SSL testing failing

mqmike
Posted: Fri Nov 19, 2004 7:02 am    Post subject: SSL testing failing

Acolyte

Joined: 09 Jul 2004
Posts: 63

I've set up two test qmgrs and am trying to implement SSL between the two. I've been following the instructions from the MQ docs so have 2 qmgrs, QM1 and QM2.

I created a key database file for each qmgr and then created a self-signed cert for each. I then wanted to test this with a channel. I extracted the self-signed cert from QM1 and inserted it into QM2. I then changed the qmgr attribute to SSLKEYR(/var/mqm/qmgrs/QMx/ssl/key) for each one and in the channel attributes for the sender/receiver pair used NULL_MD5 in the SSLCIPH attribute.

Upon starting the channel though I get:
11/19/04 14:46:01
AMQ9209: Connection to host 'etmq2 (xx.xx.xx.xx)' closed.

EXPLANATION:
An error occurred receiving data from 'etmq2 (xx.xx.xx.xx)' over TCP/IP. The
connection to the remote host has unexpectedly terminated.
ACTION:
Tell the systems administrator.

Can anyone shed any light? I'm new to SSL so should this at least work in theory?

Thanks

Mike
Anirud
Posted: Fri Nov 19, 2004 8:54 am

Master

Joined: 12 Feb 2004
Posts: 285
Location: Vermont

The error doesn't look like an SSL Certificate error.

Did you check to see if the channels were running before the certificates were loaded?

Once you make sure the channels are running without the certificates, then load the certificates and set the channel attributes as you mentioned. Also check for SSLCAUTH channel attribute. For a one-way authentication it should be set to OPTIONAL and for a two-way authentication it should be set to REQUIRED on the receiver side of the channel.
It looks like you are trying to do a two-way authentication as you mentioned that you have created certificates on both the queue managers.

The label of the certificate must be "ibmwebspheremq<queuemanagername>" (everything lower case). Make sure you add the certificate of QM1 on QM2 as a Signer Certificate (since this is a self signed certificate) and vice versa.

Then start your channels and you should be good.

Hope this helps.
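Added example (not part of any post in this thread, and not IBM MQ code): a small Python check of the conditions listed in the reply above, namely the lower-case label rule, the signer exchange for self-signed certificates, and SSLCAUTH. It goes slightly beyond the reply by also flagging an SSLCIPH mismatch and NULL_* CipherSpecs, which give integrity checking without encryption. The dictionary layout, issuer strings and function names are assumptions for illustration, and the sample key repositories are constructed.

```python
# Added example: checks taken from the reply above. Data layout is an assumption.

def expected_label(qmgr_name):
    # Label rule from the thread: "ibmwebspheremq" + queue manager name, lower case.
    return "ibmwebspheremq" + qmgr_name.lower()

def presented_issuer(qm, findings):
    """Issuer of the certificate this queue manager would present, or None."""
    label = expected_label(qm["name"])
    if label not in qm["personal"]:
        findings.append(f"{qm['name']}: no personal certificate labelled {label}")
        return None
    return qm["personal"][label]

def lint(sender, receiver, chl):
    """Return a list of findings for one sender/receiver channel pair."""
    findings = []
    if chl["sdr_sslciph"] != chl["rcvr_sslciph"]:
        findings.append("SSLCIPH differs between sender and receiver")
    if "NULL_" in (chl["sdr_sslciph"][:5], chl["rcvr_sslciph"][:5]):
        findings.append("NULL_* CipherSpec: integrity check only, no encryption")
    # The receiver end always presents a certificate; the sender end must
    # present one only when the receiver channel has SSLCAUTH(REQUIRED).
    pairs = [(receiver, sender)]
    if chl["sslcauth"] == "REQUIRED":
        pairs.append((sender, receiver))
    for owner, peer in pairs:
        issuer = presented_issuer(owner, findings)
        if issuer is not None and issuer not in peer["signers"]:
            findings.append(
                f"{peer['name']}: signer '{issuer}' missing, cannot validate {owner['name']}")
    return findings

# Constructed sample: QM1's self-signed cert was added to QM2 but not the
# reverse, and QM2's label uses upper case.
QM1 = {"name": "QM1", "personal": {"ibmwebspheremqqm1": "self:QM1"}, "signers": set()}
QM2 = {"name": "QM2", "personal": {"ibmwebspheremqQM2": "self:QM2"}, "signers": {"self:QM1"}}
CHL = {"sdr_sslciph": "NULL_MD5", "rcvr_sslciph": "NULL_MD5", "sslcauth": "REQUIRED"}

if __name__ == "__main__":
    for line in lint(QM1, QM2, CHL):
        print(line)
```
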
jamestate2001
Posted: Fri Nov 19, 2004 2:04 pm    Post subject: SSL MQSeries Problems

Newbie

Joined: 16 Sep 2004
Posts: 2

Hi,

I'm also having trouble setting up 1 way SSL connections. Here's what I've done so far:

1. On QM1 I've assigned a certificate from GlobalSign. The cert has the green check mark.

2. I've set the CipherSpec to Null MD5 on both QM1 and QM2.

3. On QM2 I've added the GlobalSign CA Root (?) certificate to the QM store.

4. I've restarted both Queue managers.

I get this error on QM2:

AMQ9637: Channel is lacking a certificate.

EXPLANATION:
The channel is lacking a certificate to use for the SSL handshake. The channel
name is '????' (if '????' it is unknown at this stage in the SSL processing).
The channel did not start.
ACTION:
Make sure the appropriate certificates are correctly configured in the key
repositories for both ends of the channel.

What do you mean by "labelling the certificate"?

Thanks.
Anirud
Posted: Mon Nov 22, 2004 7:43 am

Master

Joined: 12 Feb 2004
Posts: 285
Location: Vermont

You got this error because you never added the personal certificate to QM2 key database.

If QM1 is the queue manager which is starting the communication, then you will also need to add the personal certificate of QM1 to the key database of QM2 and before that add all the root certificates to the QM2 key database (which you already did).

This should do the trick.
mqmike
Posted: Mon Nov 29, 2004 7:41 am

Acolyte

Joined: 09 Jul 2004
Posts: 63

Thanks for the info, Anirud.

The channels are def working OK when I don't include the SSLCIPH attribute.

I'm trying to test from QM1.TO.QM2, so I changed the SSLCAUTH attribute of the receiver channel to QM2 to optional, but am still getting the same error.