mqsme
Posted: Wed Nov 04, 2015 2:58 pm    Post subject: AMQ9660: SSL key repository: password stash file absent or unusable
Acolyte, Joined: 16 Sep 2013, Posts: 51

Hi,
I did not enable SSL in the testing environment, so there is no key.kdb under the ssl folder. It ran happily before; however, recently it keeps logging the following messages every 5 seconds. Can you tell me how to troubleshoot it?
Thanks very much.
----- amqrmrsa.c : 516 --------------------------------------------------------
11/04/2015 02:55:43 PM - Process(8148.3915) User(mqm) Program(amqrmppa)
Host(xxx.com)
AMQ9660: SSL key repository: password stash file absent or unusable.
EXPLANATION:
The SSL key repository cannot be used because MQ cannot obtain a password to
access it. Reasons giving rise to this error include:
(a) the key database file and password stash file are not present in the
location configured for the key repository,
(b) the key database file exists in the correct place but that no password
stash file has been created for it,
(c) the files are present in the correct place but the userid under which MQ is
running does not have permission to read them,
(d) one or both of the files are corrupt.
The channel is '????'; in some cases its name cannot be determined and so is
shown as '????'. The channel did not start.
ACTION:
Ensure that the key repository variable is set to where the key database file
is. Ensure that a password stash file has been associated with the key database
file in the same directory, and that the userid under which MQ is running has
read access to both files. If both are already present and readable in the
correct place, delete and recreate them. Restart the channel.
----- amqccisa.c : 3464 -------------------------------------------------------
11/04/2015 02:55:43 PM - Process(8148.3915) User(mqm) Program(amqrmppa)
Host(xxx.com)
AMQ9492: The TCP/IP responder program encountered an error.
EXPLANATION:
The responder program was started but detected an error.
ACTION:
Look at previous error messages in the error files to determine the error
encountered by the responder program.
exerk
Posted: Thu Nov 05, 2015 1:31 am
Jedi Council, Joined: 02 Nov 2006, Posts: 6339

Check all your channels to see whether 'someone' has added a cipher spec to a definition, and then check (or get checked) all the channels connecting to/from your queue manager, as 'someone' may have done the same there.
_________________
It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys.
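To follow exerk's advice without reading every channel definition by hand, the saved output of a runmqsc DISPLAY CHANNEL command can be scanned for non-blank SSLCIPH values. This is an added example written for this thread, not code from the thread or from IBM MQ; the queue manager name QMGR1 comes from mqsme's display output, the channel names and the sample runmqsc text below are constructed, and the CipherSpec value is only an illustrative one.

```shell
#!/bin/sh
# Lists channels whose definition carries a cipher spec, from saved
# runmqsc output. Produce the input live (as a user in the mqm group) with:
#   echo "DISPLAY CHANNEL(*) CHLTYPE SSLCIPH" | runmqsc QMGR1 > channels.txt

# Reads runmqsc output from the files given (or stdin) and prints
# "CHLTYPE CHANNEL SSLCIPH" for every channel with a non-blank SSLCIPH.
ssl_channels() {
    awk '
        # A CHANNEL(...) attribute opens a new record: remember the name,
        # forget the previous record type. The echoed DISPLAY command also
        # matches (name "*") but carries no SSLCIPH(...), so prints nothing.
        /CHANNEL\(/ {
            match($0, /CHANNEL\([^)]*\)/)
            name = substr($0, RSTART + 8, RLENGTH - 9)
            chltype = ""
        }
        /CHLTYPE\(/ {
            match($0, /CHLTYPE\([^)]*\)/)
            chltype = substr($0, RSTART + 8, RLENGTH - 9)
        }
        /SSLCIPH\(/ {
            match($0, /SSLCIPH\([^)]*\)/)
            cipher = substr($0, RSTART + 8, RLENGTH - 9)
            gsub(/ /, "", cipher)          # SSLCIPH( ) means no cipher spec
            if (cipher != "") print chltype, name, cipher
        }
    ' "$@"
}

# Constructed sample of runmqsc output (not captured from a real queue
# manager): three channels, one of which has a CipherSpec configured.
sample_output='     1 : DISPLAY CHANNEL(*) CHLTYPE SSLCIPH
AMQ8414: Display Channel details.
   CHANNEL(TO.QMGR2)                       CHLTYPE(SDR)
   SSLCIPH( )
AMQ8414: Display Channel details.
   CHANNEL(APP.SVRCONN)                    CHLTYPE(SVRCONN)
   SSLCIPH(TLS_RSA_WITH_AES_128_CBC_SHA256)
AMQ8414: Display Channel details.
   CHANNEL(FROM.QMGR2)                     CHLTYPE(RCVR)
   SSLCIPH( )
One MQSC command read.'

printf '%s\n' "$sample_output" | ssl_channels
# prints: SVRCONN APP.SVRCONN TLS_RSA_WITH_AES_128_CBC_SHA256
```

Any channel this prints is one the queue manager will try to start with SSL, and therefore one that needs the key repository AMQ9660 complains about.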
Inisah
Posted: Thu Nov 05, 2015 1:52 am
Apprentice, Joined: 21 Mar 2014, Posts: 44

fjb_saper
Posted: Thu Nov 05, 2015 9:30 am
Grand High Poobah, Joined: 18 Nov 2003, Posts: 20756, Location: LI,NY

If the ownership of the key files is mqm:mqm, make sure that the permissions are rw for user and group.
_________________
MQ & Broker admin
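The AMQ9660 explanation in the first post lists causes (a) to (c) as file-presence and permission problems, and fjb_saper's reply is about the same permissions. The check below, added here as an example and not taken from the thread or from IBM MQ, classifies a given SSLKEYR value against those causes; the path /var/mqm/qmgrs/QMGR1/ssl/key in the comment is an assumed typical location, and the demonstration directory is constructed.

```shell
#!/bin/sh
# Classifies the AMQ9660 causes (a) to (c) for a given SSLKEYR value.
# MQ stores SSLKEYR as the key database path without its .kdb extension,
# e.g. /var/mqm/qmgrs/QMGR1/ssl/key, and needs key.kdb plus its password
# stash file key.sth in the same directory, readable by the mqm user.
# Run it as the user the queue manager runs under so that the -r tests
# reflect that user's permissions, not root's.

# Prints one classification word; returns 0 only when both files are usable.
check_key_repository() {
    keyr=${1%.kdb}                 # tolerate a value pasted with its extension
    if [ -z "$keyr" ]; then
        echo "unset"               # SSLKEYR( ): no repository configured at all
        return 4
    fi
    kdb="$keyr.kdb"
    sth="$keyr.sth"
    if [ ! -e "$kdb" ]; then
        if [ -e "$sth" ]; then
            echo "missing-kdb"     # stash present but the database itself is gone
            return 5
        fi
        echo "missing-both"        # reason (a): nothing at the configured location
        return 1
    fi
    if [ ! -e "$sth" ]; then
        echo "missing-stash"       # reason (b): database exists, stash never created
        return 2
    fi
    if [ ! -r "$kdb" ] || [ ! -r "$sth" ]; then
        echo "unreadable"          # reason (c): files exist, this user cannot read them
        return 3
    fi
    echo "ok"
}

# Constructed demonstration in a temporary directory (not a real repository).
demo=$(mktemp -d)
echo "empty dir:    $(check_key_repository "$demo/key")"   # missing-both
: > "$demo/key.kdb"
echo "kdb only:     $(check_key_repository "$demo/key")"   # missing-stash
: > "$demo/key.sth"
echo "kdb + sth:    $(check_key_repository "$demo/key")"   # ok
rm -r "$demo"
```

Feed it the value shown by `dis qmgr sslkeyr`; an empty SSLKEYR( ) combined with a channel that has SSLCIPH set is exactly the situation that produces AMQ9660 with the channel shown as '????'.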
mqsme
Posted: Thu Nov 05, 2015 11:06 am
Acolyte, Joined: 16 Sep 2013, Posts: 51

@exerk: I checked all my channels, even stopped all of them, and am still getting the error, so I also suspect 'someone' has set it on the other side. The error log only mentions ??? as the channel, so I have no clue which channel is 'under attack'.
@inisah: thanks for the link, but I did not use SSL, so I can't find a solution there.
I tried to refresh security, but no luck:
1 : dis qmgr sslev sslkeyr sslrkeyc
AMQ8408: Display Queue Manager details.
QMNAME(QMGR1) SSLEV(DISABLED)
SSLKEYR( ) SSLRKEYC(0)
@fjb_saper: sorry, I do not use SSL in this testing environment, so I did not set up any key.* files.
Vitor
Posted: Thu Nov 05, 2015 11:10 am
Grand High Poobah, Joined: 11 Nov 2005, Posts: 26093, Location: Texas, USA

mqsme wrote:
    sorry, I do not use SSL in this testing environment, so I did not set up any key.* files

Why not set it up? Give this queue manager a self-signed certificate in a key store; this will get you past this error. Obviously the channel in question still won't start (as whatever SSL configuration is in use won't tie up with the queue manager's), but you should get an error about that mismatch that includes the channel name.
_________________
Honesty is the best policy.
Insanity is the best defence.
Inisah
Posted: Fri Nov 06, 2015 1:52 am
Apprentice, Joined: 21 Mar 2014, Posts: 44

Quote:
    I checked all my channels, even stopped all of them, and am still getting the error, so I also suspect 'someone' has set it on the other side. The error log only mentions ??? as the channel, so I have no clue which channel is 'under attack'.

You need to check whether SSL is enabled on the destination channel. We have seen errors with channels showing as ??? if they are not able to connect to that channel for some reason.
mqsme
Posted: Fri Nov 06, 2015 10:25 am
Acolyte, Joined: 16 Sep 2013, Posts: 51

Yes, preferably there is some way to know which destination is SSL enabled. If there is no way to find out at the server level, the last resort is to ask the different destinations one by one whether they have turned on SSL accidentally.
mqsme
Posted: Fri Nov 06, 2015 10:33 am
Acolyte, Joined: 16 Sep 2013, Posts: 51

@Vitor: I just tried to set up a key store: created a new cert, placed key.kdb, key.rdb, key.stb and key.crl under the MQM ssl folder, and ran refresh security type(ss), but got the following error. I tried putting the same key.kdb on another server, and openssl connects successfully there. But I fail to connect with openssl on this new server; there must be something missing...
$ openssl s_client -showcerts -connect xxx.com:1414
CONNECTED(00000003)
139935324751688:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:184:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 249 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
display qmgr shows SSLKEYR has already been set to the right path (/.../ssl/key), which is the same as on the other server.
Still investigating what's missing.
Gaya3
Posted: Fri Nov 06, 2015 11:30 am
Jedi, Joined: 12 Sep 2006, Posts: 2493, Location: Boston, US

openssl does have its own params; there you can try a couple more options.
What is the MQ error stating, and where is it happening?
_________________
Regards
Gayathri
-----------------------------------------------
Do Something Before you Die