| Author |
Message
|
| dextermbmq |
 Posted: Sat Jan 30, 2016 11:01 am Post subject: MQRC 2381 |
 |
|
Voyager
Joined: 26 Jul 2014
Posts: 77
|
Hello Guys,
I am trying to set up SSL configuration and finally testing it with amqsputc. But I am getting MQRC 2381 error
C:\Users\abc>amqsputc rq CHLTB
Sample AMQSPUT0 start
MQCONN ended with reason code 2381
Below are the steps I have executed :
STEP 1 : Created CLNTCONN and SVRCONN CHANNEL and Set the MQCHLLIB and MQCHLTAB ENV VARIABLES :
define channel(TEST.SVRCONN) chltype(SVRCONN) TRPTYPE(TCP) SSLCAUTH(OPTIONAL) MCAUSER('mqm') SSLCIPH(DES_SHA_EXPORT)
define channel(TEST.SVRCONN) CHLTYPE(CLNTCONN) TRPTYPE(TCP) CONNAME('localhost(1429)') QMNAME(TEST) SSLCIPH(DES_SHA_EXPORT)
MQCHLIB and MQCHLTAB to respective values.
STEP 2 : KEY DB Configuration
AT SERVER : Creating a keyDB and adding a self signed certificate
runmqckm -keydb -create -db "E:\server\Server.kdb" -type cms -pw password -stash
runmqckm -cert -create -db "E:\server\Server.kdb" -label cert_server -size 1024 -type cms -expire 365 -dn "CN=CLIENT,O=PRS,C=US" -pw password
Extracting the certificate so that we may add to Clent KeyDB
runmqckm -cert -extract -db "E:\server\Server.kdb" -type cms -target "E:\export.arm" -format ascii -label cert_server -pw password
AT CLIENT SIDE :
runmqckm -keydb -create -db "E:\client\Client.kdb" -type cms -pw password -stash
runmqckm -cert -add -db "E:\client\Client.kdb" -type cms -file "E:\export.arm" -label cert_server -pw password
STEP 3 :
Setting MQSSLKEYR : E:\client\Client
alter qmgr SSLKEYR('E:\server\Server
KINDLY ASSIST AS TO WHAT IS CAUSING MQRC 2381
Thanks |
|
| Back to top |
|
 |
| exerk |
| Posted: Sat Jan 30, 2016 11:46 am Post subject: |
|
|
Jedi Council
Joined: 02 Nov 2006
Posts: 6339
|
Did you refresh security after altering the queue manager's SSLKEYR attribute?
If not do so, then move on to the next error you're likely to get. I suggest you read the Knowledge Centre appropriate to your MQ version in regard to SSL certificate requirements, e.g. certificate label names (big hint!).
_________________
It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys. |
|
| Back to top |
|
|
| umatharani |
| Posted: Sat Jan 30, 2016 8:14 pm Post subject: |
|
|
Apprentice
Joined: 23 Oct 2008
Posts: 39
|
The label names are very important.
Server side Example :
Qmgr: SSLQMGR
Label: ibmwebspheremqsslqmgr
Client Side:
User: root
Label: ibmwebspheremqroot
Thanks,
mahesh |
|
| Back to top |
|
|
| dextermbmq |
| Posted: Sat Jan 30, 2016 10:51 pm Post subject: |
|
|
Voyager
Joined: 26 Jul 2014
Posts: 77
|
Thanks a lot for the assistance. I have changed the label names as per the standard and MQRC 2381 error got resolved.
I am even able to put a message through AMQSPUTC client utility, however I have observed a strange behavior. The messages are getting put successfully but the CHANNEL STATUS does not show it as running.
Below are the channel definitions :
define channel(TEST.SVRCONN) CHLTYPE(SVRCONN) TRPTYPE(TCP) MCAUSER('MUSR_MQADMIN') SSLCAUTH(REQUIRED) SSLCIPH(DES_SHA_EXPORT)
define channel(TEST.SVRCONN) CHLTYPE(CLNTCONN) TRPTYPE(TCP) CONNAME('localhost(1480)') QMNAME(CHLTB) SSLCIPH(DES_SHA_EXPORT)
The channel TEST.SVRCONN should show as running status after we are able to put the message but its not showing as running
dis chs(TEST.SVRCONN)
1 : dis chs(TEST.SVRCONN)
AMQ8420: Channel Status not foun
end
2 : end
What could be the possible reason ?
