SSL problem cannot recover key (error Code 2059:) help me

007_pandi
Posted: Mon Nov 22, 2004 5:11 am    Post subject: SSL problem cannot recover key (error Code 2059:) help me

Hi,

My requirement is to implement SSL on my application.

The MQ client application is running on Solaris.
The MQ Qmgr is running on Windows XP.

The following things have been done:

1. I have got the personal certificate from a 3rd party (for the Qmgr server) and assigned it to the QMgr running on Windows XP.

2. Generated a self-signed certificate on the Solaris machine using Java keytool
(the MQ client is running on Solaris).

3. Extracted the public key from the above certificate to a file and added that file to the Qmgr key repository (the QMgr is running on Windows XP).

4. Exported the server-side personal certificate (obtained in step 1) to a file, imported it on the Solaris machine using keytool and assigned it to cacerts in the Java directory.

5. Created a server connection channel and a client connection channel in the Qmgr (running on Windows XP) and copied the channel table file to the Solaris machine.

Define channel(test) chltype(svrconn) trptype(tcp) sslciph(TRIPLE_DES_SHA_US)

Define channel(test) chltype(clntconn) trptype(tcp) connname(101.102.103.104) QMname(MYQM) sslciph(TRIPLE_DES_SHA_US)

6. My client Java program uses MQEnvironment variables to connect to the QMgr (running on Windows XP).

Before implementing SSL, there was no problem in execution.

But after implementing SSL, it is not able to connect to the QM and throws the following error in the MQ log:

AMQ9639: Remote channel 'TEST' did not specify a CipherSpec.

EXPLANATION:
Remote channel 'TEST' did not specify a CipherSpec when the local channel
expected one to be specified. The channel did not start.
ACTION:
Change the remote channel 'TEST' to specify a CipherSpec so that both
ends of the channel have matching CipherSpecs.

Error in Telnet window : (Standalone java client app running)

MQJE001: An MQException occurred: Completion Code 2, Reason 2009
MQJE016: MQ queue manager closed channel immediately during connect
Closure reason = 2009
MQJE001: An MQException occurred: Completion Code 2, Reason 2009
MQJE016: MQ queue manager closed channel immediately during connect
Closure reason = 2009
Exception from Mainjava.lang.NullPointerException.

The script I have used to execute my java program:
------------------------------------------------------------

MQCHLLIB=/var/mqm/channeldef
export MQCHLLIB

MQCHLTAB=AMQCLCHL.TAB
export MQCHLTAB

java -Djavax.net.ssl.keyStore=/var/mqm/ssl/jkeystore -Djavax.net.sslkeyStorePassword=changeit -Djavax.net.ssl.trustStore=/export/home0/j2sdk1.4.2_06/jre/lib/security/cacerts -Djavax.net.ssl.trustStorePassword=changeit MQUtility
--------------------------------

where jkeystore is the client certificate keystore generated using Java keytool.

I would be grateful if any of our members can help me.

Thanks in Advance

by
Pandi


Last edited by 007_pandi on Thu Nov 25, 2004 6:39 am; edited 1 time in total

007_pandi
Posted: Wed Nov 24, 2004 6:37 am

If I remove the SSLCIPH value in the server connection channel, it works (I mean without SSL). But the problem occurs when SSL is configured.

I have copied the AMQCLCHL.TAB file to the Solaris machine and exported the MQCHLLIB and MQCHLTAB variables to point to it. But I feel my program is not using this channel table file. How can I ensure that my program is using this channel table file?

I am using the following environment details.

Part of my code:

import com.ibm.mq.MQC;
import com.ibm.mq.MQEnvironment;

String serverHost = "1.1.1.1"; // sample IP
String qManager = "QM_JPMCTEST";
String port = "1414";
//String svrConnChannel = "SYSTEM.DEF.SVRCONN";
String svrConnChannel = "TEST"; // server connection and client connection channel name, configured for SSL (TRIPLE_DES...)
String sendQueue = "TEST.OUT";
String strTxtMsg = "SSLTEsting on Nov 23 Nov, 2004";

// Use the variables declared above; MQEnvironment.port is an int
MQEnvironment.hostname = serverHost;
MQEnvironment.channel = svrConnChannel;
MQEnvironment.port = Integer.parseInt(port);
// CipherSuite left unset at this point, as in the failing run
//MQEnvironment.sslCipherSuite="SSL_RSA_WITH_3DES_EDE_CBC_SHA";

MQEnvironment.properties.put(MQC.TRANSPORT_PROPERTY, MQC.TRANSPORT_MQSERIES_CLIENT);


Following log displayed in window-----------------------------------
*******inside getMessage********
*******Before connecting to Qmgr*****
*****MQEnvironment.hostname=1.1.1.1
***MQEnvironment.channel=TEST
****MQEnvironment.port=1414
***Qmgr Name=QM_JPMCTEST
*** MQEnvironment properties ={transport=MQSeries Client}
MQJE001: An MQException occurred: Completion Code 2, Reason 2009
MQJE016: MQ queue manager closed channel immediately during connect
Closure reason = 2009
MQJE001: An MQException occurred: Completion Code 2, Reason 2009
MQJE016: MQ queue manager closed channel immediately during connect
Closure reason = 2009
com.ibm.mq.MQException: MQJE001: An MQException occurred: Completion Code 2, Reason 2009
MQJE016: MQ queue manager closed channel immediately during connect
Closure reason = 2009
at com.ibm.mq.MQManagedConnectionJ11.<init>(MQManagedConnectionJ11.java:239)
at com.ibm.mq.MQClientManagedConnectionFactoryJ11._createManagedConnection(MQClientManagedConnectionFactoryJ11.java:276)
at com.ibm.mq.MQClientManagedConnectionFactoryJ11.createManagedConnection(MQClientManagedConnectionFactoryJ11.java:296)
at com.ibm.mq.StoredManagedConnection.<init>(StoredManagedConnection.java:80)
at com.ibm.mq.MQSimpleConnectionManager.allocateConnection(MQSimpleConnectionManager.java:171)
at com.ibm.mq.MQQueueManager.obtainBaseMQQueueManager(MQQueueManager.java:737)
at com.ibm.mq.MQQueueManager.construct(MQQueueManager.java:671)
at com.ibm.mq.MQQueueManager.<init>(MQQueueManager.java:400)
........

Caused by: com.ibm.mqservices.MQInternalException: MQJE001: An MQException occurred: Completion Code 2, Reason 2009
MQJE016: MQ queue manager closed channel immediately during connect
Closure reason = 2009
at com.ibm.mq.MQInternalCommunications.establishChannel(MQInternalCommunications.java:1534)
at com.ibm.mq.MQInternalCommunications.<init>(MQInternalCommunications.java:522)
at com.ibm.mq.MQSESSIONClient.MQCONN(MQSESSIONClient.java:1314)
at com.ibm.mq.MQManagedConnectionJ11.<init>(MQManagedConnectionJ11.java:216)
... 10 more
Exception from Mainjava.lang.NullPointerException

--------------------

Log information in QueueManager log

-------------------------------------------------------------------------------
11/24/2004 19:35:56
AMQ9639: Remote channel 'TEST' did not specify a CipherSpec.

EXPLANATION:
Remote channel 'TEST' did not specify a CipherSpec when the local channel
expected one to be specified. The channel did not start.
ACTION:
Change the remote channel 'TEST' to specify a CipherSpec so that both ends of
the channel have matching CipherSpecs.

--------------------------------------------------------



I would be very grateful if anyone can help.

fjb_saper
Posted: Wed Nov 24, 2004 4:23 pm

It is all in the wording. Your qmgr has ssl and is running fine.
Now you are either trying to connect to a remote qmgr which has no SSL setup on its corresponding channel. The REMOTE channel (TEST) has no SSL setup. !!
You do not specify which way you are trying to connect to the qmgr but I suspect it is java. You need to setup your java client with all the needed ssl characteristics. Read up in the manual on how to do this.

Enjoy

007_pandi
Posted: Wed Nov 24, 2004 8:52 pm

Thanks for your reply.

On my client machine (Solaris), there is no MQ Server installed. I have only copied the MQ jar files (mq.jar, mqbind.jar, ... etc.) to work with this. It is working fine without SSL. The problem occurs while using SSL.

I have added the following line. As per the manual, it is a must to add this line for an MQBase Java program that uses SSL.

MQEnvironment.sslCipherSuite="SSL_RSA_WITH_3DES_EDE_CBC_SHA";

Now I am getting the following error on the client machine (Solaris).


MQJE001: An MQException occurred: Completion Code 2, Reason 2059
MQJE013: Error accessing socket streams
MQJE001: An MQException occurred: Completion Code 2, Reason 2059
MQJE013: Error accessing socket streams
com.ibm.mq.MQException: MQJE001: An MQException occurred: Completion Code 2, Reason 2059
MQJE013: Error accessing socket streams
at com.ibm.mq.MQManagedConnectionJ11.<init>(MQManagedConnectionJ11.java:239)
at com.ibm.mq.MQClientManagedConnectionFactoryJ11._createManagedConnection(MQClientManagedConnectionFactoryJ11.java:276)
at com.ibm.mq.MQClientManagedConnectionFactoryJ11.createManagedConnection(MQClientManagedConnectionFactoryJ11.java:296)
at com.ibm.mq.StoredManagedConnection.<init>(StoredManagedConnection.java:80)
at com.ibm.mq.MQSimpleConnectionManager.allocateConnection(MQSimpleConnectionManager.java:171)
at com.ibm.mq.MQQueueManager.obtainBaseMQQueueManager(MQQueueManager.java:737)
at com.ibm.mq.MQQueueManager.construct(MQQueueManager.java:671)
at com.ibm.mq.MQQueueManager.<init>(MQQueueManager.java:400)
at com.jpmc.glossistar.utils.mq.MQUtility.getMessage(MQUtility.java:252)
at com.jpmc.glossistar.utils.mq.MQUtility.getMessage(MQUtility.java:144)
at com.jpmc.glossistar.utils.mq.MQUtility.main(MQUtility.java:371)
Caused by: com.ibm.mq.MQException: MQJE001: An MQException occurred: Completion Code 2, Reason 2059
MQJE013: Error accessing socket streams
at com.ibm.mq.SSLHelper.createSSLSocketInstance(SSLHelper.java:470)
at com.ibm.mq.SSLHelper.createSSLSocket(SSLHelper.java:118)
at com.ibm.mq.MQInternalCommunications.createSocketConnection(MQInternalCommunications.java:1345)
at com.ibm.mq.MQInternalCommunications.access$000(MQInternalCommunications.java:113)
at com.ibm.mq.MQInternalCommunications$1.run(MQInternalCommunications.java:497)
at java.security.AccessController.doPrivileged(Native Method)
at com.ibm.mq.MQInternalCommunications.<init>(MQInternalCommunications.java:493)
at com.ibm.mq.MQSESSIONClient.MQCONN(MQSESSIONClient.java:1314)
at com.ibm.mq.MQManagedConnectionJ11.<init>(MQManagedConnectionJ11.java:216)
... 10 more
Exception from Mainjava.lang.NullPointerException


-------------------------------------

I am using the following Java version on the Solaris machine:

java version "1.4.2_06"
Java(TM) 2 Runtime Environment, Standard Edition (build 1.4.2_06-b03)
Java HotSpot(TM) Client VM (build 1.4.2_06-b03, mixed mode)

----------------------------

I have the following doubts:
-------------------------------------

1. For Java 1.4, do I need to add JSSE.jar or any other jars to the classpath?

----------------------

I am using the following command to run the program:

java -Djavax.net.ssl.keyStore=/var/mqm/ssl/QM_JPMCTEST/mqkeystore -Djavax.net.sslkeyStorePassword=changeit -Djavax.net.ssl.trustStore=/var/mqm/ssl/QM_JPMCTEST/mqkeystore -Djavax.net.ssl.trustStorePassword=changeit mq.MQUtility

where mqkeystore has the client personal certificate + the server CA. The client personal certificate has been generated by using the following command:

keytool -genkey -keystore /var/mqm/ssl/QM_JPMCTEST/mqkeystore -storepass changeit -keypass changeit -dname "cn=MQSSL, ou=Test, o=IBM, c=US, st=MD" -alias mqclient -keyalg RSA -keysize 2048

Please help me with how to proceed to pinpoint the problem.


Thanks & Regards,
pandi

007_pandi
Posted: Thu Nov 25, 2004 6:37 am    Post subject: Getting 2059 error (cannot recover key)

Hi,

---------------------
While running the program, I am getting the following error in the client-side SSL error log. No error is found in the MQ Qmgr log.

keyStore is : /var/mqm/ssl/QMJPMCTEST1/QMJPMCTEST1KEYSTORE
keyStore type is : jks
init keystore
init keymanager of type SunX509
default context init failed: java.security.UnrecoverableKeyException: Cannot recover key
Exception from Mainjava.lang.NullPointerException
------------------
MQ Error in client side

MQJE001: An MQException occurred: Completion Code 2, Reason 2059
MQJE013: Error accessing socket streams
MQJE001: An MQException occurred: Completion Code 2, Reason 2059
MQJE013: Error accessing socket streams
com.ibm.mq.MQException: MQJE001: An MQException occurred: Completion Code 2, Reason 2059
MQJE013: Error accessing socket streams
at com.ibm.mq.MQManagedConnectionJ11.<init>(MQManagedConnectionJ11.java:239)
at com.ibm.mq.MQClientManagedConnectionFactoryJ11._createManagedConnection(MQClientManagedConnectionFactoryJ11.java:276)
at com.ibm.mq.MQClientManagedConnectionFactoryJ11.createManagedConnection(MQClientManagedConnectionFactoryJ11.java:296)
at com.ibm.mq.StoredManagedConnection.<init>(StoredManagedConnection.java:80)
at com.ibm.mq.MQSimpleConnectionManager.allocateConnection(MQSimpleConnectionManager.java:171)
at com.ibm.mq.MQQueueManager.obtainBaseMQQueueManager(MQQueueManager.java:737)
at com.ibm.mq.MQQueueManager.construct(MQQueueManager.java:671)
at com.ibm.mq.MQQueueManager.<init>(MQQueueManager.java:400)
at com.jpmc.glossistar.utils.mq.MQUtility6.getMessage(MQUtility6.java:252)
at com.jpmc.glossistar.utils.mq.MQUtility6.getMessage(MQUtility6.java:144)
at com.jpmc.glossistar.utils.mq.MQUtility6.main(MQUtility6.java:371)
Caused by: com.ibm.mq.MQException: MQJE001: An MQException occurred: Completion Code 2, Reason 2059
MQJE013: Error accessing socket streams
at com.ibm.mq.SSLHelper.createSSLSocketInstance(SSLHelper.java:470)
at com.ibm.mq.SSLHelper.createSSLSocket(SSLHelper.java:118)
at com.ibm.mq.MQInternalCommunications.createSocketConnection(MQInternalCommunications.java:1345)
at com.ibm.mq.MQInternalCommunications.access$000(MQInternalCommunications.java:113)
at com.ibm.mq.MQInternalCommunications$1.run(MQInternalCommunications.java:497)
at java.security.AccessController.doPrivileged(Native Method)
at com.ibm.mq.MQInternalCommunications.<init>(MQInternalCommunications.java:493)
at com.ibm.mq.MQSESSIONClient.MQCONN(MQSESSIONClient.java:1314)
at com.ibm.mq.MQManagedConnectionJ11.<init>(MQManagedConnectionJ11.java:216)
... 10 more
----------------------------------------------------------


---------
I have used the following commands to generate the key and add it to the client keystore. For the server side, I have downloaded a 3rd party personal certificate.



client keystore generation:
keytool -genkey -keystore QMJPMCTEST1KEYSTORE -storepass changeit -keypass changeit -dname "cn=ibmwebspheremqroot, o=IBM, c=US, st=MD" -alias qmjpmctest1client -keyalg RSA -keysize 2048

extract public key from client keystore:
keytool -export -keystore QMJPMCTEST1KEYSTORE -storepass changeit -alias qmjpmctest1client -file qmjpmctest1client.cer
-------
import the server's CA files (3 files: one is for the root CA and the others are for intermediate CAs)

keytool -import -keystore /var/mqm/ssl/QMJPMCTEST1/qmjpmctest1_cacerts -storepass changeit -keypass changeit -alias globalsignrootca -file /var/mqm/ssl/QMJPMCTEST1/GLOBALSIGNROOTCA.cer

keytool -import -keystore /var/mqm/ssl/QMJPMCTEST1/qmjpmctest1_cacerts -storepass changeit -keypass changeit -alias globalsignpersign1ca -file /var/mqm/ssl/QMJPMCTEST1/GLOBALSIGNPERSIGN1CA.cer

keytool -import -keystore /var/mqm/ssl/QMJPMCTEST1/qmjpmctest1_cacerts -storepass changeit -keypass changeit -alias globalsignprisign1ca -file /var/mqm/ssl/QMJPMCTEST1/GLOBALSIGNPRICLASS1CA.cer


where GLOBALSIGNROOTCA.cer, GLOBALSIGNPERSIGN1CA.cer and GLOBALSIGNPRICLASS1CA.cer are the MQ server's CAs

-------------------------

I am using the following command to run the program:

java -Djavax.net.ssl.keyStore=/var/mqm/ssl/QMJPMCTEST1/QMJPMCTEST1KEYSTORE -Djavax.net.sslkeyStorePassword=changeit -Djavax.net.ssl.trustStore=/var/mqm/ssl/QMJPMCTEST1/qmjpmctest1_cacerts -Djavax.net.ssl.trustStorePassword=changeit -Djavax.net.debug=ssl com.jpmc.glossistar.utils.mq.MQUtility6 > qmjpmctest1.error

----------------

Thanks for any kind of help to proceed further



by
Pandiarajan.J

fjb_saper
Posted: Thu Nov 25, 2004 1:38 pm

You'll have to wait for somebody who actually implemented SSL to answer.
From recent posts (memory, you should really do a search on the site) I believe that your SSL set up is lacking. For the server you will have to add all the certificates used by the client + the chain up to the root authority in the client certificate chain...

I might be mistaken. Read up on the manuals for a client connection with SSL

Enjoy

007_pandi
Posted: Sun Nov 28, 2004 8:51 pm

Hi All,

Thanks for all your support. We have successfully implemented SSL configuration.

The problem was that the MQBase Java program was referring to some other .keystore file by default instead of the one which is passed by us as an argument.
So through the Java program (using javax.net.ssl.SSLContext and System.property options), we have mentioned the actual .keystore file (which has the client-side personal certificate) and it is working fine.

by
Pandiarajan.J
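
Added example, not code from the thread: one way to do what the post above describes, loading the intended keystore and truststore explicitly instead of relying on JVM defaults, and naming the alias when a private key cannot be recovered. It assumes a current JDK, JKS files and one password for store and key (as in the thread's keytool commands); the class name ExplicitKeystoreSsl is hypothetical, and the MQEnvironment lines are comments because they need com.ibm.mq.jar.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.UnrecoverableKeyException;
import java.util.Collections;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManagerFactory;

// Hypothetical helper: builds the client SSLSocketFactory from explicitly named JKS files.
public class ExplicitKeystoreSsl {

    static KeyStore load(String path, char[] storePass) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, storePass); // a wrong store password fails here with IOException
        }
        return ks;
    }

    // Returns the number of private keys; fails early if one cannot be recovered with keyPass.
    static int checkKeys(KeyStore ks, char[] keyPass) throws Exception {
        int keys = 0;
        for (String alias : Collections.list(ks.aliases())) {
            if (!ks.isKeyEntry(alias)) continue; // trusted-certificate entry, no key to recover
            try {
                ks.getKey(alias, keyPass);
                keys++;
            } catch (UnrecoverableKeyException e) {
                throw new IllegalStateException(
                    "Cannot recover key for alias '" + alias + "': key password does not match", e);
            }
        }
        if (keys == 0) throw new IllegalStateException("keystore holds no private key entry");
        return keys;
    }

    static SSLSocketFactory build(String keyStorePath, String trustStorePath, char[] pass)
            throws Exception {
        KeyStore keyStore = load(keyStorePath, pass);
        checkKeys(keyStore, pass);
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(keyStore, pass); // the call that throws "Cannot recover key" on a bad key password
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(load(trustStorePath, pass));
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx.getSocketFactory();
    }

    public static void main(String[] args) throws Exception {
        // Usage: java ExplicitKeystoreSsl <keystore> <truststore>  (needs an interactive terminal)
        char[] pass = System.console().readPassword("Keystore password: ");
        SSLSocketFactory factory = build(args[0], args[1], pass);
        // With the MQ base Java classes on the classpath, set these before creating MQQueueManager:
        //   MQEnvironment.sslSocketFactory = factory;
        //   MQEnvironment.sslCipherSuite = "SSL_RSA_WITH_3DES_EDE_CBC_SHA"; // value from this thread
        System.out.println("SSL context built: " + factory.getClass().getName());
    }
}
```

The run commands in the thread spell the password property -Djavax.net.sslkeyStorePassword, while JSSE reads javax.net.ssl.keyStorePassword; building the context in code removes the dependence on that property.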

jonny
Posted: Mon Jan 24, 2005 8:48 am

Hi Pandi,

I am having a similar problem

I am getting the following error:

MQJE013: Error accessing socket streams

and you mentioned in your post that you managed to fix the problem, and you gave the following explanation:


Quote:

The problem was that the MQBase Java program was referring to some other .keystore file by default instead of the one which is passed by us as an argument.
So through the Java program (using javax.net.ssl.SSLContext and System.property options), we have mentioned the actual .keystore file (which has the client-side personal certificate) and it is working fine.



I don't know much about Java; I am just an MQ administrator who is trying to get SSL configured for a Java client using JMS. Could you please explain to me how I will need to change the javax.net.ssl.SSLContext and system.property options?

Thanks