uditara
Posted: Mon Jul 28, 2014 7:33 am Post subject: SSL Issue - Post migration of WMQ 7.0.1.10 to 7.5
Apprentice
Joined: 18 Nov 2013 Posts: 36
Hi All,
We recently migrated our queue managers from V7.0.1.10 to V7.5.0.3.
Post migration, all queue managers and objects are up and running.
During testing, the WebLogic/WebSphere-based applications that connect to our queue managers using SSL are getting the error exception below while connecting to the queue managers using a server connection channel (SSL):
SystemErr R Caused by: com.ibm.mq.jmqi.JmqiException: CC=2;RC=2397;AMQ9204: Connection to host '192.168.1.19(5531)' rejected. [1=com.ibm.mq.jmqi.JmqiException[CC=2; RC=2397;
AMQ9641: Remote CipherSpec error for channel 'SVNQMGW.SVN.SVRCON' to host ''.[3=SVNQMGW.SVN.SVRCON]]=192.168.1.19(5531),=RemoteConnection.analyseErrorSegment]
We are seeing this behaviour after the queue manager migration from V7.0.10 to V7.5.0.
Non-SSL-based applications are connecting to the queue manager without any changes.
Can someone please have a look into this SSL issue and let us know whether there is any difference in SSL configuration between queue manager V7.0.1.11 and V7.5....
FYI... This is one-way SSL authentication - the queue manager SSL certificate is shared with all client applications to connect using the SSL certificate.
Thanks,
UdiTar

JosephGramig
Posted: Mon Jul 28, 2014 9:52 am
Grand Master
Joined: 09 Feb 2006 Posts: 1244 Location: Gold Coast of Florida, USA
Hi UdiTar,
The error 2397 0x0000095d MQRC_JSSE_ERROR would indicate there is a mismatch between the client cipher and server. I would guess this is a result of your upgrade (and a correction to the cipher code).
What level is the MQ Client at?
For WAS, MQ Client is delivered as part of the product as a Resource Adapter so use this link to determine the level.

uditara
Posted: Tue Jul 29, 2014 2:44 am
Apprentice
Joined: 18 Nov 2013 Posts: 36
Hi Joseph,
Thanks for the quick response.
There is no mismatch between the MQ client cipher and the MQ server cipher, as the same cipher certificate was running smoothly before the upgrade/migration.... It was running smoothly in MQ 7.0.1.10.
The application client is using a WebSphere Application Server 7.0 MQ connection factory to connect to the queue manager. Nothing has changed at the client side post migration either.
Thanks,
UdiTar.....

exerk
Posted: Tue Jul 29, 2014 3:04 am
Jedi Council
Joined: 02 Nov 2006 Posts: 6339
A couple of questions:
1. Prior to the migration of the queue manager, was OCSP enabled or disabled?
2. What errors, if any, are you seeing in the queue manager log?
_________________
It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys.

JosephGramig
Posted: Tue Jul 29, 2014 4:53 am
Grand Master
Joined: 09 Feb 2006 Posts: 1244 Location: Gold Coast of Florida, USA
UdiTar,
I had this same problem when upgrading the same versions/components. In my case, IBM MQ corrected a flaw in the SSL negotiation in version 7.5.0.1 and that is what broke WAS 7.0 even though maintenance had been applied to WAS.
The Resource Adapter was not actually getting updated. Please read this and see if it applies to you.
I believe the upgrade of the MQ server has exposed a defect at the client. Also, ensure your WAS maintenance is reasonably up to date.

uditara
Posted: Wed Jul 30, 2014 4:13 am
Apprentice
Joined: 18 Nov 2013 Posts: 36
The application client is running WAS 7.0.0.33 and the MQ Resource Adapter level is 7.0.1.12.
Prior to the migration to 7.5.0.2 from 7.0.1.11, OCSP was disabled; right now it is also disabled.
Queue manager logs:
----- amqcccxa.c : 3945 -------------------------------------------------------
07/25/14 19:35:25 - Process(22020174.923) User(esbadmin) Program(amqrmppa)
Host(SVNQMGW11) Installation(Installation1)
VRMF(7.5.0.3) QMgr(SVNQMGW)
AMQ9999: Channel 'SVNQMGW.SVN.SVRCON' to host '10.77.111.12 (10.77.111.12)' ended
abnormally.
EXPLANATION:
The channel program running under process ID 22020174 for channel 'SVNQMGW.SVN.SVRCON'
ended abnormally. The host name is '10.77.111.12 (10.77.111.12)'; in some cases
the host name cannot be determined and so is shown as '????'.
ACTION:
Look at previous error messages for the channel program in the error logs to
determine the cause of the failure. Note that this message can be excluded
completely or suppressed by tuning the "ExcludeMessage" or "SuppressMessage"
attributes under the "QMErrorLog" stanza in qm.ini. Further information can be
found in the System Administration Guide.
----- amqrmrsa.c : 898 --------------------------------------------------------
07/25/14 19:43:38 - Process(22020174.927) User(esbadmin) Program(amqrmppa)
Host(SVNQMGW11) Installation(Installation1)
VRMF(7.5.0.3) QMgr(SVNQMGW)
AMQ9639: Remote channel 'SVNQMGW.SVN.SVRCON' did not specify a CipherSpec.
EXPLANATION:
Remote channel 'SVNQMGW.SVN.SVRCON' did not specify a CipherSpec when the local channel
expected one to be specified.
The remote host is '10.77.111.12 (10.77.111.12)'.
The channel did not start.
ACTION:
Change the remote channel 'SVNQMGW.SVN.SVRCON' on host '10.77.111.12 (10.77.111.12)' to
specify a CipherSpec so that both ends of the channel have matching
CipherSpecs.
-----------------------------------------------------------------------------------
07/25/14 21:32:07 - Process(22020174.992) User(esbadmin) Program(amqrmppa)
Host(SVNQMGW11) Installation(Installation1)
VRMF(7.5.0.3) QMgr(SVNQMGW)
AMQ9639: Remote channel 'SVNQMGW.SVN.SVRCON' did not specify a CipherSpec.
EXPLANATION:
Remote channel 'SVNQMGW.SVN.SVRCON' did not specify a CipherSpec when the local channel
expected one to be specified.
The remote host is '10.77.111.12 (10.77.111.12)'.
The channel did not start.
ACTION:
Change the remote channel 'SVNQMGW.SVN.SVRCON' on host '10.77.111.12 (10.77.111.12)' to
specify a CipherSpec so that both ends of the channel have matching
CipherSpecs.
----- amqcccxa.c : 3945 -------------------------------------------------------
07/25/14 21:32:07 - Process(22020174.992) User(esbadmin) Program(amqrmppa)
Host(SVNQMGW11) Installation(Installation1)
VRMF(7.5.0.3) QMgr(SVNQMGW)
AMQ9999: Channel 'SVNQMGW.SVN.SVRCON' to host '10.77.111.12 (10.77.111.12)' ended
abnormally.
EXPLANATION:
The channel program running under process ID 22020174 for channel 'SVNQMGW.SVN.SVRCON'
ended abnormally. The host name is '10.77.111.12 (10.77.111.12)'; in some cases
the host name cannot be determined and so is shown as '????'.
ACTION:
Look at previous error messages for the channel program in the error logs to
determine the cause of the failure. Note that this message can be excluded
completely or suppressed by tuning the "ExcludeMessage" or "SuppressMessage"
attributes under the "QMErrorLog" stanza in qm.ini. Further information can be
found in the System Administration Guide.
----- amqrmrsa.c : 898 --------------------------------------------------------
07/26/14 13:14:38 - Process(22020174.1011) User(esbadmin) Program(amqrmppa)
Host(SVNQMGW11) Installation(Installation1)
VRMF(7.5.0.3) QMgr(SVNQMGW)
AMQ9639: Remote channel 'SVNQMGW.SVN.SVRCON' did not specify a CipherSpec.
EXPLANATION:
Remote channel 'SVNQMGW.SVN.SVRCON' did not specify a CipherSpec when the local channel
expected one to be specified.
The remote host is '10.77.111.12 (10.77.111.12)'.
The channel did not start.
ACTION:
Change the remote channel 'SVNQMGW.SVN.SVRCON' on host '10.77.111.12 (10.77.111.12)' to
specify a CipherSpec so that both ends of the channel have matching
CipherSpecs.
The exception thrown is the same for all SSL-based server connection channels and application clients.
Note - When I disabled the CipherSpec on the MQ server connection channel, the application clients were able to connect to the queue manager without any error exception.
Thanks,
UdiTar

fjb_saper
Posted: Wed Jul 30, 2014 5:04 am
Grand High Poobah
Joined: 18 Nov 2003 Posts: 20756 Location: LI,NY
I don't remember seeing a mention whether this was an IBM JVM or a Sun JVM...
At 7.5.02 and 7.5.0.3, if using a non-IBM JVM and using SSL (JMS), request the fix in a PMR. You will need a fix for JMS and SSL to work with a non-IBM JVM.
This might apply to Java and SSL as well.
Have fun
_________________
MQ & Broker admin

JosephGramig
Posted: Wed Jul 30, 2014 5:47 am
Grand Master
Joined: 09 Feb 2006 Posts: 1244 Location: Gold Coast of Florida, USA
FJ,
UdiTar said WAS 7.0 was in use, so I would have to think that is the IBM JVM.
UdiTar,
Quote:
AMQ9639: Remote channel 'SVNQMGW.SVN.SVRCON' did not specify a CipherSpec.
EXPLANATION:
Remote channel 'SVNQMGW.SVN.SVRCON' did not specify a CipherSpec when the local channel
expected one to be specified.
Are you sure nothing changed? This seems pretty clear.
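
An added example, not part of any post in this thread: a small Python parser for queue manager error-log entries in the layout posted above. It folds each generic AMQ9999 into the specific message logged earlier by the same process, so AMQ9639 surfaces as the cause per channel and remote host. The sample log, channel names, hosts and process ids are constructed placeholders.

```python
import re
from collections import Counter

# Constructed sample in the layout of the error log quoted in the thread
# (channel names, hosts, user and process ids are placeholders).
SAMPLE = """\
----- amqrmrsa.c : 898 -----
07/25/14 19:43:38 - Process(4242.927) User(mqm) Program(amqrmppa)
AMQ9639: Remote channel 'APP.SVRCONN' did not specify a CipherSpec.
The remote host is '192.0.2.10 (192.0.2.10)'.
----- amqrmrsa.c : 898 -----
07/25/14 21:32:07 - Process(4242.992) User(mqm) Program(amqrmppa)
AMQ9639: Remote channel 'APP.SVRCONN' did not specify a CipherSpec.
The remote host is '192.0.2.11 (192.0.2.11)'.
----- amqcccxa.c : 3945 -----
07/25/14 21:32:07 - Process(4242.992) User(mqm) Program(amqrmppa)
AMQ9999: Channel 'APP.SVRCONN' to host '192.0.2.11 (192.0.2.11)' ended
abnormally.
----- amqcccxa.c : 3945 -----
07/26/14 08:00:00 - Process(4242.1003) User(mqm) Program(amqrmppa)
AMQ9999: Channel 'OTHER.SVRCONN' to host '192.0.2.12 (192.0.2.12)' ended
abnormally.
"""

ENTRY = re.compile(r"^-{5}.*$", re.M)                      # entry separator line
HEAD = re.compile(r"^(\S+ \S+) - Process\(([\d.]+)\)", re.M)
MSG = re.compile(r"^(AMQ\d{4}): .*?[Cc]hannel '([^']+)'", re.M)
HOST = re.compile(r"host(?: is)? '(\S+)")

def parse(text):
    """Yield (time, process, code, channel, host) for each error-log entry."""
    for block in ENTRY.split(text):
        head, msg, host = HEAD.search(block), MSG.search(block), HOST.search(block)
        if head and msg and host:
            yield head[1], head[2], msg[1], msg[2], host[1]

def root_causes(text):
    """Count failures per (channel, host, cause), folding AMQ9999 follow-ups."""
    last, causes = {}, Counter()
    for _time, proc, code, chan, host in parse(text):
        if code == "AMQ9999":
            # Generic "ended abnormally": count it only if no earlier
            # message from the same process already explains it.
            if last.pop(proc, None) is None:
                causes[(chan, host, "unexplained")] += 1
        else:
            last[proc] = code
            causes[(chan, host, code)] += 1
    return causes
```

A server connection channel with no CipherSpec does not use SSL/TLS, so clients that connect after the CipherSpec is cleared are connecting unencrypted; the AMQ9639 count per remote host shows which clients are not sending one.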