Jmeek
Posted: Thu Jun 01, 2006 5:44 am    Post subject: SSL Between Z/os and distributed
Novice
Joined: 19 Dec 2005    Posts: 10    Location: Winston Salem, NC
Hey all, Unix to MVS SDR/RCVR pair. MQ5.3 CSD10:
Background:
Speaking from Distributed side, SDR has SSL Peer info filled in, CIPHSPEC is 3_DES_SHA_US and the SDR starts and runs fine.
SSL Problem:
RCVR channel has all the same information, but when the MVS host starts the channel back to the Distributed box, we get the following error on the Dist. side:
05/31/06 19:12:54
AMQ9633: Bad SSL certificate for channel '????'.
EXPLANATION:
A certificate encountered during SSL handshaking is regarded as bad for one of
the following reasons:
(a) it was formatted incorrectly and could not be validated, or
(b) it was formatted correctly but failed validation against the Certification
Authority (CA) root and other certificates held on the local system, or
(c) it was found in a Certification Revocation List (CRL) on an LDAP server.
The channel is '????'; in some cases its name cannot be determined and so is
shown as '????'. The channel did not start.
ACTION:
Check which of the three possible causes applies on your system. Correct the
error, and restart the channel.
Additional info:
I can see SSL Peer info on the CHSTATUS of the working channel.
Channels run if SSL is turned off.
We have tried making SSLCAUTH(OPTIONAL) and removing SSLPEER info.
The Question:
What would cause the SDR channel to mutually authenticate, but the RCVR to reject the Cert?
_________________
All else fails, RTFM.
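The failure the AMQ9633 text calls reason (b) (a well-formed certificate that fails validation because the local key repository lacks the right CA root), modelled in Go as an added example that is not code from the thread or from WebSphere MQ. A constructed two-CA test PKI stands in for the Equifax-issued certificates, and a CertPool holding only some roots stands in for each side's key repository; the names QM.DIST, QM.ZOS, makeCert and peerAccepted are assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// makeCert builds a certificate for cn (constructed test PKI). With parent == nil
// it is a self-signed CA root; otherwise an end-entity cert signed by parent.
func makeCert(cn string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{Subject: pkix.Name{CommonName: cn},
		SerialNumber: big.NewInt(time.Now().UnixNano()), NotAfter: time.Now().Add(24 * time.Hour)}
	if parent == nil {
		tmpl.IsCA, tmpl.BasicConstraintsValid = true, true
		tmpl.KeyUsage = x509.KeyUsageCertSign
		parent, parentKey = tmpl, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// peerAccepted reports whether a key repository holding only the given CA roots
// would validate peer's chain; false is AMQ9633 reason (b): no matching CA root.
func peerAccepted(peer *x509.Certificate, roots ...*x509.Certificate) bool {
	pool := x509.NewCertPool()
	for _, r := range roots {
		pool.AddCert(r)
	}
	_, err := peer.Verify(x509.VerifyOptions{Roots: pool})
	return err == nil
}

func main() {
	distCA, distKey := makeCert("Distributed CA", nil, nil)
	zosCA, zosKey := makeCert("z/OS CA", nil, nil)
	distCert, _ := makeCert("QM.DIST", distCA, distKey)
	zosCert, _ := makeCert("QM.ZOS", zosCA, zosKey)
	// Distributed repository holds both roots, z/OS repository only its own.
	fmt.Println("dist accepts z/OS cert:", peerAccepted(zosCert, distCA, zosCA)) // true
	fmt.Println("z/OS accepts dist cert:", peerAccepted(distCert, zosCA))        // false
}
```

With SSLCAUTH(REQUIRED) both ends run this check on the other's certificate, so a root missing from just one repository is enough for a channel to start in one direction and fail in the other.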
jefflowrey
Posted: Thu Jun 01, 2006 7:16 am    Post subject:
Grand Poobah
Joined: 16 Oct 2002    Posts: 19981
Did you add the cert to the z/OS key repository (wherever that is...)
_________________
I am *not* the model of the modern major general.
Jmeek
Posted: Thu Jun 01, 2006 7:18 am    Post subject:
Novice
Joined: 19 Dec 2005    Posts: 10    Location: Winston Salem, NC
Yes, otherwise the Sender wouldn't be able to fully authenticate... Right?
jefflowrey
Posted: Thu Jun 01, 2006 7:20 am    Post subject:
Grand Poobah
Joined: 16 Oct 2002    Posts: 19981
Jmeek wrote:
    Yes, otherwise the Sender wouldn't be able to fully authenticate... Right?

What makes you think the Sender is fully authenticating?
Did you add the z/OS cert to the sender side key-ring?
Jmeek
Posted: Thu Jun 01, 2006 7:30 am    Post subject:
Novice
Joined: 19 Dec 2005    Posts: 10    Location: Winston Salem, NC
Is there a separate keyring on z/OS for a sender and a receiver? The z/OS is remote and I can't verify personally any of their settings. But the fact that our sender to them starts and runs with SSL turned on, and the fact that the DN is in the CHSTATUS on both sides, tells me that they have the key ring loaded at least on their RCVR. Is it possible to have it loaded on the RCVR and not on the SDR? I was under the understanding that the keyring was per Plex and key per QMGR... Is there a way to set it by channel?
jefflowrey
Posted: Thu Jun 01, 2006 7:36 am    Post subject:
Grand Poobah
Joined: 16 Oct 2002    Posts: 19981
Okay, so the Sender starts fine and the z/OS receiver starts fine. I wasn't sure that at least one channel was working successfully.
You get the error when the z/OS tries to start a sender back. Is the error on the z/OS side or the distributed side?
As far as I know, there should only be one keyring per Plex - I'm not a z/OS guy.
Do you have the z/OS cert installed properly on the distributed side?
Jmeek
Posted: Thu Jun 01, 2006 7:54 am    Post subject:
Novice
Joined: 19 Dec 2005    Posts: 10    Location: Winston Salem, NC
The error is on both sides:
On the z/OS side, it says "remote system rejected the cert", and the Dist. side shows the error I posted originally, "Invalid Cert".
Again, I think that the key ring and signers have to be correct on both sides for the Dist.-to-z/OS channel to be working with SSL enabled. If that is a wrong assumption please correct my thinking.
jefflowrey
Posted: Thu Jun 01, 2006 8:00 am    Post subject:
Grand Poobah
Joined: 16 Oct 2002    Posts: 19981
Is it a self-signed key, or a CA-signed key?
Maybe you don't have the right CA root cert on your local queue manager keyring. That is what the #2 suggestion in the error message says.
Jmeek
Posted: Thu Jun 01, 2006 8:08 am    Post subject:
Novice
Joined: 19 Dec 2005    Posts: 10    Location: Winston Salem, NC
Not self-signed, it is an Equifax Cert, and we have added them to our keystore via GSK command.
Anirud
Posted: Thu Jun 01, 2006 3:39 pm    Post subject:
Master
Joined: 12 Feb 2004    Posts: 285    Location: Vermont
Jmeek wrote:
    Not self-signed, it is an Equifax Cert, and we have added them to our keystore via GSK command.

Did you add the CA Root cert(s) on the distributed side?