SOLVED: WMQ Internet pass-thru Support Pac (MS81)

exerk
Posted: Fri Mar 05, 2010 9:14 am Post subject: SOLVED: WMQ Internet pass-thru Support Pac (MS81)
Jedi Council, Joined: 02 Nov 2006, Posts: 6339
I am evaluating IPT and have hit a problem in SSL configuration that has me stumped, and I am following the doc to the letter, and I have hit Google - to no avail.
INFRASTRUCTURE
1. Windows XP Pro SP3, 32 bit, 4GB RAM, > 100GB free space
WebSphere MQ 7.0.1.1
2. Windows 7 Ultimate, 64 bit, 4GB RAM, > 1TB free space
WebSphere MQ 7.0.1.1
All prerequisites are met on both machines (I know that Windows 7 is not in the list but it works, and it's the only other piece of available hardware).
ISSUE
I can successfully run an IPT on each server and I defined a route in each to allow a client connection from 1. to 2. - all works fine.
The problem occurs (on both machines) when setting up a single IPT to work as an SSL proxy, it fails with access denied (java.io.FilePermission c:\mqipt\logs read).
My user is an administrator, but to fault diagnose I explicitly set permissions for that account, switched on auditing etc., but still the issue. The policy file, mqipt.config is reproduced below:
Code:
grant codeBase "file://c:/mqipt/lib/com.ibm.mq.ipt.jar" {
permission java.net.SocketPermission "127.0.0.1:1-", "accept, listen, resolve";
permission java.util.PropertyPermission "user.dir", "read";
permission java.util.PropertyPermission "user.home", "read";
permission java.util.PropertyPermission "file.encoding", "read";
permission java.util.PropertyPermission "java.version", "read";
permission java.util.PropertyPermission "os.name", "read";
permission java.io.FilePermission "c:\\mqipt", "read";
permission java.io.FilePermission "c:\\mqipt\\errors\\*", "read, write";
permission java.io.FilePermission "c:\\mqipt\\logs\\*", "read, write";
permission java.io.FilePermission "c:\\mqipt\\exits\\*", "read";
permission java.io.FilePermission "c:\\mqipt\\ssl\\*", "read";
permission java.io.FilePermission "c:\\mqipt\\lib\\*", "execute";
permission java.io.FilePermission "c:\\mqipt\\bin\\*", "execute";
permission java.io.FilePermission "c:\\mqipt\\*", "read, write";
permission java.lang.RuntimePermission "setSecurityManager";
};
FDC files are cut (as per the doc) with a Probe Id of JD000002, but nothing else catches my eye as regards why the error is returned and the IPT errors directory is empty.
Can anyone help please?
_________________
It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys.
Last edited by exerk on Tue Mar 09, 2010 6:52 am; edited 1 time in total

fjb_saper
Posted: Fri Mar 05, 2010 1:18 pm Post subject:
Grand High Poobah, Joined: 18 Nov 2003, Posts: 20756, Location: LI,NY
If using a single IPT as SSL proxy you need to get a little creative
Say you have a server and a client.
The client connects to port a on the IPT and gets forwarded with the client cert to port b on the IPT which has the server cert and forwards to the qmgr.
The assumption is that client to IPT and IPT to MQ are setup without SSL.
With a single IPT server the SSL portion will be internal to the IPT server.
This should be a relatively simple scenario. You can spice it up by giving the incoming IPT port a server and a client keyring and have the client go SSL to it...
Have fun
_________________
MQ & Broker admin

exerk
Posted: Fri Mar 05, 2010 1:39 pm Post subject:
Jedi Council, Joined: 02 Nov 2006, Posts: 6339
Sorry fj, but I'm not sure what you're driving at
I've connected two IPTs together without SSL, and used the amqsputc sample to prove the routes successfully; I now want to move on to using SSL with a single IPT acting as an SSL proxy. The problem is I can't get the IPT to start because of the log file read failure - and I now realise that I didn't make it clear that the IPT wasn't starting at all. I want to go through every example in the doc so I have a full understanding of all the content.
My final target is client -> IPT1 -> IPT2 -> queue manager where everything downstream of the client is SSL, but the client-to-IPT1 is non-SSL.

Michael Dag
Posted: Sat Mar 06, 2010 3:40 am Post subject:
Jedi Knight, Joined: 13 Jun 2002, Posts: 2607, Location: The Netherlands (Amsterdam)
Are you being bitten by Windows UAC?
I have the same with, for example, VMWare Workstation: if I double click the virtual machine it doesn't work; if I run VMWare Workstation as Administrator and then start the VM it works...
Try setting explicit access or run the process explicitly as Administrator using run as...
_________________
Michael
MQSystems Facebook page

exerk
Posted: Sat Mar 06, 2010 8:11 am Post subject:
Jedi Council, Joined: 02 Nov 2006, Posts: 6339
Michael Dag wrote:
> Are you being bitten by Windows UAC?
> I have the same with, for example, VMWare Workstation: if I double click the virtual machine it doesn't work; if I run VMWare Workstation as Administrator and then start the VM it works...
> Try setting explicit access or run the process explicitly as Administrator using run as...
Michael,
I'm an Administrator on both machines and gave explicit permissions to the directory structure, and would not expect Win XP Pro to give me UAC issues, but will give the contact admin option a go...

fjb_saper
Posted: Sat Mar 06, 2010 8:06 pm Post subject:
Grand High Poobah, Joined: 18 Nov 2003, Posts: 20756, Location: LI,NY
Quote:
> permission java.net.SocketPermission "127.0.0.1:1-", "accept, listen, resolve";
This permission is insufficient. You need as well to allow the permissions for the incoming MQIPT which, if on another machine, can obviously not be 127.0.0.1 or localhost. You could also use a DNS name instead of the IP.
Have fun

exerk
Posted: Sun Mar 07, 2010 3:51 am Post subject:
Jedi Council, Joined: 02 Nov 2006, Posts: 6339
fjb_saper wrote:
> Quote:
> > permission java.net.SocketPermission "127.0.0.1:1-", "accept, listen, resolve";
> This permission is insufficient. You need as well to allow the permissions for the incoming MQIPT which, if on another machine, can obviously not be 127.0.0.1 or localhost. You could also use a DNS name instead of the IP.
> Have fun
For SSL proxy I have wmq client -> IPT (on qmgr machine) -> qmgr.
I used the policy tool to add the 'inbound', but I'm still hitting the brick wall of the IPT not starting due to the permission issue with the logs/log directory.
I'm trying to do this in baby steps and would have expected an error when the SocketPermission was missing, and want deliberately induced failures so I can trap the errors in the logs, but...if I can't get the IPT to start because it can't read the logs, I can't even do that.

fjb_saper
Posted: Sun Mar 07, 2010 12:46 pm Post subject:
Grand High Poobah, Joined: 18 Nov 2003, Posts: 20756, Location: LI,NY
Hope you still have the original policy...
Try this, and you might have to set it for either the code base or all code bases:
Code:
permission java.io.FilePermission ".", "read";
permission java.io.FilePermission "./errors/*", "read, write";
permission java.io.FilePermission "./logs/*", "read, write";
permission java.io.FilePermission "./exits/*", "read";
permission java.io.FilePermission "./ssl/*", "read";
permission java.io.FilePermission "./lib/*", "read, execute";
permission java.io.FilePermission "./bin/*", "read, execute";
permission java.io.FilePermission "./*", "read, write";
Note that the execute was changed here to read, execute...(how can you execute something you can't read?)
See as well the change in the FilePermissions. You did start the program from the mqipt directory, yes? So why did you add mqipt in the permission path?
Have fun

exerk
Posted: Mon Mar 08, 2010 12:58 am Post subject:
Jedi Council, Joined: 02 Nov 2006, Posts: 6339
fjb_saper wrote:
> Hope you still have the original policy...
I made a copy.
fjb_saper wrote:
> Try this, and you might have to set it for either the code base or all code bases:
> Code:
> permission java.io.FilePermission ".", "read";
> permission java.io.FilePermission "./errors/*", "read, write";
> permission java.io.FilePermission "./logs/*", "read, write";
> permission java.io.FilePermission "./exits/*", "read";
> permission java.io.FilePermission "./ssl/*", "read";
> permission java.io.FilePermission "./lib/*", "read, execute";
> permission java.io.FilePermission "./bin/*", "read, execute";
> permission java.io.FilePermission "./*", "read, write";
> Note that the execute was changed here to read, execute...(how can you execute something you can't read?)
Did that...
fjb_saper wrote:
> See as well the change in the FilePermissions. You did start the program from the mqipt directory, yes?
Yes...
fjb_saper wrote:
> So why did you add mqipt in the permission path?
Because that's what is stated in the manual (amqyab02.pdf), page 135. And I still get that permission denied message and failure to start of the IPT.

mqjeff
Posted: Mon Mar 08, 2010 2:41 am Post subject:
Grand Master, Joined: 25 Jun 2008, Posts: 17447
... IPT *is* Cat 3.
So you *can* open a PMR and get support.

exerk
Posted: Mon Mar 08, 2010 5:07 am Post subject:
Jedi Council, Joined: 02 Nov 2006, Posts: 6339
I was hoping it was just a keyboard interface problem, and I just wanted to be sure before going down the PMR route.

fjb_saper
Posted: Mon Mar 08, 2010 8:41 am Post subject:
Grand High Poobah, Joined: 18 Nov 2003, Posts: 20756, Location: LI,NY
OK, as I'm in the office I could check the file permissions we have set.
They all have the FULL path and not a relative path.
Maybe that will help.
Also the code base that you show is wrong; it should be:
grant codeBase "file:///c:/mqipt/lib/com.ibm.mq.ipt.jar"
Have fun
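An added check, not code from this thread or from the MS81 Support Pac: it loads the FilePermission entries for c:\mqipt quoted earlier in the thread into a java.security.Permissions set and asks it the same question the security manager asks at start-up, whether "read" on c:\mqipt\logs is implied, then contrasts the "*" and "-" wildcards. The c:\mqipt layout is the poster's; the file names x.log and old/y are constructed for the demo.

```java
import java.io.File;
import java.io.FilePermission;
import java.security.Permissions;

// Added example: evaluates java.io.FilePermission entries with the same implies()
// logic the Java security manager applies at run time. Paths are built with
// File.separator so the check runs on any OS; c:\mqipt is the thread's layout.
public class PolicyCheck {
    static final String SEP = File.separator;
    static final String BASE = "c:" + SEP + "mqipt";
    static final String LOGS = BASE + SEP + "logs";

    // The FilePermission entries from the poster's mqipt.policy that touch logs.
    static Permissions entriesFromThread() {
        Permissions p = new Permissions();
        p.add(new FilePermission(BASE, "read"));
        p.add(new FilePermission(LOGS + SEP + "*", "read,write"));
        p.add(new FilePermission(BASE + SEP + "*", "read,write"));
        return p;
    }

    // True when at least one entry in the set implies the requested access.
    static boolean granted(Permissions p, String path, String action) {
        return p.implies(new FilePermission(path, action));
    }

    public static void main(String[] args) {
        Permissions full = entriesFromThread();
        // The access named in the poster's error: "read" on the logs directory itself.
        // "logs\*" does not cover it (a directory is not contained in itself); it is the
        // "mqipt\*" entry, covering every immediate child of c:\mqipt, that does.
        System.out.println("full set, read logs dir:     " + granted(full, LOGS, "read"));
        // A file directly inside logs is covered by "logs\*", but "*" is one level only,
        // so a file in a subdirectory of logs is not.
        System.out.println("full set, write logs/x.log:  " + granted(full, LOGS + SEP + "x.log", "write"));
        System.out.println("full set, read logs/old/y:   " + granted(full, LOGS + SEP + "old" + SEP + "y", "read"));

        // Without the "mqipt\*" entry, "logs\*" alone leaves the logs directory unreadable.
        Permissions starOnly = new Permissions();
        starOnly.add(new FilePermission(LOGS + SEP + "*", "read,write"));
        System.out.println("logs\\* only, read logs dir: " + granted(starOnly, LOGS, "read"));

        // "-" is the recursive form: it reaches logs/old/y, yet still excludes logs itself.
        Permissions dash = new Permissions();
        dash.add(new FilePermission(LOGS + SEP + "-", "read"));
        System.out.println("logs\\-, read logs/old/y:    " + granted(dash, LOGS + SEP + "old" + SEP + "y", "read"));
        System.out.println("logs\\-, read logs dir:      " + granted(dash, LOGS, "read"));
    }
}
```

If the full set reports the access as granted, the entry list is not what is refusing it, and the remaining questions are the ones raised in this thread: whether the grant block's codeBase URL actually matched the jar, and which policy file the JVM loaded.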

exerk
Posted: Mon Mar 08, 2010 9:35 am Post subject:
Jedi Council, Joined: 02 Nov 2006, Posts: 6339
fjb_saper wrote:
> OK, as I'm in the office I could check the file permissions we have set.
> They all have the FULL path and not a relative path.
> Maybe that will help.
> Also the code base that you show is wrong; it should be:
> grant codeBase "file:///c:/mqipt/lib/com.ibm.mq.ipt.jar"
> Have fun
Tried that, and still no joy.
I have checked the global $JREHOME/lib/security/java.policy file, and policy.allowSystemProperty is set to true, so that is out of the picture. I have enlisted the help of a java 'expert', who will be looking at this with me tomorrow, so I'll feed back then. Either this is environmental, or me (I suspect me!).

exerk
Posted: Tue Mar 09, 2010 6:52 am Post subject:
Jedi Council, Joined: 02 Nov 2006, Posts: 6339
OK, progress at last!
By replicating the mqipt.policy entries into the global java.policy file, I can get the IPT to start. I used the policytool to do the editing, and interestingly it strips out additional forward slashes and adds in additional back-slashes.
Thank you all for the time and effort you gave me on this, it's much appreciated.

Michael Dag
Posted: Tue Mar 09, 2010 10:23 am Post subject:
Jedi Knight, Joined: 13 Jun 2002, Posts: 2607, Location: The Netherlands (Amsterdam)
Can you post the working policy file then? Or the parts that are relevant?