This was driving me batty for a few hours, until I really focused on the problem.
This was what I was seeing in WAS: -
/opt/ibm/WebSphereProfiles/AppSrv01/logs/AppClusterMember1/SystemOut.log
...
Caused by [5] --> Message : com.ibm.mq.jmqi.JmqiException: CC=2;RC=2397;AMQ9641: Remote CipherSpec error for channel 'TESTQMGR.SVRCONN' to host ''. [3=TESTQMGR.SVRCONN]
...
...
com.ibm.msg.client.jms.DetailedJMSException: JMSWMQ0018: Failed to connect to queue manager 'TESTQM' with connection mode 'Client' and host name 'mq75.novalocal(1420)'.
com.ibm.mq.MQException: JMSCMQ0001: WebSphere MQ call failed with compcode '2' ('MQCC_FAILED') reason '2397' ('MQRC_JSSE_ERROR').
com.ibm.mq.jmqi.JmqiException: CC=2;RC=2397;AMQ9204: Connection to host 'mq75.novalocal(1420)' rejected. [1=com.ibm.mq.jmqi.JmqiException[CC=2;RC=2397;AMQ9641: Remote CipherSpec error for channel 'TESTQMGR.SVRCONN' to host ''. [3=TESTQMGR.SVRCONN]],3=mq75.novalocal(1420),5=RemoteConnection.analyseErrorSegment]
com.ibm.mq.jmqi.JmqiException: CC=2;RC=2397;AMQ9641: Remote CipherSpec error for channel 'TESTQMGR.SVRCONN' to host ''. [3=TESTQMGR.SVRCONN]
...
[5/19/17 13:59:53:500 UTC] 00000119 SystemOut O <?xml version="1.0" encoding="UTF-8"?>
<p:theMessage xmlns:p="http://SCA_Test" xmlns:ns0="http://SCA_Test" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="p:theMessage"/>SCA
[5/19/17 13:59:53:500 UTC] 00000119 SystemOut O
[5/19/17 13:59:53:517 UTC] 00000119 ProcessEngine I CWWBE0003E: A runtime fault was returned by the implementation of activity 'Invoke'.
com.ibm.msg.client.jms.DetailedJMSException: JMSWMQ0018: Failed to connect to queue manager 'TESTQM' with connection mode 'Client' and host name 'mq75.novalocal(1420)'.
[5/19/17 13:59:53:531 UTC] 00000119 SibMessage W [:] CWSJY0003W: JMSCC0109: A message driven bean threw a runtime exception '
Message : com.ibm.websphere.sca.ServiceRuntimeException: com.ibm.bpe.api.RuntimeFaultException: CWWBE0003E: A runtime fault was returned by the implementation of activity 'Invoke'.: caused by: com.ibm.bpe.api.RuntimeFaultException: CWWBE0003E: A runtime fault was returned by the implementation of activity 'Invoke'.
Class : class com.ibm.websphere.sca.ServiceRuntimeException
...
Caused by [1] --> Message : com.ibm.bpe.api.RuntimeFaultException: CWWBE0003E: A runtime fault was returned by the implementation of activity 'Invoke'.
...
...
and in MQ: -
/var/mqm/qmgrs/TESTQM/errors/AMQERR01.LOG
…
AMQ9639: Remote channel 'TESTQMGR.SVRCONN' did not specify a CipherSpec.
EXPLANATION:
Remote channel 'TESTQMGR.SVRCONN' did not specify a CipherSpec when the local
channel expected one to be specified.
The remote host is 'bpm857 (10.72.0.6)'.
The channel did not start.
ACTION:
Change the remote channel 'TESTQMGR.SVRCONN' on host 'bpm857 (10.72.0.6)' to
specify a CipherSpec so that both ends of the channel have matching
CipherSpecs.
…
The problem was, as ever, between the chair and the keyboard ( PEBCAK ).
I revisited my Jython script and realised where I'd gone wrong.
Whilst I had created a dedicated SSL configuration to reflect the TLS version ( 1.2 ) and SSL cipher specification ( SSL_RSA_WITH_AES_128_CBC_SHA256 ), I'd obviously been tinkering with the WAS configuration at some point post-execution.
I re-ran my script: -
# Cell name, used to build the (cell):<name> scope strings below
cellID=AdminControl.getCell()
queueName="TESTQ"
queueManager="TESTQM"
wasUser="wasadmin"
wasPassword="passw0rd"
actSpec="TESTQ_AS"
channelName="TESTQMGR.SVRCONN"
qmgrHostname="mq75.novalocal"
qmgrPortNumber="1420"
configAlias="WAS_to_WMQ"
# Must correspond to the CipherSpec set on the MQ channel
cipher="SSL_RSA_WITH_AES_128_CBC_SHA256"
# Dedicated JSSE SSL configuration: TLS 1.2, restricted to the single cipher above
AdminTask.createSSLConfig('[-alias '+configAlias+' -type JSSE -scopeName (cell):'+cellID+' -keyStoreName CellDefaultKeyStore -keyStoreScopeName (cell):'+cellID+' -trustStoreName CellDefaultTrustStore -trustStoreScopeName (cell):'+cellID+' -jsseProvider IBMJSSE2 -sslProtocol TLSv1.2 -clientAuthentication false -clientAuthenticationSupported false -securityLevel HIGH -enabledCiphers '+cipher+' ]')
# Dynamic outbound selection: use that SSL configuration for any protocol (*) to the queue manager's host and port
AdminTask.createDynamicSSLConfigSelection('[-dynSSLConfigSelectionName '+configAlias+' -scopeName (cell):'+cellID+' -dynSSLConfigSelectionDescription '+configAlias+' -dynSSLConfigSelectionInfo *,'+qmgrHostname+','+qmgrPortNumber+' -sslConfigName '+configAlias+' -sslConfigScope (cell):'+cellID+' -certificateAlias ]')
# Persist the change and push it out to the nodes
AdminConfig.save()
AdminNodeManagement.syncActiveNodes()
and things started working.
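The two log excerpts above describe one failure from opposite ends: WAS reports AMQ9641 with RC=2397, while the queue manager's AMQ9639 entry says the client offered no CipherSpec. The triage helper below is an added example, not part of the original post; it joins the two logs on channel name, using constructed sample input shortened from the excerpts, and its function names and hint text are illustrative assumptions.

```python
import re

# Constructed samples: lines copied or shortened from the excerpts in this post.
WAS_LOG = """\
com.ibm.mq.MQException: JMSCMQ0001: WebSphere MQ call failed with compcode '2' ('MQCC_FAILED') reason '2397' ('MQRC_JSSE_ERROR').
com.ibm.mq.jmqi.JmqiException: CC=2;RC=2397;AMQ9641: Remote CipherSpec error for channel 'TESTQMGR.SVRCONN' to host ''. [3=TESTQMGR.SVRCONN]
"""
MQ_LOG = """\
AMQ9639: Remote channel 'TESTQMGR.SVRCONN' did not specify a CipherSpec.
EXPLANATION:
Remote channel 'TESTQMGR.SVRCONN' did not specify a CipherSpec when the local
channel expected one to be specified.
The remote host is 'bpm857 (10.72.0.6)'.
"""

CLIENT_RE = re.compile(r"RC=(\d+);AMQ9641: Remote CipherSpec error for channel '([^']+)'")
QMGR_RE = re.compile(r"^(AMQ\d{4}): Remote channel '([^']+)' (.+?)\.?$", re.M)
HOST_RE = re.compile(r"The remote host is '([^']+)'")

# Hint paraphrases the ACTION text of the AMQ9639 entry quoted in the post.
HINTS = {"AMQ9639": "client end sent no CipherSpec; make the WAS SSL configuration "
                    "for this connection specify one that matches the channel"}

def client_failures(was_text):
    """Channels the MQ client reported AMQ9641 for, mapped to the reason code."""
    return {chan: int(rc) for rc, chan in CLIENT_RE.findall(was_text)}

def qmgr_failures(mq_text):
    """Queue-manager view: channel -> message id, detail and remote host."""
    out = {}
    for m in QMGR_RE.finditer(mq_text):
        host = HOST_RE.search(mq_text, m.end())  # first host line after the message
        out[m.group(2)] = {"msgid": m.group(1), "detail": m.group(3),
                           "remote_host": host.group(1) if host else None}
    return out

def correlate(was_text, mq_text):
    """Join both views on channel name and attach a hint where one is known."""
    qmgr = qmgr_failures(mq_text)
    findings = []
    for chan, rc in sorted(client_failures(was_text).items()):
        q = qmgr.get(chan)
        hint = HINTS.get(q["msgid"], "see queue manager log") if q else "no queue manager entry found"
        findings.append({"channel": chan, "client_rc": rc, "qmgr": q, "hint": hint})
    return findings

if __name__ == "__main__":
    for f in correlate(WAS_LOG, MQ_LOG):
        print(f)
```

The client-side message leaves the host empty, so the queue manager log is the only place that names which WAS host made the rejected connection.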