AMS and the MQ Explorer
Boyd | Novice | Joined: 06 Apr 2014 | Posts: 16
Posted: Thu Apr 24, 2014 12:28 pm | Post subject: AMS and the MQ Explorer

I am trying to get the Quick Start for AMS working with the MQ Explorer.
 So now I have users Bob and Alice on Linux,
 
 and user Exp (to run the explorer on) on Windows and Linux
 
 On Windows, Exp has the following defined:
 
 Directory of C:\Users\Exp \AMS
 
 04/23/2014  01:22 PM    <DIR>          .
 04/23/2014  01:22 PM    <DIR>          ..
 04/23/2014  01:22 PM               465 Exp_Java_Cert.cer
 04/16/2014  12:35 PM               173 keystore.conf
 04/23/2014  01:21 PM             1,243 keystore.jks
 3 File(s)          1,881 bytes
 2 Dir(s)  20,714,684,416 bytes free
 
 C:\Users\Exp \AMS>keytool -list -v -keystore keystore.jks
 Enter keystore password:
 
 *****************  WARNING WARNING WARNING  *****************
 * The integrity of the information stored in the keystore  *
 * has NOT been verified!  In order to verify its integrity, *
 * you must provide the srckeystore password.                  *
 *****************  WARNING WARNING WARNING  *****************
 
 Keystore type: jks
 Keystore provider: IBMJCE
 
 Your keystore contains 1 entry
 
 Alias name: Exp_java_cert
 Creation date: Apr 23, 2014
 Entry type: keyEntry
 Certificate chain length: 1
 Certificate[1]:
 Owner: CN=Exp, O=IBM, C=GB
 Issuer: CN=Exp, O=IBM, C=GB
 Serial number: 535820c6
 Valid from: 4/23/14 1:21 PM until: 7/22/14 1:21 PM
 Certificate fingerprints:
 MD5:  37:AD:43:F2:6C:1F:BF:3C:9A:73:41:74:0F:C9:EC:E3
 SHA1: FE:5D:E2:93:B7:7E:9D:B0:B4:DB:21:C3:81:4A:C9:96:B9:F9:5A:C4
 
 
 *******************************************
 *******************************************
 
 C:\Users\Exp \AMS>
 
 In the Linux machine, with user Alice I see the following certs:
 
 [root@mmclnt1 .mqs]# runmqakm -cert -details -db /home/alice/.mqs/alicekey.kdb -pw passw0rd -label Bob_Cert
 Label : Bob_Cert
 Key Size : 1024
 Version : X509 V3
 Serial : 636a9d70e1ef80c8
 Issuer : CN=bob,O=IBM,C=GB
 Subject : CN=bob,O=IBM,C=GB
 Not Before : April 6, 2014 5:30:42 PM EDT
 Not After : April 7, 2015 5:30:42 PM EDT
 Public Key Type : RSA (1.2.840.113549.1.1.1)
 Fingerprint : SHA1 :
 FB 50 12 FB AD 09 4D 6F 05 63 75 FC A5 B9 4B 08
 9E A0 B2 0D
 Fingerprint : MD5 :
 77 90 D1 BB 72 AE 48 5E 63 D5 7D 6E C3 D1 58 83
 Fingerprint : SHA256 :
 C6 BC 75 AE 65 4C 4F 60 B5 F2 C5 5C 83 F7 62 A5
 95 05 F9 BD 2D F9 C0 10 E6 F1 B4 55 CB C0 DC E5
 Signature Algorithm : SHA1WithRSASignature (1.2.840.113549.1.1.5)
 Trust Status : Enabled
 [root@mmclnt1 .mqs]#
 [root@mmclnt1 .mqs]#
 [root@mmclnt1 .mqs]# runmqakm -cert -details -db /home/alice/.mqs/alicekey.kdb -pw passw0rd -label Exp_Java_Cert
 Label : Exp_Java_Cert
 Key Size : 1024
 Version : X509 V3
 Serial : 535820c6
 Issuer : CN=Exp,O=IBM,C=GB
 Subject : CN=Exp,O=IBM,C=GB
 Not Before : April 23, 2014 4:21:26 PM EDT
 Not After : July 22, 2014 4:21:26 PM EDT
 Public Key Type : RSA (1.2.840.113549.1.1.1)
 Fingerprint : SHA1 :
 FE 5D E2 93 B7 7E 9D B0 B4 DB 21 C3 81 4A C9 96
 B9 F9 5A C4
 Fingerprint : MD5 :
 37 AD 43 F2 6C 1F BF 3C 9A 73 41 74 0F C9 EC E3
 Fingerprint : SHA256 :
 E9 A9 09 BD 50 40 A4 57 D5 A4 C1 07 8A 8E C6 89
 8E 9A CD 45 28 78 0A 07 CF AC 97 D6 DC 2B D2 25
 Signature Algorithm : MD5WithRSASignature (1.2.840.113549.1.1.4)
 Trust Status : Enabled
 [root@mmclnt1 .mqs]#
 [root@mmclnt1 .mqs]#
 [root@mmclnt1 .mqs]# runmqakm -cert -details -db /home/alice/.mqs/alicekey.kdb -pw passw0rd -label Alice_Cert
 Label : Alice_Cert
 Key Size : 1024
 Version : X509 V3
 Serial : 3c62fcaea625b14d
 Issuer : CN=alice,O=IBM,C=GB
 Subject : CN=alice,O=IBM,C=GB
 Not Before : April 6, 2014 5:30:42 PM EDT
 Not After : April 7, 2015 5:30:42 PM EDT
 Public Key Type : RSA (1.2.840.113549.1.1.1)
 Fingerprint : SHA1 :
 D3 7B 91 DB 25 DC 71 DF 4A E0 73 05 29 D7 30 23
 4B 71 E3 A7
 Fingerprint : MD5 :
 5A BF 35 10 8A 8D 3E BC C6 F8 F7 42 CD 50 21 48
 Fingerprint : SHA256 :
 69 79 74 5A C4 79 05 A8 DF AE 51 8A FB 2B F4 F5
 12 9E F1 CB 9E E4 48 04 99 80 51 21 ED 30 61 6A
 Signature Algorithm : SHA1WithRSASignature (1.2.840.113549.1.1.5)
 Trust Status : Enabled
 [root@mmclnt1 .mqs]#
 
 
 I then test, by putting a message into the queue from Linux (not from Windows)
 
 [root@mmclnt1 bin]# cd /opt/mqm/samp/bin
 [root@mmclnt1 bin]# su alice
 [alice@mmclnt1 bin]$ ./amqsput TEST.Q QM_VERIFY_AMS
 Sample AMQSPUT0 start
 target queue is TEST.Q
 Hello World
 
 Sample AMQSPUT0 end
 [alice@mmclnt1 bin]$
 
 Prior to this point, I can browse the TEST.Q, but only if it does not have any messages within it.  This only happens once it has a cert assigned to Exp.  Otherwise, it will fail.
 
 However, if I then try to browse the queue when it has a message (by using the amqsget command above), I get the following error:
 
 The request received an unexpected reason code from an underlying API
 or command request.  The reason code was 2063 (AMQ4048)
 
 2063:  Security Error
 4048:  Unexpected reason code
 
 I rebooted the WMQ after processing all certs and policies
 
 The policy states:
 
 [root@mmclnt1 bin]# su - mqm
 -bash-4.1$ dspmqspl -m QM_VERIFY_AMS -p TEST.Q
 Policy Details:
 Policy name: TEST.Q
 Quality of protection: PRIVACY
 Signature algorithm: SHA1
 Encryption algorithm: AES256
 Signer DNs:
 CN=alice,O=IBM,C=GB
 Recipient DNs:
 CN=bob,O=IBM,C=GB
 CN=Exp,O=IBM,C=GB
 Toleration: 0
 -bash-4.1$
 
 The users have the following authorities for TEST.Q
 
 -bash-4.1$ dspmqaut -m QM_VERIFY_AMS -t q -n TEST.Q -p alice
 Entity alice has the following authorizations for object TEST.Q:
 get
 browse
 put
 inq
 set
 dlt
 chg
 dsp
 passid
 passall
 setid
 setall
 clr
 -bash-4.1$
 -bash-4.1$ dspmqaut -m QM_VERIFY_AMS -t q -n TEST.Q -p bob
 Entity bob has the following authorizations for object TEST.Q:
 get
 browse
 put
 inq
 set
 dlt
 chg
 dsp
 passid
 passall
 setid
 setall
 clr
 -bash-4.1$
 -bash-4.1$ dspmqaut -m QM_VERIFY_AMS -t q -n TEST.Q -p Exp
 Entity Exp  has the following authorizations for object TEST.Q:
 get
 browse
 put
 inq
 set
 dlt
 chg
 dsp
 passid
 passall
 setid
 setall
 clr
 -bash-4.1$
 
 
 How can I proceed to resolve this?
		  |  |  
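The post above shows the same identity in three places: the Windows JKS keystore, Alice's kdb, and the TEST.Q policy. As an added example (not part of the original posts and not IBM code; the function names are hypothetical), this Python check confirms from the posted `keytool`, `runmqakm` and `dspmqspl` output that the entries describe one certificate and that its DN is a policy recipient. It checks consistency only and assumes DNs without escaped commas.

```python
import re

# Excerpts of the command output posted above, trimmed to the fields compared.
KEYTOOL = """Owner: CN=Exp, O=IBM, C=GB
SHA1: FE:5D:E2:93:B7:7E:9D:B0:B4:DB:21:C3:81:4A:C9:96:B9:F9:5A:C4
"""
RUNMQAKM = """Subject : CN=Exp,O=IBM,C=GB
Fingerprint : SHA1 :
FE 5D E2 93 B7 7E 9D B0 B4 DB 21 C3 81 4A C9 96
B9 F9 5A C4
Fingerprint : MD5 :
"""
DSPMQSPL = """Recipient DNs:
CN=bob,O=IBM,C=GB
CN=Exp,O=IBM,C=GB
Toleration: 0
"""

def norm_dn(dn):
    # Assumes no escaped commas inside RDN values; value case is kept as written.
    return ",".join(part.strip() for part in dn.split(","))

def norm_fp(text):
    # Reduce a colon- or space-separated fingerprint to bare uppercase hex.
    return re.sub(r"[^0-9A-Fa-f]", "", text).upper()

def keytool_entry(out):
    owner = re.search(r"^\s*Owner:\s*(.+)$", out, re.M).group(1)
    sha1 = re.search(r"^\s*SHA1:\s*([0-9A-Fa-f:]+)", out, re.M).group(1)
    return norm_dn(owner), norm_fp(sha1)

def runmqakm_entry(out):
    subject = re.search(r"^\s*Subject\s*:\s*(.+)$", out, re.M).group(1)
    # runmqakm wraps the fingerprint over the lines that follow its header.
    rows = re.search(r"Fingerprint : SHA1 :[ \t]*\n((?:[ \t]*(?:[0-9A-F]{2} ?)+\n)+)", out)
    return norm_dn(subject), norm_fp(rows.group(1))

def policy_recipients(out):
    dns = []
    for line in out.split("Recipient DNs:", 1)[1].splitlines()[1:]:
        if not re.match(r"\s*[A-Za-z]+=", line):
            break  # next field of the policy listing (e.g. Toleration)
        dns.append(norm_dn(line))
    return dns

def check(keytool_out, kdb_out, policy_out):
    jks_dn, jks_fp = keytool_entry(keytool_out)
    kdb_dn, kdb_fp = runmqakm_entry(kdb_out)
    return {"same_certificate": jks_fp == kdb_fp,
            "subject_matches": jks_dn == kdb_dn,
            "is_policy_recipient": jks_dn in policy_recipients(policy_out)}
```
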
mvic | Jedi | Joined: 09 Mar 2004 | Posts: 2080
Posted: Thu Apr 24, 2014 4:51 pm | Post subject: Re: AMS and the MQ Explorer

Boyd wrote: "I am trying to get the Quick Start for AMS working with the MQ Explorer"

Why would you want to do that?  Do the MQ Explorer's metadata messages contain particularly sensitive information, such that it must be encrypted when on queues?
		  |  |  
fjb_saper | Grand High Poobah | Joined: 18 Nov 2003 | Posts: 20767 | Location: LI,NY
Posted: Fri Apr 25, 2014 5:48 am | Post subject:

browse and amqsget are mutually exclusive!
 If you want to browse you need to use amqsbcg (from memory)...
 _________________
 MQ & Broker admin
		  |  |  
Boyd | Novice | Joined: 06 Apr 2014 | Posts: 16
Posted: Fri Apr 25, 2014 6:25 am | Post subject:

The reason I want to do this:
 1> Official reason:  I have been assigned the task

 I will try to use the amqbws command, but I still need to get the explorer to work with this queue.

 Any ideas of why the configuration I specified at the top of the post did not work?
 
 Thanks
		  |  |  
Boyd | Novice | Joined: 06 Apr 2014 | Posts: 16
Posted: Fri Apr 25, 2014 6:27 am | Post subject:

By the way, I was probably not clear
 What I am trying to do is perform an amqsput to put to the queue
 
 But I want to use the MQ Explorer to browse the queue, not the amqsbws
 
 Thanks
		  |  |  
fjb_saper | Grand High Poobah | Joined: 18 Nov 2003 | Posts: 20767 | Location: LI,NY
Posted: Fri Apr 25, 2014 7:04 am | Post subject:

O.K. so here are the steps

1. Make sure that you can access any queue from MQExplorer on that qmgr
2. Make sure you have the correct rights (oem=>browse + get + inq + dsp) on the AMS queue.
3. Turn on security events
4. Browse the queue
5. Turn off security events
6. Evaluate
 
 Have fun
  _________________
 MQ & Broker admin
		  |  |  
mvic | Jedi | Joined: 09 Mar 2004 | Posts: 2080
Posted: Fri Apr 25, 2014 7:50 am | Post subject:

Please remember that AMS is about getting a message from sender A to recipient B without anyone else being able to view it.  So, the message will be encrypted while it is on the queue.  Only recipient B has the ability to decrypt and so view the message.  If you are administrator C running the explorer, you cannot expect to be able to read the message in transit between sender A and recipient B.
 If you just want the ability to see that a message is present, you can create a QALIAS, and browse it.  This approach is described already at http://pic.dhe.ibm.com/infocenter/wmqv7/v7r5/topic/com.ibm.mq.sec.doc/q014700_.htm