bare |
Posted: Wed Apr 23, 2014 10:48 pm Post subject: MQRC_KEY_REPOSITORY_ERROR using MQClient7.5 |
|
|
Newbie
Joined: 23 Apr 2014 Posts: 6
|
My MQ knowledge is very limited so I apologise for the ignorant questions.
I’ve installed MQ client (V7.5) on our application server and am attempting to connect to an existing channel on our MQ WebSphere server (V6.0).
I’ve created new queues which reference the existing channels. These channels make use of SSL.
I’ve attempted to use the following C# .Net code to connect to the new queues:
using System.Collections;
using IBM.WMQ;

Hashtable mqProperties = new Hashtable();
mqProperties.Add(MQC.SSL_CIPHER_SPEC_PROPERTY, @"**CipherCode**");
mqProperties.Add(MQC.SSL_CERT_STORE_PROPERTY, @"D:\keystore");
mqProperties.Add(MQC.HOST_NAME_PROPERTY, "**websphere server IP address**");
mqProperties.Add(MQC.CHANNEL_PROPERTY, "**channel name**");
mqProperties.Add(MQC.PORT_PROPERTY, "** port queue manager is set up to use**");
MQQueueManager mqQueueManager = new MQQueueManager("**Queue Manager Name**", mqProperties);
(items enclosed in ** have been replaced for privacy reasons. The keystore physical file is keystore.kdb)
I’m getting a MQRC_KEY_REPOSITORY_ERROR error in the logs for the application attempting to connect (CompCode: 2, Reason: 2381)
Any ideas what I’m doing wrong?
Do I need to specify the MQC.TRANSPORT_PROPERTY as MQC.TRANSPORT_MQSERIES_CLIENT?
Do I need to specify the MQC.SSL_PEER_NAME_PROPERTY? |
zpat |
Posted: Wed Apr 23, 2014 11:52 pm Post subject: |
|
|
 Jedi Council
Joined: 19 May 2001 Posts: 5866 Location: UK
|
Does the keystore have a password? _________________ Well, I don't think there is any question about it. It can only be attributable to human error. This sort of thing has cropped up before, and it has always been due to human error. |
bare |
Posted: Thu Apr 24, 2014 12:01 am Post subject: |
|
|
Newbie
Joined: 23 Apr 2014 Posts: 6
|
yes the keystore has a password |
zpat |
Posted: Thu Apr 24, 2014 12:34 am Post subject: |
|
|
 Jedi Council
Joined: 19 May 2001 Posts: 5866 Location: UK
|
Just a guess - did you create a stash file for the keystore? |
bare |
Posted: Thu Apr 24, 2014 3:29 am Post subject: |
|
|
Newbie
Joined: 23 Apr 2014 Posts: 6
|
I didn't set up the channel and keystore, but I'll check it out. So if there is a sth file I should copy it to the client machine? |
fjb_saper |
Posted: Thu Apr 24, 2014 6:24 am Post subject: |
|
|
 Grand High Poobah
Joined: 18 Nov 2003 Posts: 20756 Location: LI,NY
|
bare wrote: |
I didn't set up the channel and keystore, but I'll check it out. So if there is a sth file I should copy it to the client machine? |
You have more than one error in there....
The keystore is in fact comprised of 4 files with the same name, different suffix (kdb, sth, crl, ...) so even as a client, you will need the 4 files.
The certificate you are going to use should have the label ibmwebspheremq<username>.
You are specifying a cert store (keystore) but you are not specifying a trust store. You should specify both. They may point to the same file(s).
Have you tried the security wizard (support pack) to help you deal with SSL problems?
Have fun  _________________ MQ & Broker admin |
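A pre-flight check for the points raised in the reply above, run before constructing MQQueueManager. This is an added example, not code from any poster or from IBM: the class and method names are hypothetical, only the file suffixes named in the thread are checked, and lower-casing the user name in the label is an assumption.

```csharp
using System;
using System.Collections.Generic;
using System.IO;

static class KeyRepositoryPreflight
{
    // Suffixes named in the thread. The reply mentions a fourth file but does
    // not name it, so it is not checked here.
    static readonly string[] Suffixes = { ".kdb", ".sth", ".crl" };

    // stem: the value passed as MQC.SSL_CERT_STORE_PROPERTY, e.g. D:\keystore
    // for a repository whose database file is D:\keystore.kdb.
    public static List<string> Check(string stem)
    {
        var problems = new List<string>();
        if (Path.HasExtension(stem))
            problems.Add("'" + stem + "' has an extension; the original post passes the stem only");

        foreach (string suffix in Suffixes)
        {
            string file = stem + suffix;
            if (!File.Exists(file))
            {
                problems.Add(file + ": missing or not visible to " + Environment.UserName);
                continue;
            }
            try { using (File.OpenRead(file)) { } }   // can this identity read it?
            catch (UnauthorizedAccessException)
            {
                problems.Add(file + ": not readable by " + Environment.UserName);
            }
            catch (IOException e) { problems.Add(file + ": " + e.Message); }
        }
        return problems;
    }

    // Label convention quoted in the thread: ibmwebspheremq<username>.
    // Lower-casing the user name is an assumption of this sketch.
    public static string ExpectedLabel(string userName)
    {
        return "ibmwebspheremq" + userName.ToLowerInvariant();
    }

    static int Main(string[] args)
    {
        string stem = args.Length > 0 ? args[0] : @"D:\keystore"; // path from the post
        List<string> problems = Check(stem);
        foreach (string p in problems) Console.Error.WriteLine("key repository: " + p);
        Console.WriteLine("running as: " + Environment.UserName);
        Console.WriteLine("expected certificate label: " + ExpectedLabel(Environment.UserName));
        return problems.Count == 0 ? 0 : 1;
    }
}
```

Run it under the same account as the application, since both the file permissions and the expected label depend on that identity.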
bare |
Posted: Thu Apr 24, 2014 12:14 pm Post subject: |
|
|
Newbie
Joined: 23 Apr 2014 Posts: 6
|
Ok so is it as simple as just copying the 4 files to the client server?
We have a Windows service written in .NET running on the MQ server itself which makes use of the keystore in question. This all works. I noticed this code doesn't seem to use the MQC.SSL_CIPHER_SPEC_PROPERTY and MQC.SSL_CERT_STORE_PROPERTY properties. I'm assuming this is only required when connecting from another server using MQ client?
Where do I find the security wizard (support pack)?
Thanks for your patience. |
exerk |
Posted: Fri Apr 25, 2014 12:16 am Post subject: |
|
|
 Jedi Council
Joined: 02 Nov 2006 Posts: 6339
|
bare wrote: |
I noticed this code doesn't seem to use the MQC.SSL_CIPHER_SPEC_PROPERTY and MQC.SSL_CERT_STORE_PROPERTY properties. I'm assuming this is only required when connecting from another server using MQ client? |
The fact those properties are 'missing' may be because the DotNet client is using a Client Channel Definition Table (CCDT) file, in which the CipherSpec is defined within the channel attributes, and the location of that CCDT and Key Store will probably be defined in an mqclient.ini being used by the client; for more information see HERE. Speculation on my part of course!
bare wrote: |
Where do I find the security wizard (support pack)? |
It can be found HERE and comes from the general SupportPac page. _________________ It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys. |
bare |
Posted: Sun Apr 27, 2014 4:56 pm Post subject: |
|
|
Newbie
Joined: 23 Apr 2014 Posts: 6
|
I've copied all 4 files over and am now getting the following error in the logs:
28/04/2014 10:51:01 - Process(696.17) User(mqadmin) Program(amqrmppa.exe)
AMQ9637: Channel is lacking a certificate.
EXPLANATION:
The channel is lacking a certificate to use for the SSL handshake. The channel
name is '<<channel>>' (if '????' it is unknown at this stage in the SSL
processing). The channel did not start.
ACTION:
Make sure the appropriate certificates are correctly configured in the key
repositories for both ends of the channel.
If you have migrated from WebSphere MQ V5.3 to V6, it is possible that the
missing certificate is due to a failure during SSL key repository migration.
Check the relevant error logs. If these show that an orphan certificate was
encountered then you should obtain the relevant missing certification authority
(signer) certificates and then import these and the orphan certificate into the
WebSphere MQ V6 key repository, and then re-start the channel. |