MS0P Administered Servers Certificate Store
LouML
Posted: Wed Jan 15, 2014 4:06 am Post subject: MS0P Administered Servers Certificate Store
Partisan
Joined: 10 Nov 2005 Posts: 305 Location: Jersey City, NJ / Bethpage, NY
I'm using MS0P 7.2, Windows 7 Pro desktop and MQ Server 7.5.0.2 on a Solaris 10 server.
I am trying to use the Administered Servers feature of MS0P. Has anyone got this to work with SSH certificates?
Our Unix team does not allow straight mqm userid access to our Solaris servers. To support MQ, I need to login as my own userid, then sudo su – mqm. Unfortunately, this can’t be done with MS0P. If I use my own userid, I can connect and see the queue managers but get security errors trying to access things like error logs, etc…
One solution would be to have my userid added to the mqm user group, which I know is not preferred. However, since I am the only MQ Admin, I don’t think it’s as bad as if I had a team of people setup that way.
I suppose the better choice would be to use the SSH Certificate Store option.
I created a certificate on my Windows 7 desktop. I’ve added it to the authorized_keys file on the Solaris MQ server.
I’ve tested that it works by doing an SFTP from my Windows desktop command line and I’m able to connect to the MQ Server as the mqm userid.
When I try the same certificate to add an administered server, it does not.
Can someone suggest how to go about this?
I’ve tried a few different ways and they all fail with ‘Cannot establish session with server mqm1d using SSH’
1st attempt - Populating Passphrase and SSH Cert Store
Server: mqm1d
User Name: mqm
Password/Passphrase: ************************
Preferred Protocol: SSH
SSH Certificate Store: C:\Users\me\My Documents\MobaXterm\Home\.ssh\id_rsa.pub

2nd attempt - Populating just Passphrase
Server: mqm1d
User Name: mqm
Password/Passphrase: ************************
Preferred Protocol:

3rd attempt - Populating just SSH Cert Store
Server: mqm1d
User Name: mqm
Password/Passphrase:
Preferred Protocol: SSH
SSH Certificate Store: C:\Users\me\My Documents\MobaXterm\Home\.ssh\id_rsa.pub
Also, we have one development server that I can connect to because it is the only one I can login directly as 'mqm'.
In this case, once connected, I try 'Update Queue Manager Status' and it fails twice with 'LANG=C: Command not found'. Once, when it tries to 'Find Installed Versions' and then when it tries to 'Get a list of Queue Managers'.
_________________
Yeah, well, you know, that's just, like, your opinion, man. - The Dude
PeterPotkay
Posted: Wed Jan 15, 2014 4:27 am Post subject: Re: MS0P Administered Servers Certificate Store
Poobah
Joined: 15 May 2001 Posts: 7722
LouML wrote:
> Our Unix team does not allow straight mqm userid access to our Solaris servers. To support MQ, I need to login as my own userid, then sudo su – mqm. Unfortunately, this can’t be done with MS0P. If I use my own userid, I can connect and see the queue managers but get security errors trying to access things like error logs, etc…

Dude, what if the MQ Admins set up a CHLAUTH rule for a SVRCONN channel to map your incoming userid to mqm if it comes from your IP address?

LouML wrote:
> One solution would be to have my userid added to the mqm user group, which I know is not preferred. However, since I am the only MQ Admin, I don’t think it’s as bad as if I had a team of people setup that way.

Unless the primary group for your user ID is the mqm group, don't do this. Otherwise every MQ object you create will instantly be accessible by every member of your actual primary group, which in large companies is usually some generic group like AllEmployeesInOurDivision.
_________________
Peter Potkay
Keep Calm and MQ On
LouML
Posted: Wed Jan 15, 2014 4:35 am Post subject: Re: MS0P Administered Servers Certificate Store
PeterPotkay wrote:
> LouML wrote:
> > Our Unix team does not allow straight mqm userid access to our Solaris servers. To support MQ, I need to login as my own userid, then sudo su – mqm. Unfortunately, this can’t be done with MS0P. If I use my own userid, I can connect and see the queue managers but get security errors trying to access things like error logs, etc…
> Dude, what if the MQ Admins set up a CHLAUTH rule for a SVRCONN channel to map your incoming userid to mqm if it comes from your IP address?

I'm the only MQ Admin. I'm not even getting as far as the remote queue manager. I'm trying to connect MQ Explorer from a Windows Desktop using SSH to a Solaris server that runs the queue managers.
LouML
Posted: Wed Jan 15, 2014 5:47 am Post subject:
I just ran an MS0P trace and see the following in the MS0PTrace.txt log:
Code:
08:36:20 [main] admin Server (constructor)
08:36:20 [main] admin ServerExtObject (constructor 1) null
08:36:20 [main] admin ServerExtObject (constructor 2)
08:36:20 [main] admin AccessMethod (prepareToStartSession)
08:36:20 [main] admin ServerActions (startSession) Protocol Length = 1
08:36:21 [main] admin AccessMethod (tryToStartSession)
com.ibm.tivoli.remoteaccess.RemoteAccessAuthException: CTGRI0000E Could not establish a connection to the target machine with the authorization credentials that were provided.
using SSH
08:36:21 [main] admin StatusReport (constructor)
08:36:21 [main] admin StatusReport (issueReport) sev=0
08:36:21 [main] admin StatusReport (issueReport) have a parent
08:36:23 [main] admin ServerActions (startSession) ra is null

This is strange, because I can connect using SFTP from the same desktop to the same MQ server:
Code:
[myid.JCWA1021YFC] sftp mqm@mqm1d
Connected to mqm1d.
sftp> quit
[2014-01-15 08:38.52] ~/.ssh
[myid.JCWA1021YFC]

I googled the error and found the following (it refers to Tivoli though, not MQ) and it doesn't provide much clarity:
Code:
CTGRI0000E
Could not establish a connection to the target machine with the authorization credentials that were provided.
Explanation
A connection to the target machine was denied. This is probably due to improper authorization credentials being specified.
Programmer response
Verify that the login name and password are valid for the target machine. For SSH logins, also verify that the key store name and passphrase are correctly specified. Retry the connection.
PeterPotkay
Posted: Wed Jan 15, 2014 7:10 am Post subject:
Sorry, ignore my previous suggestion about CHLAUTH. I just realized you are talking about the ssh connection MS0P is doing, not an MQ Client connection.
Last edited by PeterPotkay on Tue Jan 21, 2014 7:36 am; edited 1 time in total
LouML
Posted: Tue Jan 21, 2014 6:29 am Post subject:
No problem Peter.
Anyone else have any ideas?
LouML
Posted: Tue Jul 15, 2014 5:49 am Post subject: Re: MS0P Administered Servers Certificate Store
We had to drop this for a while so I'm just getting back to it now.
I'm using the latest version of MS0P 7.2, Windows 7 Pro desktop and MQ Server 8.0.0.0 on a Linux VM (previously tried on MQ Server 7.5.0.2 on a Solaris 10 server).
I am still trying to use the Administered Servers feature of MS0P. Has anyone got this to work with SSH certificates?
As mentioned previously, our Unix team does not allow straight mqm userid access to our Solaris servers. To support MQ, I need to login as my own userid, then sudo su – mqm. Unfortunately, this can’t be done with MS0P. If I use my own userid, I can connect and see the queue managers but get security errors trying to access things like error logs, etc…
I would like to use the SSH Certificate Store option.
I created a certificate on my Windows 7 desktop. I’ve added it to the authorized_keys file on the Linux MQ server.
I’ve tested that it works by doing an SFTP from my Windows desktop command line and I’m able to connect to the MQ Server as the mqm userid.
When I try the same certificate to add an administered server, it does not.
Can someone suggest how to go about this?
I’ve tried the following and it fails with ‘Cannot establish session with server mqm3d using SSH’
Server: mqm3d
User Name: mqm
Password/Passphrase: ************************
Preferred Protocol:
I see the following in the /var/log/secure log on the Linux server:
Code:
Jul 15 09:39:27 mqm3d sshd[1248]: pam_vas: Authentication <failed> for <Active Directory> user: <mqm> account: <mqm3d_mqm_svc@AD.MYCOMPANY.COM> service: <sshd> reason: <Invalid password.> Access Control Identifier(NT Name):<MYCOMPANY\mqm3d_mqm_svc>
Jul 15 09:39:27 mqm3d sshd[1248]: Failed password for mqm from 10.123.149.129 port 61487 ssh2
Jul 15 09:39:27 mqm3d sshd[1249]: Received disconnect from 10.123.149.129: 10: General disconnection

I see the following in the MS0PTrace.txt file on the Windows desktop:
Code:
09:39:27 [main] admin Server (constructor)
09:39:27 [main] admin ServerExtObject (constructor 1) null
09:39:27 [main] admin ServerExtObject (constructor 2)
09:39:27 [main] admin AccessMethod (prepareToStartSession)
09:39:27 [main] admin ServerActions (startSession) Protocol Length = 1
09:39:27 [main] admin AccessMethod (tryToStartSession)
com.ibm.tivoli.remoteaccess.RemoteAccessAuthException: CTGRI0000E Could not establish a connection to the target machine with the authorization credentials that were provided.
using SSH
09:39:27 [main] admin StatusReport (constructor)
09:39:27 [main] admin StatusReport (issueReport) sev=0
09:39:27 [main] admin StatusReport (issueReport) have a parent
fjb_saper
Posted: Tue Jul 15, 2014 11:10 am Post subject:
Grand High Poobah
Joined: 18 Nov 2003 Posts: 20756 Location: LI,NY
Dude I thought that was clear enough a reason:
Quote:
> Jul 15 09:39:27 mqm3d sshd[1248]: Failed password for mqm from 10.123.149.129 port 61487 ssh2

Have fun
_________________
MQ & Broker admin
LouML
Posted: Tue Jul 15, 2014 11:30 am Post subject:
fjb_saper wrote:
> Dude I thought that was clear enough a reason:
> Quote:
> > Jul 15 09:39:27 mqm3d sshd[1248]: Failed password for mqm from 10.123.149.129 port 61487 ssh2
> Have fun

I am not using a password here though. I was under the impression that I could use the Passphrase (created on the desktop and which is in the authorized_keys file on the target server) in this field.
fjb_saper
Posted: Wed Jul 16, 2014 4:27 am Post subject:
Sure, but I'd check if the setup with passphrase and everything is valid first.
Don't know if the error messages have caught up yet to the ssh auth but if they haven't that's what I would be expecting as error message if my ssh set up wasn't working yet....
Have you been able to confirm through independent check that the ssh passphrase was working?
LouML
Posted: Wed Jul 16, 2014 6:29 am Post subject:
fjb_saper wrote:
> Sure, but I'd check if the setup with passphrase and everything is valid first.
> Don't know if the error messages have caught up yet to the ssh auth but if they haven't that's what I would be expecting as error message if my ssh set up wasn't working yet....
> Have you been able to confirm through independent check that the ssh passphrase was working?

I setup a key pair in a file called Windows7Desktop.ppk. I copied the public key to the .ssh/authorized_keys file in the mqm home directory of my MQ server.
I am able to connect as mqm using Putty and WinSCP (both using Windows7Desktop.ppk) to the MQ Server.
Now I get nothing in /var/log/secure on the Linux MQ server and the following in the MS0PTrace.txt file:
Code:
10:20:55 [main] admin Server (constructor)
10:20:55 [main] admin ServerExtObject (constructor 1) null
10:20:55 [main] admin ServerExtObject (constructor 2)
10:20:55 [main] admin AccessMethod (prepareToStartSession)
10:20:55 [main] admin ServerActions (startSession) Protocol Length = 1
10:20:55 [main] admin AccessMethod (tryToStartSession)
java.net.ConnectException: CTGRI0001E The application could not establish a connection to mqm3d.
using SSH
10:20:55 [main] admin StatusReport (constructor)
10:20:55 [main] admin StatusReport (issueReport) sev=0
10:20:55 [main] admin StatusReport (issueReport) have a parent
10:20:56 [main] admin ServerActions (startSession) ra is null

I used the following settings in the Server Properties of Administered Servers:
Server: mqm3d
User Name: mqm
Password/Passphrase: *******
Preferred Protocol: SSH
SSH Certificate Store: C:\Program Files (x86)\IBM\WebSphere MQ Explorer\ssl\Windows7Desktop.ppk
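The thread so far shows two different failures in MS0PTrace.txt: CTGRI0000E (a RemoteAccessAuthException) in the earlier post, where /var/log/secure recorded "Failed password for mqm", and CTGRI0001E (a java.net.ConnectException) here, where nothing reached the server log at all. The script below is an added triage example, not code from the thread, from MS0P or from IBM: it parses sshd auth lines and MS0P trace extracts and reports at which stage the session died and which authentication method the client actually used. The sample log and trace lines are constructed to resemble the ones posted, and the function names and hint text are my own.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample input, modelled on the /var/log/secure and MS0PTrace.txt
# extracts posted in this thread (not copied verbatim).
SSHD_LOG = """\
Jul 15 09:39:27 mqm3d sshd[1248]: Failed password for mqm from 10.123.149.129 port 61487 ssh2
Jul 15 09:39:27 mqm3d sshd[1249]: Received disconnect from 10.123.149.129: 10: General disconnection
Jul 16 10:30:02 mqm3d sshd[1301]: Accepted publickey for mqm from 10.123.149.129 port 61502 ssh2
Jul 16 10:31:10 mqm3d sshd[1305]: Failed password for invalid user admin from 203.0.113.9 port 40122 ssh2
"""

TRACE_AUTH_FAIL = """\
09:39:27 [main] admin AccessMethod (tryToStartSession)
com.ibm.tivoli.remoteaccess.RemoteAccessAuthException: CTGRI0000E Could not establish a connection to the target machine with the authorization credentials that were provided.
using SSH
"""

TRACE_CONNECT_FAIL = """\
10:20:55 [main] admin AccessMethod (tryToStartSession)
java.net.ConnectException: CTGRI0001E The application could not establish a connection to mqm3d.
using SSH
"""

# sshd auth line shape: "<Accepted|Failed> <method> for [invalid user ]<user> from <ip> port <port> ssh2"
SSHD_AUTH_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Accepted|Failed) (?P<method>\S+) for "
    r"(?P<invalid>invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port (?P<port>\d+)"
)


@dataclass
class AuthAttempt:
    result: str        # "Accepted" or "Failed"
    method: str        # "password", "publickey", ...
    user: str
    ip: str
    port: int
    invalid_user: bool  # sshd flagged the login name as unknown


def parse_sshd_auth(log_text: str) -> List[AuthAttempt]:
    """Extract the authentication attempts sshd logged, with the method each one used."""
    attempts = []
    for line in log_text.splitlines():
        m = SSHD_AUTH_RE.search(line)
        if m:
            attempts.append(AuthAttempt(m["result"], m["method"], m["user"], m["ip"],
                                        int(m["port"]), m["invalid"] is not None))
    return attempts


def ms0p_failure_stage(trace_text: str) -> str:
    """Map the exception in an MS0P trace to the stage that failed.

    CTGRI0001E / java.net.ConnectException: the TCP connection to sshd was never made.
    CTGRI0000E / RemoteAccessAuthException: sshd was reached and rejected the credentials.
    """
    if "CTGRI0001E" in trace_text or "java.net.ConnectException" in trace_text:
        return "connect"
    if "CTGRI0000E" in trace_text or "RemoteAccessAuthException" in trace_text:
        return "auth"
    return "unknown"


def triage(trace_text: str, sshd_log: str, user: str, client_ip: str) -> Dict[str, object]:
    """Combine the client-side trace with the server-side auth log for one user/IP pair."""
    stage = ms0p_failure_stage(trace_text)
    mine = [a for a in parse_sshd_auth(sshd_log) if a.user == user and a.ip == client_ip]
    failed = sorted({a.method for a in mine if a.result == "Failed"})
    accepted = sorted({a.method for a in mine if a.result == "Accepted"})

    if stage == "connect":
        hint = ("TCP connect failed before authentication: check the host name, the port "
                "(Override Port Number) and any firewall; expect no new lines in the server auth log")
    elif stage == "auth" and failed == ["password"]:
        hint = ("sshd only saw password authentication from this client, so no key was "
                "presented; the Password/Passphrase value was sent as a login password")
    elif stage == "auth":
        hint = ("sshd rejected the credentials; OpenSSH logs a rejected public key only at "
                "LogLevel VERBOSE, so an empty log does not prove that no key was offered")
    else:
        hint = "no recognised CTGRI code in the trace"
    return {"stage": stage, "failed_methods": failed, "accepted_methods": accepted, "hint": hint}


if __name__ == "__main__":
    for trace in (TRACE_AUTH_FAIL, TRACE_CONNECT_FAIL):
        print(triage(trace, SSHD_LOG, "mqm", "10.123.149.129"))
```

Run against the constructed input, the first trace is classified as an authentication failure in which the server only ever saw the password method from 10.123.149.129, and the second as a connect failure that never produced a server-side entry; in practice you would feed it the real /var/log/secure tail and the trace file from the same minute.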
fjb_saper
Posted: Thu Jul 17, 2014 5:57 am Post subject:
you are specifying port 22 in your MS0P setup right?
LouML
Posted: Thu Jul 17, 2014 6:10 am Post subject:
fjb_saper wrote:
> you are specifying port 22 in your MS0P setup right?

I wasn't. I thought that would be the default.
Anyway, after using 22 in the Override Port Number, it still fails.
zpat
Posted: Thu Jul 17, 2014 8:04 am Post subject:
Jedi Council
Joined: 19 May 2001 Posts: 5866 Location: UK
Why not add your desktop id to the mqm group on the target server.
_________________
Well, I don't think there is any question about it. It can only be attributable to human error. This sort of thing has cropped up before, and it has always been due to human error.
LouML
Posted: Thu Jul 17, 2014 9:20 am Post subject:
zpat wrote:
> Why not add your desktop id to the mqm group on the target server.

From everything I'm told, putting anyone into the mqm group is frowned upon.
Besides, I'd like to find out if this is actually an issue with MS0P or am I just not doing it correctly.
Mark Taylor actually responded to me when I posted this a few months back and said some people have had issues under certain circumstances. However, I did not have a chance to follow up and had to drop this when other things became a higher priority.
I'm curious if anyone is successfully using MS0P this way.