MQ

Hello All,

We have configured a Queue Manager in GCP and we would like to connect to a partner now over SSL. The QM docker container was picked from Dockerhub: Docker Hubhttps://hub.docker.com/r/ibmcom/mq/ initially and then from the deprecation notification: icr.io/ibm-messaging/mq:9.2.5.0-r1

We have modified the configuration to mount persistent  storage and edited the qm.ini to disable OCSP check. The connection to and from the partner works fine without SSL. When SSL is enabled, we can start our SDR channel successfully but their attempt to start the SDR from their end doesn't succeed. There are no FDCs and nothing obvious from the logs that suggest a possible issue. We looked at the network traffic and see that there are some initial packet exchanges, then there is silence for over 5 minutes and by close to the 6th minute a reset connection is issued from our end.

SSL CIPH being used is TLS_RSA_WITH_AES_256_CBC_SHA256.

bash-4.4$ dspmqver

Name:        IBM MQ
Version:     9.2.5.0
Level:       p925-L220208.DE
BuildType:   IKAP - (Production)
Platform:    IBM MQ for Linux (x86-64 platform)
Mode:        64-bit
O/S:         Linux 5.4.170+
O/S Details: Red Hat Enterprise Linux 8.5 (Ootpa)
InstName:    Installation1
InstDesc:    IBM MQ V9.2.5.0 (Unzipped)
Primary:     N/A
InstPath:    /opt/mqm
DataPath:    /mnt/mqm/data
MaxCmdLevel: 925
LicenseType: Developer

 
Any help in identifying the issue will be appreciated.

Regards,
BA

------------------------------
B Abraham
------------------------------

Thanks for sharing the error messages that your messaging partner experiences when it starts its SDR.
Do the logs on your side indicate that something tried to connect with?

------------------------------
Matthias Jungbauer
------------------------------

Original Message:
Sent: Mon April 04, 2022 07:18 PM
From: B Abraham
Subject: SSL Connectivity Issues

Hello All,

We have configured a Queue Manager in GCP and we would like to connect to a partner now over SSL. The QM docker container was picked from Dockerhub: Docker Hubhttps://hub.docker.com/r/ibmcom/mq/ initially and then from the deprecation notification: icr.io/ibm-messaging/mq:9.2.5.0-r1

We have modified the configuration to mount persistent  storage and edited the qm.ini to disable OCSP check. The connection to and from the partner works fine without SSL. When SSL is enabled, we can start our SDR channel successfully but their attempt to start the SDR from their end doesn't succeed. There are no FDCs and nothing obvious from the logs that suggest a possible issue. We looked at the network traffic and see that there are some initial packet exchanges, then there is silence for over 5 minutes and by close to the 6th minute a reset connection is issued from our end.

SSL CIPH being used is TLS_RSA_WITH_AES_256_CBC_SHA256.

bash-4.4$ dspmqver

Name:        IBM MQ
Version:     9.2.5.0
Level:       p925-L220208.DE
BuildType:   IKAP - (Production)
Platform:    IBM MQ for Linux (x86-64 platform)
Mode:        64-bit
O/S:         Linux 5.4.170+
O/S Details: Red Hat Enterprise Linux 8.5 (Ootpa)
InstName:    Installation1
InstDesc:    IBM MQ V9.2.5.0 (Unzipped)
Primary:     N/A
InstPath:    /opt/mqm
DataPath:    /mnt/mqm/data
MaxCmdLevel: 925
LicenseType: Developer

 
Any help in identifying the issue will be appreciated.

Regards,
BA

------------------------------
B Abraham
------------------------------

What does DISPLAY CHSTATUS(chl-name) show in the SUBSTATE field - both ends.

