OCSPAuthentication and SSL stanza
vlucian
Posted: Fri Apr 17, 2015 7:43 am    Post subject: OCSPAuthentication and SSL stanza

Novice

Joined: 28 Jan 2011
Posts: 17

We have a C++ application that used to run with MQ client 5.3 using an STO file for the SSL connection. Now we have upgraded the MQ client to 7.1, changed the certificate to kdb (from jks) and tried to run the app. This application has an XML config file with some keys, including those for the MQ connection (SSL key repository, CipherSpec etc). The queue manager it is trying to connect to is not under our control, and neither are the certificates. So, we started the application and received AMQ9716. After that we edited mqclient.ini, adding an SSL stanza and OCSPAuthentication=OPTIONAL, and the error was AMQ9642. As I said, we provide the sslkeyrepository location inside the application's config file - without it the application tries to connect directly (noSSL mode). Anyway, I left the variables in the config file but I also put the SSLKeyRepository line in the mqclient.ini file. Same error AMQ9642. Any idea about this? Thanks
hughson
Posted: Fri Apr 17, 2015 8:22 am

Padawan

Joined: 09 May 2013
Posts: 1916
Location: Bay of Plenty, New Zealand

What is the label of the certificate in your KDB file? And what is the user ID under which you are running the application?

The certificate will be located by looking for a label called ibmwebspheremq<client-logged-on-userid> all folded to lower case, so the above two pieces of information will help to detect whether it will be able to find the certificate to send.

Cheers
Morag
_________________
Morag Hughson @MoragHughson
IBM MQ Technical Education Specialist
Get your IBM MQ training here!
MQGem Software
vlucian
Posted: Fri Apr 17, 2015 8:40 am


Thanks for the reply!
The label and user ID are different. On the other hand, while the MQ client was at version 5.3 and the application was using STO files everything was OK. Now, the same certificate (as I told you, we received a jks file and converted it to sto for 5.3 and to kdb for 7.1) is not working anymore.
Also, we were told that others can successfully use those jks certificates, so I presume they are using Java apps. Does this rule not apply to Java applications?
hughson
Posted: Fri Apr 17, 2015 8:50 am


Java works differently, and MQV5.3 on Windows is very different from any newer version.

Change the label in your KDB to match the expected label based on your user ID and retry. Let us know the results.

Cheers
Morag
vlucian
Posted: Fri Apr 17, 2015 8:56 am


OK, unfortunately I can only do it next week. One last question: can I change the label when I convert the jks to kdb, or do I need to convert, export the personal certificate and then reimport and change the label?
Thanks again.
hughson
Posted: Fri Apr 17, 2015 1:14 pm


You don't need to export and re-import. You can change the label inside the KDB. See it in action using iKeyMan here https://youtu.be/0aKamUTS4rs?t=11m38s

Or using runmqakm with the -cert -rename flags as described in "Did you know you can rename a certificate label?"

Cheers
Morag
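
An added example, not part of the thread and not IBM's tooling: it derives the label the client will look for from a user ID, checks it against a certificate listing, and prints (without running) the `runmqakm -cert -rename` command when a single personal certificate is mislabelled. The user ID, `key.kdb`, the sample listing and its layout, and the use of `-stashed` for the password are assumptions.

```shell
#!/bin/sh
# Added illustration (not from the thread). Constructed listing in the layout
# assumed for `runmqakm -cert -list`: flag column, whitespace, label.
SAMPLE_LIST='Certificates found
* default, - personal, ! trusted, # secret key
!  partner_root_ca
-  partner_client_cert'

# Label the C client searches for: "ibmwebspheremq" + user ID, all lower case.
expected_label() {
    printf 'ibmwebspheremq%s' "$1" | tr '[:upper:]' '[:lower:]'
}

# Print labels of personal certificates ("-" or "*-" flag) from a listing on stdin.
personal_labels() {
    sed -n 's/^[*]\{0,1\}-[[:space:]]\{1,\}//p' | sed 's/^"\(.*\)"$/\1/'
}

# Usage: check_label USERID KDB < listing
# Prints "ok", a suggested rename command, or why no suggestion is possible.
check_label() {
    want=$(expected_label "$1")
    labels=$(personal_labels)
    if [ -z "$labels" ]; then
        echo "no-personal-cert"
    elif printf '%s\n' "$labels" | grep -Fxq -- "$want"; then
        echo "ok"
    elif [ "$(printf '%s\n' "$labels" | grep -c .)" -eq 1 ]; then
        # Exactly one candidate: print (do not run) the rename that fixes it.
        printf 'runmqakm -cert -rename -db %s -stashed -label "%s" -new_label %s\n' \
            "$2" "$labels" "$want"
    else
        echo "ambiguous: several personal certificates, pick one to rename"
    fi
}

# Constructed user ID and key database path.
printf '%s\n' "$SAMPLE_LIST" | check_label AppSvc01 key.kdb
```

Against a real key database, pipe the output of `runmqakm -cert -list` for that database into `check_label` instead of the sample.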
vlucian
Posted: Mon Apr 20, 2015 12:51 am


... and it worked! Thanks a lot!
hughson
Posted: Mon Apr 20, 2015 1:30 am
