longnguk
Posted: Wed Apr 30, 2014 5:39 pm Post subject: AMS - MCA Interceptor, which keystore.conf to use?
Novice
Joined: 16 Aug 2006 Posts: 19 Location: Phoenix
We are trying to implement a solution using the AMS MCA Interceptor, adapting the suggested http://pic.dhe.ibm.com/infocenter/wmqv7/v7r5/topic/com.ibm.mq.sec.doc/q014780_.htm.
The link does not indicate which user ID the keystore.conf needs to be set up for, but we tried setting it up for the (Windows) account that the queue manager is running under as well as for the account that the WMQ client application is running under, and both methods fail with 2035 when the client application tries to connect using the channel specified in the keystore.conf.
Running the trace we can see some activity attempting to use the channel, yet we do not see any indication that the MCA Interceptor is being invoked.
Interestingly, on the client side we do observe an error indicating that the (client) keystore.conf does not contain the key 'certificate'. But we are assuming that the interception is happening at the server side; are we wrong? Regarding this error, it implies that the cms.certificate.channel.ALICE.SVRCONN=ALICE_CERT setting is not recognized, since the runtime is only interested in cms.certificate = certificate_label.
Searching the PMRs, there's a hit (http://www-01.ibm.com/support/docview.wss?uid=swg21665298) that suggests we should set the environment variable AMQ_DISABLE_CLIENT_AMS=TRUE. Yet it's targeted at FP4!
Our environment is a mix of Windows 2008R2 and RHEL 6.5 with WMQ at the latest and greatest level, v7.5.03. We can only assume that it has something to do with our setup as opposed to something being broken in WMQ. Has anyone come across this situation?
For what it's worth, we even tried to mimic the exact example
cms.keystore=/home/mqm/keystore/mykeystore
cms.certificate.channel.ALICE.SVRCONN=ALICE_CERT
cms.certificate.channel.BOB.SVRCONN=BOB_CERT
and it still fails!
Does anyone have any advice or suggestions?
fjb_saper
Posted: Thu May 01, 2014 6:44 am Post subject:
Grand High Poobah
Joined: 18 Nov 2003 Posts: 20756 Location: LI,NY
Can you confirm that CHLAUTH is not the reason for your 2035 Reason code?
Did you first try without setting up SSL for the channel? If you did set up SSL for the channel, have you verified that SSL works on a non-AMS queue?
Apart from the fp4 suggestion there is also a suggestion to use libraries from a previous release...
_________________
MQ & Broker admin
longnguk
Posted: Thu May 01, 2014 7:43 am Post subject:
Novice
Joined: 16 Aug 2006 Posts: 19 Location: Phoenix
fjb_saper wrote:
Can you confirm that CHLAUTH is not the reason for your 2035 Reason code?
Did you first try without setting up SSL for the channel? If you did set up SSL for the channel, have you verified that SSL works on a non-AMS queue?
Apart from the fp4 suggestion there is also a suggestion to use libraries from a previous release...
Thanks fjb_saper; indeed, I purposely even turned off CHLAUTH, TLS etc. so as to focus only on the MCA Intercept aspect.
And yes, I find it rather surprising to see the recommendation to use back versions of AMS, and that makes me wonder if the MCA Intercept feature would work at all in WMQ v7.5!
Does anyone know of a way to prove that the MCA Intercept is active, either in trace or process names etc.?
fjb_saper
Posted: Thu May 01, 2014 12:05 pm Post subject:
Grand High Poobah
Joined: 18 Nov 2003 Posts: 20756 Location: LI,NY
I don't think the documentation is very clear either as to the MCA Intercept feature.
It makes sense to request a cms type store, as this happens on the server, but the default location needed for the config file is not very clear.
The only thing that did seem clear is that the receiver does not create a config file. On the other hand, I don't know what kind of latency this potentially introduces with the SSL store being at the endpoint and not at the server, and having to be fetched from the server...
_________________
MQ & Broker admin
longnguk
Posted: Tue May 20, 2014 10:37 am Post subject:
Novice
Joined: 16 Aug 2006 Posts: 19 Location: Phoenix
fjb_saper wrote:
...On the other hand I don't know what kind of latency this potentially introduces with the SSL store being at the endpoint and not at the server, and having to be fetched from the server...
Not quite. The client does not need to fetch the keystore from the server. In fact, the client simply sends/receives messages without being aware that the messages are being intercepted by the MCA. Only when a message arrives at the channel does the MCA start to apply security rules to sign and encrypt it before putting it into a queue. As for latency, I do not see any noticeable delay in comparison to the native interceptors. Well, the most noticeable latency I have come across is when I have OCSP/CRL enabled!
To answer my original question, I found out that the MCA Interceptor looks in $HOME/mqm/.mqs for the keystore.conf file on Unixes. For Windows, I have not found the default location for it yet. The only way I can make it work on Windows is to explicitly define a global environment variable MQS_KEYSTORE_CONF.
exerk
Posted: Tue May 20, 2014 12:05 pm Post subject:
Jedi Council
Joined: 02 Nov 2006 Posts: 6339
longnguk wrote:
...For Windows, I have not found out the default location for it yet...
Bearing in mind it's the home directory on UNIX, what about the %HOMEPATH% variable in Windows?
_________________
It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys.
hughson
Posted: Tue May 20, 2014 12:16 pm Post subject:
Padawan
Joined: 09 May 2013 Posts: 1959 Location: Bay of Plenty, New Zealand
If you want to use MCA Intercept you might be interested in this customer experience on exactly that, which was presented at IMPACT 2014.
http://www.slideshare.net/MoragHughson/websphere-mq-ams
Regarding the client trying to use AMS when you don't want it to, you need to have a pre-V7.5 client (which doesn't have AMS as part of it) or V7.5.0.4, which allows you to use AMS at the MCA Intercept instead of at the client. You say you're on V7.5.0.3, so this may well be pertinent if your clients are also on that level?
Cheers
Morag
_________________
Morag Hughson @MoragHughson
IBM MQ Technical Education Specialist
Get your IBM MQ training here!
MQGem Software
longnguk
Posted: Tue May 20, 2014 1:15 pm Post subject:
Novice
Joined: 16 Aug 2006 Posts: 19 Location: Phoenix
hughson wrote:
If you want to use MCA Intercept you might be interested in this customer experience on exactly that, which was presented at IMPACT 2014.
http://www.slideshare.net/MoragHughson/websphere-mq-ams
Regarding the client trying to use AMS when you don't want it to, you need to have a pre-V7.5 client (which doesn't have AMS as part of it) or V7.5.0.4, which allows you to use AMS at the MCA Intercept instead of at the client. You say you're on V7.5.0.3, so this may well be pertinent if your clients are also on that level?
Cheers
Morag
Thanks Morag, I did review your excellent presentation with the customer!
You're also spot on that we have to ask for an interim fix for the AMQ_DISABLE_CLIENT_AMS=TRUE to stay on v7.5.x.x, as well as for the AMS fix described in http://www-01.ibm.com/support/docview.wss?uid=swg1IC98712
longnguk
Posted: Tue May 20, 2014 1:34 pm Post subject:
Novice
Joined: 16 Aug 2006 Posts: 19 Location: Phoenix
exerk wrote:
longnguk wrote:
...For Windows, I have not found out the default location for it yet...
Bearing in mind it's the home directory on UNIX, what about the %HOMEPATH% variable in Windows?
Well, it's not quite that straightforward, at least for me. Under Windows (non-domain) the WMQ service is running under MUSR_MQADMIN, which has its default home subdirectory at %HOMEDRIVE%\Users\MUSR_MQADMIN. As such, I put the keystore.conf into %HOMEDRIVE%\Users\MUSR_MQADMIN\.mqs, but that does not work for me. Hence I have to set the MQS_KEYSTORE_CONF variable explicitly! I may try to pursue this in a PMR when I have a few minutes.
Thinking about it, I just wonder aloud if MUSR_MQADMIN being a service account (non-login) may have something to do with the issue...
gs
Posted: Fri Aug 22, 2014 12:41 am Post subject:
Master
Joined: 31 May 2007 Posts: 254 Location: Sweden
I'm having the very same issue. Pointing to keystore.conf from an environment variable works, but not using %HOMEDRIVE%/.mqs/keystore.conf.
The trace shows what seems to indicate that MQ can't resolve HOMEDRIVE:
Code:
00003E6E 10:22:37.937622 1252.3 RSESS:000001 xcsGetEnv[MQS_KEYSTORE_CONF] = NULL
00003E6F 10:22:37.937626 1252.3 RSESS:000001 -------------------} xcsGetEnv (rc=OK)
00003E70 10:22:37.937628 1252.3 RSESS:000001 -------------------{ xcsGetEnvironmentString
00003E71 10:22:37.937638 1252.3 RSESS:000001 xcsGetEnvironmentString[HOMEDRIVE] = NULL
00003E72 10:22:37.937642 1252.3 RSESS:000001 -------------------}! xcsGetEnvironmentString (rc=xecE_E_ENV_VAR_NOT_FOUND)
This also causes an FDC to be created, as described here: http://www-01.ibm.com/support/docview.wss?uid=swg1IC95888
I've got a PMR open which I hope leads to a solution, and hopefully better error messages in the future.
longnguk wrote:
exerk wrote:
longnguk wrote:
...For Windows, I have not found out the default location for it yet...
Bearing in mind it's the home directory on UNIX, what about the %HOMEPATH% variable in Windows?
Well, it's not quite that straightforward, at least for me. Under Windows (non-domain) the WMQ service is running under MUSR_MQADMIN, which has its default home subdirectory at %HOMEDRIVE%\Users\MUSR_MQADMIN. As such, I put the keystore.conf into %HOMEDRIVE%\Users\MUSR_MQADMIN\.mqs, but that does not work for me. Hence I have to set the MQS_KEYSTORE_CONF variable explicitly! I may try to pursue this in a PMR when I have a few minutes.
Thinking about it, I just wonder aloud if MUSR_MQADMIN being a service account (non-login) may have something to do with the issue...
hughson
Posted: Fri Aug 22, 2014 2:37 am Post subject:
Padawan
Joined: 09 May 2013 Posts: 1959 Location: Bay of Plenty, New Zealand
May seem like a silly question to ask, but is %HOMEDRIVE% set? Depending on how your user ID came about, it may not be. I have certainly seen user IDs that I have created on Windows not having it set. If you display the value of it, what do you see?
Cheers
Morag
_________________
Morag Hughson @MoragHughson
IBM MQ Technical Education Specialist
Get your IBM MQ training here!
MQGem Software
gs
Posted: Fri Aug 22, 2014 3:51 am Post subject:
Master
Joined: 31 May 2007 Posts: 254 Location: Sweden
hughson wrote:
May seem like a silly question to ask, but is %HOMEDRIVE% set? Depending on how your user ID came about, it may not be. I have certainly seen user IDs that I have created on Windows not having it set. If you display the value of it, what do you see?
Hi Morag,
HOMEDRIVE is indeed set, as well as HOMEPATH:
Code:
HOMEDRIVE=C:
HOMEPATH=\Users\MUSR_MQADMIN
I manually set HOMEDRIVE & HOMEPATH for the MQ service in the registry (HKLM/SYSTEM/CurrentControlSet/services/MQ_Installation1) and guess what...now it works!
For some reason the service can't resolve the environment variables, although they show up when doing a SET from a command console for that specific user.
hughson
Posted: Fri Aug 22, 2014 4:05 am Post subject:
Padawan
Joined: 09 May 2013 Posts: 1959 Location: Bay of Plenty, New Zealand
Well, that is interesting. Do let them know that in your PMR.
Cheers
Morag
_________________
Morag Hughson @MoragHughson
IBM MQ Technical Education Specialist
Get your IBM MQ training here!
MQGem Software
gs
Posted: Fri Aug 22, 2014 4:23 am Post subject:
Master
Joined: 31 May 2007 Posts: 254 Location: Sweden
hughson wrote:
Well that is interesting. Do let them know that in your PMR
Thanks, will do that!
gs
Posted: Fri Sep 26, 2014 1:32 am Post subject:
Master
Joined: 31 May 2007 Posts: 254 Location: Sweden
A lengthy PMR hasn't so far provided us with a solution. Not going to 7.5.0.4 either, although we got rid of the FDCs.
My wish is that the error reporting would be better and that the following scenarios would be properly logged:
- Can't find the keystore.conf file
- Invalid keystore.conf file / missing config for channel
- Other issues causing the encryption to fail
Currently we get an error stating that the client is trying to put an unencrypted message on the queue, but not why (faulty qmgr config)...not very easy to troubleshoot.
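The following is an added example, not code from this thread and not IBM's MQ or AMS code. It emulates the keystore.conf lookup the posters pieced together (MQS_KEYSTORE_CONF first, otherwise a .mqs/keystore.conf under the home directory, built from HOME on Unix and from HOMEDRIVE+HOMEPATH on Windows), checks the file for the cms.keystore and per-channel cms.certificate.channel.<CHANNEL> entries used in the first post, and scans MQ trace lines for the xcsGetEnv / xcsGetEnvironmentString NULL results gs quoted. Together these produce the three error messages gs wished MQ would log. The lookup order, the file format and the sample trace lines are assumptions drawn from the posts above (the original post gives the Unix directory as $HOME/mqm/.mqs; this example assumes <home>/.mqs), so verify them against your own MQ level.

```python
"""Locate and sanity-check an AMS keystore.conf the way the thread describes
(assumed lookup order, not IBM code), and flag the trace symptom that a
service account without HOMEDRIVE/HOMEPATH produces."""
import re
from pathlib import PurePosixPath, PureWindowsPath

# Constructed sample inputs, using the values quoted in the thread.
SAMPLE_CONF = """\
cms.keystore=/home/mqm/keystore/mykeystore
cms.certificate.channel.ALICE.SVRCONN=ALICE_CERT
cms.certificate.channel.BOB.SVRCONN=BOB_CERT
"""
SAMPLE_TRACE = [
    "00003E6E 10:22:37.937622 1252.3 RSESS:000001 xcsGetEnv[MQS_KEYSTORE_CONF] = NULL",
    "00003E6F 10:22:37.937626 1252.3 RSESS:000001 -------------------} xcsGetEnv (rc=OK)",
    "00003E71 10:22:37.937638 1252.3 RSESS:000001 xcsGetEnvironmentString[HOMEDRIVE] = NULL",
    "00003E72 10:22:37.937642 1252.3 RSESS:000001 -------------------}! xcsGetEnvironmentString (rc=xecE_E_ENV_VAR_NOT_FOUND)",
]

# Trace entries recording an environment lookup that returned NULL.
ENV_NULL_RE = re.compile(r"xcsGetEnv\w*\[(\w+)\] = NULL")


def resolve_keystore_conf(env, windows=False):
    """Return (path, how) for the keystore.conf the interceptor would use,
    or (None, reason) when the environment does not allow a lookup.
    `env` is a plain dict so the service's environment can be simulated."""
    explicit = env.get("MQS_KEYSTORE_CONF")
    if explicit:
        return explicit, "MQS_KEYSTORE_CONF"
    if windows:
        drive, home = env.get("HOMEDRIVE"), env.get("HOMEPATH")
        if not drive or not home:
            return None, "HOMEDRIVE/HOMEPATH not set in this process (service accounts often lack them)"
        return str(PureWindowsPath(drive + home) / ".mqs" / "keystore.conf"), "HOMEDRIVE+HOMEPATH"
    home = env.get("HOME")
    if not home:
        return None, "HOME not set in this process"
    return str(PurePosixPath(home) / ".mqs" / "keystore.conf"), "HOME"


def check_keystore_conf(text, channel):
    """Parse keystore.conf (key=value lines) and list what is missing for
    `channel`: the cms.keystore entry and a certificate label, either the
    channel-specific cms.certificate.channel.<CHANNEL> or the plain
    cms.certificate fallback. An empty list means the file looks usable."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        conf[key.strip()] = value.strip()
    problems = []
    if not conf.get("cms.keystore"):
        problems.append("cms.keystore is missing or empty")
    channel_key = f"cms.certificate.channel.{channel}"
    if not conf.get(channel_key) and not conf.get("cms.certificate"):
        problems.append(f"no certificate label for channel {channel} (expected {channel_key})")
    return problems


def unresolved_env_from_trace(trace_lines):
    """Names of environment variables an MQ trace shows resolving to NULL."""
    return [m.group(1) for line in trace_lines for m in [ENV_NULL_RE.search(line)] if m]


def diagnose(env, channel, files, windows=False):
    """Produce the messages the thread wished MQ would log. `files` maps
    paths to keystore.conf contents and stands in for the filesystem."""
    path, how = resolve_keystore_conf(env, windows)
    if path is None:
        return [f"cannot locate keystore.conf: {how}"]
    if path not in files:
        return [f"keystore.conf not found at {path} (located via {how})"]
    return [f"{path}: {p}" for p in check_keystore_conf(files[path], channel)]


if __name__ == "__main__":
    svc_env = {"HOMEDRIVE": "C:", "HOMEPATH": r"\Users\MUSR_MQADMIN"}
    fs = {r"C:\Users\MUSR_MQADMIN\.mqs\keystore.conf": SAMPLE_CONF}
    print(diagnose({}, "ALICE.SVRCONN", {}, windows=True))        # service lacks HOMEDRIVE/HOMEPATH
    print(diagnose(svc_env, "CAROL.SVRCONN", fs, windows=True))   # channel not in keystore.conf
    print(unresolved_env_from_trace(SAMPLE_TRACE))                # ['MQS_KEYSTORE_CONF', 'HOMEDRIVE']
```

Running it against a real trace file means reading the lines into `unresolved_env_from_trace`; an empty result for HOMEDRIVE/HOMEPATH combined with a keystore.conf that passes `check_keystore_conf` points the investigation elsewhere (CHLAUTH, the client's own AMS behaviour), which is the elimination the thread went through by hand.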