Inforz (Centurion) | Joined: 15 Apr 2011 | Posts: 139 | Location: Chennai, India
Posted: Sun Nov 10, 2019 7:31 pm | Post subject: SSLPeer value not updating

 Hi,
 My work environment has an MQ cluster with 6 qmgrs in it, of which two are FR and the rest are PR.
 
 All of the below qmgrs are of MQ v7.0.1.9
 
 Server1(AIX 1.6) has below qmgrs
 EF1 - FR
 EG1 - PR
 EB1 - PR
 
 Server2(AIX 1.6) has below qmgrs
 EF2 - FR
 EG2 - PR
 EB2 - PR
 
 EG1 & EB1 have cluster channels defined to EF1
 EG2 & EB2 have cluster channels defined to EF2
 
 SSL renewal was performed recently, and the signing authority advised changing the existing values of the Org (O) and Email attributes in the DN; it was updated as advised for the new certs.

 Now, when applying the new certs to each qmgr and doing an SSL refresh (refresh security type(ssl)), the cluster channels went into retrying state, with the below error when I pinged those channels.
 
 AMQ9636: SSL distinguished name does not match peer name, channel ''.
 
 I made the SSLPEER attributes generic, i.e., SSLPEER(CN="*",OU="*",O="*")
 (i.e., for all cluster channels I did a stop chl, then updated the ssl peer as above, then started it)
 After this change the channels were still in retrying state.

 When I displayed the channels, I see they are updated with the sslpeer value as I set it.

 However, when I did a dis clusqmgr(*) on server1, on its 3 qmgrs, I see the output has the ssl peer value updated only for the qmgrs present on server1, and it was showing the old ssl peer value that was present before the SSL renewal for the qmgrs present on server2.

 Similarly, when I did a dis clusqmgr(*) on server2, on its 3 qmgrs, I see the output has the ssl peer value updated only for the qmgrs present on server2, and it was showing the old ssl peer value that was present before the SSL renewal for the qmgrs present on server1.
 
 Did a refresh cluster repos(yes) as well on both cluster FRs, but no change.
 
 Please advise.
 
 
 Thanks,
		

Inforz (Centurion) | Joined: 15 Apr 2011 | Posts: 139 | Location: Chennai, India
Posted: Sun Nov 10, 2019 11:57 pm

 Since the cluster channels are in retrying state, I think the sslpeer update is not passed on between the two FRs, and that is why they are showing only the old sslpeer value when displayed from the opposite FR.
 Seems to be a deadlock situation; any help would be much appreciated.
		

hughson (Padawan) | Joined: 09 May 2013 | Posts: 1967 | Location: Bay of Plenty, New Zealand
Posted: Mon Nov 11, 2019 12:33 am

Inforz wrote:
> Since the cluster channels are in retrying state, I think the sslpeer update is not passed on between two FRs. and that is why they are showing old sslpeer value only when displayed from opposite FR.

 Just to confirm I understand your situation. You have made an alteration to the SSLPEER field of a cluster channel to match the new certificates being rolled out, and delivery of that change cannot roll out round the cluster because the channel won't start because it doesn't match the certificate?
 _________________
 Morag Hughson @MoragHughson
 IBM MQ Technical Education Specialist
 Get your IBM MQ training here!
 MQGem Software
		

Inforz (Centurion) | Joined: 15 Apr 2011 | Posts: 139 | Location: Chennai, India
Posted: Mon Nov 11, 2019 12:35 am

Quote:
> Just to confirm I understand your situation. You have made an alteration to the SSLPEER field of a cluster channel to match the new certificates being rolled out, and delivery of that change cannot roll out round the cluster because the channel won't start because it doesn't match the certificate?

 Yeah correct. I can see there are msgs piled up in SCTQ as well.
		

hughson (Padawan) | Joined: 09 May 2013 | Posts: 1967 | Location: Bay of Plenty, New Zealand
Posted: Mon Nov 11, 2019 12:42 am

 Others may have different suggestions, but I wonder if the best option is to create a second set of cluster channels? Once they are up and running and your messages are moving again, you can delete the old ones.
 _________________
 Morag Hughson @MoragHughson
 IBM MQ Technical Education Specialist
 Get your IBM MQ training here!
 MQGem Software
		

Inforz (Centurion) | Joined: 15 Apr 2011 | Posts: 139 | Location: Chennai, India
Posted: Mon Nov 11, 2019 1:52 am

 Thanks Hughson, will give a try and let you know.
		
		

Inforz (Centurion) | Joined: 15 Apr 2011 | Posts: 139 | Location: Chennai, India
Posted: Tue Nov 26, 2019 10:04 am

 Hi Hughson, it worked fine. Thanks a lot!!
 And I deleted the old physical channel definitions. However, the virtual cluster channels that got created dynamically are not vanishing and they remain in retrying state. I stopped them and they remain in stopped state and are not disappearing.
 
 Please suggest to get them off.
		

bruce2359 (Poobah) | Joined: 05 Jan 2008 | Posts: 9486 | Location: US: west coast, almost. Otherwise, enroute.
Posted: Tue Nov 26, 2019 11:57 am

 I’d suggest:
 Stop the channel, mode force if necessary.
 Remove the channel from the cluster: ALTER CHL(channelname) CLUSTER().
 _________________
 I like deadlines. I like to wave as they pass by.
 ב''ה
 Lex Orandi, Lex Credendi, Lex Vivendi. As we Worship, So we Believe, So we Live.
		

hughson (Padawan) | Joined: 09 May 2013 | Posts: 1967 | Location: Bay of Plenty, New Zealand
Posted: Thu Nov 28, 2019 2:42 am

Inforz wrote:
> I stopped them and they remain in stopped state and are not disappearing.
> Please suggest to get them off.

 Try this command:-

Code:
STOP CHANNEL(name) STATUS(INACTIVE)
 _________________
 Morag Hughson @MoragHughson
 IBM MQ Technical Education Specialist
 Get your IBM MQ training here!
 MQGem Software
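
The recovery discussed in this thread (a second set of cluster channels, then retiring the old ones), written out as MQSC for the EG1 and EF1 pair. This is an added example, not commands posted by the participants. The cluster name CLUS1, all channel names, hosts and ports, the CipherSpec and the O value are hypothetical placeholders; the same pattern would be repeated for each queue manager and between the two full repositories.

```mqsc
* Added example. Every name, host, port, CipherSpec and DN value is a placeholder.
* SSLPEER pins the O attribute of the renewed certificates instead of the
* all-wildcard value tried in the first post, so DN filtering stays in force.
* The CLUSRCVR's SSLPEER is what other qmgrs report in DISPLAY CLUSQMGR.

* --- On EF1 (full repository): new cluster-receiver ---
DEFINE CHANNEL(CLUS1.EF1.V2) CHLTYPE(CLUSRCVR) TRPTYPE(TCP) +
       CONNAME('server1.example.com(1414)') CLUSTER(CLUS1) +
       SSLCIPH(TLS_RSA_WITH_AES_128_CBC_SHA) SSLCAUTH(REQUIRED) +
       SSLPEER('O=NEW-ORG-PLACEHOLDER')

* --- On EG1 (partial repository): new receiver, plus a manual sender ---
* --- that names EF1's new receiver ---
DEFINE CHANNEL(CLUS1.EG1.V2) CHLTYPE(CLUSRCVR) TRPTYPE(TCP) +
       CONNAME('server1.example.com(1415)') CLUSTER(CLUS1) +
       SSLCIPH(TLS_RSA_WITH_AES_128_CBC_SHA) SSLCAUTH(REQUIRED) +
       SSLPEER('O=NEW-ORG-PLACEHOLDER')
DEFINE CHANNEL(CLUS1.EF1.V2) CHLTYPE(CLUSSDR) TRPTYPE(TCP) +
       CONNAME('server1.example.com(1414)') CLUSTER(CLUS1) +
       SSLCIPH(TLS_RSA_WITH_AES_128_CBC_SHA) +
       SSLPEER('O=NEW-ORG-PLACEHOLDER')

* --- Verify on both sides before touching the old channels ---
DISPLAY CHSTATUS(CLUS1.*) STATUS
DISPLAY CLUSQMGR(*) CHANNEL STATUS SSLPEER
DISPLAY QSTATUS(SYSTEM.CLUSTER.TRANSMIT.QUEUE) CURDEPTH

* --- On EG1: take the old receiver (placeholder name CLUS1.EG1) out of ---
* --- the cluster first, then delete the definition ---
ALTER CHANNEL(CLUS1.EG1) CHLTYPE(CLUSRCVR) CLUSTER(' ')
DELETE CHANNEL(CLUS1.EG1)

* --- On any qmgr where the old auto-defined cluster-sender still shows ---
* --- as retrying or stopped: the command given in the last post ---
STOP CHANNEL(CLUS1.EG1) MODE(FORCE) STATUS(INACTIVE)
DISPLAY CHSTATUS(CLUS1.EG1) STATUS
```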