SSL related User ID query
PhiliB
Posted: Thu Sep 16, 2004 7:11 am    Post subject: SSL related User ID query
Novice
Joined: 16 Sep 2004    Posts: 21    Location: Portsmouth
Afternoon all
I have set up a Windows 2000 MQ Server to MQ Client connection with SSL enabled (MQ 5.3 CSD07). I've managed to get this to work without any issues, but I've come across an issue now while using a different ID on the client machine.
The working ID has the certificate added to the CURRENT_USER MQClient store; an AMQMCERT -l shows this. (This user has admin rights to the client machine.)
After logging on as a different user to the client machine (also with admin rights) I added the same certificate to this user; again AMQMCERT -l shows the certificate added is the same as the original/working user's. However, when I do an AMQSPUTC <q name> <q manager> I get a 2059 error.
The log on the client machine indicates an SSL handshake error.
Can anyone advise why one ID can connect to the queue manager on the server and the other, which imported the certificates (.pfx files) in exactly the same manner, cannot?
Certs were generated using makecert.
Thanks
Phil
JasonE
Posted: Thu Sep 16, 2004 9:37 am    Post subject:
Grand Master
Joined: 03 Nov 2003    Posts: 1220    Location: Hursley
Does one have the certificate assigned, the other not?
(The first 2 or 3 lines of amqmcert -l should show, for a client, the assigned certificate.) Therefore, if SSLCAUTH(REQUIRED) is set on the svrconn, the one without it assigned would fail.
PhiliB
Posted: Fri Sep 17, 2004 12:14 am    Post subject:
Novice
Joined: 16 Sep 2004    Posts: 21    Location: Portsmouth
Hi Jason
Yes, both IDs have the certificates assigned.
As ID number 1:
C:\Documents and Settings\amqmcert -l
5724-B41 (c) Copyright IBM Corp 1994, 2002. ALL RIGHTS RESERVED
Using CURRENT_USER for default system stores.
Assigned MQClient Certificate:
Name: MESSCOLLSERVER
CA: MESSCOLL
Enumerating Certificate Stores:
As ID number 2:
C:\Documents and Settings\amqmcert -l
5724-B41 (c) Copyright IBM Corp 1994, 2002. ALL RIGHTS RESERVED
Using CURRENT_USER for default system stores.
Assigned MQClient Certificate:
Name: MESSCOLLSERVER
CA: MESSCOLL
Enumerating Certificate Stores:
ID number 1 works with an AMQSPUTC and ID 2 still gives me a 2059 error, with the text in the log being:
AMQ9698: An SSL security call failed during SSL handshaking
EXPLANATION:
An SSPI call to the Secure Channel (SChannel) SSL provider failed during SSL handshaking. The failure has caused WebSphere MQ channel name 'MQMCHL' to be closed. If the name is '????' then the name is unknown.
ACTION:
Consult the Windows SChannel reference manual to determine the meaning of status 0x8009030D (The credentials supplied to the package were not recognized) for SSPI call AcquireCredentialsHandle. Correct the failure and if necessary re-start the channel.
Cheers
Phil
hguapluas
Posted: Mon Sep 20, 2004 6:44 am    Post subject:
Centurion
Joined: 05 Aug 2004    Posts: 105    Location: San Diego
This sounds similar to a problem I had run into. Make sure that on the other machine you have imported the full chain of authority to that account. You may be missing, or have not imported, the entire key chain. This will cause a failure since MQ may not consider this to be a fully authorized and validated key. Check your Root, Intermediate and Personal key chains to make sure the certificate is there in Windows Explorer. Then check your MQ Explorer to make sure the full chain is there also. Has the key been signed based on the FQDN of the other account? If so, then this may also cause a failure since the name of the certificate will not match the account it is being used under (if this is a personal key this is likely not to be the case, but it is a possibility depending on how the key was originally generated).
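Editor's note: the following diagnostic script is an added example, not something any poster in this thread wrote or ran. It checks the two things JasonE and hguapluas raise, from the point of view of the account that is failing: whether the certificate in that account's CurrentUser\My store actually carries a usable private key, and whether its chain builds to a CA the account trusts. The SChannel status in Phil's log, 0x8009030D, is SEC_E_UNKNOWN_CREDENTIALS; AcquireCredentialsHandle returns it when the certificate handed to SChannel cannot be used as a credential, most often because the private key is absent from, or not readable in, the importing user's store, which is exactly the situation a per-user .pfx import can produce even though amqmcert -l still lists the certificate. The subject name MESSCOLLSERVER is taken from the thread; everything else (the script name, running it on a modern Windows PowerShell rather than on the original Windows 2000 client) is an assumption. Run it while logged on as the failing user, because CurrentUser stores are per account.

```powershell
# Check-MqClientCert.ps1  (added example, not from the original thread)
# Assumption: the client certificate was imported into CurrentUser\My of the
# account running amqsputc and its subject CN matches what amqmcert -l shows.
$SubjectName = 'MESSCOLLSERVER'

function Test-MqClientCert {
    param([Parameter(Mandatory)][string]$Subject)

    $findings = @()
    $pattern  = 'CN=' + [regex]::Escape($Subject) + '(,|$)'
    $certs    = Get-ChildItem Cert:\CurrentUser\My | Where-Object { $_.Subject -match $pattern }

    if (-not $certs) {
        return @("No certificate with CN=$Subject in CurrentUser\My for $env:USERNAME")
    }

    foreach ($cert in $certs) {
        $findings += "Certificate $($cert.Thumbprint): $($cert.Subject), issued by $($cert.Issuer)"
        $findings += "  valid $($cert.NotBefore) to $($cert.NotAfter)"

        # 1. Private key. A .pfx imported without its key, or whose key container
        #    is unreadable by this account, still appears in the store (so it is
        #    still listed by amqmcert -l) but SChannel cannot use it, which is
        #    what SEC_E_UNKNOWN_CREDENTIALS (0x8009030D) from
        #    AcquireCredentialsHandle usually means.
        if (-not $cert.HasPrivateKey) {
            $findings += '  FAIL: no private key is associated with this certificate'
        }
        else {
            try {
                $pk = $cert.PrivateKey          # throws if the key container is not accessible
                if ($null -eq $pk) {
                    $findings += '  WARN: private key flagged present but not readable via the legacy CSP interface'
                }
                else {
                    $findings += "  OK: private key present and readable ($($pk.KeySize)-bit)"
                }
            }
            catch {
                $findings += "  FAIL: private key not accessible: $($_.Exception.Message)"
            }
        }

        # 2. Chain. Build it the way the OS does and report any missing root or
        #    intermediate, the case hguapluas describes. Revocation checking is
        #    disabled because makecert-issued test certificates carry no CRL.
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
        if ($chain.Build($cert)) {
            $findings += "  OK: chain builds with $($chain.ChainElements.Count) element(s)"
        }
        else {
            foreach ($s in $chain.ChainStatus) {
                $findings += "  FAIL: chain status $($s.Status): $($s.StatusInformation.Trim())"
            }
        }
        foreach ($el in $chain.ChainElements) {
            $findings += "    element: $($el.Certificate.Subject)"
        }

        # 3. Where the issuing CA lives. A CA present only in another user's
        #    CurrentUser\Root is invisible to this account; LocalMachine\Root
        #    is visible to everyone on the machine.
        $caHits = Get-ChildItem Cert:\CurrentUser\Root, Cert:\LocalMachine\Root |
                  Where-Object { $_.Subject -eq $cert.Issuer }
        if ($caHits) {
            foreach ($ca in $caHits) { $findings += "  CA found in $($ca.PSParentPath -replace '^.*::','')" }
        }
        else {
            $findings += "  FAIL: issuer '$($cert.Issuer)' is in neither CurrentUser\Root nor LocalMachine\Root"
        }
    }
    return $findings
}

Test-MqClientCert -Subject $SubjectName
```

Compare the output between the working and the failing account: if the only difference is a FAIL on the private key line, the second import dropped or locked the key rather than the chain; if the chain or CA lines differ, the missing link is the one hguapluas points at, and importing the CA into LocalMachine\Root (or that user's CurrentUser\Root) resolves it.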