pintrader
Posted: Tue Sep 16, 2014 11:11 pm    Post subject: strange SSL connection issue
Disciple
Joined: 22 Jan 2014    Posts: 164
hi
I have a strange issue with SSL; wonder if anyone has encountered it before.
I have a sender channel (S) and a receiver channel (R).
Both are configured for SSL. They were working fine until something happened to the Unix server and I had to restart the QMGR. Now the sender channel is still working as before. However, the remote site is now not able to establish an SSL connection to the receiver channel. The error at the remote site says "tcp connection timeout".
At the receiving end, there was no error in the error log. The strange thing is, when I disabled SSL and used a normal connection, the receiver channels could start and establish with the remote. Hence I had deduced there's something wrong with SSL (or maybe it is the network?).
Hope you can shed some light.
thanks
fjb_saper
Posted: Wed Sep 17, 2014 4:42 am    Post subject:
Grand High Poobah
Joined: 18 Nov 2003    Posts: 20756    Location: LI,NY
Unlikely to be the network if the standard connection goes through fine.
Check however with the firewall team, as they can distinguish between normal and SSL traffic...
Also check that all the certs are in place in the qmgr's truststore, especially the signer chain of the partner... If need be, use refresh security type (SSL).
Also check the SSL peer setup.
Have fun
_________________
MQ & Broker admin
pintrader
Posted: Wed Sep 17, 2014 5:46 am    Post subject:
Disciple
Joined: 22 Jan 2014    Posts: 164
fjb_saper wrote:
Unlikely to be the network if the standard connection goes through fine.
Check however with the firewall team, as they can distinguish between normal and SSL traffic...
Also check that all the certs are in place in the qmgr's truststore, especially the signer chain of the partner... If need be, use refresh security type (SSL).
Also check the SSL peer setup.
Have fun :innocent:

hi, thanks for the tips. Actually the sender channels and receiver channels are using the same keystore, peer and cipher. The sender channel's SSL works, its status is RUNNING and I am able to send messages across. That's why I eliminated the possibility of SSL configuration errors. Besides, if there are SSL errors, they should be reflected in the logs, but so far there is nothing in the logs that pertains to SSL.
I have even restarted the QMGR and also recreated the receiver channels; however the problem persists. Have already escalated to the firewall team.
thanks
fjb_saper
Posted: Thu Sep 18, 2014 4:52 am    Post subject:
Grand High Poobah
Joined: 18 Nov 2003    Posts: 20756    Location: LI,NY
Also: it is bad practice to use the same certs for different qmgrs.
Each qmgr should have its own cert.
If you have a lot of them to do, don't use a self-signed cert; set up your own CA (for free) and use CA-signed certs (signed by your own CA).
Most enterprises have an internal CA. Speak to your security team.
Have fun
_________________
MQ & Broker admin
pintrader
Posted: Thu Sep 18, 2014 5:21 am    Post subject:
Disciple
Joined: 22 Jan 2014    Posts: 164
fjb_saper wrote:
Also: it is bad practice to use the same certs for different qmgrs.
Each qmgr should have its own cert.
If you have a lot of them to do, don't use a self-signed cert; set up your own CA (for free) and use CA-signed certs (signed by your own CA).
Most enterprises have an internal CA. Speak to your security team.
Have fun :innocent:

hi, thanks.
Actually it's like this:
MyQMGR ===sender channel==> OtherQMGR
MyQMGR <==receiver channel== OtherQMGR
MyQMGR is already signed with a CA, as I have imported the cert. OtherQMGR also has a cert.
I have exchanged both QMGRs' certs. I don't understand what you mean by "use the same cert for different managers" because I only have 2 QMGRs.
For the sender channel and receiver channel of MyQMGR I have defined SSLCIPH to be the same, and SSLPEER(CN=OtherQMGR...). Their channel definitions are the same. So if the sender channel doesn't have SSL problems, by right the receiver shouldn't either.
thanks.
mqjeff
Posted: Thu Sep 18, 2014 5:24 am    Post subject:
Grand Master
Joined: 25 Jun 2008    Posts: 17447
The SSLPEER needs to be different on each side.
On the receiver side of MyQMGR, SSLPEER needs to be set to allow OtherQMGR.
On the receiver side of OtherQMGR, SSLPEER needs to be set to allow MyQMGR.
They don't need to match.
It's not clear that this would make a difference between "after restart" and "after normal operation", however. Perhaps you hadn't restarted the channel after enabling SSL, and it was still running in normal mode until you restarted?
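To make mqjeff's point concrete (each channel checks the certificate its partner presents, so the SSLPEER on MyQMGR's channels names OtherQMGR while the SSLPEER on OtherQMGR's channels must name MyQMGR), here is an added example that is not from the thread and not IBM MQ code. It is a simplified, self-contained model of how an SSLPEER filter is matched against a certificate Distinguished Name; the two DNs, the attribute rules (comma/semicolon separators, case-insensitive comparison, a leading or trailing `*` as wildcard, attribute order ignored) and the function names are assumptions made for the example, and real MQ has further rules (for example around repeated OU attributes) that are not modelled. The same filter syntax also appears in CHLAUTH SSLPEERMAP records, so the check applies there too.

```python
"""Simplified model of IBM MQ SSLPEER filter matching (added example, not IBM code).

Assumptions made here (not stated in the thread):
  - Filter attributes are separated by commas or semicolons, written ATTR=value.
  - A lone '*' matches any value; '*' at the start or end of a value is a
    suffix/prefix wildcard.
  - Comparison is case-insensitive and ignores surrounding whitespace.
  - Attribute order is ignored. Real MQ has extra rules (e.g. for repeated
    OU attributes) that this model does not implement.
"""
import re
from typing import Dict, List


def parse_dn(dn: str) -> Dict[str, List[str]]:
    """'CN=x, O=y, OU=a, OU=b' -> {'CN': ['x'], 'O': ['y'], 'OU': ['a', 'b']}."""
    attrs: Dict[str, List[str]] = {}
    for part in re.split(r"\s*[,;]\s*", dn.strip()):
        if not part:
            continue
        attr, _, value = part.partition("=")
        attrs.setdefault(attr.strip().upper(), []).append(value.strip())
    return attrs


def value_matches(pattern: str, value: str) -> bool:
    """Match one filter value against one DN attribute value."""
    p, v = pattern.lower(), value.lower()
    if p == "*":
        return True
    if p.startswith("*"):
        return v.endswith(p[1:])
    if p.endswith("*"):
        return v.startswith(p[:-1])
    return p == v


def sslpeer_allows(sslpeer: str, cert_dn: str) -> bool:
    """True if every attribute named in the SSLPEER filter is satisfied by the DN.
    An attribute that the filter names but the DN lacks is a mismatch."""
    dn = parse_dn(cert_dn)
    for attr, patterns in parse_dn(sslpeer).items():
        present = dn.get(attr, [])
        for pattern in patterns:
            if not any(value_matches(pattern, v) for v in present):
                return False
    return True


# Constructed sample DNs standing in for the two queue managers in the thread.
MY_DN = "CN=MyQMGR, OU=MQ, O=Example Corp, C=US"
OTHER_DN = "CN=OtherQMGR, OU=MQ, O=Partner Ltd, C=GB"


def check_channel_pair(my_receiver_sslpeer: str, other_receiver_sslpeer: str) -> Dict[str, bool]:
    """Each receiver sees the partner's certificate, so MyQMGR's filter is tested
    against OtherQMGR's DN and OtherQMGR's filter against MyQMGR's DN."""
    return {
        "MyQMGR receiver accepts OtherQMGR": sslpeer_allows(my_receiver_sslpeer, OTHER_DN),
        "OtherQMGR receiver accepts MyQMGR": sslpeer_allows(other_receiver_sslpeer, MY_DN),
    }


if __name__ == "__main__":
    # Correct: each side names the other queue manager.
    print(check_channel_pair("CN=OtherQMGR", "CN=MyQMGR"))
    # Wrong: MyQMGR's filter copied verbatim onto OtherQMGR's receiver.
    print(check_channel_pair("CN=OtherQMGR", "CN=OtherQMGR"))
```

Note that a peer-name mismatch is rejected during the TLS handshake and the queue manager records it in its error log (AMQ9636 is the message for a DN that does not match SSLPEER), so this kind of misconfiguration produces log evidence rather than the silent TCP timeout described in the thread.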
exerk
Posted: Thu Sep 18, 2014 6:12 am    Post subject:
Jedi Council
Joined: 02 Nov 2006    Posts: 6339
pintrader wrote:
...I have exchanged both QMGR's certs...

Please clarify this - do you mean:
1. You have sent your CA certs for inclusion within the OtherQMGR key store (and vice versa), or;
2. You have exported the MyQMGR personal certificate and sent that for inclusion in the OtherQMGR key store (and vice versa)?
_________________
It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys.
pintrader
Posted: Thu Sep 18, 2014 7:16 pm    Post subject:
Disciple
Joined: 22 Jan 2014    Posts: 164
mqjeff wrote:
The SSLPEER needs to be different on each side.
On the receiver side of MyQMGR, SSLPEER needs to be set to allow OtherQMGR.
On the receiver side of OtherQMGR, SSLPEER needs to be set to allow MyQMGR.
They don't need to match.
It's not clear that this would make a difference between "after restart" and "after normal operation", however. Perhaps you hadn't restarted the channel after enabling SSL, and it was still running in normal mode until you restarted?

hi mqjeff, thanks. Actually it was working fine, both sender and receivers with SSL, until some maintenance was done and MyQMGR went down. Now only my receiver channels cannot communicate with OtherQMGR on SSL. A normal connection without SSL is fine. As fjb mentioned, I also suspect some SSL traffic coming from OtherQMGR is being filtered.
pintrader
Posted: Thu Sep 18, 2014 7:19 pm    Post subject:
Disciple
Joined: 22 Jan 2014    Posts: 164
exerk wrote:
pintrader wrote:
...I have exchanged both QMGR's certs...
Please clarify this - do you mean:
1. You have sent your CA certs for inclusion within the OtherQMGR key store (and vice versa), or;
2. You have exported the MyQMGR personal certificate and sent that for inclusion in the OtherQMGR key store (and vice versa)?

hi exerk, thanks. Yes, both QMGRs have each other's certs. This was no problem, as they were working fine before there was maintenance done on the machines. (I mentioned in my first post that something happened to the Unix server; it was later found out to be maintenance.) Right now the strange thing is that if my SSL is corrupted, there should be errors in the MyQMGR error logs or OtherQMGR's log, but they don't have any errors. (My sender channels remain working with SSL.)
fjb_saper
Posted: Thu Sep 18, 2014 9:41 pm    Post subject:
Grand High Poobah
Joined: 18 Nov 2003    Posts: 20756    Location: LI,NY
After maintenance? Does this include enabling channel auth records?
Have you checked that the channel auth records allow a connection from the remote IP with the remote qmgr name?
_________________
MQ & Broker admin
exerk
Posted: Thu Sep 18, 2014 9:45 pm    Post subject:
Jedi Council
Joined: 02 Nov 2006    Posts: 6339
pintrader wrote:
exerk wrote:
pintrader wrote:
...I have exchanged both QMGR's certs...
Please clarify this - do you mean:
1. You have sent your CA certs for inclusion within the OtherQMGR key store (and vice versa), or;
2. You have exported the MyQMGR personal certificate and sent that for inclusion in the OtherQMGR key store (and vice versa)?
hi exerk, thanks. Yes, both QMGRs have each other's certs. This was no problem, as they were working fine before there was maintenance done on the machines. (I mentioned in my first post that something happened to the Unix server; it was later found out to be maintenance.) Right now the strange thing is that if my SSL is corrupted, there should be errors in the MyQMGR error logs or OtherQMGR's log, but they don't have any errors. (My sender channels remain working with SSL.)

So, number 2 then, which prompts the question of why?
_________________
It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys.
pintrader
Posted: Fri Sep 19, 2014 12:16 am    Post subject:
Disciple
Joined: 22 Jan 2014    Posts: 164
fjb_saper wrote:
After maintenance? Does this include enabling channel auth records?
Have you checked that the channel auth records allow a connection from the remote IP with the remote qmgr name? :innocent:

hi fjb, I have set channel auth records before; that's why it was working before the servers went down for maintenance. So I should re-define the channel auth records?
Besides, if it's authentication or authorization errors on the channel, then any errors would have been recorded as well? However, I see nothing on the server and the sender side.
Also, if I turn off SSL on the receiver channels, they are able to connect with OtherQMGR.
fjb_saper
Posted: Fri Sep 19, 2014 8:47 am    Post subject:
Grand High Poobah
Joined: 18 Nov 2003    Posts: 20756    Location: LI,NY
If your SSL is not misconfigured, the only thing I can think of is the firewall selectively not allowing SSL through...
_________________
MQ & Broker admin
pintrader
Posted: Fri Sep 19, 2014 5:10 pm    Post subject:
Disciple
Joined: 22 Jan 2014    Posts: 164
fjb_saper wrote:
If your SSL is not misconfigured, the only thing I can think of is the firewall selectively not allowing SSL through... :innocent:

hi fjb, yes, that's what I thought too after you mentioned it. Have already asked the relevant parties to check. Thanks for going through this with me. Appreciate it.