bkiran2020 (Master; Joined: 20 Jan 2011; Posts: 243; Location: US)
Posted: Thu Apr 07, 2016 7:05 am    Post subject: SSL self signed certificate setup issue
runmqckm -keydb -create -db "/var/mqm/qmgrs/MQ1/ssl/qmgr1.kdb" -pw password -type cms -stash
runmqckm -keydb -create -db "/var/mqm/qmgrs/MQ2/ssl/qmgr2.kdb" -pw password -type cms -stash
*** Create a certificate to be signed for QMGR1 ***
runmqckm -cert -create -db "/var/mqm/qmgrs/MQ1/ssl/qmgr1.kdb" -pw password -label ibmwebspheqMQ1 -dn "CN=Qmgr1,O=IBM,OU=Hursley blog,L=Hursley,C=UK"
*** Extract the public key for QMGR1 for use with other queue managers ***
runmqckm -cert -extract -db "/var/mqm/qmgrs/MQ1/ssl/qmgr1.kdb" -pw password -label ibmwebspheqMQ1 -target "/var/mqm/qmgrs/MQ1/ssl/qmgr1cert.arm"
*** Create a certificate to be signed for QMGR2 ***
runmqckm -cert -create -db "/var/mqm/qmgrs/MQ2/ssl/qmgr2.kdb" -pw password -label ibmwebspheqMQ2 -dn "CN=Qmgr2,O=IBM,OU=Hursley blog,L=Hursley,C=UK"
*** Extract the public key for QMGR2 for use with other queue managers ***
runmqckm -cert -extract -db "/var/mqm/qmgrs/MQ2/ssl/qmgr2.kdb" -pw password -label ibmwebspheqMQ2 -target "/var/mqm/qmgrs/MQ2/ssl/qmgr2cert.arm"
*** Add the public key for QMGR2 to the QMGR1 key repository ***
runmqckm -cert -add -db "/var/mqm/qmgrs/MQ1/ssl/qmgr1.kdb" -pw password -label ibmwebspheqMQ2 -file "/var/mqm/qmgrs/MQ2/ssl/qmgr2cert.arm"
*** Add the public key for QMGR1 to the QMGR2 key repository ***
runmqckm -cert -add -db "/var/mqm/qmgrs/MQ2/ssl/qmgr2.kdb" -pw password -label ibmwebspheqMQ1 -file "/var/mqm/qmgrs/MQ1/ssl/qmgr1cert.arm"
runmqckm -cert -list all -db "/var/mqm/qmgrs/MQ1/ssl/qmgr1.kdb" -pw password -type cms
runmqckm -cert -list all -db "/var/mqm/qmgrs/MQ2/ssl/qmgr2.kdb" -pw password -type cms
AMQ8408: Display Queue Manager details.
QMNAME(MQ1)
SSLKEYR(/var/mqm/qmgrs/MQ1/ssl/qmgr1)
AMQ8408: Display Queue Manager details.
QMNAME(MQ2)
SSLKEYR(/var/mqm/qmgrs/MQ2/ssl/qmgr2)
AMQ8417: Display Channel Status details.
CHANNEL(MQ1.MQ2) CHLTYPE(SDR)
CONNAME(LOCALHOST(5656)) CURRENT
RQMNAME( ) STATUS(BINDING)
SUBSTATE(NAMESERVER) XMITQ(MQ1.XMITQ)
Error log
amqcrhna.c : 553 --------------------------------------------------------
04/07/2016 07:57:56 AM - Process(5189.1) User(mqm) Program(runmqchl)
Host(ubuntu) Installation(Installation1)
VRMF(8.0.0.4) QMgr(MQ1)
AMQ9209: Connection to host 'localhost (127.0.0.1)(5656)' for channel 'MQ1.MQ2'
closed.
EXPLANATION:
An error occurred receiving data from 'localhost (127.0.0.1)(5656)' over
TCP/IP. The connection to the remote host has unexpectedly terminated.
The channel name is 'MQ1.MQ2'; in some cases it cannot be determined and so is
shown as '????'.
ACTION:
Tell the systems administrator.
----- amqccita.c : 4113 -------------------------------------------------------
04/07/2016 07:54:05 AM - Process(3088.25) User(mqm) Program(amqrmppa)
Host(ubuntu) Installation(Installation1)
VRMF(8.0.0.4) QMgr(MQ2)
AMQ9637: Channel is lacking a certificate.
EXPLANATION:
The channel is lacking a certificate to use for the SSL handshake. The channel
name is '????' (if '????' it is unknown at this stage in the SSL processing).
The remote host is '????'.
The channel did not start.
ACTION:
Make sure the appropriate certificates are correctly configured in the key
repositories for both ends of the channel.
Could you please help to bring the channel to running status?

exerk (Jedi Council; Joined: 02 Nov 2006; Posts: 6339)
Posted: Thu Apr 07, 2016 7:14 am
Did you "refresh security type(ssl)" after doing all that?
_________________
It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys.

tczielke (Guardian; Joined: 08 Jul 2010; Posts: 941; Location: Illinois, USA)
Posted: Thu Apr 07, 2016 8:34 am
If you are using the default label naming standard then:
ibmwebspheqMQ1
should be:
ibmwebspheremqMQ1
_________________
Working with MQ since 2010.

bkiran2020 (Master; Joined: 20 Jan 2011; Posts: 243; Location: US)
Posted: Thu Apr 07, 2016 5:15 pm
tczielke wrote:
> If you are using the default label naming standard then:
> ibmwebspheqMQ1
> should be:
> ibmwebspheremqMQ1

I have re-created everything with the correct label name but am getting the same error.

exerk (Jedi Council; Joined: 02 Nov 2006; Posts: 6339)
Posted: Fri Apr 08, 2016 12:04 am
bkiran2020 wrote:
> tczielke wrote:
> > If you are using the default label naming standard then:
> > ibmwebspheqMQ1
> > should be:
> > ibmwebspheremqMQ1
>
> I have re-created everything with the correct label name but am getting the same error.

You still have not answered my question...

exerk (Jedi Council; Joined: 02 Nov 2006; Posts: 6339)
Posted: Fri Apr 08, 2016 12:05 am
tczielke wrote:
> If you are using the default label naming standard then:
> ibmwebspheqMQ1
> should be:
> ibmwebspheremqMQ1

Should that not be all lower-case for non-z/OS?

fjb_saper (Grand High Poobah; Joined: 18 Nov 2003; Posts: 20756; Location: LI,NY)
Posted: Fri Apr 08, 2016 2:11 am
And the key size has not been specified. I believe the minimum key size these days is 2048...
_________________
MQ & Broker admin

bkiran2020 (Master; Joined: 20 Jan 2011; Posts: 243; Location: US)
Posted: Fri Apr 08, 2016 2:36 am
exerk wrote:
> bkiran2020 wrote:
> > tczielke wrote:
> > > If you are using the default label naming standard then:
> > > ibmwebspheqMQ1
> > > should be:
> > > ibmwebspheremqMQ1
> >
> > I have re-created everything with the correct label name but am getting the same error.
>
> You still have not answered my question...

Yes, I have issued the refresh security type(ssl) command.

tczielke (Guardian; Joined: 08 Jul 2010; Posts: 941; Location: Illinois, USA)
Posted: Fri Apr 08, 2016 4:13 am
exerk wrote:
> tczielke wrote:
> > If you are using the default label naming standard then:
> > ibmwebspheqMQ1
> > should be:
> > ibmwebspheremqMQ1
>
> Should that not be all lower-case for non-z/OS?

Yes, you are correct.
I should have said:
> ibmwebspheqMQ1
> should be:
> ibmwebspheremqmq1

exerk (Jedi Council; Joined: 02 Nov 2006; Posts: 6339)
Posted: Fri Apr 08, 2016 4:32 am
bkiran2020 wrote:
> Yes, I have issued the refresh security type(ssl) command.

So, you have:
1. Created a Self-Signed certificate with the correct label name, case (assuming MQ version is less than 8.0), and key length in each key store?
2. Extracted each Self-Signed certificate and added it to the 'other' key store as a Signer Certificate?
3. Ensured each queue manager's SSLKEYR attribute correctly states where its key store is located?
4. Refreshed SSL security in each queue manager?
5. Set your channel SSL attributes with the same cipher spec at each end?
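The checklist above, together with the runmqckm sequence in the opening post, as an added example that is not code from the thread or from IBM: a POSIX shell script that derives the default certificate label a queue manager on a distributed platform looks for (ibmwebspheremq followed by the queue manager name in lower case), rejects a label that does not match it (the two spellings debated in this thread both fail), and emits the runmqckm/runmqsc commands that create the two repositories with 2048-bit self-signed certificates, exchange them as signers, point SSLKEYR at each repository and refresh SSL security. Repository stems, the DN values, the KDB_PASSWORD variable and the DRY_RUN switch are assumptions of this example; with the default DRY_RUN=1 it only prints the commands, so it runs anywhere.

```shell
#!/bin/sh
# Added example (not from the thread). Derive the default certificate label a
# queue manager on a distributed platform looks for, check a label against it,
# and emit the runmqckm/runmqsc sequence that pairs two queue managers with
# self-signed certificates. Assumed placeholders: repository stems, DN values,
# KDB_PASSWORD. DRY_RUN=1 (default) prints the commands instead of running them.

DRY_RUN=${DRY_RUN:-1}

# Default label on non-z/OS platforms: "ibmwebspheremq" + queue manager name in lower case.
mq_default_label() {
    printf 'ibmwebspheremq%s\n' "$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')"
}

# Succeeds only if $2 is the default label for queue manager $1
# (so both "ibmwebspheqMQ1" and "ibmwebspheremqMQ1" fail for MQ1).
mq_label_ok() {
    [ "$2" = "$(mq_default_label "$1")" ]
}

# Print the command, or run it when DRY_RUN=0.
run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$1"; else eval "$1"; fi
}

# Create the CMS key repository for one queue manager, a self-signed
# certificate under the default label with a 2048-bit key, and extract the
# certificate to <stem>.arm so the other side can trust it.
# $1 = queue manager name, $2 = repository stem (no extension), $3 = password
mq_create_repo() {
    qm=$1; stem=$2; pw=$3; label=$(mq_default_label "$qm")
    run "runmqckm -keydb -create -db \"$stem.kdb\" -pw \"$pw\" -type cms -stash"
    run "runmqckm -cert -create -db \"$stem.kdb\" -pw \"$pw\" -label $label -size 2048 -dn \"CN=$qm,O=EXAMPLE,C=US\""
    run "runmqckm -cert -extract -db \"$stem.kdb\" -pw \"$pw\" -label $label -target \"$stem.arm\""
}

# Add the peer's extracted certificate as a trusted signer, point SSLKEYR at
# this repository (stem without extension) and make the queue manager re-read it.
# $1 = this queue manager, $2 = its stem, $3 = password, $4 = peer name, $5 = peer stem
mq_trust_peer() {
    qm=$1; stem=$2; pw=$3; peer=$4; peerstem=$5
    run "runmqckm -cert -add -db \"$stem.kdb\" -pw \"$pw\" -label $(mq_default_label "$peer") -file \"$peerstem.arm\""
    run "printf \"ALTER QMGR SSLKEYR('$stem')\\nREFRESH SECURITY TYPE(SSL)\\n\" | runmqsc $qm"
}

# Full pairing for the two queue managers in the thread (paths as in the thread).
mq_pair() {
    mq_create_repo MQ1 /var/mqm/qmgrs/MQ1/ssl/qmgr1 "$1"
    mq_create_repo MQ2 /var/mqm/qmgrs/MQ2/ssl/qmgr2 "$1"
    mq_trust_peer MQ1 /var/mqm/qmgrs/MQ1/ssl/qmgr1 "$1" MQ2 /var/mqm/qmgrs/MQ2/ssl/qmgr2
    mq_trust_peer MQ2 /var/mqm/qmgrs/MQ2/ssl/qmgr2 "$1" MQ1 /var/mqm/qmgrs/MQ1/ssl/qmgr1
}

mq_pair "${KDB_PASSWORD:-changeit}"
```

The label check is the part worth keeping around: run `mq_label_ok MQ1 "$label"` against the label shown by `runmqckm -cert -list personal` before restarting a channel, because a queue manager that cannot find a personal certificate under the label it expects reports AMQ9637 exactly as in the opening post. The same signer certificate can be added under any label; only the personal certificate's label has to match.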

bkiran2020 (Master; Joined: 20 Jan 2011; Posts: 243; Location: US)
Posted: Fri Apr 08, 2016 10:20 am
exerk wrote:
> bkiran2020 wrote:
> > Yes, I have issued the refresh security type(ssl) command.
>
> So, you have:
> 1. Created a Self-Signed certificate with the correct label name, case (assuming MQ version is less than 8.0), and key length in each key store?
> 2. Extracted each Self-Signed certificate and added it to the 'other' key store as a Signer Certificate?
> 3. Ensured each queue manager's SSLKEYR attribute correctly states where its key store is located?
> 4. Refreshed SSL security in each queue manager?
> 5. Set your channel SSL attributes with the same cipher spec at each end?

I have changed the label name as suggested.
Used this: SSLCIPH(ECDHE_ECDSA_AES_128_CBC_SHA256)
At the receiver side I can see the errors below:
----- amqrmrsa.c : 930 --------------------------------------------------------
04/08/2016 11:10:11 AM - Process(3088.92) User(mqm) Program(amqrmppa)
Host(ubuntu) Installation(Installation1)
VRMF(8.0.0.4) QMgr(MQ2)
AMQ9616: The CipherSpec proposed is not enabled on the server.
EXPLANATION:
The SSL or TLS subsystem at the server end of a channel been configured in such
a way that it has rejected the CipherSpec proposed by an SSL or TLS client.
This rejection occurred during the secure socket handshake (i.e. it happened
before the proposed CipherSpec was compared with the CipherSpec in the server
channel definition).
This error most commonly occurs when the choice of acceptable CipherSpecs has
been limited in one of the following ways:
(a) The server queue manager SSLFipsRequired attribute is set to YES and the
channel is using a CipherSpec which is not FIPS-certified on the server.
(b) The server queue manager EncryptionPolicySuiteB attribute has been set to a
value other than NONE and the channel is using a CipherSpec which does not
meet the server's configured Suite B security level.
(c) The protocol used by the channel has been deprecated. Note that IBM may
need to deprecate a protocol via product maintenance in response to a
security vulnerability, for example SSLv3 has been deprecated. Continued use
of SSLv3 protocol is not recommended but may be enabled by setting
environment variable AMQ_SSL_V3_ENABLE=TRUE.
The channel is '????'; in some cases its name cannot be determined and so is
shown as '????'. The channel did not start.
The remote host name is 'localhost (127.0.0.1)'.
ACTION:
Analyse why the proposed CipherSpec was not enabled on the server. Alter the
client CipherSpec, or reconfigure the server to accept the original client
CipherSpec. Restart the channel.
This message might occur after applying WebSphere MQ maintenance because the
FIPS and Suite B standards are updated periodically. When such changes occur,
WebSphere MQ is also updated to implement the latest standard. As a result, you
might see changes in behavior after applying maintenance. For more information
about the versions of FIPS and Suite B standards enforced by WebSphere MQ,
refer to the readme:
http://www-01.ibm.com/support/docview.wss?rs=171&uid=swg27006097
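An added check for the CipherSpec used in this post, not code from the thread or from IBM: an ECDHE_ECDSA_* CipherSpec can only be served by a certificate whose key is an elliptic-curve (ECDSA) key, while ECDHE_RSA_* and TLS_RSA_* CipherSpecs need an RSA key, and the `runmqckm -cert -create` commands in the opening post, which request no EC signature algorithm, produce RSA keys. The thread never states which key type the repositories here hold, so this script makes that visible: it reads the key algorithm and size from `openssl x509 -noout -text` output for an extracted .arm file and reports whether the certificate can serve the channel's SSLCIPH, applying the 2048-bit minimum fjb_saper mentions. The sample text it runs against is constructed, so the script runs offline; `check_cert_file` is the wrapper for a real file.

```shell
#!/bin/sh
# Added example (not from the thread). Report whether a queue manager's
# certificate can serve the CipherSpec configured on a channel:
# ECDHE_ECDSA_* needs an elliptic-curve (ECDSA) key, ECDHE_RSA_* and
# TLS_RSA_* need an RSA key, and an RSA key should be at least 2048 bits.
# Key algorithm and size are parsed from `openssl x509 -noout -text` output.

# Certificate key type a CipherSpec name requires: EC, RSA or UNKNOWN.
cipherspec_key_type() {
    case "$1" in
        ECDHE_ECDSA_*)          echo EC ;;
        ECDHE_RSA_*|TLS_RSA_*)  echo RSA ;;
        *)                      echo UNKNOWN ;;
    esac
}

# Key algorithm (RSA, EC or UNKNOWN) from `openssl x509 -noout -text` on stdin.
cert_key_type_from_text() {
    text=$(cat)
    case "$text" in
        *"Public Key Algorithm: rsaEncryption"*)  echo RSA ;;
        *"Public Key Algorithm: id-ecPublicKey"*) echo EC ;;
        *)                                        echo UNKNOWN ;;
    esac
}

# Key size in bits from the same output ("RSA Public-Key: (2048 bit)" or
# "Public-Key: (256 bit)"); prints 0 if no size line is present.
cert_key_bits_from_text() {
    bits=$(sed -n 's/.*Public-Key: (\([0-9][0-9]*\) bit).*/\1/p' | head -n 1)
    echo "${bits:-0}"
}

# Returns 0 when a certificate ($2 = key type, $3 = key bits) can serve
# CipherSpec $1; otherwise prints the reason and returns 1.
check_cipher_cert() {
    cipher=$1; keytype=$2; bits=$3
    need=$(cipherspec_key_type "$cipher")
    if [ "$need" = UNKNOWN ]; then
        echo "cannot classify CipherSpec $cipher"; return 1
    fi
    if [ "$need" != "$keytype" ]; then
        echo "$cipher needs an $need certificate, repository holds $keytype"; return 1
    fi
    if [ "$keytype" = RSA ] && [ "$bits" -lt 2048 ]; then
        echo "RSA key is $bits bits, below the 2048-bit minimum"; return 1
    fi
    echo "$cipher is compatible with the $keytype $bits-bit certificate"
}

# Run the check on an extracted certificate file (PEM, e.g. qmgr1cert.arm).
# $1 = certificate file, $2 = CipherSpec from the channel's SSLCIPH
check_cert_file() {
    text=$(openssl x509 -in "$1" -noout -text) || return 1
    check_cipher_cert "$2" \
        "$(printf '%s\n' "$text" | cert_key_type_from_text)" \
        "$(printf '%s\n' "$text" | cert_key_bits_from_text)"
}

# Constructed excerpt of `openssl x509 -noout -text` for an RSA certificate
# like the ones created in the opening post (not real output from the thread).
SAMPLE_RSA_TEXT='Certificate:
    Data:
        Subject: CN = Qmgr1, O = IBM, OU = Hursley blog, L = Hursley, C = UK
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)'

# Demo against the CipherSpec used in this post: an RSA certificate cannot
# serve ECDHE_ECDSA_AES_128_CBC_SHA256 but can serve ECDHE_RSA_AES_128_CBC_SHA256.
keytype=$(printf '%s\n' "$SAMPLE_RSA_TEXT" | cert_key_type_from_text)
bits=$(printf '%s\n' "$SAMPLE_RSA_TEXT" | cert_key_bits_from_text)
check_cipher_cert ECDHE_ECDSA_AES_128_CBC_SHA256 "$keytype" "$bits" || :
check_cipher_cert ECDHE_RSA_AES_128_CBC_SHA256 "$keytype" "$bits" || :
```

Run `check_cert_file /var/mqm/qmgrs/MQ2/ssl/qmgr2cert.arm ECDHE_ECDSA_AES_128_CBC_SHA256` on the receiver's own extracted certificate: if it reports an RSA key, the receiver has no certificate it can use for that CipherSpec, and either the channel needs an RSA-based CipherSpec at both ends or the repository needs an EC certificate.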

bkiran2020 (Master; Joined: 20 Jan 2011; Posts: 243; Location: US)
Posted: Tue Apr 12, 2016 10:16 am
bkiran2020 wrote:
> [the post of Fri Apr 08, 2016 10:20 am, quoted in full]

Could you please help

Vitor (Grand High Poobah; Joined: 11 Nov 2005; Posts: 26093; Location: Texas, USA)
Posted: Tue Apr 12, 2016 12:58 pm
bkiran2020 wrote:
> Could you please help

Apparently not.....
_________________
Honesty is the best policy.
Insanity is the best defence.

bkiran2020 (Master; Joined: 20 Jan 2011; Posts: 243; Location: US)
Posted: Tue Apr 12, 2016 1:33 pm
Vitor wrote:
> bkiran2020 wrote:
> > Could you please help
>
> Apparently not.....

I am using MQ v8 development edition.

fjb_saper (Grand High Poobah; Joined: 18 Nov 2003; Posts: 20756; Location: LI,NY)
Posted: Tue Apr 12, 2016 2:15 pm
You are using a default key size. Do you know what that default is?