MQSeries.net

SSL issue: AMQ9642E: No SSL or TLS certificate for channel
smeunier
Posted: Mon Oct 21, 2019 11:12 am Post subject: SSL issue: AMQ9642E: No SSL or TLS certificate for channel

Partisan

Joined: 19 Aug 2002
Posts: 301

A little back story:

We just upgraded from MQ Version 7.5 to MQ V9.1.0.3 on AIX. We single install and just did dmpmqcfg, saved the object and installed the V9.1.0.3 version. Installation went well, all aspects of the QMGR check out, applications are happy, but this qmgr has an SSL connection with a remote partner using SSL via the MQ channels.

I see this on the sending channel: AMQ9642E: No SSL or TLS certificate for channel.

I have validated the following:

- QMGR default certificate label matches the actual certificate label in the key.kdb.
- Ran a validate against the certificate chain to ensure the chain is, and it comes back clean.
- Validated the certificate label is in the db; it is.

This gives me the impression it cannot find the label that is specified. The error is being seen on the local (sender channel) side. Not sure what the remote end is issuing, as the remote partner has not responded to my query yet.

A little more information. If I replace the key.kdb, with the pre-9.1.0.3 upgrade, it had the same certificate name, but was expired. I get an appropriate message with that issue, so I know it can find the certificate. Since the certificate expired, as a test, I exported the prod certificate and imported it into the key.kdb with the appropriate label. This should have given me a good certificate to verify connectivity with, but I get the error mentioned above.

I diff'd the output of the details of both pre and post certificates; all the information is essentially the same, especially the labels.

I'm a little lost as to why it cannot find a certificate, when all the commands I use against the label name work just fine.

Not much to be found in the google area, other than make sure the label names are correct and follow the rules, which they do.

Full message:


Code:

AMQ9642E: No SSL or TLS certificate for channel 'TESTENV.PARTNERQM'.

EXPLANATION:
The channel 'TESTENV.PARTNERQM' did not supply a certificate to use during
SSL or TLS handshaking, but a certificate is required by the remote queue
manager.

The channel did not start.
ACTION:
Ensure that the key repository of the local queue manager or MQ client contains
a certificate which is associated with the queue manager or client. If you have
configured a certificate label, check that the certificate exists.

Alternatively, if appropriate, change the remote channel definition so that its
SSLCAUTH attribute is set to OPTIONAL and it has no SSLPEER value set.

exerk
Posted: Mon Oct 21, 2019 12:25 pm

Jedi Council

Joined: 02 Nov 2006
Posts: 6110

What label name is specified in the channel definition?
_________________
It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys.

smeunier
Posted: Tue Oct 22, 2019 9:07 am

Partisan

Joined: 19 Aug 2002
Posts: 301

Quote:
What label name is specified in the channel definition?


The label name is: ibmwebspheremqefk300tst. That certificate by that label does exist in the key.kdb. I can list the details on it by that label name. So I'm not sure exactly what the root mean of the error message is implying.
tczielke
Posted: Tue Oct 22, 2019 12:46 pm

Sentinel

Joined: 08 Jul 2010
Posts: 849
Location: Illinois, USA

How about on the "DIS QMGR CERTLABL" command. Do you see it set there, as well?

You mentioned this:

Quote:
We just upgraded from MQ Version 7.5 to MQ V9.1.0.3 on AIX. We single install and just did dmpmqcfg, saved the object and installed the V9.1.0.3 version.


CERTLABL was not a queue manager or channel attribute at 7.5.
_________________
Working with MQ since 2010.

Miami Dolphins 2019 - Tank you for the memories.
smeunier
Posted: Tue Oct 22, 2019 1:30 pm

Partisan

Joined: 19 Aug 2002
Posts: 301

Quote:
How about on the "DIS QMGR CERTLABL" command. Do you see it set there, as well?


Yes, when I issue the command, it is specified in the QMGR CERTLABL. It is added by default. It was only on the channel, because I specified it, trying to resolve this issue. It had no effect, so I removed it from the channel.

At this point, it seems I had a couple choices. To recreate the certificate for an extension on the expiration date from the CA. Thinking it is a certificate problem, or rebuild the KEY store, which seems extreme, and add the certificate back in. I'm not really sure what/why it cannot find it. I can via SSL commands, so it is there and queryable...
tczielke
Posted: Tue Oct 22, 2019 2:16 pm

Sentinel

Joined: 08 Jul 2010
Posts: 849
Location: Illinois, USA

If something obvious isn't wrong/missing with your SSL configuration, I would recommend opening a PMR with IBM. IBM obfuscates the queue manager SSL traces, so you can't really read them as a customer to figure out what is going wrong. The SSL traces should give the details on why that queue manager is not sending its certificate.
_________________
Working with MQ since 2010.

Miami Dolphins 2019 - Tank you for the memories.
HubertKleinmanns
Posted: Wed Oct 23, 2019 12:50 am

Shaman

Joined: 24 Feb 2004
Posts: 724
Location: Germany

Did you check the supported and used CipherSpecs? They've changed from Version 7.5 to 9.
_________________
Regards
Hubert
fjb_saper
Posted: Wed Oct 23, 2019 2:42 am

Grand High Poobah

Joined: 18 Nov 2003
Posts: 20138
Location: LI,NY

You cannot export and import a cert. You can only do that to the public part of the cert. If you need to do that to a private part of the cert you may have to transit through a pk12 store format...
_________________
MQ & Broker admin
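
A check that follows from the last reply, added here as an example and not part of the thread: a label can be listed in key.kdb while the entry holds only the public certificate, with no private key for the channel to present. The function below assumes the GSKit 8 `runmqakm -cert -list` layout, in which a leading flag column marks `-` personal and `!` trusted entries; the function name, the listing and its labels are constructed for illustration.

```shell
#!/bin/sh
# Classify a label in `runmqakm -cert -list` output read from stdin.
# Prints: personal | trusted-only | missing
# Assumed layout: flag column, whitespace, label (quoted if it has spaces).
cert_kind() {
    awk -v want="$1" '
        # Skip the header line and the flag legend.
        /^Certificates found/ || /default, - personal/ { next }
        {
            flags = $1
            label = $0
            sub(/^[^ \t]+[ \t]+/, "", label)   # drop the flag column
            gsub(/^"|"[ \t]*$/, "", label)     # strip surrounding quotes
            if (label != want) next            # labels are compared exactly
            found = 1
            if (index(flags, "-")) personal = 1  # "-" means a private key is held
        }
        END {
            if (personal)   print "personal"
            else if (found) print "trusted-only"
            else            print "missing"
        }'
}

# Constructed sample listing (not output from the poster's system).
sample_listing() {
    printf 'Certificates found\n'
    printf '* default, - personal, ! trusted, # secret key\n'
    printf '%s\t%s\n' '!'  '"Partner Root CA"'
    printf '%s\t%s\n' '!'  'ibmwebspheremqqmtest'
    printf '%s\t%s\n' '*-' 'ibmwebspheremqqmprod'
}

# On a real system the listing would come from:
#   runmqakm -cert -list -db key.kdb -stashed | cert_kind <label>
sample_listing | cert_kind ibmwebspheremqqmtest   # prints: trusted-only
```

A `trusted-only` result for the label named in CERTLABL means the key repository can display the certificate but the queue manager has no personal certificate to send for it.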