Author |
Message
|
mhubbard |
Posted: Thu May 15, 2008 9:52 am Post subject: 2393 After Server Upgrade |
|
|
 Acolyte
Joined: 25 Aug 2004 Posts: 54
|
Hello - I have a WebSphere MQ Server V 6.0 running on Red Hat. I am running this on VMware, so, luckily, I also have a clone of this box before it was upgraded from 5.3.
I have about 2500 client boxes in the field. All of them are still running the 5.3 client. They are communicating to my server over an SSL channel.
I discovered recently that it appears that a 6.0 client cannot talk successfully - at least over an SSL channel - to a 5.3 server. Now, I seem to be finding that the opposite is also true: a 5.3 client cannot talk SSL to a 6.0 server.
In my test lab, I have 1 server at 5.3 and 1 at 6.0 and I also have a 5.3 client and a 6.0 client. Each can only seem to successfully talk to the server of its own version. When going 5.3 client to 6.0 server, I get error 2393 and the following messages on the server side in /var/mqm/qmgrs/QM1.queue.manager/errors/AMQERR01.LOG:
----- amqrmrsa.c : 468 --------------------------------------------------------
05/15/2008 01:28:20 PM - Process(8678.18683) User(root) Program(amqrmppa)
AMQ9631: The CipherSpec negotiated during the SSL handshake does not match the
required CipherSpec for channel 'CHANNELSSL1'.
EXPLANATION:
There is a mismatch between the CipherSpecs on the local and remote ends of
channel 'CHANNELSSL1'. The channel will not run until this mismatch is
resolved. The CipherSpec required in the local channel definition is
'TLS_RSA_WITH_AES_128_CBC_SHA'. The name of the CipherSpec negotiated during
the SSL handshake is 'TLS_RSA_WITH_AES_128_CBC_SHA'. A code is displayed if the
name of the negotiated CipherSpec cannot be determined.
ACTION:
Change the channel definitions for 'CHANNELSSL1' so the two ends have matching
CipherSpecs and restart the channel. If the certificate in use by one end of
the channel is a Global Server Certificate, then the negotiated CipherSpec may
not match that specified on either end of the channel. This is because the SSL
protocol allows a Global Server Certificate to automatically negotiate a higher
level of encryption. In these cases specify a CipherSpec which meets the
requirements of the Global Server Certificate.
I am running the client-side program with the channel table copied there - it was the channel table created back with the 5.3 server. Can someone please tell me that my nightmare is not true? It is not possible that I could upgrade both my production servers and clients at the same time. It is not even possible that I could upgrade my server and make some manipulation to the certificates or channel tables on my clients.
Please help.
Thanks _________________ Michael J. Hubbard |
Vitor |
Posted: Thu May 15, 2008 10:54 am Post subject: |
|
|
 Grand High Poobah
Joined: 11 Nov 2005 Posts: 26093 Location: Texas, USA
|
Ok, SSL is not my thing and I've no idea if this will help or even if it's connected, but I notice the process is running as root rather than mqm. I therefore wonder if it's a permissions problem in disguise?
Like I said, could be utterly unrelated. I offer it in good faith for whatever it's worth.  _________________ Honesty is the best policy.
Insanity is the best defence. |
mhubbard |
Posted: Thu May 15, 2008 11:11 am Post subject: |
|
|
 Acolyte
Joined: 25 Aug 2004 Posts: 54
|
Thanks for responding.
But the 5.3 server is root and the 6.0 server is root.
the 5.3 client is root and the 6.0 client is root.
5.3 can talk to 5.3 and 6.0 can talk to 6.0, so conversation is possible, in general under these conditions. _________________ Michael J. Hubbard |
Vitor |
Posted: Thu May 15, 2008 11:43 am Post subject: |
|
|
 Grand High Poobah
Joined: 11 Nov 2005 Posts: 26093 Location: Texas, USA
|
Still, in an ideal world the daemons should run as mqm. _________________ Honesty is the best policy.
Insanity is the best defence. |
fjb_saper |
Posted: Thu May 15, 2008 2:24 pm Post subject: |
|
|
 Grand High Poobah
Joined: 18 Nov 2003 Posts: 20756 Location: LI,NY
|
root is never a good user to run MQ under.
Unlike in the Unix world, root does not automatically have all permissions in mqm, but mqm does.
Is your root a member of the mqm group?
Enjoy  _________________ MQ & Broker admin |
mhubbard |
Posted: Fri May 16, 2008 11:19 am Post subject: |
|
|
 Acolyte
Joined: 25 Aug 2004 Posts: 54
|
I guess I'll reply to my own message in case someone else ends up in this hell. For cipher spec: TLS_RSA_WITH_AES_128_CBC_SHA between MQ6.0 and MQ5.3 there is a mismatch. This is outlined in http://www-1.ibm.com/support/docview.wss?rs=171&uid=swg1IZ01355 . I will post again if I am able to a 6.0 apar to fix it from that side. _________________ Michael J. Hubbard |
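The check below is an added example, not code from any poster in this thread or from IBM: it scans AMQERR01.LOG text for AMQ9631 entries and marks those where the required and negotiated CipherSpec names are identical, the pattern in the log quoted in the first post, where both channel definitions already name the same CipherSpec. The function name `find_amq9631` and the second sample entry are assumptions made for the illustration.

```python
import re

# Constructed sample in the AMQERR01.LOG layout quoted in the thread; the
# second entry (channel name and CipherSpecs) is made up for contrast.
SAMPLE_LOG = """\
----- amqrmrsa.c : 468 --------------------------------------------------------
05/15/2008 01:28:20 PM - Process(8678.18683) User(root) Program(amqrmppa)
AMQ9631: The CipherSpec negotiated during the SSL handshake does not match the
required CipherSpec for channel 'CHANNELSSL1'.
EXPLANATION:
There is a mismatch between the CipherSpecs on the local and remote ends of
channel 'CHANNELSSL1'. The channel will not run until this mismatch is
resolved. The CipherSpec required in the local channel definition is
'TLS_RSA_WITH_AES_128_CBC_SHA'. The name of the CipherSpec negotiated during
the SSL handshake is 'TLS_RSA_WITH_AES_128_CBC_SHA'. A code is displayed if the
name of the negotiated CipherSpec cannot be determined.
----- amqrmrsa.c : 468 --------------------------------------------------------
05/15/2008 01:31:02 PM - Process(8678.18690) User(root) Program(amqrmppa)
AMQ9631: The CipherSpec negotiated during the SSL handshake does not match the
required CipherSpec for channel 'CHANNELSSL2'.
EXPLANATION:
The CipherSpec required in the local channel definition is
'TRIPLE_DES_SHA_US'. The name of the CipherSpec negotiated during the SSL
handshake is 'RC4_SHA_US'.
"""

ENTRY_SEP = re.compile(r"^-{5} .*-+\s*$", re.M)   # "----- file.c : NNN -----" rule
STAMP = re.compile(r"(\d\d/\d\d/\d{4} \d\d:\d\d:\d\d [AP]M) - .*?User\((\w+)\)")
SPECS = re.compile(r"for channel '([^']+)'.*?channel definition is '([^']+)'"
                   r".*?SSL handshake is '([^']+)'")

def find_amq9631(log_text):
    """Return one dict per AMQ9631 entry; same_name marks identical CipherSpecs."""
    findings = []
    for entry in ENTRY_SEP.split(log_text):
        if "AMQ9631:" not in entry:
            continue
        flat = " ".join(entry.split())            # undo the 80-column wrapping
        stamp, specs = STAMP.search(flat), SPECS.search(flat)
        if not (stamp and specs):
            continue                              # truncated or unexpected layout
        channel, required, negotiated = specs.groups()
        findings.append({"time": stamp.group(1), "user": stamp.group(2),
                         "channel": channel, "required": required,
                         "negotiated": negotiated, "same_name": required == negotiated})
    return findings

if __name__ == "__main__":
    for f in find_amq9631(SAMPLE_LOG):
        print(f["time"], f["channel"], "same name" if f["same_name"] else "names differ")
```

Entries with `same_name` set are the ones where aligning the channel definitions, as the message's ACTION text suggests, changes nothing, so the client and server levels are the next thing to compare.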