------------------------------
Morag Hughson
MQ Technical Education Specialist
MQGem Software Limited
Website: https://www.mqgem.com
------------------------------

Original Message:
Sent: Mon April 04, 2022 07:18 PM
From: B Abraham
Subject: SSL Connectivity Issues

Hello All,

We have configured a Queue Manager in GCP and we would like to connect to a partner now over SSL. The QM docker container was picked from Dockerhub: Docker Hubhttps://hub.docker.com/r/ibmcom/mq/ initially and then from the deprecation notification: icr.io/ibm-messaging/mq:9.2.5.0-r1

We have modified the configuration to mount persistent  storage and edited the qm.ini to disable OCSP check. The connection to and from the partner works fine without SSL. When SSL is enabled, we can start our SDR channel successfully but their attempt to start the SDR from their end doesn't succeed. There are no FDCs and nothing obvious from the logs that suggest a possible issue. We looked at the network traffic and see that there are some initial packet exchanges, then there is silence for over 5 minutes and by close to the 6th minute a reset connection is issued from our end.

SSL CIPH being used is TLS_RSA_WITH_AES_256_CBC_SHA256.

bash-4.4$ dspmqver

Name:        IBM MQ
Version:     9.2.5.0
Level:       p925-L220208.DE
BuildType:   IKAP - (Production)
Platform:    IBM MQ for Linux (x86-64 platform)
Mode:        64-bit
O/S:         Linux 5.4.170+
O/S Details: Red Hat Enterprise Linux 8.5 (Ootpa)
InstName:    Installation1
InstDesc:    IBM MQ V9.2.5.0 (Unzipped)
Primary:     N/A
InstPath:    /opt/mqm
DataPath:    /mnt/mqm/data
MaxCmdLevel: 925
LicenseType: Developer

 
Any help in identifying the issue will be appreciated.

Regards,
BA

------------------------------
B Abraham
------------------------------

Hello Morag,

At our end, the receiver channel does not show any status as such and hence we won't have a substate.  The sender side is on z/OS and the channel goes into a BINDING until it gets disconnected.

Strangely we saw the channel in RUNNING state a couple of times but it took more than 13 minutes for the connection to establish. Sequence of events:

1. SDR initiates a manual channel start
2. TCP packets gets exchanged between SDR/RCV
3. No packets for about 6 minutes
4. RCVR sends a RESET
5 SDR Retries and connection gets established.

Below is the log from SDR side as shared by them:

10.46.45 STC20407 +CSQX500I MQ@U CSQXRCTL Channel XXXX_03021102.C1 started manual channel start

10.59.00 STC20407 +CSQX208E MQ@U CSQXRCTL Error receiving data, 668 error received after 13 minutes
668 channel XXXX_YYYYYYYY.C1
668 connection xx.xx.xx.xx
668 (queue manager ????)
668 TRPTYPE=TCP RC=00000461 (ECONNRESET) reason=769E0291
10.59.00 STC20407 +CSQX638E MQ@U CSQXRCTL SSL communications error for channel
669 XXXX_YYYYYYYY.C1, connection xx.xx.xx.xx
10.59.00 STC20407 +CSQX599E MQ@U CSQXRCTL Channel XXXX_YYYYYYYY.C1 ended abnormally

10.59.00 STC20407 +CSQX500I MQ@U CSQXRCTL Channel XXXX_YYYYYYYY.C1 started channel actually starts session

11.07.35 STC20407 +CSQX545I MQ@U CSQXRCTL Channel XXXX_YYYYYYYY.C1 closing because disconnect interval expires
522 disconnect interval expired
11.07.35 STC20407 +CSQX501I MQ@U CSQXRCTL Channel XXXX_YYYYYYYY.C1 no longer active channel goes into INACTIVE state

A repeat of the above.

