ASG
IBM
Zystems
Cressida
Icon
Netflexity
 
  MQSeries.net
Search  Search       Tech Exchange      Education      Certifications      Library      Info Center      SupportPacs      LinkedIn  Search  Search                                                                   FAQ  FAQ   Usergroups  Usergroups
 
Register  ::  Log in Log in to check your private messages
 
RSS Feed - WebSphere MQ Support RSS Feed - Message Broker Support

MQSeries.net Forum IndexIBM MQ SecurityBad SSL certificate for channel '????'.

Post new topicReply to topic
Bad SSL certificate for channel '????'. View previous topic :: View next topic
Author Message
RimRim
PostPosted: Tue Jan 24, 2023 6:14 pm Post subject: Bad SSL certificate for channel '????'. Reply with quote

Newbie

Joined: 18 Jan 2023
Posts: 4

I am facing SSL error when trying to connect from QM1 to QM2. There are few other channels running from QM1 to other QMGR's and server conn as well. But particulary to 2 QMGR's when trying to connect from QM1 facing error as:

Bad SSL certificate for channel '????'.

A certificate encountered during SSL handshaking is regarded as bad for one of the following reasons: &B (a) it was formatted incorrectly and could not be validated &B (b) it was formatted correctly but failed validation against the Certification Authority (CA) root and other certificates held on the local system &B (c) it was found in a Certification Revocation List (CRL) on an LDAP server &B (d) a CRL was specified but the CRL could not be found on the LDAP server &B (e) an OCSP responder has indicated that it is revoked &B (f) The keysize of the certificate is too small for the configured limit. (MinimumRSAKeySize) &P The channel is '????'; in some cases its name cannot be determined and so is shown as '????'. The remote host is 'XXXXXX'. The channel did not start. &P The details of the certificate which could not be validated are '[Class=]GSKVALMethod::X509
[Issuer=]CN=XXXXXX,
DC=xxx,DC=xxxxxxx,DC=net[#=]7700000733bgh8ewdedaasdadc604768720002733
[Subject=]CN=ibmwebspheremqqm1,OU=MQ,O=XXXXX,L=XXX,C=XX
[Class=]GSKVALMethod::X509[Issuer=]CN=XXXXXXX'. &P
The certificate validation error was 575032.

Check which of the possible causes applies on your system. Correct the error, and restart the channel. &P This error might indicate that the remote end of the channel is configured to send the wrong certificate. Check the certificate label configuration at the remote end of the channel and ensure that the local key repository contains all of the necessary CA certificates.


The certificate validation error was 575032 - The certificate is revoked.

Not sure how come 575032, as from the same qmgr, channels to other qmgr's are running whereas to specific QM2 not working. Kindly provide your inputs.[/i]
Back to top
View user's profile Send private message
RimRim
PostPosted: Tue Jan 24, 2023 7:09 pm Post subject: Reply with quote

Newbie

Joined: 18 Jan 2023
Posts: 4

tried possible ways and its working:
1. disabling SSL at both ends.
2. disabling SSLCIPH and enabled SSLPEER at both ends.

when enabling SSLCIPH with below values, channel goes to retrying with bad ssl cert error.
ECDHE_ECDSA_AES_256_GCM_SHA384
ECDHE_ECDSA_AES_256_CBC_SHA384
TLS_AES_256_GCM_SHA384
TLS_AES_128_GCM_SH256

Both qmgr version is 9.2.0.4
so i guess SSLCIPH is the issue, whereas other channels from these qmgrs are using abve sslciph and working
Back to top
View user's profile Send private message
fjb_saper
PostPosted: Wed Jan 25, 2023 12:19 am Post subject: Reply with quote

Grand High Poobah

Joined: 18 Nov 2003
Posts: 20642
Location: LI,NY

Are you trying to run an Elliptic Curve Cipher with an RSA certificate?
Or a TLS 1.3 cipher against a TLS 1.2 cipher?
_________________
MQ & Broker admin
Back to top
View user's profile Send private message Send e-mail
hughson
PostPosted: Wed Jan 25, 2023 8:33 pm Post subject: Re: Bad SSL certificate for channel '????'. Reply with quote

Padawan

Joined: 09 May 2013
Posts: 1835
Location: Bay of Plenty, New Zealand

RimRim wrote:
The certificate validation error was 575032 - The certificate is revoked.

Not sure how come 575032, as from the same qmgr, channels to other qmgr's are running whereas to specific QM2 not working.

I assume the error message you have shown us is from the error log on QM2?

It is telling you that the certificate ibmwebspheremqqm1, is revoked according to either
(c) it was found in a Certification Revocation List (CRL) on an LDAP server
(e) an OCSP responder has indicated that it is revoked

What is the set up on QM2 for either CRL on an LDAP server or OCSP that differs from other queue managers where the QM1 certificate, ibmwebspheremqqm1, is accepted and not rejected because it is revoked?

Cheers,
Morag
_________________
Morag Hughson @MoragHughson
IBM MQ Technical Education Specialist
Get your IBM MQ training here!
MQGem Software
Back to top
View user's profile Send private message Visit poster's website
Display posts from previous:
Post new topicReply to topic Page 1 of 1

MQSeries.net Forum IndexIBM MQ SecurityBad SSL certificate for channel '????'.
Jump to:



You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
Protected by Anti-Spam ACP


Theme by Dustin Baccetti
Powered by phpBB 2001, 2002 phpBB Group

Copyright MQSeries.net. All rights reserved.