yasaboy
Posted: Wed Oct 08, 2014 8:08 pm    Post subject: Enabling SSL channel security on an Application
Voyager
Joined: 23 Jun 2014    Posts: 90

Hi,
I have a current prototype which we have developed using the MQ C API. Now we have added AMS to our solution as well. Our next task is to enable channel security on the prototype. So it is of the type Client to QM.
In order to do that I need to use the method where a channel definition table is involved.
I have looked into the AMQCLCHL.TAB file and all but could not figure out a way to do this.
I have done the "Creating a certificate authority" and "Configuring WebSphere MQ to use SSL" parts of the reference below:
http://www-01.ibm.com/support/knowledgecenter/api/content/prodconn_1.0.0/com.ibm.scenarios.wmqwassecure.doc/topics/phase1_addssl.htm
Please help me figure out a way to do this. Thanks
fjb_saper
Posted: Wed Oct 08, 2014 8:14 pm    Post subject:
Grand High Poobah
Joined: 18 Nov 2003    Posts: 20756    Location: LI,NY

You create a channel table by running the corresponding commands from runmqsc.
Make sure your environment variables are set to point to the file you want to create. Use runmqsc to define the Client Connection part of the channel.
Once done, close runmqsc (using the "end" command) and there you have your channel table...
Remember your channel table should be created by connecting to a qmgr at the same level as your MQ client installation...
You can also try support pack MO72 for qmgrs before version 8.
Have fun
_________________
MQ & Broker admin
yasaboy
Posted: Wed Oct 08, 2014 8:54 pm    Post subject:
Voyager
Joined: 23 Jun 2014    Posts: 90

fjb_saper wrote:
    You create a channel table by running the corresponding commands from runmqsc.
    Make sure your environment variables are set to point to the file you want to create. Use runmqsc to define the Client Connection part of the channel.
    Once done, close runmqsc (using the "end" command) and there you have your channel table...
    Remember your channel table should be created by connecting to a qmgr at the same level as your MQ client installation...
    You can also try support pack MO72 for qmgrs before version 8.
    Have fun
Thanks for the reply. Now I have done the following.
Code:
    1) runmqsc CHANNEL.TEST
    DEFINE CHANNEL(TEST.CHANNEL) CHLTYPE(CLNTCONN) CONNAME('1xx.xx.xx.xx(xxxx)') QMNAME(CHANNEL.TEST)
And I see the AMQCLCHL.TAB file in /var/mqm/qmgrs/CHANNEL!TEST/@ipcc is updated.
So I have copied it to the /xxx/devxx/ssl folder on the client system and set the client's environment variables as follows:
Code:
    set mqchllib= /xxx/devxx/ssl
    set mqchltab=AMQCLCHL.TAB
Now what should I do next?
exerk
Posted: Wed Oct 08, 2014 10:07 pm    Post subject:
Jedi Council
Joined: 02 Nov 2006    Posts: 6339

yasaboy wrote:
    ...So I have copied it to the /xxx/devxx/ssl folder on the client system and set the client's environment variables as follows:
    Code:
        set mqchllib= /xxx/devxx/ssl
        set mqchltab=AMQCLCHL.TAB
    Now what should I do next?
As you're using variables rather than the mqclient.ini file, I suggest you research the SSL-related variable you'll need to set.
_________________
It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys.
fjb_saper
Posted: Thu Oct 09, 2014 4:35 pm    Post subject:
Grand High Poobah
Joined: 18 Nov 2003    Posts: 20756    Location: LI,NY

Your client channel definition is not complete. It lacks the cipherspec (and the SSLPEER?)
_________________
MQ & Broker admin
yasaboy
Posted: Thu Oct 09, 2014 8:14 pm    Post subject:
Voyager
Joined: 23 Jun 2014    Posts: 90

fjb_saper wrote:
    Your client channel definition is not complete. It lacks the cipherspec (and the SSLPEER?)
Hi,
Thanks for the reply. If I add these
Code:
    echo alter chl(SSL.CLIENTS) chltype(svrconn) sslciph(triple_des_sha_us) sslcauth(optional)
    set mq mqchllib=x01/MQCLIENT
    mqchltab=AMQCLCHL.TAB
    mqsslkeyr=x01/MQCLIENT/key
does it require me to add SSL options
Code:
    /* ssl options */
    MQCNO connect_options = {MQCNO_DEFAULT};
    MQCD mycd = {MQCD_CLIENT_CONN_DEFAULT};
    MQSCO mysco = {MQSCO_DEFAULT};
to the C code to configure the keystore, CipherSpec and so on?
Does this process of adding SSL channel security require any kind of code change in my application?
fjb_saper
Posted: Thu Oct 09, 2014 8:22 pm    Post subject:
Grand High Poobah
Joined: 18 Nov 2003    Posts: 20756    Location: LI,NY

No, it requires you to also change the clntconn end of the channel in your channel table.
You then need to set all your environment variables, for the channel table and for the keystore/truststore...
Have fun
_________________
MQ & Broker admin
exerk
Posted: Thu Oct 09, 2014 10:32 pm    Post subject:
Jedi Council
Joined: 02 Nov 2006    Posts: 6339

fjb_saper wrote:
    ...You then need to set all your environment variables, for the channel table and for the keystore/truststore...
Or use the mqclient.ini file
_________________
It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys.
yasaboy
Posted: Fri Oct 10, 2014 12:59 am    Post subject:
Voyager
Joined: 23 Jun 2014    Posts: 90

Hi,
I have been following lots of tutorials about channel security throughout this week. Even though you say your documentation is sound and good, I could not find any clear-cut full reference for this.
So I followed this: http://usuaris.tinet.cat/sag/mq_ssl.htm
By using that I have done the following up to now.
1) QMgr machine (172.xx.xx.xx)
Code:
    DEFINE LISTENER('LISTENER.TCP') TRPTYPE(TCP) PORT(22xxx) CONTROL(QMGR)
    DEFINE QLOCAL(TEST.INQUEUE1) REPLACE +
    PUT(ENABLED) GET(ENABLED)
    def chl(SSL.CLIENTS) chltype(SVRCONN)
    alter chl(SSL.CLIENTS) chltype(svrconn) sslciph(triple_des_sha_us) sslcauth(optional)
    DEFINE CHANNEL(SSL.CLIENTS) CHLTYPE(CLNTCONN) CONNAME('172.xx.xx.xx(22xxx)') replace
    START LISTENER('LISTENER.TCP')
and created the keystore in the default location of the QMgr
Code:
    /var/mqm/qmgrs/testQM1/ssl>ls
    key.kdb key.rdb key.sth sslqm.arm
copied the sslqm.arm and AMQCLCHL.TAB files to
Code:
    /x01/devYY/MQCLIENT
2) Client machine (172.yy.yy.yy)
Code:
    /x01/devYY/MQCLIENT>ls
    AMQCLCHL.TAB amqsputc clientkey.kdb clientkey.rdb clientkey.sth sslqm.arm
and set the environment variables on the client machine to
Code:
    set mqchltab=AMQCLCHL.TAB
    set mqchllib=/x01/devYY/MQCLIENT
    set mqsslkeyr=/x01/devYY/MQCLIENT/clientkey
    set mqserver=
So now when I try to run
    amqsputc TEST.INQUEUE1 testQM1
it gives the error "MQCONN ended with reason code 2058".
PLEASE HELP
exerk
Posted: Fri Oct 10, 2014 1:04 am    Post subject:
Jedi Council
Joined: 02 Nov 2006    Posts: 6339

What's missing from this picture?
Quote:
    alter chl(SSL.CLIENTS) chltype(svrconn) sslciph(triple_des_sha_us) sslcauth(optional)
    DEFINE CHANNEL(SSL.CLIENTS) CHLTYPE(CLNTCONN) CONNAME('172.xx.xx.xx(22xxx)') replace
Read again the last post by fjb_saper.
_________________
It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys.
yasaboy
Posted: Fri Oct 10, 2014 1:48 am    Post subject:
Voyager
Joined: 23 Jun 2014    Posts: 90

exerk wrote:
    What's missing from this picture?
    Quote:
        alter chl(SSL.CLIENTS) chltype(svrconn) sslciph(triple_des_sha_us) sslcauth(optional)
        DEFINE CHANNEL(SSL.CLIENTS) CHLTYPE(CLNTCONN) CONNAME('172.xx.xx.xx(22xxx)') replace
    Read again the last post by fjb_saper.
Hi,
I have added the following and copied the AMQCLCHL.TAB again:
    alter chl(SSL.CLIENTS) chltype(CLNTCONN) sslciph(triple_des_sha_us)
Now the channels display as follows:
Code:
    dis chl(SSL.CLIENTS)
         9 : dis chl(SSL.CLIENTS)
    AMQ8414: Display Channel details.
       CHANNEL(SSL.CLIENTS)                    CHLTYPE(SVRCONN)
       ALTDATE(2014-10-10)                     ALTTIME(15.13.57)
       COMPHDR(NONE)                           COMPMSG(NONE)
       DESCR( )                                DISCINT(0)
       HBINT(300)                              KAINT(AUTO)
       MAXINST(999999999)                      MAXINSTC(999999999)
       MAXMSGL(4194304)                        MCAUSER( )
       MONCHL(QMGR)                            RCVDATA( )
       RCVEXIT( )                              SCYDATA( )
       SCYEXIT( )                              SENDDATA( )
       SENDEXIT( )                             SHARECNV(10)
       SSLCAUTH(OPTIONAL)                      SSLCIPH(TRIPLE_DES_SHA_US)
       SSLPEER( )                              TRPTYPE(TCP)
    AMQ8414: Display Channel details.
       CHANNEL(SSL.CLIENTS)                    CHLTYPE(CLNTCONN)
       AFFINITY(PREFERRED)                     ALTDATE(2014-10-10)
       ALTTIME(15.08.31)                       CLNTWGHT(0)
       COMPHDR(NONE)                           COMPMSG(NONE)
       CONNAME(172.xx.xx.xx(22xxx))            DEFRECON(NO)
       DESCR( )                                HBINT(300)
       KAINT(AUTO)                             LOCLADDR( )
       MAXMSGL(4194304)                        MODENAME( )
       PASSWORD( )                             QMNAME( )
       RCVDATA( )                              RCVEXIT( )
       SCYDATA( )                              SCYEXIT( )
       SENDDATA( )                             SENDEXIT( )
       SHARECNV(10)                            SSLCIPH(TRIPLE_DES_SHA_US)
       SSLPEER( )                              TPNAME( )
       TRPTYPE(TCP)                            USERID( )
The problem still remains.
smdavies99
Posted: Fri Oct 10, 2014 2:10 am    Post subject:
Jedi Council
Joined: 10 Feb 2003    Posts: 6076    Location: Somewhere over the Rainbow this side of Never-never land.

What do the events logged in AMQERR01.log when you try to connect say?
_________________
WMQ User since 1999
MQSI/WBI/WMB/'Thingy' User since 2002
Linux user since 1995
Every time you reinvent the wheel the more square it gets (anon). If in doubt think and investigate before you ask silly questions.
yasaboy
Posted: Fri Oct 10, 2014 2:45 am    Post subject:
Voyager
Joined: 23 Jun 2014    Posts: 90

smdavies99 wrote:
    What do the events logged in AMQERR01.log when you try to connect say?
Hi,
I cleared the errors folder before running amqsputc. Now, strangely, there is no AMQERR01.log file created even when I run amqsputc from the client machine.
Isn't the AMQCLCHL.TAB properly set here?
smdavies99
Posted: Fri Oct 10, 2014 3:50 am    Post subject:
Jedi Council
Joined: 10 Feb 2003    Posts: 6076    Location: Somewhere over the Rainbow this side of Never-never land.

What about on the client side?
_________________
WMQ User since 1999
MQSI/WBI/WMB/'Thingy' User since 2002
Linux user since 1995
Every time you reinvent the wheel the more square it gets (anon). If in doubt think and investigate before you ask silly questions.
yasaboy
Posted: Fri Oct 10, 2014 4:18 am    Post subject:
Voyager
Joined: 23 Jun 2014    Posts: 90

smdavies99 wrote:
    What about on the client side?
Hi,
Thanks for the reply. I checked on the client side. Even when I set the environment variables as
Code:
    set mqsslkeyr=/x01/devYY/MQCLIENT/clientkey
    set mqchllib=/x01/devYY/MQCLIENT
    set mqchltab=AMQCLCHL.TAB
the client-side error log gave the error
Code:
    AMQ9518: File '/var/mqm/AMQCLCHL.TAB' not found.
    EXPLANATION:
    The program requires that the file '/var/mqm/AMQCLCHL.TAB' is present and
    available.
    ACTION:
    This may be caused by invalid values for the optional environment variables
    MQCHLLIB, MQCHLTAB or MQDATA. If these variables are valid or not set then
    record the name of the file and tell the systems administrator who must ensure
    that file '/var/mqm/AMQCLCHL.TAB' is available to the program.
So obviously the environment variables have not been set properly. Therefore I copied the AMQCLCHL.TAB file to /var/mqm/.
Now there is no error on the client side either, but still error 2058 from amqsputc.
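The procedure the replies in this thread describe (CipherSpec on both the SVRCONN and the CLNTCONN, then the channel table and key repository made known to the client either through environment variables or through mqclient.ini, with no MQCNO/MQCD/MQSCO changes in the application) as one complete worked script. This is an added example, not code from the thread, from IBM or from the original poster; the queue manager name, channel name, address, distinguished names, paths and the TLS 1.2 CipherSpec are placeholders and assumptions, and a TLS 1.2 CipherSpec needs a queue manager and client at a level that supports it (the thread's TRIPLE_DES_SHA_US is an SSL 3.0 CipherSpec). Three things a practitioner would want checked are built in: the SVRCONN and CLNTCONN carry the same SSLCIPH (a CLNTCONN without it starts the channel in clear and a TLS-only SVRCONN rejects it); the client variables are written in upper case and exported, because on UNIX the MQ client reads MQCHLLIB, MQCHLTAB and MQSSLKEYR case-sensitively and a lowercase `set mqchllib=...` is never seen, which leaves the client looking for the default /var/mqm/AMQCLCHL.TAB exactly as the AMQ9518 message above reports; and MQSERVER is cleared, since it takes precedence over a CCDT when set. Reason code 2058 is MQRC_Q_MGR_NAME_ERROR; note that the DIS CHL output earlier in the thread shows QMNAME( ) on the CLNTCONN entry while amqsputc is given testQM1, so the example sets QMNAME explicitly to the name the application will pass to MQCONN.

```shell
#!/bin/sh
# Added example, not from the thread: generate both channel definitions, the
# client-side mqclient.ini alternative, and the client environment for a
# TLS-protected client connection that relies on a CCDT, so the application
# needs no MQCNO/MQCD/MQSCO changes. Every name, address, DN and path below
# is a placeholder (assumption); override them from the environment.

QM=${QM:-testQM1}
CHL=${CHL:-SSL.CLIENTS}
CONNAME=${CONNAME:-'192.0.2.10(22001)'}                  # hypothetical host(port)
CIPHER=${CIPHER:-TLS_RSA_WITH_AES_128_CBC_SHA256}       # assumed supported at this MQ level
QM_PEER=${QM_PEER:-'CN=testQM1,O=Example'}               # hypothetical qmgr certificate DN
CLIENT_PEER=${CLIENT_PEER:-'CN=*,OU=Clients,O=Example'}  # hypothetical client DN filter
CCDT_DIR=${CCDT_DIR:-/x01/devYY/MQCLIENT}
CCDT_FILE=${CCDT_FILE:-AMQCLCHL.TAB}
KEYR=${KEYR:-/x01/devYY/MQCLIENT/clientkey}              # .kdb stem, no extension

# MQSC to feed to `runmqsc $QM` on the queue manager. Both definitions must
# name the same SSLCIPH. SSLPEER on the SVRCONN filters the client's
# certificate DN; SSLPEER on the CLNTCONN filters the queue manager's.
# QMNAME must match the name the application passes to MQCONN.
qm_mqsc() {
  cat <<EOF
DEFINE CHANNEL('$CHL') CHLTYPE(SVRCONN) TRPTYPE(TCP) +
       SSLCIPH($CIPHER) SSLCAUTH(REQUIRED) SSLPEER('$CLIENT_PEER') REPLACE
DEFINE CHANNEL('$CHL') CHLTYPE(CLNTCONN) TRPTYPE(TCP) +
       CONNAME('$CONNAME') QMNAME('$QM') +
       SSLCIPH($CIPHER) SSLPEER('$QM_PEER') REPLACE
REFRESH SECURITY TYPE(SSL)
EOF
}

# Client side, option A: mqclient.ini (point MQCLNTCF at it, or place it in
# /var/mqm or in the application's working directory).
client_ini() {
  cat <<EOF
CHANNELS:
  ChannelDefinitionDirectory=$CCDT_DIR
  ChannelDefinitionFile=$CCDT_FILE
SSL:
  SSLKeyRepository=$KEYR
EOF
}

# Client side, option B: environment variables. On UNIX the names are
# case-sensitive and must be exported; a lowercase `set mqchllib=...` creates
# a shell variable the MQ client never reads, so it falls back to
# /var/mqm/AMQCLCHL.TAB (the AMQ9518 symptom). MQSERVER overrides the CCDT
# when set, so it is cleared.
client_env() {
  MQCHLLIB=$CCDT_DIR;  export MQCHLLIB
  MQCHLTAB=$CCDT_FILE; export MQCHLTAB
  MQSSLKEYR=$KEYR;     export MQSSLKEYR
  unset MQSERVER
}

# Pre-flight check before running amqsputc: the CCDT, the key database and
# its stash file must be readable by the client user. Returns non-zero and
# lists whatever is missing.
check_client() {
  rc=0
  for f in "$MQCHLLIB/$MQCHLTAB" "$MQSSLKEYR.kdb" "$MQSSLKEYR.sth"; do
    [ -r "$f" ] || { echo "missing or unreadable: $f" >&2; rc=1; }
  done
  return $rc
}

# Usage: ./mqssl.sh mqsc | ini | run [QUEUE]
case "${1:-}" in
  mqsc) qm_mqsc ;;
  ini)  client_ini ;;
  run)  client_env && check_client && amqsputc "${2:-TEST.INQUEUE1}" "$QM" ;;
esac
```

Run `mqsc` on the queue manager host and pipe the output into `runmqsc testQM1` (the CCDT the CLNTCONN lands in is then the AMQCLCHL.TAB under the queue manager's @ipcc directory, as in the thread), copy that file and the queue manager's CA certificate to the client, import the CA into clientkey.kdb, and then use either `ini` or `run` on the client. Using both mqclient.ini and the environment variables at once is harmless but confusing; pick one so the next AMQ9518 or 2058 has only one place to look.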