Service Virtualization

Hi, we already have working mq model up and running from long time.. but recently we wanted to have another set of mq queues created on different queue manager and different channel but MQ host is same as previous mq manager and mq channel (the existing working one) . as part of new queues on new queue manager I have got new .cer  certificate for client to authenticate and I have imported that into lisa truststore and restarted the server.. After done with all changes, I have deployed the mq model as per the new queue manager but it stops due to error.. as per the error message below is the details.. [i did some research about this error and most pages says it is due to certificate..however we tried with few valid certificates I would like to check here if I am missing anything  ? ] com.ibm.mq.MQException: MQJE001: Completion Code '2', Reason '2059'. at com.ibm.mq.MQManagedConnectionJ11.(MQManagedConnectionJ11.java:230) at com.ibm.mq.MQClientManagedConnectionFactoryJ11._createManagedConnection(MQClientManagedConnectionFactoryJ11.java:553) at com.ibm.mq.MQClientManagedConnectionFactoryJ11.createManagedConnection(MQClientManagedConnectionFactoryJ11.java:593) at com.ibm.mq.StoredManagedConnection.(StoredManagedConnection.java:95) at com.ibm.mq.MQSimpleConnectionManager.allocateConnection(MQSimpleConnectionManager.java:198) at com.ibm.mq.MQQueueManagerFactory.obtainBaseMQQueueManager(MQQueueManagerFactory.java:893) at com.ibm.mq.MQQueueManagerFactory.procure(MQQueueManagerFactory.java:780) at com.ibm.mq.MQQueueManagerFactory.constructQueueManager(MQQueueManagerFactory.java:729) at com.ibm.mq.MQQueueManagerFactory.createQueueManager(MQQueueManagerFactory.java:177) at com.ibm.mq.MQQueueManager.(MQQueueManager.java:745) at com.itko.lisa.jms.mq.MQJavaEngine.commonPrepare(MQJavaEngine.java:191) at com.itko.lisa.jms.mq.MQJavaEngine.prepare(MQJavaEngine.java:155) at com.itko.lisa.jms.JMSNode.openExec(JMSNode.java:1634) at com.itko.lisa.jms.JMSNodeEditor$31.doCallback(JMSNodeEditor.java:2222) at com.itko.util.swing.panels.ProcessingDialog$2.run(ProcessingDialog.java:194) at java.lang.Thread.run(Unknown Source) Caused by: com.ibm.mq.jmqi.JmqiException: CC=2;RC=2059;AMQ9204: Connection to host 'ABC123'(60200)' rejected. [1=com.ibm.mq.jmqi.JmqiException[CC=2;RC=2059;AMQ9503: Channel negotiation failed. [3=ABC.CLIENT.01.01]],3=ABC123(60200),5=RemoteConnection.analyseErrorSegment] at com.ibm.mq.jmqi.remote.api.RemoteFAP.jmqiConnect(RemoteFAP.java:2059) at com.ibm.mq.jmqi.remote.api.RemoteFAP.jmqiConnect(RemoteFAP.java:1334) at com.ibm.mq.MQSESSION.MQCONNX_j(MQSESSION.java:924) at com.ibm.mq.MQManagedConnectionJ11.(MQManagedConnectionJ11.java:219) ... 15 more Caused by: com.ibm.mq.jmqi.JmqiException: CC=2;RC=2059;AMQ9503: Channel negotiation failed. [3=ABC.CLIENT.01.01] at com.ibm.mq.jmqi.remote.impl.RemoteConnection.analyseErrorSegment(RemoteConnection.java:3836) at com.ibm.mq.jmqi.remote.impl.RemoteConnection.receiveTSH(RemoteConnection.java:2741) at com.ibm.mq.jmqi.remote.impl.RemoteConnection.initSess(RemoteConnection.java:1021) at com.ibm.mq.jmqi.remote.impl.RemoteConnection.connect(RemoteConnection.java:714) at com.ibm.mq.jmqi.remote.impl.RemoteConnectionSpecification.getSessionFromNewConnection(RemoteConnectionSpecification.java:355) at com.ibm.mq.jmqi.remote.impl.RemoteConnectionSpecification.getSession(RemoteConnectionSpecification.java:264) at com.ibm.mq.jmqi.remote.impl.RemoteConnectionPool.getSession(RemoteConnectionPool.java:144) at com.ibm.mq.jmqi.remote.api.RemoteFAP.jmqiConnect(RemoteFAP.java:1681) ... 18 more

As far as I know, MQ error 2059 (MQRC_Q_MGR_NOT_AVAILABLE) has nothing to do with SSL.  The documentation is pretty vague, but I think it has more to do with some kind of misconfiguration in the Queue Manager or Channel.  Are other applications able to use the same QM and Channel?

