riyaz_tak |
Posted: Mon Jul 07, 2014 1:24 am Post subject: sender channel that's in retrying, it reports SSL error AMQ96 |
|
|
Voyager
Joined: 05 Jan 2012 Posts: 92
|
Hi
We have a customer whose sender channel is in retry state after an outage.
They are trying to send the message but are getting the below error in their MQ error log:
AMQ9638: SSL communications error for channel 'XXXXXX'.
EXPLANATION:
Cause . . . . . : An unexpected SSL communications error occurred for a channel, as reported in the preceding messages. The channel is 'XXXXX';in some cases its name cannot be determined and so is shown as '????'. The channel did not start.
Recovery . . . : Investigate the problem reported in the preceding
messages. Review the local and remote console logs for reports of network
errors. Correct the errors and restart the channel.
We are not receiving any request from them and there is no entry in our MQ logs.
They are able to telnet to our system.
We are using WMQ 7.0.1.11 and Solaris 10.
Could you please suggest a probable reason for this error?
Regards
Riyaz |
exerk |
Posted: Mon Jul 07, 2014 2:17 am Post subject: |
|
|
 Jedi Council
Joined: 02 Nov 2006 Posts: 6339
|
What was the nature of the outage, and what changes were made during the outage?
_________________ It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys. |
fjb_saper |
Posted: Mon Jul 07, 2014 4:51 am Post subject: |
|
|
 Grand High Poobah
Joined: 18 Nov 2003 Posts: 20756 Location: LI,NY
|
You say they are able to telnet to your system. But are they able to telnet to your MQ port?
Channel auth records would not apply since, as stated, you are still at 7.0.1.
As asked by my colleague, what changed during the interval?
- ips, network config, vpn tunnels, NAT, firewalls, routing, content of /etc/hosts, etc... ???
 _________________ MQ & Broker admin |
smdavies99 |
Posted: Mon Jul 07, 2014 5:23 am Post subject: |
|
|
 Jedi Council
Joined: 10 Feb 2003 Posts: 6076 Location: Somewhere over the Rainbow this side of Never-never land.
|
Outage + SSL leads me to ask: 'Did anything change in the Keystore files? Were they restored from a backup? Have they become corrupt?'
At the very least these questions should be discounted.
_________________ WMQ User since 1999
MQSI/WBI/WMB/'Thingy' User since 2002
Linux user since 1995
Every time you reinvent the wheel the more square it gets (anon). If in doubt think and investigate before you ask silly questions. |
riyaz_tak |
Posted: Mon Jul 07, 2014 9:06 pm Post subject: |
|
|
Voyager
Joined: 05 Jan 2012 Posts: 92
|
Hi All
Thanks for the reply.
No changes were done in the outage. The client simply restarted the MQ.
We also didn't make any changes.
As of now we have turned off the SSL encryption to resume the messaging.
I checked the certificate at our end and it's not corrupted either.
There is no network issue.
We are using gsk7bas 7.0.4.45, gsk7bas64 7.0.4.45 and WMQ 7.0.1.11 on a Solaris 10 box.
Please let me know if you need more information on this.
Regards
Riyaz |
MQsysprog |
Posted: Mon Jul 07, 2014 9:57 pm Post subject: |
|
|
Centurion
Joined: 24 Feb 2014 Posts: 116
|
JosephGramig |
Posted: Tue Jul 08, 2014 5:21 am Post subject: |
|
|
 Grand Master
Joined: 09 Feb 2006 Posts: 1244 Location: Gold Coast of Florida, USA
|
If nothing changed and this is a restart, then maybe you just happened to get caught at the moment a Certificate expired.
Look at the details of both Qmgrs' certificates.
Code: |
gsk7cmd -cert -details -label <QmgrLabel> -db keystore.kdb |
I'm assuming you have mutual authentication specified on the channels' SSL params. |
riyaz_tak |
Posted: Tue Jul 08, 2014 8:47 pm Post subject: |
|
|
Voyager
Joined: 05 Jan 2012 Posts: 92
|
@JosephGramig Certificate has not expired. I have already checked. Any other idea? |
JosephGramig |
Posted: Wed Jul 09, 2014 4:36 am Post subject: |
|
|
 Grand Master
Joined: 09 Feb 2006 Posts: 1244 Location: Gold Coast of Florida, USA
|
If none of the certs expired and the keystore passwd didn't expire, then something did change. This would not just passively fail for no reason. Is there any kind of cert revocation component configured?
What error did you get in your Qmgr's error log?
You and they should be able to build a second set of channels just for testing. |
riyaz_tak |
Posted: Wed Jul 09, 2014 4:53 am Post subject: |
|
|
Voyager
Joined: 05 Jan 2012 Posts: 92
|
QM's error log at client end:
AMQ9638: SSL communications error for channel 'XXXXXX'.
EXPLANATION:
Cause . . . . . : An unexpected SSL communications error occurred for a channel, as reported in the preceding messages. The channel is 'XXXXX';in some cases its name cannot be determined and so is shown as '????'. The channel did not start.
Recovery . . . : Investigate the problem reported in the preceding
messages. Review the local and remote console logs for reports of network
errors. Correct the errors and restart the channel.
We didn't get any error log at our end. |
bruce2359 |
Posted: Wed Jul 09, 2014 5:02 am Post subject: |
|
|
 Poobah
Joined: 05 Jan 2008 Posts: 9469 Location: US: west coast, almost. Otherwise, enroute.
|
A simple test: remove SSL from the channel definitions. Do the channels go to RUNNING without SSL?
_________________ I like deadlines. I like to wave as they pass by.
ב''ה
Lex Orandi, Lex Credendi, Lex Vivendi. As we Worship, So we Believe, So we Live. |
JosephGramig |
Posted: Wed Jul 09, 2014 8:54 am Post subject: |
|
|
 Grand Master
Joined: 09 Feb 2006 Posts: 1244 Location: Gold Coast of Florida, USA
|
bruce2359 wrote: |
A simple test: remove SSL from the channel definitions. Do the channels go to RUNNING without SSL? |
riyaz_tak did say they removed SSL to resume...
Please display both channel definitions... |
riyaz_tak |
Posted: Wed Jul 09, 2014 9:52 pm Post subject: |
|
|
Voyager
Joined: 05 Jan 2012 Posts: 92
|
Hi
Below is the channel definition at our end. I don't have the client channel definition.
define channel ('channel_name') +
chltype (rcvr) +
trptype (tcp) +
sslcauth (required) +
sslciph (RC4_MD5_EXPORT) +
mcauser ('rubbish') +
maxmsgl (65536) +
scyexit ('/u1/mqu/lib/exit.so(secExit)') +
scydata ('cfg/sec.cfg') +
sslpeer ('CN=xxx,O=xxxx,ST=xxx,C=XX') |
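An added example, not part of the original thread: JosephGramig asks for both channel definitions because the SSL attributes on the two ends have to agree. The Python sketch below parses the receiver definition posted above together with a constructed sender definition and certificate DN (the thread never shows the client's side) and reports an SSLCIPH mismatch, an SSLPEER filter that does not fit the certificate, and the export-grade CipherSpec. The SSLPEER comparison is a simplified attribute-by-attribute match with `*` wildcards, and the weak-cipher tags are an assumed local policy list, not IBM's.

```python
import re
from fnmatch import fnmatchcase
# Receiver definition exactly as posted in the thread (already redacted there).
RCVR = """define channel ('channel_name') +
chltype (rcvr) +
trptype (tcp) +
sslcauth (required) +
sslciph (RC4_MD5_EXPORT) +
mcauser ('rubbish') +
maxmsgl (65536) +
scyexit ('/u1/mqu/lib/exit.so(secExit)') +
scydata ('cfg/sec.cfg') +
sslpeer ('CN=xxx,O=xxxx,ST=xxx,C=XX')"""
# Constructed sender side: the thread never shows the client's definition or DN.
SDR = """define channel ('channel_name') +
chltype (sdr) +
sslciph (TRIPLE_DES_SHA_US)"""
SDR_CERT_DN = "CN=yyy,O=xxxx,ST=xxx,C=XX"
WEAK_TAGS = ("EXPORT", "NULL", "RC4", "MD5")  # assumption: local policy, not IBM's list

def parse_mqsc(text):
    """Join '+' continuations and return {ATTRIBUTE: value} with upper-case keys."""
    joined = re.sub(r"\+\s*\n", " ", text)
    pairs = re.findall(r"(\w+)\s*\(\s*('[^']*'|[^)]*?)\s*\)", joined)
    return {key.upper(): val.strip("'") for key, val in pairs}

def dn_parts(dn):
    """Simplified DN split: no escaped commas, repeated attributes overwrite."""
    return {k.strip().upper(): v.strip().lower()
            for k, v in (part.split("=", 1) for part in dn.split(",")
                         if "=" in part)}

def compare(sdr, rcvr, sdr_cert_dn):
    """Return findings for the SSL attributes that must agree across the channel."""
    findings = []
    s_ciph, r_ciph = sdr.get("SSLCIPH", ""), rcvr.get("SSLCIPH", "")
    if s_ciph != r_ciph:  # both ends must name the same CipherSpec
        findings.append(f"SSLCIPH mismatch: sender={s_ciph} receiver={r_ciph}")
    for ciph in sorted({s_ciph, r_ciph} - {""}):
        if any(tag in ciph.upper() for tag in WEAK_TAGS):
            findings.append(f"weak CipherSpec: {ciph}")
    cert = dn_parts(sdr_cert_dn)
    for attr, pattern in dn_parts(rcvr.get("SSLPEER", "")).items():
        if not fnmatchcase(cert.get(attr, ""), pattern):
            findings.append(f"SSLPEER {attr}={pattern} rejects the sender certificate")
    return findings

if __name__ == "__main__":
    print("\n".join(compare(parse_mqsc(SDR), parse_mqsc(RCVR), SDR_CERT_DN)))
```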
fjb_saper |
Posted: Fri Jul 11, 2014 4:45 am Post subject: |
|
|
 Grand High Poobah
Joined: 18 Nov 2003 Posts: 20756 Location: LI,NY
|
I see there is a security exit on the channel.
Did an upgrade happen at any of the channel endpoints?
Does the security exit need to be changed / upgraded / recompiled in any way?
Does the channel work with the security exit and no SSL?
_________________ MQ & Broker admin |
Inisah |
Posted: Tue Jul 29, 2014 5:48 am Post subject: |
|
|
Apprentice
Joined: 21 Mar 2014 Posts: 44
|
Did you try 'REFRESH SECURITY' at both sender and receiver ends? |