| Author |
Message
|
| riyaz_tak |
 Posted: Thu Aug 29, 2019 1:26 am Post subject: |
 |
|
Voyager
Joined: 05 Jan 2012
Posts: 92
|
/opt/mqm/bin/runmqckm -cert -list -db key.jck -type jceks -pw xxxx
to list all the certificates.
Really Sorry for the confusion but I am still getting the same invalid keystore format error.
[/quote] |
|
| Back to top |
|
 |
| riyaz_tak |
| Posted: Thu Aug 29, 2019 1:29 am Post subject: |
|
|
Voyager
Joined: 05 Jan 2012
Posts: 92
|
I am using jceks not JKS key format.
jceks keyformat was working with MQ 7.5.0.0 but after upgrading to IBM mq 8.0.0.5 ,it has stopped working and throwing error. |
|
| Back to top |
|
|
| hughson |
| Posted: Thu Aug 29, 2019 2:04 am Post subject: |
|
|
Padawan
Joined: 09 May 2013
Posts: 1959
Location: Bay of Plenty, New Zealand
|
How did you create the JCEKS file? Was it created using an IBM JRE or an Oracle JRE? I have seen some mention that the two are incompatible. Are you using the same vendor JRE in both MQ 7.5 (working) and MQ 8 (failing) scenarios?
Also, have you tried with a JKS file to see if that works?
Cheers,
Morag
_________________
Morag Hughson @MoragHughson
IBM MQ Technical Education Specialist
Get your IBM MQ training here!
MQGem Software |
|
| Back to top |
|
|
| riyaz_tak |
| Posted: Thu Aug 29, 2019 2:17 am Post subject: |
|
|
Voyager
Joined: 05 Jan 2012
Posts: 92
|
I am using Oracle JAVA 8 with IBM MQ 8.0.0.5.
Earlier with IBM MQ 7.5.0.0 ,I was using JAVA 6.
I haven't tried JKS format so I will try to create one and let you know my results. |
|
| Back to top |
|
|
| riyaz_tak |
| Posted: Thu Aug 29, 2019 2:40 am Post subject: |
|
|
Voyager
Joined: 05 Jan 2012
Posts: 92
|
1.runmqckm -keydb -create -db key.jck -pw xxxx -type jks
2. runmqckm -cert -export -db /dir/key.kdb -pw xxxx -label test -target key.jck -target_pw xxxx -type cms
3. runmqckm -cert -extract -db /dir/key.kdb -pw xxxx -label test2-target test.arm -format ascii
4. runmqckm -cert -add -db key.jck -pw xxx -label test -file test.arm -format ascii
I used above commands to create jsk key format but still getting the same error  |
|
| Back to top |
|
|
| tczielke |
| Posted: Thu Aug 29, 2019 5:33 am Post subject: |
|
|
Guardian
Joined: 08 Jul 2010
Posts: 941
Location: Illinois, USA
|
From what I have read, the JCEKS format for your keystore is recommended because it provides more security than a JKS keystore. I use the IBM Key Management GUI that comes with IBM MQ to create the JCEKS, and I have not had issues running it with a non-IBM JRE.
_________________
Working with MQ since 2010. |
|
| Back to top |
|
|
| hughson |
| Posted: Thu Aug 29, 2019 3:06 pm Post subject: |
|
|
Padawan
Joined: 09 May 2013
Posts: 1959
Location: Bay of Plenty, New Zealand
|
| riyaz_tak wrote: |
I am using Oracle JAVA 8 with IBM MQ 8.0.0.5.
Earlier with IBM MQ 7.5.0.0 ,I was using JAVA 6. |
Which vendor was your Java 6?
_________________
Morag Hughson @MoragHughson
IBM MQ Technical Education Specialist
Get your IBM MQ training here!
MQGem Software |
|
| Back to top |
|
|
| tczielke |
| Posted: Sat Aug 31, 2019 7:31 am Post subject: |
|
|
Guardian
Joined: 08 Jul 2010
Posts: 941
Location: Illinois, USA
|
Can you also explain how you are setting the keystore type to be a jceks. Is it through a Java system property? Programmatically?
_________________
Working with MQ since 2010. |
|
| Back to top |
|
|
| riyaz_tak |
| Posted: Mon Sep 02, 2019 7:04 pm Post subject: |
|
|
Voyager
Joined: 05 Jan 2012
Posts: 92
|
| hughson wrote: |
| riyaz_tak wrote: |
I am using Oracle JAVA 8 with IBM MQ 8.0.0.5.