> I have got new .cer  certificate for client to authenticate and I have imported that into lisa truststore

If you are using two-way SSL, where it requires the client use a specific private key/public certificate, then that does not go into a trust store.  With the old MQ steps you have to use the following properties in local.properties (which may affect other things that use SSL):

javax.net.ssl.keyStore=<path to key store containing just your client certificate>

javax.net.ssl.keyStorePassword=<password for that key store>

Thanks for quick reply..

Yes this queue manager and channel is being used by legacy MQ stubs which are maintained in database

flow..

webservice - MQ - mqstubs (database)

what we are trying now is

webservice - mq - lisa

that means we have got just new queues created on existing queue manager and channel but only queue names are different, so that we can use those queues to talk to lisa without impacting existing mqstubs connectivity.

also as I said.. this is not first time we are establishing mq connectivity.. we already have existing mq model running on different queue manager and different channel..

that time we have used ibmwebsphere.crt which was given by mq admin. we have created keystore and truststore in lisa server and imported ibmwebshere.crt into truststore..after done with this we have also configured local.properties with below parameter and this works fine.

  javax.net.ssl.keyStore=/opt/lisa/CA/DevTest801/Projects/Certificates/keystores/keystore.jks 

  javax.net.ssl.keyStorePassword= <YourCertificatePwd>

  javax.net.ssl.trustStore=/opt/lisa/CA/DevTest801/Projects/Certificates/keystores/truststore.jks 

  javax.net.ssl.trustStorePassword= <YourCertificatePwd>

now, similar way our mq admin shared new .crt for new queue manager and that should go into truststore..

because no reason why it should not work while all mq set up is same and certificate also configured...

as per the below link, it says problem with certificate :

https://www.ibm.com/support/knowledgecenter/SSFKSJ_8.0.0/com.ibm.mq.tro.doc/q123400_.htm

[search for content ' Channel negotiation failed']

the complete logs from devtest consoled failure is :

============================================================================

| Exception:

============================================================================

| Message:     MQ LISA6.INQUIRE subscribe

----------------------------------------------------------------------------

| Trapped Exception: MQJE001: Completion Code '2', Reason '2059'.

| Trapped Message:   com.ibm.mq.MQException: MQJE001: Completion Code '2', Reason '2059'.

----------------------------------------------------------------------------

STACK TRACE

com.ibm.mq.MQException: MQJE001: Completion Code '2', Reason '2059'.

  at com.ibm.mq.MQManagedConnectionJ11.<init>(MQManagedConnectionJ11.java:230)

  at com.ibm.mq.MQClientManagedConnectionFactoryJ11._createManagedConnection(MQClientManagedConnectionFactoryJ11.java:553)

  at com.ibm.mq.MQClientManagedConnectionFactoryJ11.createManagedConnection(MQClientManagedConnectionFactoryJ11.java:593)

  at com.ibm.mq.StoredManagedConnection.<init>(StoredManagedConnection.java:95)

  at com.ibm.mq.MQSimpleConnectionManager.allocateConnection(MQSimpleConnectionManager.java:198)

  at com.ibm.mq.MQQueueManagerFactory.obtainBaseMQQueueManager(MQQueueManagerFactory.java:893)

  at com.ibm.mq.MQQueueManagerFactory.procure(MQQueueManagerFactory.java:780)

  at com.ibm.mq.MQQueueManagerFactory.constructQueueManager(MQQueueManagerFactory.java:729)

  at com.ibm.mq.MQQueueManagerFactory.createQueueManager(MQQueueManagerFactory.java:177)

  at com.ibm.mq.MQQueueManager.<init>(MQQueueManager.java:745)

  at com.itko.lisa.jms.mq.MQJavaEngine.commonPrepare(MQJavaEngine.java:191)

  at com.itko.lisa.jms.mq.MQJavaEngine.prepare(MQJavaEngine.java:155)

  at com.itko.lisa.jms.JMSNode.openExec(JMSNode.java:1652)

  at com.itko.lisa.jms.JMSNode.execute(JMSNode.java:1897)

  at com.itko.lisa.test.TestNode.executeNode(TestNode.java:981)

  at com.itko.lisa.test.TestCase.execute(TestCase.java:1280)

  at com.itko.lisa.test.TestCase.execute(TestCase.java:1195)

  at com.itko.lisa.test.TestCase.executeNextNode(TestCase.java:1180)

  at com.itko.lisa.test.TestCase.executeTest(TestCase.java:1124)

  at com.itko.lisa.coordinator.Instance.run(Instance.java:204)