11.11.42 STC20407 +CSQX500I MQ@U CSQXRCTL Channel XXXX_YYYYYYYY.C1 started

11.24.00 STC20407 +CSQX208E MQ@U CSQXRCTL Error receiving data, 894
894 channel XXXX_YYYYYYYY.C1
894 connection xx.xx.xx.xx
894 (queue manager ????)
894 TRPTYPE=TCP RC=00000461 (ECONNRESET) reason=769E0291

11.24.00 STC20407 +CSQX638E MQ@U CSQXRCTL SSL communications error for channel
896 XXXX_YYYYYYYY.C1, connection xx.xx.xx.xx
11.24.00 STC20407 +CSQX599E MQ@U CSQXRCTL Channel XXXX_YYYYYYYY.C1 ended abnormally

11.24.08 STC20407 +CSQX500I MQ@U CSQXRCTL Channel XXXX_YYYYYYYY.C1 started
11.29.09 STC20407 +CSQX545I MQ@U CSQXRCTL Channel DTC0U_03021102.C1 closing because
582 disconnect interval expired
11.29.09 STC20407 +CSQX501I MQ@U CSQXRCTL Channel DTC0U_03021102.C1 no longer active

Regards,
BA

------------------------------
B Abraham
------------------------------

Original Message:
Sent: Tue April 05, 2022 03:17 PM
From: Morag Hughson
Subject: SSL Connectivity Issues

What does DISPLAY CHSTATUS(chl-name) show in the SUBSTATE field - both ends.

------------------------------
Morag Hughson
MQ Technical Education Specialist
MQGem Software Limited
Website: https://www.mqgem.com

Original Message:
Sent: Mon April 04, 2022 07:18 PM
From: B Abraham
Subject: SSL Connectivity Issues

Hello All,

We have configured a Queue Manager in GCP and we would like to connect to a partner now over SSL. The QM docker container was picked from Dockerhub: Docker Hubhttps://hub.docker.com/r/ibmcom/mq/ initially and then from the deprecation notification: icr.io/ibm-messaging/mq:9.2.5.0-r1

We have modified the configuration to mount persistent  storage and edited the qm.ini to disable OCSP check. The connection to and from the partner works fine without SSL. When SSL is enabled, we can start our SDR channel successfully but their attempt to start the SDR from their end doesn't succeed. There are no FDCs and nothing obvious from the logs that suggest a possible issue. We looked at the network traffic and see that there are some initial packet exchanges, then there is silence for over 5 minutes and by close to the 6th minute a reset connection is issued from our end.

SSL CIPH being used is TLS_RSA_WITH_AES_256_CBC_SHA256.

bash-4.4$ dspmqver

Name:        IBM MQ
Version:     9.2.5.0
Level:       p925-L220208.DE
BuildType:   IKAP - (Production)
Platform:    IBM MQ for Linux (x86-64 platform)
Mode:        64-bit
O/S:         Linux 5.4.170+
O/S Details: Red Hat Enterprise Linux 8.5 (Ootpa)
InstName:    Installation1
InstDesc:    IBM MQ V9.2.5.0 (Unzipped)
Primary:     N/A
InstPath:    /opt/mqm
DataPath:    /mnt/mqm/data
MaxCmdLevel: 925
LicenseType: Developer

 
Any help in identifying the issue will be appreciated.

Regards,
BA

------------------------------
B Abraham
------------------------------

And so what is the SUBSTATE of the SENDER channel? That will show how far through the BINDING process the channel has got.

------------------------------
Morag Hughson
MQ Technical Education Specialist
MQGem Software Limited
Website: https://www.mqgem.com
------------------------------

Original Message:
Sent: Tue April 05, 2022 06:02 PM
From: B Abraham
Subject: SSL Connectivity Issues

Hello Morag,

At our end, the receiver channel does not show any status as such and hence we won't have a substate.  The sender side is on z/OS and the channel goes into a BINDING until it gets disconnected.

Strangely we saw the channel in RUNNING state a couple of times but it took more than 13 minutes for the connection to establish. Sequence of events:

1. SDR initiates a manual channel start
2. TCP packets gets exchanged between SDR/RCV
3. No packets for about 6 minutes
4. RCVR sends a RESET
5 SDR Retries and connection gets established.

