AMQ9660: SSL key repository: password stash file absent or u
mqsme
Posted: Wed Nov 04, 2015 2:58 pm    Post subject: AMQ9660: SSL key repository: password stash file absent or u

Acolyte

Joined: 16 Sep 2013
Posts: 51

Hi,

I did not enable SSL in the testing environment, so there is no key.kdb under the ssl folder. It ran happily before; however, recently it keeps logging the following messages every 5 seconds. Can you tell me how to troubleshoot it?

Thanks very much.

----- amqrmrsa.c : 516 --------------------------------------------------------
11/04/2015 02:55:43 PM - Process(8148.3915) User(mqm) Program(amqrmppa)
Host(xxx.com)
AMQ9660: SSL key repository: password stash file absent or unusable.

EXPLANATION:
The SSL key repository cannot be used because MQ cannot obtain a password to
access it. Reasons giving rise to this error include:
(a) the key database file and password stash file are not present in the
location configured for the key repository,
(b) the key database file exists in the correct place but that no password
stash file has been created for it,
(c) the files are present in the correct place but the userid under which MQ is
running does not have permission to read them,
(d) one or both of the files are corrupt.

The channel is '????'; in some cases its name cannot be determined and so is
shown as '????'. The channel did not start.
ACTION:
Ensure that the key repository variable is set to where the key database file
is. Ensure that a password stash file has been associated with the key database
file in the same directory, and that the userid under which MQ is running has
read access to both files. If both are already present and readable in the
correct place, delete and recreate them. Restart the channel.
----- amqccisa.c : 3464 -------------------------------------------------------
11/04/2015 02:55:43 PM - Process(8148.3915) User(mqm) Program(amqrmppa)
Host(xxx.com)
AMQ9492: The TCP/IP responder program encountered an error.

EXPLANATION:
The responder program was started but detected an error.
ACTION:
Look at previous error messages in the error files to determine the error
encountered by the responder program.
exerk
Posted: Thu Nov 05, 2015 1:31 am

Jedi Council

Joined: 02 Nov 2006
Posts: 6339

Check all your channels to see whether 'someone' has added a cipher spec into a definition, and then check/get checked all the channels connecting to/from your queue manager, as 'someone' may have done the same there.
_________________
It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys.
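One way to run the local half of the check exerk describes, as an added example that is not part of the thread: `DISPLAY CHANNEL(*) SSLCIPH` piped through `runmqsc`, filtered to the channels whose SSLCIPH is not blank. The runmqsc output embedded below is constructed sample text, and the function names are made up for this example.

```shell
#!/bin/sh
# Added example: list channel definitions that carry a cipher spec.
# Real use (as the MQ administrator, queue manager name from the thread):
#   echo "DISPLAY CHANNEL(*) SSLCIPH" | runmqsc QMGR1 | channels_with_cipher

# Constructed sample of runmqsc output; channel names are invented.
sample_output() {
cat <<'EOF'
     1 : DISPLAY CHANNEL(*) SSLCIPH
AMQ8414: Display Channel details.
   CHANNEL(QMGR1.TO.QMGR2)                 CHLTYPE(SDR)
   SSLCIPH( )
AMQ8414: Display Channel details.
   CHANNEL(QMGR2.TO.QMGR1)                 CHLTYPE(RCVR)
   SSLCIPH(TLS_RSA_WITH_AES_128_CBC_SHA256)
AMQ8414: Display Channel details.
   CHANNEL(SYSTEM.DEF.SVRCONN)             CHLTYPE(SVRCONN)
   SSLCIPH( )
EOF
}

# Reads runmqsc output on stdin and prints "<channel> <cipherspec>" for
# every channel whose SSLCIPH attribute is not blank.
channels_with_cipher() {
    awk '
    {
        line = $0
        # Walk every KEYWORD(value) pair on the line.
        while (match(line, /[A-Z]+\([^)]*\)/)) {
            tok  = substr(line, RSTART, RLENGTH)
            line = substr(line, RSTART + RLENGTH)
            p    = index(tok, "(")
            key  = substr(tok, 1, p - 1)
            val  = substr(tok, p + 1, length(tok) - p - 1)
            gsub(/^ +| +$/, "", val)      # blank attributes show as "( )"
            if (key == "CHANNEL") chan = val
            if (key == "SSLCIPH" && val != "") print chan, val
        }
    }'
}

# Demonstration on the constructed sample.
sample_output | channels_with_cipher
```

An empty result means no local definition sets a cipher spec, which leaves the partner end of each channel and inbound connections still to be checked.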
Inisah
Posted: Thu Nov 05, 2015 1:52 am

Apprentice

Joined: 21 Mar 2014
Posts: 44

http://www.mqseries.net/phpBB2/viewtopic.php?t=23886&highlight=sslkeyr

I see there are a couple of links with the same topics discussed in this forum itself. Please check and see if the suggestions mentioned in the links work. If not, post back with your findings.
fjb_saper
Posted: Thu Nov 05, 2015 9:30 am

Grand High Poobah

Joined: 18 Nov 2003
Posts: 20696
Location: LI,NY

If the ownership of the key files is mqm:mqm make sure that the permissions are rw for user and group.
_________________
MQ & Broker admin
mqsme
Posted: Thu Nov 05, 2015 11:06 am

Acolyte

Joined: 16 Sep 2013
Posts: 51

@exerk: I checked all my channels, even stopped all of them, and am still getting the error, so I also suspect it is 'someone' who set it on the other side. And the error log only mentions ??? as the channel; I have no clue which channel is 'under attack'.

@inisah: Thanks for the link, but I did not use SSL and can't find a solution from there.
I tried to refresh security but no luck.

1 : dis qmgr sslev sslkeyr sslrkeyc
AMQ8408: Display Queue Manager details.
QMNAME(QMGR1) SSLEV(DISABLED)
SSLKEYR( ) SSLRKEYC(0)

@fjb_saper: Sorry, I do not use SSL in this testing environment, so I did not set up any key.* files.
Vitor
Posted: Thu Nov 05, 2015 11:10 am

Grand High Poobah

Joined: 11 Nov 2005
Posts: 26093
Location: Texas, USA

mqsme wrote:
sorry i do not use ssl in this testing environment, so do not set up any key.* files


Why not set it up? Give this queue manager a self-signed certificate in a key store; this will get you past this error. Obviously the channel in question still won't start (as whatever SSL configuration is in use won't tie up with the queue manager), but you should get an error about that mismatch that includes the channel name.
_________________
Honesty is the best policy.
Insanity is the best defence.
Inisah
Posted: Fri Nov 06, 2015 1:52 am

Apprentice

Joined: 21 Mar 2014
Posts: 44

Quote:
I checked all my channels, even stopped all of them, and am still getting the error, so I also suspect it is 'someone' who set it on the other side. And the error log only mentions ??? as the channel; I have no clue which channel is 'under attack'.

You need to check the destination channel if SSL is enabled. We have seen errors with channels showing as ??? if they are not able to connect to that channel for some reason.
mqsme
Posted: Fri Nov 06, 2015 10:25 am

Acolyte

Joined: 16 Sep 2013
Posts: 51

Yes, preferably there is a way to know which destination is SSL enabled. If there is no way to find out at server level, the last resort is to ask the different destinations one by one, whether you have turned on SSL accidentally.
mqsme
Posted: Fri Nov 06, 2015 10:33 am

Acolyte

Joined: 16 Sep 2013
Posts: 51

@Vitor: I just tried to set up a key store. I set up a new cert, placed key.kdb, key.rdb, key.stb, key.crl under the MQM ssl folder, and ran refresh security type(ss), but got the following error. I tried putting the same key.kdb on another server, and openssl works successfully on the other server. But openssl fails on this new server; there must be something missing...

$ openssl s_client -showcerts -connect xxx.com:1414
CONNECTED(00000003)
139935324751688:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:184:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 249 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE



display qmgr shows SSLKEYR has already been set to the right path (/.../ssl/key), which is the same as on the other server.

Still investigating what's missing.
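The AMQ9660 explanation quoted in the first post lists four causes, (a) to (d); as an added example (not part of the thread and not IBM's code), this shell function tests a key repository stem for each of them. It assumes the file names `<stem>.kdb` and `<stem>.sth`, must be run as the user the queue manager runs under, and uses return codes chosen for this example.

```shell
#!/bin/sh
# Added example: check a key repository stem (the SSLKEYR value, which
# carries no file extension) against the causes listed under AMQ9660.
# Run as the MQ user (mqm in this thread), since readability is tested
# for the current user.
# Return codes (chosen for this example):
#   0 ok, 1 SSLKEYR blank, 2 no .kdb, 3 no .sth, 4 unreadable, 5 empty file
check_keyrepo() {
    stem=$1
    if [ -z "$stem" ]; then
        echo "SSLKEYR is blank: no key repository is configured"
        return 1
    fi
    kdb="$stem.kdb"
    sth="$stem.sth"
    # (a) key database not where SSLKEYR points
    [ -f "$kdb" ] || { echo "(a) missing key database: $kdb"; return 2; }
    # (b) key database present but no password stash file beside it
    [ -f "$sth" ] || { echo "(b) missing password stash file: $sth"; return 3; }
    for f in "$kdb" "$sth"; do
        # (c) files present but not readable by the MQ user
        [ -r "$f" ] || { echo "(c) not readable by $(id -un): $f"; return 4; }
        # (d) a zero-length file is one detectable sign of corruption
        [ -s "$f" ] || { echo "(d) zero-length file: $f"; return 5; }
    done
    echo "ok: $kdb and $sth are present and readable by $(id -un)"
    return 0
}

# Usage: sh check_keyrepo.sh /path/to/ssl/key   (placeholder path)
[ $# -eq 0 ] || check_keyrepo "$1"
```

A pass only covers the file-level causes; a stash file that exists but does not hold the key database's password still produces the same message.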
Gaya3
Posted: Fri Nov 06, 2015 11:30 am

Jedi

Joined: 12 Sep 2006
Posts: 2493
Location: Boston, US

openssl does have its own params; there you can try a couple more options.

What is the MQ error stating, and where is it happening?
_________________
Regards
Gayathri
-----------------------------------------------
Do Something Before you Die