ASG
IBM
Zystems
Cressida
Icon
Netflexity
 
  MQSeries.net
Search  Search       Tech Exchange      Education      Certifications      Library      Info Center      SupportPacs      LinkedIn  Search  Search                                                                   FAQ  FAQ   Usergroups  Usergroups
 
Register  ::  Log in Log in to check your private messages
 
RSS Feed - WebSphere MQ Support RSS Feed - Message Broker Support

MQSeries.net Forum IndexWebSphere Message Broker SupportIHS 8.5.5 and ACE11.0.0.4, Certificate issue.

Post new topicReply to topic
IHS 8.5.5 and ACE11.0.0.4, Certificate issue. View previous topic :: View next topic
Author Message
gxv3858
PostPosted: Wed Jun 12, 2019 2:02 am Post subject: IHS 8.5.5 and ACE11.0.0.4, Certificate issue. Reply with quote

Novice

Joined: 13 Oct 2008
Posts: 16

Good day to all.


While trying to call an application installed in ACE 11 using URL,

https:/xxxx.com/proxy/sap/client/consult/v1,
The plugin logs and the IHS error logs is showing me this error message:

[Mon May 27 10:34:11 2019] [error] [27/May/2019:10:34:11.36708] 0000047e 2d781700 - ERROR: lib_stream: openStream: Failed in r_gsk_secure_soc_init: GSK_ERROR_SOCKET_CLOSED(gsk rc = 420) PARTNER CERTIFICATE DN=No Information Available, Serial=No Information Available
[Mon May 27 10:34:11 2019] [error] [27/May/2019:10:34:11.36752] 0000047e 2d781700 - ERROR: ws_common: websphereGetStream: Could not open stream
[Mon May 27 10:34:11 2019] [error] [27/May/2019:10:34:11.36765] 0000047e 2d781700 - ERROR: ws_common: websphereExecute: Failed to create the stream
---------------------------------------------------------------------------------

My http configuration for SSL looks like this:

LoadModule ibm_ssl_module modules/mod_ibm_ssl.so
Listen 443
<VirtualHost *:443>
SSLEnable
SSLProtocolEnable TLSv12
SSLProtocolDisable SSLv2 SSLv3
SSLServerCert selfSigned
KeyFile /v01s01/ibm/IHS/ihsserverkey.kdb
</VirtualHost>[Less]
---------------------------------------------------------------------------------

Tried to activate TLStrace in server.yaml, it worked just for some time, now its not working anymore the Integration node is not starting up if I set TLStrace : true.

The information I received from IBM is that my self signed certificate is corrupted, but they do not know why.

All I did was to create one self signed inside Ikeyman, exported, inserted this cert into my IHS KDB and the other was in the keystore ( trsutstore ) under Signer certificates at the ACE11 side.
----------------------------------------------------------------------------------

But so far no success in establish a SSL comunication from IHS to ACE11.

Customer does not want implement a signed certificate to secure this connection.

Does anybody know how to help me on this issue?
Back to top
View user's profile Send private message
LJM
PostPosted: Wed Jun 12, 2019 3:29 am Post subject: Reply with quote

Novice

Joined: 05 Jul 2018
Posts: 20

assuming the ACE URL is accessable directly just fine ?

and you have IHS in front of this ( +N ) for load balancing/ redundacy

eg IHS --> ACE11(a ) , ACE11 ( b )

and only via the IHS this fails ?
Back to top
View user's profile Send private message
gxv3858
PostPosted: Wed Jun 12, 2019 5:19 am Post subject: Reply with quote

Novice

Joined: 13 Oct 2008
Posts: 16

LJM wrote:
assuming the ACE URL is accessable directly just fine ?

and you have IHS in front of this ( +N ) for load balancing/ redundacy

eg IHS --> ACE11(a ) , ACE11 ( b )

and only via the IHS this fails ?


Yes this only fails when IHS is used.
Back to top
View user's profile Send private message
fjb_saper
PostPosted: Wed Jun 12, 2019 5:54 am Post subject: Reply with quote

Grand High Poobah

Joined: 18 Nov 2003
Posts: 20130
Location: LI,NY

So both ACE11(a) and ACE11(b) have the IHS signer cert in their truststore?

_________________
MQ & Broker admin
Back to top
View user's profile Send private message Send e-mail
gxv3858
PostPosted: Wed Jun 12, 2019 6:12 am Post subject: Reply with quote

Novice

Joined: 13 Oct 2008
Posts: 16

fjb_saper wrote:
So both ACE11(a) and ACE11(b) have the IHS signer cert in their truststore?


Yes correct , the IHS signer certificates are inside ACE11 truststore.

Caught them when accessing the https://xxxx.xxxx.com. There are 3 certificates in this chain.
Back to top
View user's profile Send private message
Display posts from previous:
Post new topicReply to topic Page 1 of 1

MQSeries.net Forum IndexWebSphere Message Broker SupportIHS 8.5.5 and ACE11.0.0.4, Certificate issue.
Jump to:



You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
Protected by Anti-Spam ACP


Theme by Dustin Baccetti
Powered by phpBB 2001, 2002 phpBB Group

Copyright MQSeries.net. All rights reserved.