Having trouble configuring RFHUTILC to use SSL to remote QMs
Chris_CG
Posted: Thu Nov 24, 2011 9:33 am    Post subject: Having trouble configuring RFHUTILC to use SSL to remote QMs

Newbie

Joined: 24 Nov 2011
Posts: 2

Can anyone help me? I'm trying to configure RFHUTILC to talk to a queue manager on a remote UNIX server that is secured by SSL. When we use MQ Explorer to connect to the queue manager we use a channel table rather than specifying a connection channel. Also when MQ Explorer opens up it asks for two passwords which are the ones created in the .JKS file. I guess this is because it is a JAVA app?

As I'm told RFHUTILC isn't, I've copied the key.* files including the password stash file from the server to the local PC where we are running RFHUTILC and have configured this batch file:

rem ***********************************
set MQSERVER=
set MQSSLKEYR=C:\Program Files\IBM\WebSphere MQ\ExplorerConfiguration\key
set MQCHLLIB=C:\Program Files\IBM\WebSphere MQ\ExplorerConfiguration
set MQCHLTAB=AMQCLCHL.TAB
call \LocalInstallForTest\RFHUTIL\rfhutilc.exe
exit
rem ***********************************

When RFHUTILC starts I can see a list of queue managers, so that bit is working. Now with a couple of the queue managers for our development system I can do "load names" and this is fine. However, for any qm that I should have read-only access to, when I try I get the following errors displayed:

17.09.29 2393 SSL unable to initialize - check SSL parms
2393 SSL unable to initialize - check SSL parms
2393 SSL unable to initialize - check SSL parms
Error getting queue names

and in the AMQERR01.LOG it says

"The channel 'EAI_UAT_RTR' did not supply a certificate to use during SSL
handshaking, but a certificate is required by the remote queue manager. The channel did not start."

The one that works typically is "EAI_DEV_RTR" and I assume its level of SSL is allowing me through?

In the "Set Conn ID" dialog I have set the certificate store location to be the same as in the batch file, ticked SSL and SSL Client Validation and set the appropriate SSL Cypher Algorithm. However I haven't put anything in UserID and Password? But I don't think I need to based on how MQ Explorer works, and the password for the .JKS file shouldn't be relevant when using a .kbd and .sth file? Actually the files available are

key.crl
key.kbd
key.rdb
key.sth

So I'm missing something somewhere, so any help anyone can give will be very much appreciated! This is my first question, so apologies as a newbie if I haven't explained the problem well enough! Please be kind!
fjb_saper
Posted: Thu Nov 24, 2011 12:30 pm

Grand High Poobah

Joined: 18 Nov 2003
Posts: 20696
Location: LI,NY

OK, you have everything wrong...

You can either use RFHUtilc like any other C program accessing an SSL qmgr and set the environment variables or you can use the special features on RFHUtilc (make sure you have the latest version).

There is a button on the first tab that takes you to a screen with ssl options.
All you need is the path to the kdb file including the file name without the extension.
Make sure you select the checkbox telling RFHUtil to use SSL.
When switching the connection, make sure you uncheck that checkbox if you don't need SSL on that connection.

Fill in the content of the qmgr field with the content of the MQSERVER variable.

Last but not least you can't copy the SSL files from the server. You need to create them for the client.
Read up on how SSL works. (google search).

Have fun
_________________
MQ & Broker admin
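
A pre-flight check for the client environment variables discussed in this thread, added here as an example (it is not part of the original posts and not RFHUtil or IBM MQ code). It only checks file names and presence: the variable must be the path plus file name without the extension, with a `.kdb` key database and `.sth` stash beside it; it does not open the repository or confirm that it holds a client certificate. The function names and the sample folder, built from the file names listed in the question, are constructed for illustration.

```python
import os
import tempfile

def preflight(env):
    """List problems in the MQ client SSL variables held in the dict `env`."""
    problems = []
    if env.get("MQSERVER"):
        problems.append("MQSERVER is set and takes precedence over the channel table")
    tab = os.path.join(env.get("MQCHLLIB", ""), env.get("MQCHLTAB", "AMQCLCHL.TAB"))
    if not os.path.isfile(tab):
        problems.append("channel table not found: " + tab)
    stem = env.get("MQSSLKEYR", "")
    if not stem:
        return problems + ["MQSSLKEYR is not set"]
    base, ext = os.path.splitext(stem)
    if ext.lower() in (".kdb", ".sth"):
        # The variable holds path + file name WITHOUT the extension.
        problems.append("MQSSLKEYR ends in %s; remove the extension" % ext)
        stem = base
    folder, name = os.path.split(stem)
    folder = folder or "."
    found = sorted(f for f in os.listdir(folder)
                   if f.lower().startswith(name.lower() + ".")) if os.path.isdir(folder) else []
    lowered = [f.lower() for f in found]
    for needed in (".kdb", ".sth"):  # key database and its password stash
        if (name + needed).lower() not in lowered:
            problems.append("%s%s not found; files with that stem: %s"
                            % (name, needed, ", ".join(found) or "none"))
    return problems

def demo():
    """Constructed sample: a folder holding the file names listed in the question."""
    folder = tempfile.mkdtemp()
    for fname in ("key.crl", "key.kbd", "key.rdb", "key.sth", "AMQCLCHL.TAB"):
        open(os.path.join(folder, fname), "w").close()
    env = {"MQSERVER": "", "MQSSLKEYR": os.path.join(folder, "key"),
           "MQCHLLIB": folder, "MQCHLTAB": "AMQCLCHL.TAB"}
    return folder, env, preflight(env)

if __name__ == "__main__":
    for line in demo()[2]:
        print(line)
```

On a real client, call `preflight(dict(os.environ))` from the same session that launches `rfhutilc.exe`.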
Chris_CG
Posted: Fri Nov 25, 2011 3:21 am

Newbie

Joined: 24 Nov 2011
Posts: 2

Yes, I am using the SSL button, as I say "In the "Set Conn ID" dialog I have set ..." but it is not working, but your helpful advice is that I can't use the files I have copied from the UNIX server, I have to create my own on the Windows PC? Ok, I'll try that! Thanks!
kumarbai
Posted: Thu Feb 08, 2024 2:06 am

Apprentice

Joined: 24 May 2013
Posts: 45

Chris_CG wrote:
Yes, I am using the SSL button, as I say "In the "Set Conn ID" dialog I have set ..." but it is not working, but your helpful advice is that I can't use the files I have copied from the UNIX server, I have to create my own on the Windows PC? Ok, I'll try that! Thanks!

Did you find any solution for this issue?