zpat (Jedi Council, Joined: 19 May 2001, Posts: 5866, Location: UK)
Posted: Mon Jun 27, 2022 1:09 am    Post subject: MQ AMS on z/OS - admin?

Anyone using AMS with z/OS QMs?
We have MQExplorer 9.2 and z/OS MQ 9.2 with AMS enabled.
Anyway, my question is how you perform admin of policies.
It seems that MQ Explorer does not support AMS policy admin on z/OS QMs - is this true, or have I done something wrong?
And also, where do you see the reasons for AMS decisions to allow or prevent access to messages (e.g. using an MQ client to attempt access)?
_________________
Well, I don't think there is any question about it. It can only be attributable to human error. This sort of thing has cropped up before, and it has always been due to human error.

fjb_saper (Grand High Poobah, Joined: 18 Nov 2003, Posts: 20756, Location: LI,NY)
Posted: Mon Jun 27, 2022 11:44 am

What's the problem you're seeing? Do any of your AMS certs have an email in them?
_________________
MQ & Broker admin

zpat (Jedi Council)
Posted: Mon Jun 27, 2022 12:52 pm

It's more that I expected to administer AMS policies etc. on MQ with a GUI.
Seems that MQ on z/OS is stuck in the past in several ways - the latest of which is lack of support for AMS admin via PCF messages (i.e. MQ Explorer or MO71).
I can't believe AMS users on z/OS MQ put up with this - are there any users out there?
No - our certs don't have email addresses that I know of.

fjb_saper (Grand High Poobah)
Posted: Tue Jun 28, 2022 4:39 am

zpat wrote:
  It's more that I expected to administer AMS policies etc. on MQ with a GUI.
  Seems that MQ on z/OS is stuck in the past in several ways - the latest of which is lack of support for AMS admin via PCF messages (i.e. MQ Explorer or MO71).
  I can't believe AMS users on z/OS MQ put up with this - are there any users out there?
  No - our certs don't have email addresses that I know of.

AMS on multi-platform has been known to not work right with certs that had an email in the DN.

zpat (Jedi Council)
Posted: Tue Jun 28, 2022 11:26 am

Most of our apps are MQ client attached to z/OS QMs.
So the AMS interceptors have to run on the client platform.
I am testing on Windoze with a CMS keystore with a personal CA-signed cert, and the CA signers.
AMS is not able to find the public certificate. So it can put a message with an integrity policy but can't get it or browse it.
I am using the C client (rfhutilc and MO71) to test with.

hughson (Padawan, Joined: 09 May 2013, Posts: 1959, Location: Bay of Plenty, New Zealand)
Posted: Tue Jun 28, 2022 9:00 pm

zpat wrote:
  AMS is not able to find the public certificate. So it can put a message with an integrity policy but can't get it or browse it.

So you have an integrity policy, something like this?

Code:
    setmqspl -m MQG1 -p INTG.Q -s SHA256 -a "CN=Sender App,O=MQGem"

That is, you have an authorised signer (or maybe not even - maybe everyone can sign to this queue?) and a signing algorithm, and no encryption algorithm and no recipients listed.
And then when you try to get it with the same/another app (??), that app is unable to verify the original signer's digital signature?
What does the getting app have in its KDB?
Cheers,
Morag
_________________
Morag Hughson @MoragHughson
IBM MQ Technical Education Specialist
Get your IBM MQ training here!
MQGem Software

zpat (Jedi Council)
Posted: Wed Jun 29, 2022 6:30 am

Putter and getter are the same app and use the same KDB.
This contains my personal cert and the CA signers we use.
My cert is CA-issued, not self-signed.

hughson (Padawan)
Posted: Sat Jul 02, 2022 2:37 am

zpat wrote:
  AMS is not able to find the public certificate. So it can put a message with an integrity policy but can't get it or browse it.

OK, so what error do you get? Both the return code on the MQGET, and the errors in the client error log.

zpat (Jedi Council)
Posted: Mon Jul 04, 2022 12:08 am

MQRC 2063
Message signer is not in the list of authorised signers.
(I would copy/paste full details, but I cannot access this site from our corporate network.)

hughson (Padawan)
Posted: Mon Jul 04, 2022 2:19 am

So you have:
- A client putting application and a client getting application, both using the SAME CMS KDB and the same keystore.conf.
- The queue being used is a QLOCAL on your z/OS queue manager, and both putter and getter address the QLOCAL directly and not via a QALIAS.
- The setmqspl policy for said local queue has a single DN listed on the -a parameter (for the authorised signer). That DN is the certificate which you have named (the label of) in the keystore.conf being used by both the putter and the getter application.

Is all of the above true?

zpat (Jedi Council)
Posted: Mon Jul 04, 2022 5:18 am

Yes, that's correct.

hughson (Padawan)
Posted: Tue Jul 05, 2022 1:59 am

I wonder if it is because the certificate in question is not in the KDB as a signer but instead as a personal cert. Perhaps when looking for a signer, it only looks in the signer section of the KDB and ignores those certificates that are personal certs?
I haven't tried this out, so just an off-the-wall guess at this point.
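Added example, written for this page and not code from IBM or from anyone in the thread: a small Python model of the check that Morag's setmqspl example sets up and that the MQRC 2063 above fails. The putter signs with the personal certificate named by cms.certificate in its keystore.conf, and the getter accepts the message only when the signer's DN appears in the policy's -a list. The queue manager, queue, algorithm and DN are taken from the setmqspl command quoted in the thread; the KDB contents, the certificate labels, the keystore.conf text and the exact-string DN comparison are assumptions made for the simulation, so the "order or spacing" hint it reports is a troubleshooting pointer for reviewing your own -a values, not a statement of how the real product compares DNs.

```python
"""Offline model of an AMS integrity-policy check (added example, not IBM code).

Assumptions: the KDB is a dict of label -> {kind, dn} instead of a CMS file,
and a signer is authorised only if its DN string equals a -a DN exactly.
"""
import shlex
from dataclasses import dataclass, field

MQRC_SECURITY_ERROR = 2063  # reason code reported in the thread
SIGNER_NOT_AUTHORISED = "Message signer is not in the list of authorised signers"


@dataclass
class Policy:
    qmgr: str
    queue: str
    sign_alg: str = "NONE"
    enc_alg: str = "NONE"
    signers: list = field(default_factory=list)     # -a DNs
    recipients: list = field(default_factory=list)  # -r DNs


def parse_setmqspl(cmd: str) -> Policy:
    """Parse a setmqspl command line (the flags used in the thread) into a Policy."""
    argv = shlex.split(cmd)
    if not argv or argv[0] != "setmqspl":
        raise ValueError("not a setmqspl command")
    single = {"-m": None, "-p": None, "-s": "NONE", "-e": "NONE"}
    multi = {"-a": [], "-r": []}
    i = 1
    while i < len(argv):
        flag, i = argv[i], i + 1
        if i >= len(argv):
            raise ValueError(f"missing value for {flag}")
        if flag in single:
            single[flag] = argv[i]
        elif flag in multi:
            multi[flag].append(argv[i])
        else:
            raise ValueError(f"unsupported flag {flag}")
        i += 1
    if not (single["-m"] and single["-p"]):
        raise ValueError("-m and -p are required")
    return Policy(single["-m"], single["-p"], single["-s"], single["-e"],
                  multi["-a"], multi["-r"])


def parse_keystore_conf(text: str) -> dict:
    """Read the key = value lines of a keystore.conf; '#' lines are comments."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            conf[key.strip()] = value.strip()
    return conf


def canonical_dn(dn: str) -> str:
    """Order- and whitespace-insensitive form, used only to produce a hint."""
    return ",".join(sorted(p.strip() for p in dn.split(",")))


def sign_message(conf: dict, kdb: dict, payload: bytes) -> dict:
    """Putter side: sign with the personal cert whose label keystore.conf names."""
    label = conf.get("cms.certificate")
    entry = kdb.get(label)
    if entry is None or entry["kind"] != "personal":
        raise LookupError(f"no personal certificate with label {label!r} in KDB")
    return {"payload": payload, "signer_dn": entry["dn"], "signed": True}


def check_get(policy: Policy, message: dict) -> tuple:
    """Getter side: (reason code, explanation) of the authorised-signer check."""
    if policy.sign_alg == "NONE":
        return 0, "no integrity policy on queue"
    if not message.get("signed"):
        return MQRC_SECURITY_ERROR, "message is not signed"
    if not policy.signers:
        return 0, "any signer accepted"
    signer = message["signer_dn"]
    if signer in policy.signers:
        return 0, "signer authorised"
    hint = ""
    if any(canonical_dn(signer) == canonical_dn(a) for a in policy.signers):
        hint = " (same attributes as an authorised DN; differs only in order or spacing)"
    return MQRC_SECURITY_ERROR, SIGNER_NOT_AUTHORISED + hint


# Constructed sample data: the policy quoted in the thread, one keystore.conf
# (path and label are made up), and a toy KDB with two personal certs and a CA.
POLICY = parse_setmqspl('setmqspl -m MQG1 -p INTG.Q -s SHA256 -a "CN=Sender App,O=MQGem"')
KEYSTORE_CONF = "# constructed sample\ncms.keystore = C:/ams/keys/mqams\ncms.certificate = senderapp\n"
KDB = {
    "senderapp": {"kind": "personal", "dn": "CN=Sender App,O=MQGem"},
    "reordered": {"kind": "personal", "dn": "O=MQGem,CN=Sender App"},
    "rootca":    {"kind": "signer",   "dn": "CN=Example Root CA,O=Example"},
}


def demo(label: str = "senderapp") -> tuple:
    """Put with the given label, then run the getter's check against POLICY."""
    conf = parse_keystore_conf(KEYSTORE_CONF)
    conf["cms.certificate"] = label
    return check_get(POLICY, sign_message(conf, KDB, b"order 42"))


if __name__ == "__main__":
    for label in ("senderapp", "reordered"):
        print(label, demo(label))
```

Running it shows the two outcomes side by side: the label whose DN matches the -a value is accepted, while a certificate carrying the same attributes in a different order is rejected with the 2063 text and a hint. A label that exists only as a CA signer cannot sign at all in this model, which is the configuration-side error to rule out first when the putter and getter share one keystore.conf.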