qwerty |
Posted: Tue Jul 21, 2009 2:23 am Post subject: MQCONN failed with CompCode:2, Reason:2393 |
|
|
Apprentice
Joined: 22 Jun 2009 Posts: 37
|
Hi,
I am trying to make an SSL handshake.
I have got 2 Linux test servers and on each server 1 qmgr:
qma on servera
qmb on serverb
Each server has its own KeyDataBase (.kdb)
and only servera has a TrustStore (.jks).
I have made a self-signed cert on qma (named: ibmwebspheremqqma) and exported it.
FTP'd it to the other server, imported it there and named it:
ibmwebspheremqqmb
I downloaded a root cert and added it to the signer cert list and set it as trusted.
Now I'd like to send a message with the sample program amqsputc from qma to qmb.
I defined the MQSERVER variable.
I am able to send the message, but when I try to receive it on the other server then it's Reason Code 2393.
I use the sample program amqsgetc.
-------------------
MQCONN failed with CompCode:2, Reason:2393
SSL initialisation error
-------------------
Can somebody help me please?
thx qwerty |
exerk |
Posted: Tue Jul 21, 2009 3:26 am Post subject: |
|
|
 Jedi Council
Joined: 02 Nov 2006 Posts: 6339
|
So you created a self-signed certificate in QMA, and ADDED a copy of that certificate to QMB and gave it a label name corresponding to that of QMB. You defined a Client keystore on one server, set the MQSERVER variable, tried to use the sample client application to put a message, and you wonder why it doesn't work?
Go back and read the manuals, especially regarding the use of SSL and try again. Hint: look in the self-signed certificate you created and look at the Issued to: and Issued by: fields, because they'll give you a HUGE clue as to what you need to do to get queue manager-to-queue manager SSL-secured channels working, and to give you a starter on what you need to do to get Client-to-queue manager SSL-secured channels working, look harder at what the MQSERVER variable allows. _________________ It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys. |
qwerty |
Posted: Tue Jul 21, 2009 3:38 am Post subject: |
|
|
Apprentice
Joined: 22 Jun 2009 Posts: 37
|
ok
it is issued by servera
and for servera
so it's not possible to send messages to another server?
Does any tutorial exist to do SSL? |
Vitor |
Posted: Tue Jul 21, 2009 3:54 am Post subject: |
|
|
 Grand High Poobah
Joined: 11 Nov 2005 Posts: 26093 Location: Texas, USA
|
qwerty wrote: |
so it's not possible to send messages to another server?
|
Perfectly possible, but you need to determine what kind of connection you're using (app to queue manager or queue manager to queue manager) and configure accordingly. Keep in mind what the SSL is actually doing as this will help you keep who signs what straight in your mind.
Check the manuals (as my worthy associate says) and be sure you have the right certificates in the right key chain signed by the right people. _________________ Honesty is the best policy.
Insanity is the best defence. |
qwerty |
Posted: Tue Jul 21, 2009 3:59 am Post subject: |
|
|
Apprentice
Joined: 22 Jun 2009 Posts: 37
|
ok thanks =)
I have now read the SSL parts in the MQ Security manual again.
Can somebody give me a hint what else I could read? |
qwerty |
Posted: Wed Jul 22, 2009 12:02 am Post subject: |
|
|
Apprentice
Joined: 22 Jun 2009 Posts: 37
|
I also Altered my QMGR
SSLKEYR (/ssl/KeyDataBase/qma/key_servera)
and
export MQSSLKEYR="/ssl/KeyDataBase/qma/key_servera"
also did it on serverb
How is it possible or what should I do to send encrypted messages from
servera with qma to serverb with qmb??
what do I need?
thx @ all |
exerk |
Posted: Wed Jul 22, 2009 12:13 am Post subject: |
|
|
 Jedi Council
Joined: 02 Nov 2006 Posts: 6339
|
qwerty wrote: |
...How is it possible or what should I do to send encrypted messages from servera with qma to serverb with qmb??
what do I need? |
To switch on and think perhaps?
SSL 101...
1. Each queue manager, or client, needs a key store, and needs to know where that key store is. How a queue manager is 'told' where its key store is differs from how a client is 'told' where its key store is.
2. Each queue manager, or client, needs a personal certificate, and if the personal certificate is self-signed, it is both the personal certificate, and the CA certificate combined.
3. Each queue manager, or client, key store requires the CA certificates of any certificate likely to be received by the queue manager, or client.
You didn't read the manuals properly, so the above 3 pointers should get you up and running... _________________ It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys. |
qwerty |
Posted: Wed Jul 22, 2009 12:20 am Post subject: |
|
|
Apprentice
Joined: 22 Jun 2009 Posts: 37
|
Thanks for the fast answer =)
1. is already done
2. I have made one self-signed cert and exported it to the other qmgr's Key.kdb. It's there in the Signer Cert List. I send a message from the one with the cert to the one with the signer. Do I need two self-signed certs for this test?
3. In this test environment I have only 2 qmgrs so they have all certs they can receive
I have read the manuals
MQ Security V6.0
everything about OAM, SSL and Security Exits
but sometimes I need to try it, for 100% of understanding
and now I have some problems in trying so I ask.... |
exerk |
Posted: Wed Jul 22, 2009 12:35 am Post subject: |
|
|
 Jedi Council
Joined: 02 Nov 2006 Posts: 6339
|
qwerty wrote: |
2. I have made one Self Signed... |
exerk wrote: |
2. Each queue manager, or client... |
Note the difference...again, you are answering your own questions, and not believing those answers.
qwerty wrote: |
3. ...I have only 2 qmgrs so they have all certs they can receive... |
Sure about that, considering...
exerk wrote: |
3. Each queue manager...requires the CA certificates of any certificate likely to be received by the queue manager... |
The answers are staring you in the face. You have to understand the interaction between 1. and 2. above. When you do, all will become crystal clear. _________________ It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys. |
qwerty |
Posted: Wed Jul 22, 2009 12:39 am Post subject: |
|
|
Apprentice
Joined: 22 Jun 2009 Posts: 37
|
ok...
I have 1 other qmgr
but it's ended
is this a problem?
or should I delete it?
2nd self-signed cert is active
exported
FTP'd
and in the Signer Certs of the other qmgr |
exerk |
Posted: Wed Jul 22, 2009 12:57 am Post subject: |
|
|
 Jedi Council
Joined: 02 Nov 2006 Posts: 6339
|
OK, explain to me just how you would expect queue manager-to-queue manager communication when one is ended? However, going back to your original post, it appears that you want to connect a client to a queue manager, and secure that connection with SSL.
I've tried helping you by leading you to the answers you already know, but now I've run out of both time and patience, so...
1. Create a key store for queue manager A, then create a self-signed queue manager personal certificate and export it, with a unique name, to a temporary location.
2. Create a key store for queue manager B, then create a self-signed queue manager personal certificate and export it, with a unique name, to a temporary location.
3. Import the copy of queue manager A's self-signed certificate into queue manager B's key store, and import the copy of queue manager B's self-signed certificate into queue manager A's key store. Give them sensible labels, e.g. 'QMA Self-Signed Certificate' in queue manager B, etc.
4. Refresh security in both queue managers.
5. Start the channel(s).
The above is almost a direct extract from the Security manual (which you are obviously not reading properly). Get it working queue manager to queue manager, to prove the concept, then apply what you may have learned to client/server setup. _________________ It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys. |
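The certificate exchange in steps 1 to 3 above, together with the three "SSL 101" points earlier in the thread, as an added example that is not part of any post: a small Python model that checks whether two queue managers' key stores allow a mutual handshake. The key store contents and the DNs `CN=servera` / `CN=serverb` are constructed sample data; the label rule (`ibmwebspheremq` plus the lower-case queue manager name) is how WebSphere MQ V6 locates a queue manager's personal certificate.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Cert:
    label: str
    subject: str    # "Issued to"
    issuer: str     # "Issued by"
    personal: bool  # True: personal cert (has private key); False: signer cert

def expected_label(qmgr):
    # MQ V6 selects the queue manager's personal certificate by this label.
    return "ibmwebspheremq" + qmgr.lower()

def personal_cert(qmgr, store):
    want = expected_label(qmgr)
    return next((c for c in store if c.personal and c.label == want), None)

def trusts(store, cert):
    # A self-signed certificate is its own CA, so the peer must hold a copy of it.
    return any(c.subject == cert.issuer for c in store)

def check_pair(stores):
    """stores maps queue manager name -> list of Cert; returns the problems found."""
    problems = []
    for qmgr, store in stores.items():
        mine = personal_cert(qmgr, store)
        if mine is None:
            problems.append(f"{qmgr}: no personal certificate labelled {expected_label(qmgr)}")
            continue
        for peer, peer_store in stores.items():
            if peer != qmgr and not trusts(peer_store, mine):
                problems.append(f"{peer}: missing signer for {qmgr}'s certificate ({mine.issuer})")
    return problems

# Constructed sample data (not read from real .kdb files).
QMA_CERT = Cert("ibmwebspheremqqma", "CN=servera", "CN=servera", True)
QMB_CERT = Cert("ibmwebspheremqqmb", "CN=serverb", "CN=serverb", True)

# Layout from the first post: QMA's certificate copied into QMB under QMB's label.
AS_POSTED = {
    "QMA": [QMA_CERT],
    "QMB": [Cert("ibmwebspheremqqmb", "CN=servera", "CN=servera", False)],
}
# Layout after steps 1 to 3: each side has its own certificate plus the peer's copy.
AFTER_STEPS = {
    "QMA": [QMA_CERT, Cert("QMB Self-Signed Certificate", "CN=serverb", "CN=serverb", False)],
    "QMB": [QMB_CERT, Cert("QMA Self-Signed Certificate", "CN=servera", "CN=servera", False)],
}

if __name__ == "__main__":
    print(check_pair(AS_POSTED))
    print(check_pair(AFTER_STEPS))
```

The model only compares subject and issuer names; a real handshake also verifies signatures, validity dates and the channel's CipherSpec.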
qwerty |
Posted: Wed Jul 22, 2009 1:19 am Post subject: |
|
|
Apprentice
Joined: 22 Jun 2009 Posts: 37
|
ok qmgr stays ended
I've done all these things
both are refreshed...
ok from server a I can put messages
from server b not
when I put one at a normal local queue from server a to b
I can't open it on b
amqsgetc or amqsbcgc don't work
reason code 2393 =( |
zpat |
Posted: Wed Jul 22, 2009 1:23 am Post subject: |
|
|
 Jedi Council
Joined: 19 May 2001 Posts: 5866 Location: UK
|
Try using the SSL wizard support pac. MO04. |
exerk |
Posted: Wed Jul 22, 2009 1:31 am Post subject: |
|
|
 Jedi Council
Joined: 02 Nov 2006 Posts: 6339
|
So you are sending messages from QMA to QMB, via SSL-secured channels, then using the client browse sample to examine those messages?
If so, set up a client key store, create a self-signed certificate, do the needful with that certificate, and any others you think you might need in the client key store, then set up your client connection (as per the manual) and try again. _________________ It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys. |
qwerty |
Posted: Wed Jul 22, 2009 1:35 am Post subject: |
|
|
Apprentice
Joined: 22 Jun 2009 Posts: 37
|
does it cost anything?
in the information it says
only one time you have to pay
but not how much?! |