ramires
Posted: Sun Feb 22, 2015 3:27 pm Post subject: testing AMS / MCA Interception
Knight
Joined: 24 Jun 2001 Posts: 523 Location: Portugal - Lisboa
Hello all, I'm playing with AMS; the objective is to learn...
I've a v8.0.0.0 server running on Ubuntu (I know AMS is not supported there...) but it works for local queues; following the doc sample with "alice" and "bob" I had no problems. The problem is with a client connection.
When trying with a client from another box, a Windows box with v7.5, it is failing (I'm using MA01 to put messages):
Code:
F:\IBM\TXPACK\MA01>q -lmqic32 -ap -mQM21 -oQ1.AMS
MQSeries Q Program by Paul Clarke [ V4.5 Build:Sep 15 2006 ]
Connecting ...connected to 'QM21'.
MQOPEN on object 'Q1.AMS' returned 2035 Not authorized..
and the Windows AMQERR01.LOG shows (translated from Portuguese):
Code:
-------------------------------------------------------------------------------
22-02-2015 23:20:18 - Process(13084.1) User(Joao) Program(q.exe)
Host(PCSALA) Installation(Installation1)
VRMF(7.5.0.1)
AMQ9062: The WebSphere MQ security policy interceptor could not read the
keystore configuration file: C:\Users\Joao\.mqs\keystore.conf.
EXPLANATION:
The WebSphere MQ security policy interceptor could not read the keystore
configuration file: C:\Users\Joao\.mqs\keystore.conf.
translating: security policy interceptor could not read the keystore configuration file
It's my understanding that for this type of connection the client doesn't need a keystore.conf; am I correct? Or am I missing some configuration?
Thanks!

fjb_saper
Posted: Sun Feb 22, 2015 5:45 pm Post subject:
Grand High Poobah
Joined: 18 Nov 2003 Posts: 20756 Location: LI,NY
If you are planning on using the conf file for channel interception, did you create a conf file for the user being passed on the channel on the server? And put it in the expected location?
_________________
MQ & Broker admin

ramires
Posted: Sun Feb 22, 2015 5:58 pm Post subject:
Knight
Joined: 24 Jun 2001 Posts: 523 Location: Portugal - Lisboa
I've a conf file on the server side, under the home directory of the "mqm" user:
/var/mqm/.mqs/keystore.conf with
Code:
cms.keystore = /var/mqm/.mqs/mqmkey
cms.certificate = mqm_cert
cms.certificate.channel.MQM.SVRCONN.CHL1=mqm_cert

fjb_saper
Posted: Mon Feb 23, 2015 6:01 am Post subject:
Grand High Poobah
Joined: 18 Nov 2003 Posts: 20756 Location: LI,NY
Obviously from your post you are trying to access the qmgr with user Joao.
You must have missed the part for the MCA interception, as the system is looking for a store on the client: C:\Users\Joao\.mqs\keystore.conf.
If your access is through Java you should also configure a JKS keystore, not only the CMS keystore...

ramires
Posted: Mon Feb 23, 2015 6:17 am Post subject:
Knight
Joined: 24 Jun 2001 Posts: 523 Location: Portugal - Lisboa
Yes, you're right. I'm using "Joao" to run q.exe, and I missed the part about configuring a keystore.conf on the client side. I was not expecting to have to do some configuration on the client side; the Knowledge Center is not very explicit on this type of configuration.
I'm still doing some tests.
Thanks

fjb_saper
Posted: Mon Feb 23, 2015 6:29 am Post subject:
Grand High Poobah
Joined: 18 Nov 2003 Posts: 20756 Location: LI,NY
ramires wrote:
Yes, you're right. I'm using "Joao" to run q.exe, and I missed the part about configuring a keystore.conf on the client side. I was not expecting to have to do some configuration on the client side; the Knowledge Center is not very explicit on this type of configuration.
I'm still doing some tests.
Thanks

Well, if you did not define the MCA interception part in your keystore.conf file, the system would expect this to happen on the client...

ramires
Posted: Mon Feb 23, 2015 6:41 am Post subject:
Knight
Joined: 24 Jun 2001 Posts: 523 Location: Portugal - Lisboa
Quote:
Well, if you did not define the MCA interception part in your keystore.conf file, the system would expect this to happen on the client...

This is what confuses me. Do I need to define keystore.conf on the client? Is it the only option?
Meanwhile I'm testing with another client, a Fedora client, and I was able to put messages with the q program in a server queue protected by a policy. Not sure how it is working; the KC says I need a CHLAUTH rule for the channel being used, but I don't have one ...

fjb_saper
Posted: Mon Feb 23, 2015 7:22 am Post subject:
Grand High Poobah
Joined: 18 Nov 2003 Posts: 20756 Location: LI,NY
Did you set up on your Linux box the rules for MCA interception on the channel for the user id in the channel MCAUSER?

ramires
Posted: Mon Feb 23, 2015 8:33 am Post subject:
Knight
Joined: 24 Jun 2001 Posts: 523 Location: Portugal - Lisboa
Looks better now ... I had to set this on the client side; this way the client doesn't use keystore.conf:
Code:
AMQ_DISABLE_CLIENT_AMS=true
On the server side I'm using "bob"; the channel is "BOB.SVRCONN" with MCA='bob', and a keystore.conf under ~bob/.mqs with:
Code:
cms.keystore = /home/bob/.mqs/bobkey
cms.certificate = Bob_Cert
cms.certificate.channel.BOB.SVRCONN=BOB_CERT
The q program, on the client, is failing with 2063:
Code:
MQSeries Q Program by Paul Clarke [ V6.0.0 Build:May 1 2012 ]
Connecting ...connected to 'QM21'.
>1234
MQPUT on object 'Q1.AMS' returned 2063 Security error..
and an FDC is created on the server side...
Code:
| Date/Time :- Mon February 23 2015 16:18:43 WET |
| UTC Time :- 1424708323.411323 |
| UTC Time Offset :- 0 (WET) |
| Probe Id :- KN787001 |
| Component :- kpiCheckMsgProtection |
| Program Name :- amqzlaa0 |
| Process :- 2195 |
| Thread :- 17 SharedAgent |

ramires
Posted: Mon Feb 23, 2015 10:21 am Post subject:
Knight
Joined: 24 Jun 2001 Posts: 523 Location: Portugal - Lisboa
After applying 8.0.0.1 still no success; I have to try with a supported Linux version. The client receives a 2063:
Code:
[bob@fc14rami ~]$ /opt/mqm/samp/bin/amqsputc Q1.AMS QM21
Sample AMQSPUT0 start
target queue is Q1.AMS
message
MQPUT ended with reason code 2063
Sample AMQSPUT0 end
The server shows:
Code:
23-02-2015 18:04:40 - Process(27823.17) User(mqm) Program(amqzlaa0)
Host(Ubuntu-64) Installation(Installation1)
VRMF(8.0.0.1) QMgr(QM21)
AMQ9034: Message does not have a valid protection type.
EXPLANATION:
The WebSphere MQ security policy interceptor detected an invalid protection
type in a message header. This usually occurs because the WebSphere MQ message
header is not valid.
ACTION:
Retry the operation. If the problem persists, contact your IBM service
representative.

fjb_saper
Posted: Mon Feb 23, 2015 1:57 pm Post subject:
Grand High Poobah
Joined: 18 Nov 2003 Posts: 20756 Location: LI,NY
Looks to me like your keystore.conf is still missing some lines of configuration... Did you check out all the possible entries for keystore.conf?

ramires
Posted: Mon Feb 23, 2015 4:56 pm Post subject:
Knight
Joined: 24 Jun 2001 Posts: 523 Location: Portugal - Lisboa
It's working!
From the KC: "By default, the keystore configuration file for MCA interception is keystore.conf and is located in the .mqs directory in the HOME directory path of the user who started the queue manager or the listener." As the "mqm" user starts the qmgr (and the listener) I had to create
~mqm/.mqs/keystore.conf
with:
Code:
cms.keystore = /home/bob/.mqs/bobkey
cms.certificate.channel.BOB.SVRCONN=Bob_Cert
and give mqm read permission on bobkey.*
I was confused by alice, bob, mqm, .mqs, late hours and all.
Many thanks for your guidance and suggestions, fjb_saper!
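A quick sanity check for the server-side setup the thread converged on, as an added example that is not from the thread or from IBM: a POSIX shell script that reads a keystore.conf, confirms the cms.keystore key database files (the .kdb and the .sth stash that holds the key database password) exist and are readable by the user running the script, and confirms that a certificate label is configured, either as cms.certificate or per channel as cms.certificate.channel.<CHANNEL>, with no empty labels. Because MCA interception reads ~<user who started the qmgr>/.mqs/keystore.conf, run it as that user (e.g. via su - mqm); the paths in the usage comment are the thread's own. It touches only the file system and does not invoke any MQ or GSKit tool, so it cannot tell whether the label actually exists inside the key database.

```shell
#!/bin/sh
# Added example (not from the thread or from IBM): sanity-check an AMS keystore.conf
# used for MCA interception. It only inspects the file system; it does not call any
# MQ or GSKit tool. Run it as the user that starts the queue manager and listener.

# ams_conf_value FILE KEY
# Print the value of "KEY = value" (whitespace around '=' tolerated), first match only.
ams_conf_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" \
        | sed 's/[[:space:]]*$//' | head -n 1
}

# check_ams_keystore_conf FILE
# Prints OK:/NOTE:/PROBLEM: lines; returns 0 when no PROBLEM was found, 1 otherwise.
check_ams_keystore_conf() {
    conf=$1
    status=0
    me=$(id -un)

    if [ ! -r "$conf" ]; then
        echo "PROBLEM: $conf is missing or not readable by $me"
        return 1
    fi

    # MCA interception reads keystore.conf from the home of the user who started
    # the queue manager (the thread's fix: ~mqm/.mqs/keystore.conf), so say so when
    # the file under test lives somewhere else.
    if [ "$conf" != "$HOME/.mqs/keystore.conf" ]; then
        echo "NOTE: default MCA interception location for $me is $HOME/.mqs/keystore.conf"
    fi

    # cms.keystore is a stem: the key database is <stem>.kdb and the stash file
    # holding its password is <stem>.sth. Both must be readable by this user
    # (the thread's last fix was giving mqm read permission on bobkey.*).
    ks=$(ams_conf_value "$conf" cms.keystore)
    if [ -z "$ks" ]; then
        echo "PROBLEM: no cms.keystore line in $conf"
        status=1
    else
        for ext in kdb sth; do
            if [ -r "$ks.$ext" ]; then
                echo "OK: $ks.$ext is readable by $me"
            else
                echo "PROBLEM: $ks.$ext is missing or not readable by $me"
                status=1
            fi
        done
    fi

    # A certificate label must come from cms.certificate (the default) or from a
    # per-channel cms.certificate.channel.<CHANNEL> line; an empty label is an error.
    default_label=$(ams_conf_value "$conf" cms.certificate)
    n_channel=$(grep -c '^[[:space:]]*cms\.certificate\.channel\.' "$conf" || true)
    n_empty=$(grep '^[[:space:]]*cms\.certificate\.channel\.' "$conf" \
        | grep -c '=[[:space:]]*$' || true)
    if [ -z "$default_label" ] && [ "$n_channel" -eq 0 ]; then
        echo "PROBLEM: no cms.certificate or cms.certificate.channel.<CHANNEL> line"
        status=1
    fi
    if [ "$n_empty" -gt 0 ]; then
        echo "PROBLEM: $n_empty cms.certificate.channel line(s) with an empty label"
        status=1
    fi
    grep '^[[:space:]]*cms\.certificate\.channel\.' "$conf" | sed 's/^/OK: channel mapping: /'

    return $status
}

# Usage, as the queue manager's user:
#   su - mqm -c 'sh check_ams.sh /var/mqm/.mqs/keystore.conf'
if [ "$#" -ge 1 ]; then
    check_ams_keystore_conf "$1"
fi
```

Readability is tested with the identity of whoever runs the script, which is why it has to be run as the user that started the queue manager rather than as the channel's MCAUSER; in the thread that difference (mqm versus bob) was the whole problem.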

mvic
Posted: Mon Feb 23, 2015 5:21 pm Post subject:
Jedi
Joined: 09 Mar 2004 Posts: 2080

ramires
Posted: Mon Feb 23, 2015 5:31 pm Post subject:
Knight
Joined: 24 Jun 2001 Posts: 523 Location: Portugal - Lisboa
Thanks mvic, I did look at it, but I have a client on a box remote from the qmgr; the setup is a little bit different.
Looking at the example, I think it needs to be amended. They create a key database in:
"KEYSTORELOC=/home/testusr/ssl/ams1/alicekey"
and afterwards cms.keystore points to another path:
"cms.keystore = /home/userID/ssl/ams1/alicekey"
Regards