Trouble SSL Connection SSG Client to a QManager on Unix
selenneg
Posted: Mon Apr 09, 2012 2:37 pm Post subject: Trouble SSL Connection SSG Client to a QManager on Unix
Newbie
Joined: 24 Jun 2011 Posts: 5
Hi,
This is the first time we have used SSL, and we want to set up a one-sided SSL connection with an external MQ client.
We have MQ V7.1 and the QManager is running on a Unix platform. We have the server side.
What we did:
On the QManager:
CHLAUTH(DISABLED) <- that's because the client gets MQRC 2035
SSLCRLNL( )
SSLEV(DISABLED)
SSLKEYR(/var/mqm/qmgrs/QMT01/ssl/key)
SSLRKEYC(0)
We also created a SVRCONN channel specifying the SSLCIPH and SSLCAUTH parameters.
For SSL, we used the runmqckm command to create the key repository and the self-signed certificate, and to extract the certificate.
Create key repository
Quote:
runmqckm -keydb -create -db "/var/mqm/qmgrs/QMT01/ssl/key.kdb" -pw "pwd01" -type cms -expire 5000 -stash
Create self-signed certificate
Quote:
runmqckm -cert -create -db "/var/mqm/qmgrs/QMT01/ssl/key.kdb" -pw "pwd01" -label "redmqm" -dn "CN=mydomain.com, OU=Sistemas, O=MyCompany., L=Mexico, ST=Mexico, C=MX" -expire 5000
Extract certificate
Quote:
runmqckm -cert -extract -db "/var/mqm/qmgrs/QMT01/ssl/key.kdb" -pw "pwd01" -label "redmqm" -target "/var/mqm/qmgrs/QMT01/ssl/qmt01.crt" -format ascii
We cannot view the client side because they are an external entity. We sent them the self-signed certificate we created so that they could add it to their key repository.
Additionally, we added the client certificates to our key repository:
Quote:
runmqckm -cert -add -db "/var/mqm/qmgrs/QMT01/ssl/key.kdb" -pw "3tru5c05" -label "citigroup" -file "ssg-citigroupsoasit-pub.cer" -format ascii
runmqckm -cert -add -db "/var/mqm/qmgrs/QMT01/ssl/key.kdb" -pw "3tru5c05" -label "citiverisignsgc" -file "VeriSign-Class3-EVSSLSGC-Inter.cer" -format ascii
runmqckm -cert -add -db "/var/mqm/qmgrs/QMT01/ssl/key.kdb" -pw "3tru5c05" -label "citiverisigng5" -file "VeriSignClass3-G5-rootca.cer" -format ascii
But we cannot establish the connection.
The error we get on the server side:
Quote:
----- amqrmrsa.c : 878 --------------------------------------------------------
04/09/12 04:08:53 PM - Process(8847.146) User(mqm) Program(amqrmppa)
Host(ptprep01) Installation(Installation1)
VRMF(7.1.0.0) QMgr(QMT01)
AMQ9716: Remote SSL certificate revocation status check failed for channel
'????'.
EXPLANATION:
WebSphere MQ failed to determine the revocation status of the remote SSL
certificate for one of the following reasons:
(a) The channel was unable to contact any of the CRL servers or OCSP responders
for the certificate.
(b) None of the OCSP responders contacted knows the revocation status of the
certificate.
(c) An OCSP response was received, but the digital signature of the response
could not be verified.
The details of the certificate in question are
'[Class=]GSKVALMethod::X509[Issuer=]CN=VeriSign Class 3 Public Primary
Certification Authority - G5,OU=(c) 2006 VeriSign\, Inc. - For authorized use
only,OU=VeriSign Trust Network,O=VeriSign\,
Inc.,C=US[#=]XXXXXXX[Subject=]CN=VeriS'.
The channel name is '????'. In some cases the channel name cannot be determined
and so is shown as '????'. The channel did not start.
WebSphere MQ does not allow the channel to start unless the certificate
revocation status can be determined.
ACTION:
If the certificate contains an AuthorityInfoAccess extension, ensure that the
OCSP server named in the certificate extension is available and is correctly
configured.
If the certificate contains a CrlDistributionPoint extension, ensure that the
CRL server named in the certificate extension is available and is correctly
configured.
If you have specified any CRL or OCSP servers to WebSphere MQ, check that those
servers are available and are correctly configured.
Ensure that the local key repository has the necessary SSL certificates to
verify the digital signature of the response from the OCSP server.
And the client error is:
Quote:
17:09:28mqerror8484764 0x80e00107mq-qm (CTO-TMXMQManager): Queue Manager Error: 'mydomain.com:1414' 'QMT01'. Reason code - 2538
17:09:28mqerror8484764 0x80e0015fmq-qm (CTO-TMXMQManager): test connection failed (2538)
Please help us solve this.
Thanks.
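The AMQ9716 entry in this post is the part a defender would want to pick up from the MQ error log automatically: which queue manager and host it came from, which channel (often shown as '????', as the log itself explains), and which CA issued the certificate whose revocation status could not be determined. The following is an added example written for this thread, not code from the original post or from IBM: it parses one such error-log entry, joins the wrapped certificate-detail line back together, and splits the issuer DN while honouring the backslash-escaped commas GSKit prints. The sample entry is constructed from the log text quoted above, with the page's 'XXXXXXX' serial placeholder kept as-is; the function and field names are my own.

```python
"""Parse a WebSphere MQ error-log entry (AMQERR0x.LOG layout) and extract
what matters for an AMQ9716 event: queue manager, host, channel, and the CA
that issued the certificate whose revocation status was unknown.
Added example for this thread; not code from the post or from IBM."""
import re

# Constructed sample, re-typed from the entry quoted in the thread.
# 'XXXXXXX' is the serial-number placeholder exactly as the page shows it.
SAMPLE_LOG = r"""
----- amqrmrsa.c : 878 --------------------------------------------------------
04/09/12 04:08:53 PM - Process(8847.146) User(mqm) Program(amqrmppa)
                      Host(ptprep01) Installation(Installation1)
                      VRMF(7.1.0.0) QMgr(QMT01)
AMQ9716: Remote SSL certificate revocation status check failed for channel
'????'.

EXPLANATION:
WebSphere MQ failed to determine the revocation status of the remote SSL
certificate for one of the following reasons:
The details of the certificate in question are
'[Class=]GSKVALMethod::X509[Issuer=]CN=VeriSign Class 3 Public Primary
Certification Authority - G5,OU=(c) 2006 VeriSign\, Inc. - For authorized use
only,OU=VeriSign Trust Network,O=VeriSign\,
Inc.,C=US[#=]XXXXXXX[Subject=]CN=VeriS'.
The channel name is '????'. In some cases the channel name cannot be determined
and so is shown as '????'. The channel did not start.
"""

# Timestamp/process line that opens every entry.
HEADER_RE = re.compile(
    r"^(?P<date>\d\d/\d\d/\d\d) (?P<time>\d\d:\d\d:\d\d [AP]M) - "
    r"Process\((?P<pid>[\d.]+)\) User\((?P<user>[^)]*)\) Program\((?P<program>[^)]*)\)",
    re.M,
)
# Name(value) pairs such as Host(...), QMgr(...), VRMF(...).
FIELD_RE = re.compile(r"\b(Host|Installation|VRMF|QMgr)\(([^)]*)\)")
# The AMQnnnn message code and its first line of text.
MSG_RE = re.compile(r"^(?P<code>AMQ\d{4}): (?P<text>.*)$", re.M)
CHANNEL_RE = re.compile(r"The channel name is '(?P<channel>[^']*)'")
# GSKit certificate details: quoted and wrapped over several lines.
CERT_RE = re.compile(r"'(?P<body>\[Class=\].*?)'\.", re.S)


def split_dn(dn: str) -> list:
    """Split an X.500 DN on commas, keeping backslash-escaped commas
    (as in an organisation name ending in ', Inc.') inside their value."""
    result = []
    for part in re.split(r"(?<!\\),", dn):
        attr, _, value = part.partition("=")
        result.append((attr.strip(), value.replace("\\,", ",").strip()))
    return result


def parse_entry(text: str) -> dict:
    """Return the fields of one error-log entry as a dict."""
    header = HEADER_RE.search(text)
    if header is None:
        raise ValueError("no MQ error-log header found")
    entry = header.groupdict()
    entry.update({k.lower(): v for k, v in FIELD_RE.findall(text)})
    msg = MSG_RE.search(text)
    entry["code"] = msg.group("code") if msg else None
    entry["message"] = msg.group("text").strip() if msg else None
    chan = CHANNEL_RE.search(text)
    entry["channel"] = chan.group("channel") if chan else None
    cert = CERT_RE.search(text)
    if cert:
        # The log wraps long lines; each wrap replaced one space.
        body = " ".join(line.strip() for line in cert.group("body").splitlines())
        fields = dict(re.findall(r"\[(#|\w+)=\]([^\[]*)", body))
        entry["cert_class"] = fields.get("Class")
        entry["issuer"] = split_dn(fields["Issuer"]) if "Issuer" in fields else []
        entry["serial"] = fields.get("#")
        entry["subject_prefix"] = fields.get("Subject")  # the log truncates it
    return entry


def iter_entries(log_text: str):
    """Yield each entry of an AMQERR0x.LOG file; entries are separated by
    '----- source.c : line -----' lines."""
    for chunk in re.split(r"^----- \S+ : \d+ -+$", log_text, flags=re.M):
        if HEADER_RE.search(chunk):
            yield parse_entry(chunk)


def is_revocation_failure(entry: dict) -> bool:
    """AMQ9716: the channel was refused because revocation status was
    unknown, not because the certificate was found to be revoked."""
    return entry.get("code") == "AMQ9716"


def issuer_cn(entry: dict) -> str:
    """CN of the CA that issued the certificate named in the entry."""
    return next((v for a, v in entry.get("issuer", []) if a == "CN"), "")


def summarize(entry: dict) -> str:
    """One line suitable for an alert or a ticket."""
    return (f"{entry['code']} on QMgr {entry.get('qmgr')} ({entry.get('host')}): "
            f"revocation status unknown for certificate issued by "
            f"'{issuer_cn(entry)}'; channel '{entry.get('channel')}' did not start")


if __name__ == "__main__":
    for e in iter_entries(SAMPLE_LOG):
        if is_revocation_failure(e):
            print(summarize(e))
```

Note what the parsed result does and does not say: AMQ9716 reports that the revocation status was unknown (no reachable CRL server or OCSP responder, or a response whose signature could not be verified), not that the certificate was revoked, and the queue manager refuses to start the channel in that state. The issuer CN tells you which link in the chain the check stalled on, which is the certificate whose AuthorityInfoAccess or CRLDistributionPoint extension, or the queue manager's own configured CRL/OCSP servers, need to be reachable.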
bruce2359
Posted: Mon Apr 09, 2012 3:10 pm Post subject: Re: Trouble SSL Connection SSG Client to a QManager on Unix
Poobah
Joined: 05 Jan 2008 Posts: 9469 Location: US: west coast, almost. Otherwise, enroute.
selenneg wrote:
> And the client error is:
> Quote:
> 17:09:28mqerror8484764 0x80e00107mq-qm (CTO-TMXMQManager): Queue Manager Error: 'mydomain.com:1414' 'QMT01'. Reason code - 2538
> 17:09:28mqerror8484764 0x80e0015fmq-qm (CTO-TMXMQManager): test connection failed (2538)
> Help, please, to solve this.
> Thx.
When you researched (on Google, for example) ReasonCode 2538, what did it tell you was the reason? What did it suggest you try to resolve the problem? What did you check? What were the results?
_________________
I like deadlines. I like to wave as they pass by.
ב''ה
Lex Orandi, Lex Credendi, Lex Vivendi. As we Worship, So we Believe, So we Live.
selenneg
Posted: Mon Apr 09, 2012 3:58 pm Post subject:
Newbie
Joined: 24 Jun 2011 Posts: 5
The reason code description is:
2538 (09EA) (RC2538): MQRC_HOST_NOT_AVAILABLE
Explanation
An MQCONN call was issued from a client to connect to a queue manager but the attempt to allocate a conversation to the remote system failed. Common causes of this reason code are:
• The listener has not been started on the remote system.
• The connection name in the client channel definition is incorrect.
• The network is currently unavailable.
But we checked all of these:
- The listener is running on the server.
- The connection name in the client channel definition is correct.
- The network is available.
fjb_saper
Posted: Mon Apr 09, 2012 8:28 pm Post subject:
Grand High Poobah
Joined: 18 Nov 2003 Posts: 20756 Location: LI,NY
You did not follow convention.
The qmgr's certificate MUST be labelled ibmwebspheremq<qmgrname in lower case>, so in your case ibmwebspheremqqmt01... You might also want to make it the default certificate in the store...
By the way, I find it easier to have the internal security team sign my certificates. (They run an OpenSSL CA)... Self-signed makes the cert exchanges so complicated... With an internal CA you have to add SSLPEER, however....
Have fun
_________________
MQ & Broker admin
exerk
Posted: Tue Apr 10, 2012 12:19 am Post subject:
Jedi Council
Joined: 02 Nov 2006 Posts: 6339
And even if everything was perfect and there were no errors anywhere, it still would not work because of this: AMQ9716: Remote SSL certificate revocation status check failed for channel.
Look through the manual for OCSP, what it is, what it does, how it's used by WMQ, and what you need to do in regard to it.
_________________
It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys.
fjb_saper
Posted: Tue Apr 10, 2012 9:32 pm Post subject:
Grand High Poobah
Joined: 18 Nov 2003 Posts: 20756 Location: LI,NY
Last but not least, I don't know whether a CN with a hostname makes any sense for a qmgr.
Does that mean the channel will stop working if you replatform the qmgr or just change the hostname??
You would have thought you wanted to have a CN with the qmgr name... or QMID...
_________________
MQ & Broker admin