SSL CHANNEL CLOSES WITH AMQ9207 ERROR and Probe Id CO052000
shojan
Posted: Mon Nov 18, 2013 10:05 pm

Novice

Joined: 20 May 2013
Posts: 10

Hello,

I'm having a problem receiving messages beyond 32KB in size via an SSL-enabled Sender-Receiver channel.

Let me explain my MQ architecture first.

We are using BIG-IP F5 as a proxy between two Queue Managers (in the real scenario these Queue Managers are spread across WAN connectivity). On the sender side we have done SSL offloading in F5, and on the receiver side SSL decryption is done by the Queue Manager itself.

(QMA - F5(SSL)) Sender - Receiver(QMB(SSL))

I'm able to send messages of size less than 32KB successfully. For any message beyond 32KB, the receiver channel soon logs "BAD data received" and the channel goes to retry mode.

In the reverse direction, from QMB, I'm able to send messages of any size with SSL enabled.

Without SSL I'm able to send messages of any size from QMA to QMB.

The FFST below is generated when the channel goes to retry mode.

| Operating System :- Linux 2.6.18-308.el5 |
| PIDS :- 5724H7230 |
| LVLS :- 7.0.1.9 |
| Product Long Name :- WebSphere MQ for Linux (x86-64 platform) |
| Vendor :- IBM |
| Probe Id :- CO052000 |
| Application Name :- MQM |
| Component :- cciTcpReceive |
| SCCS Info :- lib/comms/amqccita.c, 1.329.1.8 |
| Line Number :- 3643 |
| Build Date :- Jul 18 2012 |
| CMVC level :- p701-109-120718 |
| Build Type :- IKAP - (Production) |
| Effective UserID :- 788 (mqm) |
| Real UserID :- 788 (mqm) |
| Program Name :- amqrmppa |
| Addressing mode :- 64-bit |
| Process :- 7000 |
| Process(Thread) :- 13803 |
| Thread :- 15 |
| ThreadingModel :- PosixThreads |
| QueueManager :- QMA |
| UserApp :- FALSE |
| ConnId(1) IPCC :- 95 |
| ConnId(3) QM-P :- 7545 |
| Last HQC :- 1.0.0-1564600 |
| Last HSHMEMB :- 0.0.0-0 |
| Major Errorcode :- rrcE_BAD_DATA_RECEIVED |
| Minor Errorcode :- OK |
| Probe Type :- MSGAMQ9207 |
| Probe Severity :- 2 |
| Probe Description :- AMQ9207: The data received from host '*.*.*.* (*.*.*.*)' is not valid. |

MQM Function Stack
ccxResponder
rrxResponder
rriReceiveData
ccxReceive
cciSslSecureReceive
xcsFFST

Let me know if you need further trace information from the FFST.

I have done enough googling, and one scenario matches the problem I face. But that problem occurred for a server connection channel:

http://www-01.ibm.com/support/docview.wss?uid=swg1IZ80413

Google gave me further information on this:

http://www-01.ibm.com/support/docview.wss?uid=swg21413653

I have asked my F5 admin to escalate this issue to F5 support as well. In the meantime, I thought of checking whether anyone has come across such an issue or knows a fix for it.

Please help.

Let me know if you need any other information for diagnosing.

Thanks
shojan
Posted: Tue Nov 19, 2013 11:19 pm

Novice

Joined: 20 May 2013
Posts: 10

mqjeff
Posted: Wed Nov 20, 2013 3:11 am

Grand Master

Joined: 25 Jun 2008
Posts: 17447

It's generally not recommended to put anything as a proxy between two queue managers.

If you need to do it, the thing that does typically work is the SupportPac MQ Internet Passthru. But I don't know off the top of my head if that can accept an incoming non-SSL connection and establish an outgoing SSL connection - I'd be surprised if it couldn't, but I don't know either way.

Otherwise, I'd first try to remove the SSL part of this, and see if you can just get a normal MQ channel working with the F5 in the middle. If you can't, then you won't be able to get the SSL one working either.
shojan
Posted: Wed Nov 20, 2013 3:22 am

Novice

Joined: 20 May 2013
Posts: 10

Yeah, I have tried that as well. Without SSL I'm able to send messages of any size via F5 between two Queue Managers.

I tried the other way round as well. I tried sending a message of 1MB via the SSL-enabled Queue Manager (QMB); the message got decrypted by F5 (SSL) and came in successfully to QMA.

So the only problem is when SSL is offloaded to F5 and when it acts as a source.

The failing data is:
Dump of Transmission Segment Header
0x986b250 30333533 31333033 3133340D 0A582032 03531303134..X 2
0x986b260 46333033 31333533 30324233 30333133 F303135302B30313
0x986b270 41343632 37344435 33343732 42334133 A46274D53472B3A3
0x986b280 32333232 37344635 32343732 4234350D 232274F52472B45.

This part should start with TSHM.

What could be done to get the message to start with TSHM when SSL is enabled?
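An added example, not part of the original posts: a Python check that rebuilds the bytes from the dump quoted above and tests whether they begin with the TSHM eyecatcher the post expects. The function names are hypothetical; the dump rows are copied from the post.

```python
import re

# Dump rows copied verbatim from the post above.
DUMP = """\
0x986b250 30333533 31333033 3133340D 0A582032 03531303134..X 2
0x986b260 46333033 31333533 30324233 30333133 F303135302B30313
0x986b270 41343632 37344435 33343732 42334133 A46274D53472B3A3
0x986b280 32333232 37344635 32343732 4234350D 232274F52472B45.
"""

EYECATCHER = b"TSHM"  # what the post says the segment should start with

# Address, then up to four 8-digit hex words; the ASCII gutter is not captured.
ROW = re.compile(r"^0x[0-9A-Fa-f]+((?:\s+[0-9A-Fa-f]{8}(?=\s|$)){1,4})")


def dump_to_bytes(text):
    """Rebuild raw bytes from the hex columns of an FFST-style dump."""
    data = bytearray()
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            data += bytes.fromhex("".join(m.group(1).split()))
    return bytes(data)


def inspect_segment(data, eyecatcher=EYECATCHER):
    """Report whether the buffer starts with the eyecatcher and what it holds."""
    text_like = all(0x20 <= b < 0x7F or b in (0x0D, 0x0A) for b in data)
    return {
        "length": len(data),
        "first_bytes": data[:len(eyecatcher)],
        "starts_with_eyecatcher": data.startswith(eyecatcher),
        "eyecatcher_offset": data.find(eyecatcher),  # -1: not present at all
        "all_printable_ascii": bool(data) and text_like,
    }


if __name__ == "__main__":
    for key, value in inspect_segment(dump_to_bytes(DUMP)).items():
        print(f"{key}: {value}")
```

On this dump the buffer is 64 bytes of printable ASCII beginning `0353`, with no TSHM anywhere in it.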
mqjeff
Posted: Wed Nov 20, 2013 3:43 am

Grand Master

Joined: 25 Jun 2008
Posts: 17447

The TSHM should be included in the decrypted packets, not the encrypted packets.

It sounds like you are having issues with the SSL configuration of the F5 - that it's trying to do things that MQ doesn't like from an SSL perspective.

Again, IBM doesn't recommend nor really support having QM-QM channels with anything in between them, and I think they even less support having something that's NOT MQ act as an SSL partner.

Again, I'd look at MQIPT.