SSL Problem : AMQ9633: Bad SSL certificate for channel
Studv01
Posted: Wed Feb 25, 2015 9:37 pm    Post subject: SSL Problem : AMQ9633: Bad SSL certificate for channel

Apprentice

Joined: 23 Jan 2015
Posts: 27

Team,
We have two queue managers running at different versions. QMGR1 is running with MQ V 7.5.0.2 and QMGR 2 running with 6.0.2.8. I have a sender channel defined from QMGR1 to QMGR2 as below:
AMQ8414: Display Channel details.
CHANNEL(QMGR1.QMGR2.CH01) CHLTYPE(SDR)
CONNAME(abcd.net(xxxx)) MCANAME( )
MCATYPE(PROCESS) MCAUSER( )
NPMSPEED(FAST) PASSWORD( )
PROPCTL(COMPAT) RCVDATA( )
RCVEXIT( ) RESETSEQ(1)
SHORTTMR(60) SSLCIPH(NULL_SHA)
SSLPEER(CN=QMGR2) STATCHL(QMGR)
TPNAME( ) TRPTYPE(TCP)
USEDLQ(YES) USERID( )
XMITQ(XMIT.QUEUE.QX01)

and the XMIT queue defined on QMGR1 as below
AMQ8409: Display Queue details.
QUEUE(XMIT.QUEUE.QX01) TYPE(QLOCAL)
ACCTQ(QMGR)
HARDENBO INITQ(SYSTEM.CHANNEL.INITQ)
TRIGDATA(QMGR1.QMGR2.CH01)
TRIGMPRI(0) TRIGTYPE(FIRST)
USAGE(XMITQ)

Applications write to a remote queue in QMGR1 and it is defined as below
AMQ8409: Display Queue details.
QUEUE(REMOTE.QUEUE.QR01)
TYPE(QREMOTE)
RQMNAME(QMGR2)
RNAME(LOCAL.QUEUE.ON.QMGR2)
XMITQ(XMIT.QUEUE.QX01)

The Receiver Channel at QMGR2 is
AMQ8414: Display Channel details.
CHANNEL(QMGR1.QMGR2.CH01) CHLTYPE(RCVR)
MAXMSGL(4194304) MCAUSER( )
SSLCAUTH(REQUIRED) SSLCIPH(NULL_SHA)
SSLPEER(CN=QMGR1) STATCHL(OFF)
TRPTYPE(TCP)

When I started the sender channel on QMGR1 I got the following exception:

----- amqzfubx.c : 624 --------------------------------------------------------
02/25/2015 08:48:44 PM - Process(25883.1) User(mqm) Program(runmqchl)
Host(xxxxxxxxxxxxxxx)
VRMF(7.5.0.2) QMgr(QMGR1)

AMQ9002: Channel 'QMGR1.QMGR2.CH01' is starting.

EXPLANATION:
Channel 'QMGR1.QMGR2.CH01' is starting.
ACTION:
None.
-------------------------------------------------------------------------------
02/25/2015 08:48:44 PM - Process(25883.1) User(mqm) Program(runmqchl)
Host(xxxxxxxxxxxxxxxxx) Installation(Installation1)
VRMF(7.5.0.2) QMgr(QMGR1)

AMQ9633: Bad SSL certificate for channel 'QMGR1.QMGR2.CH01'.

EXPLANATION:
A certificate encountered during SSL handshaking is regarded as bad for one of
the following reasons:
(a) it was formatted incorrectly and could not be validated
(b) it was formatted correctly but failed validation against the Certification
Authority (CA) root and other certificates held on the local system
(c) it was found in a Certification Revocation List (CRL) on an LDAP server
(d) a CRL was specified but the CRL could not be found on the LDAP server
(e) an OCSP responder has indicated that it is revoked

The channel is 'QMGR1.QMGR2.CH01'; in some cases its name cannot be
determined and so is shown as '????'. The remote host is 'abcd.net(xxxx)'. The channel did not start.

The details of the certificate which could not be validated are '????'.

The certificate validation error was 575010.
ACTION:
Check which of the possible causes applies on your system. Correct the error,
and restart the channel.
Studv01
Posted: Wed Feb 25, 2015 9:42 pm

Apprentice

Joined: 23 Jan 2015
Posts: 27

Also, I have updated qm.ini with the following OCSP value in QMGR2

"OCSPCheckExtensions=no" and recycled queue manager

and at QMGR1 I have the following variable set in .profile for mqm

## MQ SSL VARIABLE ##
export AMQ_SSL_OCSP_NO_CHECK_AIA=1

Please advise
Vitor
Posted: Thu Feb 26, 2015 5:54 am

Grand High Poobah

Joined: 11 Nov 2005
Posts: 26093
Location: Texas, USA

Studv01 wrote:
Please advise


Studv01 wrote:

A certificate encountered during SSL handshaking is regarded as bad for one of
the following reasons:
(a) it was formatted incorrectly and could not be validated
(b) it was formatted correctly but failed validation against the Certification
Authority (CA) root and other certificates held on the local system
(c) it was found in a Certification Revocation List (CRL) on an LDAP server
(d) a CRL was specified but the CRL could not be found on the LDAP server
(e) an OCSP responder has indicated that it is revoked


How much of this have you checked? You don't talk about the SSL set up on these 2 queue managers at all in your post. Also:

Studv01 wrote:
QMGR 2 running with 6.0.2.8


That's not only out of support, it's very old. Is it possible that QMGR2 is using a cert type / cypher spec that QMGR1 doesn't believe in?
_________________
Honesty is the best policy.
Insanity is the best defence.
tczielke
Posted: Thu Feb 26, 2015 12:28 pm    Post subject: Re: SSL Problem : AMQ9633: Bad SSL certificate for channel

Guardian

Joined: 08 Jul 2010
Posts: 939
Location: Illinois, USA

Studv01 wrote:
The certificate validation error was 575010.


Note that the MQ manual documents a 575010 as:

"No certificate chain was built"
_________________
Working with MQ since 2010.
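
Added example (not part of the thread and not IBM code): a Python triage helper that pulls AMQ9633 entries out of a queue manager error log and attaches the meaning of validation code 575010 quoted in the post above. The sample log is constructed from the entries in the first post with the explanations trimmed, and the field patterns assume the entry layout shown there.

```python
import re

# The only validation code this thread documents (quoted from the MQ manual).
VALIDATION_ERRORS = {575010: "No certificate chain was built"}

# Constructed sample: the two log entries from the first post, trimmed.
SAMPLE_LOG = """\
----- amqzfubx.c : 624 --------------------------------------------------------
02/25/2015 08:48:44 PM - Process(25883.1) User(mqm) Program(runmqchl)
VRMF(7.5.0.2) QMgr(QMGR1)
AMQ9002: Channel 'QMGR1.QMGR2.CH01' is starting.
-------------------------------------------------------------------------------
02/25/2015 08:48:44 PM - Process(25883.1) User(mqm) Program(runmqchl)
Host(xxxxxxxxxxxxxxxxx) Installation(Installation1)
VRMF(7.5.0.2) QMgr(QMGR1)
AMQ9633: Bad SSL certificate for channel 'QMGR1.QMGR2.CH01'.
The channel is 'QMGR1.QMGR2.CH01'; in some cases its name cannot be
determined and so is shown as '????'. The remote host is 'abcd.net(xxxx)'. The channel did not start.
The details of the certificate which could not be validated are '????'.
The certificate validation error was 575010.
"""

SEPARATOR = re.compile(r"^-{5}.*-{5}$", re.MULTILINE)  # dashed line between entries
FIELDS = {
    "time": r"(\d\d/\d\d/\d{4} \d\d:\d\d:\d\d [AP]M) - Process",
    "qmgr": r"QMgr\(([^)]*)\)",
    "vrmf": r"VRMF\(([^)]*)\)",
    "channel": r"AMQ9633: Bad SSL certificate for channel '([^']*)'",
    "remote_host": r"The remote host is '([^']*)'",
    "certificate": r"could not be validated are '([^']*)'",
    "code": r"certificate validation error was (\d+)",
}

def bad_certificate_events(log_text):
    """Return one dict per AMQ9633 entry, with the validation code explained.

    certificate_identified is False when MQ reported the certificate as '????'.
    """
    events = []
    for entry in SEPARATOR.split(log_text):
        flat = " ".join(entry.split())  # undo the log's line wrapping
        if "AMQ9633:" not in flat:
            continue
        found = {k: re.search(p, flat) for k, p in FIELDS.items()}
        event = {k: m.group(1) if m else None for k, m in found.items()}
        event["code"] = int(event["code"]) if event["code"] else None
        event["meaning"] = VALIDATION_ERRORS.get(event["code"], "not documented in this thread")
        event["certificate_identified"] = event["certificate"] not in (None, "????")
        events.append(event)
    return events

if __name__ == "__main__":
    print(bad_certificate_events(SAMPLE_LOG))
```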
belchman
Posted: Wed May 13, 2015 3:54 am

Partisan

Joined: 31 Mar 2006
Posts: 386
Location: Ohio, USA



Some folks wonder why it is hard to get help with problems. This is a good example.

Ask a question on how to resolve an issue, get several helpful people engaged and then "fall off the face of the earth" with no more comment and not even a thanks.

Shameful!
_________________
Make three correct guesses consecutively and you will establish a reputation as an expert. ~ Laurence J. Peter
mqjeff
Posted: Wed May 13, 2015 4:38 am

Grand Master

Joined: 25 Jun 2008
Posts: 17447

belchman wrote:


Some folks wonder why it is hard to get help with problems. This is a good example.

Ask a question on how to resolve an issue, get several helpful people engaged and then "fall off the face of the earth" with no more comment and not even a thanks.

Shameful!


This is an interesting view on the normal complaints - "Oh, you aren't being nice enough", "Oh you aren't responding quickly enough", "Oh, you aren't doing my job for me!"

But yes, it is the other side of the same poor behavior.