Some time after an installation or upgrade you can run into error AMQ9716. It basically means that your MQ is trying to contact an OCSP server even if you are not using one.
To fix it you need to do the following:
Windows:
amqmdain reg QMGRNAME -c add -s SSL -v OCSPAuthentication=OPTIONAL
Linux:
Add to /var/mqm/qmgrs/QMGRNAME/qm.ini:
SSL:
   OCSPAuthentication=OPTIONAL
The key word there is OPTIONAL, since by default the value is always REQUIRED.
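As an added example (not code from the original post or from IBM MQ), the Python below parses the qm.ini stanza layout used above, reports which OCSPAuthentication value MQ will actually apply (REQUIRED when the attribute is absent, as the post notes) and rewrites the SSL stanza to a chosen value without duplicating the line. The sample qm.ini text, its other attributes and the helper names are constructed for this example; the WARN value is taken from the MQ documentation rather than from the post.

```python
"""Audit and patch OCSPAuthentication in an IBM MQ qm.ini (added example).

Assumed qm.ini layout, as shown in the post: a stanza name followed by a
colon on its own line, then indented Key=Value lines; '#' starts a comment.
"""
import re
from typing import Dict, List

# MQ applies REQUIRED when the attribute is missing (the default the post mentions).
DEFAULT_OCSP_AUTH = "REQUIRED"
VALID_VALUES = {"REQUIRED", "OPTIONAL", "WARN"}

# Constructed sample: an SSL stanza exists, but OCSPAuthentication is not set.
SAMPLE_QM_INI = """\
#* Module Name: qm.ini (constructed sample)
ExitPath:
   ExitsDefaultPath=/var/mqm/exits
Log:
   LogPrimaryFiles=3
   LogFilePages=4096
SSL:
   SSLCryptoHardware=
Channels:
   MaxChannels=100
"""

_STANZA_RE = re.compile(r"^([A-Za-z][A-Za-z0-9]*):\s*$")
_ATTR_RE = re.compile(r"^\s+([A-Za-z][A-Za-z0-9]*)\s*=\s*(.*?)\s*$")


def parse_qm_ini(text: str) -> Dict[str, Dict[str, str]]:
    """Parse qm.ini text into {stanza: {key: value}}; a repeated key keeps the last value."""
    stanzas: Dict[str, Dict[str, str]] = {}
    current = None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = _STANZA_RE.match(line)
        if m:
            current = m.group(1)
            stanzas.setdefault(current, {})
            continue
        a = _ATTR_RE.match(line)
        if a and current is not None:
            stanzas[current][a.group(1)] = a.group(2)
    return stanzas


def effective_ocsp_authentication(text: str) -> str:
    """Return the value MQ will use, honouring the REQUIRED default when the line is absent."""
    ssl = parse_qm_ini(text).get("SSL", {})
    return ssl.get("OCSPAuthentication", DEFAULT_OCSP_AUTH).upper()


def describe_ocsp_setting(value: str) -> str:
    """Plain-language effect of each value on a channel whose revocation check fails."""
    return {
        "REQUIRED": "channel does not start unless revocation status can be determined (AMQ9716)",
        "OPTIONAL": "channel starts when revocation status cannot be determined; revoked certificates are still rejected",
        "WARN": "channel starts as with OPTIONAL, but a warning is written to the error log",
    }[value.upper()]


def set_ocsp_authentication(text: str, value: str) -> str:
    """Return qm.ini text with SSL/OCSPAuthentication set to value, replacing an existing line
    or adding one (and an SSL stanza if there is none)."""
    value = value.upper()
    if value not in VALID_VALUES:
        raise ValueError(f"unsupported OCSPAuthentication value: {value}")
    new_line = f"   OCSPAuthentication={value}"
    out: List[str] = []
    in_ssl = seen_ssl = written = False
    for line in text.splitlines():
        m = _STANZA_RE.match(line)
        if m:
            if in_ssl and not written:      # leaving an SSL stanza that lacked the line
                out.append(new_line)
                written = True
            in_ssl = m.group(1) == "SSL"
            seen_ssl = seen_ssl or in_ssl
            out.append(line)
            continue
        a = _ATTR_RE.match(line)
        if in_ssl and a and a.group(1) == "OCSPAuthentication":
            out.append(new_line)            # replace the existing line in place
            written = True
            continue
        out.append(line)
    if in_ssl and not written:              # SSL was the last stanza in the file
        out.append(new_line)
    if not seen_ssl:                        # no SSL stanza at all: append one
        out.extend(["SSL:", new_line])
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    current = effective_ocsp_authentication(SAMPLE_QM_INI)
    print(f"effective OCSPAuthentication: {current} -> {describe_ocsp_setting(current)}")
    print(set_ocsp_authentication(SAMPLE_QM_INI, "OPTIONAL"))
```

Because OPTIONAL lets a channel start when the responder is unreachable or does not know the certificate, the audit half of the script (effective_ocsp_authentication) is the part worth running regularly: it makes an implicit REQUIRED and an explicit OPTIONAL equally visible, so a relaxed setting is a deliberate, recorded choice rather than a leftover from troubleshooting.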
AMQ9716: Remote SSL certificate revocation status check failed for channel
'????'.
EXPLANATION:
WebSphere MQ failed to determine the revocation status of the remote SSL
certificate for one of the following reasons:
(a) The channel was unable to contact any of the CRL servers or OCSP responders
for the certificate.
(b) None of the OCSP responders contacted knows the revocation status of the
certificate.
(c) An OCSP response was received, but the digital signature of the response
could not be verified.
The details of the certificate in question are '[IssuerName=]CN=XXX,O=XXX,C=UA[Serial#=]123a6321000650000053[SubjectName=]CN=Subordinate
CA-01,O=XXX,C=SE[IssuerName=]CN=Subordinate CA-01,O=XXX,C=UA[Serial#=]c23423534564564[SubjectName=]'.
The channel name is '????'. In some cases the channel name cannot be determined
and so is shown as '????'. The channel did not start.
WebSphere MQ does not allow the channel to start unless the certificate
revocation status can be determined.
ACTION:
If the certificate contains an AuthorityInfoAccess extension, ensure that the
OCSP server named in the certificate extension is available and is correctly
configured.
If the certificate contains a CrlDistributionPoint extension, ensure that the
CRL server named in the certificate extension is available and is correctly
configured.
If you have specified any CRL or OCSP servers to WebSphere MQ, check that those
servers are available and are correctly configured.
Ensure that the local key repository has the necessary SSL certificates to
verify the digital signature of the response from the OCSP server.
What if you are forced to use OCSP (site standard) and you get this error...