mqjeff |
Posted: Fri Oct 10, 2014 4:49 am Post subject: |
|
|
Grand Master
Joined: 25 Jun 2008 Posts: 17447
|
It's possible the environment variables are case-sensitive, that mqchllib is not the same as MQCHLLIB.
Also, you may need to export them instead of just setting them. |
fjb_saper |
Posted: Fri Oct 10, 2014 6:08 am Post subject: |
|
|
 Grand High Poobah
Joined: 18 Nov 2003 Posts: 20756 Location: LI,NY
|
Did you set the qmgr's keystore and do refresh security type(ssl)?  _________________ MQ & Broker admin |
yasaboy |
Posted: Sun Oct 12, 2014 8:41 pm Post subject: |
|
|
Voyager
Joined: 23 Jun 2014 Posts: 90
|
fjb_saper wrote: |
Did you set the qmgr's keystore and do refresh security type(ssl)?  |
Hi,
Yes I have created the Key Database in the default location of the key Repository of the Queue manager which is
Code: |
dis qmgr
AMQ8408: Display Queue Manager details.
SSLKEYR(/var/mqm/qmgrs/testQM1/ssl/key)
SSLRKEYC(0) STATACLS(QMGR)
STATCHL(OFF) STATINT(1800)
STATMQI(OFF) STATQ(OFF)
|
I have done the REFRESH SECURITY in the queue manager as well. Really stuck with this for a week now.
still the error,
Code: |
MQCONN ended with reason code 2058 |
for amqsputc. Does the amqsputc code refer to the channel table while connecting to a remote queue manager?
So are my settings on the QMgr machine (172.xx.xx.xx)
Code: |
CHANNEL(SSL.CLIENTS) CHLTYPE(CLNTCONN) CONNAME(172.xx.xx.xx(22xxx)) |
correct ? |
yasaboy |
Posted: Sun Oct 12, 2014 9:05 pm Post subject: |
|
|
Voyager
Joined: 23 Jun 2014 Posts: 90
|
Hi again,
I have created a customized code which uses the CONNX to connect to the queue manager. It runs as follows
Script_Name <Q_Name> <QM_Name> <IP> <port> <channel>
So it gave an error
MQCONNX ended with reason code 2393
So I checked the error log of the client and QMgr machine.
client end
Code: |
The remote end of channel 'SSL.CLIENTS' on host '172.xx.xx.xx
(172.xx.xx.xx)(22xxx)' has had a CipherSpec error. The channel did not start.
ACTION:
Review the error logs on the remote system to discover the problem with the CipherSpec. |
So I looked at the remote end and it said
Code: |
AMQ9639: Remote channel 'SSL.CLIENTS' did not specify a CipherSpec.
EXPLANATION:
Remote channel 'SSL.CLIENTS' did not specify a CipherSpec when the local
channel expected one to be specified.
The remote host is '172.yy.yy.yyy (172.yy.yy.yyy)'.
The channel did not start.
ACTION:
Change the remote channel 'SSL.CLIENTS' on host '172.yy.yy.yyy (172.yy.yy.yyy)'
to specify a CipherSpec so that both ends of the channel have matching
CipherSpecs. |
anyway the channel attributes are like this
Code: |
dis CHANNEL(SSL.CLIENTS)
AMQ8414: Display Channel details.
CHANNEL(SSL.CLIENTS) CHLTYPE(SVRCONN)
SSLCAUTH(OPTIONAL) SSLCIPH(TRIPLE_DES_SHA_US)
SSLPEER( ) TRPTYPE(TCP)
AMQ8414: Display Channel details.
CHANNEL(SSL.CLIENTS) CHLTYPE(CLNTCONN)
SHARECNV(10) SSLCIPH(TRIPLE_DES_SHA_US)
SSLPEER( ) TPNAME( )
TRPTYPE(TCP) USERID( ) |
exerk |
Posted: Sun Oct 12, 2014 10:16 pm Post subject: |
|
|
 Jedi Council
Joined: 02 Nov 2006 Posts: 6339
|
And you're running that script as the same user to which the client key store belongs? _________________ It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys. |
hughson |
Posted: Mon Oct 13, 2014 1:24 am Post subject: |
|
|
 Padawan
Joined: 09 May 2013 Posts: 1959 Location: Bay of Plenty, New Zealand
|
yasaboy wrote: |
I have created a customized code which uses the CONNX to connect to the queue manager. It runs as follows
Script_Name <Q_Name> <QM_Name> <IP> <port> <channel>
anyway the channel attributes are like this
Code: |
dis CHANNEL(SSL.CLIENTS)
AMQ8414: Display Channel details.
CHANNEL(SSL.CLIENTS) CHLTYPE(SVRCONN)
SSLCAUTH(OPTIONAL) SSLCIPH(TRIPLE_DES_SHA_US)
SSLPEER( ) TRPTYPE(TCP)
AMQ8414: Display Channel details.
CHANNEL(SSL.CLIENTS) CHLTYPE(CLNTCONN)
SHARECNV(10) SSLCIPH(TRIPLE_DES_SHA_US)
SSLPEER( ) TPNAME( )
TRPTYPE(TCP) USERID( ) |
|
If you are coding the channel name directly in your MQCONNX then it is not using the CLNTCONN definition that you are showing us here. You must make sure that you code the SSLCipherSpec in your MQCONNX along with your channel name.
Or alternatively, if you wish to use the CLNTCONN from your CCDT file, you must ensure that you have a QMNAME in the CLNTCONN definition and that you connect to that queue manager, i.e. when you run amqsputc that you give the name of the queue manager that is specified in your CLNTCONN definition.
Cheers
Morag _________________ Morag Hughson @MoragHughson
IBM MQ Technical Education Specialist
Get your IBM MQ training here!
MQGem Software |
yasaboy |
Posted: Mon Oct 13, 2014 2:06 am Post subject: |
|
|
Voyager
Joined: 23 Jun 2014 Posts: 90
|
hughson wrote: |
If you are coding the channel name directly in your MQCONNX then it is not using the CLNTCONN definition that you are showing us here. You must make sure that you code the SSLCipherSpec in your MQCONNX along with your channel name.
Or alternatively, if you wish to use the CLNTCONN from your CCDT file, you must ensure that you have a QMNAME in the CLNTCONN definition and that you connect to that queue manager, i.e. when you run amqsputc that you give the name of the queue manager that is specified in your CLNTCONN definition.
Cheers
Morag |
Thanks for the info,
So I changed my CLNTCONN
Code: |
alter channel(SSL.CLIENTS) CHLTYPE(CLNTCONN) QMNAME(testQM1) |
AMQ8414: Display Channel details.
CHANNEL(SSL.CLIENTS) CHLTYPE(CLNTCONN)
AFFINITY(PREFERRED) ALTDATE(2014-10-13)
ALTTIME(15.12.35) CLNTWGHT(0)
COMPHDR(NONE) COMPMSG(NONE)
CONNAME(172.xx.xx.xx(22xxx)) DEFRECON(NO)
DESCR( ) HBINT(300)
KAINT(AUTO) LOCLADDR( )
MAXMSGL(4194304) MODENAME( )
PASSWORD( ) QMNAME(TESTQM1)
RCVDATA( ) RCVEXIT( )
SCYDATA( ) SCYEXIT( )
SENDDATA( ) SENDEXIT( )
SHARECNV(10) SSLCIPH(TRIPLE_DES_SHA_US)
SSLPEER( ) TPNAME( )
TRPTYPE(TCP) USERID( )
testQM1 is shown as TESTQM1 when I do a "dis channel" ? Still my error doesn't change 2058. |
hughson |
Posted: Mon Oct 13, 2014 2:08 am Post subject: |
|
|
 Padawan
Joined: 09 May 2013 Posts: 1959 Location: Bay of Plenty, New Zealand
|
yasaboy wrote: |
So I changed my CLNTCONN
Code: |
alter channel(SSL.CLIENTS) CHLTYPE(CLNTCONN) QMNAME(testQM1) |
testQM1 is shown as TESTQM1 when I do a "dis channel" ? |
If your queue manager is supposed to be testQM1 in that case, please ensure that you put quotes round it when you use ALTER CHANNEL
Code: |
alter channel(SSL.CLIENTS) CHLTYPE(CLNTCONN) QMNAME('testQM1') |
Cheers
Morag _________________ Morag Hughson @MoragHughson
IBM MQ Technical Education Specialist
Get your IBM MQ training here!
MQGem Software |
yasaboy |
Posted: Mon Oct 13, 2014 2:07 pm Post subject: |
|
|
Voyager
Joined: 23 Jun 2014 Posts: 90
|
hughson wrote: |
If your queue manager is supposed to be testQM1 in that case, please ensure that you put quotes round it when you use ALTER CHANNEL
Cheers
Morag |
Hi,
Thank you very much for this piece of info, madam. It actually worked: for the first time amqsputc went from error 2058 and 2393 to something else.
Code: |
amqsputc TEST.INQUEUE1 testQM1
Sample AMQSPUT0 start
MQCONN ended with reason code 2035 |
Now I think the error is with the privacy of the QM. But still couldn't figure out
error log:
Code: |
AMQ9557: Queue Manager User ID initialization failed.
EXPLANATION:
The call to initialize the User ID failed with CompCode 2 and Reason 2035.
----- amqrmrsa.c : 898 --------------------------------------------------------
10/14/2014 03:24:28 AM - Process(16242.21) User(devXX) Program(amqzlaa0)
Host(sgx-env-app-06) Installation(Installation1)
VRMF(7.5.0.2) QMgr(testQM1)
AMQ5653: The user 'devYY' is not defined.
EXPLANATION:
The system call getpwnam("devYY") failed with errno -1.
ACTION:
Create the user 'devYY' and retry the operation. |
yasaboy |
Posted: Mon Oct 13, 2014 10:27 pm Post subject: |
|
|
Voyager
Joined: 23 Jun 2014 Posts: 90
|
Hi, I could resolve the issue of 2035 as well now using simple chlauth commands.
Now the amqsputc is working and messages are populated to the queue in the remote queue manager. Thanks for the help  |
bruce2359 |
Posted: Tue Oct 14, 2014 3:55 am Post subject: |
|
|
 Poobah
Joined: 05 Jan 2008 Posts: 9469 Location: US: west coast, almost. Otherwise, enroute.
|
yasaboy wrote: |
Hi, I could resolve the issue of 2035 as well now using simple chlauth commands. |
What simple chlauth commands? _________________ I like deadlines. I like to wave as they pass by.
ב''ה
Lex Orandi, Lex Credendi, Lex Vivendi. As we Worship, So we Believe, So we Live. |
tczielke |
Posted: Tue Oct 14, 2014 4:28 am Post subject: |
|
|
Guardian
Joined: 08 Jul 2010 Posts: 941 Location: Illinois, USA
|
yasaboy wrote: |
AMQ5653: The user 'devYY' is not defined.
EXPLANATION:
The system call getpwnam("devYY") failed with errno -1.
|
That looks like a v8 CONNAUTH check, to me. |
hughson |
Posted: Tue Oct 14, 2014 3:15 pm Post subject: |
|
|
 Padawan
Joined: 09 May 2013 Posts: 1959 Location: Bay of Plenty, New Zealand
|
tczielke wrote: |
yasaboy wrote: |
AMQ5653: The user 'devYY' is not defined.
EXPLANATION:
The system call getpwnam("devYY") failed with errno -1.
|
That looks like a v8 CONNAUTH check, to me. |
Looks more like the client user ID was flowed and not recognised, and using CHLAUTH to map the connection to a different MCAUSER sorted it out.
Cheers
Morag _________________ Morag Hughson @MoragHughson
IBM MQ Technical Education Specialist
Get your IBM MQ training here!
MQGem Software |
tczielke |
Posted: Tue Oct 14, 2014 3:46 pm Post subject: |
|
|
Guardian
Joined: 08 Jul 2010 Posts: 941 Location: Illinois, USA
|
Thanks for the correction. I read too much into that getpwnam part of the message, and thought that was being done for a password look up on the user id. |
yasaboy |
Posted: Tue Oct 14, 2014 9:17 pm Post subject: |
|
|
Voyager
Joined: 23 Jun 2014 Posts: 90
|
hughson wrote: |
tczielke wrote: |
yasaboy wrote: |
AMQ5653: The user 'devYY' is not defined.
EXPLANATION:
The system call getpwnam("devYY") failed with errno -1.
|
That looks like a v8 CONNAUTH check, to me. |
Looks more like the client user ID was flowed and not recognised, and using CHLAUTH to map the connection to a different MCAUSER sorted it out.
Cheers
Morag |
Hi,
Sorry for the delay in replying, I got stuck with converting a one-way SSL connection to two-way. Now it's also fixed and working.
What I did for the error 2035 was
Code: |
SET CHLAUTH('SSL.CLIENTS') TYPE(BLOCKUSER) USERLIST('TROBWUZHERE') ACTION(ADD)
and
SET CHLAUTH('SSL.CLIENTS') TYPE(USERMAP) CLNTUSER('devYY') ADDRESS('172.yy.yy.yyy') MCAUSER('mqm') |
|
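The two CHLAUTH rules from the post above, run through a small checker that is added here as an illustration and is not code from the thread or from IBM. It assumes a UNIX queue manager where `mqm` is the administrative user; `mqapp` is a hypothetical low-privilege user, and `mqsc_value` applies the same runmqsc folding rule that turned testQM1 into TESTQM1 earlier in the thread.

```python
import re

ADMIN_USERS = {"mqm"}  # assumption: UNIX queue manager, admin user is mqm
MAP_TYPES = {"USERMAP", "ADDRESSMAP", "SSLPEERMAP", "QMGRMAP"}

def mqsc_value(raw):
    """runmqsc folding: quoted text keeps its case, unquoted is upper-cased."""
    raw = raw.strip()
    quoted = len(raw) >= 2 and raw[0] == raw[-1] == "'"
    return raw[1:-1] if quoted else raw.upper()

def parse_chlauth(command):
    """Parse one SET CHLAUTH command into {KEYWORD: raw value}, else None."""
    m = re.match(r"\s*SET\s+CHLAUTH\(([^)]*)\)(.*)", command, re.I | re.S)
    if not m:
        return None
    rule = {"PROFILE": m.group(1)}
    for key, raw in re.findall(r"(\w+)\(([^)]*)\)", m.group(2)):
        rule[key.upper()] = raw
    return rule

def audit(commands):
    """Flag rules that leave a channel running with administrative authority."""
    findings = []
    for rule in filter(None, map(parse_chlauth, commands)):
        chl = mqsc_value(rule["PROFILE"])
        kind = mqsc_value(rule.get("TYPE", ""))
        if kind == "BLOCKUSER":
            users = {mqsc_value(u) for u in rule.get("USERLIST", "").split(",")}
            # A channel-specific BLOCKUSER rule takes precedence over the generic '*' rule.
            if "*MQADMIN" not in users and not users & ADMIN_USERS:
                findings.append((chl, "BLOCKUSER does not block admin users"))
        elif kind in MAP_TYPES and mqsc_value(rule.get("MCAUSER", "")) in ADMIN_USERS:
            findings.append((chl, "connection mapped to admin MCAUSER"))
    return findings

# The two rules as posted in the thread.
POSTED = [
    "SET CHLAUTH('SSL.CLIENTS') TYPE(BLOCKUSER) USERLIST('TROBWUZHERE') ACTION(ADD)",
    "SET CHLAUTH('SSL.CLIENTS') TYPE(USERMAP) CLNTUSER('devYY') ADDRESS('172.yy.yy.yyy') MCAUSER('mqm')",
]
# Constructed variant; 'mqapp' is a hypothetical low-privilege service user.
LEAST_PRIV = [
    "SET CHLAUTH('SSL.CLIENTS') TYPE(BLOCKUSER) USERLIST('*MQADMIN') ACTION(REPLACE)",
    "SET CHLAUTH('SSL.CLIENTS') TYPE(USERMAP) CLNTUSER('devYY') "
    "ADDRESS('172.yy.yy.yyy') USERSRC(MAP) MCAUSER('mqapp') ACTION(REPLACE)",
]

if __name__ == "__main__":
    print(audit(POSTED), audit(LEAST_PRIV))
```

A user mapped as in the second rule set still needs its own authority records (connect on the queue manager, put on TEST.INQUEUE1) before amqsputc can put messages.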