| Author |
Message
|
| mfiorel1 |
 Posted: Thu Aug 31, 2017 1:11 pm Post subject: Managed .NET Client Connecting with SSL. MQ version 8.0 |
 |
|
Newbie
Joined: 18 Aug 2017
Posts: 7
|
I'm receiving the below error when connecting from my .NET client application. No errors are shown on the server:
Remote host '10.158.193.51(1416)' not available, retry later.
The attempt to allocate a conversation using TCP/IP to host '10.158.193.51(1416)' for channel (Exception) was not successful. However the error may be a transitory one and it may be possible to successfully allocate a TCP/IP conversation later.
When I remove the SSL_CIPHER_SPEC property, the connection does reach the server, and I get the below in the server logs (makes sense).
AMQ9639: Remote channel 'CHANNEL_SSL' did not specify a CipherSpec.
EXPLANATION:
Remote channel 'CHANNEL_SSL' did not specify a CipherSpec when the local
channel expected one to be specified.
The remote host is 'wpidvwtest02 (10.158.193.152)'.
The channel did not start.
ACTION:
Change the remote channel 'CHANNEL_SSL' on host 'wpidvwtest02 (10.158.193.152)'
to specify a CipherSpec so that both ends of the channel have matching
CipherSpecs.
I sense this is not a networking issue given that I can connect to other QMs from the same machine. Are there special consideration I need to make connecting to MQ via SSL with a Managed .NET Client? I'm specifying all the necessary properties : SSL_CIPHER_SPEC_PROPERTY, SSL_CERT_STORE_PROPERTY, and TRANSPORT_PROPERTY = TRANSPORT_MQSERIES_MANAGED. |
|
| Back to top |
|
 |
| hughson |
| Posted: Thu Aug 31, 2017 2:46 pm Post subject: |
|
|
Padawan
Joined: 09 May 2013
Posts: 1959
Location: Bay of Plenty, New Zealand
|
SSL in .NET in a managed environment is very different from SSL in .NET using the C client underneath (non-managed).
This blog post details what you should do. How does what it says compare to what you did?
MQ v8: SSL connection in Managed MQ .NET
Cheers,
Morag
_________________
Morag Hughson @MoragHughson
IBM MQ Technical Education Specialist
Get your IBM MQ training here!
MQGem Software |
|
| Back to top |
|
|
| tczielke |
| Posted: Fri Sep 01, 2017 4:47 am Post subject: |
|
|
Guardian
Joined: 08 Jul 2010
Posts: 941
Location: Illinois, USA
|
It might help from a debugging standpoint to also set up a non-encrypted channel and see what RPRODUCT value is being displayed in the DIS CHSTATUS on the SVRCONN side. It would help determine if you are really managed, non-managed, the C client, etc.
_________________
Working with MQ since 2010. |
|
| Back to top |
|
|
| mfiorel1 |
| Posted: Fri Sep 01, 2017 7:27 am Post subject: |
|
|
Newbie
Joined: 18 Aug 2017
Posts: 7
|
Thanks Morag - i followed the config steps based on the blog post. I made no coding changes, and passed in *SYSTEM as my keyrepository. Connection works with SSLCAUTH(OPTIONAL), but I get AMQ9637 with SSLCAUTH(REQUIRED). The below blog post almost exactly identifies this problem and says I must generate my keys with the RSA signature algorithm, and that the java keytool (which I use) may not do this.
http://www-01.ibm.com/support/docview.wss?uid=swg21425309 |
|
| Back to top |
|
|
| hughson |
| Posted: Fri Sep 01, 2017 3:53 pm Post subject: |
|
|
Padawan
Joined: 09 May 2013
Posts: 1959
Location: Bay of Plenty, New Zealand
|
What happens when you do as the tech note suggests? Does it fix your problem?
_________________
Morag Hughson @MoragHughson
IBM MQ Technical Education Specialist
Get your IBM MQ training here!
MQGem Software |
|
| Back to top |
|
|
| fjb_saper |
| Posted: Sat Sep 02, 2017 8:26 am Post subject: |
|
|
Grand High Poobah
Joined: 18 Nov 2003
Posts: 20756
Location: LI,NY
|
| mfiorel1 wrote: |
Thanks Morag - i followed the config steps based on the blog post. I made no coding changes, and passed in *SYSTEM as my keyrepository. Connection works with SSLCAUTH(OPTIONAL), but I get AMQ9637 with SSLCAUTH(REQUIRED). The below blog post almost exactly identifies this problem and says I must generate my keys with the RSA signature algorithm, and that the java keytool (which I use) may not do this.
http://www-01.ibm.com/support/docview.wss?uid=swg21425309 |
The question is more like following:
How do you create your client private key when your repository is *SYSTEM? (and that is more a Micro$oft question... 
_________________
MQ & Broker admin |
|
| Back to top |
|
|
|
|
