DJudd
Posted: Mon Aug 22, 2005 7:39 am Post subject: AMQ9660 - SSL key problem
Novice
Joined: 22 Jul 2005 Posts: 17 Location: Florida
I have added the required certs to my keystore on HP Unix. My key.* files are in the default location of /var/mqm/qmgrs/queue/ssl/key. The channel works on non-ssl but not on ssl. I am connecting to a Z/OS machine. I also have the SSLKEYR attribute set for the queue manager and the SSLCIPH set on the sender and receiver channels. The error I am getting is below:
AMQ9660: SSL key repository: password stash file absent or unusable.
EXPLANATION:
The SSL key repository cannot be used because MQ cannot obtain a password to
access it. Reasons giving rise to this error include:
(a) the key database file and password stash file are not present in the
location configured for the key repository,
(b) the key database file exists in the correct place but that no password
stash file has been created for it,
(c) the files are present in the correct place but the userid under which MQ is
running does not have permission to read them,
(d) one or both of the files are corrupt.
The channel is 'QM1.QM2'; in some cases its name cannot be determined
and so is shown as '????'. The channel did not start.
ACTION:
Ensure that the key repository variable is set to where the key database file
is. Ensure that a password stash file has been associated with the key database
file in the same directory, and that the userid under which MQ is running has
read access to both files. If both are already present and readable in the
correct place, delete and recreate them. Restart the channel.
Any help would be greatly appreciated.
wschutz
Posted: Mon Aug 22, 2005 8:52 am
Jedi Knight
Joined: 02 Jun 2005 Posts: 3316 Location: IBM (retired)
So, when you created the key database, did you check the "Stash the Password" checkbox... do you have a key.sth file in that directory?
_________________
-wayne
DJudd
Posted: Mon Aug 22, 2005 8:57 am
Novice
Joined: 22 Jul 2005 Posts: 17 Location: Florida
Yes, I stashed the password with the gsk6ikm tool. I have done it again, just to verify the key.sth gets updated, and it does. I also have done the gsk6cmd -cert -list -db /pathname/key.kdb without the -pw and password. I get prompted to enter the password before the list prompts in return.
jefflowrey
Posted: Mon Aug 22, 2005 9:02 am
Grand Poobah
Joined: 16 Oct 2002 Posts: 19981
Did you check
Quote:
(c) the files are present in the correct place but the userid under which MQ is
running does not have permission to read them,
_________________
I am *not* the model of the modern major general.
wschutz
Posted: Mon Aug 22, 2005 9:05 am
Jedi Knight
Joined: 02 Jun 2005 Posts: 3316 Location: IBM (retired)
What about:
Quote:
(c) the files are present in the correct place but the userid under which MQ is
running does not have permission to read them,
... does mqm have read perm to that file?
_________________
-wayne
DJudd
Posted: Mon Aug 22, 2005 9:10 am
Novice
Joined: 22 Jul 2005 Posts: 17 Location: Florida
The files have 544 permission. They are all owned by mqm and have the group of mqm. I am logged on as the MQM userid and I am in group mqm as my primary group. I can do all of the gsk6cmd and ikm commands. Could I still have a permission problem and be able to do that?
DJudd
Posted: Mon Aug 22, 2005 9:11 am
Novice
Joined: 22 Jul 2005 Posts: 17 Location: Florida
Sorry, the permissions are 644, not 544.
wschutz
Posted: Mon Aug 22, 2005 9:25 am
Jedi Knight
Joined: 02 Jun 2005 Posts: 3316 Location: IBM (retired)
Sounds like security is okay then; what exactly do you get from:
Code:
echo dis qmgr sslkeyr | runmqsc queue
_________________
-wayne
DJudd
Posted: Mon Aug 22, 2005 9:31 am
Novice
Joined: 22 Jul 2005 Posts: 17 Location: Florida
$ echo dis qmgr sslkeyr | runmqsc QMJ720BT1
5724-B41 (C) Copyright IBM Corp. 1994, 2002. ALL RIGHTS RESERVED.
Starting MQSC for queue manager QMJ720BT1.
1 : dis qmgr sslkeyr
AMQ8408: Display Queue Manager details.
SSLKEYR(/var/mqm/qmgrs/QMJ720BT1/ssl/key)
QMNAME(QMJ720BT1)
One MQSC command read.
No commands have a syntax error.
All valid MQSC commands were processed.
Thanks
tjfunny1
Posted: Mon Aug 22, 2005 9:38 am Post subject: Re: AMQ9660 - SSL key problem
Apprentice
Joined: 17 Jun 2002 Posts: 35 Location: Atlanta
DJudd wrote:
I have added the required certs to my keystore on HP Unix. My key.* files are in the default location of /var/mqm/qmgrs/queue/ssl/key. The channel works on non-ssl but not on ssl. I am connecting to a Z/OS machine. I also have the SSLKEYR attribute set for the queue manager and the SSLCIPH set on the sender and receiver channels. The error I am getting is below:
I would recommend you check with the mainframe security & verify the ACID userid associated with the CHIN has rights to access the keystore on the mainframe.
Unless Z/OS security has done their actions correctly, the settings on the Z/OS qmgr will not work. Also, check the CHIN sysout for any errors during startup (SSLTASKS failed).
_________________
TJ
IBM Certified System Administrator Websphere MQ v5.3
wschutz
Posted: Mon Aug 22, 2005 9:41 am
Jedi Knight
Joined: 02 Jun 2005 Posts: 3316 Location: IBM (retired)
Quote:
My key.* files are in the default location of /var/mqm/qmgrs/queue/ssl/key
but ....
Quote:
SSLKEYR(/var/mqm/qmgrs/QMJ720BT1/ssl/key)
_________________
-wayne
DJudd
Posted: Mon Aug 22, 2005 9:56 am
Novice
Joined: 22 Jul 2005 Posts: 17 Location: Florida
In my quote I did not put the "actual" queue name of QMJ720BT1.
tjfunny1
Posted: Mon Aug 22, 2005 11:41 am Post subject: Re: AMQ9660 - SSL key problem
Apprentice
Joined: 17 Jun 2002 Posts: 35 Location: Atlanta
DJudd wrote:
I have added the required certs to my keystore on HP Unix. My key.* files are in the default location of /var/mqm/qmgrs/queue/ssl/key.
You mentioned key.* files, but technically there is only one key.sto file per qmgr, and it must be in a different location than other qmgrs. Normally, it is located under <QmgrName> = your local qmgr:
/var/mqm/qmgrs/<QmgrName>/ssl
The key.sto file is a binary file, and must be admin'ed by amqmcert or the MQExplorer interface. The key.sto must contain the certificates of the CAs that signed both the sender & receiver qmgr's certificates (if they are different CAs).
If you set up the receiver channel to 'Authenticate', then the public key of the sender qmgr must reside in the receiver qmgr keystore, and vice versa (receiver qmgr public cert in the sender keystore).
The only item that could change this setup is if you are using Java clients; they take a different setup from the client side (the qmgr side is the same).
Hope this helps
_________________
TJ
IBM Certified System Administrator Websphere MQ v5.3
DJudd
Posted: Mon Aug 22, 2005 12:21 pm
Novice
Joined: 22 Jul 2005 Posts: 17 Location: Florida
I do not have a key.sto anywhere from root level down. I am using DISA CAs. I am not using self-signed certificates. The key files I have are:
key.kdb
key.sth
key.crl
key.rdb
Thanks,
Denise
anuprz1
Posted: Thu Aug 25, 2005 10:53 pm
Newbie
Joined: 23 Sep 2004 Posts: 7 Location: Poland
DJudd wrote:
I do not have a key.sto anywhere from root level down. I am using DISA CAs. I am not using self-signed certificates. The key files I have are:
key.kdb
key.sth
key.crl
key.rdb
Thanks,
Denise
key.sth is ok.
key.sto is, I think, on Windows? But I'm not 100% sure.
I had the same problem yesterday, and did:
Code:
gsk7cmd_64 -keydb -stashpw -db key.kdb -pw some_password
and then it worked.
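A pre-flight check for the four AMQ9660 causes listed in the first post, written as an added example for this thread and not by any poster. It takes the SSLKEYR stem that "dis qmgr sslkeyr" returns (the thread's /var/mqm/qmgrs/QMJ720BT1/ssl/key) and tests, in the order the message gives them, that key.kdb and key.sth exist, that the invoking user can read both, and that neither is zero-length; the function name and the numeric return codes are this example's own choice.

```shell
#!/bin/sh
# Added example, not from the forum thread: walk the AMQ9660 causes (a)-(d)
# against an SSLKEYR stem (the path shown by "dis qmgr sslkeyr", no extension).
# Run it as the mqm user so the readability test matches what the queue
# manager itself sees. Prints the first matching cause and returns 1-4,
# or prints "ok" and returns 0.
check_keyrepo() {
    stem="$1"                       # e.g. /var/mqm/qmgrs/QMJ720BT1/ssl/key
    kdb="$stem.kdb"
    sth="$stem.sth"
    who=$(id -un)

    # (a) SSLKEYR does not point at an existing key database
    if [ ! -e "$kdb" ]; then
        echo "(a) $kdb not found: SSLKEYR does not point at the key database" >&2
        return 1
    fi
    # (b) key database present, but the password was never stashed beside it
    if [ ! -e "$sth" ]; then
        echo "(b) $kdb found but no stash file $sth: stash the password again" >&2
        return 2
    fi
    # (c) both files present, but this user cannot read one of them
    if [ ! -r "$kdb" ] || [ ! -r "$sth" ]; then
        echo "(c) $who cannot read both $kdb and $sth: check owner/group/mode" >&2
        return 3
    fi
    # (d) a zero-length file cannot be a usable database or stash
    if [ ! -s "$kdb" ] || [ ! -s "$sth" ]; then
        echo "(d) $kdb or $sth is empty: repository unusable, recreate it" >&2
        return 4
    fi
    echo "ok: $kdb and $sth present, non-empty and readable by $who"
    return 0
}

# Stand-alone use: sh check_keyrepo.sh /var/mqm/qmgrs/QMJ720BT1/ssl/key
if [ $# -gt 0 ]; then
    check_keyrepo "$1"
fi
```

A clean result here only rules out the local repository; the z/OS side raised later in the thread still has to be checked separately.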