Below is the log from SDR side as shared by them:

10.46.45 STC20407 +CSQX500I MQ@U CSQXRCTL Channel XXXX_03021102.C1 started manual channel start

10.59.00 STC20407 +CSQX208E MQ@U CSQXRCTL Error receiving data, 668 error received after 13 minutes
668 channel XXXX_YYYYYYYY.C1
668 connection xx.xx.xx.xx
668 (queue manager ????)
668 TRPTYPE=TCP RC=00000461 (ECONNRESET) reason=769E0291
10.59.00 STC20407 +CSQX638E MQ@U CSQXRCTL SSL communications error for channel
669 XXXX_YYYYYYYY.C1, connection xx.xx.xx.xx
10.59.00 STC20407 +CSQX599E MQ@U CSQXRCTL Channel XXXX_YYYYYYYY.C1 ended abnormally

10.59.00 STC20407 +CSQX500I MQ@U CSQXRCTL Channel XXXX_YYYYYYYY.C1 started channel actually starts session

11.07.35 STC20407 +CSQX545I MQ@U CSQXRCTL Channel XXXX_YYYYYYYY.C1 closing because disconnect interval expires
522 disconnect interval expired
11.07.35 STC20407 +CSQX501I MQ@U CSQXRCTL Channel XXXX_YYYYYYYY.C1 no longer active channel goes into INACTIVE state

A repeat of the above.

11.11.42 STC20407 +CSQX500I MQ@U CSQXRCTL Channel XXXX_YYYYYYYY.C1 started

11.24.00 STC20407 +CSQX208E MQ@U CSQXRCTL Error receiving data, 894
894 channel XXXX_YYYYYYYY.C1
894 connection xx.xx.xx.xx
894 (queue manager ????)
894 TRPTYPE=TCP RC=00000461 (ECONNRESET) reason=769E0291

11.24.00 STC20407 +CSQX638E MQ@U CSQXRCTL SSL communications error for channel
896 XXXX_YYYYYYYY.C1, connection xx.xx.xx.xx
11.24.00 STC20407 +CSQX599E MQ@U CSQXRCTL Channel XXXX_YYYYYYYY.C1 ended abnormally

11.24.08 STC20407 +CSQX500I MQ@U CSQXRCTL Channel XXXX_YYYYYYYY.C1 started
11.29.09 STC20407 +CSQX545I MQ@U CSQXRCTL Channel DTC0U_03021102.C1 closing because
582 disconnect interval expired
11.29.09 STC20407 +CSQX501I MQ@U CSQXRCTL Channel DTC0U_03021102.C1 no longer active

Regards,
BA

------------------------------
B Abraham

Original Message:
Sent: Tue April 05, 2022 03:17 PM
From: Morag Hughson
Subject: SSL Connectivity Issues

What does DISPLAY CHSTATUS(chl-name) show in the SUBSTATE field - both ends.

------------------------------
Morag Hughson
MQ Technical Education Specialist
MQGem Software Limited
Website: https://www.mqgem.com

Original Message:
Sent: Mon April 04, 2022 07:18 PM
From: B Abraham
Subject: SSL Connectivity Issues

Hello All,

We have configured a Queue Manager in GCP and we would like to connect to a partner now over SSL. The QM docker container was picked from Dockerhub: Docker Hubhttps://hub.docker.com/r/ibmcom/mq/ initially and then from the deprecation notification: icr.io/ibm-messaging/mq:9.2.5.0-r1

We have modified the configuration to mount persistent  storage and edited the qm.ini to disable OCSP check. The connection to and from the partner works fine without SSL. When SSL is enabled, we can start our SDR channel successfully but their attempt to start the SDR from their end doesn't succeed. There are no FDCs and nothing obvious from the logs that suggest a possible issue. We looked at the network traffic and see that there are some initial packet exchanges, then there is silence for over 5 minutes and by close to the 6th minute a reset connection is issued from our end.

