Topic
  • 11 replies
  • Latest Post - ‏2013-04-23T18:22:19Z by peterfa
peterfa
peterfa
38 Posts

Pinned topic SSL Channel not working

‏2013-04-22T12:46:28Z |

I am trying to connect to a queue manager on AIX from a windows desktop, using an SSL channel with CipherSpec.

The error I am getting is the following message on the queue manager side:

AMQ9639: Remote channel 'SSL.SVRCONN' did not specify a CipherSpec.

I have taken what I believe to be the steps needed to set this up, but I guess I have missed something. I created a SVRCONN channel called SSL.SVRCONN, and specified an SSL Cipher Spec of DES_SHA_EXPORT. I created a CLNTCONN channel of the same name specifying DES_SHA_EXPORT in it also, and copied the file AMQCLCHL.TAB from the AIX system to the Windows system. I created certificates on both sides, extracted the public part on each side and imported it into the other side. The SSL connection works fine if I do not specify a CipherSpec. The error message is suggesting that I am missing the CipherSpec on the Windows side ( which is the remote side ). I have looked at the file AMQCLCHL.TAB with a hex viewer, and I can see that DES_SHA_EXPORT is in there. ( It came from the CLNTCONN channel I created on the server side ).

Does anyone have an idea as to what I might have missed when adding a CipherSpec value on the SVRCONN and CLNTCONN channels ?

 

Updated on 2014-03-28T16:53:24Z at 2014-03-28T16:53:24Z by Morag Hughson
  • peterfa
    peterfa
    38 Posts
    ACCEPTED ANSWER

    Re: SSL Channel not working

    ‏2013-04-23T18:22:19Z  

    You're going to have to get in touch with the authors of the program to find out how to make use of either a CCDT, or how to explicitly provide the program with the CipherSpec.

    OK. Thanks for all your help with this.

    Much appreciated !

  • peterfa
    peterfa
    38 Posts

    Re: SSL Channel not working

    ‏2013-04-22T12:52:15Z  

    I might add that I did set up the environment variables on the client side, including the unsetting of MQSERVER ( which I understand will negate the use of the client channel definition table ).

    There are the MQ environment variables that I have set:

    C:\>set MQ
    MQCHLLIB=c:\akey\
    MQCHLTAB=AMQCLCHL.TAB
    MQ_FILE_PATH=C:\MQM
    MQ_JAVA_DATA_PATH=C:\MQM
    MQ_JAVA_INSTALL_PATH=C:\MQM\Java

  • Morag Hughson
    Morag Hughson
    140 Posts

    Re: SSL Channel not working

    ‏2013-04-23T13:20:54Z  

    You don't mention anything about the application you are using. Have you tried testing this set up with something like amqsputc first? You mention two Java related environment variables - is this a Java application? If it is, the manner by which you specify the CCDT is different than that for C applications.

    I would also expect to see an environment variable for the location of your client side key repository too (the place where your certificates are stored). The fact that you don't get an error for that does suggest that the client side of the channel does not think it is using an SSL channel. Perhaps because it has not picked up the CCDT - although how it knew the channel name 'SSL.SVRCONN' to use is then somewhat of a mystery. Perhaps you are specifying the channel name in your application? In which case that would override the use of the CCDT and would explain the issue.

    So, try out your setup with amqsputc - this will help you to verify that your CCDT is working correctly.

    Then, tell us about your application so we know how to advise you to tell it where to find the CCDT.

    Cheers
    Morag

  • peterfa
    peterfa
    38 Posts

    Re: SSL Channel not working

    ‏2013-04-23T13:57:42Z  

    Thank you for taking a look at this.

    I ran a test with amqsputc, results are listed below. The client side does not think that there is a CCDT.

    Am I not telling the client side about it correctly ?

    On the client side ( which is windows ) I saved the CCDT as c:\akey\AMQCLCHL.TAB.

    I tell the client side which channel to use with an MQSERVER ( is this correct ? ).

     

     

    DOS Window on Client Side
    -------------------------

    Microsoft Windows XP [Version 5.1.2600]
    (C) Copyright 1985-2001 Microsoft Corp.
    c:\>set MQSERVER=SSL.SVRCONN/TCP/aktc1infa12a(1419)
    c:\>cd\MQM\bin
    C:\MQM\bin>c:\CCDT1
    C:\MQM\bin>set MQCHLLIB=c:\akey\
    C:\MQM\bin>set MQCHLTAB=AMQCLCHL.TAB

    C:\MQM\bin>set MQ
    MQCHLLIB=c:\akey\
    MQCHLTAB=AMQCLCHL.TAB
    MQSERVER=SSL.SVRCONN/TCP/aktc1infa12a(1419)
    MQ_FILE_PATH=C:\MQM
    MQ_JAVA_DATA_PATH=C:\MQM
    MQ_JAVA_INSTALL_PATH=C:\MQM\Java

    C:\MQM\bin>amqsputc TEST WMBUXBZ1
    Sample AMQSPUT0 start
    MQCONN ended with reason code 2393

    C:\MQM\bin>

     

    Error Message from Client Side at c:\MQM\errors\AMQERR01.LOG
    -------------------------------------------------------------


    ----- cmqxrfpt.c : 457 --------------------------------------------------------
    4/23/2013 08:34:29 - Process(10088.1) User(mq027721) Program(amqsputc.exe)
                        Host(INFO_KW-HG6CML1)
    AMQ9641: Remote CipherSpec error for channel 'SSL.SVRCONN'.

    EXPLANATION:
    The remote end of channel 'SSL.SVRCONN' has had a CipherSpec error. The channel
    did not start.
    ACTION:
    Review the error logs on the remote system to discover the problem with the
    CipherSpec.
    ----- cmqxrfpt.c : 457 --------------------------------------------------------

     

    Error Message on Server Side at /var/mqm/qmgrs/WMBUXBZ1/errors/AMQERR01.LOG
    -----------------------------------------------------------------------------

    ----- amqrmrsa.c : 565 --------------------------------------------------------
    04/23/13 08:34:46 - Process(41353304.59) User(mqm) Program(amqrmppa)
                        Host(aktc1infa12a)
    AMQ9639: Remote channel 'SSL.SVRCONN' did not specify a CipherSpec.

    EXPLANATION:
    Remote channel 'SSL.SVRCONN' did not specify a CipherSpec when the local
    channel expected one to be specified. The channel did not start.
    ACTION:
    Change the remote channel 'SSL.SVRCONN' to specify a CipherSpec so that both
    ends of the channel have matching CipherSpecs.
    ----- amqcccxa.c : 3047 -------------------------------------------------------
    04/23/13 08:34:46 - Process(41353304.59) User(mqm) Program(amqrmppa)
                        Host(aktc1infa12a)
    AMQ9999: Channel program ended abnormally.

    EXPLANATION:
    Channel program 'SSL.SVRCONN' ended abnormally.
    ACTION:
    Look at previous error messages for channel program 'SSL.SVRCONN' in the error
    files to determine the cause of the failure.
    ----- amqrmrsa.c : 565 --------------------------------------------------------

     

    Channel Definitions from Server Side
    ------------------------------------

    DEFINE CHANNEL ('SSL.SVRCONN') CHLTYPE(SVRCONN) +
           TRPTYPE(TCP) +
           DESCR(' ') +
           HBINT(180) +
           MAXMSGL(104857600) +
           MCAUSER(' ') +
           RCVDATA(' ') +
           RCVEXIT(' ') +
           SCYDATA(' ') +
           SCYEXIT(' ') +
           SENDDATA(' ') +
           SENDEXIT(' ') +
           SSLCAUTH(REQUIRED) +
           SSLCIPH('DES_SHA_EXPORT') +
           SSLPEER(' ') +
           KAINT(AUTO) +
           MONCHL(OFF) +
           COMPMSG(NONE) +
           COMPHDR(NONE) +
           SHARECNV(10) +
           MAXINST(999999999) +
           MAXINSTC(999999999) +
           REPLACE

    DEFINE CHANNEL ('SSL.SVRCONN') CHLTYPE(CLNTCONN) +
           TRPTYPE(TCP) +
           CONNAME('aktc1infa12a(1419)') +
           LOCLADDR(' ') +
           DESCR(' ') +
           HBINT(300) +
           MAXMSGL(4194304) +
           QMNAME('WMBUXBZ1') +
           RCVDATA(' ') +
           RCVEXIT(' ') +
           SCYDATA(' ') +
           SCYEXIT(' ') +
           SENDDATA(' ') +
           SENDEXIT(' ') +
           USERID(' ') +
           SSLCIPH('DES_SHA_EXPORT') +
           SSLPEER(' ') +
           KAINT(AUTO) +
           COMPMSG(NONE) +
           COMPHDR(NONE) +
           SHARECNV(10) +
           AFFINITY(PREFERRED) +
           CLNTWGHT(0) +
           REPLACE


    Note that the CCDT was copied from the server side to the client side.
    File AMQCLCHL.TAB was copied from /var/mqm/qmgrs/WMBUXBZ1/@ipcc to c:\akey\

  • Morag Hughson
    Morag Hughson
    140 Posts

    Re: SSL Channel not working

    ‏2013-04-23T14:47:21Z  

    As you yourself noted in your question - if you set MQSERVER that takes precedence over the CCDT. You must remove the MQSERVER environment variable. The channel name will be found in the record in the CCDT - this record is found by looking up the queue manager name that you used when you connected (MQCONN).

    Remove that env var and re-run amqsputc - what happens now?

    Cheers
    Morag

  • peterfa
    peterfa
    38 Posts

    Re: SSL Channel not working

    ‏2013-04-23T15:17:22Z  

    You are absolutely correct, I must be having a brain failure today !

    I pulled out my own personal cheat sheet on "how to run amqsputc", and it had in it the setting of MQSERVER, which I blindly followed.

    I corrected that, and got an MQRC of 2381. ( missing MQSSLKEYR ).

    I fixed that, and now it works ! ( see information below ).

    I had to rerun the test and then look at the channels while amqsputc was running ( waiting for me to enter something ) so that I could verify which channel it was using. It was using SSL.SVRCONN. I am wondering what happens if I have 2 CLNTCONN channels both pointing to the same queue manager. Which one does it use ?

    Now I'm going to test with the program I wanted to get working on this SSL connection. I'll update this again after that.

     

     

    Next Attempt - DOS window
    --------------------------

    Microsoft Windows XP [Version 5.1.2600]
    (C) Copyright 1985-2001 Microsoft Corp.

    c:\>ccdt1

    c:\>set MQCHLLIB=c:\akey\

    c:\>set MQCHLTAB=AMQCLCHL.TAB
    c:\>set MQ
    MQCHLLIB=c:\akey\
    MQCHLTAB=AMQCLCHL.TAB
    MQSERVER=SYSTEM.ADMIN.SVRCONN/TCP/aktc1infa12a(1415)
    MQ_FILE_PATH=C:\MQM
    MQ_JAVA_DATA_PATH=C:\MQM
    MQ_JAVA_INSTALL_PATH=C:\MQM\Java

    c:\>set MQSERVER=

    c:\>set MQ
    MQCHLLIB=c:\akey\
    MQCHLTAB=AMQCLCHL.TAB
    MQ_FILE_PATH=C:\MQM
    MQ_JAVA_DATA_PATH=C:\MQM
    MQ_JAVA_INSTALL_PATH=C:\MQM\Java

    c:\>cd\MQM\bin

    C:\MQM\bin>amqsputc TEST WMBUXBZ1
    Sample AMQSPUT0 start
    MQCONN ended with reason code 2381

    C:\MQM\bin>


    Error Message from Client Side
    ------------------------------


    ----- cmqxrfpt.c : 457 --------------------------------------------------------
    4/23/2013 09:52:42 - Process(5248.1) User(mq027721) Program(amqsputc.exe)
                        Host(INFO_KW-HG6CML1)
    AMQ9627: The path and stem name for the SSL key repository have not been
    specified.

    EXPLANATION:
    The directory path and file stem name for the SSL key repository have not been
    specified. On a MQ client system there is no default location for this file.
    SSL connectivity is therefore impossible as this file cannot be accessed.  
    ACTION:
    Use the MQSSLKEYR environment variable or MQCONNX API call to specify the
    directory path and file stem name for the SSL key repository.
    ----- amqrssca.c : 203 --------------------------------------------------------


    Next attempt - DOS window
    --------------------------

    This time I added the MQSSLKEYR environment variable to specify the location of the keystore
    on the client side. Here is what I added:
    set MQSSLKEYR=c:\akey\key    ( leaving off the .kdb suffix of the file name, which is key.kdb ).

    AND, it works !!


    C:\MQM\bin>set MQSSLKEYR=c:\akey\key

    C:\MQM\bin>set MQ
    MQCHLLIB=c:\akey\
    MQCHLTAB=AMQCLCHL.TAB
    MQSSLKEYR=c:\akey\key
    MQ_FILE_PATH=C:\MQM
    MQ_JAVA_DATA_PATH=C:\MQM
    MQ_JAVA_INSTALL_PATH=C:\MQM\Java

    C:\MQM\bin>amqsputc TEST WMBUXBZ1
    Sample AMQSPUT0 start
    target queue is TEST
    xxx

    Sample AMQSPUT0 end

    C:\MQM\bin>
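
Added example, not part of the original thread: a Python preflight check for the three client-side conditions worked through above (MQSERVER overriding the CCDT, the CCDT file named by MQCHLLIB and MQCHLTAB, and the MQSSLKEYR stem). The function name, finding codes and sample values are made up for illustration; it assumes a C client configured only through environment variables, so an application that supplies channel details programmatically is outside what it can see.

```python
import ntpath  # the client in this thread is Windows; ntpath behaves the same on any OS
import os


def check_mq_client_env(env, file_exists=os.path.isfile):
    """Return [(code, message), ...] for problems in an MQ C client's SSL environment.

    env         -- mapping of environment variable names to values
    file_exists -- callable(path) -> bool; injectable so the check can be run
                   against a description of another machine
    """
    # Windows variable names are case-insensitive (the thread's .bat sets "mqserver").
    env = {name.upper(): value for name, value in env.items()}
    findings = []

    # 1. MQSERVER takes precedence over the CCDT, so the SSLCIPH stored in the
    #    CLNTCONN record is never read and the client offers no CipherSpec.
    mqserver = env.get("MQSERVER", "").strip()
    if mqserver:
        findings.append((
            "MQSERVER_OVERRIDES_CCDT",
            f"MQSERVER={mqserver} is set and takes precedence over the CCDT; "
            "in the thread this gave reason code 2393 on the client and "
            "AMQ9639 on the queue manager. Unset it.",
        ))

    # 2. The CCDT is located by MQCHLLIB (directory) plus MQCHLTAB (file name).
    chllib = env.get("MQCHLLIB", "").strip()
    chltab = env.get("MQCHLTAB", "").strip()
    if chllib and chltab:
        ccdt = ntpath.join(chllib, chltab)
        if not file_exists(ccdt):
            findings.append(("CCDT_NOT_FOUND", f"CCDT file {ccdt} does not exist."))
    else:
        findings.append((
            "CCDT_PATH_NOT_SET",
            "MQCHLLIB and/or MQCHLTAB is not set; the CCDT location cannot be "
            "verified from the environment.",
        ))

    # 3. MQSSLKEYR is the path plus file stem of the key repository, i.e. the
    #    name of the .kdb file with the suffix left off.
    keyr = env.get("MQSSLKEYR", "").strip()
    if not keyr:
        findings.append((
            "KEYR_NOT_SET",
            "MQSSLKEYR is not set; in the thread this gave reason code 2381 "
            "and AMQ9627 on the client.",
        ))
    elif keyr.lower().endswith(".kdb"):
        findings.append((
            "KEYR_HAS_SUFFIX",
            f"MQSSLKEYR={keyr} includes the .kdb suffix; give the stem only.",
        ))
    elif not file_exists(keyr + ".kdb"):
        findings.append((
            "KEYR_NOT_FOUND",
            f"No key database at {keyr}.kdb; check the path and stem.",
        ))

    return findings


if __name__ == "__main__":
    # Constructed description of the client machine: the two files the thread
    # says exist under c:\akey\ (compared case-insensitively, as on Windows).
    present = {"c:\\akey\\amqclchl.tab", "c:\\akey\\key.kdb"}

    def exists(path):
        return path.lower() in present

    base = {"MQCHLLIB": "c:\\akey\\", "MQCHLTAB": "AMQCLCHL.TAB"}
    attempts = {
        "MQSERVER still set": {**base, "MQSERVER": "SSL.SVRCONN/TCP/aktc1infa12a(1419)"},
        "MQSERVER removed": dict(base),
        "MQSSLKEYR added": {**base, "MQSSLKEYR": "c:\\akey\\key"},
    }
    for label, env in attempts.items():
        print(label)
        for code, message in check_mq_client_env(env, exists) or [("OK", "no findings")]:
            print(f"  {code}: {message}")
```

On a real client, call `check_mq_client_env(os.environ)` from the same command prompt that will launch the application, so that the environment inspected is the one the client inherits.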

     

     

     

     

     

     

     

     

  • peterfa
    peterfa
    38 Posts

    Re: SSL Channel not working

    ‏2013-04-23T15:39:37Z  

    I ran the program I was trying to test, which is CQQueueTool.exe.

    It thinks that the client side is not specifying a CipherSpec. I am thinking that this program may be doing something "tricky". I did set up the environment variables the same way I had set them up for amqsputc. See below. What might this program be doing to negate what I had set up in the environment variables ?

     

    DOS window
    -----------

    Microsoft Windows XP [Version 5.1.2600]
    (C) Copyright 1985-2001 Microsoft Corp.

    c:\>mqcqssl
    Enter Payroll Number: 27721
    MQCHLLIB=c:\akey\
    MQCHLTAB=AMQCLCHL.TAB
    MQSSLKEYR=c:\akey\key\
    MQ_FILE_PATH=C:\MQM
    MQ_JAVA_DATA_PATH=C:\MQM
    MQ_JAVA_INSTALL_PATH=C:\MQM\Java
    Enter the password for mq027721@cbsh.com:
    Attempting to start cmd /K "C:\Program Files\CommerceQuest\QueueTool\CQQueueTool.exe" as user "mq027721@cbsh.com"

    ...
    C:\Program Files\CommerceQuest\QueueTool>


    Copy of .bat file  mqcqssl.bat
    ------------------------------

    @echo off
    rem set INCENTIVE=27721
    set /P INCENTIVE=Enter Payroll Number:
    set EXECPATH=C:\Program Files\CommerceQuest\QueueTool\
    set APPDATA=C:\Documents and Settings\MQ0%INCENTIVE%\Local Settings\Temp
    set PATH=%PATH%;%EXECPATH%
    rem set mqserver=SSL.SVRCONN/TCP/aktc1infa12a(1419)
    set mqserver=
    set MQCHLLIB=c:\akey\
    set MQCHLTAB=AMQCLCHL.TAB
    set MQSSLKEYR=c:\akey\key\
    cd %EXECPATH%
    set MQ
    runas.exe /env /user:mq0%INCENTIVE%@cbsh.com "cmd /K \"%EXECPATH%CQQueueTool.exe\""


    Error Message on Client Side
    ----------------------------

    ----- cmqxrfpt.c : 457 --------------------------------------------------------
    4/23/2013 10:26:17 - Process(12324.1) User(MQ027721) Program(CQQueueTool.exe)
                        Host(INFO_KW-HG6CML1)
    AMQ9641: Remote CipherSpec error for channel 'SSL.SVRCONN'.

    EXPLANATION:
    The remote end of channel 'SSL.SVRCONN' has had a CipherSpec error. The channel
    did not start.
    ACTION:
    Review the error logs on the remote system to discover the problem with the
    CipherSpec.
    ----- cmqxrfpt.c : 457 --------------------------------------------------------


    Error Message on Server Side:
    -----------------------------

    ----- amqrmrsa.c : 565 --------------------------------------------------------
    04/23/13 10:26:35 - Process(41353304.66) User(mqm) Program(amqrmppa)
                        Host(aktc1infa12a)
    AMQ9639: Remote channel 'SSL.SVRCONN' did not specify a CipherSpec.

    EXPLANATION:
    Remote channel 'SSL.SVRCONN' did not specify a CipherSpec when the local
    channel expected one to be specified. The channel did not start.
    ACTION:
    Change the remote channel 'SSL.SVRCONN' to specify a CipherSpec so that both
    ends of the channel have matching CipherSpecs.
    ----- amqcccxa.c : 3047 -------------------------------------------------------
    04/23/13 10:26:35 - Process(41353304.66) User(mqm) Program(amqrmppa)
                        Host(aktc1infa12a)
    AMQ9999: Channel program ended abnormally.

    EXPLANATION:
    Channel program 'SSL.SVRCONN' ended abnormally.
    ACTION:
    Look at previous error messages for channel program 'SSL.SVRCONN' in the error
    files to determine the cause of the failure.
    ----- amqrmrsa.c : 565 --------------------------------------------------------
     

     

     

  • Morag Hughson
    Morag Hughson
    140 Posts

    Re: SSL Channel not working

    ‏2013-04-23T16:08:37Z  

    I am wondering what happens if I have 2 CLNTCONN channels both pointing to the same queue manager. Which one does it use ?

    The channel will pick the one that is alphabetically first unless CLNTWGHT is set to a non-zero value. CLNTWGHT can be used (if set to a non-zero value) to ensure when lots of clients are coming in, that they are distributed between the choices as per the weights specified.

    What might this program be doing to negate what I had set up in the environment variables ?

    It could be programmatically providing the channel details inside the program. Do you have usage instructions for this application?

    Cheers
    Morag
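
Added example, not part of any post in this thread: a small parser for the error-log layout quoted above that pairs the server-side AMQ9639 with the client-side AMQ9641 on the same channel, which names the client program and user that connected without a CipherSpec. The function names are hypothetical, and the layout is assumed to be exactly as in the quoted excerpts.

```python
import re

# Excerpts trimmed from the client and server error logs quoted in the thread.
CLIENT_LOG = """\
----- cmqxrfpt.c : 457 --------------------------------------------------------
4/23/2013 10:26:17 - Process(12324.1) User(MQ027721) Program(CQQueueTool.exe)
                    Host(INFO_KW-HG6CML1)
AMQ9641: Remote CipherSpec error for channel 'SSL.SVRCONN'.

EXPLANATION:
The remote end of channel 'SSL.SVRCONN' has had a CipherSpec error. The channel
did not start.
----- cmqxrfpt.c : 457 --------------------------------------------------------
"""
SERVER_LOG = """\
----- amqrmrsa.c : 565 --------------------------------------------------------
04/23/13 10:26:35 - Process(41353304.66) User(mqm) Program(amqrmppa)
                    Host(aktc1infa12a)
AMQ9639: Remote channel 'SSL.SVRCONN' did not specify a CipherSpec.
----- amqcccxa.c : 3047 -------------------------------------------------------
04/23/13 10:26:35 - Process(41353304.66) User(mqm) Program(amqrmppa)
                    Host(aktc1infa12a)
AMQ9999: Channel program ended abnormally.
----- amqrmrsa.c : 565 --------------------------------------------------------
"""

RULER = re.compile(r"^-{5} \S+ : \d+ -+$", re.M)   # "----- file.c : line -----"
HEADER = re.compile(
    r"^(?P<when>\S+ \S+) - Process\((?P<pid>[^)]*)\) User\((?P<user>[^)]*)\) "
    r"Program\((?P<program>[^)]*)\)\s+Host\((?P<host>[^)]*)\)\s+"
    r"(?P<code>AMQ\d{4}): (?P<text>.*)")
QUOTED = re.compile(r"'([^']+)'")                   # channel name in the message

def parse_entries(log):
    """Split a log on its ruler lines and parse each entry's header and message."""
    entries = []
    for chunk in RULER.split(log):
        m = HEADER.search(chunk.strip())
        if m:
            entry = m.groupdict()
            name = QUOTED.search(entry["text"])
            entry["channel"] = name.group(1) if name else None
            entries.append(entry)
    return entries

def clients_without_cipherspec(client_log, server_log):
    """Client programs whose AMQ9641 matches a server AMQ9639 on the same channel."""
    channels = {e["channel"] for e in parse_entries(server_log) if e["code"] == "AMQ9639"}
    return [(e["program"], e["user"], e["channel"]) for e in parse_entries(client_log)
            if e["code"] == "AMQ9641" and e["channel"] in channels]
```

Timestamps are kept as strings because the two hosts log in different date formats and their clocks differ by several seconds in the excerpts, so the match is made on channel name rather than time.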

  • peterfa
    peterfa
    38 Posts

    Re: SSL Channel not working

    ‏2013-04-23T16:27:52Z  

    I am wondering what happens if I have 2 CLNTCONN channels both pointing to the same queue manager. Which one does it use ?

    The channel will pick the one that is alphabetically first unless CLNTWGHT is set to a non-zero value. CLNTWGHT can be used (if set to a non-zero value) to ensure when lots of clients are coming in, that they are distributed between the choices as per the weights specified.

    What might this program be doing to negate what I had set up in the environment variables ?

    It could be programmatically providing the channel details inside the program. Do you have usage instructions for this application?

    Cheers
    Morag

    I think you are right. This program can connect to more than 1 queue manager, and it accepts parameters to tell it how to connect to each one. For the connection to a queue manager, the user can provide the following:

    Queue Manager Name

    Conname

    Channel name ( the svrconn channel to use )

    Security Exit

    Security User Data

    Send Exit

    Send User Data

    Receive Exit

    Receive User Data

    I don't know if any of these can be used to indicate an SSL connection. The SVRCONN channel name can refer to a channel that has a CipherSpec specified; that seems to be about it.

     

  • Morag Hughson
    Morag Hughson
    140 Posts

    Re: SSL Channel not working

    ‏2013-04-23T18:12:32Z  
    • peterfa
    • ‏2013-04-23T16:27:52Z

    I think you are right. This program can connect to more than 1 queue manager, and it accepts parameters to tell it how to connect to each one. For the connection to a queue manager, the user can provide the following:

    Queue Manager Name

    Conname

    Channel name ( the svrconn channel to use )

    Security Exit

    Security User Data

    Send Exit

    Send User Data

    Receive Exit

    Receive User Data

    I don't know if any of these can be used to indicate an SSL connection. The SVRCONN channel name can refer to a channel that has a CipherSpec specified; that seems to be about it.

     

    You're going to have to get in touch with the authors of the program to find out how to make use of either a CCDT, or how to explicitly provide the program with the CipherSpec.

  • peterfa
    peterfa
    38 Posts

    Re: SSL Channel not working

    ‏2013-04-23T18:22:19Z  

    You're going to have to get in touch with the authors of the program to find out how to make use of either a CCDT, or how to explicitly provide the program with the CipherSpec.

    OK. Thanks for all your help with this.

    Much appreciated !