hdjur |
Posted: Thu Oct 27, 2005 4:57 am Post subject: SSL problem: AMQ9637: Channel is lacking a certificate.
Centurion
Joined: 16 Sep 2004 Posts: 116 Location: Zagreb
Hello!
A few days ago I posted a topic regarding keytool, obtaining a password stash file and so on. Now I am using iKeyman, and have no problem with this. The qmgr on the sender channel side (SSL client) initiates the connection, but the qmgr on the receiver channel side (SSL server) logs that "Channel is lacking a certificate". I have done exactly these steps:
1. on both sides I have created a key store database (of CMS type)
2. in both databases I have created new self-signed certificates, labeled 'ibmWebSphereMQ<qmgr-name>' (is it important to name it exactly like this?) where qmgr-name is the name of the local qmgr (which owns the key repository), cn is set to the hostname alias, as iKeyman originally suggested as default
3. I have exported the key store using the "Export/Import..." option, and imported on the other side only the newly created self-signed certificates (I was prompted for a pwd, and to choose the items which I want to import from the key store)
4. now I have on every side, under "Personal Certificates", two entries: the one created, which is the default, and the one imported
5. channel attributes are:
SSLCIPH(RC4_MD5_US) - for sdr and rcvr
SSLCAUTH(OPTIONAL)
SSLPEER(... I have set this to the partner's Distinguished Name -
cn=hostname, O=...,OU=...,C=HR -
on both sides, but if I leave it blank, it does not work either)
What am I missing? Thanks in advance.
Mr Butcher |
Posted: Thu Oct 27, 2005 5:50 am Post subject:
Padawan
Joined: 23 May 2005 Posts: 1716
You said that the certificates you created are self-signed. Did you also import the public key of the CA in every keystore?
_________________
Regards, Butcher
hdjur |
Posted: Thu Oct 27, 2005 6:38 am Post subject:
Centurion
Joined: 16 Sep 2004 Posts: 116 Location: Zagreb
Hi Mr Butcher!
Thank you for your answer.
In the case of self signed certificates, who would be the CA?
What exactly should I do, in terms of using iKeyman options?
jefflowrey |
Posted: Thu Oct 27, 2005 6:46 am Post subject:
Grand Poobah
Joined: 16 Oct 2002 Posts: 19981
hdjur wrote:
What exactly should I do, in terms of using iKeyman options?
Step by Step instructions, courtesy of the fine manual.
_________________
I am *not* the model of the modern major general.
hdjur |
Posted: Thu Oct 27, 2005 6:48 am Post subject:
Centurion
Joined: 16 Sep 2004 Posts: 116 Location: Zagreb
wschutz |
Posted: Thu Oct 27, 2005 7:21 am Post subject:
Jedi Knight
Joined: 02 Jun 2005 Posts: 3316 Location: IBM (retired)
Quote:
'ibmWebSphereMQ<qmgr-name>' (is it important to name it exactly like this?)
it must be like this:
Code:
ibmwebspheremq<qmgr-name>
all in lower case
_________________
-wayne
Anirud |
Posted: Thu Oct 27, 2005 7:58 am Post subject:
Master
Joined: 12 Feb 2004 Posts: 285 Location: Vermont
hdjur,
your step 3 should be the following:
3. Extract the certificate and ftp it to the other server and Add the certificate as a Signer Certificate and recycle the queue managers to pick up the certificates.
hdjur |
Posted: Thu Oct 27, 2005 9:29 am Post subject:
Centurion
Joined: 16 Sep 2004 Posts: 116 Location: Zagreb
Thank you Wayne and Anirud too.
I have applied the suggestion regarding the label. Then I have extracted (instead of exporting - that was one mistake) the personal self-signed certificates on each side, ftp-ed them to the other side, and added them to the signer certificates (instead of importing them to the personal certificates - that was my second mistake).
Then I have issued mqsc refresh security (how exactly does one "recycle" a queue manager on AIX? - I can't find it anywhere - sorry for being a newbie).
Now there is progress in my work: I get AMQ9633: Bad SSL certificate for channel on the SSL client side instead of the previous "lacking a certificate" on the SSL server side.
Trying again ... and it works. I have the channel in running state.
Thank you all.
kats |
Posted: Tue Aug 22, 2006 10:52 am Post subject:
Voyager
Joined: 20 Apr 2006 Posts: 78
Recycle qmgr means stopping and restarting qmgr.
This is awkward but we have to recycle qmgr to pick up the certs.
In MQ V 6.0, we don't have to recycle qmgr. Simply giving the runmqsc command: Refresh security type(ssl) would do the job.
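The procedure the thread arrives at (lower-case label, extract instead of export, add as a signer certificate, then refresh), written out as a dry-run shell script. This is an added example, not part of any post above; it assumes the `runmqckm` command-line counterpart of iKeyman, and QM1/QM2, the file paths, the DN, the password placeholder and the `qm2_signer` label are made up for illustration.

```shell
#!/bin/sh
# Added illustration, not from the thread. Assumptions: runmqckm (the
# command-line counterpart of iKeyman) is on PATH; QM1/QM2, the paths and
# the password are placeholders.
CKM=${CKM:-runmqckm}
DRY_RUN=${DRY_RUN:-1}        # 1 = print the commands instead of running them

run() { if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi; }

# Label the queue manager looks up: ibmwebspheremq + qmgr name, all lower case.
mq_cert_label() {
    printf 'ibmwebspheremq%s\n' "$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')"
}

# Self-signed personal certificate in the local CMS key repository.
create_personal_cert() {     # args: kdb password qmgr dn
    run "$CKM" -cert -create -db "$1" -pw "$2" -label "$(mq_cert_label "$3")" -dn "$4"
}

# Extract (not export): writes only the public certificate, no private key.
extract_public_cert() {      # args: kdb password qmgr target
    run "$CKM" -cert -extract -db "$1" -pw "$2" -label "$(mq_cert_label "$3")" \
        -target "$4" -format ascii
}

# Add the partner's extracted certificate as a signer certificate.
add_partner_signer() {       # args: kdb password signer-label file
    run "$CKM" -cert -add -db "$1" -pw "$2" -label "$3" -file "$4" -format ascii
}

# Make the queue manager reread the repository (MQ V6.0 per the thread;
# earlier versions need the queue manager stopped and restarted).
refresh_ssl() {              # arg: qmgr
    if [ "$DRY_RUN" = 1 ]; then echo "echo 'REFRESH SECURITY TYPE(SSL)' | runmqsc $1"
    else echo 'REFRESH SECURITY TYPE(SSL)' | runmqsc "$1"; fi
}

# Walk-through for the QM1 side; QM2 mirrors it with the names swapped.
KDB=/var/mqm/qmgrs/QM1/ssl/key.kdb   # placeholder path
PW='<kdb-password>'                  # placeholder; -pw is visible in ps output
create_personal_cert "$KDB" "$PW" QM1 "CN=host1,O=Example,C=HR"
extract_public_cert  "$KDB" "$PW" QM1 /tmp/qm1.arm   # send this file to QM2's host
add_partner_signer   "$KDB" "$PW" qm2_signer /tmp/qm2.arm
refresh_ssl QM1
```

With `DRY_RUN=0` the same functions execute the commands; only the extracted `.arm` file ever leaves the host, so each private key stays in its own repository.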