MQ and SSL (please help)
Pandora
Posted: Wed Oct 30, 2013 7:17 am Post subject: MQ and SSL (please help)
Newbie. Joined: 30 Oct 2013. Posts: 2
Sorry if this is common knowledge or has been asked before, but I'm having a really hard time trying to get our new SSL-setup to work.
I have all the queues configured and they all speak to each other. I can send and receive messages from our MQ machine, but when I try to connect to this machine from another local machine, it just doesn't work. Our network looks like this:
Mars (client host) <---> Venus (our MQ) <---> Pluto (their MQ)
Venus is the machine that runs MQ (7.5.0.1 and Linux), Mars is a machine that sits on our side of the network and where all the clients are running (also Linux and same MQ version) and Pluto is the remote MQ-server. Running e.g. /opt/mqm/samp/bin/amqsget on Venus works as expected, but alas not from Mars, which is the problem. Prior to SSL we just defined the MQSERVER environment variable to e.g. "OUT.QUEUE/TCP/venus(1414)" and everything just worked. Doing that now gives me the error (on Mars):
AMQ9639: Remote channel 'OUT.QUEUE' did not specify a CipherSpec.
So I googled that and someone said that MQSERVER and SSL are not compatible and that we had to copy the @ipcc/AMQCLCHL.TAB to a local directory on Mars and then set the environment variables MQCHLLIB and MQCHLTAB accordingly. So I did that, but it still doesn't work:
MQCONN ended with reason code 2058
and now I'm fresh out of ideas. I have verified (through strace) that amqsget reads the AMQCLCHL.TAB, but it doesn't seem to do anything about it. This is the last lines before it exits with the above error:
Code:
open("/var/mqm/connect/AMQCLCHL.TAB", O_RDONLY) = 3
read(3, "AMQR", 4) = 4
stat("/var/mqm/connect/AMQCLCHL.TAB", {st_mode=S_IFREG|0644, st_size=2042, ...}) = 0
lseek(3, 0, SEEK_SET) = 0
read(3, "AMQR", 4) = 4
read(3, "\362\7\0\0\336\7\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 20) = 20
read(3, "SYSTEM.DEF.CLNTCONN ", 20) = 20
lseek(3, 4, SEEK_SET) = 4
read(3, "\362\7\0\0\336\7\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 20) = 20
read(3, "SYSTEM.DEF.CLNTCONN \n\0\0\0\6\0\0\0\2\0\0\0"..., 2014) = 2014
lseek(3, 4, SEEK_SET) = 4
read(3, "\362\7\0\0\336\7\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 20) = 20
read(3, "SYSTEM.DEF.CLNTCONN ", 20) = 20
close(3) = 0
<then some cleanup and exit>
So then I thought maybe that SYSTEM.DEF.CLNTCONN wasn't configured properly, but it is as far as I can see:
Code:
display channel ('SYSTEM.DEF.CLNTCONN')
1 : display channel ('SYSTEM.DEF.CLNTCONN')
AMQ8414: Display Channel details.
CHANNEL(SYSTEM.DEF.CLNTCONN) CHLTYPE(CLNTCONN)
AFFINITY(PREFERRED) ALTDATE(2013-10-30)
ALTTIME(15.25.35) CLNTWGHT(0)
COMPHDR(NONE) COMPMSG(NONE)
CONNAME(<ip-address-to-Venus>(1414)) DEFRECON(NO)
KAINT(AUTO)
MAXMSGL(4194304)
SHARECNV(10)
TRPTYPE(TCP)
Anyone have any clues to what I'm doing wrong or what my next debugging strategy might be? Thanks for all your help.
PeterPotkay
Posted: Wed Oct 30, 2013 7:22 am Post subject:
Poobah. Joined: 15 May 2001. Posts: 7722
On Venus you presumably have a SVRCONN channel with SSL parameters enabled.
On Venus you should create a CLNTCONN channel with the same name as the SVRCONN channel to be used, and make sure that this new CLNTCONN channel has the correct SSL attributes set.
THEN make a copy of the AMQCLCHL.tab file, rename that copy to something that makes sense, and move that copy to MARS.
Set the env variables on MARS to point to the location and name of this new channel table file.
_________________
Peter Potkay
Keep Calm and MQ On
JosephGramig
Posted: Wed Oct 30, 2013 8:18 am Post subject:
Grand Master. Joined: 09 Feb 2006. Posts: 1244. Location: Gold Coast of Florida, USA
So 2058 says the Qmgr name you specified on /opt/mqm/samp/bin/amqsgetc was found in the CCDT but does not match the actual QmgrName, and that you did reach the MQ server on the port.
PS: Don't use any channel (or object) that starts with SYSTEM.*
exerk
Posted: Wed Oct 30, 2013 9:25 am Post subject:
Jedi Council. Joined: 02 Nov 2006. Posts: 6339
Might be obvious questions, and I apologise if they are:
1. Does your queue manager have an SSL key store with all the relevant CA certificates, and a personal certificate for the queue manager?
2. Do you have SSL key stores for each of your clients? (I'm assuming they're running under different userids)
3. You state "...Running eg. /opt/mqm/samp/bin/amqsget on Venus works as expected, but alas not from Mars...". Can I assume from that that you ran amqsgetc from Mars?
4. Have you defined a specific SVRCONN and CLNTCONN, with the relevant SSL attributes populated, and exported the resulting CCDT file to the client box?
As an observation, if your WMQ Client installation is at least WMQ V7.0.1 (which it should be) stop using the environment variables and use the mqclient.ini file instead - it's a lot more flexible and easier IMHO.
_________________
It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys.
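The procedure in Peter Potkay's post (a SVRCONN and a same-named CLNTCONN with matching SSL attributes, defined on the queue manager so they land in the CCDT, then the table copied to Mars) and exerk's suggestion of an mqclient.ini in place of MQCHLLIB/MQCHLTAB, written out as an added example. This is not code from the thread or from IBM MQ. The queue manager name QM1, the channel name SSL.APP.SVRCONN, the CipherSpec TLS_RSA_WITH_AES_128_CBC_SHA256, the key repository path and the CCDT directory are all assumptions for illustration. The check at the end runs offline over the generated MQSC and flags the condition behind AMQ9639: a CLNTCONN whose SSLCIPH is absent or differs from the SVRCONN it has to talk to.

```shell
#!/usr/bin/env bash
# Added example, not code from the thread or from IBM MQ: generate the
# SVRCONN/CLNTCONN pair Peter Potkay describes plus the mqclient.ini exerk
# recommends, then check offline that every CLNTCONN carries the same SSLCIPH
# as its SVRCONN (a CLNTCONN with no SSLCIPH is what produces AMQ9639).
# QMGR, CHANNEL, CONNAME, CIPHER and KEYREPO are assumed values for illustration.
set -u

QMGR="${QMGR:-QM1}"                                  # assumed queue manager on Venus
CHANNEL="${CHANNEL:-SSL.APP.SVRCONN}"                # assumed channel name, same for both types
CONNAME="${CONNAME:-venus(1414)}"                    # listener the client dials
CIPHER="${CIPHER:-TLS_RSA_WITH_AES_128_CBC_SHA256}"  # assumed CipherSpec, must match on both sides
KEYREPO="${KEYREPO:-/var/mqm/ssl/client/key}"        # client key.kdb stem, no extension

# MQSC to run on the queue manager (runmqsc "$QMGR" < channels.mqsc).
# Defining the CLNTCONN on the queue manager is what writes it into
# AMQCLCHL.TAB; SSLCAUTH(REQUIRED) makes the client present its own cert.
write_mqsc() {
  cat > "$1" <<EOF
DEFINE CHANNEL('$CHANNEL') CHLTYPE(SVRCONN) TRPTYPE(TCP) +
       SSLCIPH('$CIPHER') SSLCAUTH(REQUIRED) REPLACE
DEFINE CHANNEL('$CHANNEL') CHLTYPE(CLNTCONN) TRPTYPE(TCP) +
       QMNAME('$QMGR') CONNAME('$CONNAME') +
       SSLCIPH('$CIPHER') REPLACE
EOF
}

# mqclient.ini for the client box: points at the copied CCDT and at the
# client key repository, replacing the MQCHLLIB/MQCHLTAB/MQSSLKEYR env vars.
write_ini() {
  cat > "$1" <<EOF
CHANNELS:
  ChannelDefinitionDirectory=/var/mqm/connect
  ChannelDefinitionFile=AMQCLCHL.TAB
SSL:
  SSLKeyRepository=$KEYREPO
EOF
}

# Offline check over an MQSC file: join "+" continuation lines, collect the
# SSLCIPH of each SVRCONN and CLNTCONN, and compare them by channel name.
# Prints one line per CLNTCONN; exit status 1 on any missing or mismatched cipher.
check_ciphers() {
  awk '
    function attr(r, a,    pat, v) {
      pat = a "\\(\047?[^\047)]*\047?\\)"       # ATTR(value) or ATTR(\047value\047)
      if (!match(r, pat)) return ""
      v = substr(r, RSTART + length(a) + 1, RLENGTH - length(a) - 2)
      gsub("\047", "", v)
      return v
    }
    { rec = rec " " $0 }
    $0 !~ /\+[ \t]*$/ {
      gsub(/[ \t]*\+[ \t]*/, " ", rec)
      if (rec ~ /DEFINE[ \t]+CHANNEL/) {
        name = attr(rec, "CHANNEL"); type = attr(rec, "CHLTYPE"); ciph = attr(rec, "SSLCIPH")
        if (type == "SVRCONN") svr[name] = ciph
        else if (type == "CLNTCONN") cln[name] = ciph
      }
      rec = ""
    }
    END {
      rc = 0
      for (n in cln) {
        if (!(n in svr)) { printf "%s: CLNTCONN has no SVRCONN of that name\n", n; rc = 1 }
        else if (cln[n] == "" || svr[n] == "") { printf "%s: SSLCIPH missing on one side (AMQ9639 at connect)\n", n; rc = 1 }
        else if (cln[n] != svr[n]) { printf "%s: CLNTCONN %s != SVRCONN %s\n", n, cln[n], svr[n]; rc = 1 }
        else printf "%s: OK, both sides %s\n", n, cln[n]
      }
      exit rc
    }' "$1"
}

# Stand-alone demo: write both files into a scratch directory and run the check.
demo_dir=$(mktemp -d)
write_mqsc "$demo_dir/channels.mqsc"
write_ini "$demo_dir/mqclient.ini"
check_ciphers "$demo_dir/channels.mqsc"
```

On Venus the generated channels.mqsc is fed to runmqsc, after which the queue manager's @ipcc/AMQCLCHL.TAB contains the CLNTCONN with its CipherSpec; that file is copied to /var/mqm/connect on Mars and the mqclient.ini placed where the client picks it up (working directory, or the path in MQCLNTCF), after which amqsgetc is run with the queue and queue manager names instead of the server-binding amqsget. SSLCAUTH(REQUIRED) is the setting behind exerk's second question: every client userid on Mars then needs its own key repository holding a personal certificate the queue manager's CA chain can validate, not just the CA certificates.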
Pandora
Posted: Thu Oct 31, 2013 4:26 am Post subject:
Newbie. Joined: 30 Oct 2013. Posts: 2
Wow! After three days of googling, brute force trial and error, more googling, head-scratching, swearing, even more googling, praying and general frustration it finally works! Much thanks to you guys: the SVRCONN and CLNTCONN channels were missing and so (I guess) AMQCLCHL.TAB didn't have enough information to make the connection to our MQ server.
Big Thanks!