| Author |
Message
|
| hughson |
 Posted: Tue Oct 01, 2024 5:42 pm Post subject: |
 |
|
Padawan
Joined: 09 May 2013
Posts: 1959
Location: Bay of Plenty, New Zealand
|
| mangeshp16 wrote: |
| ... finding this page which documents the gakit reason codes. |
They're like gold dust those pages! 
_________________
Morag Hughson @MoragHughson
IBM MQ Technical Education Specialist
Get your IBM MQ training here!
MQGem Software |
|
| Back to top |
|
 |
| mangeshp16 |
| Posted: Wed Oct 02, 2024 3:10 pm Post subject: |
|
|
Newbie
Joined: 14 Sep 2024
Posts: 8
|
Just to let you know we also opened a case with IBM as the other java api works with public certificate and Ibm says i don?t need private keys so not sure what else to look at. Is there a difference between versions. I tried 9.3 and 9.4 versions for client libraries.
Also the policy on the queue is
-p queuename -e AES256 -r ?CN=label,O=mycompany,C=country? -t 0
-t 0 -> means signing is optional ? if I understand correctly |
|
| Back to top |
|
|
| mangeshp16 |
| Posted: Wed Oct 02, 2024 3:11 pm Post subject: |
|
|
Newbie
Joined: 14 Sep 2024
Posts: 8
|
Just to let you know we also opened a case with IBM as the other java api works with public certificate and Ibm says i don?t need private keys so not sure what else to look at. Is there a difference between versions. I tried 9.3 and 9.4 versions for client libraries.
Also the policy on the queue is
-p queuename -e AES256 -r ?CN=label,O=mycompany,C=country? -t 0
-t 0 -> means signing is optional ? if I understand correctly |
|
| Back to top |
|
|
| fjb_saper |
| Posted: Thu Oct 03, 2024 2:35 am Post subject: |
|
|
Grand High Poobah
Joined: 18 Nov 2003
Posts: 20756
Location: LI,NY
|
| mangeshp16 wrote: |
Just to let you know we also opened a case with IBM as the other java api works with public certificate and Ibm says i don?t need private keys so not sure what else to look at. Is there a difference between versions. I tried 9.3 and 9.4 versions for client libraries.
Also the policy on the queue is
-p queuename -e AES256 -r ?CN=label,O=mycompany,C=country? -t 0
-t 0 -> means signing is optional ? if I understand correctly |
Not quite sure what you're referencing. For set up you don't need any private keys, but to operate you do.
Say you use the public cert to encrypt, that means you'll need the private key to decrypt!
On the other hand seeing that you have policy problem, did you verify that the users using the policies have browse authorization on the (SYSTEM) policy queue?
_________________
MQ & Broker admin |
|
| Back to top |
|
|
| mangeshp16 |
| Posted: Thu Oct 03, 2024 3:58 pm Post subject: |
|
|
Newbie
Joined: 14 Sep 2024
Posts: 8
|
@fjb_saber, Thank for your reply.
My question is not for setup. I was just stating the fact that per queue policy, queue doesn?t need signing but just encryption.
Now for the certificate issue let me explain:
We have 2 queues, sending queue and receiving queue.
On sender side public certificate for each queue for encryption and decryption.
server got complete certificate.
Question is if there is no signing then public certificate should be enough to encrypt messages for sending queue.
But i am getting the error previously stated in one of the messages that tells me i need private key. Am I missing anything as far as configuration is concerned? Other java api using same queues is working fine.
See Error below:
manager.
---
----- amqxeida.c : 7104 -------------------------------------------------------
9/30/2024 17:37:29 -
AMQ9008E: Cannot acquire the certificate for the label: <lable> in the keystore
file <filepath>. GSKit ACME
GSS minor reason is 58.
EXPLANATION:
IBM MQ security policy interceptor was unable to read the certificate for the
given label from keystore.
ACTION:
Make sure the label is correctly set as the cms.certificate entry of the
configuration file. Check if the keystore contains the certificate for the
given label.
----- smqodida.c : 1239 -------------------------------------------------------
9/30/2024 17:37:29 -
AMQ9012E: The IBM MQ security policy interceptor could not acquire the public
key credential.
EXPLANATION:
The IBM MQ security policy interceptor could not perform a public key
infrastructure (PKI) login.
