Facing MQRC 2399 issue with one way ssl
srikanthc60
Posted: Fri May 27, 2016 10:19 am    Post subject: Facing MQRC 2399 issue with one way ssl

Voyager

Joined: 21 Jul 2013
Posts: 79

Hi all,

We have a WebSphere JMS client connecting to an MQ 7.0.1.12 queue manager with one-way SSL. While connecting, WebSphere is getting MQRC 2399. Both MQ and WebSphere are using COMODO certs.

Below is the error in the WebSphere logs:

Caused by: com.ibm.mq.jmqi.JmqiException: CC=2;RC=2399;AMQ9204: Connection to host 'hostname(port)' rejected. [1=com.ibm.mq.jmqi.JmqiException[CC=2;RC=2399;AMQ9640: SSL invalid peer name, channel '?', attribute 'STREET (x2)'. [5=STREET (x2)]],3=hostname(port),5=RemotePeerName.setValue]

I tried to add the client certificate DN to the SSLPEER of the SVRCONN channel, but ended up with the following error:

AMQ8243: SSLPEER definition wrong.

Below is the sample DN value of the client certificate:

CN=dnsname,OU=xxxx,OU=xxxx,OU=xxx,O=xx,STREET=xxxxxxxx,L=xxxx,ST=xx,PC=xx,C=xx

I found that the STREET value is not supported by the MQ version. But the same is running successfully on another lower environment.

Any help is appreciated!! Thanks
hughson
Posted: Sun May 29, 2016 7:22 pm

Padawan

Joined: 09 May 2013
Posts: 1914
Location: Bay of Plenty, New Zealand

Please show us the error that the SVRCONN channel wrote in the QMgr AMQERR01.LOG

Cheers
Morag
_________________
Morag Hughson @MoragHughson
IBM MQ Technical Education Specialist
Get your IBM MQ training here!
MQGem Software
srikanthc60
Posted: Sun May 29, 2016 8:13 pm

Voyager

Joined: 21 Jul 2013
Posts: 79

Here is the error from the QMGR error log:

----- amqrmrsa.c : 595 --------------------------------------------------------
05/29/16 19:51:54 - Process(18677790.68255) User(mqm) Program(amqrmppa)
Host(hostanme)
AMQ9665: SSL connection closed by remote end of channel '????'.

EXPLANATION:
The SSL connection was closed by the remote end of the channel during the SSL
handshake. The channel is '????'; in some cases its name cannot be determined
and so is shown as '????'. The channel did not start.
ACTION:
Check the remote end of the channel for SSL-related errors. Fix them and
restart the channel.
----- amqccisa.c : 6621 -------------------------------------------------------
05/29/16 19:51:54 - Process(18677790.68255) User(mqm) Program(amqrmppa)
Host(hostanme)
AMQ9492: The TCP/IP responder program encountered an error.

EXPLANATION:
The responder program was started but detected an error.
ACTION:
Look at previous error messages in the error files to determine the error
encountered by the responder program.
----- amqrmrsa.c : 595 --------------------------------------------------------
srikanthc60
Posted: Sun May 29, 2016 8:35 pm

Voyager

Joined: 21 Jul 2013
Posts: 79

Forgot to mention that in lower environments MQ has a self-signed certificate but WebSphere is using COMODO.
hughson
Posted: Sun May 29, 2016 9:32 pm

Padawan

Joined: 09 May 2013
Posts: 1914
Location: Bay of Plenty, New Zealand

From your AMQERR01.LOG message it would seem that it is the client that is rejecting the connection. Can you tell us the client version and Java version?

srikanthc60 wrote:
Caused by: com.ibm.mq.jmqi.JmqiException: CC=2;RC=2399;AMQ9204: Connection to host 'hostname(port)' rejected. [1=com.ibm.mq.jmqi.JmqiException[CC=2;RC=2399;AMQ9640: SSL invalid peer name, channel '?', attribute 'STREET (x2)'. [5=STREET (x2)]],3=hostname(port),5=RemotePeerName.setValue]

It does rather seem like it doesn't like STREET.

srikanthc60 wrote:
Below is the sample DN value of the client certificate:

CN=dnsname,OU=xxxx,OU=xxxx,OU=xxx,O=xx,STREET=xxxxxxxx,L=xxxx,ST=xx,PC=xx,C=xx

I found that the STREET value is not supported by the MQ version. But the same is running successfully on another lower environment.

When you say the same is running successfully on another environment, does the DN contain STREET there too?

Cheers
Morag
_________________
Morag Hughson @MoragHughson
IBM MQ Technical Education Specialist
Get your IBM MQ training here!
MQGem Software
srikanthc60
Posted: Sun May 29, 2016 10:24 pm

Voyager

Joined: 21 Jul 2013
Posts: 79

Thanks for the reply Morag!!

The client was connecting from WebSphere 8.5 using JMS. I need to know the version of the MQ JMS jar files which the client is using.

The MQ server has Java 1.6.0.

Does the client need to upgrade the MQ JMS classes to match the MQ server?

In the lower env, which has the self-signed certificate in MQ, there is NO STREET attribute in the DN.
hughson
Posted: Mon May 30, 2016 12:05 am

Padawan

Joined: 09 May 2013
Posts: 1914
Location: Bay of Plenty, New Zealand

srikanthc60 wrote:
I found that the STREET value is not supported by the MQ version.

It seems you had your answer all along.

At first you said:-
srikanthc60 wrote:
But the same is running successfully on another lower environment.

and then later corrected it to:-
srikanthc60 wrote:
In the lower env, which has the self-signed certificate in MQ, there is NO STREET attribute in the DN.

So it is clear that the STREET attribute is indeed making the difference.

srikanthc60 wrote:
Does the client need to upgrade the MQ JMS classes to match the MQ server?

It is not necessary for them to match. What is necessary is for them to be at a level that supports the STREET attribute. You said you found that it was not supported; did the resource that told you that say which version did support it? You need to ensure both client and queue manager are at least at that value.

Alternatively, you can get certificates that don't include the STREET attribute.

Cheers
Morag
_________________
Morag Hughson @MoragHughson
IBM MQ Technical Education Specialist
Get your IBM MQ training here!
MQGem Software
srikanthc60
Posted: Mon May 30, 2016 12:11 am

Voyager

Joined: 21 Jul 2013
Posts: 79

Thank-you very much!!!
fjb_saper
Posted: Mon May 30, 2016 10:02 am

Grand High Poobah

Joined: 18 Nov 2003
Posts: 20695
Location: LI,NY

@Morag

Would it be sufficient not to check the STREET attribute in the SSL PEER?
_________________
MQ & Broker admin
hughson
Posted: Mon May 30, 2016 2:22 pm    Post subject: Re: Facing MQRC 2399 issue with one way ssl

Padawan

Joined: 09 May 2013
Posts: 1914
Location: Bay of Plenty, New Zealand

The OP said:-
srikanthc60 wrote:
I tried to add the client certificate DN to the SSLPEER of the SVRCONN channel, but ended up with the following error:

AMQ8243: SSLPEER definition wrong.

which I read to mean he was unsuccessful in putting STREET into the DN, and also that it was failing before he tried that.

Cheers
Morag
_________________
Morag Hughson @MoragHughson
IBM MQ Technical Education Specialist
Get your IBM MQ training here!
MQGem Software
fjb_saper
Posted: Mon May 30, 2016 7:50 pm    Post subject: Re: Facing MQRC 2399 issue with one way ssl

Grand High Poobah

Joined: 18 Nov 2003
Posts: 20695
Location: LI,NY

hughson wrote:
The OP said:-
srikanthc60 wrote:
I tried to add the client certificate DN to the SSLPEER of the SVRCONN channel, but ended up with the following error:

AMQ8243: SSLPEER definition wrong.

which I read to mean he was unsuccessful in putting STREET into the DN, and also that it was failing before he tried that.

Cheers
Morag

Not quite my take on it. I read that to mean that he could not test for STREET in the SSLPEER and that would make total sense as the IBM setup does not care for the information. It does not necessarily mean that the cert is not valid, nor that it cannot be used. (I would expect that the street value appears under some weird number as detail info on the cert.)

I would not expect that to be on the server cert but more on the client cert, which is what the OP said... and that would make it 2 way SSL...

So my question is: if you drop the unsupported attributes (STREET) from the SSLPEER check of the DN does it work fine or do you hit other road blocks with this specific cert?
_________________
MQ & Broker admin
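
A triage helper for the failure discussed in this thread, added here as an example (not code from any poster or from IBM): it extracts the reason code and the attribute named by AMQ9640 from the exception text, finds that attribute in the certificate DN, and produces the DN with it dropped, which is the string both the replacement-certificate and the reduced-SSLPEER suggestions start from. The function names are hypothetical, the sample inputs are the sanitised strings quoted in the thread, and taking the first token of the 'attribute' insert as the DN attribute type is an assumption.

```python
import re

# Constructed sample inputs: the exception text (with its line wrap) and sanitised DN from the thread.
SAMPLE_EXCEPTION = (
    "com.ibm.mq.jmqi.JmqiException: CC=2;RC=2399;AMQ9204: Connection to host 'hostname(port)' "
    "rejected. [1=com.ibm.mq.jmqi.JmqiException[CC=2;RC=\n2399;AMQ9640: SSL invalid peer name, "
    "channel '?', attribute 'STREET (x2)'. [5=STREET (x2)]],3=hostname(port),5=RemotePeerName.setValue]"
)
SAMPLE_DN = "CN=dnsname,OU=xxxx,OU=xxxx,OU=xxx,O=xx,STREET=xxxxxxxx,L=xxxx,ST=xx,PC=xx,C=xx"

def parse_exception(text):
    """Extract reason codes, AMQ message ids and the AMQ9640 attribute insert.

    'attribute' is the first token of the insert (assumption), e.g. STREET from 'STREET (x2)'.
    """
    match = re.search(r"AMQ9640:.*?attribute '([^']*)'", text, re.S)
    raw = match.group(1) if match else ""
    return {
        "reason_codes": sorted({int(rc) for rc in re.findall(r"RC=\s*(\d+)", text)}),
        "messages": list(dict.fromkeys(re.findall(r"AMQ\d{4}", text))),
        "raw_attribute": raw,
        "attribute": raw.split()[0].upper() if raw.split() else None,
    }

def split_dn(dn):
    """Split a DN into (TYPE, value) pairs; commas inside quotes or after a backslash stay."""
    parts, buf, quoted, escaped = [], "", False, False
    for ch in dn:
        if ch == "," and not quoted and not escaped:
            parts.append(buf)
            buf = ""
            continue
        quoted = (not quoted) if (ch == '"' and not escaped) else quoted
        escaped = (ch == "\\") and not escaped
        buf += ch
    parts.append(buf)
    pairs = []
    for part in filter(str.strip, parts):
        typ, sep, val = part.partition("=")
        if not sep:
            raise ValueError(f"malformed RDN: {part!r}")
        pairs.append((typ.strip().upper(), val.strip()))
    return pairs

def triage(exception_text, dn):
    """Report where the attribute named in AMQ9640 occurs in the DN, and the DN without it."""
    info = parse_exception(exception_text)
    pairs = split_dn(dn)
    info["positions_in_dn"] = [i for i, (t, _) in enumerate(pairs) if t == info["attribute"]]
    info["dn_without_attribute"] = ",".join(f"{t}={v}" for t, v in pairs if t != info["attribute"])
    return info
```

Calling `triage(SAMPLE_EXCEPTION, SAMPLE_DN)` returns a dict; an empty `positions_in_dn` means the attribute named in the error is not in the DN that was checked, so the DN being inspected is probably not the one the client rejected.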