(Although I am able to connect through RFHUTILC after configuring it for SSL. There I can see the Channel status as running
:
dis chs(TEST.SVRCONN) all
2 : dis chs(TEST.SVRCONN) all
AMQ8417: Display Channel Status details.
CHANNEL(TEST.SVRCONN) CHLTYPE(SVRCONN)
BUFSRCVD(12) BUFSSENT(11)
BYTSRCVD(1748) BYTSSENT(1564)
CHSTADA(2016-01-31) CHSTATI(13.02.41)
COMPHDR(NONE,NONE) COMPMSG(NONE,NONE)
COMPRATE(0,0) COMPTIME(0,0)
CONNAME(127.0.0.1) CURRENT
EXITTIME(0,0) HBINT(300)
JOBNAME(00001FF000001B60) LOCLADDR( )
LSTMSGDA(2016-01-31) LSTMSGTI(13.02.41)
MCASTAT(RUNNING) MCAUSER(MUSR_MQADMIN)
MONCHL(OFF) MSGS(9)
RAPPLTAG(ti\Desktop\ih03\rfhutilc.exe)
SSLCERTI(CN=swati-PC,OU=CT,O=PR,L=KU,ST=KR,PC=66,C=US)
SSLKEYDA( ) SSLKEYTI( )
SSLPEER(CN=swati-PC,OU=CT,O=PR,L=KU,ST=KR,PC=66,C=US)
SSLRKEYS(0) STATUS(RUNNING)
STOPREQ(NO) SUBSTATE(RECEIVE)
CURSHCNV(1) MAXSHCNV(10)
end
3 : end
Thanks in Advance for assistance
Regards |
|
| Back to top |
|
|
| exerk |
| Posted: Sun Jan 31, 2016 3:53 am Post subject: |
|
|
Jedi Council
Joined: 02 Nov 2006
Posts: 6339
|
| umatharani wrote: |
The label names are very important.
Server side Example :
Qmgr: SSLQMGR
Label: ibmwebspheremqsslqmgr
Client Side:
User: root
Label: ibmwebspheremqroot
Thanks,
mahesh |
True for all SSL-capable versions prior to V8.0 but not necessarily true thereafter...
| dextermbmq wrote: |
| ...The channel TEST.SVRCONN should show as running status after we are able to put the message but its not showing as running... |
A SVRCONN is only active for the life of the connection. Try the AMQSPUTC utility again but stay connected, i.e. do not put a message and hit enter twice, then check status.
_________________
It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys. |
|
| Back to top |
|
|
| umatharani |
| Posted: Sun Jan 31, 2016 7:47 am Post subject: |
|
|
Apprentice
Joined: 23 Oct 2008
Posts: 39
|
|
| Back to top |
|
|
| tczielke |
| Posted: Sun Jan 31, 2016 9:02 am Post subject: |
|
|
Guardian
Joined: 08 Jul 2010
Posts: 941
Location: Illinois, USA
|
|
| Back to top |
|
|
| dextermbmq |
| Posted: Mon Feb 01, 2016 2:22 am Post subject: |
|
|
Voyager
Joined: 26 Jul 2014
Posts: 77
|
Hello,
Thanks for providing all the assistance.
I was able to successfully configure SSL through CMS type of repository. But when I tried with JKS type of KEYDB(repository) , its again giving MQRC 2381. Also, I tried to take the TRACE but my Trace directory is empty , i dont see the trace files there ?
Do we need to change our approach for JKS repositry ?
Also, In WINDOWS do we need to manually configure something to get the TRACE files in TRACE directory?
