tim42
Posted: Mon Sep 26, 2011 8:24 am Post subject: SSL connection between WAS6.1 and WSMQ 7.0 - error 2393
Newbie
Joined: 26 Sep 2011 Posts: 5

Hi!
I'm trying to set up an SSL connection between WebSphere Application Server 6.1 and WebSphere MQ 7.0 (on the same host)
using the IBM instruction "Securing connections between WebSphere Application Server and WebSphere MQ -- Part 1".
I have received a VeriSign Free Trial CA Root certificate, created a self-signed certificate, etc. as per the instruction.
(Also I've installed two Intermediate CA Certificates and the Trial Root Certificate - there is nothing about it in the instruction, but
I've found out that it is required.)
And I get the following in the WAS log:
JMSWMQ0018: Failed to connect to queue manager ''MY_QUEUE_MANAGER_NAME'' with connection mode 'Client' and host name 'localhost(1415)'.
So then I try to connect to MQ with the amqscnxc command:
amqscnxc -x localhost(1415) -c MY_CHANNEL_NAME MY_QUEUE_MANAGER_NAME
and get the following:
MQCONNX ended with reason code 2393
I use RC4_MD5_US as the SSL Cipher Spec (in the SSL properties of MY_CHANNEL_NAME)
and checked 'Accept only certificates with Distinguished Names matching these values'.
But when I disable SSL in the SSL properties of MY_CHANNEL_NAME (set SSL Cipher Spec empty),
then the previous amqscnxc command returns
Connection established to queue manager MY_QUEUE_MANAGER_NAME
Looking through similar topics on different forums I tried to set environment variables:
MQCHLLIB=C:\IBM\MQ7\Qmgrs\MY_QUEUE_MANAGER_NAME\@ipcc - path to AMQCLCHL.TAB
MQCHLTAB=AMQCLCHL.TAB
and then (separately from the previous two)
MQSERVER=MY_CHANNEL_NAME/TCP/127.0.0.1(1415)
but it seems that it does not affect the 2393 error.
What else can I do to fix the problem?
Thanks in advance!

fjb_saper
Posted: Mon Sep 26, 2011 11:05 am Post subject:
Grand High Poobah
Joined: 18 Nov 2003 Posts: 20756 Location: LI,NY

First set up the SSL connection without checking SSLPEER.
Then check the different SSLPEER attributes and the order in which they need to appear, if there are multiple of the same type (OU)...
Also check the mapping of SSL Cipher Spec to SSL Cipher Suite...
Have fun
_________________
MQ & Broker admin

tim42
Posted: Tue Sep 27, 2011 12:34 am Post subject:
Newbie
Joined: 26 Sep 2011 Posts: 5

Thank you for your reply.
What I've already tried:
turned off SSL in MQ and WAS - connection successful.
But then I tried to set up the SSL connection without checking SSLPEER:
I set RC4_MD5_US (CipherSpec on WSMQ) and SSL_RSA_WITH_RC4_128_MD5 (CipherSuite on WAS).
The following SSL properties of MY_CHANNEL_NAME remain empty:
'Accept only certificates with Distinguished Names matching these values' - is not checked.
'Authentication of parties initiating connections' - is not required.
And I get the following in the WAS log:
JMSWMQ0018: Failed to connect to queue manager ''MY_QUEUE_MANAGER_NAME'' with connection mode 'Client' and host name 'localhost(1415)'.
...
JMSCMQ0001: WebSphere MQ call failed with compcode '2' ('MQCC_FAILED') reason '2397' ('MQRC_JSSE_ERROR').
...
CC=2;RC=2397;AMQ9771: SSL handshake failed. [1=javax.net.ssl.SSLHandshakeException[Remote host closed connection during handshake],3=localhost/127.0.0.1:1415 (localhost),4=SSLSocket.startHandshake,5=default]
So what does it mean? Any problem with certificates? Or anything else?
Also I noticed that I have 3 key files: key.kdb, key.rdb and key.crl.
But in the instruction it is said that there should be four files:
key.kdb
key.sth
key.rdb
key.
It does not make sense to me how I can get key.sth and key files instead of key.crl.
Probably this might be the clue to the problem?..

exerk
Posted: Tue Sep 27, 2011 1:36 am Post subject:
Jedi Council
Joined: 02 Nov 2006 Posts: 6339

When you created the queue manager key store, did you select the "Stash the password to a file?" option? And where are you using the self-signed certificate?
_________________
It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys.

tim42
Posted: Tue Sep 27, 2011 2:16 am Post subject:
Newbie
Joined: 26 Sep 2011 Posts: 5

exerk,
no, I forgot to select it, thank you. Now the .sth file has appeared.
But is it vital to select the "Stash .." option (for test purposes)?
I created a self-signed client certificate for WAS (for MQ I use the VeriSign certificate).

exerk
Posted: Tue Sep 27, 2011 2:21 am Post subject:
Jedi Council
Joined: 02 Nov 2006 Posts: 6339

tim42 wrote:
    ...But is it vital to select the "Stash .."...
As far as I am concerned, yes.
tim42 wrote:
    I created a self-signed client certificate for WAS (for MQ I use the VeriSign certificate).
Have you imported the WAS self-signed certificate into the queue manager key store?
_________________
It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys.

bruce2359
Posted: Tue Sep 27, 2011 4:42 am Post subject:
Poobah
Joined: 05 Jan 2008 Posts: 9469 Location: US: west coast, almost. Otherwise, enroute.

exerk wrote:
    tim42 wrote:
        ...But is it vital to select the "Stash .."...
    As far as I am concerned, yes.
    tim42 wrote:
        I created a self-signed client certificate for WAS (for MQ I use the VeriSign certificate).
    Have you imported the WAS self-signed certificate into the queue manager key store?
Is it vital? Wow... You mean life or death, don't you?
Following the exact same proven procedure in test, qa, prod, is vital to successful implementation and career longevity. The alternative is usually referred to as guess-work.
_________________
I like deadlines. I like to wave as they pass by.
ב''ה
Lex Orandi, Lex Credendi, Lex Vivendi. As we Worship, So we Believe, So we Live.

exerk
Posted: Tue Sep 27, 2011 4:45 am Post subject:
Jedi Council
Joined: 02 Nov 2006 Posts: 6339

Was that aimed at the OP or me? If me, the only career I've had is the one where I went off the road and into a ditch!
_________________
It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys.

bruce2359
Posted: Tue Sep 27, 2011 4:57 am Post subject:
Poobah
Joined: 05 Jan 2008 Posts: 9469 Location: US: west coast, almost. Otherwise, enroute.

It was not aimed at you. More like a self-inflicted wound.
One of my more embarrassing moments was creating a new channel pair with SSL - following the prescribed procedure, checking off each step - as I had done over and over in the past. But the channel would not transmit messages.
Ah! Transmitting messages is the one thing I failed to test before launching into SSL.
_________________
I like deadlines. I like to wave as they pass by.
ב''ה
Lex Orandi, Lex Credendi, Lex Vivendi. As we Worship, So we Believe, So we Live.

tim42
Posted: Tue Sep 27, 2011 8:30 am Post subject:
Newbie
Joined: 26 Sep 2011 Posts: 5

I've just done it!
"All Services initialized successfully"
I created all certificates and configured everything from scratch, and WAS and MQ are connecting!
exerk wrote:
    Have you imported the WAS self-signed certificate into the queue manager key store?
Yes, I've imported it, but I had not set SSL configuration/NodeDefaultSSLSettings correctly the first time (at the WAS console).
Also I had to update the ssl.client.props file (WAS) and set the following properties according to the new WASServerTrustFile.jks trust file:
com.ibm.ssl.trustStore
com.ibm.ssl.trustStorePassword
com.ibm.ssl.trustStoreType
bruce2359 wrote:
    Is it vital? Wow... You mean life or death, don't you?
Sorry for my English)) I meant "important, significant" or something like this)
I'm very happy now!
Thank you for your attention to the problem!

mqjeff
Posted: Tue Sep 27, 2011 8:34 am Post subject:
Grand Master
Joined: 25 Jun 2008 Posts: 17447

tim42 wrote:
    bruce2359 wrote:
        Is it vital? Wow... You mean life or death, don't you?
    Sorry for my English)) I meant "important, significant" or something like this)
Without the stash file, it would have to ask a human for the password every time the keystore needed to be opened.
So if you don't stash the password, you have to mostly expect that it won't be able to access the keystore.
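As an added illustration of the point made about the stash file (this is example code, not something posted in the thread), the functions below create a queue manager CMS key store with the password stashed, import the client certificate, and check that all four files the thread lists are present. They assume IBM's runmqckm tool is on PATH; the directory, label, password and certificate file names are placeholders.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes runmqckm (the MQ key management
# command) is on PATH; all arguments are placeholders supplied by the caller.

# Create a CMS key database and stash its password: -stash writes key.sth, so
# the queue manager can open the store without prompting a human for the password.
create_keystore() {
    dir="$1"; pw="$2"
    runmqckm -keydb -create -db "$dir/key.kdb" -pw "$pw" -type cms -stash
}

# Add the client's (WAS) self-signed certificate to the queue manager store so
# the SSL handshake can validate the certificate the client presents.
import_client_cert() {
    dir="$1"; pw="$2"; label="$3"; certfile="$4"
    runmqckm -cert -add -db "$dir/key.kdb" -pw "$pw" -label "$label" \
        -file "$certfile" -format ascii
}

# Verify that the four files of a stashed CMS key store exist. Returns 0 when
# all are present, otherwise reports each missing file on stderr and returns 1.
# A store the queue manager cannot open (for example, no key.sth) is one common
# cause of MQRC_SSL_INITIALIZATION_ERROR (reason code 2393) on the client side.
check_keystore() {
    dir="$1"; rc=0
    for f in key.kdb key.sth key.rdb key.crl; do
        if [ ! -f "$dir/$f" ]; then
            echo "missing: $dir/$f" >&2
            rc=1
        fi
    done
    return $rc
}
```

Run check_keystore against the queue manager's ssl directory before enabling a CipherSpec on the channel; if it reports key.sth missing, recreate the store with the stash option.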

tim42
Posted: Tue Sep 27, 2011 11:06 pm Post subject:
Newbie
Joined: 26 Sep 2011 Posts: 5

mqjeff wrote:
    Without the stash file, it would have to ask a human for the password every time the keystore needed to be opened.
    So if you don't stash the password, you have to mostly expect that it won't be able to access the keystore.
Ok, I'll bear this in mind, thank you.