srikanthc60
Posted: Fri May 27, 2016 10:19 am
Post subject: Facing MQRC 2399 issue with one way ssl
Hi all,
We have a WebSphere JMS client connecting to an MQ 7.0.1.12 queue manager with one-way SSL. While connecting, WebSphere is getting MQRC 2399. Both MQ and WebSphere are using COMODO certs.
Below is the error in the WebSphere logs:
Caused by: com.ibm.mq.jmqi.JmqiException: CC=2;RC=2399;AMQ9204: Connection to host 'hostname(port)' rejected. [1=com.ibm.mq.jmqi.JmqiException[CC=2;RC=2399;AMQ9640: SSL invalid peer name, channel '?', attribute 'STREET (x2)'. [5=STREET (x2)]],3=hostname(port),5=RemotePeerName.setValue]
I tried to add the client certificate DN to the SSLPEER of the SVRCONN channel, but ended up with the following error:
AMQ8243: SSLPEER definition wrong.
Below is a sample DN value of the client certificate:
CN=dnsname,OU=xxxx,OU=xxxx,OU=xxx,O=xx,STREET=xxxxxxxx,L=xxxx,ST=xx,PC=xx,C=xx
I found that the STREET value is not supported by the MQ version, but the same is running successfully on another, lower environment.
Any help is appreciated!! Thanks
hughson
Posted: Sun May 29, 2016 7:22 pm
Please show us the error that the SVRCONN channel wrote in the QMgr AMQERR01.LOG.
Cheers
Morag
_________________
Morag Hughson @MoragHughson
IBM MQ Technical Education Specialist
Get your IBM MQ training here!
MQGem Software
srikanthc60
Posted: Sun May 29, 2016 8:13 pm
Here is the error from the QMGR error log:
----- amqrmrsa.c : 595 --------------------------------------------------------
05/29/16 19:51:54 - Process(18677790.68255) User(mqm) Program(amqrmppa)
Host(hostname)
AMQ9665: SSL connection closed by remote end of channel '????'.
EXPLANATION:
The SSL connection was closed by the remote end of the channel during the SSL
handshake. The channel is '????'; in some cases its name cannot be determined
and so is shown as '????'. The channel did not start.
ACTION:
Check the remote end of the channel for SSL-related errors. Fix them and
restart the channel.
----- amqccisa.c : 6621 -------------------------------------------------------
05/29/16 19:51:54 - Process(18677790.68255) User(mqm) Program(amqrmppa)
Host(hostname)
AMQ9492: The TCP/IP responder program encountered an error.
EXPLANATION:
The responder program was started but detected an error.
ACTION:
Look at previous error messages in the error files to determine the error
encountered by the responder program.
----- amqrmrsa.c : 595 --------------------------------------------------------
srikanthc60
Posted: Sun May 29, 2016 8:35 pm
Forgot to mention that in the lower environments MQ has a self-signed certificate but WebSphere is using COMODO.
hughson
Posted: Sun May 29, 2016 9:32 pm
From your AMQERR01.LOG message it would seem that it is the client that is rejecting the connection. Can you tell us the client version and Java version?
srikanthc60 wrote:
    Caused by: com.ibm.mq.jmqi.JmqiException: CC=2;RC=2399;AMQ9204: Connection to host 'hostname(port)' rejected. [1=com.ibm.mq.jmqi.JmqiException[CC=2;RC=2399;AMQ9640: SSL invalid peer name, channel '?', attribute 'STREET (x2)'. [5=STREET (x2)]],3=hostname(port),5=RemotePeerName.setValue]
It does rather seem like it doesn't like STREET.
srikanthc60 wrote:
    Below is a sample DN value of the client certificate:
    CN=dnsname,OU=xxxx,OU=xxxx,OU=xxx,O=xx,STREET=xxxxxxxx,L=xxxx,ST=xx,PC=xx,C=xx
    I found that the STREET value is not supported by the MQ version, but the same is running successfully on another, lower environment.
When you say the same is running successfully in another environment, does the DN contain STREET there too?
Cheers
Morag
srikanthc60
Posted: Sun May 29, 2016 10:24 pm
Thanks for the reply, Morag!!
The client was connecting from WebSphere 8.5 using JMS. I need to find out the version of the MQ JMS jar files which the client is using.
The MQ server has Java 1.6.0.
Does the client need to upgrade the MQ JMS classes to match the MQ server?
In the lower env, which has the self-signed certificate in MQ, there is NO STREET attribute in the DN.
hughson
Posted: Mon May 30, 2016 12:05 am
srikanthc60 wrote:
    I found that the STREET value is not supported by the MQ version.
It seems you had your answer all along.
At first you said:
srikanthc60 wrote:
    But the same is running successfully on another, lower environment.
and then later corrected it to:
srikanthc60 wrote:
    In the lower env, which has the self-signed certificate in MQ, there is NO STREET attribute in the DN.
So it is clear that the STREET attribute is indeed making the difference.
srikanthc60 wrote:
    Does the client need to upgrade the MQ JMS classes to match the MQ server?
It is not necessary for them to match. What is necessary is for them to be at a level that supports the STREET attribute. You said you found that it was not supported; did the resource that told you that say which version does support it? You need to ensure both client and queue manager are at least at that level.
Alternatively, you can get certificates that don't include the STREET attribute.
Cheers
Morag
fjb_saper
Posted: Mon May 30, 2016 10:02 am
@Morag
Would it be sufficient not to check the STREET attribute in the SSLPEER?
_________________
MQ & Broker admin
hughson
Posted: Mon May 30, 2016 2:22 pm
Post subject: Re: Facing MQRC 2399 issue with one way ssl
The OP said:
srikanthc60 wrote:
    I tried to add the client certificate DN to the SSLPEER of the SVRCONN channel, but ended up with the following error:
    AMQ8243: SSLPEER definition wrong.
which I read to mean he was unsuccessful in putting STREET into the DN, and also that it was failing before he tried that.
Cheers
Morag
fjb_saper
Posted: Mon May 30, 2016 7:50 pm
Post subject: Re: Facing MQRC 2399 issue with one way ssl
hughson wrote:
    The OP said:
    srikanthc60 wrote:
        I tried to add the client certificate DN to the SSLPEER of the SVRCONN channel, but ended up with the following error:
        AMQ8243: SSLPEER definition wrong.
    which I read to mean he was unsuccessful in putting STREET into the DN, and also that it was failing before he tried that.
    Cheers
    Morag
Not quite my take on it. I read that to mean that he could not test for STREET in the SSLPEER, and that would make total sense, as the IBM setup does not care for the information. It does not necessarily mean that the cert is not valid, nor that it cannot be used. (I would expect that the STREET value appears under some weird number as detail info on the cert.)
I would not expect that to be on the server cert but more on the client cert, which is what the OP said... and that would make it 2-way SSL...
So my question is: if you drop the unsupported attributes (STREET) from the SSLPEER check of the DN, does it work fine, or do you hit other road blocks with this specific cert?
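As an added example (not code from the thread or from IBM), the following Python script does the two things the last replies turn on: it splits the DN posted above into its attributes in order, reports which attribute types fall outside a caller-supplied list of SSLPEER-accepted types (Morag's "at a level that supports the STREET attribute"), and builds the reduced SSLPEER value that fjb_saper asks about, rendered as the MQSC ALTER CHANNEL command. The allowlist ASSUMED_SSLPEER_ATTRS is an illustrative assumption that deliberately omits STREET to mirror the thread; the real set depends on the queue manager and client level, so take it from the SSLPEER documentation for yours. The channel name APP.SVRCONN is hypothetical, and the double-quoting of values that contain a comma is also an assumption to check against the SSLPEER syntax for your level.

```python
"""Added example (not from the thread): split a certificate subject DN into its
attributes, report which attribute types a given SSLPEER allowlist does not
accept, and build the reduced SSLPEER filter that keeps only the rest."""
from typing import List, Set, Tuple

# ASSUMPTION: illustrative allowlist of attribute types accepted in SSLPEER.
# It deliberately omits STREET to mirror the thread; the real set depends on the
# MQ queue manager and client level, so take it from the SSLPEER docs for yours.
ASSUMED_SSLPEER_ATTRS: Set[str] = {
    "CN", "OU", "O", "L", "ST", "C", "PC", "DC", "T",
    "E", "MAIL", "SERIALNUMBER", "UID", "DNQ",
}

# Sample DN as posted in the thread (values already redacted by the poster).
SAMPLE_DN = "CN=dnsname,OU=xxxx,OU=xxxx,OU=xxx,O=xx,STREET=xxxxxxxx,L=xxxx,ST=xx,PC=xx,C=xx"


def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """Split a string DN into ordered (TYPE, value) pairs.

    Handles the two ways a comma can appear inside a value: backslash escaping
    (RFC 4514) and double-quoted values (legacy syntax). Attribute types are
    upper-cased so that ST and st compare equal. Multi-valued RDNs joined with
    '+' are not handled, as the thread's DN has none.
    """
    parts: List[str] = []
    buf: List[str] = []
    in_quotes = False
    i = 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):   # escaped character: keep it literally
            buf.append(dn[i + 1])
            i += 2
            continue
        if ch == '"':                         # enter / leave a quoted value
            in_quotes = not in_quotes
            i += 1
            continue
        if ch == "," and not in_quotes:       # RDN separator
            parts.append("".join(buf))
            buf = []
            i += 1
            continue
        buf.append(ch)
        i += 1
    parts.append("".join(buf))
    if in_quotes:
        raise ValueError("unterminated quoted value in DN")

    rdns: List[Tuple[str, str]] = []
    for part in parts:
        if "=" not in part:
            raise ValueError(f"RDN without '=': {part!r}")
        attr_type, value = part.split("=", 1)
        rdns.append((attr_type.strip().upper(), value.strip()))
    return rdns


def unsupported_attributes(rdns: List[Tuple[str, str]], supported: Set[str]) -> List[str]:
    """Attribute types present in the DN but absent from the allowlist, in DN order."""
    return [t for t, _ in rdns if t not in supported]


def sslpeer_from_dn(rdns: List[Tuple[str, str]], supported: Set[str]) -> str:
    """Build an SSLPEER value from the accepted attributes only, preserving DN order.

    ASSUMPTION: a value containing a comma is wrapped in double quotes; confirm
    this against the SSLPEER syntax for your MQ level before relying on it.
    """
    kept = []
    for t, v in rdns:
        if t in supported:
            kept.append(f'{t}="{v}"' if "," in v else f"{t}={v}")
    return ",".join(kept)


def mqsc_alter_sslpeer(channel: str, sslpeer: str) -> str:
    """Render the MQSC command that sets SSLPEER on a SVRCONN channel."""
    return f"ALTER CHANNEL({channel}) CHLTYPE(SVRCONN) SSLPEER('{sslpeer}')"


if __name__ == "__main__":
    rdns = parse_dn(SAMPLE_DN)
    print("attributes in DN order:", [t for t, _ in rdns])
    print("not in allowlist:", unsupported_attributes(rdns, ASSUMED_SSLPEER_ATTRS))
    # APP.SVRCONN is a hypothetical channel name.
    print(mqsc_alter_sslpeer("APP.SVRCONN", sslpeer_from_dn(rdns, ASSUMED_SSLPEER_ATTRS)))
```

Two caveats when using the reduced filter. First, SSLPEER is only a filter applied after the certificate chain has been validated, and every attribute you drop from it widens the set of certificates from the same trusted issuer that will match, so the narrower the filter, the more the trust store has to carry the identity check. Second, as Morag points out from the AMQERR01.LOG, the AMQ9640 in the WebSphere log was raised on the client side; a narrower SSLPEER on the SVRCONN channel addresses only the AMQ8243 definition error on the queue manager.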