SSL error when using CCDT
pintrader |
Posted: Thu Sep 25, 2014 6:23 am Post subject: SSL error when using CCDT
Disciple
Joined: 22 Jan 2014 Posts: 164
hi,
I have several channels defined on QMGR with SSL enabled. When I bring over the AMQCLCHL.TAB file to the clients and set the variables to run the trigger monitor:
Code:
MQCHLLIB="/application"          # directory holding the client channel table
export MQCHLLIB
MQCHLTAB="AMQCLCHL.TAB"          # file name of the client channel table
export MQCHLTAB
MQSSLKEYR="/var/mqm/ssl/mykeystore" # this is the keystore at the client (path without the .kdb suffix)
export MQSSLKEYR
runmqtmc -m QMGR -q SOMECHANNEL.INITQ &
I encounter error:
AMQ9636: SSL distinguished name does not match peer name, channel 'SOMECHANNEL.CHANNEL'
I googled a bit, found
1) http://www-01.ibm.com/support/docview.wss?uid=swg1IV40268
2) http://www-01.ibm.com/support/docview.wss?uid=swg1IC98121
But I am not sure if it is the problem. My version is 7.5.0.3 (for client and QMGR)
hughson |
Posted: Thu Sep 25, 2014 6:47 am Post subject: Re: SSL error when using CCDT
 Padawan
Joined: 09 May 2013 Posts: 1959 Location: Bay of Plenty, New Zealand
pintrader wrote:
I encounter error:
AMQ9636: SSL distinguished name does not match peer name, channel 'SOMECHANNEL.CHANNEL'
If you are encountering this error on the client side, there are two things you should look at here:-
- What does the error message in the client AMQERR01.LOG show as the peer name it's failed to match against
- What does the SSLPEER in the CLNTCONN definition in your CCDT contain?
If you are encountering this error on the queue manager side, there are two things you should look at here:-
- What does the error message in the queue manager AMQERR01.LOG show as the peer name it's failed to match against
- What does the SSLPEER in the SVRCONN definition in your CCDT contain?
Comparing these two pieces of information will show you why it didn't match.
With respect to the links you mention, are you using Multi-Instance queue managers or a DN with a UID attribute?
Cheers
Morag
_________________
Morag Hughson @MoragHughson
IBM MQ Technical Education Specialist
Get your IBM MQ training here!
MQGem Software
exerk |
Posted: Thu Sep 25, 2014 6:48 am
 Jedi Council
Joined: 02 Nov 2006 Posts: 6339
Look at the DN values in the Client's certificate and the queue manager's certificate, then compare those values to the SSLPEER values set in the CLNTCONN/SVRCONN pair.
And (IMHO) it's not a good idea to leave the name of the CCDT as-is; it gets terribly confusing when you have a number of clients, and it is all too easy to overwrite a file you really didn't want to.
_________________
It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys.
pintrader |
Posted: Thu Sep 25, 2014 7:40 am Post subject: Re: SSL error when using CCDT
Disciple
Joined: 22 Jan 2014 Posts: 164
hughson wrote:
pintrader wrote:
I encounter error:
AMQ9636: SSL distinguished name does not match peer name, channel 'SOMECHANNEL.CHANNEL'
If you are encountering this error on the client side, there are two things you should look at here:-
- What does the error message in the client AMQERR01.LOG show as the peer name it's failed to match against
- What does the SSLPEER in the CLNTCONN definition in your CCDT contain?
Hi, it happens on the client side.
Here are my channel definitions on the QMGR side. I have different client apps at different hosts. Also, I have SDR and RCVR channels as well.
* svr connection
DEFINE channel(CHL.APP1) CHLTYPE(SVRCONN) TRPTYPE(TCP) SSLCIPH('...') SSLPEER('CN=host1')
DEFINE channel(CHL.APP2) CHLTYPE(SVRCONN) TRPTYPE(TCP) SSLCIPH('...') SSLPEER('CN=host1')
DEFINE channel(CHL.APP3) CHLTYPE(SVRCONN) TRPTYPE(TCP) SSLCIPH('...') SSLPEER('CN=host1')
DEFINE channel(CHL.APP4) CHLTYPE(SVRCONN) TRPTYPE(TCP) SSLCIPH('...') SSLPEER('CN=host2')
DEFINE channel(CHL.APP5) CHLTYPE(SVRCONN) TRPTYPE(TCP) SSLCIPH('...') SSLPEER('CN=host3')
DEFINE channel(CHL.APP6) CHLTYPE(SVRCONN) TRPTYPE(TCP) SSLCIPH('...') SSLPEER('CN=host3')
* client connection
DEFINE channel(CHL.APP1) CHLTYPE(CLNTCONN) TRPTYPE(TCP) CONNAME('x.x.x.x(1414)') QMNAME(QMGR) SSLCIPH('...') SSLPEER('CN=host1')
DEFINE channel(CHL.APP2) CHLTYPE(CLNTCONN) TRPTYPE(TCP) CONNAME('x.x.x.x(1414)') QMNAME(QMGR) SSLCIPH('...') SSLPEER('CN=host1')
DEFINE channel(CHL.APP3) CHLTYPE(CLNTCONN) TRPTYPE(TCP) CONNAME('x.x.x.x(1414)') QMNAME(QMGR) SSLCIPH('...') SSLPEER('CN=host1')
DEFINE channel(CHL.APP4) CHLTYPE(CLNTCONN) TRPTYPE(TCP) CONNAME('x.x.x.x(1414)') QMNAME(QMGR) SSLCIPH('...') SSLPEER('CN=host2')
DEFINE channel(CHL.APP6) CHLTYPE(CLNTCONN) TRPTYPE(TCP) CONNAME('x.x.x.x(1414)') QMNAME(QMGR) SSLCIPH('...') SSLPEER('CN=host3')
DEFINE channel(CHL.APP5) CHLTYPE(CLNTCONN) TRPTYPE(TCP) CONNAME('x.x.x.x(1414)') QMNAME(QMGR) SSLCIPH('...') SSLPEER('CN=host3')
DEFINE CHANNEL(SDR.CHANNEL) CHLTYPE(SDR) CONNAME('x.x.x.x(1414)') SSLCIPH('...') SSLPEER('CN=host7') ...
DEFINE CHANNEL(RCVR.CHANNEL) CHLTYPE(RCVR) SSLCIPH('...') SSLPEER('CN=host7') ....
My APP1, APP2 and APP3 are all running on the same machine (host1). I am doing this trigger monitoring on host1 currently for APP1.
1) The QMGR CSR was created with -dn CN=myQMGR.domain.com. The error in the client MQ log at "host1" says "The distinguished name SERIALNUMBER=AA:BB:CC:DD CN=myQMGR.domain.com contained in the SSL cert for the remote end of the channel does not match the local SSL PEER name for the channel CHL.APP5".
My APP5 application is at host3, not host1. So I am not sure why it is using CHL.APP5. Not sure if my environment variable is set correctly.
2) How do you see the SSLPEER in the CCDT, as it is a binary file? I guess you can view it from my channel definition above?
I am not using a multi-instance QMGR, just one QMGR, and the DN is using the host name, not a UID.
Why is it that the MQSERVER variable cannot be used for SSL channels? I have used the amqssslc command to test the SSL connection with MQSERVER set to the respective channel, i.e. export MQSERVER="CHL.APP1/TCP/x.x.x.x(1414)", and it works.
thanks for the help
Last edited by pintrader on Thu Sep 25, 2014 7:57 am; edited 1 time in total
exerk |
Posted: Thu Sep 25, 2014 7:48 am
 Jedi Council
Joined: 02 Nov 2006 Posts: 6339
You need the queue manager DN values in the CLNTCONN definition SSLPEER attribute, and the client DN values in the SVRCONN definition SSLPEER attribute.
Moving this to the Security Forum...
_________________
It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys.
pintrader |
Posted: Thu Sep 25, 2014 7:59 am
Disciple
Joined: 22 Jan 2014 Posts: 164
exerk wrote:
You need the queue manager DN values in the CLNTCONN definition SSLPEER attribute, and the client DN values in the SVRCONN definition SSLPEER attribute.
Moving this to the Security Forum...
hi, thanks. That means, for example,
DEFINE channel(CHL.APP1) CHLTYPE(CLNTCONN) TRPTYPE(TCP) CONNAME('x.x.x.x(1414)') QMNAME(QMGR) SSLCIPH('...') SSLPEER('CN=myQMGR.domain.com')
right?
thanks
hughson |
Posted: Thu Sep 25, 2014 8:06 am Post subject: Re: SSL error when using CCDT
 Padawan
Joined: 09 May 2013 Posts: 1959 Location: Bay of Plenty, New Zealand
pintrader wrote:
Hi, it happens on the client side
* client connection
DEFINE channel(CHL.APP5) CHLTYPE(CLNTCONN) TRPTYPE(TCP) CONNAME('x.x.x.x(1414)') QMNAME(QMGR) SSLCIPH('...') SSLPEER('CN=host3')
I am doing this trigger monitoring on host1 currently for APP1.
1) The QMGR CSR was created with -dn CN=myQMGR.domain.com. The error in the client MQ log at "host1" says "The distinguished name SERIALNUMBER=AA:BB:CC:DD CN=myQMGR.domain.com contained in the SSL cert for the remote end of the channel does not match the local SSL PEER name for the channel CHL.APP5"
So your client channel is comparing CN=host3 with CN=myQMGR.domain.com and telling you they don't match. You need to set the SSLPEER on your CLNTCONNs to contain a filter that will match the queue manager's certificate.
pintrader wrote:
2) How do you see the SSLPEER in the CCDT, as it is a binary file?
You can either use MO71's MQSCX tool, or if you have MQ V8, then runmqsc -n will also do it.
pintrader wrote:
I am not using a multi-instance QMGR, just one QMGR, and the DN is using the host name, not a UID.
OK - so those APARs are N/A. Also, we have discovered your problem above anyway. It is a configuration error.
pintrader wrote:
Why is it that the MQSERVER variable cannot be used for SSL channels?
Because there is nowhere to put the SSLCIPH value.
pintrader wrote:
I have used the amqssslc command to test the SSL connection with MQSERVER set to the respective channel, i.e. export MQSERVER="CHL.APP1/TCP/x.x.x.x(1414)", and it works.
I'm afraid you are concluding an inaccurate fact there. amqssslc programmatically provides all the channel attributes, so it will ignore the MQSERVER environment variable. If you remove the setting of the MQSERVER environment variable and try running amqssslc again you will see it still works.
Cheers
Morag
_________________
Morag Hughson @MoragHughson
IBM MQ Technical Education Specialist
Get your IBM MQ training here!
MQGem Software
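The comparison described in exerk's and Morag's replies (each end applies its own SSLPEER filter to the certificate presented by the other end, so the CLNTCONN filter must match the queue manager's certificate DN and the SVRCONN filter the client's) is modelled below as an added example; it is not code from the thread, from IBM MQ or from MQGem. It is a simplified model of the SSLPEER rules: DN strings are assumed comma-separated, a `*` at the start or end of a filter value is treated as a wildcard, comparison is case-insensitive, repeated attributes (several OU=) are compared positionally, and escaped or quoted commas are not handled; check the IBM MQ documentation for the exact rules of your version. The queue manager DN is constructed from the AMQ9636 text quoted in the thread and the client DN from the SVRCONN filters shown.

```python
import re

# Constructed sample data (assumptions, not values taken from a real system):
# the queue manager certificate DN as the client-side AMQ9636 message reports
# it, and a client certificate DN chosen to satisfy the SVRCONN filter CN=host1.
QMGR_CERT_DN = "SERIALNUMBER=AA:BB:CC:DD, CN=myQMGR.domain.com"
CLIENT_CERT_DN = "CN=host1"


def parse_dn(dn):
    """Split 'A=1, B=2' into an ordered list of (ATTR, value) pairs.
    Simplified: attribute names are upper-cased; escaped or quoted commas
    inside values are not handled."""
    pairs = []
    for item in re.split(r"\s*,\s*", dn.strip()):
        if not item:
            continue
        if "=" not in item:
            raise ValueError("bad DN component: %r" % item)
        name, value = item.split("=", 1)
        pairs.append((name.strip().upper(), value.strip()))
    return pairs


def _value_matches(filter_value, dn_value):
    """Compare one filter value with one DN value. A '*' at the start or end
    of the filter value is a wildcard; case-insensitive (assumption)."""
    f, d = filter_value.lower(), dn_value.lower()
    lead, trail = f.startswith("*"), f.endswith("*")
    core = f.strip("*")
    if lead and trail:
        return core in d
    if lead:
        return d.endswith(core)
    if trail:
        return d.startswith(core)
    return f == d


def first_mismatch(sslpeer, peer_dn):
    """Return None when every attribute in the SSLPEER filter is satisfied by
    the peer certificate DN, otherwise (attr, filter_value, dn_value_or_None)
    for the first attribute that fails. Repeated attributes are matched
    positionally (simplification of the MQ rules)."""
    wanted = {}
    for name, value in parse_dn(sslpeer):
        wanted.setdefault(name, []).append(value)
    present = {}
    for name, value in parse_dn(peer_dn):
        present.setdefault(name, []).append(value)
    for name, fvalues in wanted.items():
        dvalues = present.get(name, [])
        for i, fv in enumerate(fvalues):
            dv = dvalues[i] if i < len(dvalues) else None
            if dv is None or not _value_matches(fv, dv):
                return (name, fv, dv)
    return None


def sslpeer_matches(sslpeer, peer_dn):
    return first_mismatch(sslpeer, peer_dn) is None


def check_channel_pair(clntconn_sslpeer, svrconn_sslpeer,
                       qmgr_cert_dn=QMGR_CERT_DN, client_cert_dn=CLIENT_CERT_DN):
    """Each side checks the OTHER side's certificate: the CLNTCONN SSLPEER is
    applied to the queue manager's certificate, the SVRCONN SSLPEER to the
    client's certificate. Returns {side: mismatch-or-None}."""
    return {
        "client_side": first_mismatch(clntconn_sslpeer, qmgr_cert_dn),
        "qmgr_side": first_mismatch(svrconn_sslpeer, client_cert_dn),
    }


if __name__ == "__main__":
    # The thread's failing pair: CLNTCONN SSLPEER('CN=host3') is compared with
    # the queue manager certificate and fails on the client side (AMQ9636).
    print(check_channel_pair("CN=host3", "CN=host1"))
    # The corrected CLNTCONN from the thread: filter on the queue manager's CN.
    print(check_channel_pair("CN=myQMGR.domain.com", "CN=host1"))
    # A wildcard filter that still pins the queue manager to the domain.
    print(check_channel_pair("CN=*.domain.com", "CN=host1"))
```

The client-side result for the thread's original definitions names the CN attribute, the filter value `host3` and the certificate value `myQMGR.domain.com`, which is exactly the pair of values to read off the AMQERR01.LOG message and the CCDT before deciding which side to change. Note that a CLNTCONN filter of just `CN=*` would also make the error go away but would no longer pin the client to its intended queue manager.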