Managing MQ running on Openshift
hughson
Posted: Tue Mar 14, 2023 3:04 am
Padawan
Joined: 09 May 2013 Posts: 1959 Location: Bay of Plenty, New Zealand
andres wrote:
Thanks hughson, it takes some time to understand all auth possibilities.
In the end I sorted it out to connect to the queue manager, test the connection with "amqssslc", send messages with amqsphac and get them with amqsgetc.
For some reason, amqsputc gets stuck and it is not sending any message.
Could you explain what you mean by "get stuck" - do you get a return code when you type in a message, or does it fail before then?
andres wrote:
I created my own certificate "/CN=andres/OU=mydomain/O=myorg". But before that I created a simple one, "/CN=andres/OU=mydomain", and I couldn't establish an SSL connection.
What was the error you got that stopped you establishing an SSL connection with the previous certificate?
andres wrote:
My CHLAUTH looks like this now. Is there a precedence between SSLPEERMAP and Address? I think the AUTH is only working if I enable Address and it is not checking SSLPEER.
Code:
AMQ8878I: Display channel authentication record details.
CHLAUTH(SSL) TYPE(SSLPEERMAP)
DESCR( ) CUSTOM( )
SSLPEER(CN=andres,OU=mydomain,O=myorg)
SSLCERTI( ) ADDRESS( )
MCAUSER(mqm) USERSRC(MAP)
CHCKCLNT(ASQMGR) ALTDATE(2023-03-14)
ALTTIME(08.34.01)
AMQ8878I: Display channel authentication record details.
CHLAUTH(SSL) TYPE(ADDRESSMAP)
DESCR( ) CUSTOM( )
ADDRESS(*) MCAUSER(mqm)
USERSRC(MAP) CHCKCLNT(ASQMGR)
ALTDATE(2023-03-14) ALTTIME(08.34.44)
6 MQSC commands read.
Forgot to mention that if I remove the CHLAUTH (Address) and keep only SSLPEER:
Code:
CHLAUTH(SSL) TYPE(SSLPEERMAP)
DESCR( ) CUSTOM( )
SSLPEER(CN=andres,OU=mydomain,O=myorg)
SSLCERTI( ) ADDRESS( )
MCAUSER(mqm) USERSRC(MAP)
CHCKCLNT(ASQMGR) ALTDATE(2023-03-14)
ALTTIME(08.34.01)
2023-03-14T09:05:46.011Z mqhtpass: User authentication failed user=andres effuser=andres applname=amqsphac cspuser=andres cc=1 reason=0
So yes, there is a precedence. It will check SSLPEERMAPs before ADDRESSMAPs. If it is matching against the ADDRESSMAP that means that it considers the SSLPEERMAP to not be a match.
If you have a successful connection, issue a DISPLAY CHSTATUS(SSL) ALL and look at the value in the SSLPEER attribute. If you get a failure due to CHLAUTH, you will get an error message in the AMQERR01.LOG showing what it matched against. See "I'm being blocked by CHLAUTH - how can I work out why?" for more on that. Either way, you will find the value it is matching with.
If it is blank, that means you are not even sending the certificate. If there is something there, make sure it matches what you put in the SSLPEERMAP CHLAUTH rule.
Cheers,
Morag
_________________
Morag Hughson @MoragHughson
IBM MQ Technical Education Specialist
Get your IBM MQ training here!
MQGem Software
fjb_saper
Posted: Tue Mar 14, 2023 6:48 am
Grand High Poobah
Joined: 18 Nov 2003 Posts: 20756 Location: LI,NY
andres wrote:
I created my own certificate "/CN=andres/OU=mydomain/O=myorg". But before that I created a simple one, "/CN=andres/OU=mydomain", and I couldn't establish an SSL connection.
I believe that's where you went wrong.
Should it not be DN="CN=andres,OU=mydomain,O=myorg"? Note that the different components of the DN are separated by a comma and not a "/"!
(This is not an LDAP entry!)
_________________
MQ & Broker admin
andres
Posted: Tue Mar 14, 2023 8:59 am
Apprentice
Joined: 12 Apr 2013 Posts: 27
Hi,
If the certificate is wrong or I'm not sending the cert, the connection won't happen, so my problem is the SSLPEER.
I created the cert like:
openssl req -newkey rsa:2048 -nodes -keyout flagstaff.qmgr.key -x509 -days 365 -out flagstaff.qmgr.crt \
-subj "/CN=andres/OU=mydomain/O=myorg"
SSLPEER:
SSLPEER(CN=andres,OU=mydomain,O=myorg)
Channel status doesn't show an SSLPEER and shows a CIPHER I didn't set in the ccdt file:
Code:
1 : dis chstatus (SSL) all
AMQ8417I: Display Channel Status details.
CHANNEL(SSL) CHLTYPE(SVRCONN)
BUFSRCVD(6) BUFSSENT(5)
BYTSRCVD(1792) BYTSSENT(1824)
CHSTADA(2023-03-14) CHSTATI(16.45.56)
COMPHDR(NONE,NONE) COMPMSG(NONE,NONE)
COMPRATE(0,0) COMPTIME(0,0)
CONNAME(10.131.0.2) CURRENT
EXITTIME(0,0) HBINT(300)
JOBNAME(0000012B00000759) LOCLADDR(::ffff:10.129.5.79(1414))
LSTMSGDA(2023-03-14) LSTMSGTI(16.45.56)
MCASTAT(RUNNING) MCAUSER(mqm)
MONCHL(OFF) MSGS(2)
RAPPLTAG(amqsputc) SECPROT(TLSV13)
SSLCERTI( )
SSLCIPH(TLS_CHACHA20_POLY1305_SHA256)
SSLKEYDA( ) SSLKEYTI( )
SSLPEER( ) SSLRKEYS(0)
STATUS(RUNNING) STOPREQ(NO
And then, ccdt looks like:
Code:
{
  "channel": [
    {
      "name": "SSL",
      "clientConnection": {
        "connection": [
          {
            "host": "ssl.chl.mqdev.mydomain.org",
            "port": 443
          }
        ],
        "queueManager": "mqdev"
      },
      "transmissionSecurity": {
        "cipherSpecification": "ANY_TLS12_OR_HIGHER"
      },
      "type": "clientConnection"
    }
  ]
}
And then I sent a message like:
export MQCCDTURL="/mnt/c/Temp/mq-helm-main/samples/openshift/test/ccdt_generated.json"
export MQSSLKEYR="/mnt/c/Temp/mq-helm-main/samples/openshift/test/new/key"
echo "Starting amqsphac" flagstaff
/home/andres/mqclient/samp/bin/amqsphac DEV.QUEUE.2 mqdev
# test ssl
/home/andres/mqclient/samp/bin/amqssslc -m flagstaff -c "SSL" -x "ssl.chl.mqdev.mydomain.org(443)" -k /mnt/c/Temp/mq-helm-main/samples/openshift/test/new/key -s ANY_TLS12_OR_HIGHER
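The check Morag describes (a blank SSLPEER in DISPLAY CHSTATUS means no client certificate arrived; a non-blank one must match the SSLPEERMAP rule) and fjb_saper's point about DN separators, worked as an added example that is not code from this thread or from IBM MQ: it parses the NAME(value) attributes of MQSC display output, normalises both the openssl "/CN=.../OU=..." subject form and MQ's comma-separated form, and applies a simplified SSLPEER comparison. The CHSTATUS samples are constructed from the listing above, and the matching rule is an approximation of the queue manager's own check, not a reimplementation of it.

```python
import re
# Constructed samples shaped like the DISPLAY CHSTATUS listing quoted above.
CHSTATUS_NO_CERT = """CHANNEL(SSL) CHLTYPE(SVRCONN) CONNAME(10.131.0.2)
LOCLADDR(::ffff:10.129.5.79(1414)) SSLCERTI( ) SSLPEER( ) SSLRKEYS(0)"""
CHSTATUS_WITH_CERT = "CHANNEL(SSL) SSLPEER(CN=andres,OU=mydomain,O=myorg)"
SSLPEER_RULE = "CN=andres,OU=mydomain,O=myorg"  # the SSLPEERMAP value in the thread
_ATTR = re.compile(r"([A-Z]+)\(")


def parse_mqsc(text):
    """Return {NAME: value} for each NAME(value) in MQSC display output,
    honouring nested parentheses such as LOCLADDR(::ffff:10.129.5.79(1414))."""
    attrs, pos = {}, 0
    while (m := _ATTR.search(text, pos)):
        depth, j = 1, m.end()
        while depth and j < len(text):
            depth += {"(": 1, ")": -1}.get(text[j], 0)
            j += 1
        attrs[m.group(1)] = text[m.end():j - 1].strip()
        pos = j
    return attrs


def parse_dn(dn):
    """Accept openssl's '/CN=a/OU=b' or MQ's 'CN=a,OU=b' form -> [(ATTR, value)]."""
    pairs = []
    for part in re.split(r"[/,]", dn):  # assumption: no escaped separators in values
        if "=" in part:
            k, v = part.split("=", 1)
            pairs.append((k.strip().upper(), v.strip()))
    return pairs


def sslpeer_matches(rule, peer):
    """Simplified SSLPEERMAP test (an approximation, not MQ's own algorithm): each
    rule attribute must be in the peer DN with the same value; trailing '*' = prefix."""
    present = dict(parse_dn(peer))
    for k, v in parse_dn(rule):
        if k not in present:
            return False
        actual, want = present[k].lower(), v.lower()
        if not (actual.startswith(want[:-1]) if want.endswith("*") else actual == want):
            return False
    return True


def diagnose(chstatus_text, rule=SSLPEER_RULE):
    """'no-cert' when SSLPEER is blank (client sent no certificate, so no SSLPEERMAP
    can match and a later ADDRESSMAP decides MCAUSER), else 'match' / 'mismatch'."""
    peer = parse_mqsc(chstatus_text).get("SSLPEER", "")
    if not peer:
        return "no-cert"
    return "match" if sslpeer_matches(rule, peer) else "mismatch"
```

Running diagnose() over the CHSTATUS output pasted above returns "no-cert", which is the case where only the ADDRESSMAP rule can decide the MCAUSER.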
exerk
Posted: Tue Mar 14, 2023 11:38 am
Jedi Council
Joined: 02 Nov 2006 Posts: 6339
andres wrote:
Channel status doesn't show an SSLPEER and shows a CIPHER I didn't set in the ccdt file...
You set the CIPHER to an alias value (ANY_TLS12_OR_HIGHER), which means both ends negotiate an acceptable value, hence the Cipher Spec you are seeing.
_________________
It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys.