You are correct Morag, the problem was the load balancer, AWS Classic Load Balancer wouldn't keep the connection for a reason that I couldn't identify yet, but switching to a AWS NLB solved the problem, thanks so much for you help here.
Kind regards
Luis Specian
Original Message:
Sent: Wed August 23, 2023 06:37 AM
From: Morag Hughson
Subject: IBM MQ 9.3 migration of TLS certificates and Queue Manager Channels
TCP/IP return code 110 (ETIMEDOUT) suggests something is timing out. Odd that it is making it to the other side but then not being able to stay connected.
Certainly it is true that you need to get the channel to run successfully without TLS settings before there is any point is reinstating the SSLCIPH attribute. It cannot work until the clear channel can run.
I am not certain whether the internal address is an issue or not. It would appear it can resolve it to an IP address, and connect to it.
I would be somewhat concerned with the load balancer side of things though. What sort of load balancer. How does it know where to send the socket, etc. etc. Perhaps try without the load balancer first to rule that in/out as an issue.
Cheers,
Morag
------------------------------
Morag Hughson
MQ Technical Education Specialist
MQGem Software Limited
Website: https://www.mqgem.com
Original Message:
Sent: Wed August 23, 2023 04:12 AM
From: Luis Specian
Subject: IBM MQ 9.3 migration of TLS certificates and Queue Manager Channels
Hello Morag, thank so much for your message, it is a error that is quite misleading, now I have something else to looking into
I tested the channel with blank SSLCIPH,
On the receiver side I get
2023-08-23T07:25:49.141Z AMQ9002I: Channel 'test' is starting. [CommentInsert1(test)]
2023-08-23T07:25:49.141Z AMQ9299I: Channel 'test' has started. [CommentInsert1(test)]
2023-08-23T07:26:48.977Z AMQ9209E: Connection to host '10-20-101-209 (10.20.101.209)' for channel 'test' closed. [CommentInsert1(10-20-101-209 (10.20.101.209)), CommentInsert2(TCP/IP), CommentInsert3(test)]
2023-08-23T07:26:48.977Z AMQ9999E: Channel 'test' to host '10-20-101-209 (10.20.101.209)' ended abnormally. [CommentInsert1(test), CommentInsert2(577), CommentInsert3(10-20-101-209 (10.20.101.209))]
On the sender side I get
2023-08-23T07:25:49.109Z AMQ9002I: Channel 'test' is starting. [CommentInsert1(test)]
2023-08-23T07:25:49.142Z AMQ9299I: Channel 'test' has started. [CommentInsert1(test)]
2023-08-23T07:30:49.148Z AMQ9213E: A communications error for TCP/IP occurred. [ArithInsert1(110), ArithInsert2(110), CommentInsert1(10.20.107.254(1414)), CommentInsert2(TCP/IP), CommentInsert3(xcsCheckSocket)]
2023-08-23T07:30:49.149Z AMQ9999E: Channel 'test' to host 'internal-a5969e7f4a0954fcc99c7e07eec8155e-831577242.eu-central-1.elb.amazonaws.com(1414)' ended abnormally. [CommentInsert1(test), CommentInsert2(22259), CommentInsert3(internal-a5969e7f4a0954fcc99c7e07eec8155e-831577242.eu-central-1.elb.amazonaws.com(1414))]
I wonder if the fact that I'm using a AWS load balancer in the deployment design, and the address internal-a5969e7f4a0954fcc99c7e07eec8155e-831577242.eu-central-1.elb.amazonaws.com, might be a issue here.
------------------------------
Luis Specian
Original Message:
Sent: Tue August 22, 2023 03:50 PM
From: Morag Hughson
Subject: IBM MQ 9.3 migration of TLS certificates and Queue Manager Channels
Hi Luis,
RC=406 (GSK_ERROR_IO) in gsk_secure_soc_read happens when an error occurs during communication... in other words, the error isn't in the SSL processing, it's on the call to a socket API to retrieve/send data.
Does this channel work successfully without SSL (i.e. if you blank out the SSLCIPH on both ends of the channel)?
Are there any error messages at the other end of the channel that could shed further light on the reason for the communication error?
Cheers,
Morag
------------------------------
Morag Hughson
MQ Technical Education Specialist
MQGem Software Limited
Website: https://www.mqgem.com
Original Message:
Sent: Tue August 22, 2023 07:44 AM
From: Luis Specian
Subject: IBM MQ 9.3 migration of TLS certificates and Queue Manager Channels
Hello, I'm working on a migration of IBM MQ from linux box to containers, and I'm having a problem with the connectivity of Queue manager channels.
I have on one side a Receiver channel and a Sender channel on the other side, I copied the .kdb, .rdb and .sth files from the linux box deployment to the container deployment and I assume that after changing the address on the Sender channel, the connectivity should work, but I receiving the following error after a while:
2023-08-22T11:34:59.446Z AMQ9002I: Channel 'test' is starting. [CommentInsert1(test)]
2023-08-22T11:34:59.446Z AMQ9299I: Channel 'test' has started. [CommentInsert1(test)]
2023-08-22T11:35:58.712Z AMQ9638E: SSL communications error for channel 'test'. [ArithInsert1(406), CommentInsert1(test), CommentInsert2(gsk_secure_soc_read)]
2023-08-22T11:35:58.712Z AMQ9999E: Channel 'test' to host '10-20-129-176 (10.20.129.176)' ended abnormally. [CommentInsert1(test), CommentInsert2(577), CommentInsert3(10-20-129-176 (10.20.129.176))]
IBM MQ version 9.0.4.0 - Linux box
IBM MQ version 9.3.1.0 - container deployment
Is there any specific action I would have to take to have the connection working?
------------------------------
Luis Specian
------------------------------