nvts8a
Posted: Tue Jan 10, 2012 8:38 am Post subject: FileOutput SFTP using SSH Identity to Windows Erroring Out
Newbie
Joined: 09 Jan 2012 Posts: 5 Location: Detroit, MI
Hey all,
Using WMB 7.0.0.2 on AIX
I can successfully SFTP and SSH from the AIX box command line into the destination Windows box; but when I attempt to use the WMB FileOutput SFTP functionality using security identity with a SSH identity file, out of the failure terminal I get:
Code:
ExceptionList
RecoverableException
File:CHARACTER:/build/S700_P/src/DataFlowEngine/ImbDataFlowNode.cpp
Line:INTEGER:1073
Function:CHARACTER:ImbDataFlowNode::createExceptionList
Type:CHARACTER:ComIbmFileOutputNode
Name:CHARACTER:OMITTED_FLOW_NAME#FCMComposite_1_7
Label:CHARACTER:OMITTED_FLOW_NAME.SFTPToAMIPI
Catalog:CHARACTER:BIPmsgs
Severity:INTEGER:3
Number:INTEGER:2230
Text:CHARACTER:Node throwing exception
RecoverableException
File:CHARACTER:AbstractFileOutputNode.java
Line:INTEGER:686
Function:CHARACTER:locateOutputFile
Type:CHARACTER:
Name:CHARACTER:
Label:CHARACTER:
Catalog:CHARACTER:BIPmsgs
Severity:INTEGER:0
Number:INTEGER:3314
Text:CHARACTER:
Insert
Type:INTEGER:5
Text:CHARACTER:SFTPToAMIPI
Insert
Type:INTEGER:5
Text:CHARACTER:OMITTED_FLOW_NAME
Insert
Type:INTEGER:5
Text:CHARACTER:/D:/MSPData
The BIP3314 states I don't have read/write access but I can read, write, mkdir, and rmdir when SFTPing into the Windows box just fine.
I attempted a user trace but it gave me no more information than the exception list in debug mode.
I feel it might be possible I didn't configure the security identity right? I ran:
Code:
mqsisetdbparms BROKERNAME -n sftp::SECIDNAME -u WINDOWSUSERNAME -i /DIR/BROKER_PRIVATE_KEY
Vitor
Posted: Tue Jan 10, 2012 9:02 am Post subject:
Grand High Poobah
Joined: 11 Nov 2005 Posts: 26093 Location: Texas, USA
Does WINDOWSUSERNAME arrive on the target machine with the right domain credentials? Who's identified by the SSH identity file?
_________________
Honesty is the best policy.
Insanity is the best defence.
marko.pitkanen
Posted: Tue Jan 10, 2012 9:04 am Post subject:
Chevalier
Joined: 23 Jul 2008 Posts: 440 Location: Jamsa, Finland
nvts8a
Posted: Tue Jan 10, 2012 11:20 am Post subject:
Newbie
Joined: 09 Jan 2012 Posts: 5 Location: Detroit, MI
Vitor:
We're currently working on getting logs from the Windows boxes from our engineering group (bureaucrats). I'll also be attempting to sift through a service trace, and the identity file identifies the AIX box the broker is installed on.
But just for the hell of it, I've also tried the AIX public key and the Windows box public key out of desperation and because InfoCenter is really vague.
Code:
-i SSHIdentityFile
(Optional) The name of an identity file, in the OpenSSH format, to be used for authentication with SFTP, in place of a password.
Marko:
Yes, I've read through how the FileOutput node uses SFTP. The Basic -> Directory is set to a directory on the AIX box that Broker has permission to read from and write to, to hold the file prior to transferring it via SFTP.
The FTP -> Server Directory property is set to a directory on the Windows box that WINDOWSUSERNAME has permission to read from and write to.
Vitor
Posted: Tue Jan 10, 2012 11:30 am Post subject:
Grand High Poobah
Joined: 11 Nov 2005 Posts: 26093 Location: Texas, USA
nvts8a wrote:
the identity file identifies the AIX box broker is installed on.
That's what I was getting at. Something called
Quote:
/DIR/BROKER_PRIVATE_KEY
sounds like a key store rather than an identity file. Also shouldn't that be the identity file that matches WINDOWSUSERNAME? In place of that user's password?
_________________
Honesty is the best policy.
Insanity is the best defence.
nvts8a
Posted: Tue Jan 10, 2012 12:02 pm Post subject:
Newbie
Joined: 09 Jan 2012 Posts: 5 Location: Detroit, MI
I've used the public key of the Windows box and the error hasn't changed. Would my flows need to be re-deployed after altering the Security Identity?
Vitor
Posted: Tue Jan 10, 2012 12:17 pm Post subject:
Grand High Poobah
Joined: 11 Nov 2005 Posts: 26093 Location: Texas, USA
nvts8a wrote:
I've used the public key of the Windows box and the error hasn't changed.
I'm still not that surprised. So far as I understand it (which may not be far enough) you don't want either box's SSL credentials as that parameter but an SSH identity file that matches (and identifies) the user involved. So I think you're getting this error because you're logging on as WINDOWSUSERNAME and not providing WINDOWSUSERNAME's "password".
There's a simple test as I see it. Start an SSH session from AIX to Windows as WINDOWSUSERNAME. Provide the same file to SSH as you're supplying in the mqsisetdbparms command. If the session is successfully instantiated you're looking at a different problem (like domain name) and can stop looking at this. If it doesn't then you've got a problem with the SSH identity.
nvts8a wrote:
Would my flows need to be re-deployed after altering the Security Identity?
No. At worst they'd need restarting.
_________________
Honesty is the best policy.
Insanity is the best defence.
nvts8a
Posted: Tue Jan 10, 2012 12:35 pm Post subject:
Newbie
Joined: 09 Jan 2012 Posts: 5 Location: Detroit, MI
When I run ssh and provide it the AIX box private key it goes right through with no problems, but using the Windows box public key I get prompted:
Code:
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: UNPROTECTED PRIVATE KEY FILE! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Permissions 0644 for './*.pub' are too open.
It is recommended that your private key files are NOT accessible by others.
This private key will be ignored.
bad permissions: ignore key: ./*.pub
Enter passphrase for key './*.pub':
Password Authentication:
WINDOWSUSERNAME's password:
I also created a bogus file just to throw in as the identity file to see if it would break or resolve otherwise. The bogus file prompts the same as the Windows box public key, which leads me to believe the identity file they're looking for is the AIX private key?
mqjeff
Posted: Tue Jan 10, 2012 12:42 pm Post subject:
Grand Master
Joined: 25 Jun 2008 Posts: 17447
You need to point the broker at the key file that holds the certificate of the identity you are asking broker to use when you establish the sftp connection.
I.e. if you are telling broker 'Go connect to this sftp server, and tell them that you are Dave', then you need to present Dave's certificate. Otherwise you'll be told that Dave's not here, man.
marko.pitkanen
Posted: Wed Jan 11, 2012 2:10 am Post subject:
Chevalier
Joined: 23 Jul 2008 Posts: 440 Location: Jamsa, Finland
Hi,
One more stupid question: Have you double checked that you can refer to the remote directory with an absolute path starting with a disk symbol?
--
Marko
nvts8a
Posted: Wed Jan 11, 2012 10:35 am Post subject:
Newbie
Joined: 09 Jan 2012 Posts: 5 Location: Detroit, MI
I figured out the issue!
We had asked for a password to the WINDOWSUSERNAME account for testing and just to see if it worked.
I created a new, second, security identity, changed the property on the node and attempted to deploy and it failed, with the message:
Code:
Check that the message flow is only using properties or nodes that are supported on the broker. Check that all necessary user-defined extensions are installed and that they are of a version that is compatible with the message flow.
BIP3386W: File node '*' in message flow '*.*.*.*'. The remote user identifier supplied as 'SECID2' is invalid.
The user identifier supplied by a securityIdentity is not valid. Either the user identifier is missing, or no securityIdentity definition exists, or the securityIdentity registry information could not be read due to a permissions problem. FTP processing for this node has been disabled.
Ensure that the securityIdentity is correctly defined using the mqsisetdbparms command. If your broker is running on z/OS, ensure that the BIPSDBP job is run with a userid that is in the same group as the broker userid. If you modify this definition, restart the message flow to pick up the new values. The message flow FTP processing will be re-enabled automatically. For more information, see the "FtpServer configurable service properties" topic in the WebSphere Message Broker information center.
After double checking that the one I created matched the one I set, I restarted the execution group to see if it changed anything. Attempted the deploy and it worked just fine. AND the SFTP worked too.
I then deleted the new security identity and tried to redeploy, but it didn't fail? The change hasn't been detected? Recreated the FIRST security ID where the AIX box private key is the SSH identity, restarted the execution group and the second one FAILS and the recreated first one works, both at deploying and at SFTPing.
Apparently, I can't find it in InfoCenter anywhere but, if you make changes to security identities you have to restart the execution group for the change to be made in the flows. And I must have made the ID wrong the first time and the change was never registered in testing.
Thanks all for your time and responses!
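As an added example (not code from the thread or from WMB itself), a small sh script that ties the thread's findings together: it checks that the file handed to mqsisetdbparms -i is really a private key with safe permissions (the checks the ssh warning above implies), runs the non-interactive ssh test Vitor suggests, and only then registers the identity and restarts the execution group. The Windows host name, the execution group name and the use of mqsireload for the restart are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread: pre-flight checks for the SSH
# identity file before it is registered with mqsisetdbparms, plus the ssh
# test suggested above. Broker, EG and host names are placeholders.

# check_identity_file FILE: returns 0 if FILE is a usable OpenSSH private key.
check_identity_file() {
    f="$1"
    [ -f "$f" ] || { echo "no such file: $f"; return 1; }
    # A *.pub file is the public half; ssh ignores it as an identity, which
    # is the "ignore key: ./*.pub" output seen in the thread.
    case "$f" in
        *.pub) echo "public key given; the private key is needed: $f"; return 2 ;;
    esac
    head -n 1 "$f" | grep -q -- '-----BEGIN .*PRIVATE KEY-----' \
        || { echo "not a PEM-encoded private key: $f"; return 3; }
    # ssh refuses a private key that group or others can read.
    mode=$(ls -ld "$f" | cut -c1-10)
    case "$mode" in
        -rw-------|-r--------) ;;
        *) echo "permissions $mode too open; chmod 600 it: $f"; return 4 ;;
    esac
    return 0
}

# verify_ssh_login USER HOST FILE: key-only, non-interactive login.
# BatchMode stops ssh from falling back to a password prompt, so a failure
# here means the key does not identify USER on HOST.
verify_ssh_login() {
    check_identity_file "$3" || return 1
    ssh -i "$3" -o BatchMode=yes -o PasswordAuthentication=no -l "$1" "$2" exit
}

# register_identity BROKER SECID USER FILE: the mqsisetdbparms call from the
# first post, run only once the key passes the checks, followed by the
# execution-group restart the last post found necessary (EG name assumed).
register_identity() {
    check_identity_file "$4" || return 1
    mqsisetdbparms "$1" -n "sftp::$2" -u "$3" -i "$4" || return 1
    mqsireload "$1" -e "EXECUTION_GROUP_NAME"
}

# Usage (on the AIX broker box):
#   verify_ssh_login WINDOWSUSERNAME windows-host /DIR/BROKER_PRIVATE_KEY \
#     && register_identity BROKERNAME SECIDNAME WINDOWSUSERNAME /DIR/BROKER_PRIVATE_KEY
```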