MQSeries.net Forum Index » IBM MQ Security » SSLPeer value not updating

Inforz
Posted: Sun Nov 10, 2019 7:31 pm    Post subject: SSLPeer value not updating

Centurion

Joined: 15 Apr 2011
Posts: 139
Location: Chennai, India

Hi,

My work environment has a MQ cluster with 6 qmgrs in it, out of which two are FR and rest are PR.

All of the below qmgrs are of MQ v7.0.1.9

Server1(AIX 1.6) has below qmgrs
EF1 - FR
EG1 - PR
EB1 - PR

Server2(AIX 1.6) has below qmgrs
EF2 - FR
EG2 - PR
EB2 - PR

EG1 & EB1 have cluster channels defined to EF1
EG2 & EB2 have cluster channels defined to EF2

SSL renewal was performed recently and the DN was advised by signing authority to be changed on the existing values of the Org(O) and Email attributes and it was updated as advised for the new certs.

Now when applying new certs to each qmgrs and doing ssl refresh(refresh security type(ssl)), cluster channels went in retrying state with below error when I did ping of those channels.

AMQ9636: SSL distinguished name does not match peer name, channel ''.

I made the SSLPEER attributes generic, i.e. SSLPEER(CN="*",OU="*",O="*")
(i.e. for all cluster channels I did a stop chl, then updated the SSL peer as above, then started it).
After this change the channels were still in retrying state.

When I displayed the channels, I see the sslpeer value is updated as I set it.

However, when I did a dis clusqmgr(*), on server1, on its 3 qmgrs in it, I see the output has ssl peer value updated only for the qmgrs present in server1 and was showing the old ssl peer value that was present before the SSL renewal for the qmgrs present in server2.

Similarly, when I did a dis clusqmgr(*), on server2, on its 3 qmgrs in it, I see the output has ssl peer value updated only for the qmgrs present in server2 and was showing the old ssl peer value that was present before the SSL renewal for the qmgrs present in server1.

Did a refresh cluster repos(yes) as well on both cluster FRs, but no change.

Please advise.


Thanks,
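
A pre-rollout check for the AMQ9636 mismatch described in this post, as an added example that is not part of the original thread and not IBM's code: it tests each new certificate DN against the SSLPEER filter a queue manager still holds for that channel (the values `dis clusqmgr(*)` reports). The matching rules are a simplified, assumed model, and the channel, host and organisation names are hypothetical.

```python
import re

# Assumed, simplified model of SSLPEER filtering (not IBM MQ's implementation):
# comma/semicolon-separated TYPE=value pairs, '*' wildcard at the start or end
# of a filter value, case-insensitive comparison, DN attributes that the filter
# does not name are ignored. Ordering rules for repeated OUs are not modelled.
_PAIR = re.compile(r'\s*([A-Za-z]+)\s*=\s*(?:"([^"]*)"|([^,;]*))\s*(?:[,;]|$)')

def parse_dn(text):
    """Parse 'CN=a,OU="b",O=c' into [(TYPE, value), ...]."""
    pairs, pos = [], 0
    while pos < len(text):
        m = _PAIR.match(text, pos)
        if not m:
            raise ValueError(f"cannot parse {text!r} at offset {pos}")
        value = m.group(2) if m.group(2) is not None else m.group(3).strip()
        pairs.append((m.group(1).upper(), value))
        pos = m.end()
    return pairs

def value_matches(pattern, value):
    """Compare one filter value with one certificate value."""
    rx = ((".*" if pattern.startswith("*") else "")
          + re.escape(pattern.strip("*"))
          + (".*" if pattern.endswith("*") else ""))
    return re.fullmatch(rx, value, re.IGNORECASE | re.DOTALL) is not None

def unmatched(sslpeer, cert_dn):
    """Return the filter attributes the certificate DN fails; [] means it passes."""
    dn = parse_dn(cert_dn)
    return [(t, pat) for t, pat in parse_dn(sslpeer)
            if not any(t == dt and value_matches(pat, dv) for dt, dv in dn)]

def audit(cached_sslpeer, new_cert_dn):
    """Map each channel whose cached filter rejects the new DN to the failing attributes."""
    report = {}
    for channel, sslpeer in cached_sslpeer.items():
        failed = unmatched(sslpeer, new_cert_dn[channel])
        if failed:
            report[channel] = failed
    return report

# Constructed sample data: channel, host and organisation names are hypothetical.
CACHED_SSLPEER = {"TO.EF2": 'CN=EF2*,OU=MQ,O=OldOrg',    # stale filter pinning the old O
                  "TO.EG2": 'CN="*",OU="*",O="*"'}       # generic filter from the post
NEW_CERT_DN = {"TO.EF2": 'CN=EF2.example.test,OU=MQ,O=NewOrg,C=IN',
               "TO.EG2": 'CN=EG2.example.test,OU=MQ,O=NewOrg,C=IN'}

if __name__ == "__main__":
    for channel, failed in audit(CACHED_SSLPEER, NEW_CERT_DN).items():
        print(f"{channel}: new DN fails SSLPEER on {failed}")
```

Any channel that appears in the report would be rejected once the new certificate is in place, so its filter has to be updated and distributed while the channel can still start.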
Inforz
Posted: Sun Nov 10, 2019 11:57 pm

Centurion

Joined: 15 Apr 2011
Posts: 139
Location: Chennai, India

Since the cluster channels are in retrying state, I think the sslpeer update is not passed on between the two FRs, and that is why they are showing the old sslpeer value only when displayed from the opposite FR.

Seems to be a deadlock situation, any help would be much appreciated.
hughson
Posted: Mon Nov 11, 2019 12:33 am

Padawan

Joined: 09 May 2013
Posts: 1914
Location: Bay of Plenty, New Zealand

Inforz wrote:
Since the cluster channels are in retrying state, I think the sslpeer update is not passed on between the two FRs, and that is why they are showing the old sslpeer value only when displayed from the opposite FR.


Just to confirm I understand your situation. You have made an alteration to the SSLPEER field of a cluster channel to match the new certificates being rolled out, and delivery of that change cannot roll out round the cluster because the channel won't start because it doesn't match the certificate?
_________________
Morag Hughson @MoragHughson
IBM MQ Technical Education Specialist
Get your IBM MQ training here!
MQGem Software
Inforz
Posted: Mon Nov 11, 2019 12:35 am

Centurion

Joined: 15 Apr 2011
Posts: 139
Location: Chennai, India

Quote:
Just to confirm I understand your situation. You have made an alteration to the SSLPEER field of a cluster channel to match the new certificates being rolled out, and delivery of that change cannot roll out round the cluster because the channel won't start because it doesn't match the certificate?

Yeah correct. I can see there are msgs piled up in SCTQ as well.
hughson
Posted: Mon Nov 11, 2019 12:42 am

Padawan

Joined: 09 May 2013
Posts: 1914
Location: Bay of Plenty, New Zealand

Others may have different suggestions, but I wonder if the best option is to create a second set of cluster channels? Once they are up and running and your messages are moving again, you can delete the old ones.
_________________
Morag Hughson @MoragHughson
IBM MQ Technical Education Specialist
Get your IBM MQ training here!
MQGem Software
Inforz
Posted: Mon Nov 11, 2019 1:52 am

Centurion

Joined: 15 Apr 2011
Posts: 139
Location: Chennai, India

Thanks Hughson, will give it a try and let you know.
Inforz
Posted: Tue Nov 26, 2019 10:04 am

Centurion

Joined: 15 Apr 2011
Posts: 139
Location: Chennai, India

Hi Hughson, it worked fine. Thanks a lot!!

And I deleted the old physical channel definitions. However, the virtual cluster channels that got created dynamically are not vanishing and they remain in retrying state. I stopped them and they remain in stopped state and are not disappearing.

Please suggest to get them off.
bruce2359
Posted: Tue Nov 26, 2019 11:57 am

Poobah

Joined: 05 Jan 2008
Posts: 9394
Location: US: west coast, almost. Otherwise, enroute.

I’d suggest:

Stop the channel, mode force if necessary.
Remove the channel from the cluster: ALTER CHL(channelname) CLUSTER().
_________________
I like deadlines. I like to wave as they pass by.
ב''ה
Lex Orandi, Lex Credendi, Lex Vivendi. As we Worship, So we Believe, So we Live.
hughson
Posted: Thu Nov 28, 2019 2:42 am

Padawan

Joined: 09 May 2013
Posts: 1914
Location: Bay of Plenty, New Zealand

Inforz wrote:
I stopped them and they remain in stopped state and are not disappearing.

Please suggest to get them off.


Try this command:-

Code:
STOP CHANNEL(name) STATUS(INACTIVE)

_________________
Morag Hughson @MoragHughson
IBM MQ Technical Education Specialist
Get your IBM MQ training here!
MQGem Software