dextermbmq (Voyager; joined 26 Jul 2014; 77 posts)
Posted: Tue Feb 23, 2016 4:53 am  Post subject: SSL through MQ Explorer
Hello Guys,
I am using the MQ Explorer to connect to a Queue Manager using SSL. I have created a CMS type key repository at QMGR level and a JKS type of TRUSTSTORE at the client machine. I am using an AMQCLCHL.TAB file to connect. The problem is:
I am able to connect to the Queue Manager even if I am just configuring the TAB file location in the MQ Explorer and not configuring the Truststore (.jks) file path.
I have used the SSLCIPH attribute and populated it with DES_SHA_EXPORT. Also, since I just want to use ONE WAY AUTHENTICATION, I am using SSLCAUTH(OPTIONAL) [Client will authenticate the server only and QM Server won't authenticate client]. Since the SSLCIPH attribute is carrying a valid value, should not the connection fail? I am not able to troubleshoot what's going wrong.
CHANNEL DEFS
---------------------
define channel() chltype(SVRCONN) TRPTYPE(TCP) MCAUSER('mqm/service id') SSLCAUTH(OPTIONAL) SSLCIPH(DES_SHA_EXPORT)
define channel() chltype(CLNTCONN) TRPTYPE(TCP) QMNAME() CONNAME() SSLCIPH(DES_SHA_EXPORT)

bruce2359 (Poobah; joined 05 Jan 2008; 9469 posts; location: US: west coast, almost. Otherwise, enroute.)
Posted: Tue Feb 23, 2016 5:35 am  Post subject: Re: SSL through MQ Explorer
dextermbmq wrote:
    I am using an AMQCLCHL.TAB file to connect.
How are you using the AMQCLCHL.TAB file to connect?
What errors are in the errors directory/folder for this qmgr? In the errors directory/folder on the client?
Did you do a REFRESH SECURITY TYPE(SSL)?
What version of MQ?
_________________
I like deadlines. I like to wave as they pass by.
ב''ה
Lex Orandi, Lex Credendi, Lex Vivendi. As we Worship, So we Believe, So we Live.

dextermbmq (Voyager; joined 26 Jul 2014; 77 posts)
Posted: Tue Feb 23, 2016 5:48 am
I have created the channel definitions on my UNIX box and copied the AMQCLCHL.TAB file onto a Windows machine where WMQ Explorer is installed.
In MQ Explorer I am adding a REMOTE QUEUE MANAGER. It asks whether we want to connect by a CHLTAB. There I am providing the AMQCLCHL.TAB path.
Since my problem is WHY AM I ABLE TO CONNECT WITHOUT GIVING THE MQ EXPLORER TRUSTSTORE PATH, clearly there would not be any errors in the /var/mqm/qmgrs/<QMNAME>/errors path (as it's getting connected).
Yes, I refreshed the security.
Now I am assuming the connection made when the TRUSTSTORE is given along with the TAB file is also SSL disabled. I think in case of SSL enabled connections I should see the SSLPEER value getting populated automatically if SSL communication establishes.

bruce2359 (Poobah; joined 05 Jan 2008; 9469 posts; location: US: west coast, almost. Otherwise, enroute.)
Posted: Tue Feb 23, 2016 6:24 am
Did you export/import certs on both ends?
When you display channel and channel-status, do you see SSL parameters with values?

dextermbmq (Voyager; joined 26 Jul 2014; 77 posts)
Posted: Tue Feb 23, 2016 7:51 am
Hello Bruce,
Yes, I have configured the certs.
AT SERVER (MQ QUEUE MANAGER SERVER)
-------------------------------------------------------
I have configured the MQ SSLKEYR attribute as below
/mqha/WMQ/<QMGR>/data/<QMGR>/ssl/key
where key.kdb is the Keystore file
LABEL IS: ibmwebspheremq<QMGR in lower case>
AT CLIENT / SERVER WITH MQ EXPLORER
----------------------------------------------------
There is one jks file.
LABEL: ibmwebspheremq<USERID of windows machine>
Just one update:
I had a jks file for my environment having the certificate. For the KDB file, I just saved it in KDB format through iKeyMan. Also, I listed the certs
using runmqckm in case of KDB
using keytool in case of JKS; all seemed good.
Also, if there had been some error in the certificate configuration, MQ would have thrown some error in the QMGR error logs.
AS PER CHANNEL STATUS
--------------------------------
When the connection is successful through the MQ Explorer (again, without uploading the truststore) I can see the SVRCONN as running with a blank SSLPEER. NO CLNTCONN comes into running state.

bruce2359 (Poobah; joined 05 Jan 2008; 9469 posts; location: US: west coast, almost. Otherwise, enroute.)
Posted: Tue Feb 23, 2016 8:16 am
dextermbmq wrote:
    AS PER CHANNEL STATUS
    --------------------------------
    When the connection is successful through the MQ Explorer (again, without uploading the truststore) I can see the SVRCONN as running with a blank SSLPEER. NO CLNTCONN comes into running state.
On the SVRCONN at the qmgr, what other SSL attributes are there? Post all of them, and their values, here.
Also, display the QMGR object. Post SSL attributes and values here.

dextermbmq (Voyager; joined 26 Jul 2014; 77 posts)
Posted: Tue Feb 23, 2016 8:24 am
dis qmgr output
-----------------------
SCHINIT(QMGR) SCMDSERV(QMGR)
SPLCAP(DISABLED) SSLCRLNL( )
SSLCRYP( ) SSLEV(DISABLED)
SSLFIPS(NO)
SSLKEYR(/mqha/WMQ/xxxxxxx/data/xxxxxx/ssl/key)
SSLRKEYC(0) STATACLS(QMGR)
STATCHL(OFF) STATINT(1800)
STATMQI(OFF) STATQ(OFF)
STRSTPEV(ENABLED) SUITEB(NONE)
SYNCPT TREELIFE(1800)
TRIGINT(999999999) VERSION(07050004)
XRCAP(NO)
I connected the WMQ Explorer and below is the channel status:
dis chs(C*) all
1 : dis chs(C*) all
AMQ8417: Display Channel Status details.
CHANNEL(XXXXXXXXXXXXXXXXXX) CHLTYPE(SVRCONN)
BUFSRCVD(63) BUFSSENT(64)
BYTSRCVD(16856) BYTSSENT(41596)
CHSTADA(2016-02-23) CHSTATI(10.22.47)
COMPHDR(NONE,NONE) COMPMSG(NONE,NONE)
COMPRATE(0,0) COMPTIME(0,0)
CONNAME(10.25.226.180) CURRENT
EXITTIME(0,0) HBINT(300)
JOBNAME(00000F5400058FED) LOCLADDR( )
LSTMSGDA(2016-02-23) LSTMSGTI(10.23.05)
MCASTAT(RUNNING) MCAUSER(mqm)
MONCHL(OFF) MSGS(63)
RAPPLTAG(WebSphere MQ Client for Java)
SSLCERTI( ) SSLKEYDA( )
SSLKEYTI( ) SSLPEER( )
SSLRKEYS(0) STATUS(RUNNING)
STOPREQ(NO) SUBSTATE(RECEIVE)
CURSHCNV(1) MAXSHCNV(10)
RVERSION(00000000) RPRODUCT(MQJB)

fjb_saper (Grand High Poobah; joined 18 Nov 2003; 20756 posts; location: LI,NY)
Posted: Tue Feb 23, 2016 9:27 am
dextermbmq wrote:
    AS PER CHANNEL STATUS
    --------------------------------
    When the connection is successful through the MQ Explorer (again, without uploading the truststore) I can see the SVRCONN as running with a blank SSLPEER. NO CLNTCONN comes into running state.
Would not expect to see a CLNTCONN displayed on the server.
Would not expect to see any information in the SSLPEER or other SSL fields in the channel status, as these display the SSL information of the connecting party. As per definition, the client is not required to flow a cert, and with one way SSL I'd expect the fields to be blank.
_________________
MQ & Broker admin

bruce2359 (Poobah; joined 05 Jan 2008; 9469 posts; location: US: west coast, almost. Otherwise, enroute.)
Posted: Tue Feb 23, 2016 10:11 am
Use MQSC to display your SVRCONN channel definition (not chstatus).
Use MQSC to display your CLNTCONN channel definition (not chstatus).

dextermbmq (Voyager; joined 26 Jul 2014; 77 posts)
Posted: Tue Feb 23, 2016 7:29 pm

Hello, please have a look at my channel defs:
dis chl(CONTENT.SIET.SVRCONN)
2 : dis chl(CONTENT.SIET.SVRCONN)
AMQ8414: Display Channel details.
CHANNEL(CONTENT.SIET.SVRCONN) CHLTYPE(SVRCONN)
ALTDATE(2016-02-23) ALTTIME(07.16.33)
COMPHDR(NONE) COMPMSG(NONE)
DESCR( ) DISCINT(0)
HBINT(300) KAINT(AUTO)
MAXINST(999999999) MAXINSTC(999999999)
MAXMSGL(4194304) MCAUSER(mqm)
MONCHL(QMGR) RCVDATA( )
RCVEXIT( ) SCYDATA( )
SCYEXIT( ) SENDDATA( )
SENDEXIT( ) SHARECNV(10)
SSLCAUTH(OPTIONAL) SSLCIPH(DES_SHA_EXPORT)
SSLPEER( ) TRPTYPE(TCP)
AMQ8414: Display Channel details.
CHANNEL(CONTENT.SIET.SVRCONN) CHLTYPE(CLNTCONN)
AFFINITY(PREFERRED) ALTDATE(2016-02-23)
ALTTIME(07.16.41) CLNTWGHT(0)
COMPHDR(NONE) COMPMSG(NONE)
CONNAME(XXXXXXXXXXXXXXXXXXXX)
DEFRECON(NO) DESCR( )
HBINT(300) KAINT(AUTO)
LOCLADDR( ) MAXMSGL(4194304)
MODENAME( ) PASSWORD( )
QMNAME(XXXXXXXX) RCVDATA( )
RCVEXIT( ) SCYDATA( )
SCYEXIT( ) SENDDATA( )
SENDEXIT( ) SHARECNV(10)
SSLCIPH(DES_SHA_EXPORT) SSLPEER( )
TPNAME( ) TRPTYPE(TCP)
USERID( )

bruce2359 (Poobah; joined 05 Jan 2008; 9469 posts; location: US: west coast, almost. Otherwise, enroute.)
Posted: Tue Feb 23, 2016 7:38 pm
The MQ Explorer usually connects to the SYSTEM.ADMIN.SVRCONN channel. Do you have one of those?

dextermbmq (Voyager; joined 26 Jul 2014; 77 posts)
Posted: Tue Feb 23, 2016 7:51 pm
I have that channel, but MQ Explorer would not connect with SYSTEM.ADMIN.SVRCONN when we are specifying the TAB file.
Here we are connecting through the channel TAB file, so it would look for definitions in the TAB file (not to forget that the connection is successful here).
Is there a way to verify whether the connections getting established when I am using both of the following are actually SSL enabled connections?
1) TAB FILE
2) Also providing the JKS file path

dextermbmq (Voyager; joined 26 Jul 2014; 77 posts)
Posted: Tue Feb 23, 2016 8:29 pm
A small update:
I had not used my CHLTAB this time and rather used the CONNECT DIRECTLY option. Thereafter I had provided the:
CHANNEL NAME (which I had created, and not the SYSTEM defined one)
Connection name and port
QM name
Guess what:
1) When I do not use KEY REPOS ---> gave error:
AMQ9639: Remote channel 'XXXXXXXXXXX' did not specify a CipherSpec.
EXPLANATION:
Remote channel 'XXXXXXXXXXXXXX' did not specify a CipherSpec when the
local channel expected one to be specified.
2) WHEN I USED KEY REPOS:
CONNECTION SUCCESSFUL
NOW:
How can I verify that the connection getting established is SSL enabled?
Does it mean the error lies in my CHLTAB file?
FYI the channel status shows WMQ Explorer as the client app:
dis chs(C*) all
2 : dis chs(C*) all
AMQ8417: Display Channel Status details.
CHANNEL(xxxxxxxxxxxxx) CHLTYPE(SVRCONN)
BUFSRCVD(95) BUFSSENT(99)
BYTSRCVD(25124) BYTSSENT(63488)
CHSTADA(2016-02-23) CHSTATI(22.31.10)
COMPHDR(NONE,NONE) COMPMSG(NONE,NONE)
COMPRATE(0,0) COMPTIME(0,0)
CONNAME(10.25.172.127) CURRENT
EXITTIME(0,0) HBINT(300)
JOBNAME(00000F54000618AF) LOCLADDR( )
LSTMSGDA(2016-02-23) LSTMSGTI(22.34.25)
MCASTAT(RUNNING) MCAUSER(mqm)
MONCHL(OFF) MSGS(97)
RAPPLTAG(MQ Explorer 7.5.0) SSLCERTI( )
SSLKEYDA( ) SSLKEYTI( )
SSLPEER( ) SSLRKEYS(0)
STATUS(RUNNING) STOPREQ(NO)
SUBSTATE(RECEIVE) CURSHCNV(1)
MAXSHCNV(10) RVERSION(00000000)
RPRODUCT(MQJB)
Thanks
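The question the thread keeps returning to is how to tell, from the queue manager side, whether a running SVRCONN conversation actually negotiated TLS when SSLPEER is blank. The following Python script is an added example for this thread, not code from the posters or from IBM. It parses DISPLAY CHANNEL and DISPLAY CHSTATUS output in the NAME(value) layout posted above and applies the reasoning in fjb_saper's reply: a RUNNING instance of a SVRCONN that defines SSLCIPH cannot be plaintext, because the queue manager refuses a client that flows no CipherSpec (the AMQ9639 error shown above); a blank SSLPEER under SSLCAUTH(OPTIONAL) is expected when the client presented no certificate; and a CLNTCONN whose SSLCIPH differs from the SVRCONN will not start. The sample text is constructed from the displays in the thread (channel name, 10.25.172.127 and the placeholder X values are taken from the posts or invented), and the weak-CipherSpec check is a heuristic of this example, flagging export-grade, NULL, RC2/RC4 and single-DES names.

```python
import re

# Constructed sample input, modelled on the DISPLAY CHANNEL and DISPLAY
# CHSTATUS output posted in this thread (values shortened, placeholders kept).
SAMPLE_CHL = """\
     2 : dis chl(CONTENT.SIET.SVRCONN)
AMQ8414: Display Channel details.
   CHANNEL(CONTENT.SIET.SVRCONN)           CHLTYPE(SVRCONN)
   MAXMSGL(4194304)                        MCAUSER(mqm)
   SSLCAUTH(OPTIONAL)                      SSLCIPH(DES_SHA_EXPORT)
   SSLPEER( )                              TRPTYPE(TCP)
AMQ8414: Display Channel details.
   CHANNEL(CONTENT.SIET.SVRCONN)           CHLTYPE(CLNTCONN)
   CONNAME(XXXXXXXXXXXXXXXXXXXX)           QMNAME(XXXXXXXX)
   SSLCIPH(DES_SHA_EXPORT)                 SSLPEER( )
"""

SAMPLE_CHS = """\
     2 : dis chs(C*) all
AMQ8417: Display Channel Status details.
   CHANNEL(CONTENT.SIET.SVRCONN)           CHLTYPE(SVRCONN)
   CONNAME(10.25.172.127)                  CURRENT
   RAPPLTAG(MQ Explorer 7.5.0)             SSLCERTI( )
   SSLKEYDA( )                             SSLKEYTI( )
   SSLPEER( )                              SSLRKEYS(0)
   STATUS(RUNNING)                         STOPREQ(NO)
"""

RECORD_START = re.compile(r"^AMQ\d{4}:")  # one AMQ84nn header per displayed object
ECHO_LINE = re.compile(r"^\s*\d+\s*:")    # runmqsc echo of the typed command
ATTR = re.compile(r"([A-Z][A-Z0-9]*)(?:\(([^)]*)\))?")  # NAME(value) or bare NAME


def parse_mqsc(text):
    """Return one dict per displayed object; bare keywords (CURRENT) map to True."""
    records, current = [], None
    for line in text.splitlines():
        if ECHO_LINE.match(line):
            continue
        if RECORD_START.match(line):
            current = {}
            records.append(current)
            continue
        if current is None:
            continue
        for m in ATTR.finditer(line):
            name, value = m.group(1), m.group(2)
            current[name] = True if value is None else value.strip()
    return records


def by_key(records):
    """Index parsed records by (channel name, channel type)."""
    return {(r["CHANNEL"], r["CHLTYPE"]): r
            for r in records if "CHANNEL" in r and "CHLTYPE" in r}


def cipherspec_is_weak(ciph):
    """Heuristic of this example: export-grade, NULL, RC2/RC4 and single-DES names."""
    return ciph.startswith("DES_") or any(h in ciph for h in ("NULL", "EXPORT", "RC4", "RC2"))


def assess(svrconn_def, svrconn_status):
    """Explain what a SVRCONN definition plus its status says about TLS."""
    ciph = svrconn_def.get("SSLCIPH", "")
    auth = svrconn_def.get("SSLCAUTH", "")
    running = svrconn_status.get("STATUS") == "RUNNING"
    peer = svrconn_status.get("SSLPEER", "")
    findings = []
    if not ciph:
        findings.append("no SSLCIPH on the SVRCONN: every conversation on it is plaintext")
        return {"tls": "no", "cipherspec": "", "findings": findings}
    if running:
        # The MCA refuses a client that flows no CipherSpec (AMQ9639), so a RUNNING
        # instance on a channel with SSLCIPH completed a handshake with that CipherSpec.
        findings.append(f"RUNNING with SSLCIPH({ciph}): handshake completed with this CipherSpec")
    if auth == "OPTIONAL" and not peer:
        findings.append("blank SSLPEER is expected: one-way TLS, client sent no certificate")
    elif auth == "REQUIRED" and not peer and running:
        findings.append("SSLCAUTH(REQUIRED) but blank SSLPEER: client certificate missing, investigate")
    if cipherspec_is_weak(ciph):
        findings.append(f"{ciph} is an export-grade or otherwise weak CipherSpec; move to a TLS 1.2 AES-GCM CipherSpec")
    return {"tls": "yes" if running else "not running", "cipherspec": ciph, "findings": findings}


def report(chl_text, chs_text):
    """Cross-reference every SVRCONN definition with its status and its CLNTCONN twin."""
    defs, stats, results = by_key(parse_mqsc(chl_text)), by_key(parse_mqsc(chs_text)), {}
    for (name, ctype), d in defs.items():
        if ctype != "SVRCONN":
            continue
        r = assess(d, stats.get((name, "SVRCONN"), {}))
        clnt = defs.get((name, "CLNTCONN"))
        if clnt is not None and clnt.get("SSLCIPH", "") != d.get("SSLCIPH", ""):
            r["findings"].append("CLNTCONN SSLCIPH differs from SVRCONN: the channel will not start")
        results[name] = r
    return results


if __name__ == "__main__":
    for name, r in report(SAMPLE_CHL, SAMPLE_CHS).items():
        print(f"{name}: tls={r['tls']} cipherspec={r['cipherspec']}")
        for f in r["findings"]:
            print("  -", f)
```

Run it against real output by piping `echo "dis chl(*)" | runmqsc QMGR` and `echo "dis chs(*) all" | runmqsc QMGR` into the two parse calls. The script only reads the displays; it cannot see what the client negotiated, so a conversation that reaches RUNNING on a channel with SSLCIPH is its evidence of TLS, and a blank SSLPEER alone is not evidence of the opposite.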