Verification fails between RS6000(Sender) and z/OS(Receiver)
zlf
Posted: Fri Sep 22, 2006 3:37 am
Hi,
I have created two qmgrs on RS6000 and z/OS, with two pairs of sender/receiver channels using SSL: one sender and receiver on RS6000 and the same on z/OS. Generating, exporting and importing each other's certificates is done.
If I start the sender channel on RS6000, it works well (the channel is running). However, starting the sender channel on z/OS results in a "'gsk_secure_soc_init' RC=-18" error seen in the system log.
The two most important steps (also the steps most likely to have a problem) are releasing the certificate on RS6000 and importing it to z/OS.
1. I think it is very possible that the problem lies in the certificate released by RS6000. iKeyman is used to publish the self-signed certificate. The steps are detailed below:
1.1 Create a keystore.
1.2 Create a self-signed certificate named ibmwebspheremqqmgr1.
1.3 Extract the self-signed certificate to the file cert6000.arm (base64) and upload it to z/OS by FTP in ASCII mode.
2. Import the certificate published above to z/OS:
2.1 Import the certificate generated on RS6000.
RACF statements:
RACDCERT ID(STCxxx) +
ADD('spuser.CERT.cert6000') +
withlabel('ibmwebspheremqqmgr1') trust
---------------- add certificate ----------above---------
2.2 Connect the certificate to the key ring.
RACDCERT ID(STCxxx) +
CONN(ID(STCSYS) +
label('ibmwebspheremqqmgr1') +
RING(BOCSOFT-ZOSBS1-CL-TEST-1) USAGE(PERSONAL))
--------------add certificate into key ring----- above----
The error log on RS6000 is as follows:
----- amqrmrsa.c : 461 --------------------------------------------------------
09/22/06 19:04:02
AMQ9665: SSL connection closed by remote end of channel '????'.
EXPLANATION:
The SSL connection was closed by the remote end of the channel during the SSL
handshake. The channel is '????'; in some cases its name cannot be determined
and so is shown as '????'. The channel did not start.
ACTION:
Check the remote end of the channel for SSL-related errors. Fix them and
restart the channel.
----- amqccisx.c : 1013 -------------------------------------------------------
09/22/06 19:04:02
AMQ9228: The TCP/IP responder program could not be started.
EXPLANATION:
An attempt was made to start an instance of the responder program, but the
program was rejected.
ACTION:
The failure could be because either the subsystem has not been started (in this
case you should start the subsystem), or there are too many programs waiting
(in this case you should try to start the responder program later). The reason
code was 0.
----- amqrmrsa.c : 461 --------------------------------------------------------
The error log on z/OS is listed below:
CSQX620E !CSQ1 CSQXRCTL System SSL error,
channel A.B,
function 'gsk_secure_soc_init' RC=-18
CSQ9023E !CSQ1 CSQXCRPS ' START CHANNEL' ABNORMAL COMPLETION
BTW:
The actions taken for generating and exporting the certificate on z/OS may also be useful, so I put them here:
1. I have already defined the following RACF definitions:
RDEFINE FACILITY IRR.DIGTCERT.LISTRING UACC(NONE)
PERMIT IRR.DIGTCERT.LISTRING CLASS(FACILITY) ID(STCUSER) ACCESS(READ)
SETROPTS RACLIST(FACILITY) REFRESH
SETROPTS GENERIC(FACILITY) REFRESH
2. Then I create a certificate:
RACDCERT ID(STCxxx) GENCERT SUBJECTSDN(CN('xxL') T('xxx') OU('xxx') O('xx') L('xx') SP('xx') C('xxxA')) WITHLABEL('ibmWebSphereMQCSQ1') NOTBEFORE (DATE(2009-09-11))
3. Then connect the certificate to the ring:
RACDCERT id(STCUSER) CONNECT(ID(STCUSER) LABEL('ibmWebSphereMQCSQ1') ring(CSQ1RING) USAGE(PERSONAL))
4. Finally, export the certificate to a dataset and FTP it to R6 in ASCII format or binary format:
RACDCERT ID(STCxxx) EXPORT(LABEL('ibmWebSphereMQCSQ1')) DSN('xxx.tt.SSL') FORMAT(CERTB64) …. In ASCII format
RACDCERT ID(STCxxx) EXPORT(LABEL('ibmWebSphereMQCSQ1')) dsn('xxx.tt.SSLBIN') FORMAT(CERTDER) …. In binary format
5. When I have done those steps, on the RS6000/UNIX system it is successful to START its sender channel.
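
An added example, not part of the original post and not IBM tooling: a standard-library Python check that a base64-armored certificate file (such as the cert6000.arm extract or a CERTB64 export described above) still decodes to a complete DER certificate after transfer and is inside its validity window on a given date. The names `check_armored_cert` and `sample_arm` and the sample dates are constructed for illustration; the sample is an unsigned DER skeleton, not a real certificate.

```python
import base64, re
from datetime import datetime, timezone

def tlv(buf, pos):
    """Read one DER element at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                  # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def der_time(buf, pos):
    """Decode UTCTime (0x17) or GeneralizedTime (0x18); return (datetime, next_pos)."""
    tag, start, end = tlv(buf, pos)
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"
    when = datetime.strptime(buf[start:end].decode("ascii"), fmt)
    if tag == 0x17 and when.year >= 2050:              # X.509: YY 50-99 means 19YY
        when = when.replace(year=when.year - 100)
    return when.replace(tzinfo=timezone.utc), end

def check_armored_cert(data, now):
    """Return a list of problems found in a base64-armored certificate file."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----",
                  data.decode("latin-1"), re.S)
    if not m:
        return ["no BEGIN/END CERTIFICATE armor found"]
    try:                                               # split() drops CR/LF from the transfer
        der = base64.b64decode("".join(m.group(1).split()), validate=True)
    except ValueError:
        return ["armor body is not valid base64"]
    if len(der) < 2 or der[0] != 0x30 or tlv(der, 0)[2] != len(der):
        return ["DER length does not match the decoded data"]
    _, pos, _ = tlv(der, tlv(der, 0)[1])               # into TBSCertificate
    if der[pos] == 0xA0:                               # optional [0] version
        pos = tlv(der, pos)[2]
    for _ in range(3):                                 # serialNumber, signature, issuer
        pos = tlv(der, pos)[2]
    not_before, pos = der_time(der, tlv(der, pos)[1])  # first field of Validity
    not_after, _ = der_time(der, pos)
    checks = [(now < not_before, f"not valid until {not_before:%Y-%m-%d}"),
              (now > not_after, f"expired on {not_after:%Y-%m-%d}")]
    return [msg for failed, msg in checks if failed]

def sample_arm(not_before, not_after):  # constructed input: unsigned cert-shaped DER skeleton
    el = lambda tag, body: bytes([tag, len(body)]) + body   # short-form lengths only
    validity = el(0x30, el(0x17, not_before) + el(0x17, not_after))
    tbs = el(0x30, el(0xA0, b"\x02\x01\x02") + b"\x02\x01\x01" + b"\x30\x00" * 2 + validity)
    b64 = base64.encodebytes(el(0x30, tbs)).decode()
    return f"-----BEGIN CERTIFICATE-----\n{b64}-----END CERTIFICATE-----\n".encode()
```

To check a real file, pass its bytes and `datetime.now(timezone.utc)` to `check_armored_cert`; an empty list means the armor, DER length and validity dates all passed.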