Caused by: com.ibm.mq.jmqi.JmqiException: CC=2;RC=2059;AMQ9204: Connection to host 'SVV.UK.COM(60200)' rejected. [1=com.ibm.mq.jmqi.JmqiException[CC=2;RC=2059;AMQ9503: Channel negotiation failed. [3=RTM.CLIENT.01.01]],3=SVV.UK.COM(60200),5=RemoteConnection.analyseErrorSegment]

  at com.ibm.mq.jmqi.remote.api.RemoteFAP.jmqiConnect(RemoteFAP.java:2059)

  at com.ibm.mq.jmqi.remote.api.RemoteFAP.jmqiConnect(RemoteFAP.java:1334)

  at com.ibm.mq.MQSESSION.MQCONNX_j(MQSESSION.java:924)

  at com.ibm.mq.MQManagedConnectionJ11.<init>(MQManagedConnectionJ11.java:219)

  ... 19 more

Caused by: com.ibm.mq.jmqi.JmqiException: CC=2;RC=2059;AMQ9503: Channel negotiation failed. [3=RTM.CLIENT.01.01]

  at com.ibm.mq.jmqi.remote.impl.RemoteConnection.analyseErrorSegment(RemoteConnection.java:3836)

  at com.ibm.mq.jmqi.remote.impl.RemoteConnection.receiveTSH(RemoteConnection.java:2741)

  at com.ibm.mq.jmqi.remote.impl.RemoteConnection.initSess(RemoteConnection.java:1021)

  at com.ibm.mq.jmqi.remote.impl.RemoteConnection.connect(RemoteConnection.java:714)

  at com.ibm.mq.jmqi.remote.impl.RemoteConnectionSpecification.getSessionFromNewConnection(RemoteConnectionSpecification.java:355)

  at com.ibm.mq.jmqi.remote.impl.RemoteConnectionSpecification.getSession(RemoteConnectionSpecification.java:264)

  at com.ibm.mq.jmqi.remote.impl.RemoteConnectionPool.getSession(RemoteConnectionPool.java:144)

  at com.ibm.mq.jmqi.remote.api.RemoteFAP.jmqiConnect(RemoteFAP.java:1681)

  ... 22 more

Okay, that link definitely ties the 2059 error to the client-side key store.

Do you have different client-side keys/certificates to use for each of your queue managers?  I suspect it's actually impossible to do that using only the javax.net.ssl.* properties, which can only reference a single key store.

Can you try combining both client-side keys/certificates into a single key store?  Maybe it will work if you make sure the keys/certificates have the correct aliases inside the key store.  Try putting each of them in the same key store under the alias 'ibmwebspheremq<QM name in lowercase>', where '<QM name in lowercase>' is the name of each key/certificate's respective queue manager.

yes, we have different certs for different queue manager though all are hosted in same MQ server. Yes I am doing the same, importing the new .crt into existing truststore and restarted the servers.. because there is nothing else to do as already root certificates, lisa host server certificates everything is included in the truststore only new queue manager certificate needs to go in.

alias I have used different (hope name of alias does not matter what I use as long as I give different name each time).. since for trial and error method I have imported few certs into existing trust store and tried, nothing worked.. do you suggest I should delete the certs which are imported and did not work ? before importing another certificate ?..

There is no key for cert here.. because it is just server checks for client to present particular ibmwebsphere certificate.. which is also configured on mq server side

> importing the new .crt into existing truststore

> because it is just server checks for client to present particular ibmwebsphere certificate..

I'm still confused, because you seem to be talking about two different things like they're the same thing.

Server side certificates, certificates the server presents to the client, are what you put into a *Trust Store*.  Those are certificates that the client *trusts*.

Client side certificates, which consist of a private key for the client to use and a corresponding public certificate that the client presents to the server, are put into a *Key Store*.  These are certificates that the server requires the client to send before accepting the connection.  With client side certificates the corresponding private key is also necessary so the client can actually encrypt data so it matches the certificate's public key.

The Trust Store and Key Store files have the same format, but they have different purposes.  You can put as many certificates as you like into a Trust Store and it will work; the client will "trust" all of them.  Putting multiple key/certificate pairs into a Key Store, however, is much less likely to work if you can't explicitly tell the client which key/cert to use with which connection, which you can't with the old IBM MQ step.

