Morag,

I have now installed version 6.0.5.45 of the GSkit tool. When I start channels via "inetd", all channels become active (fine), but when I start channels using the MQ listener, the channels from QM2 (with version 3 extensions) to the other ones go into RETRY mode. In the trace output of "amqrmppa" I found the message "E_SSL_BAD_CERT". Maybe there is a problem in the program "amqrmppa"?

Regards
Hubert

> -----Original Message-----
> From: MQSeries List [SMTP:[EMAIL PROTECTED]] on behalf of Hubert Kleinmanns
> Sent: Tuesday, 7 June 2005 08:33
> To: [email protected]
> Subject: RE: Tracing SSL on MQ channels - Update
>
> Morag,
>
> I just did another test and started receiver MCAs using the inetd instead
> of the listener. Surprise, surprise, the channel QM4.QM3 now becomes active!
> The process "amqcrsta" now accepts the key file (whereas the process
> "amqrmppa" started by the listener did not). But the channels to the QMgr
> QM2 (with version 3 extensions) still do not start!
>
> I also tried the flags MCATYPE(THREAD) and MCATYPE(PROCESS) - with no
> effect.
>
> Do you have any ideas?
>
> Hubert
>
> > -----Original Message-----
> > From: MQSeries List [SMTP:[EMAIL PROTECTED]] on behalf of Hubert Kleinmanns
> > Sent: Tuesday, 7 June 2005 07:31
> > To: [email protected]
> > Subject: RE: Tracing SSL on MQ channels
> >
> > Morag,
> >
> > I have to set up SSL channels between Unix systems (AIX and Sun Solaris),
> > between Unix and Windows and between Unix/Windows to mainframes. We have
> > an internal CA which creates certificates I have to use. Unfortunately
> > these certificates contain version 3 extensions, which are designed for
> > web servers. It seems to us that these extensions do not work with the
> > GSkit tool on Unix systems. Several days ago, I set up a connection from
> > AIX to z/OS. This connection was closed by the mainframe when I tried to
> > start the sender channel on AIX. The mainframe people told something about
> > "invalid certificate" - no more comments.
> >
> > Now I am testing the SSL connections between several Sun Solaris QMgrs.
> > These QMgrs run on the same Sun Solaris box with WMQ 5.3 and CSD10. I am
> > testing several certificates with different options, to find out why (and
> > which) version 3 extensions cause the problems. My test scenario consists
> > of three QMgrs:
> >
> > - QM2 has an official certificate of our internal CA.
> > - QM3/QM4 are used for test and comparison reasons.
> >
> > First I created certificates (using a private CA, not the official one)
> > without version 3 extensions for QM3 and QM4. I created both certificates
> > in the same way with gsk6cmd and received them into the QMgrs. When I
> > define an SSL cipher spec, the channel QM3.QM4 becomes active, but the
> > channel QM4.QM3 does not. I found the message "E_SSL_BAD_KEYFILE_LABEL" in
> > the trace file of the process "amqrmppa".
> >
> > When I understand why the channel QM4.QM3 does not start, and this problem
> > is solved, I will try to connect QM3 with QM2 - which has an official
> > certificate with version 3 extensions. The next step will be to connect
> > QM2 to the mainframe.
> >
> > CSD10 includes version 6.0.5.43 of the GSkit tool. I also found a version
> > 6.0.5.45 on IBM's web site. Does it make sense to install the higher
> > version of the GSkit tool?
> >
> > TIA
> > Hubert
> >
> > > -----Original Message-----
> > > From: MQSeries List [SMTP:[EMAIL PROTECTED]] on behalf of Morag Hughson
> > > Sent: Monday, 6 June 2005 19:58
> > > To: [email protected]
> > > Subject: Re: Tracing SSL on MQ channels
> > >
> > > From the System Administration Guide:-
> > >
> > >   SSL trace
> > >
> > >   If you request SSL trace, note the following:
> > >
> > >   SSL trace is written to the directory /var/mqm/trace.
> > >
> > >   The SSL trace files are AMQ.SSL.TRC and AMQ.SSL.TRC.1.
> > >
> > >   You cannot format SSL trace files; send them unchanged to IBM
> > >   support.
> > >
> > > What exactly are you trying to capture trace of in the SSL Handshake?
> > >
> > > Cheers
> > > Morag
> > >
> > > Morag Hughson
> > > WebSphere MQ for z/OS Development
> > > Internet: [EMAIL PROTECTED]
> > >
> > > From: Hubert Kleinmanns <[EMAIL PROTECTED]>
> > > Sent by: MQSeries List <[EMAIL PROTECTED]>
> > > Date: 06/06/2005 17:21
> > > Please respond to MQSeries List
> > > To: [email protected]
> > > cc:
> > > Subject: Tracing SSL on MQ channels
> > >
> > > Hi all,
> > >
> > > I am trying to trace MQ during the SSL handshake of a channel start.
> > > Before I start the channel, I activate MQ tracing using the command:
> > >
> > >   strmqtrc -t all -t detail -m <name of the QMgr>
> > >
> > > Afterwards I see several files ending with ".TRC". Then I try to format
> > > the trace files using the command:
> > >
> > >   dspmqtrc -o <output file> <trace file>
> > >
> > > Now the output files contain the trace data (in a more or less readable
> > > way) and are always bigger than the trace files - all but one:
> > >
> > > The file AMQ.SSL.TRC is about 600 KB large, but the output file
> > > AMQ.SSL.DSP contains only 132 bytes in three lines:
> > >
> > >   Timestamp Process.Thread Trace Data
> > >   ===========================================
> > >   ===========================================
> > >
> > > Now my questions:
> > >
> > > 1. How may I format the file AMQ.SSL.TRC?
> > >
> > > 2. Do I have to use other options for strmqtrc or dmpmqtrc (maybe
> > >    undocumented)?
> > >
> > > 3. Is there another way to trace the SSL handshake?
> > >
> > > Thanks in advance
> > > Hubert
> > >
> > > Instructions for managing your mailing list subscription are provided in
> > > the Listserv General Users Guide available at http://www.lsoft.com
> > > Archive: http://listserv.meduniwien.ac.at/archives/mqser-l.html
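
For the comparison described in the thread (an official certificate with version 3 extensions against a test certificate without them), one way to see exactly which extensions differ is to compare the text dumps that `openssl x509 -noout -text` prints. This is an added example, not part of the original thread; it assumes the certificates are available as PEM files and that OpenSSL (not GSKit) is used for the dump, and both abridged dumps below are constructed samples.

```shell
# list_v3_extensions: read `openssl x509 -noout -text` output on stdin, print
# one line per X.509v3 extension, with " critical" appended when flagged.
list_v3_extensions() {
    awk '
        /X509v3 extensions:/       { inext = 1; next }
        /^    Signature Algorithm/ { inext = 0 }
        # Extension names are indented 12 spaces, their values 16.
        inext && /^            [^ ]/ {
            line = $0; sub(/^ +/, "", line); sub(/ +$/, "", line)
            crit = (line ~ /: critical$/) ? " critical" : ""
            sub(/:( critical)?$/, "", line)
            print line crit
        }'
}
# extensions_only_in A B: extensions in dump file A that dump file B lacks.
extensions_only_in() {
    a=$(mktemp); b=$(mktemp)
    list_v3_extensions < "$1" | LC_ALL=C sort > "$a"
    list_v3_extensions < "$2" | LC_ALL=C sort > "$b"
    LC_ALL=C comm -23 "$a" "$b"
    rm -f "$a" "$b"
}
# Constructed, abridged dumps (not from the thread): a CA-issued certificate
# with web-server style extensions, and an extension-free test certificate.
sample_official() { cat <<'EOF'
    Data:
        Version: 3 (0x2)
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage:
                TLS Web Server Authentication
    Signature Algorithm: sha1WithRSAEncryption
EOF
}
sample_private() { cat <<'EOF'
    Data:
        Version: 1 (0x0)
    Signature Algorithm: sha1WithRSAEncryption
EOF
}
compare_samples() {
    d=$(mktemp -d)
    sample_official > "$d/official.txt"; sample_private > "$d/private.txt"
    extensions_only_in "$d/official.txt" "$d/private.txt"
    rm -rf "$d"
}
compare_samples
```

For real certificates, save each `openssl x509 -in <file> -noout -text` dump to a file and pass the two files to `extensions_only_in`; extensions marked critical are the ones a verifier must reject if it does not understand them.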
