TEC606483: MQ Agent cannot connect to MQ Server. ssl handshake failure. Reason code 2397 MQRC_JSSE_ERROR

Document created by Yanna Employee on May 26, 2016; last modified by SamCreek on May 26, 2016

Document ID:  TEC606483
Last Modified Date:  2/21/2014

Author: Yanna

  • Products
    • CA Application Performance Management
  • Releases
    • CA Application Performance Management:Release:9.1 SP2
    • CA Application Performance Management:Release:9.1.0
    • CA Application Performance Management:Release:9.1.1
    • CA Application Performance Management:Release:CA APM 9.5
  • Components
    • INTROSCOPE

Description:

The MQ Agent fails to connect to the MQ server when the SSL channel is configured to require client authentication.

When the SSL channel does not require client authentication (SSLCAUTH(OPTIONAL)), the agent connects normally; when the channel is set to require client authentication (SSLCAUTH(REQUIRED)), the connection fails.

Without SSL the agent connects normally, so the problem is confined to the TLS client-authentication step.

When a SHA- or MD5-based CipherSpec is configured on channel APM.SSL.SVRCONN, the client/MQ server negotiation throws a JSSE exception. This happens even though the MQ server certificate has been imported into the client truststore and the client certificate has been imported into the server, so the failure is not a missing trust anchor.

The following messages are logged in the Agent Log:

[ERROR] [com.wily.powerpack.websphereMQ.agent.MQMonitor.TracerDriverThread] MQMonitor: For configuration instance MQAPMTST@test_dev_machine and the drivers(namelist,cluster) an error occurred in sending query to MQ. The target MQ (test_dev_machine:port#) may be down. Reason code 2397 MQRC_JSSE_ERROR

An openssl probe of the listener from the agent host shows the same handshake failure:

$ openssl s_client -connect test_dev_machine:port# -prexit
CONNECTED(00000003)
14815:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:188

Note that this probe presents no client certificate (no -cert/-key), so it is expected to fail against a channel that requires client authentication whatever the state of the agent keystore; it only confirms that the listener answers TLS.

Solution:

The root cause has two parts:

1) The keystore contains extraneous private keys: one issued by a Local CA, and another issued by an OpenSSL CA that the MQ administrator generated. The agent selected the Local CA key instead of the OpenSSL CA key that the MQ server requires; the key the MQ server expects must be the one presented.

To resolve this, the truststore was reduced to a single trustedCertEntry and the keystore was reduced to a single PrivateKeyEntry.

2) The keystore password is 'AAA', but the private key inside it (alias ibmwebspheremqTest_Dev) has a different password, 'BBB'.

This produces "Unable to recover key" errors when the agent starts and tries to negotiate the MQ SSL connection, because the agent uses the single keystore.password value from MQMonitor.properties for both the store and the key.

Resolution:

Keep a single private key in the keystore, and make sure the keystore password and the imported private key's password are both identical to the keystore.password value in MQMonitor.properties.
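The following script is an added example, not part of this knowledge base article or of CA APM, showing how to enforce the resolution above with keytool on a JKS keystore: it checks the store for stray PrivateKeyEntry entries and deletes all but the one the MQ server expects (factor 1), sets the private key password equal to the keystore password and proves the key is recoverable with it (factor 2), and checks that the truststore holds a single trustedCertEntry. The file names agent.jks and agent_trust.jks, the passwords AAA and BBB, and the embedded keytool listing are assumptions constructed for the example; the alias is the one named in the article.

```shell
#!/bin/sh
# Added example (not from the CA article): apply the article's resolution with keytool.
# Assumed (hypothetical) names: agent.jks, agent_trust.jks, alias ibmwebspheremqTest_Dev,
# keystore password AAA (= keystore.password in MQMonitor.properties), old key password BBB.
# JKS only: keytool -keypasswd is not available for PKCS12 stores.
KEYSTORE=${KEYSTORE:-agent.jks}
TRUSTSTORE=${TRUSTSTORE:-agent_trust.jks}
ALIAS=${ALIAS:-ibmwebspheremqTest_Dev}
STOREPASS=${STOREPASS:-AAA}
OLDKEYPASS=${OLDKEYPASS:-BBB}

# Constructed sample of `keytool -list` output for the broken keystore in the article:
# two PrivateKeyEntry entries (the OpenSSL CA-issued MQ key and the stray Local CA key).
# JKS aliases are case-insensitive and keytool prints them in lower case.
SAMPLE_LISTING='Keystore type: JKS
Keystore provider: SUN

Your keystore contains 3 entries

ibmwebspheremqtest_dev, May 26, 2016, PrivateKeyEntry,
Certificate fingerprint (SHA1): 11:22:33
localca, May 26, 2016, PrivateKeyEntry,
Certificate fingerprint (SHA1): 44:55:66
mqserver, May 26, 2016, trustedCertEntry,
Certificate fingerprint (SHA1): 77:88:99'

# Count entries of one type (PrivateKeyEntry / trustedCertEntry) in a listing read from stdin.
count_entries() {
    awk -v t="$1" 'index($0, ", " t ",") { n++ } END { print n + 0 }'
}

# Succeed only when the listing on stdin holds exactly one entry of the given type.
exactly_one() {
    [ "$(count_entries "$1")" -eq 1 ]
}

# Print the aliases of all entries of the given type from a listing on stdin.
list_aliases() {
    awk -v t="$1" 'index($0, ", " t ",") { sub(/,.*/, ""); print }'
}

lower() { printf '%s' "$1" | tr 'A-Z' 'a-z'; }

# Factor 1: delete every PrivateKeyEntry except the one the MQ server expects,
# then confirm a single private key remains.
prune_extra_keys() {
    ks=$1; keep=$2; pass=$3
    listing=$(keytool -list -keystore "$ks" -storepass "$pass")
    printf '%s\n' "$listing" | list_aliases PrivateKeyEntry | while read -r a; do
        [ "$(lower "$a")" = "$(lower "$keep")" ] && continue
        echo "removing extra private key '$a' from $ks"
        keytool -delete -keystore "$ks" -storepass "$pass" -alias "$a"
    done
    keytool -list -keystore "$ks" -storepass "$pass" | exactly_one PrivateKeyEntry
}

# Factor 2: make the private-key password equal to the keystore password, then prove the
# key is recoverable with it (-certreq needs the key password and fails with an
# unrecoverable-key error when it is wrong; the CSR it prints is discarded).
align_key_password() {
    ks=$1; alias=$2; pass=$3; oldkeypass=$4
    keytool -keypasswd -keystore "$ks" -alias "$alias" \
        -storepass "$pass" -keypass "$oldkeypass" -new "$pass"
    keytool -certreq -keystore "$ks" -alias "$alias" \
        -storepass "$pass" -keypass "$pass" >/dev/null
}

# Run the real procedure only where keytool and both stores exist; otherwise
# demonstrate the checks on the constructed sample listing.
if command -v keytool >/dev/null 2>&1 && [ -f "$KEYSTORE" ] && [ -f "$TRUSTSTORE" ]; then
    prune_extra_keys "$KEYSTORE" "$ALIAS" "$STOREPASS"
    align_key_password "$KEYSTORE" "$ALIAS" "$STOREPASS" "$OLDKEYPASS"
    keytool -list -keystore "$TRUSTSTORE" -storepass "$STOREPASS" | exactly_one trustedCertEntry \
        || echo "warning: $TRUSTSTORE should hold a single trustedCertEntry (the MQ server certificate)" >&2
else
    echo "keytool or stores not found; checking the constructed sample listing instead"
    printf '%s\n' "$SAMPLE_LISTING" | exactly_one PrivateKeyEntry \
        || echo "sample keystore has $(printf '%s\n' "$SAMPLE_LISTING" | count_entries PrivateKeyEntry) private keys: $(printf '%s\n' "$SAMPLE_LISTING" | list_aliases PrivateKeyEntry | tr '\n' ' ')"
fi
```

Run it on the agent host with KEYSTORE, TRUSTSTORE, STOREPASS and OLDKEYPASS set for your installation; if align_key_password fails at the -certreq step, the key password still differs from keystore.password and the agent will keep logging MQRC_JSSE_ERROR.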
