Unable to establish a secure connection with IBM MQ from an MQI client - ibm-mq

I am trying to make a secure connection with MQ with the below command:
./amqssslc -c CLI.QM1.T -x <remote_server> -k clientkey -s <SOME CIPHER NAME>
I have created the clientkey.kdb using below commands:
runmqakm -keydb -create -db clientkey.kdb -pw passw0rd -type pkcs12 -expire 1000 -stash
runmqakm -cert -add -label QM1.cert -db clientkey.kdb -stashed -trust enable -file /root.cer
I got the below error:
No OCSP configuration specified.
MQCONNX ended with reason code 2393
Error in the log file:
AMQ9620E: Internal error on call to SSL function on channel 'CLI.QM1.T' to
host 'host-name'.
EXPLANATION:
An error indicating a software problem was returned from a function which is
used to provide SSL or TLS support. The error code returned was '9'. The
function call was 'gsk_environment_init'.
The channel is 'CLI.QM1.T'; in some cases its name cannot be determined and
so is shown as '????'. The channel did not start.
The remote host name is 'host-name'.
ACTION:
Collect the items listed in the 'Problem determination' section of the System
Administration manual and use either the MQ Support site:
http://www.ibm.com/software/integration/wmq/support/, or IBM Support Assistant
(ISA): http://www.ibm.com/software/support/isa/, to see whether a solution is
already available. If you are unable to find a match, contact your IBM support
center.
Can you please help me solve this? I am using IBM MQ version 9.1.0.11.
Besides, I got the private key name.p12; should I use this somewhere to establish the connection from the MQ client?

Related

Making POST request on HTTPS using Jira API in a Jira instance

My Jira instance is running on an HTTPS port. I have written a script that creates sub-tasks of a task in a project using a Jira API POST request on the Jira instance. It was working fine on my HTTP version. When I shifted to the HTTPS version, it started giving errors.
Error 1:
It gave the certificate error that was not present in Java.
Resolution: I resolved the issue using the commands below in my Jira instance.
openssl x509 -in <(openssl s_client -connect 192.168.2.214:8083 -prexit 2>/dev/null) -out ~/server-name.crt
keytool -importcert -file ~/server-name.crt -alias server-name -keystore $JAVA_HOME/jre/lib/security/cacerts -storepass changeit
My Instance is running on AWS and has different internal and external IPs to access it.
The problem I am facing after resolving the above issue is:
javax.net.ssl.SSLHandshakeException: No subject alternative names matching IP address 192.168.2.214 found
at Script2.run(Script2.groovy:11)
Caused by: java.security.cert.CertificateException: No subject alternative names matching IP address 192.168.2.214 found
... 1 more
My internal IP is 192.168.2.214 and my external IP is different from it.
My external IP is mapped to a URL and the certificate is purchased against that URL.
How do I get rid of this error, as I can only access my HTTPS port using the internal IP when making an API call, and there is no HTTP port defined? If I define an HTTP port, I would need to reconstruct my whole instance, which is not possible at the moment.
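The handshake failure above is the JVM's hostname verification working as designed: the certificate was issued for the external name, and an IP literal is only ever compared against an "IP Address" SAN, never against a DNS name. The Python below is an added example, not code from the question or from Jira; it reimplements that matching rule over a constructed SAN list (the DNS names are placeholders, the IP is the internal address from the question) so you can see which connection targets a given certificate covers. The two ways to make the check pass are to connect by a name the certificate carries (for example by pointing that name at the internal IP in the hosts file) or to obtain a certificate whose SAN includes the internal IP.

```python
import ipaddress

# Constructed SAN list in the shape ssl.SSLSocket.getpeercert()["subjectAltName"]
# returns, standing in for a certificate bought for the instance's external name.
# The DNS names are placeholders; the IP is the internal address from the question.
PEER_SANS = (("DNS", "jira.example.com"), ("DNS", "*.example.com"))
INTERNAL_IP = "192.168.2.214"

def dns_name_matches(pattern, host):
    """DNS-ID matching in the RFC 6125 style: case-insensitive, and a leading '*'
    label stands for exactly one label (so '*.example.com' matches neither
    'a.b.example.com' nor 'example.com'). Partial wildcards are rejected."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    p_labels, h_labels = pattern.split("."), host.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]

def san_matches(sans, target):
    """Return the SAN entry that covers `target`, or None. An IP target is only
    covered by an 'IP Address' SAN and a hostname only by a DNS SAN; a literal
    IP is never compared against DNS names, which is the rule the JVM applies."""
    try:
        ip = ipaddress.ip_address(target)
    except ValueError:
        ip = None
    for kind, value in sans:
        if ip is not None and kind == "IP Address":
            try:
                if ipaddress.ip_address(value) == ip:
                    return (kind, value)
            except ValueError:          # malformed SAN value: skip it
                continue
        elif ip is None and kind == "DNS" and dns_name_matches(value, target):
            return (kind, value)
    return None

def verdict(sans, target):
    """One-line result in the spirit of the JVM message quoted in the question."""
    hit = san_matches(sans, target)
    if hit:
        return f"{target}: covered by SAN {hit[0]}={hit[1]}"
    return f"{target}: no subject alternative names matching {target} found"

if __name__ == "__main__":
    # Connecting by the internal IP fails (the question's error); connecting by
    # the name the certificate was issued for succeeds, as does a certificate
    # that carries the IP as a SAN. Neither fix involves turning verification off.
    print(verdict(PEER_SANS, INTERNAL_IP))
    print(verdict(PEER_SANS, "jira.example.com"))
    print(verdict(PEER_SANS + (("IP Address", INTERNAL_IP),), INTERNAL_IP))
```

The wildcard handling is deliberately strict (one label only, no partial wildcards), which is the conservative end of what validators accept; the point of the example is that no amount of DNS-name flexibility will ever cover a bare IP address.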

Parse IBM MQ v9.1 Error Logs using Splunk

I'm forwarding my IBM MQ v9.1 error logs using the Splunk forwarder to a centralized cluster to see trends in common errors occurring across my distributed messaging systems.
However, I'm unable to parse the required fields, since the format of the MQ error logs varies, i.e. the severity of a message can be error, warning, informational, severe or termination, and each has a different set of fields, which are not consistent.
Please let me know if anyone has used regex in Splunk for parsing the fields of IBM MQ error logs for v9.1.
I have tried a few regex patterns, but they weren't parsing as expected.
I have already referred to the link below, but that is for v8, and the format of the error logs is different for v9:
https://t-rob.net/2017/12/18/parsing-mq-error-logs-in-splunk/
Also, the splunk user is unable to access the error logs. I have updated the stanza below in qm.ini:
Filesystem:
ValidateAuth=No
and also ran chmod -R 755 on the /var/mqm/qmgrs/qmName/errors folder.
Though the permissions on the error logs don't change when they are updated, when the logs rotate the permissions are revoked and the splunk user is not able to read the logs.
Please let me know how to overcome this without adding the splunk user to the mqm group.
I would suggest enabling JSON logging and forwarding those logs to Splunk, which should be able to parse this format.
In the IBM MQ v9.0.4 CD release, IBM added the ability to also log to a JSON formatted log; MQ will always log to the original AMQERR0x.LOG files even if you enable JSON logging. This is included in all MQ 9.1 LTS and CD releases.
The IBM MQ v9.1 Knowledge Center Page IBM MQ>Configuring>Changing IBM MQ and queue manager configuration information>Attributes for changing queue manager configuration information>Diagnostic message logging>Diagnostic message service stanzas>Diagnostic message services has information on the topic. You can add the following to your qm.ini to have it output the log information to a JSON formatted file called AMQERR0x.json in the standard queue manager errors directory:
DiagnosticMessages:
Service = File
Name = JSONLogs
Format = json
FilePrefix = AMQERR
As noted by the OP, the JSON formatted logs do not contain the EXPLANATION or ACTION portion that you see in the normal logs.
In IBM MQ v9.1 you can use the mqrc command to convert the JSON format to the familiar format you see in AMQERR01.LOG.
One simple example is below:
cat <<EOL |mqrc -i json -o text -
{"ibm_messageId":"AMQ9209E","ibm_arithInsert1":0,"ibm_arithInsert2":0,"ibm_commentInsert1":"localhost (127.0.0.1)","ibm_commentInsert2":"TCP/IP","ibm_commentInsert3":"SYSTEM.DEF.SVRCONN","ibm_datetime":"2018-02-22T06:54:53.942Z","ibm_serverName":"QM1","type":"mq_log","host":"0df0ce19c711","loglevel":"ERROR","module":"amqccita.c:4214","ibm_sequence":"1519282493_947814358","ibm_remoteHost":"127.0.0.1","ibm_qmgrId":"QM1_2018-02-13_10.49.57","ibm_processId":4927,"ibm_threadId":4,"ibm_version":"9.1.0.5","ibm_processName":"amqrmppa","ibm_userName":"johndoe","ibm_installationName":"Installation1","ibm_installationDir":"/opt/mqm","message":"AMQ9209E: Connection to host 'localhost (127.0.0.1)' for channel 'SYSTEM.DEF.SVRCONN' closed."}
EOL
The output will be:
02/22/2018 06:54:53 AM - User(johndoe) Program(amqrmppa)
Host(0df0ce19c711) Installation(Installation1)
VRMF(9.1.0.5) QMgr(QM1)
Time(2018-02-22T11:54:53.942Z)
RemoteHost(127.0.0.1)
CommentInsert1(localhost (127.0.0.1))
CommentInsert2(TCP/IP)
CommentInsert3(SYSTEM.DEF.SVRCONN)
AMQ9209E: Connection to host 'localhost (127.0.0.1)' for channel
'SYSTEM.DEF.SVRCONN' closed.
EXPLANATION:
An error occurred receiving data from 'localhost (127.0.0.1)' over TCP/IP. The
connection to the remote host has unexpectedly terminated.
The channel name is 'SYSTEM.DEF.SVRCONN'; in some cases it cannot be determined
and so is shown as '????'.
ACTION:
Tell the systems administrator.
----- amqccita.c : 4214 -------------------------------------------------------
You can also use mqrc with just the error message ID from the JSON, for example AMQ9209E; you can run the command like this:
mqrc AMQ9209E
The output will be:
536908297 0x20009209 rrcE_CONNECTION_CLOSED
536908297 0x20009209 urcMS_CONN_CLOSED
MESSAGE:
Connection to host '<insert one>' for channel '<insert three>' closed.
EXPLANATION:
An error occurred receiving data from '<insert one>' over <insert two>. The
connection to the remote host has unexpectedly terminated.
The channel name is '<insert three>'; in some cases it cannot be determined and
so is shown as '????'.
ACTION:
Tell the systems administrator.
You could take it further and specify the inserts from the JSON:
Example portion of the JSON log:
"ibm_messageId":"AMQ9209E","ibm_arithInsert1":0,"ibm_arithInsert2":0,"ibm_commentInsert1":"localhost (127.0.0.1)","ibm_commentInsert2":"TCP/IP","ibm_commentInsert3":"SYSTEM.DEF.SVRCONN"
In the command below, each ibm_arithInsert is specified in order with a preceding -n flag, followed by each ibm_commentInsert with a preceding -c flag:
mqrc AMQ9209E -n 0 -n 0 -c "localhost (127.0.0.1)" -c "TCP/IP" -c "SYSTEM.DEF.SVRCONN"
The output is below:
536908297 0x20009209 rrcE_CONNECTION_CLOSED
536908297 0x20009209 urcMS_CONN_CLOSED
MESSAGE:
Connection to host 'localhost (127.0.0.1)' for channel 'SYSTEM.DEF.SVRCONN'
closed.
EXPLANATION:
An error occurred receiving data from 'localhost (127.0.0.1)' over TCP/IP. The
connection to the remote host has unexpectedly terminated.
The channel name is 'SYSTEM.DEF.SVRCONN'; in some cases it cannot be determined
and so is shown as '????'.
ACTION:
Tell the systems administrator.
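To illustrate the parsing problem the question describes (a header block whose set of Key(Value) fields varies by message, a wrapped message line, and optional EXPLANATION/ACTION sections), here is an added Python example, not code from the answer or from IBM, that turns both the classic AMQERR0x.LOG format and the JSON format into the same record shape and counts occurrences per message ID. The sample records are constructed from the log text shown on this page; the second text record's header fields and its module rule are placeholders.

```python
import json
import re
from collections import Counter

SEVERITY = {"E": "error", "W": "warning", "I": "informational",   # last letter of
            "S": "severe", "T": "termination"}                     # the message ID
KEY_RE = re.compile(r"([A-Za-z0-9_]+)\(")
MSG_RE = re.compile(r"^(AMQ\d{4}([EWIST])):\s*(.*)$")
SEP_RE = re.compile(r"^-{5} (\S+) : (\d+) -+$")

def parse_header_line(line, rec):
    """Collect Key(Value) pairs from a header line. Values may nest parentheses,
    e.g. CommentInsert1(localhost (127.0.0.1)), so match them by depth."""
    pos = 0
    while m := KEY_RE.search(line, pos):
        depth, j = 1, m.end()
        while j < len(line) and depth:
            depth += {"(": 1, ")": -1}.get(line[j], 0)
            j += 1
        if depth:                       # unbalanced value: give up on this line
            return
        rec[m.group(1)] = line[m.end():j - 1]
        pos = j

def parse_text_log(text):
    """Split AMQERR0x.LOG into records; each ends with a '----- file : line' rule."""
    records, rec, section = [], None, None
    for line in text.splitlines():
        line = line.rstrip()
        if not line:
            continue
        if sep := SEP_RE.match(line):
            if rec:
                rec["module"] = f"{sep.group(1)}:{sep.group(2)}"
                records.append(rec)
            rec, section = None, None
        elif msg := MSG_RE.match(line):
            rec = rec or {}
            rec.update(msgid=msg.group(1), severity=SEVERITY[msg.group(2)],
                       message=msg.group(3))
            section = "message"
        elif line in ("EXPLANATION:", "ACTION:") and rec is not None:
            section = line[:-1].lower()
            rec[section] = ""
        elif section is not None:       # wrapped message/explanation/action text
            rec[section] = (rec[section] + " " + line).strip()
        else:                           # header block: field set varies per message
            rec = rec if rec is not None else {}
            parse_header_line(line, rec)
    return records

def parse_json_log(text):
    """Parse the one-object-per-line AMQERR0x.json format into the same shape."""
    records = []
    for line in filter(str.strip, text.splitlines()):
        obj = json.loads(line)
        msgid = obj["ibm_messageId"]
        records.append({"msgid": msgid, "severity": SEVERITY[msgid[-1]],
                        "QMgr": obj.get("ibm_serverName"), "module": obj.get("module"),
                        "message": obj.get("message", "")})
    return records

def summarize(records):
    """Occurrences per message ID across all sources: the trend view asked for."""
    return dict(Counter(r["msgid"] for r in records))

# Constructed sample: record 1 is the one the answer's mqrc command printed (with the
# blank lines a real log has); record 2 is built from the AMQ9620E text in the
# question, with placeholder header fields and a placeholder module rule.
TEXT_SAMPLE = """\
02/22/2018 06:54:53 AM - User(johndoe) Program(amqrmppa)
                         Host(0df0ce19c711) Installation(Installation1)
                         VRMF(9.1.0.5) QMgr(QM1) RemoteHost(127.0.0.1)
                         CommentInsert1(localhost (127.0.0.1)) CommentInsert2(TCP/IP)

AMQ9209E: Connection to host 'localhost (127.0.0.1)' for channel
'SYSTEM.DEF.SVRCONN' closed.

EXPLANATION:
An error occurred receiving data from 'localhost (127.0.0.1)' over TCP/IP. The
connection to the remote host has unexpectedly terminated.
ACTION:
Tell the systems administrator.
----- amqccita.c : 4214 -------------------------------------------------------
02/22/2018 07:01:10 AM - User(johndoe) Program(amqssslc)
                         VRMF(9.1.0.5) QMgr(QM1) CommentInsert1(CLI.QM1.T)

AMQ9620E: Internal error on call to SSL function on channel 'CLI.QM1.T' to
host 'host-name'.

ACTION:
Contact your IBM support center.
----- placeholder.c : 0 -------------------------------------------------------
"""
# Trimmed copy of the JSON record shown in the answer (one object per line).
JSON_SAMPLE = ('{"ibm_messageId":"AMQ9209E","ibm_commentInsert1":"localhost (127.0.0.1)",'
               '"ibm_datetime":"2018-02-22T06:54:53.942Z","ibm_serverName":"QM1",'
               '"loglevel":"ERROR","module":"amqccita.c:4214","message":"AMQ9209E: '
               'Connection to host \'localhost (127.0.0.1)\' for channel '
               '\'SYSTEM.DEF.SVRCONN\' closed."}\n')
```

The header parser matches parentheses by depth rather than with a single regex because values such as CommentInsert1(localhost (127.0.0.1)) contain nested parentheses, which is where a naive `\w+\(([^)]*)\)` pattern breaks. Severity is taken from the last letter of the message ID, the one field both formats share, so `summarize(parse_text_log(TEXT_SAMPLE) + parse_json_log(JSON_SAMPLE))` counts records consistently whichever file they came from.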

Disconnected: No supported authentication methods available (server sent: publickey,gssapi-keyex,gssapi-with-mic)+openshift

I can't connect to my application on OpenShift using the rhc command.
Here is what I get when trying to connect:
C:\Users\soulhiS>rhc ssh myapp
DL is deprecated, please use Fiddle
RSA 1024 bit CA certificates are loaded due to old openssl compatibility
Connecting to 56e736655650001b4#myapp-mydomain.rhcloud.com ...
Using username "56e736655650001b4".
FATAL ERROR: Disconnected: No supported authentication methods available(server sent: publickey,gssapi-keyex,gssapi-with-mic)
Make sure that your ssh key is accessible (run the command line as administrator, if needed) and it is the one OpenShift expects - i.e. check that a corresponding public key is uploaded to OpenShift. For uploading your public ssh key to OpenShift, you can run rhc setup.

Websphere + MQ client

I am getting the following error message while connecting to the WebSphere server using the MQ client:
/opt/mqm/samp/bin/amqssslc -x 'X.X.X.10(9110)' -c QMEIGS1.VSER.SVRCONN
QMEIGS1 -k /var/mqm/qmgrs/QMEIGS1/ssl/qmeigs1.arm -s TRIPLE_DES_SHA_US
Error message:
LE_DES_SHA_US
Sample AMQSSSLC start
Connecting to the default queue manager
Using the server connection channel QMEIGS1.VSER.SVRCONN
on connection name 10.87.205.70(7118).
No SSL configuration specified.
MQCONNX ended with reason code 2393
We have placed the .arm file in the ssl directory at the path /var/mqm/qmgrs/QMEIGS1/ssl/qmeigs1.arm
Please tell me what needs to be done to resolve this?
We are using the following packages on the client side:
Client version : 8.0.0.4
Client OS : Redhat Linux 6.x 64bit (Non GUI)
Packages installed on the client:
MQSeriesJRE_vserv-8.0.0-4.x86_64
MQSeriesRuntime_vserv-8.0.0-4.x86_64
MQSeriesGSKit_vserv-8.0.0-4.x86_64
MQSeriesClient_vserv-8.0.0-4.x86_64
MQSeriesSamples_vserv-8.0.0-4.x86_64
Regards
Atul
The -k parameter on the client side (the amqssslc application) and the queue manager's ssl folder should contain a .kdb file. You appear to be using a .arm file. You should create a Key Database File (KDB) and add the certificate contained in the .arm file to that KDB, then rerun using the KDB as the target used by both client and queue manager instead of the .arm file.
You can find step-by-step instructions at the following page:
Running the SSL/TLS sample program

How to create a secure http server in dart?

I am trying to set up my Dart HTTP server to run only with HTTPS. So I gather I need to use HttpServer.bindSecure, but I'm not clear from the description what needs to be passed in as certificateName and whether requestClientCertificate being true makes it more or less secure, or has no impact on security whatsoever. The small sample code at the top of the HttpServer page passes in certificateName: 'localhost_cert', but before that it does something with a database, which it doesn't seem to use in any way. Can anyone explain in more detail what these values are and what they need to be in order to make them secure?
The requestClientCertificate parameter of bindSecure is used to specify a client certificate. Client certificates are used by servers to identify and authorize clients, which appears not to be the objective of this question. It should be noted that there is a known issue with using client certificates in Dart on IE9 and Windows 7.
The certificateName parameter is used to specify the nickname of a certificate that exists in your certificate database. You specify the certificate nickname using the -n <nickname> option when importing a certificate to your database using certutil.
Use the following steps to:
Install the NSS utility (including certutil),
Create a new certificate database in directory <dir> with a password <password>, and
Import your self-signed or purchased certificate identified by nickname <host> such that it can be used to create an HTTPS server using the following sample code. Though the nickname can be chosen arbitrarily, we use the host name in this example. These steps have been confirmed working in Ubuntu 14.04 and Dart SDK 1.6 through (currently last stable version) 1.8.3.
Install the NSS utility
sudo apt-get install libnss3-tools
cd to the directory that will contain your certificate database
cd <dir>
Create a password file to use with the certificate database:
echo "<password>" > pwdfile
Create the certificate database
certutil -N -d 'sql:./' -f pwdfile
Either:
Generate a self-signed certificate:
certutil -S -s "cn=<host>" -n "self signed for dart" -x -t "C,C,C" -m 1000 -v 120 -d "sql:./" -k rsa -g 2048 -f pwdfile
where <host> is the host ("common name") for which to generate a certificate, for example "localhost"
Or, purchase a certificate by first creating a signing request for a real domain <host>, for example "myhost.com":
certutil -R -s "CN=<host>, O=None, L=San Diego, ST=California, C=US" -a -g 2048 -o <host>.csr -d "sql:./"
Then specify the content of file <host>.csr when prompted for a CSR upon purchasing a certificate from a signing authority.
Copy the purchased certificate to a file named <host>.crt
Import the certificate to the database
certutil -A -n <host> -t "p,p,p" -i <host>.crt -d "sql:./"
If necessary to use an intermediate certificate, it can be imported as such:
certutil -A -n my_intermediate_certificate -t "p,p,p" -i intermediate.crt -d "sql:./"
where "intermediate.crt" is the intermediate certificate file downloaded from the signing authority.
Verify that the certificates exist in the database
certutil -L -n <host> -d "sql:./"
certutil -L -n my_intermediate_certificate -d "sql:./"
To use this certificate and create an HTTPS server, do the following:
// Initialize secure socket to use certificate database (note: replace `<dir>`
// with the absolute path to the certificate database directory, and `<password>`
// with the value chosen above)
SecureSocket.initialize(database: "<dir>", password: "<password>");

// Bind secure HTTP server to specified host and port (typically 443)
HttpServer.bindSecure("<host>", 443, certificateName: "<host>")
    .then((HttpServer httpServer) {
      // Listen for incoming requests
      httpServer.listen((HttpRequest httpRequest) {
        // TODO: process request
      });
    })
    .catchError((error) {
      // TODO: handle error
    });
Update
I don't have enough reputation points to respond to the comments, so here are additional details that may help answer the questions: Client certificates are not used to encrypt client-server communication and are not needed in the common scenario of establishing secure communication between a web browser and a webserver via HTTPS. The steps outlined above show how to create an HTTPS server in Dart using bindSecure.
