Saturday, 20 May 2017

WebSphere to WebSphere - Problems with WAS to MQ Server Connection Channel

This was driving me batty for a few hours, until I really focused on the problem.

This was what I was seeing in WAS: -

/opt/ibm/WebSphereProfiles/AppSrv01/logs/AppClusterMember1/SystemOut.log

...
     Caused by [5] --> Message : com.ibm.mq.jmqi.JmqiException: CC=2;RC=2397;AMQ9641: Remote CipherSpec error for channel 'TESTQMGR.SVRCONN' to host ''. [3=TESTQMGR.SVRCONN]
...
com.ibm.msg.client.jms.DetailedJMSException: JMSWMQ0018: Failed to connect to queue manager 'TESTQM' with connection mode 'Client' and host name 'mq75.novalocal(1420)'.
com.ibm.mq.MQException: JMSCMQ0001: WebSphere MQ call failed with compcode '2' ('MQCC_FAILED') reason '2397' ('MQRC_JSSE_ERROR').
com.ibm.mq.jmqi.JmqiException: CC=2;RC=2397;AMQ9204: Connection to host 'mq75.novalocal(1420)' rejected. [1=com.ibm.mq.jmqi.JmqiException[CC=2;RC=2397;AMQ9641: Remote CipherSpec error for channel 'TESTQMGR.SVRCONN' to host ''. [3=TESTQMGR.SVRCONN]],3=mq75.novalocal(1420),5=RemoteConnection.analyseErrorSegment]
com.ibm.mq.jmqi.JmqiException: CC=2;RC=2397;AMQ9641: Remote CipherSpec error for channel 'TESTQMGR.SVRCONN' to host ''. [3=TESTQMGR.SVRCONN]

...
[5/19/17 13:59:53:500 UTC] 00000119 SystemOut     O <?xml version="1.0" encoding="UTF-8"?>
<p:theMessage xmlns:p="http://SCA_Test" xmlns:ns0="http://SCA_Test" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="p:theMessage"/>SCA
[5/19/17 13:59:53:500 UTC] 00000119 SystemOut     O 
[5/19/17 13:59:53:517 UTC] 00000119 ProcessEngine I   CWWBE0003E: A runtime fault was returned by the implementation of activity 'Invoke'.
        com.ibm.msg.client.jms.DetailedJMSException: JMSWMQ0018: Failed to connect to queue manager 'TESTQM' with connection mode 'Client' and host name 'mq75.novalocal(1420)'.
[5/19/17 13:59:53:531 UTC] 00000119 SibMessage    W   [:] CWSJY0003W: JMSCC0109: A message driven bean threw a runtime exception '
                       Message : com.ibm.websphere.sca.ServiceRuntimeException: com.ibm.bpe.api.RuntimeFaultException: CWWBE0003E: A runtime fault was returned by the implementation of activity 'Invoke'.: caused by: com.ibm.bpe.api.RuntimeFaultException: CWWBE0003E: A runtime fault was returned by the implementation of activity 'Invoke'.
                         Class : class com.ibm.websphere.sca.ServiceRuntimeException

...
     Caused by [1] --> Message : com.ibm.bpe.api.RuntimeFaultException: CWWBE0003E: A runtime fault was returned by the implementation of activity 'Invoke'.
...

and in MQ: -

/var/mqm/qmgrs/TESTQM/errors/AMQERR01.LOG

AMQ9639: Remote channel 'TESTQMGR.SVRCONN' did not specify a CipherSpec.

EXPLANATION:
Remote channel 'TESTQMGR.SVRCONN' did not specify a CipherSpec when the local
channel expected one to be specified.

The remote host is 'bpm857 (10.72.0.6)'.

The channel did not start.
ACTION:
Change the remote channel 'TESTQMGR.SVRCONN' on host 'bpm857 (10.72.0.6)' to
specify a CipherSpec so that both ends of the channel have matching
CipherSpecs.


The problem was, as ever, between the chair and the keyboard ( PEBCAK ).

I revisited my Jython script and realised where I'd gone wrong.

Whilst I had created a dedicated SSL configuration to reflect the TLS version ( 1.2 ) and SSL cipher specification ( SSL_RSA_WITH_AES_128_CBC_SHA256 ), I'd obviously been tinkering with the WAS configuration at some point post-execution.

I re-ran my script: -

# wsadmin (Jython) script: AdminControl, AdminTask, AdminConfig and
# AdminNodeManagement are provided by the wsadmin runtime.

# Values for this environment
cellID=AdminControl.getCell()
queueName="TESTQ"
queueManager="TESTQM"
wasUser="wasadmin"
wasPassword="passw0rd"
actSpec="TESTQ_AS"
channelName="TESTQMGR.SVRCONN"
qmgrHostname="mq75.novalocal"
qmgrPortNumber="1420"
configAlias="WAS_to_WMQ"
cipher="SSL_RSA_WITH_AES_128_CBC_SHA256"

# Create a dedicated cell-scoped SSL configuration: TLSv1.2 with only the one cipher enabled
AdminTask.createSSLConfig('[-alias '+configAlias+' -type JSSE -scopeName (cell):'+cellID+' -keyStoreName CellDefaultKeyStore -keyStoreScopeName (cell):'+cellID+' -trustStoreName CellDefaultTrustStore -trustStoreScopeName (cell):'+cellID+' -jsseProvider IBMJSSE2 -sslProtocol TLSv1.2 -clientAuthentication false -clientAuthenticationSupported false -securityLevel HIGH -enabledCiphers '+cipher+' ]')

# Use that SSL configuration for outbound connections to the queue manager's host and port
AdminTask.createDynamicSSLConfigSelection('[-dynSSLConfigSelectionName '+configAlias+' -scopeName (cell):'+cellID+' -dynSSLConfigSelectionDescription '+configAlias+' -dynSSLConfigSelectionInfo *,'+qmgrHostname+','+qmgrPortNumber+' -sslConfigName '+configAlias+' -sslConfigScope (cell):'+cellID+' -certificateAlias ]')

# Save the configuration and synchronise it to the active nodes
AdminConfig.save()
AdminNodeManagement.syncActiveNodes()


and things started working.
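
The two log excerpts quoted earlier in this post can be matched up mechanically: the sketch below is an added example, not part of the original script, and pairs the client-side AMQ9641 error in SystemOut.log with the queue manager's AMQ9639 entry in AMQERR01.LOG by channel name. The function names and the regular expressions are assumptions based only on the log lines shown above.

```python
import re

# Constructed sample input: lines copied from the two log excerpts quoted in this post.
WAS_LOG = """\
com.ibm.msg.client.jms.DetailedJMSException: JMSWMQ0018: Failed to connect to queue manager 'TESTQM' with connection mode 'Client' and host name 'mq75.novalocal(1420)'.
com.ibm.mq.jmqi.JmqiException: CC=2;RC=2397;AMQ9641: Remote CipherSpec error for channel 'TESTQMGR.SVRCONN' to host ''. [3=TESTQMGR.SVRCONN]
"""
MQ_LOG = """\
AMQ9639: Remote channel 'TESTQMGR.SVRCONN' did not specify a CipherSpec.

EXPLANATION:
Remote channel 'TESTQMGR.SVRCONN' did not specify a CipherSpec when the local
channel expected one to be specified.

The remote host is 'bpm857 (10.72.0.6)'.
"""

CLIENT_RE = re.compile(r"RC=(\d+);AMQ9641: Remote CipherSpec error for channel '([^']+)'")
TARGET_RE = re.compile(r"JMSWMQ0018: .* host name '([^']+)'")
SERVER_RE = re.compile(r"AMQ9639: Remote channel '([^']+)' did not specify a CipherSpec")
HOST_RE = re.compile(r"The remote host is '([^']*)'")

def client_errors(text):
    """Map channel -> MQ reason code for AMQ9641 errors in SystemOut.log text."""
    return {m.group(2): int(m.group(1)) for m in CLIENT_RE.finditer(text)}

def server_errors(text):
    """Map channel -> client host for AMQ9639 entries in AMQERR01.LOG text."""
    found = {}
    # Each error-log entry starts with its AMQnnnn message id at the start of a line.
    for entry in re.split(r"(?m)^(?=AMQ\d{4}:)", text):
        m = SERVER_RE.match(entry)
        if m:
            host = HOST_RE.search(entry)
            found[m.group(1)] = host.group(1) if host else None
    return found

def correlate(was_text, mq_text):
    """Return one record per channel that failed on both sides of the connection."""
    target = TARGET_RE.search(was_text)
    server = server_errors(mq_text)
    return [
        {"channel": ch, "reason": rc, "client": server[ch],
         "target": target.group(1) if target else None}
        for ch, rc in sorted(client_errors(was_text).items()) if ch in server
    ]

if __name__ == "__main__":
    for rec in correlate(WAS_LOG, MQ_LOG):
        print("%(channel)s: RC=%(reason)s, client %(client)s sent no CipherSpec to %(target)s" % rec)
```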
