How to reproduce MQ SSL connection error "Channel negotiation failed" in two way SSL.
Article ID: KB0084663
Updated On:
| Products | Versions |
|---|---|
| TIBCO ActiveMatrix BusinessWorks | - |
| Not Applicable | - |
Description
Description:
Once MQ server asks two way SSL and BW fails to send a client identity, you will get the error.
Caused by: com.ibm.mq.jmqi.JmqiException: CC=2;RC=2059;AMQ9204: Connection to host 'ncdap-tst1540.core.afcc.com(51515)' rejected. [1=com.ibm.mq.jmqi.JmqiException[CC=2;RC=2059;AMQ9503: Channel negotiation failed. [3=RNTSTBC01.SVRCONN]],3=ncdap-tst1540.core.afcc.com(51515),5=RemoteConnection.analyseErrorSegment]
Issue/Introduction
How to reproduce MQ SSL connection error "Channel negotiation failed" in two way SSL.
Resolution
1). Disable two way SSL in MQ Server side.
Find the channel used by the Connection Factory.
Open the property page and then the "SSL" tab.
Change the SSL Authentication from "must" to "optional".
2). Provide the correct identity for the "JMS Connection" connecting to the MQ Server in the BW project.
You could enable SSL tracing and check "*** CertificateRequest" sent by the MQ Server to see if the "identity" activity is configured correctly.
Or set the following in the .tra file to set the keystore and import client identity to the jks file.
java.property.javax.net.ssl.keyStore=/apps/tibco/certs/MQClient.jks
java.property.javax.net.ssl.keyStorePassword=password
java.property.javax.net.ssl.keyStoreType=JKS
Find the channel used by the Connection Factory.
Open the property page and then the "SSL" tab.
Change the SSL Authentication from "must" to "optional".
2). Provide the correct identity for the "JMS Connection" connecting to the MQ Server in the BW project.
You could enable SSL tracing and check "*** CertificateRequest" sent by the MQ Server to see if the "identity" activity is configured correctly.
java.property.TIBCO_SECURITY_VENDOR=j2se
java.property.javax.net.debug=ssl,plaintext,record,handshakeOr set the following in the .tra file to set the keystore and import client identity to the jks file.
java.property.javax.net.ssl.keyStore=/apps/tibco/certs/MQClient.jks
java.property.javax.net.ssl.keyStorePassword=password
java.property.javax.net.ssl.keyStoreType=JKS
See the attached (Filename: Channel_negotiation_failed.PNG and Channel_negotiation_failed.xml) for reference.
Additional Information
The expert MQ issue KB page http://www-01.ibm.com/support/docview.wss?uid=swg21614686
Check "Resolving the problem" and its "Cause 1".
Check "Resolving the problem" and its "Cause 1".
Attachments
Feedback
Yes
No
Powered by
