The short answer is to remove the MQSERVER environment variable. For further details and references, read below.

If you specify the MQSERVER environment variable, MQ will only use this information and ignore the CCDT environment variables (MQCHLLIB and MQCHLTAB).

This is referenced in the IBM MQ Knowledge Center page Configuring > Configuring connections between the server and clients > Using IBM MQ environment variables > MQSERVER > Using MQSERVER:

If you use the MQSERVER environment variable to define the channel between your IBM® MQ MQI client machine and a server machine, this is the only channel available to your application, and no reference is made to the client channel definition table (CCDT).

Further information on how an MQ application determines its connection details is referenced in the IBM MQ Knowledge Center page Developing applications > Developing MQI applications with IBM MQ > Writing client procedural applications > Running applications in the IBM MQ MQI client environment > Connecting IBM MQ MQI client applications to queue managers:

When an application running in an IBM MQ client environment issues an MQCONN or MQCONNX call, the client identifies how it is to make the connection. When an MQCONNX call is issued by an application on an IBM MQ client, the MQI client library searches for the client channel information in the following order:
- Using the contents of the ClientConnOffset or ClientConnPtr fields of the MQCNO structure (if supplied). These fields identify the channel definition structure (MQCD) to be used as the definition of the client connection channel. Connection details can be overridden by using a pre-connect exit. For more information, see Referencing connection definitions using a pre-connect exit from a repository.
- If the MQSERVER environment variable is set, the channel it defines is used.
- If an mqclient.ini file is defined and contains a ServerConnectionParms, the channel that it defines is used. For more information, see Configuring a client using a configuration file and CHANNELS stanza of the client configuration file.
- If the MQCHLLIB and MQCHLTAB environment variables are set, the client channel definition table they point to is used.
- If an mqclient.ini file is defined and contains ChannelDefinitionDirectory and ChannelDefinitionFile attributes, these attributes are used to locate the client channel definition table. For more information, see Configuring a client using a configuration file and CHANNELS stanza of the client configuration file.

Finally, if the environment variables are not set, the client searches for a client channel definition table with a path and name that are established from the DefaultPrefix in the mqs.ini file. If the search for a client definition table fails, the client uses the following paths:
- UNIX and Linux systems: /var/mqm/AMQCLCHL.TAB
- Windows: C:\Program Files\IBM\WebSphere MQ\amqclchl.tab
- IBM i: /QIBM/UserData/mqm/@ipcc
- IBM MQ Appliance: _AMQCLCHL.TAB. They appear under the mqbackup:// URI.

You cannot specify a CipherSpec using the MQSERVER environment variable. This is referenced in the IBM MQ Knowledge Center page Configuring > Configuring connections between the server and clients > Using IBM MQ environment variables > MQSERVER:

The MQSERVER environment variable is used to define a minimal channel. MQSERVER specifies the location of the IBM® MQ server and the communication method to be used. You cannot use MQSERVER to define an SSL channel or a channel with channel exits. For details of how to define an SSL channel, see Protecting channels with SSL.
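The search order quoted above, as an added example that is not part of the original answer: given a program's environment variables and the text of its mqclient.ini, it reports which channel definition source the client will actually use and which configured sources are silently ignored (the situation in the question, where MQSERVER shadows the CCDT). The environment values and the ini text are constructed.

```go
// Added example: resolves the client channel definition source in the
// documented priority order. All sample values are constructed.
package main

import (
	"fmt"
	"strings"
)

// Candidate is one configured source of a client channel definition.
type Candidate struct {
	Source string // where the definition comes from
	Value  string // what that source supplies
}

// Source names, in the priority order given in the documentation quoted above.
const (
	SrcMQCNO         = "MQCD supplied by the application (MQCNO ClientConnPtr/ClientConnOffset)"
	SrcMQSERVER      = "MQSERVER environment variable"
	SrcIniServerConn = "mqclient.ini CHANNELS ServerConnectionParms"
	SrcEnvCCDT       = "CCDT named by MQCHLLIB/MQCHLTAB"
	SrcIniCCDT       = "CCDT named by mqclient.ini ChannelDefinitionDirectory/ChannelDefinitionFile"
	SrcDefaultCCDT   = "CCDT at the default path (DefaultPrefix from mqs.ini, else the platform default)"
)

// channelsStanza returns the Key=Value attributes of the CHANNELS: stanza of an
// mqclient.ini. Stanza headers end with ':'; attributes in other stanzas are ignored.
func channelsStanza(ini string) map[string]string {
	attrs := map[string]string{}
	inChannels := false
	for _, raw := range strings.Split(ini, "\n") {
		line := strings.TrimSpace(raw)
		if line == "" || strings.HasPrefix(line, "#") || strings.HasPrefix(line, ";") {
			continue
		}
		if strings.HasSuffix(line, ":") {
			inChannels = strings.EqualFold(strings.TrimSuffix(line, ":"), "CHANNELS")
			continue
		}
		if k, v, ok := strings.Cut(line, "="); ok && inChannels {
			attrs[strings.TrimSpace(k)] = strings.TrimSpace(v)
		}
	}
	return attrs
}

// Candidates lists every configured source in priority order. The first entry
// is the one the client uses; the rest are present but never consulted.
// appSuppliedMQCD is true when the program fills cno.ClientConn itself.
func Candidates(appSuppliedMQCD bool, env map[string]string, ini string) []Candidate {
	var out []Candidate
	if appSuppliedMQCD {
		out = append(out, Candidate{SrcMQCNO, "(MQCD built in code)"})
	}
	if v := env["MQSERVER"]; v != "" {
		out = append(out, Candidate{SrcMQSERVER, v})
	}
	attrs := channelsStanza(ini)
	if v := attrs["ServerConnectionParms"]; v != "" {
		out = append(out, Candidate{SrcIniServerConn, v})
	}
	if lib, tab := env["MQCHLLIB"], env["MQCHLTAB"]; lib != "" && tab != "" {
		out = append(out, Candidate{SrcEnvCCDT, lib + "/" + tab})
	}
	if dir, file := attrs["ChannelDefinitionDirectory"], attrs["ChannelDefinitionFile"]; dir != "" && file != "" {
		out = append(out, Candidate{SrcIniCCDT, dir + "/" + file})
	}
	// The fallback is always present: the default CCDT location.
	return append(out, Candidate{SrcDefaultCCDT, "e.g. /var/mqm/AMQCLCHL.TAB on UNIX and Linux"})
}

func main() {
	// Constructed situation from the question: MQSERVER set alongside a CCDT.
	env := map[string]string{
		"MQSERVER": "CLOUD.APP.SVRCONN/TCP/qm1.example.com(31235)", // constructed value
		"MQCHLLIB": "/var/mqm/ccdt",
		"MQCHLTAB": "AMQCLCHL.TAB",
	}
	ini := "CHANNELS:\n   ChannelDefinitionDirectory=/home/app/ccdt\n   ChannelDefinitionFile=AMQCLCHL.TAB\n"
	cands := Candidates(false, env, ini)
	fmt.Printf("USED:    %s -> %s\n", cands[0].Source, cands[0].Value)
	for _, c := range cands[1:] {
		fmt.Printf("IGNORED: %s -> %s\n", c.Source, c.Value)
	}
}
```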
I have created a queue manager from IBM Cloud. Connecting using user name and password looks fine; however, after enabling TLS/SSL I got the error below.
See the screenshot of the config and code snippet below. Can you help me figure out anything I missed?
Error message

```text
AMQ9642E: No SSL or TLS certificate for channel 'CLOUD.APP.SVRCONN'.
EXPLANATION:
The channel 'CLOUD.APP.SVRCONN' did not supply a certificate to use during SSL
or TLS handshaking, but a certificate is required by the remote queue manager.
The remote host is 'a6 (130.198.80.166)(31235)'.
The channel did not start.
ACTION:
Ensure that the key repository of the local queue manager or MQ client contains
a certificate which is associated with the queue manager or client. If you have
configured a certificate label, check that the certificate exists.
Alternatively, if appropriate, change the remote channel definition so that its
SSLCAUTH attribute is set to OPTIONAL and it has no SSLPEER value set.
```
Channel SSL config: the SSL certificate is set up in the channel.
Queue manager SSL config: the SSL certificate is set up in the queue manager.
Keystore commands

Created a certificate store and added the certificate qmgrcert downloaded from the queue manager:

```shell
runmqakm -keydb -create -db key.kdb -pw dcc -type cms -stash
runmqakm -keydb -stashpw -db key.kdb -pw dcc
runmqakm -cert -add -db key.kdb -pw dcc -type pem -file qmgrcert.pem -label qmgrcert
runmqakm -cert -list all -db key.kdb -pw dcc
```

Output of the list command:

```text
5724-H72 (C) Copyright IBM Corp. 1994, 2018.
Certificates found
* default, - personal, ! trusted, # secret key
! qmgrcert
! "CN=DigiCert SHA2 Secure Server CA,O=DigiCert Inc,C=US"
! "CN=DigiCert Global Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US"
```
Code snippet: passing the certificate store into the code

```go
package main

import (
	"github.com/ibm-messaging/mq-golang/v5/ibmmq" // assumed module path for the ibmmq package
)

func openQueueManager() (*ibmmq.MQQueueManager, error) {
	// Connect as a client over a channel rather than with local bindings
	cno := ibmmq.NewMQCNO()
	cno.Options = ibmmq.MQCNO_CLIENT_BINDING

	// Channel definition (MQCD) supplied in code, so MQSERVER and the CCDT are not consulted
	cd := ibmmq.NewMQCD()
	cd.ChannelName = "CLOUD.APP.SVRCONN"
	cd.ConnectionName = "qm1-c28c.qm.au-syd.mq.appdomain.cloud(31235)"
	cd.SSLCipherSpec = "TLS_RSA_WITH_AES_256_CBC_SHA256"
	cd.SSLClientAuth = ibmmq.MQSCA_REQUIRED
	cd.CertificateLabel = "qmgrcert"
	cno.ClientConn = cd

	// User ID and password sent in the MQCSP
	csp := ibmmq.NewMQCSP()
	csp.AuthenticationType = ibmmq.MQCSP_AUTH_USER_ID_AND_PWD
	csp.UserId = "johnapp"
	csp.Password = "xyz"
	cno.SecurityParms = csp

	// TLS options (MQSCO): the key repository path is given without the .kdb suffix.
	// A raw string is required: "C:\work\bin\ssl\key" does not compile because \w is not a valid escape.
	sco := ibmmq.NewMQSCO()
	sco.KeyRepository = `C:\work\bin\ssl\key`
	sco.CertificateLabel = "qmgrcert"
	cno.SSLConfig = sco

	qmgr, err := ibmmq.Connx("QM1", cno)
	if err != nil {
		return nil, err
	}
	return &qmgr, nil
}
```
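A check on the key repository listing above, as an added example that is not part of the original question: it parses the output of `runmqakm -cert -list all` using the legend runmqakm prints and reports whether the label the client is configured to present is a personal certificate (one with a private key), which is what the remote channel's SSLCAUTH(REQUIRED) and the AMQ9642E text demand. The first listing is the one posted in the question; the second, with a default personal certificate `*-`, is constructed, and the `*-` form for a default personal entry is an assumption.

```go
// Added example: classify runmqakm certificate entries and check the client label.
package main

import (
	"fmt"
	"strings"
)

// CertKind follows the legend line printed by runmqakm:
// "* default, - personal, ! trusted, # secret key".
type CertKind int

const (
	Absent CertKind = iota
	Personal
	Trusted
	SecretKey
)

var kindNames = [...]string{"absent", "personal", "trusted", "secret key"}

func (k CertKind) String() string { return kindNames[k] }

// questionListing is the runmqakm output posted in the question.
const questionListing = `5724-H72 (C) Copyright IBM Corp. 1994, 2018.
Certificates found
* default, - personal, ! trusted, # secret key
! qmgrcert
! "CN=DigiCert SHA2 Secure Server CA,O=DigiCert Inc,C=US"
! "CN=DigiCert Global Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US"`

// ParseCertList maps each label to its kind. An entry line starts with the
// kind marker; a default certificate carries a leading '*' before its marker
// (assumed to look like "*-  label" for a default personal certificate).
func ParseCertList(out string) map[string]CertKind {
	certs := map[string]CertKind{}
	for _, raw := range strings.Split(out, "\n") {
		line := strings.TrimSpace(raw)
		if strings.HasPrefix(line, "* default") {
			continue // the legend line, not a certificate
		}
		line = strings.TrimSpace(strings.TrimPrefix(line, "*"))
		if line == "" {
			continue
		}
		var kind CertKind
		switch line[0] {
		case '-':
			kind = Personal
		case '!':
			kind = Trusted
		case '#':
			kind = SecretKey
		default:
			continue // banner or other non-entry text
		}
		label := strings.Trim(strings.TrimSpace(line[1:]), `"`)
		certs[label] = kind
	}
	return certs
}

// CheckClientLabel reports whether `label` can be presented to a queue manager
// that requires client authentication, and why not if it cannot.
func CheckClientLabel(certs map[string]CertKind, label string) (bool, string) {
	switch certs[label] {
	case Personal:
		return true, label + " is a personal certificate, so the client holds a private key to prove ownership"
	case Trusted:
		return false, label + " is a trusted (signer) certificate only: there is no private key, so the client sends no certificate and the queue manager reports AMQ9642E"
	case SecretKey:
		return false, label + " is a symmetric secret key, not a certificate"
	default:
		return false, label + " is not in the key repository"
	}
}

func main() {
	certs := ParseCertList(questionListing)
	ok, why := CheckClientLabel(certs, "qmgrcert")
	fmt.Printf("question's store: ok=%v: %s\n", ok, why)

	// Constructed listing with a personal certificate added as the default entry.
	fixed := ParseCertList(questionListing + "\n*- ibmwebspheremqclientapp")
	ok, why = CheckClientLabel(fixed, "ibmwebspheremqclientapp")
	fmt.Printf("with personal cert: ok=%v: %s\n", ok, why)
}
```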
Troubleshooting Java/JMS SSL Configurations — Middleware News
This document is intended to help diagnose WebSphere MQ V7 Java™ or JMS SSL setup errors. It lists most of the common configuration errors that can cause an SSL connection from a Java/JMS client to a queue manager to fail, and gives the course of action to resolve the problem.

In each case the error can be diagnosed by a combination of the error seen in the client log — either a console output, trace file or SystemOut.log file — and the queue manager's error logs.

The document is quite long, so the easiest way to find the potential error is to search for one of the errors seen in this list, then filter this list using the error from the opposite end of the channel. All cases here assume that 2-way authentication is being attempted (SSLCAUTH set to REQUIRED on the queue manager's SVRCONN channel). This is the default, and the errors are very similar for 1-way authentication (SSLCAUTH set to OPTIONAL).
Symptom
- Instructions on collecting documentation
- Cause 1: Client missing personal certificate
- Cause 2: Missing server personal certificate
- Cause 3: Missing server signer on client
- Cause 4: Missing client signer on server
- Cause 5: Cipher spec mismatch
- Cause 6: No cipher enabled on client
- Cause 7: No cipher enabled on queue manager's server connection channel
- Cause 8: Using non-FIPS cipher, FIPS enabled on client (not on server)
- Cause 9: Using non-FIPS cipher, FIPS enabled on server (not on client)
- Cause 10: Using FIPS cipher, FIPS not enabled on client
- Cause 11: Using non-FIPS cipher, FIPS enabled at both ends
- Cause 12: Value of SSLPEER on client does not match personal certificate
- Cause 13: Value of SSLPEER on server does not match personal certificate
- Cause 14: Listener not running on server
- Cause 15: Cannot find client keystore
- Cause 16: Client keystore password incorrect
- Cause 17: Cannot find client truststore
- Cause 18: Client truststore password incorrect
Diagnosing the problem
Two sets of documentation are required:
- SystemOut, console output or Java/JMS trace — this will show the exceptions with stack outputs as seen below
- AMQERR*.LOG files from the queue manager install location — these will contain the AMQxxxx errors as seen below

Resolving the problem
Cause 1: Client missing personal certificate
- SystemOut.log or console output: JMSWMQ0018: Failed to connect to queue manager. JMSCMQ0001: WebSphere MQ call failed with compcode '2' ('MQCC_FAILED') reason '2059' ('MQRC_Q_MGR_NOT_AVAILABLE'), followed by a stack trace.
- Queue manager error logs: AMQ9637: Channel is lacking a certificate.
- Solution: Add a personal certificate to the client's keystore which has been signed by a certificate in the queue manager's key database.

Cause 2: Missing server personal certificate
- SystemOut.log or console output: JMSWMQ0018: Failed to connect to queue manager. JMSCMQ0001: WebSphere MQ call failed with compcode '2' ('MQCC_FAILED') reason '2397' ('MQRC_JSSE_ERROR'), followed by a stack trace.
- Queue manager error logs: AMQ9637: Channel is lacking a certificate.
- Solution: Add a personal certificate to the queue manager's key database which has been signed by a certificate in the client's truststore, and which has a label of the form "ibmwebspheremqqmname".

Cause 3: Missing server signer on client
- SystemOut.log or console output: JMSWMQ0018: Failed to connect to queue manager. JMSCMQ0001: WebSphere MQ call failed with compcode '2' ('MQCC_FAILED') reason '2397' ('MQRC_JSSE_ERROR'), followed by a stack trace.
- Queue manager error logs: AMQ9665: SSL connection closed by remote end of channel '????'.
- Solution: Add the certificate used to sign the queue manager's personal certificate to the client's truststore.

Cause 4: Missing client signer on server
- SystemOut.log or console output: JMSWMQ0018: Failed to connect to queue manager. JMSCMQ0001: WebSphere MQ call failed with compcode '2' ('MQCC_FAILED') reason '2397' ('MQRC_JSSE_ERROR'), followed by a stack trace.
- Queue manager error logs: AMQ9633: Bad SSL certificate for channel '????'.
- Solution: Add the certificate used to sign the queue manager's personal certificate to the client's truststore.

Cause 5: Cipher spec mismatch
- SystemOut.log or console output: JMSWMQ0018: Failed to connect to queue manager. JMSCMQ0001: WebSphere MQ call failed with compcode '2' ('MQCC_FAILED') reason '2397' ('MQRC_JSSE_ERROR'), followed by a stack trace.
- Queue manager error logs: AMQ9631: The CipherSpec negotiated during the SSL handshake does not match the required CipherSpec for channel 'SYSTEM.DEF.SVRCONN'.
- Solution: Ensure that the cipher suite on the client matches the cipher spec on the queue manager's server connection channel.

Cause 6: No cipher enabled on client
- SystemOut.log or console output: JMSWMQ0018: Failed to connect to queue manager. JMSCMQ0001: WebSphere MQ call failed with compcode '2' ('MQCC_FAILED') reason '2397' ('MQRC_JSSE_ERROR'), followed by a stack trace.
- Queue manager error logs: AMQ9639: Remote channel 'SYSTEM.DEF.SVRCONN' did not specify a CipherSpec.
- Solution: Ensure that there is a cipher suite set on the client matching the cipher spec on the queue manager's server connection channel.

Cause 7: No cipher enabled on queue manager's server connection channel
- SystemOut.log or console output: JMSWMQ0018: Failed to connect to queue manager. JMSCMQ0001: WebSphere MQ call failed with compcode '2' ('MQCC_FAILED') reason '2397' ('MQRC_JSSE_ERROR'), followed by a stack trace.
- Queue manager error logs: AMQ9635: Channel 'SYSTEM.DEF.SVRCONN' did not specify a valid CipherSpec.
- Solution: Ensure that there is a cipher spec on the queue manager's server connection channel matching the cipher suite set on the client.

Cause 8: Using non-FIPS cipher, FIPS enabled on client (not on server)
- SystemOut.log or console output: JMSWMQ0018: Failed to connect to queue manager. JMSCMQ0001: WebSphere MQ call failed with compcode '2' ('MQCC_FAILED') reason '2393' ('MQRC_SSL_INITIALIZATION_ERROR'), followed by a stack trace.
- Queue manager error logs: No errors seen.
- Solution: Either disable FIPS on the client or ensure both FIPS is enabled on the server and a FIPS-enabled cipher is being used.

Cause 9: Using non-FIPS cipher, FIPS enabled on server (not on client)
- SystemOut.log or console output: JMSWMQ0018: Failed to connect to queue manager. JMSCMQ0001: WebSphere MQ call failed with compcode '2' ('MQCC_FAILED') reason '2397' ('MQRC_JSSE_ERROR'), followed by a stack trace.
- Queue manager error logs: AMQ9616: The CipherSpec proposed is not enabled on the SSL server.
- Solution: Either disable FIPS on the server or ensure both FIPS is enabled on the client and a FIPS-enabled cipher is being used.

Cause 10: Using FIPS cipher, FIPS not enabled on client
- SystemOut.log or console output: JMSWMQ0018: Failed to connect to queue manager. JMSCMQ0001: WebSphere MQ call failed with compcode '2' ('MQCC_FAILED') reason '2397' ('MQRC_JSSE_ERROR'), followed by a stack trace.
- Queue manager error logs: AMQ9616: The CipherSpec proposed is not enabled on the SSL server.
- Solution: Either enable FIPS on the client or ensure a non FIPS-enabled cipher is being used.

Cause 11: Using non-FIPS cipher, FIPS enabled at both ends
- SystemOut.log or console output: JMSWMQ0018: Failed to connect to queue manager. JMSCMQ0001: WebSphere MQ call failed with compcode '2' ('MQCC_FAILED') reason '2393' ('MQRC_SSL_INITIALIZATION_ERROR'), followed by a stack trace.
- Queue manager error logs: No errors seen.
- Solution: Either disable FIPS at both ends or ensure a FIPS-enabled cipher is being used.

Cause 12: Value of SSLPEER on client does not match personal certificate
- SystemOut.log or console output: JMSWMQ0018: Failed to connect to queue manager. JMSCMQ0001: WebSphere MQ call failed with compcode '2' ('MQCC_FAILED') reason '2398' ('MQRC_SSL_PEER_NAME_MISMATCH'), followed by a stack trace.
- Queue manager error logs: No errors seen.
- Solution: Ensure the value of SSLPEER matches the distinguished name of the personal certificate.

Cause 13: Value of SSLPEER on server does not match personal certificate
- SystemOut.log or console output: JMSWMQ0018: Failed to connect to queue manager. JMSCMQ0001: WebSphere MQ call failed with compcode '2' ('MQCC_FAILED') reason '2059' ('MQRC_Q_MGR_NOT_AVAILABLE'), followed by a stack trace.
- Queue manager error logs: AMQ9636: SSL distinguished name does not match peer name, channel 'SYSTEM.DEF.SVRCONN'.
- Solution: Ensure the value of SSLPEER matches the distinguished name of the personal certificate.

Cause 14: Listener not running on server
- SystemOut.log or console output: JMSWMQ0018: Failed to connect to queue manager. JMSCMQ0001: WebSphere MQ call failed with compcode '2' ('MQCC_FAILED') reason '2059' ('MQRC_Q_MGR_NOT_AVAILABLE'), followed by a stack trace.
- Queue manager error logs: No errors seen.
- Solution: Start the listener on the queue manager.

Cause 15: Cannot find client keystore
- SystemOut.log or console output: JMSWMQ0018: Failed to connect to queue manager. JMSCMQ0001: WebSphere MQ call failed with compcode '2' ('MQCC_FAILED') reason '2397' ('MQRC_JSSE_ERROR'), followed by a stack trace.
- Queue manager error logs: No errors seen.
- Solution: Specify the correct name and location for the client keystore.

Cause 16: Client keystore password incorrect
- SystemOut.log or console output: JMSWMQ0018: Failed to connect to queue manager. JMSCMQ0001: WebSphere MQ call failed with compcode '2' ('MQCC_FAILED') reason '2397' ('MQRC_JSSE_ERROR'), followed by a stack trace.
- Queue manager error logs: No errors seen.
- Solution: Specify the correct password for the client keystore.

Cause 17: Cannot find client truststore
- SystemOut.log or console output: JMSWMQ0018: Failed to connect to queue manager. JMSCMQ0001: WebSphere MQ call failed with compcode '2' ('MQCC_FAILED') reason '2397' ('MQRC_JSSE_ERROR'), followed by a stack trace.
- Queue manager error logs: No errors seen.
- Solution: Specify the correct name and location for the client truststore.

Cause 18: Client truststore password incorrect
- SystemOut.log or console output: JMSWMQ0018: Failed to connect to queue manager. JMSCMQ0001: WebSphere MQ call failed with compcode '2' ('MQCC_FAILED') reason '2397' ('MQRC_JSSE_ERROR'), followed by a stack trace.
- Queue manager error logs: No errors seen.
- Solution: Specify the correct password for the client truststore.
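The search procedure the document describes (find the client-side error, then filter by the error from the opposite end of the channel), as an added example that is not part of the original document: it takes the MQRC reason code from the client's JMSCMQ0001 line and the AMQ9xxx message ids from the queue manager's AMQERR*.LOG excerpt, and keeps only the causes above that match both ends. The cause table is transcribed from the text above; the two log excerpts in main are constructed after Cause 6 (AMQ9639).

```go
// Added example: correlate client reason code and queue manager AMQ message
// against the cause table above. Sample log excerpts are constructed.
package main

import (
	"fmt"
	"regexp"
	"strconv"
)

// Cause is one row of the table: the client reason code and the queue manager
// message that appear together. AMQ is empty where the table says
// "No errors seen" on the queue manager side.
type Cause struct {
	ID     int
	Title  string
	Reason int
	AMQ    string
}

var causes = []Cause{
	{1, "Client missing personal certificate", 2059, "AMQ9637"},
	{2, "Missing server personal certificate", 2397, "AMQ9637"},
	{3, "Missing server signer on client", 2397, "AMQ9665"},
	{4, "Missing client signer on server", 2397, "AMQ9633"},
	{5, "Cipher spec mismatch", 2397, "AMQ9631"},
	{6, "No cipher enabled on client", 2397, "AMQ9639"},
	{7, "No cipher enabled on queue manager's server connection channel", 2397, "AMQ9635"},
	{8, "Using non-FIPS cipher, FIPS enabled on client (not on server)", 2393, ""},
	{9, "Using non-FIPS cipher, FIPS enabled on server (not on client)", 2397, "AMQ9616"},
	{10, "Using FIPS cipher, FIPS not enabled on client", 2397, "AMQ9616"},
	{11, "Using non-FIPS cipher, FIPS enabled at both ends", 2393, ""},
	{12, "Value of SSLPEER on client does not match personal certificate", 2398, ""},
	{13, "Value of SSLPEER on server does not match personal certificate", 2059, "AMQ9636"},
	{14, "Listener not running on server", 2059, ""},
	{15, "Cannot find client keystore", 2397, ""},
	{16, "Client keystore password incorrect", 2397, ""},
	{17, "Cannot find client truststore", 2397, ""},
	{18, "Client truststore password incorrect", 2397, ""},
}

// JMSCMQ0001 prints: reason '2397' ('MQRC_JSSE_ERROR'); pasted copies often carry curly quotes.
var reasonRE = regexp.MustCompile(`reason\s*['‘](\d{4})['’]`)

// AMQ9xxx message ids at the head of a queue manager log entry (optional severity letter).
var amqRE = regexp.MustCompile(`\b(AMQ9\d{3})[A-Z]?:`)

// ClientReason returns the MQRC reason code from a client log, or 0 if none is found.
func ClientReason(clientLog string) int {
	m := reasonRE.FindStringSubmatch(clientLog)
	if m == nil {
		return 0
	}
	n, _ := strconv.Atoi(m[1]) // the group is exactly four digits, so Atoi cannot fail
	return n
}

// QueueManagerAMQs returns the set of AMQ9xxx ids found in an AMQERR excerpt.
func QueueManagerAMQs(qmLog string) map[string]bool {
	ids := map[string]bool{}
	for _, m := range amqRE.FindAllStringSubmatch(qmLog, -1) {
		ids[m[1]] = true
	}
	return ids
}

// Diagnose keeps the causes whose client reason matches and whose queue
// manager message is present (or, for "No errors seen" rows, whose log is silent).
func Diagnose(clientLog, qmLog string) []Cause {
	reason := ClientReason(clientLog)
	amqs := QueueManagerAMQs(qmLog)
	var hits []Cause
	for _, c := range causes {
		if c.Reason != reason {
			continue
		}
		if (c.AMQ == "" && len(amqs) == 0) || (c.AMQ != "" && amqs[c.AMQ]) {
			hits = append(hits, c)
		}
	}
	return hits
}

func main() {
	// Constructed excerpts modelled on Cause 6.
	clientLog := "com.ibm.mq.MQException: JMSCMQ0001: WebSphere MQ call failed with compcode '2' ('MQCC_FAILED') reason '2397' ('MQRC_JSSE_ERROR')."
	qmLog := "AMQ9639: Remote channel 'TESTQMGR.SVRCONN' did not specify a CipherSpec.\nEXPLANATION:\nRemote channel 'TESTQMGR.SVRCONN' did not specify a CipherSpec when the local\nchannel expected one to be specified."
	for _, c := range Diagnose(clientLog, qmLog) {
		fmt.Printf("Cause %d: %s\n", c.ID, c.Title)
	}
}
```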
This was driving me batty for a few hours, until I really focused on the problem.
This was what I was seeing in WAS, in /opt/ibm/WebSphereProfiles/AppSrv01/logs/AppClusterMember1/SystemOut.log:

```text
...
Caused by [5] --> Message : com.ibm.mq.jmqi.JmqiException: CC=2;RC=2397;AMQ9641: Remote CipherSpec error for channel 'TESTQMGR.SVRCONN' to host ''. [3=TESTQMGR.SVRCONN]
...
com.ibm.msg.client.jms.DetailedJMSException: JMSWMQ0018: Failed to connect to queue manager 'TESTQM' with connection mode 'Client' and host name 'mq75.novalocal(1420)'.
com.ibm.mq.MQException: JMSCMQ0001: WebSphere MQ call failed with compcode '2' ('MQCC_FAILED') reason '2397' ('MQRC_JSSE_ERROR').
com.ibm.mq.jmqi.JmqiException: CC=2;RC=2397;AMQ9204: Connection to host 'mq75.novalocal(1420)' rejected. [1=com.ibm.mq.jmqi.JmqiException[CC=2;RC=2397;AMQ9641: Remote CipherSpec error for channel 'TESTQMGR.SVRCONN' to host ''. [3=TESTQMGR.SVRCONN]],3=mq75.novalocal(1420),5=RemoteConnection.analyseErrorSegment]
com.ibm.mq.jmqi.JmqiException: CC=2;RC=2397;AMQ9641: Remote CipherSpec error for channel 'TESTQMGR.SVRCONN' to host ''. [3=TESTQMGR.SVRCONN]
...
[5/19/17 13:59:53:500 UTC] 00000119 SystemOut O <?xml version="1.0" encoding="UTF-8"?>
<p:theMessage xmlns:p="http://SCA_Test" xmlns:ns0="http://SCA_Test" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="p:theMessage"/>SCA
[5/19/17 13:59:53:500 UTC] 00000119 SystemOut O
[5/19/17 13:59:53:517 UTC] 00000119 ProcessEngine I CWWBE0003E: A runtime fault was returned by the implementation of activity 'Invoke'.
com.ibm.msg.client.jms.DetailedJMSException: JMSWMQ0018: Failed to connect to queue manager 'TESTQM' with connection mode 'Client' and host name 'mq75.novalocal(1420)'.
[5/19/17 13:59:53:531 UTC] 00000119 SibMessage W [:] CWSJY0003W: JMSCC0109: A message driven bean threw a runtime exception '
Message : com.ibm.websphere.sca.ServiceRuntimeException: com.ibm.bpe.api.RuntimeFaultException: CWWBE0003E: A runtime fault was returned by the implementation of activity 'Invoke'.: caused by: com.ibm.bpe.api.RuntimeFaultException: CWWBE0003E: A runtime fault was returned by the implementation of activity 'Invoke'.
Class : class com.ibm.websphere.sca.ServiceRuntimeException
...
Caused by [1] --> Message : com.ibm.bpe.api.RuntimeFaultException: CWWBE0003E: A runtime fault was returned by the implementation of activity 'Invoke'.
...
```
and in MQ, in /var/mqm/qmgrs/TESTQM/errors/AMQERR01.LOG:

```text
...
AMQ9639: Remote channel 'TESTQMGR.SVRCONN' did not specify a CipherSpec.
EXPLANATION:
Remote channel 'TESTQMGR.SVRCONN' did not specify a CipherSpec when the local
channel expected one to be specified.
The remote host is 'bpm857 (10.72.0.6)'.
The channel did not start.
ACTION:
Change the remote channel 'TESTQMGR.SVRCONN' on host 'bpm857 (10.72.0.6)' to
specify a CipherSpec so that both ends of the channel have matching
CipherSpecs.
...
```
The problem was, as ever, between the chair and the keyboard (PEBCAK).
I revisited my Jython script and realised where I’d gone wrong.
Whilst I had created a dedicated SSL configuration to reflect the TLS version ( 1.2 ) and SSL cipher specification ( SSL_RSA_WITH_AES_128_CBC_SHA256 ) I’d obviously been tinkering with the WAS configuration at some point post-execution.
I re-ran my script:

```python
# wsadmin Jython script: create a dedicated SSL configuration for the WAS-to-MQ connection
cellID=AdminControl.getCell()
queueName="TESTQ"
queueManager="TESTQM"
wasUser="wasadmin"
wasPassword="passw0rd"
actSpec="TESTQ_AS"
channelName="TESTQMGR.SVRCONN"
qmgrHostname="mq75.novalocal"
qmgrPortNumber="1420"
configAlias="WAS_to_WMQ"
cipher="SSL_RSA_WITH_AES_128_CBC_SHA256"
# SSL configuration restricted to TLSv1.2 and the one cipher the SVRCONN channel expects
AdminTask.createSSLConfig('[-alias '+configAlias+' -type JSSE -scopeName (cell):'+cellID+' -keyStoreName CellDefaultKeyStore -keyStoreScopeName (cell):'+cellID+' -trustStoreName CellDefaultTrustStore -trustStoreScopeName (cell):'+cellID+' -jsseProvider IBMJSSE2 -sslProtocol TLSv1.2 -clientAuthentication false -clientAuthenticationSupported false -securityLevel HIGH -enabledCiphers '+cipher+' ]')
# Dynamic outbound selection: apply that SSL configuration to connections to the queue manager host and port
AdminTask.createDynamicSSLConfigSelection('[-dynSSLConfigSelectionName '+configAlias+' -scopeName (cell):'+cellID+' -dynSSLConfigSelectionDescription '+configAlias+' -dynSSLConfigSelectionInfo *,'+qmgrHostname+','+qmgrPortNumber+' -sslConfigName '+configAlias+' -sslConfigScope (cell):'+cellID+' -certificateAlias ]')
AdminConfig.save()
AdminNodeManagement.syncActiveNodes()
```
and things started working.
Issue

The IBM Resource Adapter fails to start on JBoss EAP with the following exception:

```text
Caused by: com.ibm.mq.jmqi.JmqiException: CC=2;RC=2397;AMQ9641: Remote CipherSpec error for channel 'NAME_OF_THE_CHANNEL' to host ''. [3=CCID_REDWD_SSL]
	at com.ibm.mq.jmqi.remote.impl.RemoteConnection.analyseErrorSegment(RemoteConnection.java:4640)
	at com.ibm.mq.jmqi.remote.impl.RemoteConnection.receiveTSH(RemoteConnection.java:3376)
	at com.ibm.mq.jmqi.remote.impl.RemoteConnection.initSess(RemoteConnection.java:1411)
	at com.ibm.mq.jmqi.remote.impl.RemoteConnection.connect(RemoteConnection.java:1007)
	at com.ibm.mq.jmqi.remote.impl.RemoteConnectionSpecification.getSessionFromNewConnection(RemoteConnectionSpecification.java:409)
	at com.ibm.mq.jmqi.remote.impl.RemoteConnectionSpecification.getSession(RemoteConnectionSpecification.java:305)
	at com.ibm.mq.jmqi.remote.impl.RemoteConnectionPool.getSession(RemoteConnectionPool.java:155)
	at com.ibm.mq.jmqi.remote.api.RemoteFAP.jmqiConnect(RemoteFAP.java:1724)
	... 23 more
```

Environment
- Red Hat JBoss EAP 7
- IBM MQ