This is the first of a few posts about my voyage of discovery with WebSphere MQ (now IBM MQ) Advanced Message Security (AMS), in the context of message authentication and encryption.
Thus far, I've broken it twice :-)
I'm following this tutorial: -
and was able to successfully send messages from Alice to Bob, via an MQ Queue Manager.
However, I did hit two exceptions: -
/opt/ibm/mqm/samp/bin/amqsput TESTQ TESTQM
Sample AMQSPUT0 start
target queue is TESTQ
MQOPEN ended with reason code 2063
unable to open queue for output
Sample AMQSPUT0 end
The Queue Manager log gave me the clue: -
cat /var/mqm/qmgrs/TESTQM/errors/AMQERR01.LOG
…
04/21/2017 04:35:27 PM - Process(27379.1) User(alice) Program(amqsput)
Host(bpm857.novalocal) Installation(Installation2)
VRMF(7.5.0.2) QMgr(TESTQM)
AMQ9021: An error occured during the certificate import for the following DN:
CN=bpm857.novalocal,OU=PSCell1,OU=Dmgr,O=IBM,C=US, result: 60
EXPLANATION:
The distinguished name is not present in the keystore or invalid.
…
AMQ9070: The WebSphere MQ security policy interceptor failed to validate a
certificate.
EXPLANATION:
The WebSphere MQ security policy interceptor could not validate a certificate.
...
This was seen when attempting to send a message as user Alice.
In the first instance, this was occurring because I'd put the Personal Certificate for my WAS cell: -
"CN=bpm857.novalocal,OU=PSCell1,OU=Dmgr,O=IBM,C=US"
into the MQ Security Policy: -
setmqspl -m $QMGR -p $Q -s SHA1 -a "CN=alice,O=IBM,C=GB" -e AES256 -r "CN=bob,O=IBM,C=GB" -r "CN=bpm857.novalocal,OU=PSCell1,OU=Dmgr,O=IBM,C=US"
rather than the Signer Certificate: -
setmqspl -m $QMGR -p $Q -s SHA1 -a "CN=alice,O=IBM,C=GB" -e AES256 -r "C=US, O=IBM, OU=Dmgr, OU=PSCell1, OU=Root Certificate, CN=bpm857.novalocal"
I'd pulled the Subject DN of the certificate via openssl: -
openssl x509 -in /tmp/was_ca.arm -text -noout
...
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 728601959222 (0xa9a40f9b36)
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=US, O=IBM, OU=Dmgr, OU=PSCell1, OU=Root Certificate, CN=bpm857.novalocal
Validity
Not Before: Mar 12 07:12:08 2017 GMT
Not After : Mar 8 07:12:08 2032 GMT
Subject: C=US, O=IBM, OU=Dmgr, OU=PSCell1, OU=Root Certificate, CN=bpm857.novalocal
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
…
It was also necessary to add the Signer Certificate into Alice's key store: -
/opt/ibm/mqm/bin/runmqakm -cert -add -db /home/alice/.mqs/alicekey.kdb -pw passw0rd -label CN=BPM857 -file /tmp/was_ca.arm
Once I did this, I hit another problem: -
…
04/21/2017 04:58:28 PM - Process(28212.1) User(alice) Program(amqsput)
Host(bpm857.novalocal) Installation(Installation2)
VRMF(7.5.0.2) QMgr(TESTQM)
AMQ9021: An error occured during the certificate import for the following DN:
CN=bpm857.novalocal,OU=PSCell1,OU=Dmgr,O=IBM,C=US, result: 57
EXPLANATION:
The distinguished name is not present in the keystore or invalid.
...
The solution wasn't too difficult to find …
I'd added the Signer Certificate's DN to the MQ Security Policy in the wrong format, namely in the order openssl prints it (C first) rather than with the CN first.
I'd added this: -
C=US, O=IBM, OU=Dmgr, OU=PSCell1, OU=Root Certificate, CN=bpm857.novalocal
rather than this: -
CN=bpm857.novalocal, OU=Root Certificate, OU=PSCell1, OU=Dmgr, O=IBM, C=US
i.e.
setmqspl -m $QMGR -p $Q -s SHA1 -a "CN=alice,O=IBM,C=GB" -e AES256 -r "CN=bob,O=IBM,C=GB" -r "CN=bpm857.novalocal, OU=Root Certificate, OU=PSCell1, OU=Dmgr, O=IBM, C=US"
Once I fixed the policy, it just started working.
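As an added example (not part of the original post, and not IBM's tooling), here is a small Python helper that converts a DN as printed by openssl into the CN-first order the working setmqspl policy used, and checks a policy command line against a certificate's subject. Run against the DNs from this post it flags both mistakes above: the personal certificate's DN in place of the signer's, and the signer's DN in reversed order. The helper and constant names are my own.

```python
import re
import shlex

# Split a DN into RDNs on commas that are not escaped with a backslash.
_RDN_SPLIT = re.compile(r'(?<!\\),')

# Sample values taken from this post (constructed test data for the helper).
SIGNER_SUBJECT = "C=US, O=IBM, OU=Dmgr, OU=PSCell1, OU=Root Certificate, CN=bpm857.novalocal"
PERSONAL_POLICY = ('setmqspl -m $QMGR -p $Q -s SHA1 -a "CN=alice,O=IBM,C=GB" -e AES256 '
                   '-r "CN=bob,O=IBM,C=GB" -r "CN=bpm857.novalocal,OU=PSCell1,OU=Dmgr,O=IBM,C=US"')
REVERSED_POLICY = ('setmqspl -m $QMGR -p $Q -s SHA1 -a "CN=alice,O=IBM,C=GB" -e AES256 '
                   '-r "C=US, O=IBM, OU=Dmgr, OU=PSCell1, OU=Root Certificate, CN=bpm857.novalocal"')
WORKING_POLICY = ('setmqspl -m $QMGR -p $Q -s SHA1 -a "CN=alice,O=IBM,C=GB" -e AES256 '
                  '-r "CN=bob,O=IBM,C=GB" '
                  '-r "CN=bpm857.novalocal, OU=Root Certificate, OU=PSCell1, OU=Dmgr, O=IBM, C=US"')


def parse_dn(dn):
    """Return the DN as a list of (attribute, value) pairs in the order written."""
    rdns = []
    for part in _RDN_SPLIT.split(dn):
        attr, _, value = part.strip().partition('=')
        if not attr or not value:
            raise ValueError(f"malformed RDN {part!r} in DN {dn!r}")
        rdns.append((attr.strip().upper(), value.strip()))
    return rdns


def openssl_to_ams_dn(openssl_dn):
    """Reverse the RDN order printed by openssl (C first) to CN first."""
    return ', '.join(f"{a}={v}" for a, v in reversed(parse_dn(openssl_dn)))


def recipients_from_setmqspl(cmdline):
    """Collect every -r <DN> argument from a setmqspl command line."""
    args = shlex.split(cmdline)
    return [args[i + 1] for i, tok in enumerate(args[:-1]) if tok == '-r']


def policy_recipient_matches(cmdline, openssl_subject):
    """True if one -r DN in the policy equals the certificate subject, attribute by attribute."""
    want = parse_dn(openssl_to_ams_dn(openssl_subject))
    return any(parse_dn(r) == want for r in recipients_from_setmqspl(cmdline))
```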
Now to get WebSphere Application Server (WAS) to read messages from the Queue …
For the record, these sources were of use: -