MQSeries.net :: General IBM MQ Support :: Channel not starting - SSL connection

Abhi (Novice) | Posted: Sun Jan 20, 2019 10:10 pm | Post subject: Channel not starting - SSL connection

Hi,

I'm trying to set up SSL communication between 2 QMs using a self-signed certificate. I already had the QMs and the sender and receiver channels in place. Since the key repo was missing, the sender channel was not starting. I performed the steps below (based on the manual) on the sending-side QM:

    1. I created the key repo containing the key.kdb file
    2. Associated the key repo with the QM using the SSLKEYR attribute
    3. I created a self-signed certificate and added it to key.kdb
    4. Extracted the public part of the certificate and shared it with the receiving side (external QM)
    5. Added the certificate I got from the receiving-side party to the key.kdb on our side.
    6. The sender channel was already created and was in retrying state, hence I refreshed security on the sending-side QM.

Now I still see the channel in retrying state.
DISPLAY CHS(SENDER.CHANNEL) SSLPEER SSLCERTI shows the SSLPEER and SSLCERTI values as blank.

Logs say "AMQ9209: Connection to host 'receiverHost(QMPort)' for channel 'Sender Channel' closed."

Am I missing some steps?
How does the sender channel know which certificate to use while connecting to the receiving-side QM?
How are the attributes SSLPEER and SSLCERTI populated (using the correct certs)?

Thanks in advance.
regards,
Abhi
exerk (Jedi Council) | Posted: Mon Jan 21, 2019 3:34 am


What label name did you use for the certificates? Are they in the format ibmwebspheremqqmgra and ibmwebspheremqqmgrb (where qmgra and qmgrb are the actual queue managers' names, and assuming your infra is NOT z/OS)? Did you issue the REFRESH SECURITY TYPE(SSL) command on each queue manager?

MQ expects the above format by default, although the value can be changed in the queue manager attribute CERTLABL.

CAVEAT! A while back when I was testing I found this did not work unless there was a 'default' certificate of the correct name format, but whether that was a bug, or me forgetting something, it was a while back so this warning may no longer be valid.
_________________
It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys.

Abhi (Novice) | Posted: Mon Jan 21, 2019 5:37 am


Thanks exerk for your response.

So, if QMA is sending and QMB is receiving:
CERTLABL for QMA was ibmwebspheremqqma, and the same was used as the label while creating the cert on QMA.
Used "runmqakm -cert -create" to do the same.
Extracted the cert using "runmqakm -cert -extract".
Shared the cert to import into the QMB key repo.
Refreshed on QMA using REFRESH SECURITY TYPE(SSL).

I have a sender channel using SSLCIPH TLS_RSA_WITH_AES_256_CBC_SHA256; the same cipher spec is used in the receiver channel on QMB.

Though I need two-way communication, just for the sake of my understanding: do I need to add the ibmwebspheremqqmb cert to the QMA key.kdb if I just need QMA sending and QMB receiving? Shouldn't just importing the ibmwebspheremqqma cert into the QMB key.kdb and refreshing security be enough for the channels to start?

Please note that, as per the manual, executing
DISPLAY CHS(QMA.TO.QMB) SSLPEER SSLCERTI
gives CHSTATUS output with
SSLCERTI("-dn flag values used while creating cert")
SSLPEER("SERIALNUMBER=cert serial no,-dn flag values used while creating cert")
In my case both are coming back blank; does that tell what could possibly be wrong with the setup?

Regards,
Abhi
bruce2359 (Poobah) | Posted: Mon Jan 21, 2019 5:47 am | Post subject: Re: Channel not starting - SSL connection


Abhi wrote:
Hi,

I'm trying to set up SSL communication between 2 QMs using a self-signed certificate. I already had the QMs and the sender and receiver channels in place. Since the key repo was missing, the sender channel was not starting. I performed the steps below (based on the manual)

Which manual? Post the URL here.

Abhi wrote:
on the sending-side QM:

    1. I created the key repo containing the key.kdb file
    2. Associated the key repo with the QM using the SSLKEYR attribute
    3. I created a self-signed certificate and added it to key.kdb
    4. Extracted the public part of the certificate and shared it with the receiving side (external QM)
    5. Added the certificate I got from the receiving-side party to the key.kdb on our side.
    6. The sender channel was already created and was in retrying state, hence I refreshed security on the sending-side QM.

Have you done the same configuration things on the receiving side?
_________________
There are two types of people in this world:
1) Those that can extrapolate from incomplete data
exerk (Jedi Council) | Posted: Mon Jan 21, 2019 5:48 am


Abhi wrote:
Though I need two-way communication, just for the sake of my understanding: do I need to add the ibmwebspheremqqmb cert to the QMA key.kdb if I just need QMA sending and QMB receiving?

Yes, you need the QMA and QMB self-signed certificates in each of the key stores.

Abhi wrote:
...Shouldn't just importing the ibmwebspheremqqma cert into the QMB key.kdb and refreshing security be enough for the channels to start?

No. Think of a self-signed certificate as being a combined CA and Personal certificate, therefore you need the CA 'chain' for both certificates to be present in any key store that needs to authenticate the presented certificate.

One of the easiest ways to test (that works for me) is to use OpenSSL to create CA Root, CA Intermediate certificates, and Personal certificates. A 'vanilla' copyable 'master' key store, containing the CA chain, can be used to distribute copies to your test queue managers, and the same CA used to sign certificate requests.

I frequently use this method to set up test systems because, once you get above two queue managers, managing self-signed certificates and their distribution becomes a real pain.

hughson (Grand Master) | Posted: Mon Jan 21, 2019 7:31 pm


Please post the error messages from the queue manager AMQERR01.LOG file for the queue manager where your SENDER channel is running. This will tell you/us what the problem is. There are various steps you might have missed and the error message will tell us which rather than us just guessing.

Cheers,
Morag
_________________
Morag Hughson @MoragHughson
IBM MQ Technical Education Specialist
Get your IBM MQ training here!
MQGem Software
Abhi (Novice) | Posted: Mon Jan 21, 2019 10:34 pm


Thanks all for your response. The issue is resolved now.
The problem was with the label used while creating the cert on the receiving-side QM. The new cert I got from the receiving team was in the format ibmwebspheremqqmb. Imported using the same label into the QMA key repo and it worked. Even the values for SSLCERTI and SSLPEER came out right this time (DISPLAY CHS(QMA.TO.QMB) SSLPEER SSLCERTI).

Question: Is there a restriction on label names while creating certs (to adhere to the ibmwebspheremqqmb format), or should things work as long as the label name used matches the CERTLABL attribute of the QMGR? (The receiving side is a different MQ team; I'm short of details to check myself.)

bruce2359 wrote:
Which manual? Post the URL here

https://www.ibm.com/support/knowledgecenter/en/SSFKSJ_7.1.0/com.ibm.mq.doc/zs14270_1.htm

hughson wrote:
Please post the error messages from the queue manager AMQERR01.LOG

Sender-channel-related logs said
"AMQ9209: Connection to host 'IP(port)' for channel 'SENDER.CHANNEL'
closed.

EXPLANATION:
An error occurred receiving data from 'IP(port)' over TCP/IP. The
connection to the remote host has unexpectedly terminated. "

I'm still not sure if the team had updated the key store on the receiving side with the sending-side cert at that point in time. @hughson: A little bit off topic, I've read a number of your support blogs; they are really well explained. Thanks for that.

@exerk: your explanation of self-signed certs clarifies my biggest query. Thanks for that.

Regards,
Abhi
hughson (Grand Master) | Posted: Tue Jan 22, 2019 12:36 am

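As an added check (example code written for this page, not from the thread's participants or from IBM): a small Python script that reads a runmqakm-style certificate listing for each queue manager and verifies the two things this thread turned on, namely that the queue manager's own personal certificate carries the label it expects (CERTLABL, or the ibmwebspheremq<qmgr> default exerk describes) and that the partner's self-signed certificate has been imported as a trusted certificate. The listing format, the sample labels and the parameter names are assumptions constructed for the example; it does not call runmqakm itself.

```python
import re

# Default label convention on distributed (non-z/OS) MQ, as exerk describes:
# "ibmwebspheremq" followed by the queue manager name in lower case.
DEFAULT_LABEL_PREFIX = "ibmwebspheremq"


def expected_label(qmgr_name, certlabl=None):
    """Label the queue manager looks for: CERTLABL when set, else the default convention."""
    return certlabl if certlabl else DEFAULT_LABEL_PREFIX + qmgr_name.lower()


def parse_cert_list(listing):
    """Parse runmqakm-style 'cert -list' text into {label: kind}.

    Assumed line shape (constructed for this example): a flag column then the label,
    where '-' is a personal certificate, '*' the default personal, '!' a trusted one.
    """
    kinds = {"-": "personal", "*": "personal", "!": "trusted"}
    certs = {}
    for line in listing.splitlines():
        m = re.match(r"^\s*([-*!])\s+(\S+)\s*$", line)
        if m:
            certs[m.group(2)] = kinds[m.group(1)]
    return certs


def check_keystore(local_qmgr, peer_qmgr, listing, certlabl=None, peer_label=None):
    """Return the problems found in one queue manager's key store (empty list = OK).

    Two conditions from the thread are checked: the local personal certificate must carry
    the label the queue manager expects, and the partner's self-signed certificate must be
    present as a trusted cert so its 'CA chain' (the cert itself) can be validated.
    """
    certs = parse_cert_list(listing)
    problems = []
    own = expected_label(local_qmgr, certlabl)
    if certs.get(own) != "personal":
        problems.append(f"{local_qmgr}: no personal certificate labelled '{own}'")
    # Labels of imported certs are free-form; using the convention here is only an assumption.
    peer = peer_label or expected_label(peer_qmgr)
    if certs.get(peer) != "trusted":
        problems.append(f"{local_qmgr}: peer certificate '{peer}' not imported as trusted")
    return problems


# Constructed listings: QMA is correct; QMB's own cert was created under a wrong label,
# which is the mistake that kept the channel in RETRYING state in this thread.
QMA_LISTING = "Certificates found\n-\tibmwebspheremqqma\n!\tibmwebspheremqqmb\n"
QMB_LISTING = "Certificates found\n-\tqmb_selfsigned\n!\tibmwebspheremqqma\n"
```

Run `check_keystore("QMB", "QMA", QMB_LISTING)` to see the label mismatch reported, and pass `certlabl="qmb_selfsigned"` to see how setting CERTLABL to the label actually used would also have resolved it.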

Abhi wrote:
Even the values for SSLCERTI and SSLPEER came out right this time (DISPLAY CHS(QMA.TO.QMB) SSLPEER SSLCERTI).

Be aware that the reason your SSLCERTI and SSLPEER fields were empty before is that your channel was RETRYING. Those fields only populate once you get the channel running.

Glad to hear that you are all working now.

Cheers,
Morag