Importing a PolicySet
smdavies99
Posted: Tue Feb 08, 2011 3:49 am    Post subject: Importing a PolicySet

Jedi Council

Joined: 10 Feb 2003
Posts: 6076
Location: Somewhere over the Rainbow this side of Never-never land.

This is on V6.1.0.3(Solaris), 6.1.0.5(Linux) & 6.1.0.8 (Windows)

I've created a PolicySet & Bindings for a SOAP HTTPS Service on the 6.1.0.3 Linux system. I exported it to an XML file using mqsireportproperties.
OK, so far so good.
I exported the bindings as well.

Then I went to the other systems and tried to import the exported files.
- The createConfigurableService went ok.
- The bindings import using mqsichangeproperties succeeded.
- The import of the PolicySet file fails on both Solaris & Windows systems in the same way.

Code:

BIP2051E: Broker S1BRKR1B (UUID 7976c476-2701-0000-0080-c535bd37d116) could not process an internal configuration message to completion, the problem was caused by 'Change : ws-security :


<?xml version="1.0" encoding="UTF-8"?>
<policy:Policy xmlns:_0="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" xmlns:_200512="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200512" xmlns:policy="http://schemas.xmlsoap.org/ws/2004/09/policy">
  <_200512:AsymmetricBinding>
    <policy:Policy>
      <_200512:InitiatorToken>
        <policy:Policy>
          <_200512:X509Token _200512:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200512/IncludeToken/AlwaysToInitiator">
            <policy:Policy Name="initToken">
              <_200512:WssX509V3Token10/>
            </policy:Policy>
          </_200512:X509Token>
        </policy:Policy>
      </_200512:InitiatorToken>
      <_200512:RecipientToken>
        <policy:Policy>
          <_200512:X509Token _200512:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200512/IncludeToken/AlwaysToRecipient">
            <policy:Policy Name="recipToken">
              <_200512:WssX509V3Token10/>
            </policy:Policy>
          </_200512:X509Token>
        </policy:Policy>
      </_200512:RecipientToken>
      <_200512:AlgorithmSuite>
        <policy:Policy>
          <_200512:Basic128Rsa15/>
        </policy:Policy>
      </_200512:AlgorithmSuite>
      <_200512:IncludeTimestamp/>
      <_200512:Layout>
        <policy:Policy>
          <_200512:Strict/>
        </policy:Policy>
      </_200512:Layout>
    </policy:Policy>
  </_200512:AsymmetricBinding>
  <policy:Policy _0:Id="response:app_encparts_response">
    <_200512:EncryptedParts>
      <_200512:Body/>
    </_200512:EncryptedParts>
    <_200512:EncryptedElements>
      <_200512:XPath>/*[namespace-uri()='.
The configuration message could not be processed and was rejected.
Use the inserts within this message to determine the cause of the problem.  Correct the broker's configuration and redeploy using the Message Brokers Toolkit, mqsideploy command or Config Manager Proxy application. Contact your IBM support center if you are unable to resolve the problem.
BIP2087E: Broker S1BRKR1B was unable to process the internal configuration message.
The entire internal configuration message failed to be processed successfully.
Use the messages following this message to determine the reasons for the failure. If the problem cannot be resolved after reviewing these messages, contact your IBM Support center. Enabling service trace may help determine the cause of the failure.

BIP8036E: Negative response received.
This command sends an internal configuration message to the broker, the response received indicated that the internal configuration message was unsuccessful.
Check that the WebSphere MQ transport is available. Check the system log for further information.


The command used to do the import was as follows:-

Code:

mqsichangeproperties MYBROKER -c PolicySets -o Policy_1 -n ws-security -p p_set.xml


It seems to be objecting to the ws-security token.
I exported it using the example in the Info Centre as a guide.
Code:

mqsireportproperties myBroker -c PolicySets -o myPolicySet -n ws-security -p myPolicySet.xml 

Any thoughts as to the way forward ?
_________________
WMQ User since 1999
MQSI/WBI/WMB/'Thingy' User since 2002
Linux user since 1995

Every time you reinvent the wheel the more square it gets (anon). If in doubt think and investigate before you ask silly questions.
smdavies99
Posted: Tue Feb 08, 2011 4:57 am

The mystery deepens.

The import works fine on 7.0.0.1 (Solaris).
I verified the validity by exporting it again and doing a 'diff'.

Sigh...
_________________
lancelotlinc
Posted: Tue Feb 08, 2011 5:03 am

Jedi Knight

Joined: 22 Mar 2010
Posts: 4941
Location: Bloomington, IL USA

How many SOAP nodes in your flow? If more than one, apply this APAR:

http://www-01.ibm.com/support/docview.wss?uid=swg1IC68436
_________________
http://leanpub.com/IIB_Tips_and_Tricks
Save $20: Coupon Code: MQSERIES_READER
smdavies99
Posted: Tue Feb 08, 2011 5:16 am

Hmmm.
Well, none of our flows that are going to use HTTPS are deployed yet.
On the Windows broker the only flows deployed are the AddressBook samples.
I'll try it on a 'clean' broker.
But the APAR you pointed to refers to runtime problems.
This is in the setup phase.
_________________
lancelotlinc
Posted: Tue Feb 08, 2011 5:28 am

Here's another runtime APAR:

http://www-01.ibm.com/support/docview.wss?uid=swg1IC73793

Looks like lots of bugs in current implementation. Lots of SOAP WS-Security fixes scheduled for 7.0.0.3
_________________
smdavies99
Posted: Tue Feb 08, 2011 6:17 am

Coming thick and fast...
6.1.0.10 eh?
That must mean that 6.1.0.9 is about to hit the streets.

As for V7, 7.0.0.2 has not been around for long. I guess that we will have to wait for that one.

As I said, my issues are all in the setup not actually trying to use SOAP over https://
_________________
lancelotlinc
Posted: Tue Feb 08, 2011 6:38 am

If the runtime is this messed up, I wouldn't guess the toolkit would be any cleaner. After further reading on IBM site re: APARs for WS-Security on WMB, even the command line utilities do funny things like add three blank lines to the policy file, which messes up the mqsichangeproperties and mqsireportproperties commands. The workaround is to manually edit the policy file to remove the three blank lines. I wouldn't count on any of this working any time soon.
_________________
smdavies99
Posted: Tue Feb 08, 2011 7:40 am

Yup, it looks like the blank lines are the problem.
Note that this ONLY happens on the Policy Set file, not the PolicyBindings file.
_________________
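The workaround this thread arrives at (removing the blank lines from the exported PolicySet file before importing it), as an added shell example that is not part of any post. The function names, temporary files and sample content are constructed, and because the thread does not say where the blank lines sit, the sketch assumes any empty or whitespace-only line can be dropped.

```shell
#!/bin/sh
# Added example: strip blank lines from an exported PolicySet file before import.
# Assumption: every empty or whitespace-only line is safe to drop, since the
# thread does not say where in the file the extra lines appear.

# count_blank FILE -> prints the number of empty/whitespace-only lines
count_blank() {
    # grep -c still prints 0 when nothing matches, but exits 1; ignore that
    grep -c '^[[:space:]]*$' "$1" || true
}

# clean_policyset SRC DST -> writes SRC without blank lines to DST and
# prints how many lines were removed
clean_policyset() {
    src=$1
    dst=$2
    removed=$(count_blank "$src")
    # [[:space:]] also matches the \r left by Windows line endings
    grep -v '^[[:space:]]*$' "$src" > "$dst" || true
    echo "$removed"
}

# Constructed sample: three blank lines (LF, CRLF, spaces) ahead of a
# stand-in policy document; not a real export.
sample=$(mktemp)
cleaned=$(mktemp)
printf '\n\r\n  \n<?xml version="1.0" encoding="UTF-8"?>\n<Policy/>\n' > "$sample"

echo "removed $(clean_policyset "$sample" "$cleaned") blank line(s)"

# The cleaned file is then imported with the command from the first post:
#   mqsichangeproperties MYBROKER -c PolicySets -o Policy_1 -n ws-security -p <cleaned file>
```

Comparing the cleaned file with a fresh mqsireportproperties export, as the second post does with 'diff', confirms that only the blank lines changed.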