How to test AMS
KIT_INC
Posted: Wed Apr 30, 2014 11:12 am    Post subject: How to test AMS

Knight

Joined: 25 Aug 2006
Posts: 589

I am using AMS V7.0.2 on Linux.

I did the setup by following the "Quick Start Guide for Linux platforms" instructions. I completed the test using the users Alice and Bob. The instructions use Alice to put the message on the Q and Bob to get it back. I would like to find out if the message is actually encrypted in the test Q. So after the put by Alice, I used MQ Explorer to browse the message. But MQ Explorer shows the message in plain text. This does not seem right to me. Can someone confirm what the message on the queue should look like after the PUT to an AMS protected Q? If I use MQ Explorer to browse the message, should I see the message encrypted? I have the server interceptor and the Java interceptor enabled.
fjb_saper
Posted: Wed Apr 30, 2014 12:54 pm

Grand High Poobah

Joined: 18 Nov 2003
Posts: 20756
Location: LI,NY

Did you browse using the alias queue as described in the manual?
_________________
MQ & Broker admin
KIT_INC
Posted: Thu May 01, 2014 8:52 pm

Knight

Joined: 25 Aug 2006
Posts: 589

Sorry, I was not doing it right. The Explorer was actually using an ID that has the policy to retrieve messages.

I tried to do it directly on the server using amqsbcg to browse the message. I was getting a 2063 security error.

The info center says:
"To verify that the encryption is occurring as expected, browse TEST.Q as a user authorized to browse (with setmqaut) but unauthorized to decrypt (with setmqspl) in WebSphere MQ Explorer. If a message you try to access is encrypted, an error appears with an entry in the error log 'MQ Advanced Message Security internal error'."

What does "but unauthorized to decrypt (with setmqspl)" actually mean?
Any user without an AMS keystore will be unauthorized to decrypt. Am I right?

But I am getting a 2035 error running amqsgbr with a user which belongs to the mqm group but has no AMS keystores.
fjb_saper
Posted: Fri May 02, 2014 4:38 am

Grand High Poobah

Joined: 18 Nov 2003
Posts: 20756
Location: LI,NY

The manual says clearly that to browse / access the message content of a message on an AMS governed queue, you create an alias queue pointing to the same base queue. As the alias queue has no AMS policy attached to it, you should be able to see the encrypted content.
_________________
MQ & Broker admin
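
The alias-queue check described in the reply above, as an added example that is not part of the thread. TEST.ALIAS and the QMGR_PLACEHOLDER queue manager name are assumed; the classifier assumes amqsbcg's usual hex dump layout and that an AMS-protected body begins with the "PDMQ" eye-catcher.

```shell
#!/bin/sh
# Added example, not from the thread. TEST.ALIAS and QMGR_PLACEHOLDER are
# assumed names; TEST.Q is the protected queue named in the quoted manual text.
QMGR="${QMGR:-QMGR_PLACEHOLDER}"

# Define an alias over the protected queue. No AMS policy is set on the alias,
# so a browse through it returns the stored bytes without AMS processing.
define_alias() {
    echo "DEFINE QALIAS(TEST.ALIAS) TARGET(TEST.Q)" | runmqsc "$QMGR"
}

# Browse through the alias with the amqsbcg sample program
# (run as a user holding browse authority on the alias).
browse_alias() {
    amqsbcg TEST.ALIAS "$QMGR"
}

# Read an amqsbcg dump on stdin and classify every message by the first four
# bytes of its body: 50 44 4D 51 is ASCII "PDMQ" (assumed AMS header marker).
classify_dump() {
    awk '
        /^ *00000000:/ {
            hex = toupper($2 $3)
            if (hex == "50444D51") prot++; else plain++
        }
        END { printf "protected=%d plain=%d\n", prot, plain }
    '
}

# Succeeds only when at least one message was dumped and none was plaintext.
all_protected() {
    result=$(classify_dump)
    case "$result" in
        protected=0\ *) return 1 ;;   # nothing protected (or empty dump)
        *plain=0)       return 0 ;;   # every dumped message carries PDMQ
        *)              return 1 ;;   # at least one plaintext message
    esac
}

# Typical use on the MQ server:
#   define_alias && browse_alias | all_protected && echo "TEST.Q holds only protected messages"
```

A plaintext result here means the put did not go through an AMS interceptor or no policy applies to the queue the application actually opened.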