Error 2393 in MQMON - MO71
saurabh25281
Posted: Tue May 14, 2019 5:11 am    Post subject: Error 2393 in MQMON - MO71

Centurion

Joined: 05 Nov 2006
Posts: 105
Location: Bangalore

Hi All,

We are trying to use MO71 to connect to remote Queue Managers which are secured by using SSL over SVRCONN channels. However, we are getting the 2393 SSL Initialization error code in MO71. The Event Viewer logs on the client side show the below error.

However, I was able to connect to the Queue Manager using MQ Explorer using the same keystore, with the only difference that MQ Explorer allows JKS keystore whereas MQMON uses CMS keystores.

I tried disabling the OCSP feature by modifying the mqclient.ini file as below, but with no effect.

Code:
SSL: 
   OCSPAuthentication=OPTIONAL
   OCSPCheckExtensions=NO
   CDPCheckExtensions=NO


Quote:
Remote SSL certificate revocation status check failed for channel 'xxxxx.00001.ADMIN'.

IBM MQ failed to determine the revocation status of the remote SSL certificate for one of the following reasons: &B (a) The channel was unable to contact any of the CRL servers or OCSP responders for the certificate. &B (b) None of the OCSP responders contacted knows the revocation status of the certificate. &B (c) An OCSP response was received, but the digital signature of the response could not be verified. &P The details of the certificate in question are 'xxxxxxxxx'. &P The channel name is 'xxxxx.00001.ADMIN'. In some cases the channel name cannot be determined and so is shown as '????'. The channel did not start. &P IBM MQ does not allow the channel to start unless the certificate revocation status can be determined.

If the certificate contains an AuthorityInfoAccess extension, ensure that the OCSP server named in the certificate extension is available and is correctly configured. &P If the certificate contains a CrlDistributionPoint extension, ensure that the CRL server named in the certificate extension is available and is correctly configured. &P If you have specified any CRL or OCSP servers to IBM MQ, check that those servers are available and are correctly configured. &P Ensure that the local key repository has the necessary SSL certificates to verify the digital signature of the response from the OCSP server.

ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=false
AuthorityInfoAccess [
[accessMethod: caIssuers
accessLocation: URIName: ldap:///CN=xxxxx?cACertificate?base?objectClass=certificationAuthority
, accessMethod: caIssuers
accessLocation: URIName: http://sslcrl.url%20Issuing%20CA%20SSL1.crt
, accessMethod: caIssuers
accessLocation: URIName: http://sslcrl.url%20Issuing%20CA%20SSL1.crt
, accessMethod: ocsp
accessLocation: URIName: http://url/ocsp
]]


Can someone please provide pointers on the configurations where I am going wrong.

Regards
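
A defender's view of the stanza posted above, as an added example that is not part of the original post or of any IBM or MQGem tooling: a small Python check that reads an mqclient.ini, applies the default values (an assumption to confirm against the documentation for your MQ version), and lists which revocation checks the client will skip. The function names and the sample file are constructed for illustration.

```python
# Added example (not from the thread): audit an mqclient.ini SSL stanza.
# ASSUMPTION: defaults as documented by IBM; confirm for your MQ version.
DEFAULTS = {
    "ocspauthentication": "REQUIRED",
    "ocspcheckextensions": "YES",
    "cdpcheckextensions": "NO",
}

# Constructed sample reproducing the stanza posted above.
SAMPLE_INI = """\
# constructed sample mqclient.ini
SSL:
   OCSPAuthentication=OPTIONAL
   OCSPCheckExtensions=NO
   CDPCheckExtensions=NO
"""

def parse_ssl_stanza(text):
    """Return SSL stanza keys (lower-cased) mapped to upper-cased values."""
    settings, in_ssl = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # blank line or comment
            continue
        if line.endswith(":") and "=" not in line:   # stanza header
            in_ssl = line[:-1].strip().lower() == "ssl"
        elif in_ssl and "=" in line:
            key, _, value = line.partition("=")
            settings[key.strip().lower()] = value.strip().upper()
    return settings

def audit_revocation(text):
    """List findings where revocation checking is off or non-blocking."""
    eff = {**DEFAULTS, **parse_ssl_stanza(text)}
    findings = []
    if eff["ocspcheckextensions"] == "NO":
        findings.append("OCSP responders named in AuthorityInfoAccess are not queried")
    if eff["cdpcheckextensions"] == "NO":
        findings.append("CRL servers named in CrlDistributionPoint are not queried")
    if eff["ocspauthentication"] != "REQUIRED":
        findings.append("undetermined OCSP status does not stop the channel")
    if eff["ocspcheckextensions"] == eff["cdpcheckextensions"] == "NO":
        findings.append("no certificate-extension revocation source is consulted")
    return findings

if __name__ == "__main__":
    for finding in audit_revocation(SAMPLE_INI):
        print("WARN:", finding)
```

The check only covers revocation sources named in certificate extensions; OCSP or CRL servers configured explicitly elsewhere are outside its scope.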
hughson
Posted: Tue May 14, 2019 8:03 am

Grand Master

Joined: 09 May 2013
Posts: 1253
Location: Bay of Plenty, New Zealand

If you haven't restarted the MO71 executable since editing the mqclient.ini, please do so as the MQ Client caches the values found in that file in the running process and may not therefore be using the new values.

Cheers,
Morag
_________________
Morag Hughson @MoragHughson
IBM MQ Technical Education Specialist
Get your IBM MQ training here!
MQGem Software
saurabh25281
Posted: Tue May 14, 2019 12:49 pm

Centurion

Joined: 05 Nov 2006
Posts: 105
Location: Bangalore

Thanks Morag for the tip, restarting the MQMON worked for me.

However, I am confused about the permission that was required for the SYSTEM.DEFAULT.MODEL.QUEUE queue, i.e. put, dsp. For MQ Explorer, we only need get, inq, dsp on the SYSTEM.MQEXPLORER.REPLY.MODEL queue.

Although I must admit that I only tested the connectivity as a test for both MQMON and MQExplorer, and the above authorizations are the bare minimum for connecting to a Qmgr.

Aren't both the reply queues for MQMON & MQExplorer supposed to have similar access? If not, can you point me to some MQMON documentation that speaks about authorization for MQMON-specific queues?

Regards
Saurabh
hughson
Posted: Tue May 14, 2019 10:03 pm

Grand Master

Joined: 09 May 2013
Posts: 1253
Location: Bay of Plenty, New Zealand

MO71 uses its reply queue to communicate between threads as well and so requires put authority. MQ Explorer only uses its reply queue to get replies from the command server so only needs get and not put.

Cheers,
Morag
saurabh25281
Posted: Wed May 15, 2019 1:22 am

Centurion

Joined: 05 Nov 2006
Posts: 105
Location: Bangalore

I have observed that MQMON does not require "get" authorization for at least connecting with MQMON, as opposed to MQExplorer. Do you think we would still need at least the same authorization as MQExplorer for basic MQMON operations?
hughson
Posted: Wed May 15, 2019 1:45 am

Grand Master

Joined: 09 May 2013
Posts: 1253
Location: Bay of Plenty, New Zealand

If you have not issued a command to the command server yet, then you will not have had to get any messages yet, but as soon as you do anything you will need to get messages from the reply queue.

I believe MQ Explorer will display qmgr details immediately so you can't connect without also issuing a command.

Does that make sense?
Cheers,
Morag
saurabh25281
Posted: Mon May 20, 2019 2:50 am

Centurion

Joined: 05 Nov 2006
Posts: 105
Location: Bangalore

Thanks Morag!!!