
In the above commands, jmsclient was the label name I assigned to the client certificate, and certjms.der was the extracted client certificate.
I transferred the client certificate from Windows to AIX and the Q Manager certificate from AIX to Windows using WinSCP, with the transfer type set to Binary.
Then, on the local Windows system, I used strmqikm to create a Keystore and generate the self-signed certificate.
I transferred the client certificate from Windows to AIX and the Q Manager certificate from AIX to Windows using WinSCP, with the transfer type set to Binary.
Add Client certificate
runmqckm -cert -add -db "/var/mqm/qmgrs/QMEIGS5/ssl/key1.kdb" -pw ibm -label jmsclient -file certjms.der -format binary
Created a truststore on the local Windows system and added the Q Manager's certificate to the truststore.
Then I added the ciphersuite as NULL_MD5 at both client and Channel end.
Added the respective SSLPEER.
Error Message:
main, received EOFException: error
main, handling exception: javax.net.ssl.SSLHandshakeException: Remote host closed connection during handshake
main, SEND TLSv1 ALERT: fatal, description = handshake_failure
main, WRITE: TLSv1 Alert, length = 2
_________________
Shalabh
IBM Cert. WMB V6.0
IBM Cert. MQ V5.3 App. Prog.
IBM Cert. DB2 9 DB Associate

exerk
Posted: Tue Jan 24, 2012 1:37 am
Jedi Council
Joined: 02 Nov 2006 Posts: 6339

And what's in the queue manager log?
_________________
It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys.

shalabh1976
Posted: Tue Jan 24, 2012 2:26 am
Partisan
Joined: 18 Jul 2002 Posts: 381 Location: Gurgaon, India

Thanks for the clue. From the qmgr error log it was visible that the password stash file was not accessible.
I replicated the above steps and verified the outcome, and eventually it's working now.
Thanks a ton!!!
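
Added example, not part of any post in this thread: the fix above came down to the queue manager not being able to read the password stash file that -stash writes next to the key database (key1.sth beside key1.kdb). The script below checks both files for a given repository stem; the function name check_keyrepo, its return codes and the world-readable test are choices made for this example, and it assumes the queue manager runs as the stash file's owner or as a member of its group.

```shell
#!/bin/sh
# Added example, not from the thread: sanity-check the files behind a CMS key
# repository created with "runmqckm -keydb -create ... -type cms -stash".
# STEM is the repository path without ".kdb", for example
# /var/mqm/qmgrs/QMEIGS5/ssl/key1 (the path used in the first post).

# Print the ls -l mode string of a file, e.g. "-rw-r-----".
mode_of() {
    ls -ld "$1" | awk '{print $1}'
}

# check_keyrepo STEM   (hypothetical helper name)
# Returns: 0 ok
#          1 key database STEM.kdb missing
#          2 stash file STEM.sth missing or empty
#          3 stash file has no read bit for owner or group
#          4 stash file is readable by everyone (it holds the repository password)
check_keyrepo() {
    stem=$1
    [ -f "$stem.kdb" ] || { echo "missing key database: $stem.kdb"; return 1; }
    [ -s "$stem.sth" ] || { echo "missing or empty stash file: $stem.sth"; return 2; }
    mode=$(mode_of "$stem.sth")
    case $mode in
        -r????????*|-???r?????*) ;;   # owner or group may read
        *) echo "stash file not readable by owner or group: $mode"; return 3 ;;
    esac
    case $mode in
        -??????r??*) echo "stash file is world-readable: $mode"; return 4 ;;
    esac
    echo "ok: $stem.kdb and $stem.sth ($mode)"
    return 0
}

# Run as: sh check_keyrepo.sh /var/mqm/qmgrs/QMEIGS5/ssl/key1
[ "$#" -eq 0 ] || check_keyrepo "$1"
```

The mode bits only show that some owner or group can read the stash file; compare the owner and group in ls -l with the account the queue manager runs under (mqm on UNIX systems).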

exerk
Posted: Tue Jan 24, 2012 2:28 am
Jedi Council
Joined: 02 Nov 2006 Posts: 6339

Always a good idea to check both ends...