| Author |
Message
|
| jbacskai |
 Posted: Thu Mar 11, 2004 12:28 pm Post subject: MQ Client SSL setup problem |
 |
|
Apprentice
Joined: 30 Dec 2002
Posts: 26
Location: Hungary
|
Hi All,
I treid to configure the SSL client auth, but it did not work for me.
config: Windows 2000 server 5.3 WMQ CSD04
The QM to QM SSL works on my test system and I would like to use SSL client auth.
I generated a cert an I assigned it to the user's store with amqmcert.
I made a CLNTCONN channel on the server with the same name and SSL setting and I copied the XY.TAB channel file to my client.
I set the MQSSL environment variables to the XY.TAB file, but I still got the error message on the server side that: The other side of the channel does not use SSL.
What else to do? I red all the posting and doc...
Regards,
János |
|
| Back to top |
|
 |
| Mallik |
| Posted: Thu Mar 11, 2004 5:41 pm Post subject: MQ Client SSL setup problem |
|
|
Acolyte
Joined: 29 Feb 2004
Posts: 53
|
can you provide some more details? like the the result of amqmcert -l, errors from the client & server side, also errors if any from the windows eventviewer would be helpful.
I assume that you set the MQSSLKEYR variable pointing to your client store. |
|
| Back to top |
|
|
| jbacskai |
| Posted: Fri Mar 12, 2004 1:30 am Post subject: |
|
|
Apprentice
Joined: 30 Dec 2002
Posts: 26
Location: Hungary
|
Hi,
yes you are right the MQSSLKEYR is set. The cert assignment is cheked with the amqmcert -l.
I deleted the MQSERVER environment variable.
the error on server side:
Remote channel 'XY' did not specify a CipherSpec.
Remote channel 'XY' did not specify a CipherSpec when the local channel expected one to be specified. The channel did not start.
Change the remote channel 'XY' to specify a CipherSpec so that both ends of the channel have matching CipherSpecs.
Client side:
Remote CipherSpec error for channel 'SYSTEM.ADMIN.SVRCONN'.
The remote end of channel 'SYSTEM.ADMIN.SVRCONN' has had a CipherSpec error. The channel did not start.
Review the error logs on the remote system to discover the problem with the CipherSpec.
So it looks that it does not find the amqclchl.tab.(I put ti in c:\mqm\amqclchl.tab as I know this is the default dir.)
Any idea?
János |
|
| Back to top |
|
|
| crossland |
| Posted: Fri Mar 12, 2004 3:53 am Post subject: |
|
|
Master
Joined: 26 Jun 2001
Posts: 248
|
|
| Back to top |
|
|
| jbacskai |
| Posted: Fri Mar 12, 2004 4:44 am Post subject: |
|
|
Apprentice
Joined: 30 Dec 2002
Posts: 26
Location: Hungary
|
yes I set these env. vars to (MQCHLTAB and MQCHLLIB), and Iput the amqclchl.tab file to the DefaultPrefix directory...
My other question is: Could I set the WMQ explorer (mmc snap-in) to use SSL Client authentication or it just uses normal auth with user name. |
|
| Back to top |
|
|
| JasonE |
| Posted: Fri Mar 12, 2004 4:44 am Post subject: |
|
|
Grand Master
Joined: 03 Nov 2003
Posts: 1220
Location: Hursley
|
The SYSTEM.ADMIN.SVRCONN is not an SSL channel by default, and the error message implies one end (either the clntconn version of the svrconn version) does not have an SSLCIPHER specified.
In case this is what you are trying to for, the MQ Gui on Windows cannot be made to support SSL as far as I know. |
|
| Back to top |
|
|
| jbacskai |
| Posted: Fri Mar 12, 2004 4:50 am Post subject: |
|
|
Apprentice
Joined: 30 Dec 2002
Posts: 26
Location: Hungary
|
I set the SYSTEM.ADMIN.SVRCONN on the server side to use SSL and I made a CLNTCONN channel with the same name and settings on the server...
Yes probably you are right. The WMQ explorer may not use the qmgclchl.tab file to fill the CONN structure. |
|
| Back to top |
|
|
| JasonE |
| Posted: Fri Mar 12, 2004 5:38 am Post subject: |
|
|
Grand Master
Joined: 03 Nov 2003
Posts: 1220
Location: Hursley
|
| It doesnt - It does the equivalent of an MQCONNX providing its own MQCD |
|
| Back to top |
|
|
|
|