SSL CIPH being used is TLS_RSA_WITH_AES_256_CBC_SHA256.

bash-4.4$ dspmqver

Name:        IBM MQ
Version:     9.2.5.0
Level:       p925-L220208.DE
BuildType:   IKAP - (Production)
Platform:    IBM MQ for Linux (x86-64 platform)
Mode:        64-bit
O/S:         Linux 5.4.170+
O/S Details: Red Hat Enterprise Linux 8.5 (Ootpa)
InstName:    Installation1
InstDesc:    IBM MQ V9.2.5.0 (Unzipped)
Primary:     N/A
InstPath:    /opt/mqm
DataPath:    /mnt/mqm/data
MaxCmdLevel: 925
LicenseType: Developer

 
Any help in identifying the issue will be appreciated.

Regards,
BA

------------------------------
B Abraham
------------------------------

Hello Morag,

Below is what we have been provided by the partner QM on the channel status:

display chstatus(XXXXX_YYYYYYYY.C1) all

CHSTATUS(XXXXX_YYYYYYYY.C1)
CHLDISP(PRIVATE)
XMITQ(XXXXX_YYYYYYYY.XMT01)
CONNAME(10.12.34.56(1414))
CURRENT
CHLTYPE(SDR)
STATUS(BINDING)
SUBSTATE(SSLHANDSHK)
INDOUBT(NO)
LSTSEQNO(0)
LSTLUWID(0000000000000000)
CURMSGS(0)
CURSEQNO(0)
CURLUWID(0000000000000000)
LSTMSGTI()
LSTMSGDA()
MSGS(0)
BYTSSENT(0)
BYTSRCVD(0)
BATCHES(0)
CHSTATI(15.48.08)
CHSTADA(2022-04-07)
BUFSSENT(0)
BUFSRCVD(0)
LONGRTS(999999871)
SHORTRTS(0)
MONCHL(OFF)
STOPREQ(NO)
KAINT(0)
QMNAME(MQMU)
RQMNAME()
SECPROT(NONE)
SSLCERTI()
SSLCERTU()
SSLCIPH()
SSLRKEYS(0)
SSLKEYTI()
SSLKEYDA()
SSLPEER()
RPRODUCT()
RVERSION()
STATCHL(OFF)
LOCLADDR()
BATCHSZ(50)
MAXMSGL(4194304)
COMPHDR(
NONE
NONE
)
COMPMSG(
NONE
NONE
)
HBINT(300)
NPMSPEED(NORMAL)
END CHSTATUS DETAILS


------------------------------
B Abraham
------------------------------

Original Message:
Sent: Tue April 05, 2022 06:09 PM
From: Morag Hughson
Subject: SSL Connectivity Issues

And so what is the SUBSTATE of the SENDER channel? That will show how far through the BINDING process the channel has got.

------------------------------
Morag Hughson
MQ Technical Education Specialist
MQGem Software Limited
Website: https://www.mqgem.com

Original Message:
Sent: Tue April 05, 2022 06:02 PM
From: B Abraham
Subject: SSL Connectivity Issues

Hello Morag,

At our end, the receiver channel does not show any status as such and hence we won't have a substate.  The sender side is on z/OS and the channel goes into a BINDING until it gets disconnected.

Strangely we saw the channel in RUNNING state a couple of times but it took more than 13 minutes for the connection to establish. Sequence of events:

1. SDR initiates a manual channel start
2. TCP packets gets exchanged between SDR/RCV
3. No packets for about 6 minutes
4. RCVR sends a RESET
5 SDR Retries and connection gets established.

Below is the log from SDR side as shared by them:

10.46.45 STC20407 +CSQX500I MQ@U CSQXRCTL Channel XXXX_03021102.C1 started manual channel start

10.59.00 STC20407 +CSQX208E MQ@U CSQXRCTL Error receiving data, 668 error received after 13 minutes
668 channel XXXX_YYYYYYYY.C1
668 connection xx.xx.xx.xx
668 (queue manager ????)
668 TRPTYPE=TCP RC=00000461 (ECONNRESET) reason=769E0291
10.59.00 STC20407 +CSQX638E MQ@U CSQXRCTL SSL communications error for channel
669 XXXX_YYYYYYYY.C1, connection xx.xx.xx.xx
10.59.00 STC20407 +CSQX599E MQ@U CSQXRCTL Channel XXXX_YYYYYYYY.C1 ended abnormally

