rickwatsonb
Posted: Wed Aug 13, 2014 7:21 am Post subject: MQ AMS MCA Interception configuration
Voyager
Joined: 15 Aug 2006 Posts: 87 Location: USA: Mid-West
Hi,
I am trying to set up MCA Interception between an MQ 7.5 server with MQ AMS (Linux) and a non-IBM JRE JMS application on Solaris using an MQ 7.1.0.2 Client (no AMS installed).
I have two-way SSL working, but after adding the MCA Interception keystore I get AMQ9008, followed by AMQ9012.
The basic details are shown below, but I am not sure where the configuration is in error, or if I missed a step. I did not include all the info for the two-way SSL setup since that is working.
08/05/14 13:59:34 - Process(10560.13) User(mqm) Program(amqrmppa)
Host(EXP) Installation(Installation1)
VRMF(7.5.0.2) QMgr(BATCH.SSL.MCAINT)
AMQ9008: Cannot acquire the certificate for the label:
ibmwebspheremqbatch_user_two_way_ssl_v1 in the keystore file
/var/mqm/.mqs/mqm_keystore. GSKit ACME GSS minor reason is 58.
EXPLANATION:
WebSphere MQ security policy interceptor was unable to read the certificate for
the given label from keystore.
ACTION:
Make sure the label is correctly set as the cms.certificate entry of the
configuration file. Check if the keystore contains the certificate for the
given label.
----- smqodida.c : 778 --------------------------------------------------------
08/05/14 13:59:34 - Process(10560.13) User(mqm) Program(amqrmppa)
Host(EXP) Installation(Installation1)
VRMF(7.5.0.2) QMgr(BATCH.SSL.MCAINT)
AMQ9012: The WebSphere MQ security policy interceptor could not acquire the
public key credential.
EXPLANATION:
The WebSphere MQ security policy interceptor could not perform a public key
infrastructure (PKI) login.
ACTION:
Check the error messages related to acquiring public key credentials to
determine the cause of the failure. Check whether user has the permission to
read the kdb and stash files and verify whether the kdb file contains a
certificate with the label specified. Finally, check whether the certificate
has not expired.
MQ Client 7.1.0.2 non-IBM JRE
.jks Keystore for TWO-WAY SSL (works):
(1) Batch certificate (-label ibmwebspheremqbatch_user_two_way_ssl_v1)
(2) MQ queue manager certificate
MQ Server 7.5.0.2 with AMS – two separate keystores
(A) TWO-WAY SSL Keystore: (/var/mqm/qmgrs/<queue manager>/ssl):
(1) MQ Queue manager certificate
(2) Batch certificate (-label ibmwebspheremqbatch_user_two_way_ssl_v1)
mqm@EXP:/var/mqm/qmgrs/BATCH1044SSL1044MCAINT/ssl> ll
total 36
-rw-r--r-- 1 mqm mqm 88 Jul 22 16:28 BATCH.SSL.MCAINT.crl
-rw-r--r-- 1 mqm mqm 10088 Jul 22 16:34 BATCH.SSL.MCAINT.kdb
-rw-r--r-- 1 mqm mqm 88 Jul 22 16:28 BATCH.SSL.MCAINT.rdb
-rw-r--r-- 1 mqm mqm 129 Jul 22 16:28 BATCH.SSL.MCAINT.sth
(B) MQ AMS MCA Interception Keystore (/var/mqm/.mqs)
(1) Batch certificate (-label ibmwebspheremqbatch_user_two_way_ssl_v1)
mqm@EXP:/var/mqm/.mqs> ll
total 24
-rw-r--r-- 1 mqm mqm 127 Aug 7 10:20 keystore.conf
-rw-r--r-- 1 mqm mqm 88 Jul 29 09:56 mqm_keystore.crl
-rw-r--r-- 1 mqm mqm 5088 Jul 29 10:05 mqm_keystore.kdb
-rw-r--r-- 1 mqm mqm 88 Jul 29 09:56 mqm_keystore.rdb
-rw-r--r-- 1 mqm mqm 129 Jul 29 09:56 mqm_keystore.sth
mqm@EXP:/var/mqm/.mqs> more keystore.conf
cms.keystore = /var/mqm/.mqs/mqm_keystore
cms.certificate.channel.BATCH.SSL.CHANNEL = ibmwebspheremqbatch_user_two_way_ssl_v1
Other steps:
- Authorize the users to connect to the queue manager and to work with the queue
o setmqaut -m BATCH.SSL.MCAINT -t qmgr -p batch_user +connect +inq;
o setmqaut -m BATCH.SSL.MCAINT -t queue -n <queue name> -p batch_user +put +get +inq;
- Allow the user to browse the system policy queue and put messages on the error queue.
o setmqaut -m BATCH.SSL.MCAINT -t queue -n SYSTEM.PROTECTION.POLICY.QUEUE -p batch_user +browse;
o setmqaut -m BATCH.SSL.MCAINT -t queue -n SYSTEM.PROTECTION.ERROR.QUEUE -p batch_user +put;
- Defining queue policy
o setmqspl -m BATCH.SSL.MCAINT -p <queue name> -s SHA1 -a "CN=batch_user_two_way_SSL_V1,O=DIT,C=USA"
- No environment variables set for MQ server
o Assumption - Expect MQ to find MQ AMS MCA interception keystore in default location of /var/mqm/.mqs
Thanks for your help.
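An added example, not part of rickwatsonb's post or of IBM MQ: a small Python lint for the AMS keystore.conf shown above. It resolves which label the interceptor would use for a given channel (the channel-specific cms.certificate.channel.<NAME> entry first, falling back to the default cms.certificate entry that the AMQ9008 action text refers to) and checks that the key database and stash files named by cms.keystore exist and are readable by the user running it, which is the first thing to confirm before looking at the certificate itself. The sample configuration and the empty key database files it writes into a temporary directory are constructed for the demo; the check that cms.keystore is given without the .kdb suffix follows the poster's own file and is an assumption about the format.

```python
"""Added example (not from the post or from IBM MQ): lint an AMS keystore.conf
used for MCA interception.  Sample config and key database files are constructed."""
import os
import tempfile

# File set a CMS key database consists of on disk (all four appear in the post's listing).
KDB_SUFFIXES = (".kdb", ".sth", ".rdb", ".crl")


def parse_keystore_conf(text):
    """Parse 'key = value' lines into a dict; blank lines and '#' comments are skipped."""
    entries = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        entries[key.strip()] = value.strip()
    return entries


def resolve_label(entries, channel):
    """Return (label, source_key) the interceptor would use for this channel.

    A channel-specific cms.certificate.channel.<NAME> entry wins over the
    default cms.certificate entry; (None, None) means no entry applies."""
    chan_key = "cms.certificate.channel." + channel
    if chan_key in entries:
        return entries[chan_key], chan_key
    if "cms.certificate" in entries:
        return entries["cms.certificate"], "cms.certificate"
    return None, None


def check_keystore_files(keystore_base):
    """For each CMS file, record whether it exists and is readable by this user."""
    return {
        suffix: {
            "exists": os.path.exists(keystore_base + suffix),
            "readable": os.access(keystore_base + suffix, os.R_OK),
        }
        for suffix in KDB_SUFFIXES
    }


def lint(conf_text, channel):
    """Run all checks; an empty list means nothing obvious is wrong."""
    entries = parse_keystore_conf(conf_text)
    findings = []
    base = entries.get("cms.keystore")
    if not base:
        return ["cms.keystore is not set"]
    if base.endswith(".kdb"):
        # Assumption, following the poster's file: the value is the path without .kdb.
        findings.append("cms.keystore should be given without the .kdb suffix")
    label, _ = resolve_label(entries, channel)
    if label is None:
        findings.append("no cms.certificate or cms.certificate.channel.%s entry" % channel)
    files = check_keystore_files(base)
    for suffix in (".kdb", ".sth"):  # the two files the interceptor must open
        if not files[suffix]["exists"]:
            findings.append("missing %s%s" % (base, suffix))
        elif not files[suffix]["readable"]:
            findings.append("cannot read %s%s" % (base, suffix))
    return findings


def build_sample(tmpdir):
    """Write empty CMS files and a keystore.conf modelled on the post (constructed)."""
    base = os.path.join(tmpdir, "mqm_keystore")
    for suffix in KDB_SUFFIXES:
        open(base + suffix, "wb").close()
    return ("cms.keystore = %s\n"
            "cms.certificate.channel.BATCH.SSL.CHANNEL = "
            "ibmwebspheremqbatch_user_two_way_ssl_v1\n" % base)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        conf = build_sample(tmp)
        print(resolve_label(parse_keystore_conf(conf), "BATCH.SSL.CHANNEL"))
        print(lint(conf, "BATCH.SSL.CHANNEL"))  # []
        print(lint(conf, "OTHER.CHANNEL"))      # label finding only
```

Run it as the user the channel process runs under (mqm here), since os.access answers for the caller; a file that is readable by root but not by mqm is exactly the case the AMQ9012 action text warns about.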
rickwatsonb
Posted: Wed Aug 13, 2014 7:36 am Post subject:
Voyager
Joined: 15 Aug 2006 Posts: 87 Location: USA: Mid-West
(The comment I posted here was removed by me. It was irrelevant...but the other posts are pertinent.)
Last edited by rickwatsonb on Wed Aug 13, 2014 12:18 pm; edited 1 time in total
rickwatsonb
Posted: Wed Aug 13, 2014 7:56 am Post subject:
Voyager
Joined: 15 Aug 2006 Posts: 87 Location: USA: Mid-West
I re-ran the line of code and got back the correct CN. Will do a re-test.
setmqspl -m BATCH.SSL.MCAINT -p <queue name> -s SHA1 -a "CN=batch_user_two_way_SSL_V1,O=DIT,C=USA"
dspmqspl -m BATCH.SSL.MCAINT
Policy Details:
Policy name: <queue name>
Quality of protection: INTEGRITY
Signature algorithm: SHA1
Encryption algorithm: NONE
Signer DNs:
CN=batch_user_two_way_SSL_V1,O=DIT,C=USA
Recipient DNs: -
Toleration: 0
Last edited by rickwatsonb on Wed Aug 13, 2014 10:31 am; edited 1 time in total
fjb_saper
Posted: Wed Aug 13, 2014 9:19 am Post subject:
Grand High Poobah
Joined: 18 Nov 2003 Posts: 20756 Location: LI,NY
You are talking a lot about cert labels, but what you are showing in your posts is part of the DN (distinguished name). Do you mean to say that for your certificates you have label = CN?
Typically the CN or common name has nothing to do with the cert label...
Just trying to get a better understanding of your setup...
MQ & Broker admin
rickwatsonb
Posted: Wed Aug 13, 2014 10:36 am Post subject:
Voyager
Joined: 15 Aug 2006 Posts: 87 Location: USA: Mid-West
The label is:
ibmwebspheremqbatch_user_two_way_ssl_v1 (all lower case)
The CN is:
batch_user_two_way_SSL_V1 (mixed case)
I need to re-test again with the batch team and get back to you. Thanks for the reply.
rickwatsonb
Posted: Wed Aug 13, 2014 11:36 am Post subject:
Voyager
Joined: 15 Aug 2006 Posts: 87 Location: USA: Mid-West
Re-tested and got the same errors: AMQ9008, followed by AMQ9012.
The suggested actions and answers are as follows:
- Make sure the label is correctly set as the cms.certificate entry of the configuration file.
mqm@EXP:/var/mqm/.mqs> more keystore.conf
cms.keystore = /var/mqm/.mqs/mqm_keystore
cms.certificate.channel.BATCH.SSL.CHANNEL = ibmwebspheremqbatch_user_two_way_ssl_v1
- Check if the keystore contains the certificate for the given label.
mqm@EXP:/var/mqm> runmqakm -cert -details -db /var/mqm/.mqs/mqm_keystore.kdb -pw passw0rd -label ibmwebspheremqbatch_user_two_way_ssl_v1
Label : ibmwebspheremqbatch_user_two_way_ssl_v1
Key Size : 1024
Version : X509 V3
Serial : 53cec9ed
Issuer : CN=batch_user_two_way_SSL_V1, ...etc
- Check the error messages related to acquiring public key credentials to determine the cause of the failure.
Not sure where else to look for this.
- Check whether user has the permission to read the kdb and stash files
mqm@EXP:/var/mqm/.mqs> ll
total 24
-rw-r--r-- 1 mqm mqm 127 Aug 7 10:20 keystore.conf
-rw-r--r-- 1 mqm mqm 88 Jul 29 09:56 mqm_keystore.crl
-rw-r--r-- 1 mqm mqm 5088 Jul 29 10:05 mqm_keystore.kdb
-rw-r--r-- 1 mqm mqm 88 Jul 29 09:56 mqm_keystore.rdb
-rw-r--r-- 1 mqm mqm 129 Jul 29 09:56 mqm_keystore.sth
- verify whether the kdb file contains a certificate with the label specified.
Same question as above (Check if the keystore contains the certificate for the given label. (It does.))
- Finally, check whether the certificate has not expired.
From runmqakm -cert -details listing:
Not Before : July 22, 2014 4:30:37 PM EDT
Not After : July 22, 2015 4:30:37 PM EDT
Are there any other places I can look and/or configurations to verify?
Thanks for your help.
fjb_saper
Posted: Wed Aug 13, 2014 12:36 pm Post subject:
Grand High Poobah
Joined: 18 Nov 2003 Posts: 20756 Location: LI,NY
Yes. Check that the DN (in its entirety) matches the policy.
MQ & Broker admin
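An added example, not from the thread or from IBM, that works through the checks in the previous two posts in Python: it parses the dspmqspl output, the runmqakm -cert -details fields and a runmqakm -cert -list personal listing, then confirms that a signer DN in the policy matches the certificate subject RDN by RDN and case-sensitively (fjb_saper's point), that the certificate is valid on a given date, and that the label appears among the personal certificates, i.e. those the keystore holds a private key for. The Subject line, the queue name and the -list output are constructed or assumed, since the post shows only a truncated Issuer line and no personal-certificate listing; the marker legend used when parsing the -list output is also an assumption about gskcapicmd's format.

```python
"""Added example (not from the thread or from IBM): cross-check an AMS policy
against the certificate the MCA interceptor is expected to sign with, using
the text printed by dspmqspl and runmqakm.  All sample text is constructed."""
from datetime import datetime

# Constructed from the dspmqspl output in the thread; queue name is assumed.
POLICY_OUTPUT = """\
Policy Details:
Policy name: BATCH.QUEUE
Quality of protection: INTEGRITY
Signature algorithm: SHA1
Encryption algorithm: NONE
Signer DNs:
CN=batch_user_two_way_SSL_V1,O=DIT,C=USA
Recipient DNs: -
Toleration: 0
"""

# Constructed: the 'runmqakm -cert -details' fields shown in the thread plus an
# assumed Subject line (the post truncates the DN with '...etc').
CERT_DETAILS = """\
Label : ibmwebspheremqbatch_user_two_way_ssl_v1
Key Size : 1024
Version : X509 V3
Serial : 53cec9ed
Issuer : CN=batch_user_two_way_SSL_V1,O=DIT,C=USA
Subject : CN=batch_user_two_way_SSL_V1,O=DIT,C=USA
Not Before : July 22, 2014 4:30:37 PM EDT
Not After : July 22, 2015 4:30:37 PM EDT
"""

# Constructed 'runmqakm -cert -list personal' style listing (marker legend
# assumed): a '-' entry is a personal certificate, i.e. one with a private key.
PERSONAL_LIST = """\
Certificates found
* default, - personal, ! trusted, # secret key
-\tibmwebspheremqbatch_user_two_way_ssl_v1
"""


def parse_dn(dn):
    """'CN=a, O=b' -> [('CN', 'a'), ('O', 'b')]; values keep their case."""
    parts = []
    for rdn in dn.split(","):
        attr, _, value = rdn.partition("=")
        parts.append((attr.strip().upper(), value.strip()))
    return parts


def parse_policy(text):
    """Return header fields plus the 'signers' and 'recipients' DN lists."""
    policy = {"signers": [], "recipients": []}
    section = None
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith("Signer DNs:"):
            section, rest = "signers", stripped[len("Signer DNs:"):].strip()
        elif stripped.startswith("Recipient DNs:"):
            section, rest = "recipients", stripped[len("Recipient DNs:"):].strip()
        elif section and "=" in stripped and ":" not in stripped:
            policy[section].append(stripped)      # a DN continuation line
            continue
        else:
            section = None
            key, _, value = stripped.partition(":")
            policy[key.strip()] = value.strip()
            continue
        if rest and rest != "-":                  # '-' means no DNs configured
            policy[section].append(rest)
    return policy


def parse_cert_details(text):
    """'Field : value' lines of runmqakm -cert -details as a dict (first ':' splits)."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def parse_gsk_date(value):
    """Parse 'July 22, 2014 4:30:37 PM EDT'; the zone name is dropped (naive datetime)."""
    return datetime.strptime(value.rsplit(" ", 1)[0], "%B %d, %Y %I:%M:%S %p")


def personal_labels(text):
    """Labels marked '-' (or '*', the default) in a runmqakm -cert -list listing."""
    labels = set()
    for line in text.splitlines():
        if line.startswith("* default"):          # skip the legend line
            continue
        if line[:1] in ("-", "*"):
            labels.add(line[1:].strip())
    return labels


def cross_check(policy_text, details_text, list_text, now):
    """Return a list of problems; an empty list means policy and certificate agree."""
    policy = parse_policy(policy_text)
    cert = parse_cert_details(details_text)
    problems = []
    subject = parse_dn(cert.get("Subject", ""))
    if not any(parse_dn(dn) == subject for dn in policy["signers"]):
        problems.append("no signer DN in the policy matches subject %r" % cert.get("Subject"))
    if not parse_gsk_date(cert["Not Before"]) <= now <= parse_gsk_date(cert["Not After"]):
        problems.append("certificate not valid on %s" % now.date())
    if cert["Label"] not in personal_labels(list_text):
        problems.append("label %s has no private key in this keystore" % cert["Label"])
    return problems


if __name__ == "__main__":
    print(cross_check(POLICY_OUTPUT, CERT_DETAILS, PERSONAL_LIST, datetime(2014, 8, 13)))
```

The third check is the one that matters for the interceptor: a certificate that was added from an extracted public certificate shows up under the trusted marker rather than as personal, and a signing policy cannot be satisfied without the private half.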
rickwatsonb
Posted: Thu Aug 21, 2014 10:36 am Post subject:
Voyager
Joined: 15 Aug 2006 Posts: 87 Location: USA: Mid-West
This has been resolved:
I needed to "export" the full key (public and private parts), and then import that into the kdb located in the /var/mqm/.mqs directory used for the MCA interception. (Just doing an "extract" will not get the private key).
Code:
Example:
Export private key and public cert (use runmqckm for jks database file)
runmqckm -cert -export -db "/var/mqm/batch_ssl_jks_keystore/batch_user_two_way_SSL_V1.jks" -pw passw0rd -label ibmwebspheremqbatch_user_two_way_ssl_v1 -type jks -target /tmp/batch_user_two_way_SSL_private_public.crt -target_pw passw0rd -target_type pkcs12
/tmp
-rw------- 1 mqm mqm 1722 Aug 18 14:19 batch_user_two_way_SSL_private_public.crt
Import private key and public cert
runmqckm -cert -import -file /tmp/batch_user_two_way_SSL_private_public.crt -pw passw0rd -type pkcs12 -target /var/mqm/.mqs/mqm_keystore.kdb -target_pw passw0rd -target_type cms -label ibmwebspheremqbatch_user_two_way_ssl_v1
Thanks for all of your time and help.
JosephGramig
Posted: Fri Aug 22, 2014 6:34 am Post subject:
Grand Master
Joined: 09 Feb 2006 Posts: 1244 Location: Gold Coast of Florida, USA
Hmmm, I have to say that distributing the private key seems like a very bad idea. The more copies of this that exist, the more points of security exposure you will have. For DataPower if you create the CSR from the DP device, you cannot get a copy of the private key off the device (except in a secure backup).
I have to think there was/is another way.
rickwatsonb
Posted: Fri Aug 22, 2014 7:30 am Post subject:
Voyager
Joined: 15 Aug 2006 Posts: 87 Location: USA: Mid-West
The solution was a result of an IBM PMR.
Maybe this idea (configuration) for MCA Interception needs further discussion amongst MQ gurus.
Thanks for your input.
mangeshp16
Posted: Fri Oct 04, 2024 5:39 am Post subject:
Newbie
Joined: 14 Sep 2024 Posts: 8
I am facing the exact same issue as you. What do you mean by "the solution was a result of an IBM PMR", and what is the RCA for the full certificate (public and private)? Also, in my case I don't need SSL/TLS to connect to the channel; the certificate is only for AMS encryption.