Troubleshooting
Problem
A WebSphere MQ queue manager or incoming client connection is failing to establish a secure channel using TLS (formerly SSL), and you need to collect MustGather data to find a solution.
Environment
These instructions apply only to WebSphere MQ V5.3.1 and V5.3 on HP NonStop Server. Refer to the IBM MQ Read First page for instructions on other operating systems.
Resolving The Problem
Please answer these questions about the problem and then follow the steps below:
- What TLS channel problem did you observe on the system?
- What time did the TLS channel problem start and when did it stop?
- Which specific channels and certificates are involved in the problem?
Step 1: Generate Data
If the TLS channel problem is reproducible or is happening right now, generate data to provide more information about the problem:
- If the problem occurs when starting a sending channel, generate a trace of the queue manager showing the channel start attempt.
- Generate MQ trace simultaneously at the other end of the channel.
Step 2: Collect Data
- Record the MQ version and maintenance level.
- Record the operating system version and maintenance level.
- From a Guardian prompt, display the VPROC output from the MQ amqcctca and amqcctca_r files:
- List the contents of the queue manager ssl directory. Guardian users should run the osh TACL command to switch to the OSS environment first and then source the var/mqm/wmqprofile script in order to use WebSphere MQ commands. For example:
- Display the WebSphere MQ CA certificates, securely passing your actual trust store password as suggested in the following example:
- Display the WebSphere MQ personal certificates, securely passing your actual certificate store password as suggested in the following example:
- Use runmqsc to record your queue manager, queues, channels and channel status information. If any command gives an error, carry on with the others:
- Use the sdcp script to package your files for IBM, including files containing the output from the commands listed in Steps 1 and 2.
Displaying the WebSphere MQ communications library VPROC output
TACL> VPROC AMQCCTCA
TACL> VPROC AMQCCTCA_R
Displaying the key store directory for queue manager QMA
osh> . /path/to/var/mqm/wmqprofile
osh> cd /path/to/var/mqm/qmgrs/QMA/ssl
osh> ls -al
Displaying the WebSphere MQ CA certificates
osh> openssl x509 -noout -in /path/to/var/mqm/qmgrs/QMA/ssl/trust.pem -passin file:<(echo -n "passw0rd") -issuer -subject -dates
Displaying the WebSphere MQ personal certificates
osh> openssl x509 -noout -in /path/to/var/mqm/qmgrs/QMA/ssl/cert.pem -passin file:<(echo -n "passw0rd") -issuer -subject -dates
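`openssl x509` reads only the first certificate in its input, so the two commands above show one entry per file even when a store holds several. The following added example (not part of the IBM procedure) splits a PEM file into its certificate blocks and runs the same display options on each one. The function names are hypothetical, and it assumes your trust.pem may hold more than one CA certificate and that `mktemp` is available in your shell.

```shell
#!/bin/sh
# Added example: hypothetical helper names, not part of the IBM procedure.

# split_pem_bundle FILE OUTDIR
# Copy each CERTIFICATE block in FILE to OUTDIR/cert-N.pem and print the
# number found. Key blocks and other text are skipped, so a private key
# stored alongside a certificate is never written to OUTDIR.
split_pem_bundle() {
    mkdir -p "$2" || return 1
    awk -v dir="$2" '
        /^-----BEGIN CERTIFICATE-----/ { n++; out = dir "/cert-" n ".pem"; keep = 1 }
        keep                           { print > out }
        /^-----END CERTIFICATE-----/   { if (keep) close(out); keep = 0 }
        END                            { print n + 0 }
    ' "$1"
}

# show_bundle_certs FILE
# Run the display options used on this page against every certificate in FILE.
# Assumes mktemp is available in the shell environment.
show_bundle_certs() {
    tmpdir=$(mktemp -d) || return 1
    count=$(split_pem_bundle "$1" "$tmpdir") || { rm -rf "$tmpdir"; return 1; }
    i=1
    while [ "$i" -le "$count" ]; do
        echo "== certificate $i of $count in $1"
        openssl x509 -noout -in "$tmpdir/cert-$i.pem" -issuer -subject -dates
        i=$((i + 1))
    done
    rm -rf "$tmpdir"
}

# Constructed sample with placeholder bodies (layout only, not parseable certificates):
# two certificates around an encrypted private key.
write_sample_bundle() {
    cat > "$1" <<'EOF'
-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQtQQ==
-----END CERTIFICATE-----
-----BEGIN ENCRYPTED PRIVATE KEY-----
Q09OU1RSVUNURUQtS0VZ
-----END ENCRYPTED PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQtQg==
-----END CERTIFICATE-----
EOF
}
```

Call `show_bundle_certs` with the path to trust.pem or cert.pem after sourcing wmqprofile, and redirect the output to a file for the package you send in Step 3.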
Recording queue manager, queue, channel and channel status information with runmqsc
DISPLAY QMGR ALL
DISPLAY QLOCAL(*) ALL
DISPLAY QALIAS(*) ALL
DISPLAY QREMOTE(*) ALL
DISPLAY CHANNEL(*) ALL
DISPLAY CHSTATUS(*) ALL
Step 3: Send Data to IBM
- Send your data to the IBM ECuRep repository by email to websphere_support@ecurep.ibm.com, or by standard or secure HTTP or FTP.
- While the data is transferring, send an email or use the IBM Service Request tool to update your PMR with your description of the problem and of the data you are sending.
- Contact your country representative if you need to speak to an IBM technical support representative, or in the US call 1-800-IBM-SERV. Refer to the IBM Software Support Handbook for more information on working with IBM.
A good description of the problem and the data is the most important information you can provide to IBM. Please do not send data without providing a description!
Product Synonym
WebSphere MQ WMQ
Document Information
Modified date: 22 June 2018
UID: swg21293920