MQ IPT and ssl proxy [resolved] |
qtrainee |
Posted: Fri Oct 01, 2010 4:05 pm Post subject: MQ IPT and ssl proxy [resolved] |
Newbie
Joined: 01 Oct 2010 Posts: 3
|
Hello,
We've set up the following:
MQClient -> IPT1(SSL client) -> IPT2(ssl proxy) -> IPT3(ssl proxy) -> IPT4(SSL Server) -> MQserver
MQClient -> IPT1(ssl client) -> IPT4(ssl server) -> MQserver Works just fine with SSL turned on
This tells me the SSL process is configured correctly
MQClient -> IPT1(No SSL) -> IPT2(No SSL) -> IPT3(No SSL) -> IPT4(No SSL) -> MQserver Works just fine (ssl turned off).
This tells me the ports are open and the network is fine.
MQClient -> IPT1(SSL client) -> IPT2(ssl proxy) -> IPT3(ssl proxy) -> IPT4(SSL Server) -> MQserver
This fails miserably. I cannot figure out why.
The Client fails with RC 2538
On IPT1 the log states:
MQCPI130 Connection caller closed due to connection failure to destination.
SSL Handshake failure.
On MQIPT4 the log states:
com.ibm.mq.ipt.ssl.SSLException: reason=3 (timeout); alert=0 (?); exception=null
Can anyone help to point me in the right direction?
Last edited by qtrainee on Mon Oct 04, 2010 12:06 pm; edited 1 time in total |
fjb_saper |
Posted: Sat Oct 02, 2010 1:07 am Post subject: |
 Grand High Poobah
Joined: 18 Nov 2003 Posts: 20756 Location: LI,NY
|
What does your IPT manual say about SSL proxy?
_________________
MQ & Broker admin
qtrainee |
Posted: Sat Oct 02, 2010 11:39 am Post subject: |
Newbie
Joined: 01 Oct 2010 Posts: 3
|
fjb_saper wrote: |
What does your IPT manual say about SSL proxy?  |
I have read the manual, but I'm afraid I'm just not understanding something.
I have set this scenario up between two laptops, two desktops, and an AIX server and gotten it to work quite well.
It's when I've moved this into a production environment that I'm having trouble.
My first thought was that it was an issue with the certificates, but I've proved that wrong by bypassing the proxy nodes.
Second thought was that the firewalls weren't allowing a route back out to the client (it seems to be actually reaching the server), but disabling SSL allowed communication back out.
I must admit, I'm fairly new to all this, but I have tried to understand the problem. Mr Google doesn't have much to offer (although it's quite possible I'm searching for the wrong things).
RTFM just isn't giving me the magic key to unlocking the door to my understanding. Am I overlooking something quite basic? Monday I'll be rebuilding the routes with the laptops/desktops. If I'm successful, I guess I'll have to call IBM for help. |
fjb_saper |
Posted: Sat Oct 02, 2010 6:42 pm Post subject: |
 Grand High Poobah
Joined: 18 Nov 2003 Posts: 20756 Location: LI,NY
|
What is different from the setup you had working?
Did you compare the setups? Are you sure your SSL certs and chains are all correct?
_________________
MQ & Broker admin
qtrainee |
Posted: Mon Oct 04, 2010 12:13 pm Post subject: |
Newbie
Joined: 01 Oct 2010 Posts: 3
|
After driving our network folks nuts for a few hours, we tried:
MQClient -> IPT1 -> IPT3 -> IPT4 -> MQSERVER
The connection took about 10 seconds, but it worked.
I changed the SSL Client Connect Timeout on IPT1 to 60 and retried with IPT2 in the loop (default SSL Client Connect Timeout is 30). Success! But it took 34 seconds to connect.
We added entries in the hosts files on IPT2 and IPT3 and got it down to 5 seconds.
I'd still like to get it down to a more reasonable connect time, but for now I think we have a handle on it. |
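
Added example (not part of the thread, and not IBM or MQIPT code): a way to check, on each intermediate hop, how much of the SSL Client Connect Timeout is being spent on name resolution. It assumes the delay in the thread was resolver latency, which the hosts-file fix suggests; the peer names are placeholders to be replaced with the names or addresses in that hop's routes.

```python
import socket
import time

SSL_CLIENT_CONNECT_TIMEOUT = 30  # seconds, the default quoted in the thread


def forward(name):
    """Forward lookup through the system resolver."""
    return socket.getaddrinfo(name, None)[0][4][0]


def reverse(address):
    """Reverse lookup through the system resolver."""
    return socket.gethostbyaddr(address)[0]


def timed(func, arg, clock):
    """Run one lookup; return (seconds, result or None on failure)."""
    start = clock()
    try:
        result = func(arg)
    except OSError:  # socket.gaierror and socket.herror are OSError subclasses
        result = None
    return clock() - start, result


def probe(hosts, fwd=forward, rev=reverse, clock=time.monotonic):
    """Time the forward and reverse lookup of each peer this hop must resolve."""
    rows = []
    for name in hosts:
        f_secs, address = timed(fwd, name, clock)
        r_secs, _ = timed(rev, address, clock) if address else (0.0, None)
        rows.append({"host": name, "address": address,
                     "forward": f_secs, "reverse": r_secs})
    return rows


def assess(rows, budget=SSL_CLIENT_CONNECT_TIMEOUT, slow=1.0):
    """Total the lookup latency and list hosts slower than `slow` seconds."""
    total = sum(r["forward"] + r["reverse"] for r in rows)
    slow_hosts = [r["host"] for r in rows if r["forward"] + r["reverse"] >= slow]
    return {"total": total, "slow_hosts": slow_hosts, "exceeds_budget": total >= budget}


if __name__ == "__main__":
    # Placeholder peer list: replace with the names or addresses in this hop's routes.
    rows = probe(["localhost"])
    print(rows, assess(rows))
```

A failed lookup still costs time, so a peer with no reverse record can show up as slow even though nothing is returned for it.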