MQ SSL certificate communication between ZOS and Solaris.
ankurlodhi
Posted: Mon Oct 01, 2012 9:54 am    Post subject: MQ SSL certificate communication between ZOS and Solaris.

Master

Joined: 19 Oct 2010
Posts: 266

Hi

I implemented an SSL certificate with bit size (2048) on a Solaris box which communicates with a ZOS box.

After implementing the SSL certificate I bounced MQ because it is MQ 5.3.
When the application guys tried to put the message on the queue they got the following error.

INFO [2012-10-01 11:10:33,051] Servlet.Engine.Transports : 7 com.dowjones.gryphon.mq.model (MQDAO.java:102) - Message sent with ID:: JMSMessageID = 'ID:414d51205052445052545745423220205069b1d220000601'

INFO [2012-10-01 11:10:33,053] Servlet.Engine.Transports : 7 com.dowjones.gryphon.mq.model (MQDAO.java:104) - Message on queue with body:: MQ.CommonRouter("O-knMlxwJhyBA8yAONx0I0E ",{000,006,{"Cmd","IE "},{"Tran_Source","G"},{"Product-code","J"},{"Account-Number"," "},{"Phone-Number"," "},{"Email-Address","pjoyce@babsoncapital.com "}})

INFO [2012-10-01 11:10:38,067] Servlet.Engine.Transports : 7 com.dowjones.gryphon.mq.model (MQDAO.java:127) - MQDAO: Did not received reply from OLF. Msg on queue timed out

Later when I reverted the changes it all worked fine.
Which means it was because of the SSL certificates, but how can I know if the problem was created from the ZOS side or the Solaris side?
Vitor
Posted: Mon Oct 01, 2012 10:05 am    Post subject: Re: MQ SSL certificate communication between ZOS and Solaris

Grand High Poobah

Joined: 11 Nov 2005
Posts: 26093
Location: Texas, USA

ankurlodhi wrote:
how can I know if the problem was created from the ZOS side or the Solaris side?


Check:

- Channel logs on Solaris side
- Channel logs on the z/OS side
- RACF errors on z/OS side

And get off WMQv5.3. It's not the cause of your problem (probably, unless 5.3 doesn't like keys that large) but seriously....
_________________
Honesty is the best policy.
Insanity is the best defence.
ankurlodhi
Posted: Mon Oct 01, 2012 10:12 am

Master

Joined: 19 Oct 2010
Posts: 266

These are the logs from the Solaris side.

EXPLANATION:
The SSL connection was closed by the remote end of the channel during the SSL
handshake. The channel is 'MQM.PPWEB2.TO.MQSB'; in some cases its name cannot
be determined and so is shown as '????'. The channel did not start.
ACTION:
Check the remote end of the channel for SSL-related errors. Fix them and
restart the channel.

10/01/12 11:16:06
AMQ9526: Message sequence number error for channel 'MQM.PPWEB2.TO.MQSB'.

EXPLANATION:
The local and remote queue managers do not agree on the next message sequence
number. A message with sequence number 289 has been sent when sequence number
20 was expected.
ACTION:
Determine the cause of the inconsistency. It could be that the synchronization
information has become damaged, or has been backed out to a previous version.
If the situation cannot be resolved, the sequence number can be manually reset
at the sending end of the channel using the RESET CHANNEL command.

10/01/12 11:18:35
AMQ9507: Channel 'MQM.PPWEB2.TO.MQSB' is currently in-doubt.

EXPLANATION:
The requested operation cannot complete because the channel is in-doubt with
host 'MQSB'.
ACTION:
Examine the status of the channel, and either restart a channel to resolve the
in-doubt state, or use the RESOLVE CHANNEL command to correct the problem
manually.
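
The log excerpt in the post above, split into ordered entries so that the SSL handshake failure can be told apart from the sequence-number and in-doubt messages logged after it. This is an added example, not part of the original post: the sample log is constructed and abridged from the excerpt, and the function names are hypothetical.

```python
import re

# Constructed, abridged sample in the error-log layout quoted in the post above.
# The first entry has lost its timestamp/message-id header, as it has in the post.
SAMPLE_LOG = """\
EXPLANATION:
The SSL connection was closed by the remote end of the channel during the SSL
handshake. The channel is 'MQM.PPWEB2.TO.MQSB'; in some cases its name cannot
be determined and so is shown as '????'. The channel did not start.
ACTION:
Check the remote end of the channel for SSL-related errors.

10/01/12 11:16:06
AMQ9526: Message sequence number error for channel 'MQM.PPWEB2.TO.MQSB'.

EXPLANATION:
The local and remote queue managers do not agree on the next message sequence
number.

10/01/12 11:18:35
AMQ9507: Channel 'MQM.PPWEB2.TO.MQSB' is currently in-doubt.
"""

STAMP = re.compile(r"^(\d\d/\d\d/\d\d \d\d:\d\d:\d\d)[ \t]*$", re.M)
CODE = re.compile(r"^(AMQ\d{4}):", re.M)
CHANNEL = re.compile(r"channel(?: is)? '([^']+)'", re.I)
KIND_BY_CODE = {"AMQ9526": "sequence-mismatch", "AMQ9507": "in-doubt"}

def _entry(stamp, body):
    code = CODE.search(body)
    chan = CHANNEL.search(body)
    flat = " ".join(body.split())          # undo the log's hard line wraps
    if "SSL" in flat and "handshake" in flat:
        kind = "tls-handshake"             # matched on text, so no header is needed
    else:
        kind = KIND_BY_CODE.get(code.group(1) if code else None, "other")
    return {"time": stamp, "code": code.group(1) if code else None,
            "channel": chan.group(1) if chan else None, "kind": kind}

def parse_entries(text):
    """Split an error log into entries; keep a headerless leading fragment."""
    parts = STAMP.split(text)              # [leading text, stamp, body, stamp, body, ...]
    entries = [_entry(None, parts[0])] if parts[0].strip() else []
    entries += [_entry(s, b) for s, b in zip(parts[1::2], parts[2::2])]
    return entries

def tls_failure_precedes(entries, channel):
    """True if the first error logged for the channel is a TLS handshake failure."""
    kinds = [e["kind"] for e in entries if e["channel"] == channel]
    return bool(kinds) and kinds[0] == "tls-handshake"

if __name__ == "__main__":
    for e in parse_entries(SAMPLE_LOG):
        print(e["time"] or "(no header)", e["code"] or "-", e["channel"], e["kind"])
```
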
lancelotlinc
Posted: Mon Oct 01, 2012 10:51 am

Jedi Knight

Joined: 22 Mar 2010
Posts: 4941
Location: Bloomington, IL USA

You can manually reset the channel sequence numbers on both ends, then restart the channel and use MQPING to verify connection.
_________________
http://leanpub.com/IIB_Tips_and_Tricks
Save $20: Coupon Code: MQSERIES_READER
Vitor
Posted: Mon Oct 01, 2012 11:21 am

Grand High Poobah

Joined: 11 Nov 2005
Posts: 26093
Location: Texas, USA

lancelotlinc wrote:
You can manually reset the channel sequence numbers on both ends, then restart the channel and use MQPING to verify connection.


Or just resolve the in-doubt status
_________________
Honesty is the best policy.
Insanity is the best defence.
ankurlodhi
Posted: Mon Oct 01, 2012 12:03 pm

Master

Joined: 19 Oct 2010
Posts: 266

So this probably means the problem is arising from the ZOS side.
bruce2359
Posted: Mon Oct 01, 2012 12:22 pm

Poobah

Joined: 05 Jan 2008
Posts: 9405
Location: US: west coast, almost. Otherwise, enroute.

ankurlodhi wrote:
So this probably means the problem is arising from the ZOS side.

No. Most often this situation arises because one end of the channel is deleted and re-defined. When the channels next attempt to start, the seqwrap fields no longer match, and the channel fails.
_________________
I like deadlines. I like to wave as they pass by.
ב''ה
Lex Orandi, Lex Credendi, Lex Vivendi. As we Worship, So we Believe, So we Live.
ankurlodhi
Posted: Mon Oct 01, 2012 1:00 pm

Master

Joined: 19 Oct 2010
Posts: 266

But after reverting the change everything just worked fine.
Vitor
Posted: Mon Oct 01, 2012 1:07 pm

Grand High Poobah

Joined: 11 Nov 2005
Posts: 26093
Location: Texas, USA

ankurlodhi wrote:
But after reverting the change everything just worked fine.


How did you revert the change, i.e. remove the SSL, without resetting the channels?
_________________
Honesty is the best policy.
Insanity is the best defence.
ankurlodhi
Posted: Tue Oct 02, 2012 5:16 am

Master

Joined: 19 Oct 2010
Posts: 266

The channels already had SSL certificates implemented on them, but those certs are going to expire in a short time.
What I had done is:

1) Took a backup of the old key files.
2) Started iKeyman.
3) Replaced the old certificate with the new certificate.
4) Added the internal CA to the key file.
5) Recycled MQ.

When it didn't work, I just put the old key file back in its place, which overwrote all the changes I had made.
lancelotlinc
Posted: Wed Oct 03, 2012 12:18 pm

Jedi Knight

Joined: 22 Mar 2010
Posts: 4941
Location: Bloomington, IL USA

ankurlodhi wrote:
4) Added the internal CA to the key file.


Truststores can only have one root CA and must be the first cert added. You cannot have a root CA, replace SSL certs, add a new root CA and expect it to work.

Create new truststore file with no certs, add the root CA as the first cert, then import the new/updated SSL certs.
_________________
http://leanpub.com/IIB_Tips_and_Tricks
Save $20: Coupon Code: MQSERIES_READER