Zanderism (Newbie, Joined: 24 Jan 2016, Posts: 5)
Posted: Sun Jan 24, 2016 6:34 pm
Post subject: MQ AMS - Error 2063 Security exit rejected connection
Hello All,
I am having trouble implementing MQ AMS.
My environment is Windows with MQ 7.5.
I have successfully implemented TLS channel connections using CMS key stores on the MQ server and an application server.
I want to use the same certificates for AMS.
I have set authorities for my local user account to put messages to one queue and can successfully put messages to that queue using RFHUtilc.exe (with TLS enabled).
If I create a security policy for signing only, I can still put messages on this queue. However, if I enable encryption I am unable to put messages on the queue.
There are no errors in the queue manager's error log when I try to put the message on the queue, only a message displayed in RFHUtil (2063 Security exit rejected connection).
Would anyone have an idea of what I could try or where I could look for a resolution to this?
fjb_saper (Grand High Poobah, Joined: 18 Nov 2003, Posts: 20756, Location: LI,NY)
Posted: Sun Jan 24, 2016 10:51 pm
Post subject: Re: MQ AMS - Error 2063 Security exit rejected connection
Zanderism wrote:
    Hello All,
    I am having trouble implementing MQ AMS.
    My environment is Windows with MQ 7.5.
    I have successfully implemented TLS channel connections using CMS key stores on the MQ server and an application server.
    I want to use the same certificates for AMS.
    I have set authorities for my local user account to put messages to one queue and can successfully put messages to that queue using RFHUtilc.exe (with TLS enabled).
    If I create a security policy for signing only, I can still put messages on this queue. However, if I enable encryption I am unable to put messages on the queue.
    There are no errors in the queue manager's error log when I try to put the message on the queue, only a message displayed in RFHUtil (2063 Security exit rejected connection).
    Would anyone have an idea of what I could try or where I could look for a resolution to this?
Could be due to the client cert. AMS is a little bit more restrictive as to what content it allows in the DN than standard MQ...
Zanderism (Newbie, Joined: 24 Jan 2016, Posts: 5)
Posted: Tue Jan 26, 2016 3:46 pm
Post subject: Re: MQ AMS - Error 2063 Security exit rejected connection
fjb_saper wrote:
    Could be due to the client cert. AMS is a little bit more restrictive as to what content it allows in the DN than standard MQ...
Thank you! You were right!
The DN of the certificate I had created contained an "S" instead of "ST". The certificate was created correctly, but when making an AMS policy I used the DN with "S=blah". Changing that to "ST=blah" made the DN valid and fixed the issue.
Greatly appreciate your response.
subani01491 (Novice, Joined: 19 Mar 2014, Posts: 12)
Posted: Sun Jan 31, 2016 3:10 pm
I am having a similar issue with IBM MQ AMS Version 8.0.0.4 on RHEL 7: I am seeing MQRC 2063 and no error in the MQ error log. I am using a Symantec-issued SHA2 certificate. I have the required root and intermediate certs trusted in the key.kdb store, along with the other server's (personal) certificate.
In the security policy I am using SHA256 signing and AES 256. I double-checked the DN and all the info looks valid.
Am I missing anything? Any guidance? I appreciate your help.
Thank you.
Zanderism (Newbie, Joined: 24 Jan 2016, Posts: 5)
Posted: Sun Jan 31, 2016 4:48 pm
Hi,
Is your keystore.conf file populated correctly? And have you referenced it either with an environment variable or by placing it in the userhome\.mqs directory?
subani01491 (Novice, Joined: 19 Mar 2014, Posts: 12)
Posted: Sun Jan 31, 2016 7:38 pm
Yes, I have keystore.conf set up and placed in the "$HOME/.mqs/" directory:
    cms.keystore = /home/mqm/.mqs/iibuser
    cms.certificate = iib02id0
Thank you.
Zanderism (Newbie, Joined: 24 Jan 2016, Posts: 5)
Posted: Sun Jan 31, 2016 7:47 pm
I believe the certificate label needs to be prefixed with ibmwebspheremq<username>, where <username> is the name of the user running the service.
However, I'm not sure if that is still required with version 8.
Vitor (Grand High Poobah, Joined: 11 Nov 2005, Posts: 26093, Location: Texas, USA)
Posted: Mon Feb 01, 2016 5:46 am
Zanderism wrote:
    I believe the certificate label needs to be prefixed with ibmwebspheremq<username>, where <username> is the name of the user running the service.
    However, I'm not sure if that is still required with version 8.
It's still the default position in v8; the difference in v8 is that it's now not the only option....
fjb_saper (Grand High Poobah, Joined: 18 Nov 2003, Posts: 20756, Location: LI,NY)
Posted: Mon Feb 01, 2016 5:50 am
Can you show the DN of the certs in question?
subani01491 (Novice, Joined: 19 Mar 2014, Posts: 12)
Posted: Mon Feb 01, 2016 11:28 am
I have the DN below for my Symantec cert: "CN=iib02id01.ad.mycompany.com,OU=For Intranet Use Only,OU=MC,O=My Company,L=Tampa,ST=Florida,C=US"
My personal cert (iib02id01.ad.mycompany.com) chains up to the Symantec Intermediate G4 cert (Issuer: CN=Symantec Class 3 Secure Server CA - G4,OU=Symantec Trust Network,O=Symantec Corporation,C=US)
and G4 chains up to the root G5 (Issuer: CN=VeriSign Class 3 Public Primary Certification Authority - G5,OU=(c) 2006 VeriSign\, Inc. - For authorized use only,OU=VeriSign Trust Network,O=VeriSign\, Inc.,C=US).
I have the MQ security policy below defined for the 'TEST.AMS' queue.
Policy Details:
    Policy name: TEST.AMS
    Quality of protection: PRIVACY
    Signature algorithm: SHA2
    Encryption algorithm: AES256
    Signer DNs:
        CN=iib01id01.ad.mycompany.com,OU=For Intranet Use Only,OU=MC,O=My Company,L=Tampa,ST=Florida,C=US
    Recipient DNs:
        CN=iib02id01.ad.mycompany.com,OU=For Intranet Use Only,OU=MC,O=My Company,L=Tampa,ST=Florida,C=US
    Toleration: 0
The keystore.conf is (this is the new, updated one since last time; I recreated the kdb):
    cms.keystore = /home/iibuser/.mqs/iib
    cms.certificate = ibmwebspheremqiibuser
This is the error I am getting when I try to do amqsput to the queue. I don't see any error in the MQ logs.
Sample AMQSPUT0 start
target queue is TEST.AMS
MQOPEN ended with reason code 2063
unable to open queue for output
Sample AMQSPUT0 end
Thank you for your response.
Zanderism (Newbie, Joined: 24 Jan 2016, Posts: 5)
Posted: Mon Feb 01, 2016 3:00 pm
When sending the message you would be signing with your personal cert and encrypting with the public key of the recipient. It looks like the configuration you have is CN=iib01id01.ad... for your signer and CN=iib02id01.ad... as the recipient.
Are you able to try it with your personal cert as the signer?
subani01491 (Novice, Joined: 19 Mar 2014, Posts: 12)
Posted: Mon Feb 01, 2016 4:14 pm
I have two users trusting each other's certificate (mutual authentication). I am trying to set up the iib01id01.ad personal cert to do the sending (sign and encrypt), and the iib02.ad cert is used at the receiving end.
(It is the same as the 'alice' and 'bob' setup in the IBM Red Book.)
fjb_saper (Grand High Poobah, Joined: 18 Nov 2003, Posts: 20756, Location: LI,NY)
Posted: Tue Feb 02, 2016 5:54 am
Make sure you follow this correctly...
From Alice to Bob: Alice's cert is used to sign, Bob's cert is used to encrypt.
From Bob to Alice: Bob's cert is used to sign, Alice's cert is used to encrypt...
Or in more generic terms:
The sender's cert is used to sign, the receiver's cert(s) are used to encrypt...
Hope that clarifies it some...
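The two pitfalls this thread walks through are a DN attribute type AMS does not accept ("S=" where "ST=" was meant) and a sender whose cert is not in the policy's signer list while the receiver's cert must be in the recipient list. The following is an added example, not from the thread or from IBM MQ: it parses the policy-style DNs quoted above (including the escaped commas in the VeriSign issuer), flags unsupported attribute types, and checks a sender/receiver pair against the TEST.AMS policy. The accepted-type set, the alias map and the "empty signer list accepts any signer" rule are assumptions for illustration.

```python
import re

# Assumption: attribute types this checker accepts in an AMS policy DN.
# Not IBM's authoritative list; adjust it to the MQ version you run.
ACCEPTED_TYPES = {"CN", "T", "OU", "O", "L", "ST", "C", "DC", "UID"}
# The misspelling from the first posts, mapped to the key AMS accepts.
KNOWN_ALIASES = {"S": "ST"}

def parse_dn(dn):
    """Split an RFC 2253-style DN into (TYPE, value) pairs.
    A comma escaped as '\\,' (as in 'O=VeriSign\\, Inc.') stays in the value."""
    rdns = []
    for part in re.split(r"(?<!\\),", dn):
        key, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"malformed RDN: {part!r}")
        rdns.append((key.strip().upper(), value.strip().replace("\\,", ",")))
    return rdns

def check_dn(dn):
    """Return a list of problems; an empty list means every type is accepted."""
    problems = []
    for key, _ in parse_dn(dn):
        if key not in ACCEPTED_TYPES:
            hint = f" (did you mean {KNOWN_ALIASES[key]}=?)" if key in KNOWN_ALIASES else ""
            problems.append(f"unsupported attribute type {key}{hint}")
    return problems

def policy_allows(policy, sender_dn, receiver_dn):
    """The sender signs with its own cert, so it must be a listed signer; the
    receiver's cert is the one the message is encrypted to, so it must be a
    listed recipient. Assumed here: an empty signer list accepts any signer."""
    signers = [parse_dn(d) for d in policy["signers"]]
    recipients = [parse_dn(d) for d in policy["recipients"]]
    sender_ok = not signers or parse_dn(sender_dn) in signers
    return sender_ok and parse_dn(receiver_dn) in recipients

# Constructed from the policy and certificate DNs quoted in the thread.
ALICE = "CN=iib01id01.ad.mycompany.com,OU=For Intranet Use Only,OU=MC,O=My Company,L=Tampa,ST=Florida,C=US"
BOB = "CN=iib02id01.ad.mycompany.com,OU=For Intranet Use Only,OU=MC,O=My Company,L=Tampa,ST=Florida,C=US"
TEST_AMS_POLICY = {"name": "TEST.AMS", "qop": "PRIVACY", "signers": [ALICE], "recipients": [BOB]}
BAD_DN = "CN=app01,O=My Company,S=Florida,C=US"  # constructed: the 'S=' mistake

if __name__ == "__main__":
    print(check_dn(BAD_DN))                            # flags S= and suggests ST=
    print(policy_allows(TEST_AMS_POLICY, ALICE, BOB))  # True: Alice signs, Bob decrypts
    print(policy_allows(TEST_AMS_POLICY, BOB, ALICE))  # False: Bob is not a listed signer
```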
subani01491 (Novice, Joined: 19 Mar 2014, Posts: 12)
Posted: Wed Feb 03, 2016 3:00 pm
I was able to fix the issue. The personal certificate/key pair in my kdb was imported from PFX/PKCS12. Though the KDB was listing my personal cert and CA certs, it looks like MQ does not like the PKCS12-to-CMS export.
Once I generated the CSR from the MQ server (hence the private key originated on the MQ server) and imported the cert, it took the kdb and did not give any security error. It worked as expected.
I will talk to IBM about the PKCS-to-CMS export compatibility issue. Please feel free to share if you have encountered this kind of situation.
Thank you everyone for your responses.
fjb_saper (Grand High Poobah, Joined: 18 Nov 2003, Posts: 20756, Location: LI,NY)
Posted: Thu Feb 04, 2016 5:51 am
Just to make sure this has to do with the export/import and not the certs themselves, have you tried the following?
Use a working CMS keydb (AMS).
Export to PKCS12.
Import back into a CMS keydb and use it with AMS. Is the new kdb still working with AMS?