MQSeries.net Forum Index » General Discussion » SSL queue manager to queue manager

jacquesvdm
PostPosted: Wed Jan 18, 2012 2:25 am    Post subject: SSL queue manager to queue manager
The SSL connection was closed by the remote end of the channel during the SSL handshake.
I have two queue managers using sender/receiver channel pairs configured to use SSL. The channels both start successfully and run for a while. After a few days I noticed that both channels are in retrying state. The error log has this error: "The SSL connection was closed by the remote end of the channel during the SSL handshake".
On the other server I have this error:

Bad SSL certificate for channel '????'.

A certificate encountered during SSL handshaking is regarded as bad for one of the following reasons:
(a) it was formatted incorrectly and could not be validated
(b) it was formatted correctly but failed validation against the Certification Authority (CA) root and other certificates held on the local system
(c) it was found in a Certification Revocation List (CRL) on an LDAP server
(d) a CRL was specified but the CRL could not be found on the LDAP server
(e) an OCSP responder has indicated that it is revoked
The channel is '????'; in some cases its name cannot be determined and so is shown as '????'. The remote host is 'agent4 (ip address removed)'. The channel did not start.

It seems like the keystores on both ends are no longer valid. After recreating the keystores, regenerating certificates and again exchanging the newly generated keys, the channels start again and the cycle starts again.

Does anyone else have similar experience?

Thanks
zpat
PostPosted: Wed Jan 18, 2012 3:54 am
You could disable OCSP with this in the qm.ini files.

Quote:
SSL:
OCSPCheckExtensions=No ; Do not try to contact OCSP server
OCSPAuthentication=WARN


IBM have turned it on by default in WMQ v7 and it can cause issues.
exerk
PostPosted: Wed Jan 18, 2012 4:12 am
zpat wrote:
You could disable OCSP with this in the qm.ini files.

Quote:
SSL:
OCSPCheckExtensions=No ; Do not try to contact OCSP server
OCSPAuthentication=WARN


IBM have turned it on by default in WMQ v7 and it can cause issues.

By default the channel would not work at all from its initial start, not work for a while and then fail.

jacquesvdm, even if you are not using CRLs, or populating the SSLCRLNL attribute of the queue manager, certificate revocation checking is not invoked unless one of the SSL certificates used contains an AuthorityInfoAccess or CrlDistributionPoint X.509 certificate extension.
jacquesvdm
PostPosted: Wed Jan 18, 2012 4:18 am    Post subject: SSL entries on Windows
Hi
I am working on Windows XP and Windows Server 2008 R2. Can I assume that I have to create the SSL stanza using REGEDIT and then insert the three settings as indicated in your email? I do not see SSL settings on my queue manager currently.
exerk
PostPosted: Wed Jan 18, 2012 4:56 am    Post subject: Re: SSL entries on Windows
jacquesvdm wrote:
Hi
I am working on windows XP and Windows Server 2008 R2. Can I assume that I have to create the SSL stanza SSL using REGEDIT and then insert the three settings as indicated in your email. I do not see SSL settings on my queue manager currently.

If you're using V7.0.1.7 (the version I'm using) the settings are in the SSL tab of the queue manager view in MQExplorer. Alternatively, use the following command lines:

amqmdain reg <QMGR NAME> -c add -s SSL -v OCSPAuthentication=Optional
amqmdain reg <QMGR NAME> -c add -s SSL -v OCSPCheckExtensions=NO

'Optional' above can be changed to 'Warn' if you prefer, however that will cause a lot of logging of warnings in the queue manager error logs.
jacquesvdm
PostPosted: Wed Jan 18, 2012 5:06 am    Post subject: Additional SSL configs
Hi
Thanks for this. I am using MQ 7.0.1.7 and saw the settings. I will change them and keep you posted.

Regards
jacquesvdm
PostPosted: Wed Jan 18, 2012 11:31 pm    Post subject: SSL issue
Just an update: so far so good.
I will now only write an update if it fails again.

Regards

Jacques
zpat
PostPosted: Thu Jan 19, 2012 12:38 am    Post subject: Re: SSL entries on Windows
exerk wrote:
amqmdain reg <QMGR NAME> -c add -s SSL -v OCSPAuthentication=Optional
amqmdain reg <QMGR NAME> -c add -s SSL -v OCSPCheckExtensions=NO

'Optional' above can be changed to 'Warn' if you prefer, however that will cause a lot of logging of warnings in the queue manager error logs.


No it won't unless OCSPCheckExtensions=YES is also set.
exerk
PostPosted: Thu Jan 19, 2012 1:08 am    Post subject: Re: SSL entries on Windows
zpat wrote:
exerk wrote:
amqmdain reg <QMGR NAME> -c add -s SSL -v OCSPAuthentication=Optional
amqmdain reg <QMGR NAME> -c add -s SSL -v OCSPCheckExtensions=NO

'Optional' above can be changed to 'Warn' if you prefer, however that will cause a lot of logging of warnings in the queue manager error logs.


No it won't unless OCSPCheckExtensions=YES is also set.

Again, another school day - thank you!
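The two settings discussed in this thread (the qm.ini stanza zpat quoted, the amqmdain commands exerk gave, and zpat's correction that OCSPAuthentication only matters while OCSPCheckExtensions=YES) combine into a small decision table. The Python below is an added example written for this page, not code from the thread or from IBM MQ: it parses qm.ini-style text and models the handshake-time outcome for a peer certificate that carries an AuthorityInfoAccess extension, under each of the configurations posted here plus a fourth one (labelled "safer") that is this editor's suggestion rather than anything a poster proposed. The model deliberately ignores AUTHINFO(OCSP) objects reached through SSLCRLNL and CRL checks, and the stanza strings and responder outcomes are constructed for the example. The point it makes explicit is the cost of the fix: with OCSPCheckExtensions=NO the responder is never contacted, so the channel also stops detecting a revoked peer certificate; keeping extension checking on and tolerating an unreachable responder (WARN or OPTIONAL) preserves revocation detection while still surviving the responder outage that looks like the original poster's "works for a few days, then retrying" symptom.

```python
"""Decision model for the OCSP attributes of a queue manager's qm.ini SSL stanza.

Added example, not from the thread or from IBM MQ. It models how
OCSPCheckExtensions and OCSPAuthentication decide whether a peer certificate
carrying an AuthorityInfoAccess (AIA) extension is accepted during the channel
handshake. AUTHINFO(OCSP) objects via SSLCRLNL and CRL checks are left out.
"""

from enum import Enum


class Responder(Enum):
    """What the OCSP responder named in the AIA extension would answer if asked."""
    GOOD = "good"                # definitive: not revoked
    REVOKED = "revoked"          # definitive: revoked
    UNKNOWN = "unknown"          # responder has no status for this certificate
    UNREACHABLE = "unreachable"  # DNS, firewall, timeout, proxy, responder down


# Queue manager defaults when the attribute is absent from the SSL stanza.
DEFAULTS = {"OCSPCheckExtensions": "YES", "OCSPAuthentication": "REQUIRED"}


def parse_qm_ini(text):
    """Parse qm.ini-style text: a stanza header ends with ':', attributes are
    Key=Value lines beneath it, and ';' or '#' starts a comment."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].split("#", 1)[0].strip()
        if not line:
            continue
        if line.endswith(":"):
            current = line[:-1].strip()
            stanzas.setdefault(current, {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            stanzas[current][key.strip()] = value.strip()
    return stanzas


def ocsp_settings(stanzas):
    """Effective (check_extensions: bool, authentication: str) for the SSL stanza."""
    ssl = {k.lower(): v for k, v in stanzas.get("SSL", {}).items()}
    check = ssl.get("ocspcheckextensions", DEFAULTS["OCSPCheckExtensions"]).upper()
    auth = ssl.get("ocspauthentication", DEFAULTS["OCSPAuthentication"]).upper()
    if check not in ("YES", "NO") or auth not in ("REQUIRED", "OPTIONAL", "WARN"):
        raise ValueError(f"unsupported OCSP setting: {check!r}/{auth!r}")
    return check == "YES", auth


def evaluate(stanzas, cert_has_aia, responder):
    """Outcome of the handshake-time revocation check for one peer certificate.

    Returns (accepted, warning_logged, reason)."""
    check_extensions, auth = ocsp_settings(stanzas)
    if not cert_has_aia:
        return True, False, "certificate has no AIA extension; no OCSP lookup"
    if not check_extensions:
        # The responder is never contacted, so OCSPAuthentication is irrelevant
        # here and a revoked certificate is accepted unnoticed.
        return True, False, "OCSPCheckExtensions=NO; AIA extension ignored"
    if responder is Responder.GOOD:
        return True, False, "responder reports good"
    if responder is Responder.REVOKED:
        return False, False, "responder reports revoked; rejected in every mode"
    # Non-definitive answer (unknown or unreachable): OCSPAuthentication decides.
    if auth == "REQUIRED":
        return False, False, f"responder {responder.value}; REQUIRED rejects"
    if auth == "WARN":
        return True, True, f"responder {responder.value}; WARN accepts and logs"
    return True, False, f"responder {responder.value}; OPTIONAL accepts silently"


# Constructed stanzas: the shipped default, zpat's, exerk's, and a suggested one.
DEFAULT_INI = "SSL:\n"
ZPAT_INI = """SSL:
   OCSPCheckExtensions=No ; Do not try to contact OCSP server
   OCSPAuthentication=WARN
"""
EXERK_INI = """SSL:
   OCSPAuthentication=Optional
   OCSPCheckExtensions=NO
"""
SAFER_INI = """SSL:
   OCSPCheckExtensions=YES
   OCSPAuthentication=WARN   ; keep checking, but survive a flaky responder
"""


def compare(cert_has_aia=True):
    """Accept/reject matrix: {config name: {responder value: accepted}}."""
    configs = {"default": DEFAULT_INI, "zpat": ZPAT_INI,
               "exerk": EXERK_INI, "safer": SAFER_INI}
    return {name: {r.value: evaluate(parse_qm_ini(ini), cert_has_aia, r)[0]
                   for r in Responder}
            for name, ini in configs.items()}


if __name__ == "__main__":
    for name, row in compare().items():
        cells = "  ".join(f"{k}={'accept' if v else 'REJECT'}" for k, v in row.items())
        print(f"{name:8s} {cells}")
```

Running it prints one row per configuration. The "default" row rejects on an unreachable responder, which is the failure mode a channel that has been fine for days and then goes into retrying would show; the "zpat" and "exerk" rows accept everything, including a revoked certificate; the "safer" row still rejects revoked while tolerating the outage with a logged warning.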