stephenboarder
Posted: Wed Jan 31, 2007 5:19 am Post subject: Websphere MQ Client Connection using SSL on AIX
Hi, I am attempting to test an mq client connection to a queue manager on AIX using SSL and I am not having any success. Currently my client connection is from the same AIX box and I am testing using amqsputc, although when this is successful I intend to also test the client connection from a remote Windows box. Below are the steps I have taken to achieve this, taken from various IBM docs. Am I missing a vital step?
GENERAL
export JAVA_HOME=/usr/mqm/ssl/jre
export CLASSPATH=/usr/opt/ibm/gsksa/classes/cfwk.zip:$CLASSPATH
export CLASSPATH=/usr/opt/ibm/gsksa/classes/gsk7cls.zip:$CLASSPATH
SERVER SIDE
CREATE SERVER key repository file
java com.ibm.gsk.ikeyman.ikeycmd -keydb -create -db key.kdb -pw ibm -type cms -expire 365 -stash
CREATE CERTIFICATE
java com.ibm.gsk.ikeyman.ikeycmd -cert -create -db key.kdb -pw ibm -label ibmwebspheremqnrpeb023 -dn "CN=Steve Boarder, O=IBM, OU=Test, C=GB"
LIST CERTIFICATES
java com.ibm.gsk.ikeyman.ikeycmd -cert -list all -db key.kdb -pw ibm
EXTRACT CERTIFICATE
java com.ibm.gsk.ikeyman.ikeycmd -cert -extract -db key.kdb -pw ibm -label ibmwebspheremqnrpeb023 -target lul.arm -format ascii
runmqsc NRPEB023
display QMGR SSLKEYR
SSLKEYR(/var/mqm/qmgrs/NRPEB023/ssl/key.kdb)
CLIENT SIDE
CREATE CLIENT KEY REPOSITORY FILE
java com.ibm.gsk.ikeyman.ikeycmd -keydb -create -db clientkey -pw ibm -type cms -expire 365 -stash
ADD CERTIFICATE
java com.ibm.gsk.ikeyman.ikeycmd -cert -add -db clientkey -pw ibm -label ibmwebspheremqnrpeb023 -file lul.arm -format ascii
SET ENVIRONMENT VARIABLES
export MQCHLLIB=/var/mqm/MQCLIENT
export MQCHLTAB=AMQCLCHL.TAB
export MQSSLKEYR=/var/mqm/MQCLIENT/clientkey
runmqsc NRPEB023
alter chl(SSL.CLIENTS) chltype(SVRCONN) sslciph(TRIPLE_DES_SHA_US) sslcauth(optional)
alter chl(SSL.CLIENTS) chltype(CLNTCONN) sslciph(TRIPLE_DES_SHA_US)
COPY CLIENT CONNECTION FILE TO CLIENT
cp /var/mqm/qmgrs/NRPEB023/@ipcc/AMQCLCHL.TAB /var/mqm/MQCLIENT
TEST
gb02qmq01nwrx7[/usr/mqm/samp/bin]$ amqsputc TEST
Sample AMQSPUT0 start
MQCONN ended with reason code 2059
Vitor
Posted: Wed Jan 31, 2007 5:26 am Post subject:
Does it work without SSL? If not:
Is the queue manager you're attempting to contact the default? If not, you'll need to specify the name.
Also did you specify a client connection or are you attempting to use the system default channel?
If it does, then you've got a problem with the SSL keys.
I'd suggest you get the client connection working without SSL and then secure it. Also search the forum for 2059 - it's a common problem & you'll find a raft of possible causes & solutions (above the ones I've listed above).
_________________
Honesty is the best policy.
Insanity is the best defence.
jefflowrey
Posted: Wed Jan 31, 2007 5:35 am Post subject:
Vitor - some of your questions were answered in the original post...
Normally, I would suggest that the Support Pack MO04 would be very handy in this situation, as it comes with sample programs and instructions for using those sample programs.
However, the last time I tried to use those samples, I had some issues. Those might have been my own fault (I'm sure the code was fine...).
The most important thing to make sure of is that the Client Channel includes the queue manager name.
Also, remember that C programs can't use jks keystores and Java programs can't use anything BUT jks keystores.
_________________
I am *not* the model of the modern major general.
Vitor
Posted: Wed Jan 31, 2007 5:38 am Post subject:
Doh......
RTFP!
_________________
Honesty is the best policy.
Insanity is the best defence.
stephenboarder
Posted: Wed Jan 31, 2007 6:16 am Post subject:
Thanks for the responses.
The queue manager is not the default.
If I remove the SSL entries with the following commands, the client connection is successful:
alter chl(SSL.CLIENTS) chltype(SVRCONN) sslciph('')
alter chl(SSL.CLIENTS) chltype(CLNTCONN) sslciph('')
cp /var/mqm/qmgrs/NRPEB023/@ipcc/AMQCLCHL.TAB /var/mqm/MQCLIENT
With the SSL entries re-entered, my SVRCONN and CLNTCONN channels look like this:
CHANNEL(SSL.CLIENTS) CHLTYPE(SVRCONN)
ALTDATE(2007-01-31) ALTTIME(14.09.04)
COMPHDR(NONE) COMPMSG(NONE)
DESCR( ) HBINT(300)
KAINT(AUTO) MAXMSGL(4194304)
MCAUSER( ) MONCHL(QMGR)
RCVDATA( ) RCVEXIT( )
SCYDATA( ) SCYEXIT( )
SENDDATA( ) SENDEXIT( )
SSLCAUTH(OPTIONAL) SSLCIPH(TRIPLE_DES_SHA_US)
SSLPEER( ) TRPTYPE(TCP)
CHANNEL(SSL.CLIENTS) CHLTYPE(CLNTCONN)
ALTDATE(2007-01-31) ALTTIME(14.09.04)
COMPHDR(NONE) COMPMSG(NONE)
CONNAME(10.***.*.**(1414)) DESCR( )
HBINT(300) KAINT(AUTO)
LOCLADDR( ) MAXMSGL(4194304)
MODENAME( ) PASSWORD( )
QMNAME(NRPEB023) RCVDATA( )
RCVEXIT( ) SCYDATA( )
SCYEXIT( ) SENDDATA( )
SENDEXIT( ) SSLCIPH(TRIPLE_DES_SHA_US)
SSLPEER( ) TPNAME( )
TRPTYPE(TCP) USERID( )
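As an added example (not code from the thread, from IBM, or from the MO04 support pack), a small POSIX shell script that applies the checks discussed above to the posted setup: that the SVRCONN and CLNTCONN definitions agree on SSLCIPH, that the queue manager's certificate label follows the ibmwebspheremq plus lower-case queue manager name convention the first post used, and that MQSSLKEYR names the key repository without its .kdb suffix with the stash file beside it. The DISPLAY CHANNEL text is a constructed sample modelled on the output above; chl_attr, ciphers_match, expected_qmgr_label and keyr_ok are names of my own choosing.

```shell
#!/bin/sh
# Constructed sample of runmqsc DISPLAY CHANNEL output, modelled on the thread.
SAMPLE_CHL='CHANNEL(SSL.CLIENTS) CHLTYPE(SVRCONN)
SSLCAUTH(OPTIONAL) SSLCIPH(TRIPLE_DES_SHA_US)
CHANNEL(SSL.CLIENTS) CHLTYPE(CLNTCONN)
QMNAME(NRPEB023) SSLCIPH(TRIPLE_DES_SHA_US)'

# chl_attr CHLTYPE ATTR TEXT: print ATTR's value from the channel of that type.
chl_attr() {
  printf '%s\n' "$3" | awk -v ct="$1" -v attr="$2" '
    /CHLTYPE\(/ { in_ct = (index($0, "CHLTYPE(" ct ")") > 0) }
    in_ct && match($0, attr "\\([^)]*\\)") {
      print substr($0, RSTART + length(attr) + 1, RLENGTH - length(attr) - 2); exit }'
}

# Both channel definitions must name the same CipherSpec. The CLNTCONN copy the
# client actually uses is the one in AMQCLCHL.TAB, so a stale table copied
# before the last ALTER is one way for the two sides to disagree.
ciphers_match() {
  s=$(chl_attr SVRCONN SSLCIPH "$1"); c=$(chl_attr CLNTCONN SSLCIPH "$1")
  [ -n "$s" ] && [ "$s" = "$c" ]
}

# Label the queue manager's personal certificate must carry:
# "ibmwebspheremq" followed by the queue manager name in lower case.
# (A C client's own certificate, only needed with SSLCAUTH(REQUIRED), uses
# the logged-in user id in the same way.)
expected_qmgr_label() {
  printf 'ibmwebspheremq%s\n' "$(printf '%s' "$1" | tr 'A-Z' 'a-z')"
}

# MQSSLKEYR must be the repository path without ".kdb"; the .kdb file and the
# stash file (.sth, written by -stash) must both exist beside it.
keyr_ok() {
  case "$1" in *.kdb) return 1 ;; esac
  [ -f "$1.kdb" ] && [ -f "$1.sth" ]
}

# Stand-alone run: report on the sample definitions and on MQSSLKEYR if set.
qm=$(chl_attr CLNTCONN QMNAME "$SAMPLE_CHL")
if ciphers_match "$SAMPLE_CHL"; then echo "SSLCIPH agrees on SVRCONN and CLNTCONN"
else echo "SSLCIPH differs between SVRCONN and CLNTCONN"; fi
echo "queue manager $qm needs a certificate labelled $(expected_qmgr_label "$qm")"
if [ -n "${MQSSLKEYR:-}" ]; then
  if keyr_ok "$MQSSLKEYR"; then echo "MQSSLKEYR looks usable"
  else echo "MQSSLKEYR: drop any .kdb suffix and check the .kdb and .sth files exist"; fi
fi
```

Run it on a real box with MQSSLKEYR exported and feed chl_attr the saved output of DISPLAY CHANNEL(SSL.CLIENTS) for both channel types.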
stephenboarder
Posted: Thu Feb 01, 2007 7:54 am Post subject:
Any more ideas on this guys??
The steps produced by supportpac MO04 are very similar and I still receive the same error.
jefflowrey
Posted: Thu Feb 01, 2007 8:01 am Post subject:
Again, make sure you are using the right type of keystore for the program you're trying to run.
C programs can't use jks and Java programs can't use anything else.
And then you can look at enabling SSL events.
_________________
I am *not* the model of the modern major general.
stephenboarder
Posted: Thu Feb 01, 2007 8:11 am Post subject:
As above, I am using -type cms and I am testing with a C program, amqsputc.
Is there any way to debug this to provide a more meaningful error?
jefflowrey
Posted: Thu Feb 01, 2007 8:16 am Post subject:
Enable SSL Events and use MO01 to look at the SSL events.
Look for channel errors.
_________________
I am *not* the model of the modern major general.