password stash file
ammx
Posted: Thu Aug 02, 2018 5:55 am    Post subject: password stash file

Acolyte

Joined: 08 Sep 2017
Posts: 50

Hi

I am getting the following error message:

AMQ9660: SSL key repository: password stash file absent or unusable.

EXPLANATION:
The SSL key repository cannot be used because MQ cannot obtain a password to
access it. Reasons giving rise to this error include:
(a) the key database file and password stash file are not present in the
location configured for the key repository,
(b) the key database file exists in the correct place but that no password
stash file has been created for it,
(c) the files are present in the correct place but the userid under which MQ is
running does not have permission to read them,
(d) one or both of the files are corrupt.

The channel is 'MQA_TO_MQB'; in some cases its name cannot be determined
and so is shown as '????'. The channel did not start.

I already checked that the keydb is present and in the correct path, the mqm user has all the permissions to the files, the key.sth file is there too, but when I try to unstash it with a script it shows me the following:

[/var/mqm/qmgrs/MQA/ssl]./unstash.pl key2.sth
�յYYYSP�Y(���X4��>ls1�E+K�E"᝿n=���L�)��

This script should show me the keystore password unencrypted. Does this mean that the .sth file is corrupt?

Thanks in advance
exerk
Posted: Thu Aug 02, 2018 6:12 am    Post subject: Re: password stash file

Jedi Council

Joined: 02 Nov 2006
Posts: 6339

ammx wrote:
...this script should show me the keystore password unencrypted, does this mean that the file .sth is corrupt?

Thanks in advance

Not necessarily. Which version of MQ and GSKit are you using? THIS ARTICLE may help you understand what you're seeing.

Also, check that the queue manager's SSLKEYR attribute setting does resolve to the location of the files, that it is in stem format (that is, without the file extension), the file is 'kdb' format, and that if you did change the above attribute, you refreshed SSL security afterwards.
_________________
It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys.
ammx
Posted: Thu Aug 02, 2018 6:24 am

Acolyte

Joined: 08 Sep 2017
Posts: 50

The MQ version is 8.0.0.8, I am not sure how to check the GSKit version. And I checked in the qmgr and the SSLKEYR is set to

SSLKEYR(/var/mqm/qmgrs/MQA/ssl/key)

the path where the keystore and stash file are located is:

/var/mqm/qmgrs/MQA/ssl and the keydb name is key2.kdb, so I think maybe I should try to set the SSLKEYR to ..../ssl/key2 instead of just key. I don't know if that may be the cause.
exerk
Posted: Thu Aug 02, 2018 6:30 am

Jedi Council

Joined: 02 Nov 2006
Posts: 6339

key and key2 are completely different, so yes, that's likely to be your issue - MQ is good but it can't read minds and distinguish what you meant from what you told it.

My personal view is that key store file names should not be left in the 'vanilla' name - after all, if you have a number of key stores of the same name, how are you going to identify them other than by interrogating them? Better to name the key store files with a positive identifier for the queue manager.
_________________
It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys.
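
An added example, not part of any post in this thread: a shell check for causes (a) to (c) of AMQ9660, given the value of the queue manager's SSLKEYR attribute. The function name `check_sslkeyr` and its return codes are made up for this example, and the demo files are constructed empty stand-ins.

```shell
#!/bin/sh
# check_sslkeyr STEM
# STEM is the queue manager's SSLKEYR value, e.g. /var/mqm/qmgrs/MQA/ssl/key
# Return codes (chosen for this example):
#   0 = STEM.kdb and STEM.sth both exist and are readable by the current user
#   1 = value carries a file extension (not stem format)
#   2 = STEM.kdb missing      3 = STEM.sth missing
#   4 = a file exists but the current user cannot read it
check_sslkeyr() {
    stem=$1
    case "$stem" in
        *.kdb|*.sth)
            echo "SSLKEYR must be a stem, without extension: $stem"
            return 1 ;;
    esac
    if [ ! -f "$stem.kdb" ]; then
        echo "missing key database: $stem.kdb"
        # List the stems that do exist in that directory, which exposes
        # a key/key2 style mismatch at a glance.
        dir=$(dirname "$stem")
        for f in "$dir"/*.kdb; do
            [ -f "$f" ] && echo "  found instead: ${f%.kdb}"
        done
        return 2
    fi
    if [ ! -f "$stem.sth" ]; then
        echo "missing stash file: $stem.sth"
        return 3
    fi
    for f in "$stem.kdb" "$stem.sth"; do
        if [ ! -r "$f" ]; then
            echo "not readable by $(id -un): $f"
            return 4
        fi
    done
    echo "ok: $stem.kdb and $stem.sth present and readable"
    return 0
}

# Constructed demo: empty files standing in for key2.kdb / key2.sth.
demo=$(mktemp -d)
: > "$demo/key2.kdb"
: > "$demo/key2.sth"
check_sslkeyr "$demo/key" || echo "(rc=$?)"
check_sslkeyr "$demo/key2"
rm -rf "$demo"
```

Run it as the user the queue manager runs under (mqm in this thread), since the readability test applies to whoever executes it.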
JosephGramig
Posted: Thu Aug 16, 2018 9:50 am

Grand Master

Joined: 09 Feb 2006
Posts: 1230
Location: Gold Coast of Florida, USA

Also, you don't need the password to interrogate the keydb. Just use the -stashed option and list it then get the details. If you need export it and put it in a key store you do know the password because you created it.

This is why you must secure this directory and never copy or pass key store files around (if you want it to be secure).
ankurlodhi
Posted: Wed Aug 29, 2018 5:17 am

Master

Joined: 19 Oct 2010
Posts: 266

He is probably trying to set up SSL for the first time and when he tried to start the channel he got this issue. I got the same issue when I was setting it up the first time but I recognized the issue quickly.

That is why they say STFW first.
JosephGramig
Posted: Wed Aug 29, 2018 5:27 am

Grand Master

Joined: 09 Feb 2006
Posts: 1230
Location: Gold Coast of Florida, USA

He never came back, so I assume he figured it out.
Always use the runmqckm (GSKit) command to create/alter key stores. Even if they are not for MQ. If you use something else, you're likely to inject evil spirits.

Fine to use OpenSSL to view objects. There is some Windows command that does the same (Google it).
crashdog
Posted: Wed Sep 12, 2018 3:22 am

Voyager

Joined: 02 Apr 2017
Posts: 77

So, to ask the obvious... there's no unstash.pl version 2 on the horizon?

Gerhard
_________________
You win again gravity !
exerk
Posted: Wed Sep 12, 2018 3:24 am

Jedi Council

Joined: 02 Nov 2006
Posts: 6339

crashdog wrote:
So, to ask the obvious... there's no unstash.pl version 2 on the horizon?

Gerhard

If you think long and hard about it, there should really not have been a version 1...
_________________
It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys.
crashdog
Posted: Wed Sep 12, 2018 6:01 am

Voyager

Joined: 02 Apr 2017
Posts: 77

Agree. But I think there's still an issue with JKS. Or is there a stash for Java applications as well?
_________________
You win again gravity !
exerk
Posted: Wed Sep 12, 2018 6:02 am

Jedi Council

Joined: 02 Nov 2006
Posts: 6339

crashdog wrote:
Agree. But I think there's still an issue with JKS. Or is there a stash for Java applications as well?

Not that I'm aware of...
_________________
It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys.
JosephGramig
Posted: Wed Sep 12, 2018 7:26 am

Grand Master

Joined: 09 Feb 2006
Posts: 1230
Location: Gold Coast of Florida, USA

crashdog wrote:
Agree. But I think there's still an issue with JKS. Or is there a stash for Java applications as well?


Create it with a CMS key store. Then you can use it with any form of a key store (that uses the same password). I do it all the time but my MQ is up to date. Note, I only use runmqckm.