sender channel that's in retrying, it reports SSL error AMQ96
riyaz_tak
Posted: Mon Jul 07, 2014 1:24 am    Post subject: sender channel that's in retrying, it reports SSL error AMQ96

Voyager

Joined: 05 Jan 2012
Posts: 92

Hi

We have a customer whose sender channel is in retry state after an outage.
They are trying to send the message but are getting the error below in their MQ error log:

AMQ9638: SSL communications error for channel 'XXXXXX'.

EXPLANATION:

Cause . . . . . : An unexpected SSL communications error occurred for a channel, as reported in the preceding messages. The channel is 'XXXXX';in some cases its name cannot be determined and so is shown as '????'. The channel did not start.
Recovery . . . : Investigate the problem reported in the preceding
messages. Review the local and remote console logs for reports of network
errors. Correct the errors and restart the channel.


We are not receiving any request from them and there is no entry in our MQ logs.

They are able to telnet to our system.
We are using WMQ 7.0.1.11 and Solaris 10.

Could you please suggest a probable reason for this error?

Regards
Riyaz
exerk
Posted: Mon Jul 07, 2014 2:17 am

Jedi Council

Joined: 02 Nov 2006
Posts: 6339

What was the nature of the outage, and what changes were made during the outage?
_________________
It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys.
fjb_saper
Posted: Mon Jul 07, 2014 4:51 am

Grand High Poobah

Joined: 18 Nov 2003
Posts: 20756
Location: LI,NY

You say they are able to telnet to your system. But are they able to telnet to your MQ port?
Channel auth records would not apply as, as stated, you are still at 7.0.1.
As asked by my colleague, what changed during the interval?
- IPs, network config, VPN tunnels, NAT, firewalls, routing, content of /etc/hosts, etc.?

_________________
MQ & Broker admin
smdavies99
Posted: Mon Jul 07, 2014 5:23 am

Jedi Council

Joined: 10 Feb 2003
Posts: 6076
Location: Somewhere over the Rainbow this side of Never-never land.

Outage + SSL leads me to ask: 'Did anything change in the keystore files?
Were they restored from a backup? Have they become corrupt?'

At the very least these questions should be discounted.
_________________
WMQ User since 1999
MQSI/WBI/WMB/'Thingy' User since 2002
Linux user since 1995

Every time you reinvent the wheel the more square it gets (anon). If in doubt think and investigate before you ask silly questions.
riyaz_tak
Posted: Mon Jul 07, 2014 9:06 pm

Voyager

Joined: 05 Jan 2012
Posts: 92

Hi All

Thanks for the reply.
No changes were made during the outage. The client simply restarted MQ.
We also didn't make any changes.
As of now we have turned off the SSL encryption to resume the messaging.
I checked the certificate at our end and it's not corrupted either.
There is no network issue.
We are using gsk7bas 7.0.4.45, gsk7bas64 7.0.4.45 and WMQ 7.0.1.11 on a Solaris 10 box.
Please let me know if you need more information on this.

Regards
Riyaz
MQsysprog
Posted: Mon Jul 07, 2014 9:57 pm

Centurion

Joined: 24 Feb 2014
Posts: 116

Hi

From the Knowledge Center:

http://www-01.ibm.com/support/knowledgecenter/?lang=en#!/SSFKSJ_7.0.1/com.ibm.mq.csqzax.doc/mo11700_.htm?cp=SSFKSJ_7.0.1%2F1-14-0-5-3-9

http://www-01.ibm.com/support/knowledgecenter/SSFKSJ_7.0.1/com.ibm.mq.csqzax.doc/mo11700_.htm?cp=SSFKSJ_7.0.1%2F1-14-0-5-3-9

we see that at 7.0.1 and following, MQ should give us a reason code
for this failure...
Have you been able to find it or to recreate this type of failure in a test
environment?
JosephGramig
Posted: Tue Jul 08, 2014 5:21 am

Grand Master

Joined: 09 Feb 2006
Posts: 1244
Location: Gold Coast of Florida, USA

If nothing changed and this is a restart, then maybe you just happened to get caught at the moment a Certificate expired.

Look at the details of both Qmgrs' certificates.
Code:
gsk7cmd -cert -details -label <QmgrLabel> -db keystore.kdb

I'm assuming you have mutual authentication specified on the channel's SSL params.
riyaz_tak
Posted: Tue Jul 08, 2014 8:47 pm

Voyager

Joined: 05 Jan 2012
Posts: 92

@JosephGramig The certificate has not expired. I have already checked. Any other idea?
JosephGramig
Posted: Wed Jul 09, 2014 4:36 am

Grand Master

Joined: 09 Feb 2006
Posts: 1244
Location: Gold Coast of Florida, USA

If none of the certs expired and the keystore passwd didn't expire, then something did change. This would not just passively fail for no reason. Is there any kind of cert revocation component configured?

What error did you get in your Qmgr's error log?

You and they should be able to build a second set of channels just for testing.
riyaz_tak
Posted: Wed Jul 09, 2014 4:53 am

Voyager

Joined: 05 Jan 2012
Posts: 92

QM's error log at client end:

AMQ9638: SSL communications error for channel 'XXXXXX'.

EXPLANATION:

Cause . . . . . : An unexpected SSL communications error occurred for a channel, as reported in the preceding messages. The channel is 'XXXXX';in some cases its name cannot be determined and so is shown as '????'. The channel did not start.
Recovery . . . : Investigate the problem reported in the preceding
messages. Review the local and remote console logs for reports of network
errors. Correct the errors and restart the channel.

We didn't get any error log at our end.
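AMQ9638 only says the failure is "reported in the preceding messages", so the evidence that matters is whatever the same channel process logged just before it. The following Python script is an added example, not part of the original thread: it pairs each AMQ9638 entry with those earlier entries. The log layout, the MM/DD/YY timestamp format, the 5-second window and the sample log (channel name `TO.PARTNER`, process ids, `sample.c` separators) are assumptions constructed for illustration.

```python
import re
from datetime import datetime, timedelta

# Constructed sample. Assumed AMQERR01.LOG layout: timestamp/Process header, AMQnnnn
# message line, EXPLANATION/ACTION text (omitted here), then a dashed separator.
SAMPLE_LOG = """\
07/07/14 01:19:02 - Process(2201.1) User(mqm) Program(amqrmppa)
AMQ9002: Channel 'TO.PARTNER' is starting.
----- sample.c : 1 -----
07/07/14 01:20:11 - Process(2310.7) User(mqm) Program(amqrmppa)
AMQ9633: Bad SSL certificate for channel 'TO.PARTNER'.
----- sample.c : 2 -----
07/07/14 01:20:11 - Process(2310.7) User(mqm) Program(amqrmppa)
AMQ9638: SSL communications error for channel 'TO.PARTNER'.
----- sample.c : 3 -----
07/07/14 01:25:40 - Process(2310.7) User(mqm) Program(amqrmppa)
AMQ9638: SSL communications error for channel 'TO.PARTNER'.
----- sample.c : 4 -----
"""

HEADER = re.compile(r"^(\d\d/\d\d/\d\d \d\d:\d\d:\d\d) - Process\((\d+\.\d+)\)")
MESSAGE = re.compile(r"^(AMQ\d{4}): (.*)$")

def parse_entries(text):
    """Return one dict per log entry: timestamp, process.thread id, message id, text."""
    entries, current = [], None
    for line in text.splitlines():
        if (h := HEADER.match(line)):
            current = {"time": datetime.strptime(h.group(1), "%m/%d/%y %H:%M:%S"),
                       "proc": h.group(2), "id": None}
            entries.append(current)
        elif current is not None and current["id"] is None and (m := MESSAGE.match(line)):
            current["id"], current["text"] = m.groups()
    return [e for e in entries if e["id"]]

def preceding_messages(entries, target="AMQ9638", window=timedelta(seconds=5)):
    """Pair each target entry with earlier same-thread message ids inside the window."""
    results = []
    for i, entry in enumerate(entries):
        if entry["id"] == target:
            earlier = [p["id"] for p in entries[:i]
                       if p["proc"] == entry["proc"] and p["id"] != target
                       and timedelta(0) <= entry["time"] - p["time"] <= window]
            results.append((entry["time"].strftime("%H:%M:%S"), earlier))
    return results

if __name__ == "__main__":
    for when, ids in preceding_messages(parse_entries(SAMPLE_LOG)):
        print(when, ids or "nothing preceding here: check AMQERR02/03.LOG and the peer's log")
```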
bruce2359
Posted: Wed Jul 09, 2014 5:02 am

Poobah

Joined: 05 Jan 2008
Posts: 9469
Location: US: west coast, almost. Otherwise, enroute.

A simple test: remove SSL from the channel definitions. Do the channels go to RUNNING without SSL?
_________________
I like deadlines. I like to wave as they pass by.
ב''ה
Lex Orandi, Lex Credendi, Lex Vivendi. As we Worship, So we Believe, So we Live.
JosephGramig
Posted: Wed Jul 09, 2014 8:54 am

Grand Master

Joined: 09 Feb 2006
Posts: 1244
Location: Gold Coast of Florida, USA

bruce2359 wrote:
A simple test: remove SSL from the channel definitions. Do the channels go to RUNNING without SSL?

riyaz_tak did say they removed SSL to resume...

Please display both channel definitions...
riyaz_tak
Posted: Wed Jul 09, 2014 9:52 pm

Voyager

Joined: 05 Jan 2012
Posts: 92

Hi

Below is the channel definition at our end. I don't have the client channel definition.

define channel ('channel_name') +
chltype (rcvr) +
trptype (tcp) +
sslcauth (required) +
sslciph (RC4_MD5_EXPORT) +
mcauser ('rubbish') +
maxmsgl (65536) +
scyexit ('/u1/mqu/lib/exit.so(secExit)') +
scydata ('cfg/sec.cfg') +
sslpeer ('CN=xxx,O=xxxx,ST=xxx,C=XX')
fjb_saper
Posted: Fri Jul 11, 2014 4:45 am

Grand High Poobah

Joined: 18 Nov 2003
Posts: 20756
Location: LI,NY

I see there is a security exit on the channel.
Did an upgrade happen at any of the channel endpoints?
Does the security exit need to be changed / upgraded / recompiled in any way?

Does the channel work with the security exit and no SSL?
_________________
MQ & Broker admin
Inisah
Posted: Tue Jul 29, 2014 5:48 am

Apprentice

Joined: 21 Mar 2014
Posts: 44

Did you try 'REFRESH SECURITY' at both sender and receiver ends?