abhinitrkl |
Posted: Wed Dec 20, 2017 10:48 pm Post subject: SSL issue in MQ in IBM I-Series |
|
|
 Newbie
Joined: 20 Dec 2017 Posts: 4
|
Hi,
We have MQ installed on an IBM I-Series server and we are trying to use SSL for security purposes. The QMGR of MQ on IBM I-Series is interacting with the QMGR of MQ installed on AIX.
The certificates (CA, .p12) were all created by MQ installed on AIX and were uploaded on the I-Series side using DCM. The .p12 certificate is using Certificate label ibmwebspeheremq<qmgr name> and the same has been configured on the I-Series side.
The Sender Channel is on the AIX side and the Receiver Channel is on the I-Series side.
When trying to connect from AIX to I-Series, we are getting the below error:
AMQ9637: Channel is lacking a certificate.
EXPLANATION:
Cause . . . . . : The channel is lacking a certificate to use for the SSL
handshake. The channel name is '????' (if '????' it is unknown at this stage in
the SSL processing).
The remote host is '????'.
The channel did not start.
Recovery . . . : Make sure the appropriate certificates are correctly
configured in the key repositories for both ends of the channel.
We have checked everything and it looks fine. Not sure what is going wrong or how to check the SSL configuration on the I-Series side (apparently MQCERTCHK doesn't work on the I-Series side).
Kindly help.
Thanks
Abhi |
|
exerk |
Posted: Thu Dec 21, 2017 1:52 am Post subject: |
|
|
 Jedi Council
Joined: 02 Nov 2006 Posts: 6339
|
Where are you seeing that error, the AIX or iSeries side?
Have you had/got successfully running channels to/from the AIX queue manager to any other queue manager, before trying to connect the iSeries one? _________________ It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys. |
|
fjb_saper |
Posted: Thu Dec 21, 2017 6:03 am Post subject: Re: SSL issue in MQ in IBM I-Series |
|
|
 Grand High Poobah
Joined: 18 Nov 2003 Posts: 20756 Location: LI,NY
|
abhinitrkl wrote: |
Hi,
The .p12 certificate is using Certificate label ibmwebspeheremq<qmgr name> and the same has been configured in the I-Series side.
Sender Channel is at AIX side and Receiver Channel is at I-Series Side.
When trying to connect from AIX to I-Series, we are getting below error:
Code: |
AMQ9637: Channel is lacking a certificate.
EXPLANATION:
Cause . . . . . : The channel is lacking a certificate to use for the SSL
handshake. The channel name is '????' (if '????' it is unknown at this stage in
the SSL processing).
The remote host is '????'. |
Kindly help.
Thanks
Abhi |
You might want to check your spelling.
Apparently you have a misspelled label name for the certs:
it MUST read:
ibmwebspheremq and not ibmwebspeheremq
Have fun  _________________ MQ & Broker admin |
|
abhinitrkl |
Posted: Thu Dec 21, 2017 8:04 am Post subject: SSL issue in MQ in IBM I-Series |
|
|
 Newbie
Joined: 20 Dec 2017 Posts: 4
|
@ EXERK,
I am seeing this error on the I-Series side in the MQ Error Log. On the AIX side there are apparently no logs which can tell the error.
We first tried to connect the channels without SSL and SSL Cipher and it worked fine. However, when we added the SSL, the channels are not RUNNING. So I assume that it has something to do with the SSL setup, though I cannot figure out what exactly. Any thoughts/suggestions to check at the I-Series end?
@fjb_saper,
Thanks for the correction; the spelling mistake was only in my post in the forum and not in the MQ setup. I did double-check, though. _________________ Thanks & Regards
Abhi |
|
JosephGramig |
Posted: Thu Dec 28, 2017 11:39 am Post subject: |
|
|
 Grand Master
Joined: 09 Feb 2006 Posts: 1244 Location: Gold Coast of Florida, USA
|
So the message is telling you the iSeries Qmgr cannot find the X.509 public cert to send back to the AIX sender channel to verify based on the label.
The Qmgr settings say what the default label is.
The channel could override the label...
In any case, make sure the Key Store shows you what the label is and that the Qmgr or channel label match.
You could list:
- Qmgr settings
- Channel definition
- Key Store contents
|
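Added example, not part of the thread and not IBM MQ code: a small offline check of the label match described in the post above, run against values copied by hand from the queue manager settings, the channel definition and the key store listing. The queue manager name `QM1`, the sample labels and the function names are constructed for illustration; it assumes a label-based key store with exact, case-sensitive label matching.

```python
import difflib

DEFAULT_PREFIX = "ibmwebspheremq"  # default label prefix named in the thread


def default_label(qmgr_name):
    # Default label: the prefix followed by the queue manager name in lower case.
    return DEFAULT_PREFIX + qmgr_name.lower()


def effective_label(qmgr_name, qmgr_certlabl="", channel_certlabl=""):
    # Assumed precedence, as described in the post: a channel label overrides
    # the queue manager label; a blank queue manager label means the default.
    return (channel_certlabl.strip() or qmgr_certlabl.strip()
            or default_label(qmgr_name))


def check_label(qmgr_name, keystore_labels, qmgr_certlabl="", channel_certlabl=""):
    """Report whether the label the queue manager will look for is in the store."""
    wanted = effective_label(qmgr_name, qmgr_certlabl, channel_certlabl)
    result = {"wanted": wanted, "status": "missing", "hint": None}
    if wanted in keystore_labels:
        result["status"] = "ok"
        return result
    # Same characters, different case: the certificate is there but will not match.
    for label in keystore_labels:
        if label.lower() == wanted.lower():
            result.update(status="case-mismatch", hint=label)
            return result
    # A near miss usually means a typo made when the certificate was labelled.
    near = difflib.get_close_matches(wanted, keystore_labels, n=1, cutoff=0.8)
    if near:
        result.update(status="near-miss", hint=near[0])
    return result


if __name__ == "__main__":
    # Constructed key store listing containing the misspelling from the thread.
    store = ["ibmwebspeheremqqm1", "rootca"]
    print(check_label("QM1", store))
```

A `near-miss` or `case-mismatch` result points at the certificate that needs relabelling; `missing` means no personal certificate in the listed store corresponds to the label at all.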
abhinitrkl |
Posted: Thu Dec 28, 2017 7:03 pm Post subject: |
|
|
 Newbie
Joined: 20 Dec 2017 Posts: 4
|
Thanks guys, the issue has been resolved. Your comments were much appreciated.
Thanks
Abhi _________________ Thanks & Regards
Abhi |
|
exerk |
Posted: Fri Dec 29, 2017 1:15 am Post subject: |
|
|
 Jedi Council
Joined: 02 Nov 2006 Posts: 6339
|
abhinitrkl wrote: |
Thanks guys, the issue has been resolved... |
Would you care to tell us how? _________________ It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys. |
|
abhinitrkl |
Posted: Fri Dec 29, 2017 2:36 am Post subject: |
|
|
 Newbie
Joined: 20 Dec 2017 Posts: 4
|
I checked with IBM Support and they recommended using *SYSTEM as the keystore location instead of another keystore location (though they did also say that another keystore location should also work). So I reimported the certificate into *SYSTEM in DCM, put *SYSTEM as the keystore location in the Queue Manager, and then assigned the certificate to the Queue Manager (as an application) in DCM.
Restarted the channels and it worked  _________________ Thanks & Regards
Abhi |
|