Re: MQ .NET and channel exits

2004-11-23 Thread David C. Partridge
Does the code also allow specification of securityData?

Thanks
Dave

-Original Message-
From: MQSeries List [mailto:[EMAIL PROTECTED] Behalf Of Jason
Edmeades
Sent: 22 November 2004 16:01
To: [EMAIL PROTECTED]
Subject: Re: MQ .NET and channel exits


Support for these was added under APAR IC39879
(http://www-1.ibm.com/support/docview.wss?uid=swg1IC39879), which shipped
in fixpack 8, although I do agree the documentation wasn't updated. Looking
at the code I have suspicions you might need a fix on top of that as well
(defect 80465) which you would have to get through service and is scheduled
for fixpack 09.

This should enable the message and send / receive exits from a .net
environment to be supplied.

Regards,
Jason Edmeades
[EMAIL PROTECTED]
Websphere MQ Service Architect
Internet email: [EMAIL PROTECTED]

Instructions for managing your mailing list subscription are provided in
the Listserv General Users Guide available at http://www.lsoft.com
Archive: http://vm.akh-wien.ac.at/MQSeries.archive


Re: MQ .NET and channel exits

2004-11-23 Thread Meekin, Paul
Ahh, I see... in that case I agree it would be a surprising limitation!

Thanks Sid.

-Original Message-
From: MQSeries List [mailto:[EMAIL PROTECTED] Behalf Of
[EMAIL PROTECTED]
Sent: 23 November 2004 01:34
To: [EMAIL PROTECTED]
Subject: Re: MQ .NET and channel exits


It's not an actual VM, it's a runtime that just in time compiles code to
native executable format... quite different from Java.



-Original Message-
From: Meekin, Paul [mailto:[EMAIL PROTECTED]
Sent: Tuesday, 23 November 2004 01:52
To: [EMAIL PROTECTED]
Subject: Re: MQ .NET and channel exits

Forgive the butting in but, isn't .NET Microsoft's latest attempt at
creating a proprietary Java-like platform? (Java-like in the sense of
being a complete VM, language, interpreter etc rather than an actual JVM
environment).

In that case, isn't it reasonable to have similar limitations to Java apps?

-Original Message-
From: MQSeries List [mailto:[EMAIL PROTECTED] Behalf Of David
C. Partridge
Sent: 22 November 2004 15:05
To: [EMAIL PROTECTED]
Subject: Re: MQ .NET and channel exits


Indeed so, That's what started this whole thread :-(

D.

-Original Message-
From: MQSeries List [mailto:[EMAIL PROTECTED] Behalf Of Potkay,
Peter M (ISD, IT)
Sent: 22 November 2004 14:01
To: [EMAIL PROTECTED]
Subject: Re: MQ .NET and channel exits


.NET clients do not support client channel tables. See the 1st page of
chapter 5 in the .NET manual.


-Original Message-
From: MQSeries List [mailto:[EMAIL PROTECTED] Behalf Of David
C. Partridge
Sent: Monday, November 22, 2004 8:31 AM
To: [EMAIL PROTECTED]
Subject: Re: MQ .NET and channel exits


H   Anyone from Hursley able to comment?   This seems to be a major
omission from the manual.  Support for channel tables in client mode also
seems a pretty major omission, as this allows the use of exits with NO code
modification at all.

Dave

-Original Message-
From: MQSeries List [mailto:[EMAIL PROTECTED] Behalf Of Potkay,
Peter M (ISD, IT)
Sent: 22 November 2004 13:12
To: [EMAIL PROTECTED]
Subject: Re: MQ .NET and channel exits


Yes, the manual is incomplete in this area.

The Hash Table definitely works, I just haven't used the Security Exit
parameter yet.

You could also directly code MQEnvironment.SecurityExit if you don't want to
use the hash table.



-Original Message-
From: MQSeries List [mailto:[EMAIL PROTECTED] Behalf Of David
C. Partridge
Sent: Monday, November 22, 2004 5:08 AM
To: [EMAIL PROTECTED]
Subject: Re: MQ .NET and channel exits


Strange, my version of the documentation doesn't mention that at all.

The only attributes mentioned for the MQEnvironment class are:

Channel
Hostname
Port
SSLCipherSpec
SSLKeyRepository
SSLPeerName

The Java MQEnvironment class DOES have attributes for channel exits.

Are you saying that the use of a HashTable and setting the exit names will
actually work as expected?

Unfortunately changing the code isn't an option in this particular case, so
even if you can set the HashTable values prior to the connect, and there are
(undocumented) attributes of the MQEnvironment class for:

securityExit
sendExit
receiveExit

just like the Java implementation, this wouldn't solve the problem for the
particular situation.

Cheers
Dave
-Original Message-
From: MQSeries List [mailto:[EMAIL PROTECTED] Behalf Of Potkay,
Peter M (ISD, IT)
Sent: 19 November 2004 18:01
To: [EMAIL PROTECTED]
Subject: Re: MQ .NET and channel exits


David, I haven't actually used it yet, but there is something for specifying
a channel exit on the MQEnvironment class.



'build the hash table with the connection info
myHashTable.Add(IBM.WMQ.MQC.CHANNEL_PROPERTY, ClientChannelName)
myHashTable.Add(IBM.WMQ.MQC.HOST_NAME_PROPERTY, HostName)
myHashTable.Add(IBM.WMQ.MQC.PORT_PROPERTY, 1414)
myHashTable.Add(IBM.WMQ.MQC.SECURITY_EXIT_PROPERTY, SecurityExitPath)

'connect to the QM using the HashTable for connection parameters
myQM = New MQQueueManager(QMName, myHashTable)





-Original Message-
From: MQSeries List [mailto:[EMAIL PROTECTED] Behalf Of David
C. Partridge
Sent: Friday, November 19, 2004 12:55 PM
To: [EMAIL PROTECTED]
Subject: MQ .NET and channel exits


It would appear to be impossible to use MQ channel exits with MQ .NET, as it
doesn't support the use of channel connection tables, and does not allow
specification of channel exits in the MQEnvironment class, and there doesn't
appear to be any other way to configure their use.

This seems to be rather a problem if you have a need to do channel exit
stuff with a .net client :-(

Is there some (possibly undocumented) way round this?   There is one line in
the manual which suggests there is an MQChannelDefinition class, but this
isn't mentioned anywhere else, and the MQQueueManager doesn't appear to have
a ctor that uses one (but this may just be because it isn't documented).

Is 

Re: Using gsk6cmd to create certificates and key ring files on AIX

2004-11-23 Thread Lovett, Alan J
Bill,

That statement does create concerns!  Given that gsk6cmd and gsk6man share
the same code I translate the statement as meaning little.  In the interval
between about a year ago and some unknown point in the future, we use
gsk6cmd successfully on AIX.  In my experience, rely upon JAVA_HOME to point
to the Java run-time installed with MQ (/usr/mqm/ssl/jre).  Attempting to
set up your own class path leads to madness.  We use openSSL on a Windows
system to cut the PKCS12 file.  We import these into a copy of our empty
model key repository.  When you create one with gsk6cmd, it populates it
with popular CA certificates, which we most definitely don't want - we need
full control of the CA.  Deleting them all is then a once only activity.

You might find it useful to trawl the web for general stuff about gsk6cmd.
You will notice that there is a history of problems getting that first key
repository created.  Once past that the problems get easier.  Also the AIX
documentation of gsk6cmd is somewhat more forthcoming than MQ's.

What are your messages?


Alan

-Original Message-
From: MQSeries List [mailto:[EMAIL PROTECTED] On Behalf Of Bill
Anderson
Sent: 22 November 2004 20:06
To: [EMAIL PROTECTED]
Subject: Using gsk6cmd to create certificates and key ring files on AIX


I have been struggling with setting up SSL on an AIX server running AIX 5.2
and WMQ5.3 CSD07. The IBM security manual only walks you through procedures
for using the gsk6ikm which only works with a server that is X-compatible
(so you can see the GUI of course). It goes on to say, and I quote,
"WebSphere MQ does not support the gsk6cmd command."

gsk6cmd is the command line version of the ikeyman tool used to create key
repositories and certificates.

Has anyone had success using gsk6cmd on AIX? I have tried, but get various
errors depending on how I set up the environment and what command line
options I use with the tool.

Thanks

Bill Anderson
SITA Atlanta, GA
Standard Messaging Engineering
WebSphere MQ Service Owner
770-303-3503 (office)
404-915-3190 (cell)

This e-mail contains information which is SITA - Company Confidential

All sita.int addresses have changed to sita.aero [EMAIL PROTECTED]
http://www.mconnect.aero/



MQ on z/OS security (SSL) question.

2004-11-23 Thread Peter Gersak

Hello,
I noticed strange MQ SVRCONN channel behavior. Channel is enabled for SSL encryption and SSL client certificate is enforced.
The client certificate's public keys are stored in RACF. The channel parameters are:
DEFINE CHANNEL ('CHLA') +
   CHLTYPE(SVRCONN) +
   TRPTYPE(TCP) +
   DESCR('MQ SVRCONN chl for users') +
   QSGDISP(QMGR) +
   PUTAUT(DEF) +
   MAXMSGL(104857600) +
   MCAUSER(' ') +
   RCVDATA(' ') +
   RCVEXIT(' ') +
   SCYDATA(' ') +
   SCYEXIT(' ') +
   SENDDATA(' ') +
   SENDEXIT(' ') +
   SSLCAUTH(REQUIRED) +
   SSLCIPH('TRIPLE_DES_SHA_US') +
   SSLPEER(' ') +
   KAINT(AUTO) +
   REPLACE

From RACF I have removed a public certificate user and got the following message:

+CSQX632I +MQ1 CSQXRESP SSL certificate has no associated user ID, 315
remote channel 
- channel initiator user ID used
+CSQX500I +MQ1 CSQXRESP Channel MQCHANN1 started

So, the certificate could not be located, so the CHINIT user id was used. But my understanding is that this connection should fail (because of the parameter SSLCAUTH(REQUIRED)). The PUTAUT(DEF) parameter is left blank intentionally because many users with different userIDs are using the same channel. 

Any suggestions? Is this normal behavior? What should I do in order to enforce SSL authentication?

Best Regards, Peter

Peter Geršak
3Gen d.o.o., Tržaška 21, 1000 Ljubljana
M: +386 31 332 787
T: +386 1 42 10 475
E: [EMAIL PROTECTED]

Re: MQ on z/OS security (SSL) question.

2004-11-23 Thread Morag Hughson




SSL authentication has still happened.

The client-connection channel still has a copy of its personal certificate
on the client machine even though you removed it from the server-connection
machine. The client will still send over this certificate. The fact that
the channel has started means that you must have the CA certificate that
signed the client's certificate in your queue manager key ring.

The message you are seeing tells you that neither a copy of the certificate
(since you removed it), nor a Certificate Name Filter (CNF) was found
matching the DN of the certificate, so no user could be mapped to it. The
default behaviour when no mapped user ID is found is to use the CHINIT user
ID. This is described in the z/OS System Set-up Guide. This message is an
informational message to let you know a user ID mapping could not be made
(because otherwise it would be very difficult to spot mapping failures if you
were trying to use CNFs); it does not indicate that SSL authentication
failed.

Cheers
Morag

Morag Hughson
WebSphere MQ for z/OS Development
Telephone: +44 (0) 1962 816900
Internet: [EMAIL PROTECTED]



   
Peter Gersak [EMAIL PROTECTED]
Sent by: MQSeries List [EMAIL PROTECTED]
23/11/2004 10:16
Please respond to
MQSeries List

To
[EMAIL PROTECTED]
cc

Subject
MQ on z/OS security (SSL) question.





Hello,
I noticed strange MQ SVRCONN channel behavior. Channel is enabled for SSL
encryption and SSL client certificate is enforced.
The client certificate's public keys are stored in RACF. The channel
parameters are:
DEFINE CHANNEL ('CHLA') +
   CHLTYPE(SVRCONN) +
   TRPTYPE(TCP) +
   DESCR('MQ SVRCONN chl for users') +
   QSGDISP(QMGR) +
   PUTAUT(DEF) +
   MAXMSGL(104857600) +
   MCAUSER(' ') +
   RCVDATA(' ') +
   RCVEXIT(' ') +
   SCYDATA(' ') +
   SCYEXIT(' ') +
   SENDDATA(' ') +
   SENDEXIT(' ') +
   SSLCAUTH(REQUIRED) +
   SSLCIPH('TRIPLE_DES_SHA_US') +
   SSLPEER(' ') +
   KAINT(AUTO) +
   REPLACE

From RACF I have removed a public certificate user and got the following
message:

+CSQX632I +MQ1 CSQXRESP SSL certificate has no associated user ID, 315
 remote channel 
 - channel initiator user ID used
+CSQX500I +MQ1 CSQXRESP Channel MQCHANN1 started

So, the certificate could not be located, so the CHINIT user id was used.
But my understanding is that this connection should fail (because of the
parameter SSLCAUTH(REQUIRED)). The PUTAUT(DEF) parameter is left blank
intentionally because many users with different userIDs are using the same
channel.

Any suggestions? Is this normal behavior? What should I do in order to
enforce SSL authentication?

Best Regards, Peter

Peter Geršak
3Gen d.o.o., Tržaška 21, 1000 Ljubljana
M: +386 31 332 787
T: +386 1 42 10 475
E: [EMAIL PROTECTED]
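
The distinction drawn in the reply above (certificate accepted, no user ID mapped, channel runs under the CHINIT user ID) can be watched for in the channel initiator log. The Python below is an added example, not part of the original posts and not IBM code: it flags each CSQX632I and pairs it with the next CSQX500I from the same CSECT, a pairing heuristic assumed here from the two log lines quoted in the thread. The sample log is constructed; APP.SVRCONN, CHLB and the trailing numbers are made up.

```python
import re
from dataclasses import dataclass
from typing import Iterator, List, Optional

# Constructed CHINIT job-log sample. Only the CSQX632I/CSQX500I wording, "+MQ1",
# "CSQXRESP", "CHLA" and "MQCHANN1" come from the thread; everything else is
# made up. The second CSQX632I has no channel name on its continuation line,
# which is how the message appears in the thread.
SAMPLE_LOG = """\
+CSQX500I +MQ1 CSQXRESP Channel APP.SVRCONN started
+CSQX632I +MQ1 CSQXRESP SSL certificate has no associated user ID, 315
 remote channel CHLA
 - channel initiator user ID used
+CSQX500I +MQ1 CSQXRESP Channel CHLA started
+CSQX632I +MQ1 CSQXRESP SSL certificate has no associated user ID, 316
 remote channel
 - channel initiator user ID used
+CSQX500I +MQ1 CSQXRESP Channel MQCHANN1 started
+CSQX632I +MQ1 CSQXRESP SSL certificate has no associated user ID, 317
 remote channel CHLB
 - channel initiator user ID used
"""

# "+<message id> <command prefix> <CSECT> <text>", as in the quoted log lines.
MSG_START = re.compile(
    r"^\+(?P<msgid>CSQ\w\d{3}[A-Z])\s+(?P<cpf>\S+)\s+(?P<csect>\S+)\s+(?P<text>.*)$"
)
CHL_IN_632 = re.compile(r"remote channel\s+(?P<chl>\S+)\s+-\s+channel initiator")
CHL_IN_500 = re.compile(r"Channel (?P<chl>\S+) started")


@dataclass
class Message:
    msgid: str
    cpf: str      # command prefix of the queue manager ("+MQ1" in the thread)
    csect: str
    text: str     # message text with continuation lines joined


@dataclass
class Finding:
    cpf: str
    channel: Optional[str]    # None if no log line supplied a name
    started: bool             # True once a matching CSQX500I was seen
    name_from: Optional[str]  # message id the channel name was taken from


def parse_messages(log_text: str) -> Iterator[Message]:
    """Join continuation lines (those not starting a new message) to their message."""
    def finish(head, lines):
        if len(lines) > 1:
            # Assumption: the number ending the first line of a multi-line
            # message (", 315" in the thread) is not part of the message text.
            lines[0] = re.sub(r"\s+\d+$", "", lines[0])
        return Message(head["msgid"], head["cpf"], head["csect"], " ".join(lines))

    head, lines = None, []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = MSG_START.match(line)
        if m:
            if head:
                yield finish(head, lines)
            head, lines = m.groupdict(), [m.group("text")]
        elif head:
            lines.append(line)
    if head:
        yield finish(head, lines)


def find_chinit_fallbacks(log_text: str) -> List[Finding]:
    """One Finding per CSQX632I, completed from the next CSQX500I of that CSECT."""
    findings: List[Finding] = []
    pending = {}  # (cpf, csect) -> Finding still waiting for its channel start
    for msg in parse_messages(log_text):
        key = (msg.cpf, msg.csect)
        if msg.msgid == "CSQX632I":
            m = CHL_IN_632.search(msg.text)
            f = Finding(msg.cpf, m.group("chl") if m else None, False,
                        "CSQX632I" if m else None)
            findings.append(f)
            pending[key] = f
        elif msg.msgid == "CSQX500I":
            m = CHL_IN_500.search(msg.text)
            f = pending.get(key)
            if f and m and f.channel in (None, m.group("chl")):
                if f.channel is None:
                    f.channel, f.name_from = m.group("chl"), "CSQX500I"
                f.started = True
                del pending[key]
    return findings


def channels_running_as_chinit(findings: List[Finding]) -> List[str]:
    """Channels that started after falling back to the CHINIT user ID."""
    return sorted({f.channel for f in findings if f.started and f.channel})


if __name__ == "__main__":
    for f in find_chinit_fallbacks(SAMPLE_LOG):
        state = "started" if f.started else "no start seen"
        print(f"{f.cpf} {f.channel or '<unknown>'}: CHINIT user ID used ({state})")
```
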

Re: MQ on z/OS security (SSL) question.

2004-11-23 Thread Bright, Frank
Pete

That is disappointing at best. It looks like a security hole.

Do you have the RESLEVEL set to NONE for the Chinit? I thought if you set
PUTAUT to ONLYMCA with RESLEVEL set to NONE, then it should enforce the
validation of the Userid. Did you try this on QMGR to QMGR connection as
well? I am very interested in how this turns out. If you prefer, I can go
off list.

Thanks  Frank


  
-Original Message-
From: MQSeries List [mailto:[EMAIL PROTECTED] On Behalf Of Peter Gersak
Sent: Tuesday, November 23, 2004 5:17 AM
To: [EMAIL PROTECTED]
Subject: MQ on z/OS security (SSL) question.

Hello,
I noticed strange MQ SVRCONN channel behavior. Channel is enabled for SSL
encryption and SSL client certificate is enforced.
The client certificate's public keys are stored in RACF. The channel
parameters are:
DEFINE CHANNEL ('CHLA') +
   CHLTYPE(SVRCONN) +
   TRPTYPE(TCP) +
   DESCR('MQ SVRCONN chl for users') +
   QSGDISP(QMGR) +
   PUTAUT(DEF) +
   MAXMSGL(104857600) +
   MCAUSER(' ') +
   RCVDATA(' ') +
   RCVEXIT(' ') +
   SCYDATA(' ') +
   SCYEXIT(' ') +
   SENDDATA(' ') +
   SENDEXIT(' ') +
   SSLCAUTH(REQUIRED) +
   SSLCIPH('TRIPLE_DES_SHA_US') +
   SSLPEER(' ') +
   KAINT(AUTO) +
   REPLACE

From RACF I have removed a public certificate user and got the following
message:

+CSQX632I +MQ1 CSQXRESP SSL certificate has no associated user ID, 315
remote channel
- channel initiator user ID used
+CSQX500I +MQ1 CSQXRESP Channel MQCHANN1 started

So, the certificate could not be located, so the CHINIT user id was used.
But my understanding is that this connection should fail (because of the
parameter SSLCAUTH(REQUIRED)). The PUTAUT(DEF) parameter is left blank
intentionally because many users with different userIDs are using the same
channel.

Any suggestions? Is this normal behavior? What should I do in order to
enforce SSL authentication?

Best Regards, Peter

Peter Geršak
3Gen d.o.o., Tržaška 21, 1000 Ljubljana
M: +386 31 332 787
T: +386 1 42 10 475
E: [EMAIL PROTECTED]




This e-mail message and any attachments contain confidential information
from Medco. If you are not the intended recipient, you are hereby notified
that disclosure, printing, copying, distribution, or the taking of any
action in reliance on the contents of this electronic information is
strictly prohibited. If you have received this e-mail message in error,
please immediately notify the sender by reply message and then delete the
electronic message and any attachments.





Re: Using gsk6cmd to create certificates and key ring files on AIX

2004-11-23 Thread Tom Schneider
Bill,

Are you sure you are using the latest copies of the manuals? The
command line interface wasn't supported for the initial release of 5.3,
but support was added a few months later. The version of the Security
manual published in October 2002 has sample gsk6cmd commands. The
System Administration Guide from the October 2002 version onward has more
detailed documentation for the commands in Chapter 18, Using the IKEYCMD
interface to manage keys and certificates on UNIX systems. Also, in
case you aren't already aware of this, you can download pdfs of any of the
WMQ manuals for free through this site:
http://www-306.ibm.com/software/integration/mqfamily/library/manualsa/

Hope this helps,

Tom

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Tom Schneider / IBM Global Services - MQSeries ASC
(513) 274-4034
[EMAIL PROTECTED]
-=-=-=-==-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-




Bill Anderson [EMAIL PROTECTED]
Sent by: MQSeries List [EMAIL PROTECTED]
11/22/2004 03:06 PM
Please respond to
MQSeries List


To
[EMAIL PROTECTED]
cc

Subject
Using gsk6cmd to create certificates and key ring files on AIX






I have been struggling with setting up SSL on an AIX server running AIX 5.2
and WMQ5.3 CSD07. The IBM security manual only walks you through procedures
for using the gsk6ikm which only works with a server that is X-compatible
(so you can see the GUI of course). It goes on to say, and I quote,
"WebSphere MQ does not support the gsk6cmd command."

gsk6cmd is the command line version of the ikeyman tool used to create key
repositories and certificates.

Has anyone had success using gsk6cmd on AIX? I have tried, but get various
errors depending on how I set up the environment and what command line
options I use with the tool.

Thanks

Bill Anderson
SITA Atlanta, GA
Standard Messaging Engineering
WebSphere MQ Service Owner
770-303-3503 (office)
404-915-3190 (cell)

This e-mail contains information which is SITA - Company Confidential

All sita.int addresses have changed to sita.aero
[EMAIL PROTECTED]
http://www.mconnect.aero/



Re: MQ on z/OS security (SSL) question.

2004-11-23 Thread Bright, Frank
Morag

I am very glad you responded on this one.  I need some help understanding
this.
How would SSL help control Java Client access where any userid can be
passed?

Should the Chinit not be allowed access to the SSL controlled objects?

Thanks
Frank


-Original Message-
From: MQSeries List [mailto:[EMAIL PROTECTED] On Behalf Of Morag
Hughson
Sent: Tuesday, November 23, 2004 7:05 AM
To: [EMAIL PROTECTED]
Subject: Re: MQ on z/OS security (SSL) question.






SSL authentication has still happened.

The client-connection channel still has a copy of its personal certificate
on the client machine even though you removed it from the server-connection
machine. The client will still send over this certificate. The fact that the
channel has started means that you must have the CA certificate that signed
the client's certificate in your queue manager key ring.

The message you are seeing tells you that neither a copy of the certificate
(since you removed it), nor a Certificate Name Filter (CNF) was found
matching the DN of the certificate, so no user could be mapped to it. The
default behaviour when no mapped user ID is found is to use the CHINIT user
ID. This is described in the z/OS System Set-up Guide. This message is an
informational message to let you know a user ID mapping could not be made
(because otherwise it would be very difficult to spot mapping failures if you
were trying to use CNFs); it does not indicate that SSL authentication
failed.

Cheers
Morag

Morag Hughson
WebSphere MQ for z/OS Development
Telephone: +44 (0) 1962 816900
Internet: [EMAIL PROTECTED]




Peter Gersak [EMAIL PROTECTED]
Sent by: MQSeries List [EMAIL PROTECTED]
23/11/2004 10:16
Please respond to
MQSeries List

To
[EMAIL PROTECTED]
cc

Subject
MQ on z/OS security (SSL) question.







Hello,
I noticed strange MQ SVRCONN channel behavior. Channel is enabled for SSL
encryption and SSL client certificate is enforced. The client certificate's
public keys are stored in RACF. The channel parameters are:
DEFINE CHANNEL ('CHLA') +
   CHLTYPE(SVRCONN) +
   TRPTYPE(TCP) +
   DESCR('MQ SVRCONN chl for users') +
   QSGDISP(QMGR) +
   PUTAUT(DEF) +
   MAXMSGL(104857600) +
   MCAUSER(' ') +
   RCVDATA(' ') +
   RCVEXIT(' ') +
   SCYDATA(' ') +
   SCYEXIT(' ') +
   SENDDATA(' ') +
   SENDEXIT(' ') +
   SSLCAUTH(REQUIRED) +
   SSLCIPH('TRIPLE_DES_SHA_US') +
   SSLPEER(' ') +
   KAINT(AUTO) +
   REPLACE

From RACF I have removed a public certificate user and got the following
message:

+CSQX632I +MQ1 CSQXRESP SSL certificate has no associated user ID, 315
 remote channel 
 - channel initiator user ID used
+CSQX500I +MQ1 CSQXRESP Channel MQCHANN1 started

So, the certificate could not be located, so the CHINIT user id was used.
But my understanding is that this connection should fail (because of the
parameter SSLCAUTH(REQUIRED)). The PUTAUT(DEF) parameter is left blank
intentionally because many users with different userIDs are using the same
channel.

Any suggestions? Is this normal behavior? What should I do in order to
enforce SSL authentication?

Best Regards, Peter

Peter Geršak
3Gen d.o.o., Tržaška 21, 1000 Ljubljana
M: +386 31 332 787
T: +386 1 42 10 475
E: [EMAIL PROTECTED]



Re: Sending a PDF file as MQ payload

2004-11-23 Thread Bill Anderson
Thanks to all who replied. I was relatively sure it was not a problem, but
all of your tips on the format field of the MQMD header, and keeping the
file size under control helped me help the developers side step a few land
mines.


thanks again to all

Bill Anderson
SITA Atlanta, GA
Standard Messaging Engineering
WebSphere MQ Service Owner
770-303-3503 (office)
404-915-3190 (cell)

This e-mail contains information which is SITA - Company Confidential

All sita.int addresses have changed to sita.aero
[EMAIL PROTECTED]
http://www.mconnect.aero/



Re: Using gsk6cmd to create certificates and key ring files on AIX

2004-11-23 Thread Bill Anderson
Thanks Tom!

My copy of the manual is from June 2002. I will download it and have a
look. I am sure it will get me off in the right direction.

Bill Anderson
SITA Atlanta, GA
Standard Messaging Engineering
WebSphere MQ Service Owner
770-303-3503 (office)
404-915-3190 (cell)

This e-mail contains information which is SITA - Company Confidential

All sita.int addresses have changed to sita.aero
[EMAIL PROTECTED]
http://www.mconnect.aero/



Tom Schneider [EMAIL PROTECTED]
Sent by: MQSeries List [EMAIL PROTECTED]
11/23/2004 07:39 AM
Please respond to
MQSeries List

To
[EMAIL PROTECTED]
cc

Subject
Re: Using gsk6cmd to create certificates and key ring files on AIX






Bill,

Are you sure you are using the latest copies of the manuals? The
command line interface wasn't supported for the initial release of 5.3,
but support was added a few months later. The version of the Security
manual published in October 2002 has sample gsk6cmd commands. The
System Administration Guide from the October 2002 version onward has more
detailed documentation for the commands in Chapter 18, Using the IKEYCMD
interface to manage keys and certificates on UNIX systems. Also, in
case you aren't already aware of this, you can download pdfs of any of the
WMQ manuals for free through this site:
http://www-306.ibm.com/software/integration/mqfamily/library/manualsa/

Hope this helps,

Tom

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Tom Schneider / IBM Global Services - MQSeries ASC
(513) 274-4034
[EMAIL PROTECTED]
-=-=-=-==-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-




Bill Anderson [EMAIL PROTECTED]
Sent by: MQSeries List [EMAIL PROTECTED]
11/22/2004 03:06 PM
Please respond to
MQSeries List


To
[EMAIL PROTECTED]
cc

Subject
Using gsk6cmd to create certificates and key ring files on AIX






I have been struggling with setting up SSL on an AIX server running AIX 5.2
and WMQ5.3 CSD07. The IBM security manual only walks you through procedures
for using the gsk6ikm which only works with a server that is X-compatible
(so you can see the GUI of course). It goes on to say, and I quote,
"WebSphere MQ does not support the gsk6cmd command."

gsk6cmd is the command line version of the ikeyman tool used to create key
repositories and certificates.

Has anyone had success using gsk6cmd on AIX? I have tried, but get various
errors depending on how I set up the environment and what command line
options I use with the tool.

Thanks

Bill Anderson
SITA Atlanta, GA
Standard Messaging Engineering
WebSphere MQ Service Owner
770-303-3503 (office)
404-915-3190 (cell)

This e-mail contains information which is SITA - Company Confidential

All sita.int addresses have changed to sita.aero
[EMAIL PROTECTED]
http://www.mconnect.aero/



Re: Using gsk6cmd to create certificates and key ring files on AIX

2004-11-23 Thread Bill Anderson
Thanks for the tips Alan,

I'm not going to play around with SSL again until I review the latest
version of the security manual. Given the holiday and other projects, that
will not be until next Monday or so.

I like your idea of creating the PKCS12 files using OpenSSL and importing
them. I think that is the way I may go. I'll just put OpenSSL on my laptop
for now, and when I get things working and ready to go beyond a self signed
certificate, I can find a server out on the LAN to be the OpenSSL server.


Thanks again for your help

Bill Anderson
SITA Atlanta, GA
Standard Messaging Engineering
WebSphere MQ Service Owner
770-303-3503 (office)
404-915-3190 (cell)

This e-mail contains information which is SITA - Company Confidential

All sita.int addresses have changed to sita.aero
[EMAIL PROTECTED]
http://www.mconnect.aero/



Lovett, Alan J [EMAIL PROTECTED]
Sent by: MQSeries List [EMAIL PROTECTED]
11/23/2004 05:10 AM
Please respond to
MQSeries List

To
[EMAIL PROTECTED]
cc

Subject
Re: Using gsk6cmd to create certificates and key ring files on AIX






Bill,

That statement does create concerns!  Given that gsk6cmd and gsk6man share
the same code I translate the statement as meaning little.  In the interval
between about a year ago and some unknown point in the future, we use
gsk6cmd successfully on AIX.  In my experience, rely upon JAVA_HOME to point
to the Java run-time installed with MQ (/usr/mqm/ssl/jre).  Attempting to
set up your own class path leads to madness.  We use openSSL on a Windows
system to cut the PKCS12 file.  We import these into a copy of our empty
model key repository.  When you create one with gsk6cmd, it populates it
with popular CA certificates, which we most definitely don't want - we need
full control of the CA.  Deleting them all is then a once only activity.

You might find it useful to trawl the web for general stuff about gsk6cmd.
You will notice that there is a history of problems getting that first key
repository created.  Once past that the problems get easier.  Also the AIX
documentation of gsk6cmd is somewhat more forthcoming than MQ's.

What are your messages?


Alan

-Original Message-
From: MQSeries List [mailto:[EMAIL PROTECTED] On Behalf Of Bill
Anderson
Sent: 22 November 2004 20:06
To: [EMAIL PROTECTED]
Subject: Using gsk6cmd to create certificates and key ring files on AIX


I have been struggling with setting up SSL on an AIX server running AIX 5.2
and WMQ5.3 CSD07. The IBM security manual only walks you through procedures
for using the gsk6ikm which only works with a server that is X-compatible
(so you can see the GUI of course). It goes on to say, and I quote,
"WebSphere MQ does not support the gsk6cmd command."

gsk6cmd is the command line version of the ikeyman tool used to create key
repositories and certificates.

Has anyone had success using gsk6cmd on AIX? I have tried, but get various
errors depending on how I set up the environment and what command line
options I use with the tool.

Thanks

Bill Anderson
SITA Atlanta, GA
Standard Messaging Engineering
WebSphere MQ Service Owner
770-303-3503 (office)
404-915-3190 (cell)

This e-mail contains information which is SITA - Company Confidential

All sita.int addresses have changed to sita.aero [EMAIL PROTECTED]
http://www.mconnect.aero/



Tivoli Log File Adapter Configuration for MQ

2004-11-23 Thread Rajesh-IT Sharma
Has anyone configured Log File Adapter for MQ Series? ( Not Tivoli
Business Integration Monitoring ).

If yes, would you be able to share following information -

1. Did you configure to monitor from syslog ( messages files) or
configured to monitor AMQERR*.LOG files ?

2. What kind of events you were enabling being paged? CHANNEL, QMGR DOWN,
???

3. How was (2) above accomplished? Own Formatted file ?? Share the event
file, if possible???

Thank you.

RS



Re: Using gsk6cmd to create certificates and key ring files on AIX

2004-11-23 Thread Pavel Tolkachev
I have been using gsk6cmd on AIX (4.3, 5.1) for quite a while. It is a bore but
it works. I have never used the GUI (I tried but some windows were appearing
shrunk to zero size so I dropped it).

Pavel



Lovett, Alan J [EMAIL PROTECTED]
Sent by: MQSeries List [EMAIL PROTECTED]
11/23/2004 05:10 AM
Please respond to
MQSeries List

To
[EMAIL PROTECTED]
cc

Subject
Re: Using gsk6cmd to create certificates and key ring files on AIX






Bill,

That statement does create concerns!  Given that gsk6cmd and gsk6man share
the same code I translate the statement as meaning little.  In the interval
between about a year ago and some unknown point in the future, we use
gsk6cmd successfully on AIX.  In my experience, rely upon JAVA_HOME to point
to the Java run-time installed with MQ (/usr/mqm/ssl/jre).  Attempting to
set up your own class path leads to madness.  We use openSSL on a Windows
system to cut the PKCS12 file.  We import these into a copy of our empty
model key repository.  When you create one with gsk6cmd, it populates it
with popular CA certificates, which we most definitely don't want - we need
full control of the CA.  Deleting them all is then a once only activity.

You might find it useful to trawl the web for general stuff about gsk6cmd.
You will notice that there is a history of problems getting that first key
repository created.  Once past that the problems get easier.  Also the AIX
documentation of gsk6cmd is somewhat more forthcoming than MQ's.

What are your messages?


Alan

-Original Message-
From: MQSeries List [mailto:[EMAIL PROTECTED] On Behalf Of Bill
Anderson
Sent: 22 November 2004 20:06
To: [EMAIL PROTECTED]
Subject: Using gsk6cmd to create certificates and key ring files on AIX


I have been struggling with setting up SSL on an AIX server running AIX 5.2
and WMQ5.3 CSD07. The IBM security manual only walks you through procedures
for using the gsk6ikm which only works with a server that is X-compatible
(so you can see the GUI of course). It goes on to say, and I quote,
"WebSphere MQ does not support the gsk6cmd command."

gsk6cmd is the command line version of the ikeyman tool used to create key
repositories and certificates.

Has anyone had success using gsk6cmd on AIX? I have tried, but get various
errors depending on how I set up the environment and what command line
options I use with the tool.

Thanks

Bill Anderson
SITA Atlanta, GA
Standard Messaging Engineering
WebSphere MQ Service Owner
770-303-3503 (office)
404-915-3190 (cell)


Tracing full message data

2004-11-23 Thread Meekin, Paul
Here's a quick one - on HPUX is there a way of doing an MQ trace which will
capture the whole message data? I have tried using the -t detail parameter but
I still only get the first and last 64 bytes of the message body.

Thanks in advance,
Paul


Candle Command Center for MQSeries on mainframe

2004-11-23 Thread Taras Wolansky
We need to change the server to which the Candle agent on the mainframe
reports.  What with the absorption of Candle into IBM, as well as personnel
changes at our end, getting information on this has proven more difficult
than expected ...


Re: Candle Command Center for MQSeries on mainframe

2004-11-23 Thread Mike Davidson



Amen!

Mike Davidson
TSYS MQ Tech Support
IBM Certified System Administrator - WebSphere MQ V5.3
IBM Certified Solution Designer - WebSphere MQ V5.3
[EMAIL PROTECTED]

Taras Wolansky [EMAIL PROTECTED]
Sent by: MQSeries List [EMAIL PROTECTED]
11/23/2004 11:58 AM
Please respond to MQSeries List

To: [EMAIL PROTECTED]
cc:
Subject: Candle Command Center for MQSeries on mainframe

We need to change the server to which the Candle agent on the mainframe
reports. What with the absorption of Candle into IBM, as well as personnel
changes at our end, getting information on this has proven more difficult
than expected ...


CSD08 on Windows 2000 Server

2004-11-23 Thread Bender, Alan








Recently we installed CSD08 for Websphere MQ 5.3 on our
development server. Since then when we reboot the Queue Manager does not
start. The service pack was removed and with CSD07 everything worked as
expected with the QMGR starting automatically after reboot. We then
reapplied Service pack 8 and the QMGR no longer starts after reboot. Has
anyone seen this happen? Maybe we are missing some settings or
something.

Help,

Alan












Re: Candle Command Center for MQSeries on mainframe

2004-11-23 Thread Barry Lamkin
Taras,

I am an ex-Candle SE, now acquired by IBM.  Maybe, I can help you out.
What is the question you have on trying to move the Candle Management
Server?

Barry D. Lamkin
Consulting IT Specialist
IBM Software Group




Mike Davidson [EMAIL PROTECTED]
Sent by: MQSeries List [EMAIL PROTECTED]
11/23/2004 12:07 PM
Please respond to MQSeries List

To: [EMAIL PROTECTED]
cc:
Subject: Re: Candle Command Center for MQSeries on mainframe







Amen!

Mike Davidson
TSYS MQ Tech Support
IBM Certified System Administrator - WebSphere MQ V5.3
IBM Certified Solution Designer - WebSphere MQ V5.3
[EMAIL PROTECTED]



Taras Wolansky [EMAIL PROTECTED]
Sent by: MQSeries List [EMAIL PROTECTED]
11/23/2004 11:58 AM
Please respond to MQSeries List

To: [EMAIL PROTECTED]
cc:
Subject: Candle Command Center for MQSeries on mainframe





We need to change the server to which the Candle agent on the mainframe
reports.  What with the absorption of Candle into IBM, as well as personnel
changes at our end, getting information on this has proven more difficult
than expected ...


Re: CSD08 on Windows 2000 Server

2004-11-23 Thread philip . distefano

Why doesn't it restart? Are there any Events posted? May be a user login/domain issue.

Bender, Alan [EMAIL PROTECTED]
Sent by: MQSeries List [EMAIL PROTECTED]
11/23/2004 02:39 PM
Please respond to MQSeries List

To: [EMAIL PROTECTED]
cc:
Subject: CSD08 on Windows 2000 Server



Recently we installed CSD08 for Websphere MQ 5.3 on our development server.  Since then when we reboot the Queue Manager does not start.  The service pack was removed and with CSD07 everything worked as expected with the QMGR starting automatically after reboot.  We then reapplied Service pack 8 and the QMGR no longer starts after reboot.  Has anyone seen this happen?  Maybe we are missing some settings or something.  
 
Help,
 
Alan
 
 



Contract

2004-11-23 Thread Robert Broderick
If anyone is interested.
MQSeries specialist/developer contractor
OS390 to wireless device communication
Utility company
West Nyack, NY
3-4 month initial with possible extension
Immediate (within 2 weeks) availability.
Excellent comm skills
Contact me off the list
 bobbee


Re: CSD08 on Windows 2000 Server

2004-11-23 Thread Sid . Young












Alan,

Did you log a PMR with IBM, what did they say?

Sid

-Original Message-
From: Bender, Alan [mailto:[EMAIL PROTECTED]
Sent: Wednesday, 24 November 2004 05:40
To: [EMAIL PROTECTED]
Subject: CSD08 on Windows 2000 Server

Recently we installed CSD08 for Websphere MQ 5.3 on our development
server. Since then when we reboot the Queue Manager does not start. The
service pack was removed and with CSD07 everything worked as expected with
the QMGR starting automatically after reboot. We then reapplied Service
pack 8 and the QMGR no longer starts after reboot. Has anyone seen this
happen? Maybe we are missing some settings or something.

Help,

Alan












Re: CSD08 on Windows 2000 Server

2004-11-23 Thread Potkay, Peter M (ISD, IT)



After applying CSD08, but before rebooting, did you verify the MQ service
was still set to Automatic? Did you also verify that the QM was set to
Automatic in MQ Services?

If yes to both and the QM still fails to start, what does the system MQ
error log say? Are there any FDCs?

-Original Message-
From: MQSeries List [mailto:[EMAIL PROTECTED] On Behalf Of Bender, Alan
Sent: Tuesday, November 23, 2004 2:40 PM
To: [EMAIL PROTECTED]
Subject: CSD08 on Windows 2000 Server

Recently we installed CSD08 for Websphere MQ 5.3 on our development
server. Since then when we reboot the Queue Manager does not start. The
service pack was removed and with CSD07 everything worked as expected with
the QMGR starting automatically after reboot. We then reapplied Service
pack 8 and the QMGR no longer starts after reboot. Has anyone seen this
happen? Maybe we are missing some settings or something.

Help,

Alan
  
  





Re: CSD08 on Windows 2000 Server

2004-11-23 Thread Chan, Ian M



I have CSD08 installed on a testing Win XP box last
week and I don't have that problem.

From: MQSeries List [mailto:[EMAIL PROTECTED] On Behalf Of Potkay, Peter M (ISD, IT)
Sent: Wednesday, 24 November 2004 9:43 AM
To: [EMAIL PROTECTED]
Subject: Re: CSD08 on Windows 2000 Server

After applying CSD08, but before rebooting, did you verify the MQ
service was still set to Automatic? Did you also verify that the QM was set to
Automatic in MQ Services?

If yes to both and the QM still fails to start, what does the
system MQ error log say? Are there any FDCs?

-Original Message-
From: MQSeries List [mailto:[EMAIL PROTECTED] On Behalf Of Bender, Alan
Sent: Tuesday, November 23, 2004 2:40 PM
To: [EMAIL PROTECTED]
Subject: CSD08 on Windows 2000 Server

Recently we installed CSD08 for Websphere MQ 5.3 on our development
server. Since then when we reboot the Queue Manager does not start. The
service pack was removed and with CSD07 everything worked as expected with
the QMGR starting automatically after reboot. We then reapplied Service
pack 8 and the QMGR no longer starts after reboot. Has anyone seen this
happen? Maybe we are missing some settings or something.

Help,

Alan



Eric J Knight is out of the office.

2004-11-23 Thread Eric J Knight

I will be out of the office starting 11/22/2004 and will not return until 12/02/2004.

If needed, contact me via mobile phone (919)-672-2232.  I will also check email on a limited basis.  For EPR Move To Production questions, contact Andy B Smith.  For Other EPR related questions, please contact Kevin Durham or Salley Wilson.