10.59.00 STC20407 +CSQX500I MQ@U CSQXRCTL Channel XXXX_YYYYYYYY.C1 started channel actually starts session

11.07.35 STC20407 +CSQX545I MQ@U CSQXRCTL Channel XXXX_YYYYYYYY.C1 closing because disconnect interval expires
522 disconnect interval expired
11.07.35 STC20407 +CSQX501I MQ@U CSQXRCTL Channel XXXX_YYYYYYYY.C1 no longer active channel goes into INACTIVE state

A repeat of the above.

11.11.42 STC20407 +CSQX500I MQ@U CSQXRCTL Channel XXXX_YYYYYYYY.C1 started

11.24.00 STC20407 +CSQX208E MQ@U CSQXRCTL Error receiving data, 894
894 channel XXXX_YYYYYYYY.C1
894 connection xx.xx.xx.xx
894 (queue manager ????)
894 TRPTYPE=TCP RC=00000461 (ECONNRESET) reason=769E0291

11.24.00 STC20407 +CSQX638E MQ@U CSQXRCTL SSL communications error for channel
896 XXXX_YYYYYYYY.C1, connection xx.xx.xx.xx
11.24.00 STC20407 +CSQX599E MQ@U CSQXRCTL Channel XXXX_YYYYYYYY.C1 ended abnormally

11.24.08 STC20407 +CSQX500I MQ@U CSQXRCTL Channel XXXX_YYYYYYYY.C1 started
11.29.09 STC20407 +CSQX545I MQ@U CSQXRCTL Channel DTC0U_03021102.C1 closing because
582 disconnect interval expired
11.29.09 STC20407 +CSQX501I MQ@U CSQXRCTL Channel DTC0U_03021102.C1 no longer active

Regards,
BA

------------------------------
B Abraham

Original Message:
Sent: Tue April 05, 2022 03:17 PM
From: Morag Hughson
Subject: SSL Connectivity Issues

What does DISPLAY CHSTATUS(chl-name) show in the SUBSTATE field - both ends.

------------------------------
Morag Hughson
MQ Technical Education Specialist
MQGem Software Limited
Website: https://www.mqgem.com

Original Message:
Sent: Mon April 04, 2022 07:18 PM
From: B Abraham
Subject: SSL Connectivity Issues

Hello All,

We have configured a Queue Manager in GCP and we would like to connect to a partner now over SSL. The QM docker container was picked from Dockerhub: Docker Hubhttps://hub.docker.com/r/ibmcom/mq/ initially and then from the deprecation notification: icr.io/ibm-messaging/mq:9.2.5.0-r1

We have modified the configuration to mount persistent  storage and edited the qm.ini to disable OCSP check. The connection to and from the partner works fine without SSL. When SSL is enabled, we can start our SDR channel successfully but their attempt to start the SDR from their end doesn't succeed. There are no FDCs and nothing obvious from the logs that suggest a possible issue. We looked at the network traffic and see that there are some initial packet exchanges, then there is silence for over 5 minutes and by close to the 6th minute a reset connection is issued from our end.

SSL CIPH being used is TLS_RSA_WITH_AES_256_CBC_SHA256.

bash-4.4$ dspmqver

Name:        IBM MQ
Version:     9.2.5.0
Level:       p925-L220208.DE
BuildType:   IKAP - (Production)
Platform:    IBM MQ for Linux (x86-64 platform)
Mode:        64-bit
O/S:         Linux 5.4.170+
O/S Details: Red Hat Enterprise Linux 8.5 (Ootpa)
InstName:    Installation1
InstDesc:    IBM MQ V9.2.5.0 (Unzipped)
Primary:     N/A
InstPath:    /opt/mqm
DataPath:    /mnt/mqm/data
MaxCmdLevel: 925
LicenseType: Developer

 
Any help in identifying the issue will be appreciated.

Regards,
BA

------------------------------
B Abraham
------------------------------