SSL issue in MQ in IBM I-Series
abhinitrkl
Posted: Wed Dec 20, 2017 10:48 pm    Post subject: SSL issue in MQ in IBM I-Series

Newbie

Joined: 20 Dec 2017
Posts: 4

Hi,

We have MQ installed on an IBM I-Series server and we are trying to use SSL for security purposes. The QMGR of MQ on IBM I-Series is interacting with the QMGR of MQ installed on AIX.
The certificates (CA, .p12) were all created by MQ installed on AIX and were uploaded on the I-Series side by using DCM. The .p12 certificate is using the certificate label ibmwebspeheremq<qmgr name> and the same has been configured on the I-Series side.
Sender Channel is at the AIX side and Receiver Channel is at the I-Series side.
When trying to connect from AIX to I-Series, we are getting the below error:
AMQ9637: Channel is lacking a certificate.

EXPLANATION:

Cause . . . . . : The channel is lacking a certificate to use for the SSL
handshake. The channel name is '????' (if '????' it is unknown at this stage in
the SSL processing).

The remote host is '????'.

The channel did not start.
Recovery . . . : Make sure the appropriate certificates are correctly
configured in the key repositories for both ends of the channel.


We have checked everything and it looks fine. Not sure what is going wrong or how to check the SSL configuration on the I-Series side (apparently MQCERTCHK doesn't work on the I-Series side).

Kindly help.

Thanks
Abhi
exerk
Posted: Thu Dec 21, 2017 1:52 am

Jedi Council

Joined: 02 Nov 2006
Posts: 6339

Where are you seeing that error, the AIX or iSeries side?

Have you had/got successfully running channels to/from the AIX queue manager to any other queue manager, before trying to connect the iSeries one?
_________________
It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys.
fjb_saper
Posted: Thu Dec 21, 2017 6:03 am    Post subject: Re: SSL issue in MQ in IBM I-Series

Grand High Poobah

Joined: 18 Nov 2003
Posts: 20696
Location: LI,NY

abhinitrkl wrote:
Hi,

The .p12 certificate is using Certificate label ibmwebspeheremq<qmgr name> and the same has been configured in the I-Series side.
Sender Channel is at AIX side and Receiver Channel is at I-Series Side.
When trying to connect from AIX to I-Series, we are getting below error:
Code:
AMQ9637: Channel is lacking a certificate.

EXPLANATION:

Cause . . . . . :   The channel is lacking a certificate to use for the SSL
handshake. The channel name is '????' (if '????' it is unknown at this stage in
the SSL processing).

The remote host is '????'.



Kindly help.

Thanks
Abhi

You might want to check your spelling.
Apparently you have a misspelled label name for the certs:
it MUST read:
ibmwebspheremq and not ibmwebspeheremq
Have fun
_________________
MQ & Broker admin
abhinitrkl
Posted: Thu Dec 21, 2017 8:04 am    Post subject: SSL issue in MQ in IBM I-Series

Newbie

Joined: 20 Dec 2017
Posts: 4

@ EXERK,

I am seeing this error on the I-Series side in the MQ error log. On the AIX side there are apparently no logs which can tell the error.
We first tried to connect the channels without SSL and SSL cipher and it worked fine. However, when we added SSL, the channels are not RUNNING. So I assume that it has something to do with the SSL setup, though I cannot figure out what exactly. Any thoughts/suggestions on what to check at the I-Series end?


@fjb_saper,
Thanks for the correction; the spelling mistake was only in my post in the forum and not in the MQ setup. I did double check, though.
_________________
Thanks & Regards
Abhi
JosephGramig
Posted: Thu Dec 28, 2017 11:39 am

Grand Master

Joined: 09 Feb 2006
Posts: 1230
Location: Gold Coast of Florida, USA

So the message is telling you the iSeries Qmgr cannot find the X.509 public cert to send back to the AIX sender channel to verify based on the label.

The Qmgr settings say what the default label is.
The channel could override the label...

In any case, make sure the Key Store shows you what the label is and that the Qmgr or channel label matches.

You could list:
  • Qmgr settings
  • Channel definition
  • Key Store contents
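The label check described in the post above, as an added example (not code from the thread or from IBM MQ): it resolves which label is in effect, with the channel label overriding the queue manager label and the default assumed to be ibmwebspheremq plus the queue manager name in lower case, then compares it with labels copied from the key store. The function names and the sample labels are constructed for illustration.

```python
from difflib import get_close_matches

DEFAULT_PREFIX = "ibmwebspheremq"  # default label prefix named in the thread


def effective_label(qmgr_name, qmgr_certlabl="", chl_certlabl=""):
    """Label that will be looked up: the channel's label overrides the
    queue manager's, which overrides the default (assumed here to be the
    prefix plus the queue manager name folded to lower case)."""
    if chl_certlabl.strip():
        return chl_certlabl.strip(), "channel"
    if qmgr_certlabl.strip():
        return qmgr_certlabl.strip(), "qmgr"
    return DEFAULT_PREFIX + qmgr_name.lower(), "default"


def check_label(qmgr_name, keystore_labels, qmgr_certlabl="", chl_certlabl=""):
    """Compare the effective label with the labels present in the key store."""
    wanted, source = effective_label(qmgr_name, qmgr_certlabl, chl_certlabl)
    result = {"wanted": wanted, "source": source, "status": "missing", "hint": None}
    if wanted in keystore_labels:
        result["status"] = "ok"
        return result
    # Case-only difference: present, but an exact comparison would fail.
    for label in keystore_labels:
        if label.lower() == wanted.lower():
            result.update(status="case_mismatch", hint=label)
            return result
    # Near miss, such as a transposed or extra letter in the label.
    close = get_close_matches(wanted, keystore_labels, n=1, cutoff=0.85)
    if close:
        result.update(status="near_miss", hint=close[0])
    return result


if __name__ == "__main__":
    # Constructed sample: queue manager QM1, labels as copied from a key store.
    print(check_label("QM1", ["ibmwebspeheremqqm1", "Root CA"]))
    print(check_label("QM1", ["ibmwebspheremqqm1"]))
    print(check_label("QM1", ["ibmwebspheremqQM1"]))
    print(check_label("QM1", ["ibmwebspheremqqm1"], chl_certlabl="payments"))
```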
abhinitrkl
Posted: Thu Dec 28, 2017 7:03 pm

Newbie

Joined: 20 Dec 2017
Posts: 4

Thanks guys, the issue has been resolved. Your comments were much appreciated.

Thanks
Abhi
_________________
Thanks & Regards
Abhi
exerk
Posted: Fri Dec 29, 2017 1:15 am

Jedi Council

Joined: 02 Nov 2006
Posts: 6339

abhinitrkl wrote:
Thanks guys, the issue has been resolved...

Would you care to tell us how?
_________________
It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys.
abhinitrkl
Posted: Fri Dec 29, 2017 2:36 am

Newbie

Joined: 20 Dec 2017
Posts: 4

I checked with IBM Support and they recommended using *SYSTEM as the keystore location instead of another keystore location (though they did also say that another keystore location should also work). So I reimported the certificate at *SYSTEM in DCM, put *SYSTEM as the keystore location in the Queue Manager, and then assigned the certificate to the Queue Manager (as application) in DCM.

Restarted the channels and it worked.
_________________
Thanks & Regards
Abhi