MQSeries.net Forum Index » IBM MQ Security

Connection between QMs having SHA1 and SHA2 certs failed
kordi (Centurion; Joined: 28 May 2012; Posts: 145; Location: PL)
Posted: Fri Oct 16, 2015 3:30 am    Post subject: Connection between QMs having SHA1 and SHA2 certs failed

Hello,

I have a task to change all existing certificates from SHA1 to SHA2 and after that from SSL to TLS. What I found out is that when QM1 has SHA1 (Signature Algorithm: MD5withRSA, Key Size: 1024) and QM2 has SHA2 (Signature Algorithm: SHA256withRSA, Key Size: 2048), SSL channels are not able to connect (below are logs from QM1 and QM2). That would make my work more difficult because I cannot just go one QM after another and change certs; I have to do that on all Queue Managers connected with each other.

Any advice would be much appreciated.

QM1 logs:
AMQ9637: Channel is lacking a certificate.

EXPLANATION:
The channel is lacking a certificate to use for the SSL handshake. The channel
name is 'QM1.QM2' (if '????' it is unknown at this stage in the SSL
processing).

The remote host is 'xyz (10.10.10.10)'.

The channel did not start.
ACTION:
Make sure the appropriate certificates are correctly configured in the key
repositories for both ends of the channel.

======================
QM2 logs:
AMQ9654: Validation checks for the remote personal certificate failed. The
channel did not start.

EXPLANATION:
An SSL certificate received from the remote system was not corrupt but failed
validation checks on something other than its ASN.1 fields and date. It is
possible that the certificate chain could not be built for for one of the
following reasons: - The certificate Subject DN is more than 1024 characters
long. - The DN contains unsupported duplicate attribute values. - The DN is
missing.

The channel is 'QM1.QM2'; in some cases its name cannot be determined and
so is shown as '????'.
ACTION:
Ensure that the remote system has a valid personal certificate and restart the
channel. Restart the channel.
bruce2359 (Poobah; Joined: 05 Jan 2008; Posts: 9396; Location: US: west coast, almost. Otherwise, enroute.)
Posted: Fri Oct 16, 2015 4:10 am

What happens when you change BOTH ends of the channel to the same SHA2 spec? You should be doing this in a test environment.
_________________
I like deadlines. I like to wave as they pass by.
ב''ה
Lex Orandi, Lex Credendi, Lex Vivendi. As we Worship, So we Believe, So we Live.
kordi (Centurion; Joined: 28 May 2012; Posts: 145; Location: PL)
Posted: Thu Oct 29, 2015 6:56 am

The problem was a lack of the CA on both sides of the connection. I had added CA certs only to the remote QMGR. It turned out that the kdb where the SHA-2 cert exists must also have the SHA-2 CA certs.
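The root cause kordi reports, and the AMQ9654 validation failure in the opening post, come down to chain building: the validating queue manager can only accept the peer's personal certificate if the CA that signed it is in the validating side's own key repository. The script below is an added example, not code from this thread or from IBM MQ, that reproduces the "before" and "after" states with the OpenSSL command line (assumed installed). PEM files stand in for the .kdb key databases, two constructed CAs (labelled OLD_CA and NEW_CA) stand in for the signers of the SHA-1 and SHA-2 certificates, and the verify_peer and channel_can_start helpers are the example's own names. Both sample CAs sign with SHA-256, because current OpenSSL refuses SHA-1-signed certificates at its default security level; the example therefore shows the trust gap, which is what broke the channel, rather than the digest change itself.

```shell
#!/bin/sh
# Added example (not from the thread or from IBM MQ): each queue manager's repository
# holds only the CA that signed its own certificate, so neither end can build a chain
# for the peer's certificate until the missing CA is added on both sides.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Minimal OpenSSL config so the example does not depend on the system openssl.cnf.
cat > "$WORK/req.cnf" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = overridden-by-subj
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF

# make_ca LABEL: self-signed CA certificate (constructed test material).
make_ca() {
  openssl req -x509 -config "$WORK/req.cnf" -extensions v3_ca \
    -newkey rsa:2048 -nodes -sha256 -days 30 -subj "/CN=$1" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.pem" >/dev/null 2>&1
}

# make_leaf QM CA: personal certificate for queue manager QM, issued by CA.
make_leaf() {
  openssl req -config "$WORK/req.cnf" -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=$1" -keyout "$WORK/$1.key" -out "$WORK/$1.csr" >/dev/null 2>&1
  openssl x509 -req -in "$WORK/$1.csr" -days 30 -sha256 \
    -CA "$WORK/$2.pem" -CAkey "$WORK/$2.key" -CAcreateserial \
    -out "$WORK/$1.pem" >/dev/null 2>&1
}

# build_trust NAME CA...: the signer certificates one queue manager's repository
# holds, concatenated into a single trust file; prints the file's path.
build_trust() {
  trust_file="$WORK/$1.trust.pem"
  shift
  : > "$trust_file"
  for ca in "$@"; do
    cat "$WORK/$ca.pem" >> "$trust_file"
  done
  echo "$trust_file"
}

# verify_peer TRUST_FILE PEER: can the validating end chain PEER's certificate to a
# CA it holds? A failure here is what MQ reports as AMQ9654 on the validating end.
verify_peer() {
  openssl verify -CAfile "$1" "$WORK/$2.pem" >/dev/null 2>&1
}

# channel_can_start QM1_TRUST QM2_TRUST: with certificates at both ends, the channel
# starts only if each end validates the other's certificate.
channel_can_start() {
  verify_peer "$1" QM2 && verify_peer "$2" QM1
}

make_ca OLD_CA            # signer of the certificate still in use on QM1
make_ca NEW_CA            # signer of the re-issued (SHA-2, 2048-bit) certificate on QM2
make_leaf QM1 OLD_CA
make_leaf QM2 NEW_CA

# Before the fix: each repository contains only the CA for its own certificate.
QM1_TRUST=$(build_trust QM1_before OLD_CA)
QM2_TRUST=$(build_trust QM2_before NEW_CA)
# After the fix kordi describes: both CAs present in both repositories.
QM1_TRUST_FIXED=$(build_trust QM1_after OLD_CA NEW_CA)
QM2_TRUST_FIXED=$(build_trust QM2_after OLD_CA NEW_CA)

for scenario in before after; do
  if [ "$scenario" = before ]; then t1=$QM1_TRUST; t2=$QM2_TRUST
  else t1=$QM1_TRUST_FIXED; t2=$QM2_TRUST_FIXED; fi
  if channel_can_start "$t1" "$t2"; then
    echo "$scenario: both ends validate the peer certificate; channel can start"
  else
    echo "$scenario: chain cannot be built on at least one end; channel blocked"
  fi
done
```

On a real queue manager the "after" step is adding the new CA certificate to each key database with runmqakm (cert -add) rather than appending to a PEM file, and the check to run before restarting a channel is that every CA in the peer's chain is listed by runmqakm cert -list on the local repository. Keeping the old CA in both repositories until the last queue manager has been re-issued is what allows the migration to proceed one queue manager at a time.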