MQ SSL
newtown (Novice; Joined: 03 Feb 2003; Posts: 16)
Posted: Wed Jun 04, 2003 7:24 pm; Post subject: MQ SSL
Hi
I am working on an MQ project which requires MQ SSL connectivity. I am having problems with MQ SSL communication between a Qmgr on AIX and another on W2k.
I had enabled the cipher at both ends, and added SSL keys to both Qmgrs.
The error shown below is from the Qmgr log file:
AMQ9660 SSL key repository: password stash file absent or unusable.
Explanation: The SSL key repository cannot be used because MQ cannot obtain a password to access it. Reasons giving rise to this error include:
(a) the key database file and password stash file are not present in the location configured for the key repository,
(b) the key database file exists in the correct place but that no password stash file has been created for it,
(c) the files are present in the correct place but the userid under which MQ is running does not have permission to read them,
(d) one or both of the files are corrupt.
The channel is '&3'; in some cases its name cannot be determined and so is shown as '????'. The channel did not start.
User Response: Ensure that the key repository variable is set to where the key database file is. Ensure that a password stash file has been associated with the key database file in the same directory, and that the userid under which MQ is running has read access to both files. If both are already present and readable in the correct place, delete and recreate them. Restart the channel.
I have created the CMS key database three times and verified that the stash is set correctly, yet I have the same problem. I thought it could be an AIX security issue, but that is not the case; I have verified that also.
I am wondering at this moment why this is happening... I followed the online documentation, yet it was not very helpful.
Has anybody experienced the case that I am currently facing? It is quite urgent at this stage... Please help if anyone out there can advise or share their experience with MQ SSL.
cheers
newtown
harwinderr (Voyager; Joined: 29 Jan 2002; Posts: 90)
Posted: Mon Jun 16, 2003 3:25 am
Hi
I was also facing a similar kind of problem on a Linux to Linux box, though now it is solved.
A few suggestions:
Just make sure that you have the password stash file in the same directory in which you have your database file and that it has proper read permissions for the user.
Another peculiar thing I noticed is that if the database file and the stash file are placed in a directory other than the default directory (/var/mqm/qmgrs/qm1/ssl), the same error crops up. So, I had to place the files in the default location only. So if you are placing the files in some other location, try copying them to the default location and check the result. Hope it works.
cheers,
Harwinder
rmah (Centurion; Joined: 04 May 2007; Posts: 142)
Posted: Tue Dec 16, 2008 4:59 pm
harwinderr wrote:
> Hi
> I was also facing a similar kind of problem on a Linux to Linux box, though now it is solved.
> A few suggestions:
> Just make sure that you have the password stash file in the same directory in which you have your database file and that it has proper read permissions for the user.
> Another peculiar thing I noticed is that if the database file and the stash file are placed in a directory other than the default directory (/var/mqm/qmgrs/qm1/ssl), the same error crops up. So, I had to place the files in the default location only. So if you are placing the files in some other location, try copying them to the default location and check the result. Hope it works.
> cheers,
> Harwinder

Hi,
I'm having the same problem. I am trying to connect a Windows qm to a Linux qm - the Windows qm is throwing the error above, saying the stash file is not present or unusable. What permissions should the stash file and kdb file have?
The kdb and stash file are in the same directory.
Thanks!
_________________
MQ 6.0.2.3
Broker 6.0.0.7
for Linux
zhanghz (Disciple; Joined: 17 Jun 2008; Posts: 186)
Posted: Tue Dec 16, 2008 9:18 pm
kdb and stash files: same name, in the same directory; the directory should be the one specified in the SSLKEYR attribute of the QMGR. The SSLKEYR specifies the full path of the kdb file without the ".kdb" extension, for example, the SSLKEYR is "C:\QMGRS\QM1\SSL\key" if the kdb file used for this qmgr is "C:\QMGRS\QM1\SSL\key.kdb".
Might need to refresh security type(ssl) or restart qmgr after the change.
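
A pre-flight check for the SSLKEYR rule in the post above and for AMQ9660 causes (a) to (c), given as an added example that is not part of the thread or of any IBM tooling. It assumes the stash file sits beside the key database under the same base name with the .sth extension; the function names and sample files are constructed for illustration.

```python
import os
import tempfile

# The stash file carries the key database's base name with the .sth extension.
REPO_FILES = ((".kdb", "key database"), (".sth", "password stash"))

def check_key_repository(sslkeyr):
    """Return a list of problems with an SSLKEYR value; an empty list means none found.

    Run this as the user MQ runs under, because readability is tested for
    the current process only.
    """
    findings = []
    stem = sslkeyr
    if stem.lower().endswith(".kdb"):
        findings.append("SSLKEYR must not include the .kdb extension")
        stem = stem[:-4]  # keep checking the files the value was meant to name
    for ext, what in REPO_FILES:
        path = stem + ext
        if not os.path.isfile(path):
            findings.append(f"{what} file missing: {path}")       # AMQ9660 (a)/(b)
        elif not os.access(path, os.R_OK):
            findings.append(f"{what} file not readable: {path}")  # AMQ9660 (c)
        elif os.path.getsize(path) == 0:
            findings.append(f"{what} file is empty: {path}")      # one form of (d)
    return findings

def demo():
    """Build a constructed repository in a temp directory and check three cases."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        stem = os.path.join(d, "key")
        with open(stem + ".kdb", "wb") as f:
            f.write(b"constructed placeholder, not a real CMS database")
        results["no stash file"] = check_key_repository(stem)
        with open(stem + ".sth", "wb") as f:
            f.write(b"constructed placeholder stash")
        results["both files"] = check_key_repository(stem)
        results["value ends in .kdb"] = check_key_repository(stem + ".kdb")
    return results

if __name__ == "__main__":
    for case, findings in demo().items():
        print(case, "->", findings or "no problem found")
```

The check only confirms that the two files are present, readable and non-empty; it does not open the key database or validate the stashed password.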
rmah (Centurion; Joined: 04 May 2007; Posts: 142)
Posted: Thu Jan 15, 2009 3:18 pm
zhanghz wrote:
> kdb and stash files: same name, in the same directory; the directory should be the one specified in the SSLKEYR attribute of the QMGR. The SSLKEYR specifies the full path of the kdb file without the ".kdb" extension, for example, the SSLKEYR is "C:\QMGRS\QM1\SSL\key" if the kdb file used for this qmgr is "C:\QMGRS\QM1\SSL\key.kdb".
> Might need to refresh security type(ssl) or restart qmgr after the change.

Hi,
I'm having the same trouble. My queue manager is on a Windows 2003 R2 box.
The error is:
1/15/2009 15:10:50 - Process(6788.24) User(MUSR_MQADMIN) Program(amqrmppa.exe)
AMQ9660: SSL key repository: password stash file absent or unusable.
EXPLANATION:
The SSL key repository cannot be used because MQ cannot obtain a password to
access it. Reasons giving rise to this error include:
(a) the key database file and password stash file are not present in the
location configured for the key repository,
(b) the key database file exists in the correct place but that no password
stash file has been created for it,
(c) the files are present in the correct place but the userid under which MQ is
running does not have permission to read them,
(d) one or both of the files are corrupt.
The channel is 'to.mqhub_01'; in some cases its name cannot be determined and
so is shown as '????'. The channel did not start.
ACTION:
Ensure that the key repository variable is set to where the key database file
is. Ensure that a password stash file has been associated with the key database
file in the same directory, and that the userid under which MQ is running has
read access to both files. If both are already present and readable in the
correct place, delete and recreate them. Restart the channel.
If I have this in the SSLKEY property:
C:\Program Files\IBM\WebSphere MQ\qmgrs\CAP02REPL\ssl\key
I get this error:
1/15/2009 15:17:15 - Process(6788.34) User(MUSR_MQADMIN) Program(amqrmppa.exe)
AMQ9642: No SSL certificate for channel 'to.mqhub_01'.
EXPLANATION:
The channel 'to.mqhub_01' did not supply a certificate to use during SSL
handshaking, but a certificate is required by the remote queue manager. The
channel did not start.
ACTION:
Ensure that the key repository of the local queue manager or MQ client contains
an SSL certificate which is associated with the queue manager or client.
Alternatively, if appropriate, change the remote channel definition so that its
SSLCAUTH attribute is set to OPTIONAL and it has no SSLPEER value set.
If you have migrated from WebSphere MQ V5.3 to V6, it is possible that the
missing certificate is due to a failure during SSL key repository migration.
Check the relevant error logs. If these show that an orphan certificate was
encountered then you should obtain the relevant missing certification authority
(signer) certificates and then import these and the orphan certificate into the
WebSphere MQ V6 key repository, and then re-start the channel.
If I have this:
C:\Program Files\IBM\WebSphere MQ\qmgrs\CAP02REPL\ssl\key.kdb
I get this error:
AMQ9660: SSL key repository: password stash file absent or unusable.
Help? Thanks!
_________________
MQ 6.0.2.3
Broker 6.0.0.7
for Linux