Thanks in advance |
|
| Back to top |
|
|
| umatharani |
| Posted: Mon Feb 01, 2016 4:01 am Post subject: |
|
|
Apprentice
Joined: 23 Oct 2008
Posts: 39
|
Hi,
I think JKS is normally used by the java apps/clients.
You can enable MQ trace with the following command for
the queue manager and non java apps.
strmqtrc -e -tall -tdetail
Thanks,
mahesh |
|
| Back to top |
|
|
| exerk |
| Posted: Mon Feb 01, 2016 4:06 am Post subject: |
|
|
Jedi Council
Joined: 02 Nov 2006
Posts: 6339
|
| dextermbmq wrote: |
| ...But when I tried with JKS type of KEYDB(repository) , its again giving MQRC 2381... |
Just to clarify, you switched only the client-end to a JKS key repository?
_________________
It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys. |
|
| Back to top |
|
|
| tczielke |
| Posted: Mon Feb 01, 2016 5:39 am Post subject: |
|
|
Guardian
Joined: 08 Jul 2010
Posts: 941
Location: Illinois, USA
|
For -p option for strmqtrc on Windows, it probably should have been AMQSPUTC.EXE. Sorry, I tend to think in a "Unix" state of mind . . . 
_________________
Working with MQ since 2010. |
|
| Back to top |
|
|
| dextermbmq |
| Posted: Mon Feb 01, 2016 6:33 am Post subject: |
|
|
Voyager
Joined: 26 Jul 2014
Posts: 77
|
Hello All,
Thanks for persisting.
To answer exerk's question - I have used the CLient repositry as JKS type. I did not touch the Server KEYDB. Its still in CMS format.
I was able to take the TRACE for amqsputc through ::
strmqtrc -t api -p amqsputc -d all
and the content is as follows ::
Operating System : Windows Ver 6.1 (5) Home Basic x64 Edition, Build 7601: SP1
Product Long Name : WebSphere MQ for Windows
Version : 7.0.1.3 Level : p701-103-100818
UTC Date : 2016/02/01: Time : 14:23:37.245
LCL Date : 2016/02/01: Time : 19:53:37.245 India Standard Time
Counter TimeStamp PID.TID Ident Data
============================================================
000804E1 19:53:37.258781 8796.1 RSESS:000001 !! - __________
000804E2 19:53:37.258844 8796.1 RSESS:000001 !! - MQCONN <<
000804E3 19:53:37.258949 8796.1 RSESS:000001 !! - Name : Input Parm
000804E4 19:53:37.258963 8796.1 RSESS:000001 !! - Hconn:
000804E5 19:53:37.258975 8796.1 RSESS:000001 Data:-
000804E5 19:53:37.258975 8796.1 RSESS:000001 0x0017FB54 FF FF FF FF : ÿÿÿÿ
000804E6 19:53:37.258993 8796.1 RSESS:000001 !! - ConnectOpts: NULL
000804E7 19:53:37.259005 8796.1 RSESS:000001 !! - Compcode:
000804E8 19:53:37.259015 8796.1 RSESS:000001 Data:-
000804E8 19:53:37.259015 8796.1 RSESS:000001 0x0017FB4C 02 00 00 00 : ....
000804E9 19:53:37.259032 8796.1 RSESS:000001 !! - Reason:
000804EA 19:53:37.259042 8796.1 RSESS:000001 Data:-
000804EA 19:53:37.259042 8796.1 RSESS:000001 0x0017FB5C 4D 09 00 00 |
|
| Back to top |
|
|
| tczielke |
| Posted: Mon Feb 01, 2016 7:39 pm Post subject: |
|
|
Guardian
Joined: 08 Jul 2010
Posts: 941
Location: Illinois, USA
|
|
| Back to top |
|
|
| fjb_saper |
| Posted: Tue Feb 02, 2016 5:58 am Post subject: |
|
|
Grand High Poobah
Joined: 18 Nov 2003
Posts: 20756
Location: LI,NY
|
Reserve the JKS repository strictly for java applications... or when otherwise directed to do so (IIB integration nodes) 
_________________
MQ & Broker admin |
|
| Back to top |
|
|
|
|
