MQSeries.net Forum Index » IBM MQ Security » MQ AMS on z/OS - admin?

MQ AMS on z/OS - admin?
zpat
PostPosted: Mon Jun 27, 2022 1:09 am    Post subject: MQ AMS on z/OS - admin?

Jedi Council

Joined: 19 May 2001
Posts: 5849
Location: UK

Anyone using AMS with z/OS QMs?

We have MQExplorer 9.2 and z/OS MQ 9.2 with AMS enabled.

Anyway my question is how you perform admin of policies?

It seems that MQ explorer does not support AMS policy admin on z/OS QMs - is this true or have I done something wrong?

And also, where can I see the reasons for AMS decisions to allow or prevent access to messages (e.g. using MQ client to attempt access)?
_________________
Well, I don't think there is any question about it. It can only be attributable to human error. This sort of thing has cropped up before, and it has always been due to human error.
fjb_saper
PostPosted: Mon Jun 27, 2022 11:44 am

Grand High Poobah

Joined: 18 Nov 2003
Posts: 20696
Location: LI,NY

What's the problem you're seeing? Do any of your AMS certs have an email in it?
_________________
MQ & Broker admin
zpat
PostPosted: Mon Jun 27, 2022 12:52 pm

Jedi Council

Joined: 19 May 2001
Posts: 5849
Location: UK

It's more that I expected to administer AMS policies etc on MQ with a GUI.

Seems that MQ on z/OS is stuck in the past in several ways - the latest of which is lack of support for AMS admin via PCF messages (i.e. MQ explorer or MO71).

I can't believe AMS users on z/OS MQ put up with this - are there any users out there?

No - our certs don't have Email addresses that I know of.
_________________
Well, I don't think there is any question about it. It can only be attributable to human error. This sort of thing has cropped up before, and it has always been due to human error.
fjb_saper
PostPosted: Tue Jun 28, 2022 4:39 am

Grand High Poobah

Joined: 18 Nov 2003
Posts: 20696
Location: LI,NY

zpat wrote:
It's more that I expected to administer AMS policies etc on MQ with a GUI.

Seems that MQ on z/OS is stuck in the past in several ways - the latest of which is lack of support for AMS admin via PCF messages (i.e. MQ explorer or MO71).

I can't believe AMS users on z/OS MQ put up with this - are there any users out there?

No - our certs don't have Email addresses that I know of.

AMS on multi-platform has been known to not work right with certs that had an email in the DN.
_________________
MQ & Broker admin
zpat
PostPosted: Tue Jun 28, 2022 11:26 am

Jedi Council

Joined: 19 May 2001
Posts: 5849
Location: UK

Most of our apps are MQ client attached to z/OS QMs.

So the AMS interceptors have to run on the client platform.

I am testing on Windoze with a CMS keystore with a personal CA signed cert, and the CA signers.

AMS is not able to find the public certificate. So it can put a message with integrity policy but can't get it or browse it.

I am using C client (rfhutilc and MO71) to test with.
_________________
Well, I don't think there is any question about it. It can only be attributable to human error. This sort of thing has cropped up before, and it has always been due to human error.
hughson
PostPosted: Tue Jun 28, 2022 9:00 pm

Padawan

Joined: 09 May 2013
Posts: 1914
Location: Bay of Plenty, New Zealand

zpat wrote:
AMS is not able to find the public certificate. So it can put a message with integrity policy but can't get it or browse it.

So you have an integrity policy, something like this?

Code:
setmqspl -m MQG1 -p INTG.Q -s SHA256 -a "CN=Sender App,O=MQGem"


that is, you have an authorised signer (or maybe not even - maybe everyone can sign to this queue?) and a signing algorithm and no encryption algorithm and no recipients listed.

And then when you try to get it with the same/another app (??) that app is unable to verify the original signer's digital signature?

What does the getting app have in its KDB?

Cheers,
Morag
_________________
Morag Hughson @MoragHughson
IBM MQ Technical Education Specialist
Get your IBM MQ training here!
MQGem Software
zpat
PostPosted: Wed Jun 29, 2022 6:30 am

Jedi Council

Joined: 19 May 2001
Posts: 5849
Location: UK

Putter and getter are the same app and using the same KDB.

This contains my personal cert and the CA signers we use.

My cert is CA issued not self signed.
_________________
Well, I don't think there is any question about it. It can only be attributable to human error. This sort of thing has cropped up before, and it has always been due to human error.
hughson
PostPosted: Sat Jul 02, 2022 2:37 am

Padawan

Joined: 09 May 2013
Posts: 1914
Location: Bay of Plenty, New Zealand

zpat wrote:
AMS is not able to find the public certificate. So it can put a message with integrity policy but can't get it or browse it.

OK, so what error do you get? Both the return code on the MQGET, and what errors are in the client error log.
_________________
Morag Hughson @MoragHughson
IBM MQ Technical Education Specialist
Get your IBM MQ training here!
MQGem Software
zpat
PostPosted: Mon Jul 04, 2022 12:08 am

Jedi Council

Joined: 19 May 2001
Posts: 5849
Location: UK

MQRC 2063

Message signer is not in the list of authorised signers.

(I would copy/paste full details but I cannot access this site from our corporate network).
_________________
Well, I don't think there is any question about it. It can only be attributable to human error. This sort of thing has cropped up before, and it has always been due to human error.
hughson
PostPosted: Mon Jul 04, 2022 2:19 am

Padawan

Joined: 09 May 2013
Posts: 1914
Location: Bay of Plenty, New Zealand

So you have:

A client putting application and a client getting application both using the SAME CMS KDB and the same keystore.conf.

The queue being used is a QLOCAL on your z/OS queue manager, and both putter and getter address the QLOCAL directly and not via a QALIAS.

The setmqspl policy for said local queue has a single DN listed on the -a parameter (for the authorised signer). That DN is the certificate which you have named (the label of) in the keystore.conf being used by both the putter and the getter application.

Is all of the above true?
_________________
Morag Hughson @MoragHughson
IBM MQ Technical Education Specialist
Get your IBM MQ training here!
MQGem Software
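The checklist above (and the integrity policy shown earlier in the thread) boils down to one comparison: the DN listed on the policy's -a parameter must match the subject DN of the certificate that keystore.conf names via cms.certificate, otherwise the getter fails with MQRC 2063. The script below is an added example written for this thread, not MQ's own tooling or anything the posters ran. It parses text you would copy from two real MQ commands (the command names and keystore.conf keys are IBM's; all sample content here is constructed): the setmqspl lines that `dspmqspl -m <qmgr> -export` prints, and the Subject DN that `runmqakm -cert -details` prints for the personal certificate. The DN normalisation (trimming spaces, upper-casing attribute types, comparing RDNs in order) is the script's own assumption and does not reproduce AMS's exact matching rules.

```python
"""Cross-check an AMS policy's authorised-signer DN against the client's
personal certificate, as named in keystore.conf.

Added example for this forum thread (not IBM MQ code). Input text is what
these real commands print, copied by hand:
    dspmqspl -m <qmgr> -export                           -> setmqspl lines
    runmqakm -cert -details -label <lbl> -db key.kdb -stashed -> Subject DN
"""
import shlex

# ---- constructed sample input (not from the thread) ----------------------
KEYSTORE_CONF = """\
cms.keystore=C:/mqm/ams/key
cms.certificate=mq_personal_cert
"""

DSPMQSPL_EXPORT = """\
setmqspl -m MQG1 -p INTG.Q -s SHA256 -a "CN=Sender App,O=MQGem"
setmqspl -m MQG1 -p ENC.Q -s SHA256 -e AES256 -a "CN=Sender App,O=MQGem" -r "CN=Reader App,O=MQGem"
"""

# Subject DN of label mq_personal_cert as runmqakm would print it (constructed;
# note the space after the comma, which the normaliser must tolerate)
PERSONAL_CERT_SUBJECT = "CN=Sender App, O=MQGem"

# setmqspl options that take a value; other options are skipped
VALUE_FLAGS = {"-m": "qmgr", "-p": "queue", "-s": "sign_alg", "-e": "enc_alg",
               "-a": "signers", "-r": "recipients"}


def parse_keystore_conf(text):
    """key=value lines; blank lines and # comments ignored."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition("=")
            conf[key.strip()] = value.strip()
    return conf


def parse_setmqspl(text):
    """Turn each 'setmqspl ...' line into a dict; -a and -r may repeat."""
    policies = []
    for line in text.splitlines():
        tokens = shlex.split(line)
        if not tokens or tokens[0] != "setmqspl":
            continue
        pol = {"signers": [], "recipients": []}
        i = 1
        while i < len(tokens):
            flag = tokens[i]
            has_value = i + 1 < len(tokens) and not tokens[i + 1].startswith("-")
            if flag in VALUE_FLAGS and has_value:
                key = VALUE_FLAGS[flag]
                if key in ("signers", "recipients"):
                    pol[key].append(tokens[i + 1])
                else:
                    pol[key] = tokens[i + 1]
            i += 2 if has_value else 1
        policies.append(pol)
    return policies


def normalize_dn(dn):
    """Script's own normalisation: split RDNs on ',', trim, upper-case the
    attribute type, keep order. Escaped commas in values are not handled."""
    parts = []
    for rdn in dn.split(","):
        attr, _, value = rdn.partition("=")
        parts.append((attr.strip().upper(), value.strip()))
    return tuple(parts)


def check_policy(pol, cert_subject):
    """Classify one policy against the cert the getter will sign/verify with."""
    queue = pol.get("queue", "?")
    if not pol.get("sign_alg") and not pol.get("enc_alg"):
        return {"queue": queue, "status": "unprotected",
                "detail": "policy has neither -s nor -e"}
    if not pol["signers"]:
        return {"queue": queue, "status": "ok",
                "detail": "no -a list, so any verifiable signer is accepted"}
    subject = normalize_dn(cert_subject)
    if subject in [normalize_dn(s) for s in pol["signers"]]:
        return {"queue": queue, "status": "ok",
                "detail": "cert subject is an authorised signer"}
    return {"queue": queue, "status": "mismatch",
            "detail": "cert subject not in -a list; expect MQRC 2063 on MQGET"}


def run_checks(keystore_text, export_text, cert_subject):
    conf = parse_keystore_conf(keystore_text)
    label = conf.get("cms.certificate", "<missing cms.certificate>")
    return [dict(check_policy(p, cert_subject), label=label)
            for p in parse_setmqspl(export_text)]


if __name__ == "__main__":
    for r in run_checks(KEYSTORE_CONF, DSPMQSPL_EXPORT, PERSONAL_CERT_SUBJECT):
        print(f"{r['queue']:<8} {r['status']:<11} label={r['label']}  {r['detail']}")
```

If a queue shows `mismatch`, compare the two DNs character by character: AMS policies are keyed on the exact DN string, so a reordered RDN, a different attribute (for example an e-mail element, as raised earlier in the thread) or a typo on the -a parameter is enough for the getter to be refused even though the putter signed happily.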
zpat
PostPosted: Mon Jul 04, 2022 5:18 am

Jedi Council

Joined: 19 May 2001
Posts: 5849
Location: UK

Yes, that's correct.
_________________
Well, I don't think there is any question about it. It can only be attributable to human error. This sort of thing has cropped up before, and it has always been due to human error.
hughson
PostPosted: Tue Jul 05, 2022 1:59 am

Padawan

Joined: 09 May 2013
Posts: 1914
Location: Bay of Plenty, New Zealand

I wonder if it is because the certificate in question is not in the KDB as a signer but instead as a personal cert. Perhaps when looking for a signer, it only looks in the signer section of the KDB and ignores those certificates that are personal certs?

I haven't tried this out, so just an off-the-wall guess at this point.
_________________
Morag Hughson @MoragHughson
IBM MQ Technical Education Specialist
Get your IBM MQ training here!
MQGem Software