Friday, 21 April 2017

WebSphere MQ - Advanced Message Security - Some tinkering and AMQ9021

This is the first of a few posts about my voyage of discovery with WebSphere MQ (now IBM MQ) Advanced Message Security (AMS), in the context of message authentication and encryption.

Thus far, I've broken it twice :-)

I'm following this tutorial: -


and was able to successfully send messages from Alice to Bob, via an MQ Queue Manager.

However, I did hit two exceptions: -

/opt/ibm/mqm/samp/bin/amqsput TESTQ TESTQM

Sample AMQSPUT0 start
target queue is TESTQ
MQOPEN ended with reason code 2063
unable to open queue for output
Sample AMQSPUT0 end


The Queue Manager log gave me the clue: -

cat /var/mqm/qmgrs/TESTQM/errors/AMQERR01.LOG 

04/21/2017 04:35:27 PM - Process(27379.1) User(alice) Program(amqsput)
                    Host(bpm857.novalocal) Installation(Installation2)
                    VRMF(7.5.0.2) QMgr(TESTQM)
                   
AMQ9021: An error occured during the certificate import for the following DN:
CN=bpm857.novalocal,OU=PSCell1,OU=Dmgr,O=IBM,C=US, result: 60

EXPLANATION:
The distinguished name is not present in the keystore or invalid.

AMQ9070: The WebSphere MQ security policy interceptor failed to validate a
certificate.

EXPLANATION:
The WebSphere MQ security policy interceptor could not validate a certificate.

...

This was seen when attempting to send a message as user alice.

In the first instance, this was occurring because I'd put the DN of the Personal Certificate for my WAS cell: -

"CN=bpm857.novalocal,OU=PSCell1,OU=Dmgr,O=IBM,C=US"

into the MQ Security Policy: -

setmqspl -m $QMGR -p $Q -s SHA1 -a "CN=alice,O=IBM,C=GB" -e AES256 -r "CN=bob,O=IBM,C=GB" -r "CN=bpm857.novalocal,OU=PSCell1,OU=Dmgr,O=IBM,C=US"

rather than the DN of the Signer (root) Certificate that issued it: -

setmqspl -m $QMGR -p $Q -s SHA1 -a "CN=alice,O=IBM,C=GB" -e AES256 -r "C=US, O=IBM, OU=Dmgr, OU=PSCell1, OU=Root Certificate, CN=bpm857.novalocal"

I'd pulled the Subject DN of the Signer Certificate via openssl: -

openssl x509 -in /tmp/was_ca.arm -text -noout

...
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 728601959222 (0xa9a40f9b36)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=US, O=IBM, OU=Dmgr, OU=PSCell1, OU=Root Certificate, CN=bpm857.novalocal
        Validity
            Not Before: Mar 12 07:12:08 2017 GMT
            Not After : Mar  8 07:12:08 2032 GMT
        Subject: C=US, O=IBM, OU=Dmgr, OU=PSCell1, OU=Root Certificate, CN=bpm857.novalocal
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)


It was also necessary to add the Signer Certificate into Alice's keystore, since AMS looks the recipient DN up there when the message is put: -

/opt/ibm/mqm/bin/runmqakm -cert -add -db /home/alice/.mqs/alicekey.kdb -pw passw0rd -label CN=BPM857 -file /tmp/was_ca.arm 

Once I did this, I hit another problem: -

04/21/2017 04:58:28 PM - Process(28212.1) User(alice) Program(amqsput)
                    Host(bpm857.novalocal) Installation(Installation2)
                    VRMF(7.5.0.2) QMgr(TESTQM)
                   
AMQ9021: An error occured during the certificate import for the following DN:
CN=bpm857.novalocal,OU=PSCell1,OU=Dmgr,O=IBM,C=US, result: 57

EXPLANATION:
The distinguished name is not present in the keystore or invalid.

...

The solution wasn't too difficult to find …

I'd added the Signer Certificate's DN to the MQ Security Policy with its attributes in the wrong order. setmqspl matches the DN string against the certificate in the keystore, and it expects the attributes CN-first, i.e. the reverse of the order that openssl's default text output prints them in.

I'd added this: -

C=US, O=IBM, OU=Dmgr, OU=PSCell1, OU=Root Certificate, CN=bpm857.novalocal

rather than this: -

CN=bpm857.novalocal, OU=Root Certificate, OU=PSCell1, OU=Dmgr, O=IBM, C=US

i.e.

setmqspl -m $QMGR -p $Q -s SHA1 -a "CN=alice,O=IBM,C=GB" -e AES256 -r "CN=bob,O=IBM,C=GB" -r "CN=bpm857.novalocal, OU=Root Certificate, OU=PSCell1, OU=Dmgr, O=IBM, C=US"

Once I fixed the policy, it just started working.
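As an added example (not from the original post, and not IBM's tooling), here is a small POSIX shell helper that turns a DN in the order openssl prints it into the CN-first order setmqspl expects, refuses to build a policy command from a DN that is still in the wrong order, and assembles the setmqspl line. The assumption is that RDNs are separated by commas and no RDN value itself contains a comma; the queue manager, queue and user DNs are the ones used on this page, and /tmp/was_ca.arm is only read if openssl happens to be installed and the file exists.

```shell
#!/bin/sh
# Added example: normalise X.500 DNs for AMS policies (setmqspl).
# Assumption: RDNs are comma-separated and no RDN value contains a comma.

# Reverse the RDN order, e.g. "C=US, O=IBM, CN=x" -> "CN=x, O=IBM, C=US".
# Output uses ", " as the separator, matching the form that worked on this page.
reverse_dn() {
    printf '%s\n' "$1" | awk -F', *' '{
        out = $NF
        for (i = NF - 1; i >= 1; i--) out = out ", " $i
        print out
    }'
}

# Pre-flight check: a DN destined for -a or -r must start with CN=.
dn_is_cn_first() {
    case "$1" in
        CN=*) return 0 ;;
        *)    return 1 ;;
    esac
}

# Assemble the setmqspl command line (printed, not executed, so this runs
# without MQ installed).  $1 = queue manager, $2 = queue, $3 = author DN,
# remaining arguments = recipient DNs.  Every DN is checked first, so the
# mistake from the second AMQ9021 (result 57) is caught before the policy is set.
build_setmqspl() {
    qmgr=$1; q=$2; author=$3; shift 3
    for dn in "$author" "$@"; do
        dn_is_cn_first "$dn" || {
            printf 'refusing DN that is not CN-first: %s\n' "$dn" >&2
            return 1
        }
    done
    cmd="setmqspl -m $qmgr -p $q -s SHA1 -a \"$author\" -e AES256"
    for r in "$@"; do
        cmd="$cmd -r \"$r\""
    done
    printf '%s\n' "$cmd"
}

# Constructed sample input: the signer DN exactly as openssl printed it above.
WAS_CA_DN='C=US, O=IBM, OU=Dmgr, OU=PSCell1, OU=Root Certificate, CN=bpm857.novalocal'

# Optional, only when openssl and the signer file are present: -nameopt RFC2253
# already prints the subject CN-first (prefixed with "subject="), so it can be
# compared against reverse_dn's output.
if command -v openssl >/dev/null 2>&1 && [ -r /tmp/was_ca.arm ]; then
    openssl x509 -in /tmp/was_ca.arm -noout -subject -nameopt RFC2253
fi

SIGNER_DN=$(reverse_dn "$WAS_CA_DN")
build_setmqspl TESTQM TESTQ 'CN=alice,O=IBM,C=GB' 'CN=bob,O=IBM,C=GB' "$SIGNER_DN"
```

Run it and paste the printed setmqspl line into the MQ environment; feeding it the openssl-order DN instead makes build_setmqspl fail rather than silently producing a policy that AMS cannot match against the keystore. The CN-first form is also the order you see when you inspect the certificate with runmqakm -cert -details on the keystore, which is the quickest way to confirm the string before it goes into the policy.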

Now to get WebSphere Application Server (WAS) to read messages from the Queue …..

For the record, these sources were of use: -




