Morag, very good tip. I recycled my QMgrs and now it works also using the listeners. So my problem is solved.
Thanks a lot.
Hubert

> -----Original Message-----
> From: MQSeries List [SMTP:[EMAIL PROTECTED] on behalf of Morag Hughson
> Sent: Tuesday, 7 June 2005 10:23
> To: [email protected]
> Subject: Re: AW: Tracing SSL on MQ channels - Update
>
> If you make changes to the contents of the key repository (i.e. add certificates) the SSL environment on that process needs to be refreshed. If you had previously started channels with amqrmppa (channel pool processes) then the environment would have already been set up, however, starting the channel with inetd gives it a whole new process and therefore a brand new SSL environment which picks up the new changes to the contents of your key repository. If you recycle your queue managers and try it again, then you know that the SSL environment contains the correct set of certificates.
>
> FYI - in V6 you do not need to recycle the queue manager to refresh this environment, instead we have a command REFRESH SECURITY TYPE(SSL).
>
> Remember when running with self-signed certificates that the partner key repository needs a copy of your certificate in order to be able to authenticate, and remember to label them correctly.
>
> Cheers
> Morag
>
> Morag Hughson
> WebSphere MQ for z/OS Development
> Internet: [EMAIL PROTECTED]
>
> Hubert Kleinmanns <Hubert.Kleinmann[EMAIL PROTECTED]COM>
> Sent by: MQSeries List <[EMAIL PROTECTED]V.MEDUNIWIEN.AC.AT>
> 07/06/2005 07:33
> Please respond to MQSeries List
> To: [email protected]
> cc:
> Subject: AW: Tracing SSL on MQ channels - Update
>
> Morag,
>
> I just did another test and started receiver MCAs using the inetd instead of the listener. Surprise, surprise, the channel QM4.QM3 now becomes active! The process "amqcrsta" now accepts the key file (whereas the process "amqrmppa" started by the listener did not).
> But the channels to the QMgr QM2 (with version 3 extensions) still do not start!
>
> I also tried the flags MCATYPE(THREAD) and MCATYPE(PROCESS) - with no effect.
>
> Do you have any ideas?
>
> Hubert
>
> > -----Original Message-----
> > From: MQSeries List [SMTP:[EMAIL PROTECTED] on behalf of Hubert Kleinmanns
> > Sent: Tuesday, 7 June 2005 07:31
> > To: [email protected]
> > Subject: AW: Tracing SSL on MQ channels
> >
> > Morag,
> >
> > I have to set up SSL channels between Unix systems (AIX and Sun Solaris), between Unix and Windows and between Unix/Windows and mainframes. We have an internal CA which creates certificates I have to use. Unfortunately these certificates contain version 3 extensions, which are designed for web servers. It seems to us that these extensions do not work with the GSkit tool on Unix systems. Several days ago, I set up a connection from AIX to z/OS. This connection was closed by the mainframe when I tried to start the sender channel on AIX. The mainframe people told us something about "invalid certificate" - no more comments.
> >
> > Now I am testing the SSL connections between several Sun Solaris QMgrs. These QMgrs run on the same Sun Solaris box with WMQ 5.3 and CSD10. I am testing several certificates with different options, to find out why (and which) version 3 extensions cause the problems. My test scenario consists of three QMgrs:
> >
> > - QM2 has an official certificate of our internal CA.
> > - QM3/QM4 are used for test and comparison reasons.
> >
> > First I created certificates (using a private CA, not the official one) without version 3 extensions for QM3 and QM4. I created both certificates in the same way with gsk6cmd and received them into the QMgrs. When I define an SSL cipher spec the channel QM3.QM4 becomes active, but the channel QM4.QM3 not.
> > I found the message "E_SSL_BAD_KEYFILE_LABEL" in the trace file of the process "amqrmppa".
> >
> > When I understand why the channel QM4.QM3 does not start, and this problem is solved, I will try to connect QM3 with QM2 - which has an official certificate with version 3 extensions. The next step will be to connect QM2 to the mainframe.
> >
> > CSD10 includes version 6.0.5.43 of the GSkit tool. I also found a version 6.0.5.45 on IBM's web site. Does it make sense to install the higher version of the GSkit tool?
> >
> > TIA
> > Hubert
> >
> > > -----Original Message-----
> > > From: MQSeries List [SMTP:[EMAIL PROTECTED] on behalf of Morag Hughson
> > > Sent: Monday, 6 June 2005 19:58
> > > To: [email protected]
> > > Subject: Re: Tracing SSL on MQ channels
> > >
> > > From the System Administration Guide:-
> > >
> > > SSL trace
> > >
> > > If you request SSL trace, note the following:
> > >
> > >   SSL trace is written to the directory /var/mqm/trace.
> > >
> > >   The SSL trace files are AMQ.SSL.TRC and AMQ.SSL.TRC.1.
> > >
> > >   You cannot format SSL trace files; send them unchanged to IBM support.
> > >
> > > What exactly are you trying to capture trace of in the SSL Handshake?
> > >
> > > Cheers
> > > Morag
> > >
> > > Morag Hughson
> > > WebSphere MQ for z/OS Development
> > > Internet: [EMAIL PROTECTED]
> > >
> > > Hubert Kleinmanns <Hubert.Kleinmann[EMAIL PROTECTED]COM>
> > > Sent by: MQSeries List <[EMAIL PROTECTED]V.MEDUNIWIEN.AC.AT>
> > > 06/06/2005 17:21
> > > Please respond to MQSeries List
> > > To: [email protected]
> > > cc:
> > > Subject: Tracing SSL on MQ channels
> > >
> > > Hi all,
> > >
> > > I am trying to trace MQ during the SSL handshake of a channel start. Before I start the channel, I activate MQ tracing using the command:
> > >
> > >   strmqtrc -t all -t detail -m <name of the QMgr>
> > >
> > > Afterwards I see several files ending with ".TRC". Then I try to format the trace files using the command:
> > >
> > >   dspmqtrc -o <output file> <trace file>
> > >
> > > Now the output files contain the trace data (in a more or less readable way) and are always bigger than the trace files - all but one:
> > >
> > > The file AMQ.SSL.TRC is about 600 KB large, but the output file AMQ.SSL.DSP contains only 132 bytes in three lines:
> > >
> > >   Timestamp Process.Thread Trace Data
> > >   ===========================================
> > >   ===========================================
> > >
> > > Now my questions:
> > >
> > > 1. How may I format the file AMQ.SSL.TRC?
> > >
> > > 2. Do I have to use other options for strmqtrc or dspmqtrc (maybe undocumented)?
> > >
> > > 3. Is there another way to trace the SSL handshake?
> > >
> > > Thanks in advance
> > > Hubert

Instructions for managing your mailing list subscription are provided in the Listserv General Users Guide available at http://www.lsoft.com
Archive: http://listserv.meduniwien.ac.at/archives/mqser-l.html
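
Morag's reminder to label certificates correctly, and the "E_SSL_BAD_KEYFILE_LABEL" message Hubert found in the trace, both concern the label the queue manager looks up in its key repository. The script below is an added example, not part of the original thread: it assumes the WebSphere MQ convention on UNIX and Windows that the label is "ibmwebspheremq" followed by the queue manager name in lower case, and its function names and sample label listing are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). Assumption: a queue manager's
# certificate label is "ibmwebspheremq" + the queue manager name in lower case.

# Print the label the queue manager is expected to look for.
expected_label() {
    printf 'ibmwebspheremq%s\n' "$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')"
}

# check_label QMGR LISTING_FILE
# LISTING_FILE holds one certificate label per line, e.g. labels copied from
# the key management tool's certificate list for that key repository.
# Prints ok / case-mismatch / missing; returns 0 only for ok.
check_label() {
    want=$(expected_label "$1")
    # Trim surrounding whitespace from each listed label before comparing.
    labels=$(sed 's/^[[:space:]]*//; s/[[:space:]]*$//' "$2")
    if printf '%s\n' "$labels" | grep -Fxq -- "$want"; then
        echo ok; return 0
    fi
    # A label that differs only in case is a near miss worth reporting
    # separately: the expected label is entirely lower case.
    if printf '%s\n' "$labels" | grep -Fxiq -- "$want"; then
        echo case-mismatch; return 1
    fi
    echo missing; return 2
}

# Constructed sample listing for the QM2/QM3/QM4 test setup in the thread.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
  ibmwebspheremqqm3
  ibmwebspheremqQM4
  Private Test CA
EOF

# Report each queue manager's label status against the sample listing.
for q in QM3 QM4 QM2; do
    printf '%s: %s\n' "$q" "$(check_label "$q" "$SAMPLE")"
done
```

A label that checks out here can still be rejected by a channel process that started before the certificate was added, which is the case Morag describes; on V5.3 that needs a queue manager recycle, on V6 REFRESH SECURITY TYPE(SSL).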
