SSL for MQ client on AS/400 COBOL iSeries
rockz007
Posted: Thu Aug 20, 2015 12:40 am    Post subject: SSL for MQ client on AS/400 COBOL iSeries

Newbie

Joined: 20 Aug 2015
Posts: 9

Hi All,

I'm pretty much new to the world of SSL in AS/400. We have MQ installed as a client on our AS/400, and the MQ server is installed on another UNIX machine. Until now we are able to connect without SSL, but now we have to use SSL. I tried to browse for related information on how to actually make a connection to the MQ server from the MQ client.

As far as I can find out, I believe I need to set SSLKEYR with the key repository and then set MQSSLKEYR to point to that key location of SSLKEYR. I am not able to understand how to make an SSL handshake and stuff, I am pretty much new to this, and I am running on a very tight timeline here.

Can anyone help me with what needs to be done from the client AS/400 to be able to communicate using SSL?

Thanks in advance
rockz007
Posted: Thu Aug 20, 2015 10:57 pm

Newbie

Joined: 20 Aug 2015
Posts: 9

Hi All,

I got the key.kdb, key.rdb, key.sth from the UNIX server and I also have AMQCLCHL.TAB set up with the queue managers and channel connections.

I put the key.* files in /QIBM/UserData/mqm and then I set MQSSLKEYR environment variable as below


"/QIBM/UserData/mqm/key"

Then when I try to do an MQCONN it fails with MQRC 2381, am I still missing anything?

Any help would be greatly appreciated.


Thanks
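An added example, not part of the original post and not IBM tooling: a POSIX shell preflight for the key repository stem that MQSSLKEYR points at, using the key.kdb / key.sth naming from the post above. The function name and return codes are chosen for this example; it checks naming, presence and permissions only, not whether the stash file matches the repository.

```shell
#!/bin/sh
# Preflight check for an MQ client key repository referenced by MQSSLKEYR.
# Assumption: repository files are <stem>.kdb and <stem>.sth, as in the post.
# Return codes (hypothetical, chosen for this example):
#   0 ok                         1 value is empty
#   2 value contains quotes      3 value includes a file extension
#   4 <stem>.kdb not readable    5 <stem>.sth not readable
#   6 stash file is accessible to "other" users
check_keyr_stem() {
    stem=$1
    [ -n "$stem" ] || { echo "MQSSLKEYR is empty" >&2; return 1; }

    # Quote characters that end up inside the value become part of the path.
    case $stem in
        \"*|*\"|\'*|*\') echo "value contains literal quote characters" >&2
                         return 2 ;;
    esac

    # MQSSLKEYR is given in stem format: full path and file name, no extension.
    case $stem in
        *.kdb|*.sth|*.rdb) echo "use the stem, without a file extension" >&2
                           return 3 ;;
    esac

    [ -r "$stem.kdb" ] || { echo "cannot read $stem.kdb" >&2; return 4; }
    [ -r "$stem.sth" ] || { echo "cannot read $stem.sth" >&2; return 5; }

    # The stash file holds the key repository password, so flag it when any
    # permission bit is set for "other" (characters 8-10 of the ls mode string).
    other=$(ls -ld "$stem.sth" | cut -c8-10)
    [ "$other" = "---" ] || { echo "$stem.sth is accessible to other users" >&2
                              return 6; }
    return 0
}

# Usage: check_keyr_stem "$MQSSLKEYR"
```
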
bruce2359
Posted: Fri Aug 21, 2015 3:33 am

Poobah

Joined: 05 Jan 2008
Posts: 9399
Location: US: west coast, almost. Otherwise, enroute.

Are you following instructions from the KC? If so, what is the URL?
_________________
I like deadlines. I like to wave as they pass by.
ב''ה
Lex Orandi, Lex Credendi, Lex Vivendi. As we Worship, So we Believe, So we Live.
zpat
Posted: Fri Aug 21, 2015 3:37 am

Jedi Council

Joined: 19 May 2001
Posts: 5849
Location: UK

I don't know about the MQ client, but the full QM on i-Series can use the standard operating system certificate store.

There are instructions in the IBM documentation about how to install MQ certificates into that.
_________________
Well, I don't think there is any question about it. It can only be attributable to human error. This sort of thing has cropped up before, and it has always been due to human error.
rockz007
Posted: Fri Aug 21, 2015 3:39 am

Newbie

Joined: 20 Aug 2015
Posts: 9

Hi Bruce,

I'm not sure on what you mean by KC.

I am no longer receiving the previous MQRC. I ran a utility from which generated the .Sth stash file for the passwords from the .Kdb file which I got from the server. Previously I was using the one which my server team gave to me.

Now when I try to connect I get mqrc 2393, which says the remote channel doesn't have SSL certificate. So we couldn't establish a 2 way handshake, but when we set the authentication to optional on the server one way handshake was established.

The server side is saying that they don't know why 2393 is being received.

Any help would be appreciated.

Thanks
zpat
Posted: Fri Aug 21, 2015 3:43 am

Jedi Council

Joined: 19 May 2001
Posts: 5849
Location: UK

Knowledge Center - aka Infocenter.

The IBM documentation on the web for MQ.
bruce2359
Posted: Fri Aug 21, 2015 3:44 am

Poobah

Joined: 05 Jan 2008
Posts: 9399
Location: US: west coast, almost. Otherwise, enroute.

KC is IBM's Knowledge Center website. I'm asking if you are following instructions in a document? Or are you just guessing on how to implement SSL?

Did you search google for 'ssl+iSeries' to see if what you are trying to do is documented step-by-step?
bruce2359
Posted: Fri Aug 21, 2015 4:30 am

Poobah

Joined: 05 Jan 2008
Posts: 9399
Location: US: west coast, almost. Otherwise, enroute.

rockz007 wrote:
I ran a utility from which generated the .Sth stash file for the passwords from the .Kdb file which I got from the server. Previously I was using the one which my server team gave to me.

Please be a bit more precise when you post.

Which utility? Do you mean the utility IBM provides for this purpose?

Why do you believe that you can use a cert other than the one that is being used on the server?
bruce2359
Posted: Fri Aug 21, 2015 4:44 am

Poobah

Joined: 05 Jan 2008
Posts: 9399
Location: US: west coast, almost. Otherwise, enroute.

Moved to Security forum
rockz007
Posted: Fri Aug 21, 2015 9:22 pm

Newbie

Joined: 20 Aug 2015
Posts: 9

Hi Bruce,

I ran the utility because when I use the same file from the MQserver in the job log I was getting an error like "Password stash file not usable or available".

I was going through a lot of documents but couldn't locate any specific steps for MQ client on AS/400. Only the below link has some information

http://www-01.ibm.com/support/docview.wss?uid=swg27039387&aid=1


And as per the link I ran AMQRSSLC, after running this I no longer received the 2381 MQRC but now as I mentioned I am receiving 2393 MQRC.
bruce2359
Posted: Sat Aug 22, 2015 5:48 am

Poobah

Joined: 05 Jan 2008
Posts: 9399
Location: US: west coast, almost. Otherwise, enroute.

Let's start at the beginning.

Are you following a step-by-step instruction document to get SSL to work? If so, what is that document? Or are you just randomly trying things to see if you can get it to work?

Precisely how did you create the key db? How did you create the certs? How did you add the certs? How did you export the cert to the other platform key db?

You wrote: "when I use the same file from the MQserver in the job log..." What file?


Again, please be precise in your posts.
rockz007
Posted: Sat Aug 22, 2015 5:55 am

Newbie

Joined: 20 Aug 2015
Posts: 9

Hi Bruce,

I'm sorry for not being precise. Okay these are the steps I followed.

1) MQ is installed as a client on AS400 in our system.

2) MQ server runs on Unix, and there's a separate team for this.

3) I got key.Kdb, key.rdb files from the MQ server team. I don't know how they got it generated, they gave me the CCDT file as well.

4) I FTPed the files .Kdb,.rdb, CCDT files into /qibm/user data/mqm.

5) After this I ran the utility which I mentioned previously to generate .sth file. And when I try to make the connection it says 2393.

Finally regarding the steps, the previous link is the only thing which I could find on how to implement SSL on MQ client, I saw lotta documentation on the web for MQ server, but couldn't find any info for MQ client.

Note: without the SSL we are able to connect, send and receive messages as well.


Please let me know if I'm still missing anything and thanks for being patient
fjb_saper
Posted: Sat Aug 22, 2015 8:50 am

Grand High Poobah

Joined: 18 Nov 2003
Posts: 20696
Location: LI,NY

Start reading here http://www-01.ibm.com/support/knowledgecenter/SSFKSJ_8.0.0/com.ibm.mq.sec.doc/q012470_.htm and

Have fun
_________________
MQ & Broker admin
bruce2359
Posted: Sat Aug 22, 2015 9:06 am

Poobah

Joined: 05 Jan 2008
Posts: 9399
Location: US: west coast, almost. Otherwise, enroute.

bruce2359 wrote:

Are you following a step-by-step instruction document to get SSL to work? If so, what is that document? Or are you just randomly trying things to see if you can get it to work?


I'm just short of becoming impatient with you for not answering questions you are asked.

SSL is complicated to configure. Any single incorrect configuration will cause a variety of errors.

Go to Google, then search for 'how to configure mq ssl on as400'. I found this: http://129.33.205.81/support/knowledgecenter/SSFKSJ_7.5.0/com.ibm.mq.explorer.doc/e_ssl_mqclients.htm