AMS and amqsput example (2035 auth err) |
Author |
Message
|
Boyd |
Posted: Wed Apr 09, 2014 6:26 am Post subject: |
|
|
Novice
Joined: 06 Apr 2014 Posts: 16
|
It looks like the queue is SYSTEM.ADMIN.QMGR.EVENT
Examining.... |
|
|
 |
Boyd |
Posted: Fri Apr 11, 2014 10:34 am Post subject: |
|
|
Novice
Joined: 06 Apr 2014 Posts: 16
|
There was no event in the queue, and apparently this is because when setting up the AMS exercise, the queue had a policy assigned to it only to allow certain users to access it.
(The AMS exercise works perfectly, I just can't get the Explorer to read the queue.)
I am using the following policy
Code: |
setmqspl -m QM_VERIFY_AMS -p TEST.Q -s SHA1 -a "CN=alice,O=IBM,C=GB" -e AES256 -r "CN=bob,O=IBM,C=GB" |
So apparently only users exposing the Bob_Cert certificate can read from the queue.
So I moved the Bob_cert created in the AMS exercise to the Windows machine where I am running the MQ Explorer.
I created a keystore.jks and imported the Bob_Cert into it, as follows:
Code: |
C:\Users\mqexp\keystore>keytool -import -file /users/mqexp/keystore/bob_public.arm -alias Bob_Cert -keystore /users/mqexp/keystore/keystore.jks -storepass passw0rd
Owner: CN=bob, O=IBM, C=GB
Issuer: CN=bob, O=IBM, C=GB
Serial number: 636a9d70e1ef80c8
Valid from: 4/6/14 2:30 PM until: 4/7/15 2:30 PM
Certificate fingerprints:
MD5: 77:90:D1:BB:72:AE:48:5E:63:D5:7D:6E:C3:D1:58:83
SHA1: FB:50:12:FB:AD:09:4D:6F:05:63:75:FC:A5:B9:4B:08:9E:A0:B2:0D
Trust this certificate? [no]: yes
Certificate was added to keystore |
Then I created the following keystore.conf and placed it in /users/mqexp on Windows:
Code: |
JKS.keystore = /users/mqexp/keystore
JKS.certificate = Bob_Cert
JKS.encrypted = no
JKS.keystore_pass = passw0rd
JKS.key_pass = passw0rd
JKS.provider = IBMJCE |
I restart the MQ Explorer on Windows, but I still get the Explorer error when I try to browse the queue set by the policy:
Code: |
Explanation: The queue manager security mechanism has indicated that the userid associated with this request is not authorized to access this object |
I do not know how to set the MQ Explorer to look at the keystore.conf and to look at the certificates.
How can I connect the MQ Explorer to see the certificates? (I looked in QMGR->Properties->SSL, but that is referring to certificates on the server where the QM is stored.) |
|
|
 |
subhmq |
Posted: Tue Jul 01, 2014 9:23 am Post subject: |
|
|
Newbie
Joined: 01 Jul 2014 Posts: 3
|
If this has not worked yet, I would suggest doing the following.
Open a command window, set the MQS_KEYSTORE_CONF variable and start MQ Explorer from the same command window using the strmqcfg command. Then try browsing the messages on the queue and see if it works. |
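A pre-flight check for the suggestion above, as an added example that is not part of the original posts or of IBM's tooling: it resolves MQS_KEYSTORE_CONF as the launching shell sees it and checks the file it names for the keys shown earlier in the thread. The function names are hypothetical, and the rule that JKS.keystore names the keystore file without its .jks extension is an assumption based on the AMS keystore.conf convention.

```python
import os
import sys
from pathlib import Path

# Keys taken from the keystore.conf shown earlier in the thread.
REQUIRED = ("keystore", "certificate", "encrypted",
            "keystore_pass", "key_pass", "provider")

def parse_keystore_conf(text):
    """Parse 'JKS.keystore = value' lines into {prefix: {key: value}}."""
    stanzas = {}
    for raw in text.splitlines():
        if "=" not in raw:
            continue
        name, value = (part.strip() for part in raw.split("=", 1))
        prefix, _, key = name.partition(".")
        stanzas.setdefault(prefix.upper(), {})[key.lower()] = value
    return stanzas

def check_keystore_conf(conf_path, prefix="JKS", ext=".jks"):
    """Return a list of problems; an empty list means every check passed."""
    conf = Path(conf_path)
    if not conf.is_file():
        return [f"{conf} does not exist or is not a file"]
    settings = parse_keystore_conf(conf.read_text()).get(prefix, {})
    problems = [f"missing {prefix}.{k}" for k in REQUIRED if k not in settings]
    base = settings.get("keystore")
    if base:
        # Assumption: the value names the keystore file without its extension.
        if base.lower().endswith(ext):
            problems.append(f"{prefix}.keystore should omit the {ext} extension")
        elif Path(base).is_dir():
            problems.append(f"{prefix}.keystore is a directory, not a keystore file name")
        elif not Path(base + ext).is_file():
            problems.append(f"{base}{ext} not found")
    return problems

def check_environment(env=None):
    """Check the file named by MQS_KEYSTORE_CONF, as the launching shell sees it."""
    env = os.environ if env is None else env
    conf = env.get("MQS_KEYSTORE_CONF")
    if not conf:
        return ["MQS_KEYSTORE_CONF is not set in this shell"]
    return check_keystore_conf(conf)

if __name__ == "__main__":
    found = check_environment()
    print("\n".join(found) or "keystore.conf checks passed")
    sys.exit(1 if found else 0)
```

Run it from the same command window that will launch strmqcfg, so it sees the same environment the Explorer process inherits.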
|
|
 |
fjb_saper |
Posted: Tue Jul 01, 2014 6:50 pm Post subject: |
|
|
 Grand High Poobah
Joined: 18 Nov 2003 Posts: 20756 Location: LI,NY
|
The AMS documentation states very clearly that if you are not one of the authorized users and want to browse the queue (for admin reasons) you have to access the queue through an ALIAS queue that is not configured in AMS. This way you will see the messages encrypted.
Have fun  _________________ MQ & Broker admin |
|