With that out of the way:  Are you using multiple *client side certificates*?

Thanks Kevin.. the explanation you given above is very clear..

so now let me clarify the question we have here.. what we use here is server side certificates.. so that is the reason when we did this connection initially we got server side certificate used by particular queue manager and I have imported that into trust store..  (and that works fine)

Now, we have again got another queue manager and new server side certificate used for that queue manager.. so as like previous method I have imported the new server side certificate (.crt) into truststore..

so am I missing anything here ? any other things I need to check here .. please suggest

The link you provided earlier documents the 2059 error as specifically related to the *client* side certificate, either a non-matching client side certificate or a missing client side key store.  Are you sure the new queue manager does not require a client certificate?

Thanks Kevin.. Yes I need to troubleshoot this issue with mq admin to understand more.. the other thing I have noticed is.. some settings/configuration which is related to channel.. because apart from the above two queue manager which I have mentioned , we have another queue manager in different mq server and which has different channel as well.. for troubleshot purpose we have created a new channel there and new queues as well.. then we trusted that queue manager certificate in lisa trust store.. that again worked fine without any issues..

again, in that queue manager, there is a existing one more channel (used to connect to live system) but that did not work and error shows was 2059 - channel negotiation failed..

i will try these over next week and let you know..

I don't know your setup, but here's where I find the client-side certificate setting on Windows in MQ Explorer:

[Your Queue Manager] -> Advanced -> Channels -> [Your Channel] -> Properties:

SSL -> Authentication of parties initiating connection:

If set to 'Required' then your channel requires a client-side certificate that matches one in the QM's configured key store.  If set to 'Optional' then your channel does not require a client-side certificate.

Thanks.. yes you are right... we have seen that today, whenever 'required' is present we are having trouble with those channels. wherever it is 'optional' we did not see any issues.

we have added the ssl peer map in the channel authentication records of mq , with the cn name same as the client certificate CN but still we did not get through it..

Looks like the certificate we use is not valid, so requested for valid entrust certificate for LISA server box.

You should be able to use the IBM Key Management tool to either generate a self-signed key/certificate inside the MQ server-side key store and export it for use with LISA, or import an external certificate into the MQ server-side key store.  The process is pretty straightforward but I can help you with it if you want.

Jagath,

Were you able to get this to work?

Regards,

Reid

Thanks , it got fixed long ago.. sorry I have not updated here 

What was the solution. can you please provide. I am able to deploy a MQ SSL based virtual service on the server and perform unit test,it works fine. But when I am trying to stage the same unit test on the server, it is throwing below error.

Exception Executing Messaging/ESB Step: com.ibm.mq.MQException: MQJE001: Completion Code '2', Reason '2059'. ============================================================================ | Step:        MQ ---------------------------------------------------------------------------- | Message:     MQJE001: Completion Code '2', Reason '2059'. ---------------------------------------------------------------------------- | Trapped Exception: MQJE001: Completion Code '2', Reason '2059'. | Trapped Message:   com.ibm.mq.MQException: MQJE001: Completion Code '2', Reason '2059'.

Caused by: com.ibm.mq.jmqi.JmqiException: CC=2;RC=2059;AMQ9204: Connection to host 'AU3CSQ1MQ.APPS.ANZ(1414)' rejected. [1=com.ibm.mq.jmqi.JmqiException[CC=2;RC=2059;AMQ9503: Channel negotiation failed. [3=AU3CSQ1.CSP.PNV]],3=AU3CSQ1MQ.APPS.ANZ(1414),5=RemoteConnection.analyseErrorSegment]      at com.ibm.mq.jmqi.remote.internal.RemoteFAP.jmqiConnect(RemoteFAP.java:2019)      at com.ibm.mq.jmqi.remote.internal.RemoteFAP.jmqiConnect(RemoteFAP.java:1233)      at com.ibm.mq.MQSESSION.MQCONNX_j(MQSESSION.java:915)      at com.ibm.mq.MQManagedConnectionJ11. <init>(MQManagedConnectionJ11.java:227)      ... 19 more Caused by: com.ibm.mq.jmqi.JmqiException: CC=2;RC=2059;AMQ9503: Channel negotiation failed. [3=AU3CSQ1.CSP.PNV]

> Channel negotiation failed

This error means usually means you are missing a client-side SSL certificate.  Maybe you have this installed on the VSE server but not on your Simulator server?