Sam Uppu (Yatiri, joined 11 Nov 2008, 610 posts)
Posted: Wed May 11, 2011 11:40 am    Post subject: SSL setup on Linux MQ
Hi Guys,
We are using MQ v7.0.1.4 on Linux x86_64.
I am planning to set up SSL between the MQ manager running on Linux and clients on Windows machines.
I am playing around with creating a self-signed certificate as below, but I am getting an error while creating the self-signed cert:
Quote:
    $ gsk7cmd -keydb -create -db /var/mqm/qmgrs/QM1/ssl/key.kdb -pw xyz -type cms -expire 1825 -stash
    The provider for keystore type 'IBMCMSKS' is not available.
    Ensure that the necessary provider JAR file is on the class path or in the ext directory, and that the provider has been added to the java.security file.
I tried exporting JAVA_HOME to /opt/mqm/ssl as I have seen in one of the documents:
Quote:
    export JAVA_HOME to /opt/mqm/ssl
(under /opt/mqm there is no ssl directory, and I even tried creating the ssl directory, but I am still getting the same error).
Please advise.
Thanks.
shashivarungupta (Grand Master, joined 24 Feb 2009, 1343 posts, Location: Floating in space on a round rock.)
Posted: Wed May 11, 2011 11:59 am
On an AIX box I used to do:
    export PATH=/usr/mqm/ssl/jre/bin:$PATH
    export JAVA_HOME=/usr/mqm/ssl/jre
    cd /var/mqm/qmgrs/QMGR1/ssl
    gsk7cmd -keydb -create -db key.kdb -pw password -type cms -expire 7000 -stash
(the gsk command looks good to me, though).
On Linux:
    export PATH=/opt/mqm/ssl/jre/bin:$PATH
    export JAVA_HOME=/opt/mqm/ssl/jre
shashivarungupta (Grand Master, joined 24 Feb 2009, 1343 posts, Location: Floating in space on a round rock.)
Posted: Wed May 11, 2011 12:05 pm
I don't think that you should be creating an ssl directory inside /opt/mqm (Linux) or /usr/mqm (AIX); it comes with the package and is owned by mqm.
Sam Uppu (Yatiri, joined 11 Nov 2008, 610 posts)
Posted: Wed May 11, 2011 12:30 pm
shashivarungupta wrote:
    I don't think that you should be creating an ssl directory inside /opt/mqm (Linux) or /usr/mqm (AIX); it comes with the package and is owned by mqm.
That's what I thought, but I don't see an 'ssl' directory under '/opt/mqm' on my Linux machine. I see that the gsk7 packages are installed. Not sure what else needs to be installed.
Thanks.
mvic (Jedi, joined 09 Mar 2004, 2080 posts)
Posted: Wed May 11, 2011 1:04 pm
What is the output from "rpm -qa | grep MQSeries"
Sam Uppu (Yatiri, joined 11 Nov 2008, 610 posts)
Posted: Wed May 11, 2011 2:38 pm
mvic wrote:
    What is the output from "rpm -qa | grep MQSeries"
bash-3.2$ rpm -qa | grep MQSeries
MQSeriesSamples-7.0.1-0
MQSeriesJRE-U834985-7.0.1-3
MQSeriesServer-U836464-7.0.1-4
MQSeriesJRE-7.0.1-0
MQSeriesClient-U834985-7.0.1-3
MQSeriesMan-U834985-7.0.1-3
MQSeriesJRE-U836464-7.0.1-4
MQSeriesServer-7.0.1-0
MQSeriesTXClient-7.0.1-0
MQSeriesSamples-U834985-7.0.1-3
MQSeriesServer-U834985-7.0.1-3
MQSeriesSDK-U836464-7.0.1-4
MQSeriesClient-U836464-7.0.1-4
MQSeriesJava-7.0.1-0
MQSeriesSDK-7.0.1-0
MQSeriesRuntime-U834985-7.0.1-3
MQSeriesTXClient-U834985-7.0.1-3
MQSeriesMan-7.0.1-0
MQSeriesRuntime-U836464-7.0.1-4
MQSeriesTXClient-U836464-7.0.1-4
MQSeriesClient-7.0.1-0
MQSeriesSDK-U834985-7.0.1-3
MQSeriesJava-U836464-7.0.1-4
MQSeriesRuntime-7.0.1-0
MQSeriesJava-U834985-7.0.1-3
MQSeriesSamples-U836464-7.0.1-4
bash-3.2$ rpm -qa | grep gsk7
gsk7bas64-7.0-4.29
gsk7bas-7.0-4.29
Let me know if I missed installing anything.
Thanks.
mvic (Jedi, joined 09 Mar 2004, 2080 posts)
Posted: Wed May 11, 2011 3:00 pm
Sam Uppu (Yatiri, joined 11 Nov 2008, 610 posts)
Posted: Wed May 11, 2011 3:28 pm
Sam Uppu (Yatiri, joined 11 Nov 2008, 610 posts)
Posted: Thu May 12, 2011 5:04 am
Sam Uppu wrote:
    Good catch.. thank you!
I created the Qmgr on the Linux machine and configured the client machine with SSL, but I am getting the errors below:
Client (Windows) command prompt:
Quote:
    C:\Users\uppus01>set mq
    mqchllib=C:\MQCLIENT\
    mqchltab=QM1.TAB
    MQFT_JAVA_LIB_PATH=C:\Program Files\IBM\WebSphere MQ\java\jre\lib
    MQFT_JRE_BIN_PATH=C:\Program Files\IBM\WebSphere MQ\java\jre\bin
    mqsslkeyr=C:\MQCLIENT\key
    MQ_FILE_PATH=C:\Program Files\IBM\WebSphere MQ
    MQ_JAVA_DATA_PATH=C:\Program Files\IBM\WebSphere MQ
    MQ_JAVA_INSTALL_PATH=C:\Program Files\IBM\WebSphere MQ\Java
    MQ_JAVA_LIB_PATH=C:\Program Files\IBM\WebSphere MQ\Java\lib
    MQ_JRE_PATH=C:\Program Files\IBM\WebSphere MQ\java\jre
    C:\Users\uppus01>amqsputc TESTQ
    Sample AMQSPUT0 start
    MQCONN ended with reason code 2538
    C:\Users\uppus01>MQRC 2538
    2538 0x000009ea MQRC_HOST_NOT_AVAILABLE
    C:\Users\uppus01>amqsputc TESTQ QM1
    Sample AMQSPUT0 start
    MQCONN ended with reason code 2058
    C:\Users\uppus01>mqrc 2058
    2058 0x0000080a MQRC_Q_MGR_NAME_ERROR
    C:\Users\uppus01>amqsputc TESTQ QM1
    Sample AMQSPUT0 start
    MQCONN ended with reason code 2058
Errors on the Qmgr side:
I don't see any FDCs generated, but I do see a few errors in the Qmgr error logs:
Quote:
    The channel did not start.
    ACTION:
    Make sure the appropriate certificates are correctly configured in the key
    repositories for both ends of the channel.
    AMQ9492: The TCP/IP responder program encountered an error.
    EXPLANATION:
    The responder program was started but detected an error.
    ACTION:
    Look at previous error messages in the error files to determine the error
    encountered by the responder program.
    AMQ9637: Channel is lacking a certificate.
    EXPLANATION:
    The channel is lacking a certificate to use for the SSL handshake. The channel
    name is '????' (if '????' it is unknown at this stage in the SSL processing).
    The channel did not start.
    ACTION:
    Make sure the appropriate certificates are correctly configured in the key
    repositories for both ends of the channel.
Please advise.
Thanks
exerk (Jedi Council, joined 02 Nov 2006, 6339 posts)
Posted: Thu May 12, 2011 5:31 am
As regards the Windows end, are you sure the queue manager name you are supplying on the command line matches the queue manager name in the CLNTCONN definition, and that the queue manager name in the CLNTCONN definition matches the name of the queue manager to which you are trying to connect?
Create two CCDT files, one with SSL applied to the channel and one without (copy the original and use SupportPac MO72 to alter the definition in the copy). Ensure you can connect using the non-SSL CCDT file, then switch to the SSL CCDT file. This sort of cut-out testing ensures that any errors/issues you encounter are not down to 'mechanical' failure, e.g. incorrect set up.
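Pulling the two procedures in this thread together (getting gsk7cmd to run against GSKit's own JRE, as in shashivarungupta's reply, and giving the channel a certificate it can actually find, which is what AMQ9637 and exerk's cut-out test are about), here is an added shell example. It is not code from any of the posters. QM1, the repository path /var/mqm/qmgrs/QM1/ssl/key.kdb and the Windows user id uppus01 are taken from the posts; the DN, the 1825-day expiry, the channel names QM1.PLAIN and QM1.SSL, the cipher and port 1414 are assumptions for illustration. The helper functions run anywhere; only the guarded section at the bottom calls gsk7cmd and runmqsc.

```shell
#!/bin/sh
# Added example for this thread, not code from any of the posters.  QM1, the
# repository path /var/mqm/qmgrs/QM1/ssl/key.kdb and the Windows user id uppus01
# come from the posts; the DN, expiry, channel names and port 1414 are assumptions.
set -u

# MQ 7.0 looks for the certificate labelled "ibmwebspheremq" followed by the queue
# manager name (server side) or the logged-on user id (client side), in lowercase.
# A repository whose certificate carries any other label gives AMQ9637.
mq_cert_label() {
    printf 'ibmwebspheremq%s\n' "$1" | tr '[:upper:]' '[:lower:]'
}

# SSLKEYR on the queue manager and MQSSLKEYR on the client take the stem, not key.kdb.
keyr_stem() {
    printf '%s\n' "${1%.kdb}"
}

# The channel opens the repository unattended, so key.kdb needs its stash file key.sth.
check_key_repo() {
    stem=$(keyr_stem "$1")
    [ -f "$stem.kdb" ] && [ -f "$stem.sth" ]
}

# gsk7cmd reports "The provider for keystore type 'IBMCMSKS' is not available" unless
# JAVA_HOME points at the JRE that ships with GSKit.  Fails if that JRE is not installed.
gskit_env() {
    for d in /opt/mqm/ssl/jre /usr/mqm/ssl/jre; do
        if [ -x "$d/bin/java" ]; then
            JAVA_HOME=$d; PATH=$d/bin:$PATH; export JAVA_HOME PATH
            return 0
        fi
    done
    echo "no GSKit JRE under /opt/mqm/ssl or /usr/mqm/ssl" >&2
    return 1
}

# Queue manager side, run as mqm: CMS repository, self-signed certificate under the
# label MQ expects, public part extracted for the client to trust.
setup_qmgr_ssl() {
    qm=$1; db=$2; pw=$3; label=$(mq_cert_label "$qm")
    gsk7cmd -keydb -create -db "$db" -pw "$pw" -type cms -expire 1825 -stash &&
    gsk7cmd -cert -create -db "$db" -pw "$pw" -label "$label" \
        -dn "CN=$qm,O=Example,C=US" -size 2048 -x509version 3 -expire 1825 &&
    gsk7cmd -cert -extract -db "$db" -pw "$pw" -label "$label" \
        -target "$qm.arm" -format ascii &&
    gsk7cmd -cert -list -db "$db" -pw "$pw"
}

# Client side (same gsk7cmd commands, if it is available in the Windows client
# install): own certificate under the user-id label, queue manager certificate added
# as trusted.  With the default SSLCAUTH(REQUIRED) the extracted client certificate
# must be added to the queue manager repository the same way, or the handshake fails
# from the other side.
setup_client_ssl() {
    user=$1; db=$2; pw=$3; qm=$4; label=$(mq_cert_label "$user")
    gsk7cmd -keydb -create -db "$db" -pw "$pw" -type cms -expire 1825 -stash &&
    gsk7cmd -cert -create -db "$db" -pw "$pw" -label "$label" \
        -dn "CN=$user,O=Example,C=US" -size 2048 -x509version 3 -expire 1825 &&
    gsk7cmd -cert -add -db "$db" -pw "$pw" -label "$qm" -file "$qm.arm" -format ascii &&
    gsk7cmd -cert -extract -db "$db" -pw "$pw" -label "$label" \
        -target "$user.arm" -format ascii
}

# MQSC for the cut-out test: a plain and an SSL channel pair, both with QMNAME($qm).
# The client tries CLNTCONN entries in channel-name order, so QM1.PLAIN is used
# first; once that works, drop it (or build a second CCDT as suggested above) to
# force QM1.SSL.  CLNTCONN definitions land in /var/mqm/qmgrs/<qm>/@ipcc/AMQCLCHL.TAB.
mqsc_channel_defs() {
    qm=$1; host=$2; port=$3; keyr=$(keyr_stem "$4")
    cat <<EOF
ALTER QMGR SSLKEYR('$keyr')
DEFINE CHANNEL($qm.PLAIN) CHLTYPE(SVRCONN) TRPTYPE(TCP) REPLACE
DEFINE CHANNEL($qm.PLAIN) CHLTYPE(CLNTCONN) TRPTYPE(TCP) CONNAME('$host($port)') QMNAME($qm) REPLACE
DEFINE CHANNEL($qm.SSL) CHLTYPE(SVRCONN) TRPTYPE(TCP) SSLCIPH(TLS_RSA_WITH_AES_128_CBC_SHA) SSLCAUTH(REQUIRED) REPLACE
DEFINE CHANNEL($qm.SSL) CHLTYPE(CLNTCONN) TRPTYPE(TCP) CONNAME('$host($port)') QMNAME($qm) SSLCIPH(TLS_RSA_WITH_AES_128_CBC_SHA) REPLACE
REFRESH SECURITY TYPE(SSL)
EOF
}

# Only this part touches gsk7cmd and runmqsc; the helpers above run anywhere.
#   sh mqssl.sh qmgr   QM1 /var/mqm/qmgrs/QM1/ssl/key.kdb <pw> <host>
#   sh mqssl.sh client uppus01 /path/key.kdb <pw> QM1
case "${1:-}" in
    qmgr)   gskit_env && setup_qmgr_ssl "$2" "$3" "$4" &&
            mqsc_channel_defs "$2" "$5" 1414 "$3" | runmqsc "$2" ;;
    client) gskit_env && setup_client_ssl "$2" "$3" "$4" "$5" ;;
esac
```

Run the qmgr branch as mqm on the Linux box, copy QM1.arm to the Windows client, run the client branch there and set MQSSLKEYR to the stem of the client repository, as the post already does. Two checks before retrying amqsputc: `gsk7cmd -cert -list` on each side should show a certificate whose label is exactly what mq_cert_label prints for that side, and after changing the repository of a running queue manager issue REFRESH SECURITY TYPE(SSL) so the channel picks up the new certificate. On the client, MQRC 2058 with a CCDT means no CLNTCONN entry in the table has a QMNAME matching the name passed to MQCONN; with a blank name the first entry is used, which is why the first attempt in the post got as far as the handshake and was rejected with 2538 while the queue manager logged AMQ9637.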