Error 2393 in MQMON - MO71 |
saurabh25281 |
Posted: Tue May 14, 2019 5:11 am Post subject: Error 2393 in MQMON - MO71 |
|
|
Centurion
Joined: 05 Nov 2006 Posts: 108 Location: Bangalore
|
Hi All,
We are trying to use MO71 to connect to remote Queue Managers which are secured by using SSL over SVRCONN channels. However, we are getting the 2393 SSL Initialization error code in MO71. The eventviewer logs on the client side show the below error.
However, I was able to connect to the Queue Manager using MQ Explorer using the same keystore, with the only difference that MQ Explorer allows JKS keystore whereas MQMON uses CMS keystores.
I tried disabling the OCSP feature by modifying the mqclient.ini file as below, but with no effect.
Code: |
SSL:
   OCSPAuthentication=OPTIONAL
   OCSPCheckExtensions=NO
   CDPCheckExtensions=NO
|
Quote: |
Remote SSL certificate revocation status check failed for channel 'xxxxx.00001.ADMIN'.
IBM MQ failed to determine the revocation status of the remote SSL certificate for one of the following reasons: &B (a) The channel was unable to contact any of the CRL servers or OCSP responders for the certificate. &B (b) None of the OCSP responders contacted knows the revocation status of the certificate. &B (c) An OCSP response was received, but the digital signature of the response could not be verified. &P The details of the certificate in question are 'xxxxxxxxx'. &P The channel name is 'xxxxx.00001.ADMIN'. In some cases the channel name cannot be determined and so is shown as '????'. The channel did not start. &P IBM MQ does not allow the channel to start unless the certificate revocation status can be determined.
If the certificate contains an AuthorityInfoAccess extension, ensure that the OCSP server named in the certificate extension is available and is correctly configured. &P If the certificate contains a CrlDistributionPoint extension, ensure that the CRL server named in the certificate extension is available and is correctly configured. &P If you have specified any CRL or OCSP servers to IBM MQ, check that those servers are available and are correctly configured. &P Ensure that the local key repository has the necessary SSL certificates to verify the digital signature of the response from the OCSP server.
ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=false
AuthorityInfoAccess [
[accessMethod: caIssuers
accessLocation: URIName: ldap:///CN=xxxxx?cACertificate?base?objectClass=certificationAuthority
, accessMethod: caIssuers
accessLocation: URIName: http://sslcrl.url%20Issuing%20CA%20SSL1.crt
, accessMethod: caIssuers
accessLocation: URIName: http://sslcrl.url%20Issuing%20CA%20SSL1.crt
, accessMethod: ocsp
accessLocation: URIName: http://url/ocsp
]] |
Can someone please provide pointers on the configurations where I am going wrong.
Regards |
hughson |
Posted: Tue May 14, 2019 8:03 am Post subject: |
|
|
 Padawan
Joined: 09 May 2013 Posts: 1959 Location: Bay of Plenty, New Zealand
|
If you haven't restarted the MO71 executable since editing the mqclient.ini, please do so as the MQ Client caches the values found in that file in the running process and may not therefore be using the new values.
Cheers,
Morag _________________ Morag Hughson @MoragHughson
IBM MQ Technical Education Specialist
Get your IBM MQ training here!
MQGem Software |
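An added example, not part of the original thread and not MQGem or IBM code: a small audit of the `SSL` stanza posted above, reporting which certificate revocation checks the client skips once the MO71 process has been restarted and has read the file. The default values and the case-insensitive key matching are assumptions; confirm them against the documentation for your MQ version.

```python
# Added example: audit an mqclient.ini SSL stanza for weakened revocation checks.
# ASSUMPTION: these are the client defaults when an attribute is absent.
DEFAULTS = {
    "OCSPAuthentication": "REQUIRED",
    "OCSPCheckExtensions": "YES",
    "CDPCheckExtensions": "NO",
}

# Constructed sample reproducing the stanza posted in the thread.
SAMPLE_INI = """\
# client configuration (constructed sample)
SSL:
   OCSPAuthentication=OPTIONAL
   OCSPCheckExtensions=NO
   CDPCheckExtensions=NO
"""

def parse_ssl_stanza(text):
    """Return the three revocation attributes, merged over the assumed defaults."""
    settings, in_ssl = dict(DEFAULTS), False
    canonical = {k.lower(): k for k in DEFAULTS}   # assumed case-insensitive keys
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":             # blank or comment line
            continue
        if line.endswith(":") and "=" not in line:  # stanza header such as "SSL:"
            in_ssl = line[:-1].strip().upper() == "SSL"
            continue
        key, sep, value = line.partition("=")
        name = canonical.get(key.strip().lower())
        if in_ssl and sep and name:                 # ignore attributes of other stanzas
            settings[name] = value.strip().upper()
    return settings

def audit(settings):
    """List the ways the stanza weakens certificate revocation checking."""
    findings = []
    if settings["OCSPCheckExtensions"] == "NO":
        findings.append("OCSP responders named in AuthorityInfoAccess are not consulted")
    if settings["CDPCheckExtensions"] == "NO":
        findings.append("CRL servers named in CrlDistributionPoint are not consulted")
    if settings["OCSPAuthentication"] != "REQUIRED":
        findings.append("an undetermined OCSP result no longer stops the channel "
                        f"(OCSPAuthentication={settings['OCSPAuthentication']})")
    return findings

if __name__ == "__main__":
    for finding in audit(parse_ssl_stanza(SAMPLE_INI)):
        print("WARN:", finding)
```

With the posted stanza all three findings are reported, which means the client accepts the server certificate without any revocation check.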
saurabh25281 |
Posted: Tue May 14, 2019 12:49 pm Post subject: |
|
|
Centurion
Joined: 05 Nov 2006 Posts: 108 Location: Bangalore
|
Thanks Morag for the tip, restarting the MQMON worked for me.
However, I am confused about the permission that was required for the SYSTEM.DEFAULT.MODEL.QUEUE queue, i.e. put, dsp. For MQ Explorer, we only need the get, inq, dsp on the SYSTEM.MQEXPLORER.REPLY.MODEL queue.
Although I must admit that I only tested the connectivity as a test for both MQMON and MQExplorer, and the above authorizations are the bare minimum for connecting to a Qmgr.
Aren't both the Reply queues for MQMON & MQExplorer supposed to have similar access? If not, can you point me to some MQMON documentation that speaks about authorization for MQMON specific queues?
Regards
Saurabh |
hughson |
Posted: Tue May 14, 2019 10:03 pm Post subject: |
|
|
 Padawan
Joined: 09 May 2013 Posts: 1959 Location: Bay of Plenty, New Zealand
|
MO71 uses its reply queue to communicate between threads as well and so requires put authority. MQ Explorer only uses its reply queue to get replies from the command server so only needs get and not put.
Cheers,
Morag |
saurabh25281 |
Posted: Wed May 15, 2019 1:22 am Post subject: |
|
|
Centurion
Joined: 05 Nov 2006 Posts: 108 Location: Bangalore
|
I have observed that MQMON does not require "get" authorization for at least connecting with MQMON, as opposed to MQExplorer. Do you think we would still need at least the same authorization as MQExplorer for basic MQMON operations? |
hughson |
Posted: Wed May 15, 2019 1:45 am Post subject: |
|
|
 Padawan
Joined: 09 May 2013 Posts: 1959 Location: Bay of Plenty, New Zealand
|
If you have not issued a command to the command server yet, then you will not have had to get any messages yet, but as soon as you do anything you will need to get messages from the reply queue.
I believe MQ Explorer will display qmgr details immediately so you can't connect without also issuing a command.
Does that make sense?
Cheers,
Morag |
saurabh25281 |
Posted: Mon May 20, 2019 2:50 am Post subject: |
|
|
Centurion
Joined: 05 Nov 2006 Posts: 108 Location: Bangalore
|