Managing MQ running on Openshift
hughson
Posted: Tue Mar 14, 2023 3:04 am

Padawan

Joined: 09 May 2013
Posts: 1914
Location: Bay of Plenty, New Zealand

andres wrote:
Thanks hughson, it takes some time to understand all auth possibilities.

In the end I sorted it out to connect to the queue manager, test the connection with "amqssslc", send messages with amqsphac and get with amqsgetc.
For some reason, amqsputc gets stuck and it is not sending any message.

Could you explain what you mean by "get stuck" - do you get a return code when you type in a message, or does it fail before then?

andres wrote:
I created my own certificate "/CN=andres/OU=mydomain/O=myorg". But before I created a simple one "/CN=andres/OU=mydomain" and I couldn't establish an SSL connection.

What was the error you got that stopped you establishing an SSL connection with the previous certificate?

andres wrote:
My CHLAUTH looks like this now, is there a precedence between SSLPEERMAP and Address? I think the AUTH is only working if I enable Address and it is not checking SSLPEER.

Code:
AMQ8878I: Display channel authentication record details.
   CHLAUTH(SSL)                            TYPE(SSLPEERMAP)
   DESCR( )                                CUSTOM( )
   SSLPEER(CN=andres,OU=mydomain,O=myorg)
   SSLCERTI( )                             ADDRESS( )
   MCAUSER(mqm)                            USERSRC(MAP)
   CHCKCLNT(ASQMGR)                        ALTDATE(2023-03-14)
   ALTTIME(08.34.01)
AMQ8878I: Display channel authentication record details.
   CHLAUTH(SSL)                            TYPE(ADDRESSMAP)
   DESCR( )                                CUSTOM( )
   ADDRESS(*)                              MCAUSER(mqm)
   USERSRC(MAP)                            CHCKCLNT(ASQMGR)
   ALTDATE(2023-03-14)                     ALTTIME(08.34.44)
6 MQSC commands read.


Forgot to mention that if I remove the CHLAUTH (Address) and I keep only SSLPEER:

Code:
CHLAUTH(SSL)                            TYPE(SSLPEERMAP)
   DESCR( )                                CUSTOM( )
   SSLPEER(CN=andres,OU=mydomain,O=myorg)
   SSLCERTI( )                             ADDRESS( )
   MCAUSER(mqm)                            USERSRC(MAP)
   CHCKCLNT(ASQMGR)                        ALTDATE(2023-03-14)
   ALTTIME(08.34.01)


2023-03-14T09:05:46.011Z mqhtpass: User authentication failed user=andres effuser=andres applname=amqsphac cspuser=andres cc=1 reason=0


So yes, there is a precedence. It will check SSLPEERMAPs before ADDRESSMAPs. If it is matching against the ADDRESSMAP that means that it considers the SSLPEERMAP to not be a match.

If you have a successful connection, issue a DISPLAY CHSTATUS(SSL) ALL and look at the value in the SSLPEER attribute. If you get a failure due to CHLAUTH, you will get an error message in the AMQERR01.LOG showing what it matched against. See I'm being blocked by CHLAUTH - how can I work out why? for more on that. Either way, you will find the value it is matching with.

If it is blank, that means you are not even sending the certificate. If there is something there, make sure it matches what you put in the SSLPEERMAP CHLAUTH rule.

Cheers,
Morag
_________________
Morag Hughson @MoragHughson
IBM MQ Technical Education Specialist
Get your IBM MQ training here!
MQGem Software
fjb_saper
Posted: Tue Mar 14, 2023 6:48 am

Grand High Poobah

Joined: 18 Nov 2003
Posts: 20696
Location: LI,NY

andres wrote:
I created my own certificate "/CN=andres/OU=mydomain/O=myorg". But before I created a simple one "/CN=andres/OU=mydomain" and I couldn't establish an SSL connection.

I believe that's where you went wrong.
Should it not be DN="CN=andres,OU=mydomain,O=myorg"? Note that the different components of the DN are separated by a comma and not a "/"!
(this is not an LDAP entry!)
_________________
MQ & Broker admin
andres
Posted: Tue Mar 14, 2023 8:59 am

Apprentice

Joined: 12 Apr 2013
Posts: 27

Hi,
If the certificate is wrong or I'm not sending the cert, the connection won't happen, so my problem is the SSLPEER.

I created the cert like:
openssl req -newkey rsa:2048 -nodes -keyout flagstaff.qmgr.key -x509 -days 365 -out flagstaff.qmgr.crt \
-subj "/CN=andres/OU=mydomain/O=myorg"

SSLPEER:

SSLPEER(CN=andres,OU=mydomain,O=myorg)

Channel status doesn't show an SSLPEER, and shows a CIPHER I didn't set in the ccdt file:
Code:
  1 : dis chstatus (SSL) all
AMQ8417I: Display Channel Status details.
   CHANNEL(SSL)                            CHLTYPE(SVRCONN)
   BUFSRCVD(6)                             BUFSSENT(5)
   BYTSRCVD(1792)                          BYTSSENT(1824)
   CHSTADA(2023-03-14)                     CHSTATI(16.45.56)
   COMPHDR(NONE,NONE)                      COMPMSG(NONE,NONE)
   COMPRATE(0,0)                           COMPTIME(0,0)
   CONNAME(10.131.0.2)                     CURRENT
   EXITTIME(0,0)                           HBINT(300)
   JOBNAME(0000012B00000759)               LOCLADDR(::ffff:10.129.5.79(1414))
   LSTMSGDA(2023-03-14)                    LSTMSGTI(16.45.56)
   MCASTAT(RUNNING)                        MCAUSER(mqm)
   MONCHL(OFF)                             MSGS(2)
   RAPPLTAG(amqsputc)                      SECPROT(TLSV13)
   SSLCERTI( )
   SSLCIPH(TLS_CHACHA20_POLY1305_SHA256)
   SSLKEYDA( )                             SSLKEYTI( )
   SSLPEER( )                              SSLRKEYS(0)
   STATUS(RUNNING)                         STOPREQ(NO)



And then, ccdt looks like:

Code:
{
    "channel":
    [
        {
            "name": "SSL",
            "clientConnection":
            {
                "connection":
                [
                    {
                        "host": "ssl.chl.mqdev.mydomain.org",
                        "port": 443
                    }
                ],
                "queueManager": "mqdev"
            },
            "transmissionSecurity":
            {
              "cipherSpecification": "ANY_TLS12_OR_HIGHER"
            },
            "type": "clientConnection"
        }
    ]
}


And then I sent a message like:

Code:
export MQCCDTURL="/mnt/c/Temp/mq-helm-main/samples/openshift/test/ccdt_generated.json"
export MQSSLKEYR="/mnt/c/Temp/mq-helm-main/samples/openshift/test/new/key"

echo "Starting amqsphac" flagstaff
/home/andres/mqclient/samp/bin/amqsphac DEV.QUEUE.2 mqdev
# test ssl
/home/andres/mqclient/samp/bin/amqssslc -m flagstaff -c "SSL" -x "ssl.chl.mqdev.mydomain.org(443)" -k /mnt/c/Temp/mq-helm-main/samples/openshift/test/new/key -s ANY_TLS12_OR_HIGHER
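A small checker, added here as an illustration and not code from this thread or from IBM MQ, that ties together Morag's advice (compare the SSLPEER shown by DISPLAY CHSTATUS with the SSLPEERMAP rule, remembering that SSLPEERMAP rules are tried before ADDRESSMAP rules) and fjb_saper's point about the comma-separated DN form. The sample CHLAUTH and CHSTATUS records are constructed to resemble the ones above, and the SSLPEER matching is a simplified approximation (attribute order ignored, values compared exactly), so treat it as a diagnostic aid rather than a reimplementation of MQ's rules.

```python
import re

ATTR_RE = re.compile(r"([A-Z]+)\(([^()]*)\)")
# Constructed sample records modelled on the DISPLAY output quoted in this thread.
CHLAUTH_RULES = [
    "CHLAUTH(SSL) TYPE(SSLPEERMAP) SSLPEER(CN=andres,OU=mydomain,O=myorg) MCAUSER(mqm)",
    "CHLAUTH(SSL) TYPE(ADDRESSMAP) ADDRESS(*) MCAUSER(mqm)",
]
CHSTATUS_NO_CERT = "CHANNEL(SSL) CONNAME(10.131.0.2) SSLPEER( ) MCAUSER(mqm)"
CHSTATUS_WITH_CERT = "CHANNEL(SSL) CONNAME(10.131.0.2) SSLPEER(SERIALNUMBER=01,CN=andres,OU=mydomain,O=myorg)"

def parse_mqsc(record):
    """Flatten NAME(value) pairs of one MQSC record into a dict (values holding
    their own parentheses, e.g. LOCLADDR, are not handled by this simple regex)."""
    return {k: v.strip() for k, v in ATTR_RE.findall(record)}

def openssl_subj_to_mq(subj):
    """Rewrite openssl's '/CN=a/OU=b/O=c' -subj form as MQ's 'CN=a,OU=b,O=c'."""
    return ",".join(p for p in subj.split("/") if p)

def parse_dn(dn):
    return [tuple(s.strip() for s in p.split("=", 1)) for p in dn.split(",") if "=" in p]

def sslpeer_matches(rule, peer_dn):
    """Simplified SSLPEER test: each attribute in the rule must appear in the peer DN
    with the same value ('*' suffix = prefix wildcard). Assumption: order is ignored."""
    if not peer_dn.strip():
        return False  # blank SSLPEER in CHSTATUS: the client sent no certificate
    peer = parse_dn(peer_dn)
    for attr, want in parse_dn(rule):
        got = [v for a, v in peer if a.upper() == attr.upper()]
        if not any(v.startswith(want[:-1]) if want.endswith("*") else v == want for v in got):
            return False
    return True

def address_matches(pattern, conname):
    return pattern == "*" or conname == pattern or (
        pattern.endswith("*") and conname.startswith(pattern[:-1]))

def matching_rule(chlauth_records, chstatus_record):
    """TYPE of the mapping rule the connection hits: SSLPEERMAP rules are tried
    before ADDRESSMAP rules, as Morag describes (other CHLAUTH types omitted)."""
    status = parse_mqsc(chstatus_record)
    rules = [parse_mqsc(r) for r in chlauth_records]
    for rule in sorted(rules, key=lambda r: 0 if r["TYPE"] == "SSLPEERMAP" else 1):
        if rule["TYPE"] == "SSLPEERMAP" and sslpeer_matches(rule["SSLPEER"], status.get("SSLPEER", "")):
            return rule["TYPE"]
        if rule["TYPE"] == "ADDRESSMAP" and address_matches(rule["ADDRESS"], status.get("CONNAME", "")):
            return rule["TYPE"]
    return None
```

With a blank SSLPEER in the status record the connection falls through to the ADDRESSMAP rule, which is exactly the symptom described above; once the DN is present and matches, the SSLPEERMAP rule wins.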
exerk
Posted: Tue Mar 14, 2023 11:38 am

Jedi Council

Joined: 02 Nov 2006
Posts: 6339

andres wrote:
Channel status doesn't show an SSLPEER, and shows a CIPHER I didn't set in the ccdt file...

You set the CIPHER to an alias value (ANY_TLS12_OR_HIGHER), which means both ends negotiate an acceptable value, hence the Cipher Spec you are seeing.
_________________
It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys.
Page 2 of 2