Earlier with IBM MQ 7.5.0.0 ,I was using JAVA 6. |
Which vendor was your Java 6? |
it was Oracle. |
|
| Back to top |
|
|
| riyaz_tak |
| Posted: Mon Sep 02, 2019 7:50 pm Post subject: |
|
|
Voyager
Joined: 05 Jan 2012
Posts: 92
|
| tczielke wrote: |
| Can you also explain how you are setting the keystore type to be a jceks. Is it through a Java system property? Programmatically? |
I have created makefile which is creating keystore.
runmqckm -keydb -create \
-db key.jck -pw xxxx \
-type jceks |
|
| Back to top |
|
|
| riyaz_tak |
| Posted: Mon Sep 02, 2019 10:27 pm Post subject: |
|
|
Voyager
Joined: 05 Jan 2012
Posts: 92
|
I have found another error where listener starts and then stops.
09/03/19 06:25:36 - Process(6221.1) User(root) Program(runmqlsr)
Host(xxxx) Installation(Installation1)
VRMF(8.0.0.5) QMgr(xxx)
AMQ9218: The TCP/IP listener program could not bind to port number 51410.
EXPLANATION:
An attempt to bind the TCP/IP socket to the listener port was unsuccessful.
ACTION:
The failure could be due to another program, including other MQ listeners,
using the same port number. The return code from the 'bind' call for port
:51410 was 125. Record these values and tell the systems administrator.
----- amqclita.c : 771 --------------------------------------------------------
09/03/19 06:25:36 - Process(6191.1) User(root) Program(amqzmgr0)
Host(xxx) Installation(Installation1)
VRMF(8.0.0.5) QMgr(xxxx)
AMQ5027: The listener 'SYSTEM.LISTENER.TCP.2' has ended. ProcessId(6221).
EXPLANATION:
The listener process has ended.
ACTION:
None.
I have already verified that no other process is trying to connects to port 51410 |
|
| Back to top |
|
|
| hughson |
| Posted: Mon Sep 02, 2019 11:02 pm Post subject: |
|
|
Padawan
Joined: 09 May 2013
Posts: 1959
Location: Bay of Plenty, New Zealand
|
What does netstat show about this port number?
_________________
Morag Hughson @MoragHughson
IBM MQ Technical Education Specialist
Get your IBM MQ training here!
MQGem Software |
|
| Back to top |
|
|
| exerk |
| Posted: Mon Sep 02, 2019 11:10 pm Post subject: |
|
|
Jedi Council
Joined: 02 Nov 2006
Posts: 6339
|
| riyaz_tak wrote: |
| ...The listener 'SYSTEM.LISTENER.TCP.2' has ended... |
And is there a SYSTEM.LISTENER.TCP.1 that may be using the same port? TCP/IP Error 125 is EADDRINUSE (which suggests you're on Solaris?) so it's possible that the Listener process previously abnormally terminated or did not clean up properly.
| riyaz_tak wrote: |
| ...I have already verified that no other process is trying to connects to port 51410 |
By that, do you mean that no other process is selecting that port for its own purposes?
_________________
It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys. |
|
| Back to top |
|
|
| riyaz_tak |
| Posted: Mon Sep 02, 2019 11:12 pm Post subject: |
|
|
Voyager
Joined: 05 Jan 2012
Posts: 92
|
| exerk wrote: |
| riyaz_tak wrote: |
| "...The listener 'SYSTEM.LISTENER.TCP.2' has ended..." |
And is there a SYSTEM.LISTENER.TCP.1 that may be using the same port? TCP/IP Error 125 is EADDRINUSE (which suggests you're on Solaris?) so it's possible that the Listener process previously abnormally terminated or did not clean up properly.
| riyaz_tak wrote: |
| "...I have already verified that no other process is trying to connects to port 51410 |
By that, do you mean that no other process is selecting that port for its own purposes? |
Yes that's what I meant. |
|
| Back to top |
|
|
| HubertKleinmanns |
| Posted: Tue Sep 03, 2019 12:15 am Post subject: |
|
|
Shaman
Joined: 24 Feb 2004
Posts: 732
Location: Germany
|
| riyaz_tak wrote: |
| exerk wrote: |
| riyaz_tak wrote: |
| "...I have already verified that no other process is trying to connects to port 51410 |
By that, do you mean that no other process is selecting that port for its own purposes? |
Yes that's what I meant. |
How could you verify this? Corresponding to RFC 6335 of the Internet Engineering Task Force (IETF), ports above 49152 are used for dynamic port allocation. So these ports may be used - and dropped - and used - ... by any application. These ports could also be locked by the operating system. You should not use ports in this range for MQ listeners (or any other fixed port allocation).
_________________
Regards
Hubert |
|
| Back to top |
|
|
|
|
