leehairy | Posted: Tue Sep 12, 2006 4:10 am | Post subject: amqmcert -a AMQ9680
Novice | Joined: 04 Aug 2006 | Posts: 13
MQSeries 5.3 Client for Windows, CSD012 applied.
When I attempt to run amqmcert for a specific user account I get errors.
Code:
amqmcert -a -p MyCert.p12 -z MyPassord
I am receiving error AMQ9680.
Can anyone shed some light as to what Windows error code 2 is? I think it is related to account permissions, as I can successfully add this certificate to the store as the currently logged-in user; however, using a user account that does not have the 'allow interactive logon' right set, I get error AMQ9680.
In a nutshell - this works...
a) Log in as 'userX' (which is a member of the 'mqm' group)
b) run 'amqmcert -a -p MyCert.p12 -z MyPassord' - success
this fails...
c) Log in as 'userX'
d) open a command window and run 'runas /user:mquser cmd' (mquser is a member of the mqm group)
e) run 'amqmcert -a -p MyCert.p12 -z MyPassord' - fails with error AMQ9680
Further info
'mquser' is a member of the administrator group
'mquser' has full access permissions to the certificate store (!default.sto)
'mquser' exists as a user on the MQ server
MQCHLLIB=C:\program files\ibm\websphere MQ\
MQCHLTAB=AMQCLCHL.TAB
MQSSLKEYR=C:\program files\ibm\websphere MQ\!Default
Code:
5724-B41 (C) Copyright IBM Corp. 1994, 2002. ALL RIGHTS RESERVED.
Using CURRENT_USER for default system stores.
AMQ9680 A problem was encountered with the specified certificate file.
A problem occurred when attempting to read the certificate from the file 'mq.p12'. The file may be corrupt or incorrectly formatted. The Windows error code reported is 2. The WebSphere MQ error recording routine has been called.
Ensure that the certificate file is valid and complete, and in one of the file formats supported by WebSphere MQ. If the problem cannot be resolved then use the standard facilities supplied with your system to record the problem identifier and save the generated output files, and then contact your IBM support center. Do not discard these files until the problem has been resolved.
MQALearner | Posted: Tue Sep 12, 2006 6:42 am | Post subject: Try this
Newbie | Joined: 10 Jun 2006 | Posts: 9
You can try installing through Internet Explorer first and then
try to use the command interface:
amqmcert -a -p MyCert.p12 -z MyPassord
Please do let us know the result, so that we can explore a different way if there is any problem.
leehairy | Posted: Tue Sep 12, 2006 8:07 am
Quote:
You can try installing through Internet Explorer first and then
try to use the command interface
I am not familiar with installing through Internet Explorer. Can you elaborate?
Thanks
Steve
leehairy | Posted: Tue Sep 12, 2006 9:39 am
Some further information.
Installing the certificate using the Windows certificate MMC console as a user with a profile works successfully.
Installing the certificate using runas /user:mquser, then invoking mmc and loading up the certificate MMC console, gives me the error 'The private key that you are importing might require a cryptographic service provider that is not installed on your system'.
I have added the appropriate permissions to the
Code:
D:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys
directory.
leehairy | Posted: Tue Sep 12, 2006 10:38 am
Success! Thank goodness for WinDbg.
A quick debugging session shows that 'amqmcert' fails during the Win32 CryptAcquireContext() call, with error code 0x02L. This was what the Windows error code related to... argh. Would have been nice to have known the failing call and the exit code!
Code:
ERROR_FILE_NOT_FOUND ( 2L ) The profile of the user is not loaded and cannot be found. This happens when the application impersonates a user, for example, the IUSR_ComputerName account.
So it seems I need a full user profile with a key store. I can create this by logging off and logging on with the mquser account. However, I do not want to allow the 'mquser' account to be able to log on locally (this is a service account).
To overcome this I can use the /netonly parameter with runas. Invoking
Code:
runas /netonly /user:mquser cmd
works nicely.
If anyone can shed some light on the workings of the /netonly parameter I would be much obliged.
CryptAcquireContext can be found at http://msdn.microsoft.com/library/default.asp?url=/library/en-us/seccrypto/security/cryptacquirecontext.asp
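The diagnosis above rests on two Windows facts the thread does not spell out: a CURRENT_USER CSP key container lives inside the account's user profile, so CryptAcquireContext cannot find it unless that profile exists and is loaded in the calling process's token; and runas /netonly never switches the local identity of the new process, it only substitutes the supplied credentials for outbound network authentication. The script below is an added example written for this page, not code from the original poster or from IBM. It checks, for an assumed local account named 'mquser', whether a profile exists on disk, whether its registry hive is currently loaded, and whether the per-user RSA container directory (XP/2003 profile layout assumed) has ever been created.

```powershell
# Added example (not from the original thread). Reports why CryptAcquireContext
# returns ERROR_FILE_NOT_FOUND (2) for an account: the CURRENT_USER key container
# is stored in the user's profile, so the profile must exist and be loaded.
# Assumed account name: 'mquser'. Paths follow the Windows XP/2003 layout.
param([string]$Account = 'mquser')

function Get-ProfileState([string]$Name) {
    $sid = (New-Object Security.Principal.NTAccount($Name)).Translate(
               [Security.Principal.SecurityIdentifier]).Value

    # ProfileList is written when the account's profile is first created.
    $listKey = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\$sid"
    $onDisk  = Test-Path $listKey
    $path    = if ($onDisk) { (Get-ItemProperty $listKey).ProfileImagePath } else { $null }

    # Per-user CSP (RSA) key containers are created on first use inside the profile.
    $rsaDir  = if ($path) { Join-Path $path "Application Data\Microsoft\Crypto\RSA\$sid" } else { $null }

    New-Object PSObject -Property @{
        Account            = $Name
        Sid                = $sid
        ProfileOnDisk      = $onDisk
        ProfilePath        = $path
        # HKCU for that SID is mounted under HKEY_USERS only while the profile is loaded.
        HiveLoaded         = Test-Path "Registry::HKEY_USERS\$sid"
        RsaContainerDir    = $rsaDir
        RsaContainerExists = [bool]($rsaDir -and (Test-Path $rsaDir))
    }
}

$state = Get-ProfileState $Account
$state | Format-List

if (-not $state.ProfileOnDisk) {
    Write-Warning ("No profile exists for {0}: any process running with a token for this " +
                   "account but without a loaded profile (impersonation, runas /noprofile, " +
                   "a service started before the profile is created) will get error 2 from " +
                   "CryptAcquireContext for CURRENT_USER key containers.") -f $Account
}

# Contrast with runas /netonly: the local token stays the caller's, the supplied
# credentials are used only for network authentication. Running
#     runas /netonly /user:mquser "cmd /c whoami & pause"
# prints the calling user (userX in the thread), so a certificate imported from
# that window lands in userX's CURRENT_USER store, not mquser's.
```

The /netonly contrast explains why the import "worked" in that window and why a service that genuinely runs as mquser still cannot see the certificate: the two processes have different local identities and therefore different CURRENT_USER stores.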
leehairy | Posted: Tue Sep 12, 2006 11:07 am
Oh dear, I was too keen to shout success.
Using runas from the command line I can now install the certificates successfully and can send test messages successfully using amqsputc.
Unfortunately, as soon as I start my Windows service using my 'mquser' account I am back to square one. The certificate cannot be loaded.
Can anyone help me... using Windows XP/2003 etc.
a) I need to create a locked-down account that cannot be used to log on to the server.
b) The account must be able to access the certificates contained within the MQSeries !default.sto.
c) The account will be used as a service account under which my queue processing application will be run.
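The three requirements in the last post describe a standard Windows service-account build: deny the interactive logon right, grant the service logon right, grant the account NTFS access to the MQ client key store, and register the service under it. The script below is an added example for this page, not code from the original poster or from IBM, and it does not claim to resolve the certificate-loading problem in the thread; it only provisions the account as asked. Assumed names: local account 'mquser', local group 'mqm', service 'MyMqProcessor' with binary C:\MyApp\MyMqProcessor.exe, and the key store path from the thread's MQSSLKEYR with the .sto extension. It uses secedit (present on XP/2003) for user rights and icacls (Vista and later; substitute cacls on XP/2003) for the file ACLs, and must be run by a local administrator.

```powershell
# Added example, not from the original thread. Provisions a locked-down local
# service account for an MQ client application:
#   a) cannot log on interactively  (SeDenyInteractiveLogonRight),
#   b) can read/write the MQ client key store (!Default.sto),
#   c) can run a Windows service     (SeServiceLogonRight).
# Assumed names/paths below are illustrative; adjust to the host.
$Account   = 'mquser'
$Password  = Read-Host -AsSecureString "Password for $Account"
$MqGroup   = 'mqm'
$KeyStore  = 'C:\Program Files\IBM\WebSphere MQ\!Default.sto'
$SvcName   = 'MyMqProcessor'
$SvcBinary = 'C:\MyApp\MyMqProcessor.exe'

# --- 1. Create the account and add it to the mqm group ----------------------
# net user needs the plaintext password on its command line; run this from a
# console, not from a script that gets logged.
$plain = [Runtime.InteropServices.Marshal]::PtrToStringAuto(
           [Runtime.InteropServices.Marshal]::SecureStringToBSTR($Password))
net user $Account $plain /add /passwordchg:no /expires:never | Out-Null
net localgroup $MqGroup $Account /add | Out-Null
$sid = (New-Object Security.Principal.NTAccount($Account)).Translate(
          [Security.Principal.SecurityIdentifier]).Value

# --- 2. User rights: deny interactive logon, allow service logon -------------
# secedit /configure REPLACES each listed right with the inf's member list, so
# export the current assignments first and append our SID to them.
$tmp = Join-Path $env:TEMP 'rights'
secedit /export /cfg "$tmp.inf" /areas USER_RIGHTS | Out-Null
$current = Get-Content "$tmp.inf" -Encoding Unicode

function Merge-Right([string]$Right, [string]$Sid, [string[]]$Lines) {
    $line = $Lines | Where-Object { $_ -match "^$Right\s*=" } | Select-Object -First 1
    if (-not $line)                              { return "$Right = *$Sid" }
    if ($line -match [regex]::Escape("*$Sid"))   { return $line }   # already granted
    return "$line,*$Sid"
}
$rights = @(
    Merge-Right 'SeDenyInteractiveLogonRight' $sid $current
    Merge-Right 'SeServiceLogonRight'         $sid $current
)
$inf = @'
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Privilege Rights]
'@ + "`r`n" + ($rights -join "`r`n")
Set-Content -Path "$tmp-apply.inf" -Value $inf -Encoding Unicode
secedit /configure /db "$tmp.sdb" /cfg "$tmp-apply.inf" /areas USER_RIGHTS | Out-Null

# --- 3. Key store access ------------------------------------------------------
# The MQ client key store, plus the machine-wide CSP container directory the
# thread's author had to open up. Grant only read/write, never Full Control.
icacls $KeyStore /grant "${Account}:(R,W)" | Out-Null
icacls "$env:ALLUSERSPROFILE\Application Data\Microsoft\Crypto\RSA\MachineKeys" `
       /grant "${Account}:(R,W)" | Out-Null

# --- 4. Register the service under the new account ----------------------------
$cred = New-Object Management.Automation.PSCredential(".\$Account", $Password)
New-Service -Name $SvcName -BinaryPathName $SvcBinary -Credential $cred `
            -StartupType Automatic -DisplayName 'MQ queue processor' | Out-Null

Remove-Item "$tmp.inf", "$tmp-apply.inf", "$tmp.sdb" -ErrorAction SilentlyContinue
```

One caveat worth keeping in mind when using this: an account denied interactive logon can still be the target of runas /user: only if it holds an interactive logon right, so any certificate import into that account's own CURRENT_USER store has to happen from a process that really runs with its local token (for example, from the service itself on first start), not from a runas /netonly window, which keeps the caller's identity.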