ACTION:
Check the error messages related to acquiring public key credentials to
determine the cause of the failure. Check whether user has the permission to
read the kdb and stash files and verify whether the kdb file contains a
certificate with the label specified. Finally, check whether the certificate
has not expired. |
|
| Back to top |
|
|
| fjb_saper |
| Posted: Fri Oct 04, 2024 11:18 am Post subject: |
|
|
Grand High Poobah
Joined: 18 Nov 2003
Posts: 20756
Location: LI,NY
|
| mangeshp16 wrote: |
@fjb_saber, Thank for your reply.
My question is not for setup. I was just stating the fact that per queue policy, queue doesn?t need signing but just encryption.
Now for the certificate issue let me explain:
We have 2 queues, sending queue and receiving queue.
On sender side public certificate for each queue for encryption and decryption.
server got complete certificate.
Question is if there is no signing then public certificate should be enough to encrypt messages for sending queue.
But i am getting the error previously stated in one of the messages that tells me i need private key. Am I missing anything as far as configuration is concerned? Other java api using same queues is working fine.
See Error below:
manager.
---
----- amqxeida.c : 7104 -------------------------------------------------------
9/30/2024 17:37:29 -
AMQ9008E: Cannot acquire the certificate for the label: <lable> in the keystore
file <filepath>. GSKit ACME
GSS minor reason is 58.
EXPLANATION:
IBM MQ security policy interceptor was unable to read the certificate for the
given label from keystore.
ACTION:
Make sure the label is correctly set as the cms.certificate entry of the
configuration file. Check if the keystore contains the certificate for the
given label.
----- smqodida.c : 1239 -------------------------------------------------------
9/30/2024 17:37:29 -
AMQ9012E: The IBM MQ security policy interceptor could not acquire the public
key credential.
EXPLANATION:
The IBM MQ security policy interceptor could not perform a public key
infrastructure (PKI) login.
ACTION:
Check the error messages related to acquiring public key credentials to
determine the cause of the failure. Check whether user has the permission to
read the kdb and stash files and verify whether the kdb file contains a
certificate with the label specified. Finally, check whether the certificate
has not expired. |
You are running the interceptor, which means you are acting as an endpoint.
The endpoint will need the private key linked to the certificate used for the encryption.
_________________
MQ & Broker admin |
|
| Back to top |
|
|
| mangeshp16 |
| Posted: Mon Oct 07, 2024 3:05 pm Post subject: |
|
|
Newbie
Joined: 14 Sep 2024
Posts: 8
|
Understood. Thanks for your explanation.
How does then JMS client api work for java which doesn?t need private key for AMS? |
|
| Back to top |
|
|
| fjb_saper |
| Posted: Mon Oct 07, 2024 7:32 pm Post subject: |
|
|
Grand High Poobah
Joined: 18 Nov 2003
Posts: 20756
Location: LI,NY
|
| mangeshp16 wrote: |
Understood. Thanks for your explanation.
How does then JMS client api work for java which doesn?t need private key for AMS? |
I assume the interception is being done for AMS and the JMS Client does one way TLS and not 2 way, i.e. it only needs the public cert / root CA from the MQ Server and the channel says client cert is optional.
_________________
MQ & Broker admin |
|
| Back to top |
|
|
| hughson |
| Posted: Fri Oct 11, 2024 2:00 am Post subject: |
|
|
Padawan
Joined: 09 May 2013
Posts: 1959
Location: Bay of Plenty, New Zealand
|
| mangeshp16 wrote: |
Just to let you know we also opened a case with IBM as the other java api works with public certificate and Ibm says i don?t need private keys so not sure what else to look at. Is there a difference between versions. I tried 9.3 and 9.4 versions for client libraries.
Also the policy on the queue is
-p queuename -e AES256 -r ?CN=label,O=mycompany,C=country? -t 0
-t 0 -> means signing is optional ? if I understand correctly |
If IBM says you don't need private keys in this situation and the IBM MQ product is complaining that a private key is needed, are IBM looking into why this is?
You say that you are not sure what else to look at, but if this is a product defect, then there is nothing else that you can do, except wait for IBM to produce a fix.
What did they say in the case? Did they accept it as a defect?
Cheers,
Morag
_________________
Morag Hughson @MoragHughson
IBM MQ Technical Education Specialist
Get your IBM MQ training here!
MQGem Software |
|
| Back to top |
|
|
|
|
