Websphere + MQ client - ibm-mq

I am getting the following error message while connecting to the WebSphere server using the MQ client:
/opt/mqm/samp/bin/amqssslc -x 'X.X.X.10(9110)' -c QMEIGS1.VSER.SVRCONN
QMEIGS1 -k /var/mqm/qmgrs/QMEIGS1/ssl/qmeigs1.arm -s TRIPLE_DES_SHA_US
Error message:
LE_DES_SHA_US
Sample AMQSSSLC start
Connecting to the default queue manager
Using the server connection channel QMEIGS1.VSER.SVRCONN
on connection name 10.87.205.70(7118).
No SSL configuration specified.
MQCONNX ended with reason code 2393
We have placed the .arm file in the ssl dir at the path /var/mqm/qmgrs/QMEIGS1/ssl/qmeigs1.arm
Please tell me what needs to be done to resolve this.
We are using the following packages on the client side:
Client version: 8.0.0.4
Client OS: Redhat Linux 6.x 64bit (Non GUI)
Packages installed on the client:
MQSeriesJRE_vserv-8.0.0-4.x86_64
MQSeriesRuntime_vserv-8.0.0-4.x86_64
MQSeriesGSKit_vserv-8.0.0-4.x86_64
MQSeriesClient_vserv-8.0.0-4.x86_64
MQSeriesSamples_vserv-8.0.0-4.x86_64
Regards
Atul

The -k parameter on the client side (the amqssslc application) and the queue manager's ssl folder should contain a .kdb file. You appear to be using a .arm file. You should create a Key Database File (KDB) and add the certificate contained in the .arm file to that KDB, then rerun using the KDB as the target used by both client and queue manager instead of the .arm file.
You can find step-by-step instructions at the following page:
Running the SSL/TLS sample program
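A pre-flight check for the value passed to -k, added here as an example (it is not part of the answer above or of IBM's samples). It assumes the client takes the key repository as a path stem, with STEM.kdb and the stash file STEM.sth beside it; check_keyrepo and the temporary demo files are hypothetical.

```shell
#!/bin/sh
# Added example: pre-flight check for the value given to amqssslc -k.
# Assumption: -k takes the key repository as a path stem, with STEM.kdb and
# the password stash file STEM.sth beside it. check_keyrepo is a made-up name.
check_keyrepo() {
    stem=$1
    case $stem in
        *.arm|*.cer|*.crt|*.pem)
            echo "certificate file given: add it to a .kdb and pass that stem"
            return 2 ;;
        *.kdb)
            echo "drop the suffix: pass ${stem%.kdb}"
            return 3 ;;
    esac
    if [ ! -r "$stem.kdb" ]; then
        echo "no readable key database at $stem.kdb"
        return 4
    fi
    if [ ! -r "$stem.sth" ]; then
        echo "no readable stash file at $stem.sth (was the kdb created with -stash?)"
        return 5
    fi
    # The stash file unlocks the key database, so it should not be
    # readable by other users on the host.
    if [ -n "$(find "$stem.sth" -perm -004)" ]; then
        echo "stash file $stem.sth is world-readable"
        return 6
    fi
    echo "ok: $stem"
    return 0
}

# Constructed demo: an empty stand-in key database in a temporary directory.
demo_dir=$(mktemp -d)
: > "$demo_dir/clientkey.kdb"
: > "$demo_dir/clientkey.sth"
chmod 600 "$demo_dir/clientkey.kdb" "$demo_dir/clientkey.sth"
check_keyrepo /var/mqm/qmgrs/QMEIGS1/ssl/qmeigs1.arm || :   # value from the question
check_keyrepo "$demo_dir/clientkey.kdb" || :
check_keyrepo "$demo_dir/clientkey" || :
rm -rf "$demo_dir"
```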

Related

Unable establish secure connection with IBM MQ from MQI client

I am trying to make a secure connection with MQ with the below command:
./amqssslc -c CLI.QM1.T -x <remote_server> -k clientkey -s <SOME CIPHER NAME>
I have created the clientkey.kdb using the below commands:
runmqakm -keydb -create -db clientkey.kdb -pw passw0rd -type pkcs12 -expire 1000 -stash
runmqakm -cert -add -label QM1.cert -db clientkey.kdb -stashed -trust enable -file /root.cer
I got the below error:
No OCSP configuration specified.
MQCONNX ended with reason code 2393
Error in the log file:
AMQ9620E: Internal error on call to SSL function on channel 'CLI.QM1.T' to
host 'host-name'.
EXPLANATION:
An error indicating a software problem was returned from a function which is
used to provide SSL or TLS support. The error code returned was '9'. The
function call was 'gsk_environment_init'.
The channel is 'CLI.QM1.T'; in some cases its name cannot be determined and
so is shown as '????'. The channel did not start.
The remote host name is 'host-name'.
ACTION:
Collect the items listed in the 'Problem determination' section of the System
Administration manual and use either the MQ Support site:
http://www.ibm.com/software/integration/wmq/support/, or IBM Support Assistant
(ISA): http://www.ibm.com/software/support/isa/, to see whether a solution is
already available. If you are unable to find a match, contact your IBM support
center.
Can you please help me to solve this? I am using IBM MQ version 9.1.0.11.
Besides, I got the private key name.p12; should I use this somewhere to establish the connection from the MQ client?

Setup WSO2 Enterprise Integrator VFS connection towards Windows SFTP server

Running WSO2 Enterprise Integrator 6.5.0 on RHEL 7. We are in the process of building flows to read files from an sftp server. But setting up the sftp connection towards a Windows SFTP server fails. We can access this Windows SFTP server correctly with Windows clients like FileZilla/WinSCP.
With netstat we see a connection is built towards the Windows SFTP server but the flow isn't moving - no files are being read. On the point of stopping the server the error as shown below is printed in the wso2carbon.log.
When setting up the connection towards a Linux sftp server (plain RHEL 7 box with SSHD) we don't face any issues. We have the matching private key placed under .ssh/id_rsa in the home dir of the user running WSO2 EI.
Searching for the error message ( see snippet below ) we should get it resolved by adding the transport.vfs.AvoidPermissionCheck=true parameter to the VFS URL but unfortunately this doesn't solve our issue.
This is the VFS URL we are using.
sftp://SFTPUSER#SERVER.ACMECORP.ORG/inputdir?transport.vfs.AvoidPermissionCheck=true;vfs.passive=true
Is this a configuration that should work and are we missing a configuration option? Or is this a bug in the WSO2 software?
These URLs mention the issue we are facing.
VFS2 Error cannot delete file and could not get the groups id of the current user (error code: -1)
https://issues.apache.org/jira/browse/VFS-617
https://github.com/wso2/product-ei/issues/3725
[2019-12-06 13:48:59,724] [-1] [] [vfs-Worker-2] ERROR {org.apache.synapse.transport.vfs.VFSTransportListener} - Error checking for existence and readability : sftp://SFTPUSER#SERVER.ACMECORP.ORG/inputdir?transport.vfs.AvoidPermissionCheck=true;vfs.passive=true
org.apache.commons.vfs2.FileSystemException: Could not determine if file "sftp://SFTPUSER#SERVER.ACMECORP.ORG/inputdir?transport.vfs.AvoidPermissionCheck=true;vfs.passive=true" is readable.
at org.apache.commons.vfs2.provider.AbstractFileObject.isReadable(AbstractFileObject.java:1494)
at org.apache.synapse.transport.vfs.VFSTransportListener.scanFileOrDirectory(VFSTransportListener.java:295)
at org.apache.synapse.transport.vfs.VFSTransportListener.poll(VFSTransportListener.java:188)
at org.apache.synapse.transport.vfs.VFSTransportListener.poll(VFSTransportListener.java:134)
at org.apache.axis2.transport.base.AbstractPollingTransportListener$1$1.run(AbstractPollingTransportListener.java:67)
at org.apache.axis2.transport.base.threads.NativeWorkerPool$1.run(NativeWorkerPool.java:172)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
at java.lang.Thread.run(Thread.java:748)
Caused by: com.jcraft.jsch.JSchException: Could not get the groups id of the current user (error code: -1)
at org.apache.commons.vfs2.provider.sftp.SftpFileSystem.getGroupsIds(SftpFileSystem.java:219)
at org.apache.commons.vfs2.provider.sftp.SftpFileObject.getPermissions(SftpFileObject.java:250)
at org.apache.commons.vfs2.provider.sftp.SftpFileObject.doIsReadable(SftpFileObject.java:264)
at org.apache.commons.vfs2.provider.AbstractFileObject.isReadable(AbstractFileObject.java:1492)
... 8 more
UPDATE
Using the same URL but then setting up the WSO2 flow to write a file towards the SFTP server works.
Got this resolved with support from WSO2.
The correct VFS URL to use is:
sftp://SFTPUSER#SERVER.ACMECORP.ORG/inputdir?transport.vfs.AvoidPermissionCheck=true&vfs.passive=true
So a '&' separator instead of a ';'.
The documentation of WSO2 is just very fuzzy about the correct syntax to use.
They give different examples across their documentation.
https://docs.wso2.com/display/EI650/VFS+Transport
https://docs.wso2.com/display/EI650/File+Inbound+Protocol
https://docs.wso2.com/display/EI650/Configuring+File+Inbound+Protocol+for+FTP%2C+SFTP+and+FILE+Connections
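What the separator change does to the parameters, as an added example that is not part of the original post or of WSO2's code. It assumes the query string is split on '&' only; vfs_param, vfs_lint and the host in the sample URLs are hypothetical.

```shell
#!/bin/sh
# Added example. Assumption: the query string is split on '&' only, so a ';'
# stays inside the value in front of it. vfs_param and vfs_lint are made-up names.

# vfs_param URL NAME: print the value of query parameter NAME.
vfs_param() (
    case $1 in *\?*) query=${1#*\?} ;; *) exit 1 ;; esac
    name=$2
    IFS='&'
    set -f                       # no filename expansion while splitting
    for pair in $query; do
        case $pair in
            "$name="*) printf '%s\n' "${pair#*=}"; exit 0 ;;
        esac
    done
    exit 1
)

# vfs_lint URL: report parameters whose value contains ';', return 1 if any.
vfs_lint() (
    case $1 in *\?*) query=${1#*\?} ;; *) exit 0 ;; esac
    IFS='&'
    set -f
    rc=0
    for pair in $query; do
        case ${pair#*=} in
            *\;*) printf "';' inside a value: %s\n" "$pair"; rc=1 ;;
        esac
    done
    exit $rc
)

# Constructed URLs with the same parameters as the post (host is a placeholder).
BAD='sftp://user@sftp.example.org/inputdir?transport.vfs.AvoidPermissionCheck=true;vfs.passive=true'
GOOD='sftp://user@sftp.example.org/inputdir?transport.vfs.AvoidPermissionCheck=true&vfs.passive=true'
vfs_lint "$BAD" || :
vfs_param "$BAD" transport.vfs.AvoidPermissionCheck   # prints true;vfs.passive=true
vfs_param "$GOOD" vfs.passive                         # prints true
```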

Mulesoft - SFTP Component to go through SOCKS Proxy

I was hoping someone could help.
I am trying to sftp to a remote server that is behind a firewall. I have a proxy set up and can sftp via the Unix terminal successfully. However, when using MuleSoft's SFTP connector I get a timeout. From research it looks like this is because it is run on the JVM.
Mule comes with wrapper.conf to update any jvm settings so I have set the following settings:
wrapper.java.additional.15=-DsocksProxyHost:hostname
wrapper.java.additional.16=-DsocksProxyPort=1080
When I do this the Mule service no longer runs and I get the following error:
WrapperManager Error: Unexpected exception opening backend socket: java.net.SocketException: Can't connect to SOCKS proxy:Invalid argument or cannot assign requested address
Hopefully someone can assist.
Thank you.
Perhaps a typo in the
-DsocksProxyHost:hostname
Should be = rather than :.
The port is unnecessary, 1080 is the default. Documentation is here, see section 2.4 for SOCKS
http://docs.oracle.com/javase/8/docs/technotes/guides/net/proxies.html
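A lint for this class of typo in wrapper.conf, as an added example that is not part of the answer above or of Mule's tooling. lint_wrapper_props and the example.endpoint property in the sample are hypothetical; the first two option lines are the ones from the question.

```shell
#!/bin/sh
# Added example. lint_wrapper_props is a made-up name. java reads -Dname=value;
# without '=' the whole string after -D becomes the property name, so
# socksProxyHost itself is never set.
lint_wrapper_props() {
    awk '
        BEGIN { bad = 0 }
        /^[ \t]*#/ { next }                              # skip comment lines
        /^[ \t]*wrapper\.java\.additional\.[0-9]+[ \t]*=/ {
            arg = $0
            sub(/^[^=]*=[ \t]*/, "", arg)                # the JVM argument itself
            if (arg ~ /^-D[^=]*:/) {                     # ":" before any "="
                fixed = arg
                sub(/:/, "=", fixed)
                printf "line %d: %s -> %s\n", NR, arg, fixed
                bad = 1
            }
        }
        END { exit bad }
    ' "$1"
}

# Constructed wrapper.conf fragment: the two lines from the question plus one
# valid option (hypothetical property) that has ':' only inside its value.
conf=$(mktemp)
cat > "$conf" <<'EOF'
# proxy settings
wrapper.java.additional.15=-DsocksProxyHost:hostname
wrapper.java.additional.16=-DsocksProxyPort=1080
wrapper.java.additional.17=-Dexample.endpoint=localhost:8081
EOF
lint_wrapper_props "$conf" || :
rm -f "$conf"
```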

Can't connect remotely to WAS 8.5 full profile installed on Ubuntu 14.04 from RAD 9.5 installed on OSX

WAS 8.5 full profile isn't officially supported on OSX by IBM, so the only option for developing on OSX is to install the stub runtime and connect to a WAS installed remotely. I'm trying to set up such a scenario, but something went wrong and I can't connect to my WAS.
Here's my installation:
On OSX El Capitan Installed:
RAD 9.5 with WAS 8.5 stub runtime (WebSphere Application Server traditional V8.5 stub)
Installed Virtual Box with Ubuntu Desktop edition 14.04
Ubuntu's hostname: anatoly-ubuntu-vm and it's accessible from host, i.e. ping anatoly-ubuntu-vm works fine
On Ubuntu installed:
WAS 8.5 full profile at /opt/IBM/WebSphere
Created AppSrv01 profile at /opt/IBM/WebSphere/AppServer/profiles
WAS installed with root user, IBM Installation Manager required root permission when was started
My connection settings in RAD:
server name: WebSphere Application Server traditional V8.5 stub at anatoly-ubuntu-vm
hostname: anatoly-ubuntu-vm
Runtime environment: WebSphere Application Server traditional V8.5 stub
Connection type:
I've tried RMI 2809 and SOAP 8880; both options didn't work.
Enable the server to start remotely is checked and Select the operating system running the remote server: checked Linux option with my username and password. I've tried my regular Ubuntu account and root; both options didn't work.
Server profile path defined as /opt/IBM/WebSphere/AppServer/profiles/AppSrv01
When I try to start server I get the following exception:
The following problems has occurred when starting the server.
CTGRI0001E The application could not establish a connection to
anatoly-ubuntu-vm .
What am I doing wrong?
UPDATE 1:
After writing this post I figured out that the SSH server wasn't installed and configured at all, as described here: Requirements for using Remote Execution and Access (RXA). Now I've installed it and it seems to be connecting, but it gets stuck at 23% at the stage Preparing launch delegate; after a while it throws the following error:
The following problems has occurred when starting the server. The
server may not be started in the correct mode. You can restart the
server to desired mode if it is started. CTGRI0075E A file transfer to
or from the system named [anatoly-ubuntu-vm] timed out before the
transfer could complete. The current timeout interval is set to 240000
milliseconds, and might need to be increased.
UPDATE 2:
As I can see, despite the error message the server is started and I can even connect to the web console anatoly-ubuntu-vm:9060/console/ibm, but it looks like neither the SOAP connection nor the RMI connection works. When I run Test Connection from the Settings overview page in RAD, I get the following error:
The connection failed after trying to use all the available connection
types.
Verify the port values are correct and the server has been started. If
the security of the server is enabled, verify the "Security is enabled
on this server" check box is selected, and the user ID and password
are provided. You can specify this in the server editor or when
creating a new server.
For a Technote with details on the most common server connection
problem, see http://www.ibm.com/support/docview.wss?uid=swg21266028.
The last connection attempt failed with the following exception:
ADMC0016E: The system cannot create a SOAP connector to connect to
host anatoly-ubuntu-vm at port 8880.
UPDATE 3
As @DanielBarbarian guessed, I tried to run ./wsadmin.sh -port 8880 and it worked and returned
Connected to process "server1" on node anatoly-ubuntu-vmNode01 using SOAP connector; The type of process is: UnManagedProcess
These are the settings of my ports:
UPDATE 4
When I try to run telnet anatoly-ubuntu-vm 8880 from the OSX host I get the following response (the IP address has been changed to a non-real one for privacy reasons):
anatoly-mac:~ anatoly$ telnet anatoly-ubuntu-vm 8880
Trying 192.168.10.10...
Connected to anatoly-ubuntu-vm
Escape character is '^]'.
HTTP/1.1 408 Request Timeout
Content-Type: text/html
Content-Length: 117
Connection: close
<HTML><TITLE>408 - Request Timeout</TITLE><BODY>
<h1>408 Connection timed out while reading request</h1></BODY>
</HTML>Connection closed by foreign host

How to run jython script from RAD using credentials from properties file?

According to documentation: http://pic.dhe.ibm.com/infocenter/rsawshlp/v7r5m0/index.jsp?topic=%2Fcom.ibm.ws.ast.jythontools.doc%2Ftopics%2Ftjythondebug.html to run jython script with credentials "As defined in soap.client.props or sas.client.props file":
The sas.client.props and the soap.client.props files are located in
the properties directory for each WebSphere Application Server
profile, for example x:/profilePath/properties
I've created file:
C:\IBM\WebSphere\AppServer85\properties\soap.client.props
The next part is about setting com.ibm.CORBA and com.ibm.SOAP properties. Because it is not written, which of them are used as credentials, I've set both:
com.ibm.CORBA.loginUserid=user
com.ibm.CORBA.loginPassword=pass
com.ibm.CORBA.loginSource=properties
com.ibm.SOAP.securityEnabled=true
com.ibm.SOAP.loginUserid=user
com.ibm.SOAP.loginPassword=pass
But I can't run the script on WebSphere:
WASX7246E: Cannot establish "SOAP" connection to host "localhost"
because of an authentication failure. Ensure that user and password
are correct on the command line or in a properties file.
I'm using IBM RAD 9.0 and WebSphere 8.5
What am I doing wrong? I've done everything as I understood it from the cited documentation, but it's very laconic and imprecise for me.
Depending on the connector being used (SOAP or RMI), wsadmin retrieves credentials from either soap.client.props or sas.client.props. In your case the connector is SOAP (that's what the error message suggests), so you have to edit two lines in soap.client.props:
com.ibm.SOAP.loginUserid=...
com.ibm.SOAP.loginPassword=...
