SSLPEER question
KoGor
Posted: Thu Jun 19, 2008 3:56 am Post subject: SSLPEER question
Voyager
Joined: 09 Nov 2005 Posts: 81 Location: Moscow, Russia.
Hi All!
I have a test environment of 4 servers:
- MQ Server 6
- MQ Client
- Windows 2003 EE which runs Active Directory
- Windows 2003 EE which runs Certification Authority
All servers are in one Windows domain. I have already set up an SSL connection between the MQ server and client successfully. I'm using LDAP for storing client channel info. Everything works fine. Now I want to separate different server-connection channels with specified clients. As I understood, the only way to force the MQ Client to use another (not first) server-connection channel is to specify a Distinguished Name (SSLPEER). Maybe I'm on the wrong track, but I can't see any other way to make a client connect to the specified server-connection channel when you use LDAP to store server-channel information.
So I have this error in the Windows Event Log:
Quote:
SSL distinguished name does not match peer name, channel 'LGVM_QM1CH'.
The distinguished name, 'CN=MQ Client,CN=Users,DC=lg,DC=factor-ts,DC=ru', contained in the SSL certificate for the remote end of the channel does not match the local SSL peer name for channel 'LGVM_QM1CH'. The distinguished name at the remote end must match the peer name specified (which can be generic) before the channel can be started.
If this remote system should be allowed to connect, either change the SSL peer name specification for the local channel so that it matches the distinguished name in the SSL certificate for the remote end of the channel, or obtain the correct certificate for the remote end of the channel. Restart the channel.

I can't understand what string I should put into the SSLPEER variable to match the Distinguished Name of the certificate. When I put double CN or at least one DC type, I got a wrong syntax error. There are rules on how to form this string:
http://publib.boulder.ibm.com/infocenter/wmqv6/v6r0/index.jsp?topic=/com.ibm.mq.csqzas.doc/sy12940_.htm
I can't figure out how I can change the Microsoft format "CN=MQ Client,CN=Users,DC=lg,DC=factor-ts,DC=ru" into a format suitable for MQ.
Could anybody help me with my problem?
Thanks in advance!
KoGor
Posted: Fri Jun 20, 2008 4:00 am Post subject:
Voyager
Joined: 09 Nov 2005 Posts: 81 Location: Moscow, Russia.
I found the solution. Maybe it's not perfect, but it works. You should use '*' for the rest of the string. For my case it should be: CN='MQ User1'*
It's the only way I managed to match the certificate distinguished name with SSLPEER.
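
As an added example (not part of the original posts and not IBM's matching code), here is a simplified Python model of a generic peer-name filter, useful for checking which certificate DNs a candidate SSLPEER value would admit before setting it on a channel. It assumes that only attributes named in the filter are compared and that `*` is a wildcard at the start or end of a value; how MQ 6 itself treats the doubled CN is not modelled, and every DN except the one from the error message is constructed.

```python
import re

def parse_dn(dn):
    """Split 'K=V,K=V' into {TYPE: [values in order]} (no quoted separators)."""
    attrs = {}
    for part in re.split(r"[,;]", dn):
        key, _, value = part.partition("=")
        attrs.setdefault(key.strip().upper(), []).append(value.strip())
    return attrs

def value_matches(pattern, value):
    """Exact match, or '*' as a wildcard at the end or start of the pattern."""
    if pattern.endswith("*"):
        return value.startswith(pattern[:-1])
    if pattern.startswith("*"):
        return value.endswith(pattern[1:])
    return pattern == value

def peer_matches(peer_filter, cert_dn):
    """Model assumption: attributes missing from the filter are not checked."""
    cert = parse_dn(cert_dn)
    for key, patterns in parse_dn(peer_filter).items():
        values = cert.get(key, [])
        if len(values) < len(patterns):
            return False  # filter names an attribute the certificate lacks
        if not all(value_matches(p, v) for p, v in zip(patterns, values)):
            return False
    return True

def admitted(peer_filter, cert_dns):
    """Return the certificate DNs that the filter would let through."""
    return [dn for dn in cert_dns if peer_matches(peer_filter, dn)]

# DN taken from the error message in the first post.
PAGE_DN = "CN=MQ Client,CN=Users,DC=lg,DC=factor-ts,DC=ru"
# Constructed DNs, standing in for other certificates from the same CA.
SAMPLE_DNS = [
    PAGE_DN,
    "CN=MQ Client Test,OU=Lab,O=Example Corp",
    "CN=MQ Client,OU=Payments,O=Example Corp",
    "CN=Backup Agent,CN=Users,DC=lg,DC=factor-ts,DC=ru",
]

if __name__ == "__main__":
    for f in ("CN=MQ Client*", "CN=MQ Client*,OU=Payments"):
        print(f, "->", admitted(f, SAMPLE_DNS))
```

In this model a CN-only generic filter admits every listed certificate whose CN begins with the given text, while naming a further attribute narrows the set to certificates that carry it.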