samsansam
Posted: Thu Mar 20, 2014 8:52 am Post subject: Channel in retry after implementing 2048 cert.
Apprentice
Joined: 19 Mar 2014 Posts: 41
Version: 6.0.2.11
We are upgrading certs from 1024 to 2048 bit. Once we did this the sender channel on our end went into retry and gave this error
User(mqm) Program(runmqchl_nd)
AMQ9633: Bad SSL certificate for channel 'Channel 1'.
EXPLANATION:
A certificate encountered during SSL handshaking is regarded as bad for one of
the following reasons:
(a) it was formatted incorrectly and could not be validated, or
(b) it was formatted correctly but failed validation against the Certification
Authority (CA) root and other certificates held on the local system, or
(c) it was found in a Certification Revocation List (CRL) on an LDAP server.
(d) a CRL was specified but the CRL could not be found on the LDAP server.
The channel is 'Channel 1'; in some cases its name cannot be
determined and so is shown as '????'. The channel did not start.
ACTION:
Check which of the three possible causes applies on your system. Correct the
error, and restart the channel.
On the remote end they see this error code CSQX634E.
I am able to put the old .kdb file back and it works, it only errors out when switching to the new cert.
Could it be because the version of MQ doesn't support 2048?
Any info will help. Thanks
Vitor
Posted: Thu Mar 20, 2014 9:18 am Post subject: Re: Channel in retry after implementing 2048 cert.
Grand High Poobah
Joined: 11 Nov 2005 Posts: 26093 Location: Texas, USA
samsansam wrote:
Could it be because the version of MQ doesn't support 2048?
Given how old (and unsupported) that version of WMQ is, I would not be surprised to discover that was the case. _________________ Honesty is the best policy.
Insanity is the best defence.
samsansam
Posted: Thu Mar 20, 2014 10:45 am Post subject:
Apprentice
Joined: 19 Mar 2014 Posts: 41
Do you know of any documentation to confirm this? The root and intermediate are 2048; it's just the qmgr cert that only works with the old 1024 cert.
Vitor
Posted: Thu Mar 20, 2014 11:19 am Post subject:
Grand High Poobah
Joined: 11 Nov 2005 Posts: 26093 Location: Texas, USA
samsansam wrote:
Do you know of any documentation to confirm this? The root and intermediate are 2048; it's just the qmgr cert that only works with the old 1024 cert.
I wouldn't know where to find any v6 documentation which talks about maximum supported key size.
I also wouldn't know why, even if the SSL worked, you'd still be using a queue manager so far out of support. _________________ Honesty is the best policy.
Insanity is the best defence.
exerk
Posted: Thu Mar 20, 2014 11:45 am Post subject: Re: Channel in retry after implementing 2048 cert.
Jedi Council
Joined: 02 Nov 2006 Posts: 6339
samsansam wrote:
...I am able to put the old .kdb file back and it works, it only errors out when switching to the new cert...
And the new key store contains the required CA certs, for both yours and their certificate? And their end also? _________________ It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys.
JosephGramig
Posted: Thu Mar 20, 2014 12:22 pm Post subject:
Grand Master
Joined: 09 Feb 2006 Posts: 1244 Location: Gold Coast of Florida, USA
And WMQ 6.0 also uses an old GS Kit which certainly does not support certs of the size you are trying. The manual also tells you to use the GS Kit that came with MQ to maintain the Qmgr's key store.
The hint was "Upgrade Bro".
samsansam
Posted: Thu Mar 20, 2014 10:32 pm Post subject:
Apprentice
Joined: 19 Mar 2014 Posts: 41
Exerk
Yes, the new key store contains the required CA certs for both sides.
JosephGramig
I wish I could upgrade, but it is not my decision.
GS Kit did create the cert with 2048 bit, but I couldn't make it work with this Version: 6.0.2.11.
I know we are missing one patch, 6.0.2.12, but not sure if that will help.
Is there any way to know if 2048 bit will work with the version we have?
Can someone provide me with steps to set up SSL on both ends? I know the steps, just in case I missed something.
exerk
Posted: Thu Mar 20, 2014 10:54 pm Post subject:
Jedi Council
Joined: 02 Nov 2006 Posts: 6339
samsansam wrote:
Exerk
Yes, the new key store contains the required CA certs for both sides...
Your key store may do so but what about the 'other' end? Are you using the same CA as that which signed the 1024 bit certs, and if so, did that CA re-issue their signer certs or are you using the ones you had previously when using the 1024 bit certs? _________________ It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys.
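The two checks raised in this thread (does each end's key store hold every signer needed to validate the peer's personal certificate, and does any certificate in the chain exceed the key size the local SSL library supports) can be modelled directly. This is an added example, not code from the thread or from IBM MQ: the key stores are constructed dicts rather than parsed .kdb files, and the key-size limit is passed in as an assumption because the thread gives no figure for v6.

```python
# Added example, not from the thread: models the two checks raised above.
# Key stores are constructed dicts (subject, issuer, bits, personal flag), not
# parsed .kdb files; max_bits is an assumed limit, the thread gives no figure.

def build_chain(leaf, store):
    """Follow issuer -> subject links from `leaf` to a self-signed root using
    the signers in `store`. Returns (chain, missing); missing is the issuer
    name that could not be found, or None if the chain closed at a root."""
    by_subject = {c["subject"]: c for c in store}
    chain, current = [], leaf
    while True:
        chain.append(current)
        if current["issuer"] == current["subject"]:
            return chain, None                      # reached a root
        nxt = by_subject.get(current["issuer"])
        if nxt is None or nxt in chain:
            return chain, current["issuer"]         # signer absent (or loop)
        current = nxt

def check_channel(local, remote, max_bits):
    """Each end validates the peer's personal cert against its own signers,
    as both ends of an MQ channel do in the handshake. Returns findings;
    an empty list means chain closure and key size passed in both directions."""
    findings = []
    for side, mine, peer in (("local", local, remote), ("remote", remote, local)):
        leaf = next(c for c in peer if c["personal"])
        signers = [c for c in mine if not c["personal"]]
        chain, missing = build_chain(leaf, signers)
        if missing:
            findings.append(f"{side} end cannot validate {leaf['subject']}: "
                            f"signer {missing} not in {side} key store")
        for c in chain:
            if c["bits"] > max_bits:
                findings.append(f"{side} end: {c['subject']} is {c['bits']}-bit, "
                                f"over the assumed {max_bits}-bit limit")
    return findings

def cert(subject, issuer, bits, personal=False):
    return {"subject": subject, "issuer": issuer, "bits": bits, "personal": personal}

# Constructed stores: the remote side never imported the new intermediate CA.
ROOT = cert("CN=Root CA", "CN=Root CA", 2048)
INTER = cert("CN=Inter CA", "CN=Root CA", 2048)
LOCAL_STORE = [cert("CN=QM1", "CN=Inter CA", 2048, personal=True), INTER, ROOT]
REMOTE_STORE = [cert("CN=QM2", "CN=Inter CA", 2048, personal=True), ROOT]

if __name__ == "__main__":
    for line in check_channel(LOCAL_STORE, REMOTE_STORE, max_bits=4096):
        print(line)
```

Running it with a lower assumed limit (for example 1024) shows how an old SSL library's key-size ceiling would be reported separately from a missing signer, so the two causes can be told apart.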
samsansam
Posted: Fri Mar 21, 2014 5:30 am Post subject:
Apprentice
Joined: 19 Mar 2014 Posts: 41
Exerk, I have tried both. First the newly issued signers that are 2048, then the old ones, which are also 2048. The only time it works is when I delete the qmgr cert and then go back and add it. I doubt that is the correct way though.