All Apps and Add-ons

JMS Messaging Modular Input: Is TLS the cause of this MQ read stability issue?

jgbricker
Contributor

We are able to retrieve messages from IBM MQ into Splunk, but it closes unexpectedly and the Modular input gets disabled. It appears to be related to the SECURE_TRANSPORT= "tls" setting in jms.py. The MQ admin says it isn't set up for TLS. Can this be turned off? If not how do we get this working? I'm not familiar with this configuration.

I hoping for someone to help me debug this issue. We were previously able to do this back in February. After working through the message formatting we are now trying to reconnect and are having problems.
We are getting the following error on the Splunk heavy forwarder:

06-29-2016 16:41:36.627 -0400 ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/jms_ta/bin/jms.py" [Fatal Error] :1:1: Premature end of file.
06-29-2016 16:41:36.630 -0400 ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/jms_ta/bin/jms.py" Can't connect to Splunk REST API with the token [Splunk                              ], either the token is invalid or SplunkD has exite                             d : HTTP 401 -- 
06-29-2016 16:41:36.630 -0400 ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/jms_ta/bin/jms.py" 
06-29-2016 16:41:36.630 -0400 ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/jms_ta/bin/jms.py"   
06-29-2016 16:41:36.630 -0400 ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/jms_ta/bin/jms.py"     call not properly authenticated
06-29-2016 16:41:36.630 -0400 ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/jms_ta/bin/jms.py"   
06-29-2016 16:41:36.630 -0400 ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/jms_ta/bin/jms.py" 
06-29-2016 16:41:46.633 -0400 ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/jms_ta/bin/jms.py" It has been determined via the REST API that all inputs                              have been disabled
06-29-2016 16:41:46.953 -0400 WARN  TcpOutputProc - Pipeline data does not have indexKey. [_path] = /opt/splunk/etc/apps/jms_ta/bin/jms.py\n[_raw] = \n[_meta] = punct::                             \n[_stmid] = 4veQIBnYxYI5na\n[MetaData:Source] = source::jms\n[MetaData:Host] = host::\n[MetaData:Sourcetype] = sourcetype::jms\n[_done] = _done\n[_linebr                             eaker] = _linebreaker\n[_conf] = source::jms|host::|jms|\n
06-29-2016 16:41:58.752 -0400 INFO  KeyManagerLocalhost - Checking for localhost key pair
06-29-2016 16:41:58.752 -0400 INFO  KeyManagerLocalhost - Public key already exists: /opt/splunk/etc/auth/distServerKeys/trusted.pem
06-29-2016 16:41:58.752 -0400 INFO  KeyManagerLocalhost - Reading public key for localhost: /opt/splunk/etc/auth/distServerKeys/trusted.pem
06-29-2016 16:41:58.752 -0400 INFO  KeyManagerLocalhost - Finished reading public key for localhost: /opt/splunk/etc/auth/distServerKeys/trusted.pem
06-29-2016 16:41:58.752 -0400 INFO  KeyManagerLocalhost - Reading private key for localhost: /opt/splunk/etc/auth/distServerKeys/private.pem
06-29-2016 16:41:58.752 -0400 INFO  KeyManagerLocalhost - Finished reading private key for localhost: /opt/splunk/etc/auth/distServerKeys/private.pem

MQ Server Application Log

6/29/2016 15:00:58 - Process(2740.49758) User() Program(amqrmppa.exe) Host() Installation(Primary) VRMF(8.0.0.2) QMgr()

Connection to host ' ()' for channel 'SPLUNKREADER.SVR1' closed.  

An error occurred receiving data from ' ()' over TCP/IP.  The connection to the remote host has unexpectedly terminated. &P The channel name is 'SPLUNKREADER.SVR1'; in some cases it cannot be determined and so is shown as '????'.  

Tell the systems administrator.

jms.py is set to:

JAVA_MAIN_CLASS = 'com.splunk.modinput.jms.JMSModularInput'
MODINPUT_NAME = 'jms'
SECURE_TRANSPORT = "tls"
#SECURE_TRANSPORT = "ssl"
LOGGING_LEVEL="ERROR"
0 Karma
1 Solution

jgbricker
Contributor

After posting this I found that I had not set my $SPLUNK_HOME/etc/system/local/server.conf [license] stanza to contain the master_uri=https_url

splunkd.log: LMTracker - license expired, revoking all session keys

Fixed this and restarted splunk.

View solution in original post

0 Karma

jgbricker
Contributor

After posting this I found that I had not set my $SPLUNK_HOME/etc/system/local/server.conf [license] stanza to contain the master_uri=https_url

splunkd.log: LMTracker - license expired, revoking all session keys

Fixed this and restarted splunk.

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...