SSL issue: AMQ9642E: No SSL or TLS certificate for channel
smeunier |
Posted: Mon Oct 21, 2019 11:12 am Post subject: SSL issue: AMQ9642E: No SSL or TLS certificate for channel
Partisan
Joined: 19 Aug 2002 Posts: 305 Location: Green Mountains of Vermont
A little back story:
We just upgraded from MQ Version 7.5 to MQ V9.1.0.3 on AIX. We are a single install and just did dmpmqcfg, saved the objects and installed the V9.1.0.3 version. Installation went well, all aspects of the QMGR check out, applications are happy, but this qmgr has an SSL connection with a remote partner using SSL via the MQ channels.
I see this on the sending channel: AMQ9642E: No SSL or TLS certificate for channel.
I have validated the following:
- QMGR default certificate label matches the actual certificate label in the key.kdb
- Ran a validate against the certificate chain to check the chain, and it comes back clean.
- Validated that the certificate label is in the db; it is.
This gives me the impression it cannot find the label that is specified. The error is being seen on the local (sender channel) side. Not sure what the remote end is issuing, as the remote partner has not responded to my query yet.
A little more information. If I replace the key.kdb with the pre-9.1.0.3 upgrade one, which had the same certificate label but was expired, I get an appropriate message for that issue, so I know it can find the certificate. Since the certificate expired, as a test, I exported the prod certificate and imported it into the key.kdb with the appropriate label. This should have given me a good certificate to verify connectivity with, but I get the error mentioned above.
I diff'd the output of the details of both pre and post certificates; all the information is essentially the same, especially the labels.
I'm a little lost as to why it cannot find a certificate, when all the commands I use against the label name work just fine.
Not much to be found in the Google area, other than make sure the label names are correct and follow the rules, which they do.
Full message:
Code:
AMQ9642E: No SSL or TLS certificate for channel 'TESTENV.PARTNERQM'.
EXPLANATION:
The channel 'TESTENV.PARTNERQM' did not supply a certificate to use during
SSL or TLS handshaking, but a certificate is required by the remote queue
manager.
The channel did not start.
ACTION:
Ensure that the key repository of the local queue manager or MQ client contains
a certificate which is associated with the queue manager or client. If you have
configured a certificate label, check that the certificate exists.
Alternatively, if appropriate, change the remote channel definition so that its
SSLCAUTH attribute is set to OPTIONAL and it has no SSLPEER value set.
exerk |
Posted: Mon Oct 21, 2019 12:25 pm Post subject:
Jedi Council
Joined: 02 Nov 2006 Posts: 6339
What label name is specified in the channel definition?
_________________
It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys.
smeunier |
Posted: Tue Oct 22, 2019 9:07 am Post subject:
Partisan
Joined: 19 Aug 2002 Posts: 305 Location: Green Mountains of Vermont
Quote:
What label name is specified in the channel definition?
The label name is: ibmwebspheremqefk300tst. The certificate by that label does exist in the key.kdb. I can list the details on it by that label name. So I'm not sure exactly what the root meaning of the error message is implying.
tczielke |
Posted: Tue Oct 22, 2019 12:46 pm Post subject:
Guardian
Joined: 08 Jul 2010 Posts: 941 Location: Illinois, USA
How about the "DIS QMGR CERTLABL" command? Do you see it set there as well?
You mentioned this:
Quote:
We just upgraded from MQ Version 7.5 to MQ V9.1.0.3 on AIX. We single install and just did dmpmqcfg saved the object and install the V9.1.0.3 version.
CERTLABL was not a queue manager or channel attribute at 7.5.
_________________
Working with MQ since 2010.
smeunier |
Posted: Tue Oct 22, 2019 1:30 pm Post subject:
Partisan
Joined: 19 Aug 2002 Posts: 305 Location: Green Mountains of Vermont
Quote:
How about the "DIS QMGR CERTLABL" command? Do you see it set there as well?
Yes, when I issue the command, it is specified in the QMGR CERTLABL. It is added by default. It was only on the channel because I specified it, trying to resolve this issue. It had no effect, so I removed it from the channel.
At this point, it seems I have a couple of choices: recreate the certificate with an extension on the expiration date from the CA, thinking it is a certificate problem, or rebuild the key store, which seems extreme, and add the certificate back in. I'm not really sure what/why it cannot find it. I can via SSL commands, so it is there and queryable.
tczielke |
Posted: Tue Oct 22, 2019 2:16 pm Post subject:
Guardian
Joined: 08 Jul 2010 Posts: 941 Location: Illinois, USA
If something obvious isn't wrong/missing with your SSL configuration, I would recommend opening a PMR with IBM. IBM obfuscates the queue manager SSL traces, so you can't really read them as a customer to figure out what is going wrong. The SSL traces should give the details on why that queue manager is not sending its certificate.
_________________
Working with MQ since 2010.
HubertKleinmanns |
Posted: Wed Oct 23, 2019 12:50 am Post subject:
Shaman
Joined: 24 Feb 2004 Posts: 732 Location: Germany
Did you check the supported and used CipherSpecs? They've changed from Version 7.5 to 9.
_________________
Regards
Hubert
fjb_saper |
Posted: Wed Oct 23, 2019 2:42 am Post subject:
Grand High Poobah
Joined: 18 Nov 2003 Posts: 20756 Location: LI,NY
You cannot export and import a cert. You can only do that to the public part of the cert. If you need to do that for the private part of the cert you may have to transit through a PKCS#12 store format...
_________________
MQ & Broker admin
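The two points raised in this thread, whether CERTLABL names a label that is really in the key.kdb and whether that entry carries a private key at all (an export/import of only the public part leaves a trusted entry that the queue manager cannot present), can be cross-checked from tool output. This is an added example, not code from the thread or from IBM MQ; the runmqakm listing and runmqsc output below are constructed samples whose layout is assumed from the tools' usual output, and the default-label rule used when CERTLABL is blank is ibmwebspheremq followed by the lower-cased queue manager name.

```python
import re

# Constructed sample of `runmqakm -cert -list -db key.kdb -stashed` output.
# In the listing a leading '-' marks a personal certificate (has a private key),
# '*' the default personal certificate, '!' a trusted (public-only) certificate.
# Here the queue manager's label exists, but only as a public certificate.
LISTING_BROKEN = """\
Certificates found
* default, - personal, ! trusted, # secret key
!\tibmwebspheremqefk300tst
!\t"Example Partner Root CA"
"""
# Same key store after the private key has been brought in (e.g. via PKCS#12).
LISTING_GOOD = LISTING_BROKEN.replace('!\tibmwebspheremqefk300tst',
                                      '-\tibmwebspheremqefk300tst')

# Constructed sample of runmqsc output for `DIS QMGR CERTLABL`.
QMGR_OUTPUT = """\
AMQ8408I: Display Queue Manager details.
   QMNAME(EFK300TST)                       CERTLABL(ibmwebspheremqefk300tst)
"""


def kdb_labels(listing):
    """Map every label in the listing to its flag character ('*', '-', '!' or '#')."""
    flags = {}
    for line in listing.splitlines():
        m = re.match(r'^([*\-!#])\t(.*)$', line)
        if m:
            flags[m.group(2).strip('"')] = m.group(1)
    return flags


def runmqsc_attr(output, name):
    """Pull NAME(value) out of runmqsc output; None if the attribute is absent."""
    m = re.search(r'\b' + re.escape(name) + r'\(([^)]*)\)', output)
    return m.group(1).strip() if m else None


def check_certlabl(listing, qmgr_output):
    """Return (status, detail) saying whether the queue manager can present its certificate."""
    qmname = runmqsc_attr(qmgr_output, 'QMNAME')
    # A blank CERTLABL means MQ looks for the default label derived from the QMGR name.
    certlabl = runmqsc_attr(qmgr_output, 'CERTLABL') or 'ibmwebspheremq' + qmname.lower()
    flags = kdb_labels(listing)
    if certlabl not in flags:
        near = [lbl for lbl in flags if lbl.lower() == certlabl.lower()]
        if near:
            return 'CASE_MISMATCH', 'key store has %s, queue manager wants %s' % (near[0], certlabl)
        return 'MISSING', 'no entry labelled %s in key store' % certlabl
    if flags[certlabl] == '!':
        return 'NO_PRIVATE_KEY', '%s is present only as a trusted (public) certificate' % certlabl
    return 'OK', '%s is a personal certificate with a private key' % certlabl
```

Against a live system, feed the function the real output of the two commands instead of the constructed strings; a NO_PRIVATE_KEY result matches the symptom in this thread, where the label is listable but the channel still reports AMQ9642E.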