crusader |
Posted: Mon Dec 28, 2015 5:49 pm Post subject: IBM MQ 2397 Error |
|
|
Novice
Joined: 28 Dec 2015 Posts: 16
|
Hi,
I'm having an MQ 2397 problem while I'm trying to establish an SSL connection from MQ client to MQ server.
Caused by: WebSphere MQ call failed with compcode '2' ('MQCC_FAILED') reason '2397' ('MQRC_JSSE_ERROR').
I think there is something wrong with my configuration inside the MQ server or client.
I have followed some steps which I found through Google, but I'm getting that error.
Are there any detailed steps I can refer to on how to create a certificate and configure the MQ server and client to establish an SSL connection?
|
fjb_saper |
Posted: Mon Dec 28, 2015 6:16 pm Post subject: |
|
|
 Grand High Poobah
Joined: 18 Nov 2003 Posts: 20756 Location: LI,NY
|
It would help if you gave us the detailed steps you have done so far...
_________________
MQ & Broker admin
|
crusader |
Posted: Mon Dec 28, 2015 7:25 pm Post subject: |
|
|
Novice
Joined: 28 Dec 2015 Posts: 16
|
|
fjb_saper |
Posted: Tue Dec 29, 2015 2:44 am Post subject: |
|
|
 Grand High Poobah
Joined: 18 Nov 2003 Posts: 20756 Location: LI,NY
|
Sorry Claire, I'm on a slow connection here, so I can't really look at the link. However I would expect that yes, you'd have to.
What version (major-minor) of MQ are we talking about here?
Are you trying a self-signed or a CA-signed setup?
_________________
MQ & Broker admin
|
crusader |
Posted: Tue Dec 29, 2015 10:20 pm Post subject: |
|
|
Novice
Joined: 28 Dec 2015 Posts: 16
|
I'm creating self-signed only.
I'm still stuck on that issue.
First, I created a keystore. Then I created a self-signed certificate and extracted it into a "server.der" file.
Then I copied it to the client machine and created a truststore on the client side. Then I imported that "server.der" file into the truststore.
There are two places I can define the keystore on the server side:
Right-click on my queue manager name, then go to SSL properties and point to the keystore.
The other is to go to the MQ menu Window->Preferences->WebSphere MQ Explorer->SSL Key Repositories
and check "Enable SSL key repositories", then point to the truststore and keystore as shown in the link I shared with you.
I'm not sure if I need to configure both settings.
My MQ client version is 7.5 and server MQ version is 7.0.
|
fjb_saper |
Posted: Tue Dec 29, 2015 10:49 pm Post subject: |
|
|
 Grand High Poobah
Joined: 18 Nov 2003 Posts: 20756 Location: LI,NY
|
If you want to use SSL using Windows Explorer, you do need to configure both. Remember that by default your browser has a certificate. So create one for the client. Don't know if it is needed for one way SSL, I usually do 2 way.
In any case you'll have to put the server cert into the client's truststore...
_________________
MQ & Broker admin
|
crusader |
Posted: Tue Dec 29, 2015 11:01 pm Post subject: |
|
|
Novice
Joined: 28 Dec 2015 Posts: 16
|
Yes, I have put the server cert into the client's truststore, but I'm facing MQ error 2397. It seems the way I generated the server cert or the way I imported it into the client truststore is wrong.
I'm not using a browser; I'm using a JMS application to send messages to the MQ server. I can send messages to the server without SSL using my JMS application, but can't with SSL.
|
crusader |
Posted: Tue Dec 29, 2015 11:15 pm Post subject: |
|
|
Novice
Joined: 28 Dec 2015 Posts: 16
|
Can you please kindly share how you configure two-way SSL on both the server and client side? I would like to verify whether the steps I have taken are correct or not.
|
bruce2359 |
Posted: Wed Dec 30, 2015 7:42 am Post subject: |
|
|
 Poobah
Joined: 05 Jan 2008 Posts: 9469 Location: US: west coast, almost. Otherwise, enroute.
|
crusader wrote:
"Can you please kindly share how you configure two-way SSL on both the server and client side? I would like to verify whether the steps I have taken are correct or not."
Go to Google, search for "mq+client+ssl+jks".
_________________
I like deadlines. I like to wave as they pass by.
ב''ה
Lex Orandi, Lex Credendi, Lex Vivendi. As we Worship, So we Believe, So we Live.
|
crusader |
Posted: Wed Dec 30, 2015 7:27 pm Post subject: |
|
|
Novice
Joined: 28 Dec 2015 Posts: 16
|
I followed those steps I found from Google but still can't resolve that MQ error 2397.
|
bruce2359 |
Posted: Wed Dec 30, 2015 10:19 pm Post subject: |
|
|
 Poobah
Joined: 05 Jan 2008 Posts: 9469 Location: US: west coast, almost. Otherwise, enroute.
|
crusader wrote:
"I followed those steps I found from Google but still can't resolve that MQ error 2397."
Precisely which steps? Which URL?
_________________
I like deadlines. I like to wave as they pass by.
ב''ה
Lex Orandi, Lex Credendi, Lex Vivendi. As we Worship, So we Believe, So we Live.
|
crusader |
Posted: Mon Jan 04, 2016 6:37 pm Post subject: |
|
|
Novice
Joined: 28 Dec 2015 Posts: 16
|
This is what I have done on both the server and client side.
On the server side:
create keystore >>> keytool -genkey -alias ibmwebspheremqqm1 -keyalg RSA -keystore keystore.jks
export server cert >>> keytool -export -alias ibmwebspheremqqm1 -file server.cer -keystore keystore.jks
import server cert to truststore >>> keytool -import -trustcacerts -alias ibmwebspheremqqm1 -file server.cer -keystore truststore.ts -storepass password -noprompt
Then I copied this truststore to the client and did the following:
create keystore >>> keytool -genkey -alias ibmwebspheremquserid -keyalg RSA -keystore keystore.jks
export client cert >>> keytool -export -alias ibmwebspheremquserid -file client.cer -keystore keystore.jks
import client cert to truststore >>> keytool -import -trustcacerts -alias ibmwebspheremquserid -file client.cer -keystore truststore.ts -storepass password -noprompt
Is this the correct way to generate keys and import certificates into the truststore?
Then in my JMS program I point to the keystore and truststore on the client side. But I still encounter the 2397 error:
Caused by: javax.net.ssl.SSLHandshakeException: No appropriate protocol (protocol is disabled or cipher suites are inappropriate)
at sun.security.ssl.Handshaker.activate(Handshaker.java:470)[:1.7.0_80]
at sun.security.ssl.SSLSocketImpl.kickstartHandshake(SSLSocketImpl.java:1438)[:1.7.0_80]
at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1308)[:1.7.0_80]
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1359)[:1.7.0_80]
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1343)[:1.7.0_80]
at com.ibm.mq.jmqi.remote.impl.RemoteTCPConnection$6.run(RemoteTCPConnection.java:1314)[com.ibm.mq.jmqi.jar:7.5.0.5 - p750-005-150424]
at com.ibm.mq.jmqi.remote.impl.RemoteTCPConnection$6.run(RemoteTCPConnection.java:1309)[com.ibm.mq.jmqi.jar:7.5.0.5 - p750-005-150424]
at java.security.AccessController.doPrivileged(Native Method)[:1.7.0_80]
at com.ibm.mq.jmqi.remote.impl.RemoteTCPConnection.protocolConnect(RemoteTCPConnection.java:1307)[com.ibm.mq.jmqi.jar:7.5.0.5 - p750-005-150424]
|
fjb_saper |
Posted: Tue Jan 05, 2016 5:46 am Post subject: |
|
|
 Grand High Poobah
Joined: 18 Nov 2003 Posts: 20756 Location: LI,NY
|
crusader wrote:
"Then in my JMS program I point to the keystore and truststore on the client side. But I still encounter the 2397 error:
Code:
Caused by: javax.net.ssl.SSLHandshakeException: No appropriate protocol (protocol is disabled or cipher suites are inappropriate)
at sun.security.ssl.Handshaker.activate(Handshaker.java:470)"

You did not specify MQ version nor did I see you setting any key size.
Preferred way is to use runmqakm or runmqckm to create keystore and/or truststore. Using keytool is not wrong but you might not get all the stuff used by the IBM JSSE. Your error is quite clear: No appropriate protocol / cipher suite
What is the key size?
What is the cipher spec. on the channel?
What are you using as a cipher suite?
What is the value for your SSL_FIPS flag?
Have fun
_________________
MQ & Broker admin
|
crusader |
Posted: Tue Jan 05, 2016 6:08 pm Post subject: |
|
|
Novice
Joined: 28 Dec 2015 Posts: 16
|
My key size is 1024, the cipher spec I set at the MQ server is "RCR_MD5_US" and the cipher suite I set on my client is "SSL_RSA_WITH_RC4_128_MD5". So I believe it matches on both sides, but I have no idea why that error is triggered.
SSL_FIPS flag is "NO".
Please help me; I need to resolve this and am still stuck on this issue.
|
crusader |
Posted: Tue Jan 05, 2016 6:11 pm Post subject: |
|
|
Novice
Joined: 28 Dec 2015 Posts: 16
|
My MQ server is 7.0.1.6 and the MQ client jar I'm using is 7.5.0.2.
|
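The SSLHandshakeException quoted in this thread names two possible causes: a disabled protocol or unusable cipher suites. The Java program below is an added example, not part of the original thread and not IBM's code; it reports whether a given cipher suite and protocol are supported, enabled, or named in the JVM's jdk.tls.disabledAlgorithms security property. The class name JsseCheck and the default protocol argument SSLv3 are assumptions; the default suite is the one quoted in the thread.

```java
import java.security.Security;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;

// Added diagnostic, not from the thread: run it with the same JVM as the JMS client.
public class JsseCheck {

    // Algorithm names listed in the JVM's TLS policy, e.g. "DH keySize < 1024" -> "DH".
    static List<String> disabledByPolicy() {
        List<String> names = new ArrayList<String>();
        String prop = Security.getProperty("jdk.tls.disabledAlgorithms");
        if (prop == null) return names;
        for (String entry : prop.split(",")) {
            String e = entry.trim();
            if (!e.isEmpty()) names.add(e.split("\\s+")[0]);
        }
        return names;
    }

    // ENABLED, SUPPORTED_BUT_NOT_ENABLED or UNSUPPORTED for a protocol or suite name.
    static String status(String name, String[] supported, String[] enabled) {
        if (Arrays.asList(enabled).contains(name)) return "ENABLED";
        if (Arrays.asList(supported).contains(name)) return "SUPPORTED_BUT_NOT_ENABLED";
        return "UNSUPPORTED";
    }

    public static void main(String[] args) throws Exception {
        // Default suite is the one quoted in the thread; SSLv3 is an assumed default.
        String suite = args.length > 0 ? args[0] : "SSL_RSA_WITH_RC4_128_MD5";
        String protocol = args.length > 1 ? args[1] : "SSLv3";
        SSLEngine engine = SSLContext.getDefault().createSSLEngine();
        List<String> policy = disabledByPolicy();

        System.out.println("java.version       = " + System.getProperty("java.version"));
        System.out.println("disabled by policy = " + policy);
        System.out.println("enabled protocols  = " + Arrays.toString(engine.getEnabledProtocols()));
        System.out.println(protocol + ": " + status(protocol, engine.getSupportedProtocols(),
                engine.getEnabledProtocols()) + (policy.contains(protocol) ? " (named in policy)" : ""));
        System.out.println(suite + ": " + status(suite, engine.getSupportedCipherSuites(),
                engine.getEnabledCipherSuites()));
        // Name-only match: constraints such as key sizes in the policy are not evaluated.
        for (String part : suite.split("_")) {
            if (policy.contains(part)) System.out.println("  component " + part + " is named in policy");
        }
    }
}
```

Run it as java JsseCheck [suite] [protocol] with the same java binary and security configuration that the JMS application uses, so the reported policy is the one in effect for the failing handshake.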