We're running Websphere MQ 9.1 and our Telemetry (MQTT) channel is configured to require SSL Authentication.
Our certificates have lifespans of just a few months and we want to automate the process of replacing these certificates. I can easily create a new .kdb file and place in the SSLKEYR location, but this doesn't automatically make the channel use the new certificates.
I have tried the REFRESH SECURITY TYPE(SSL) command and this command succeeds (output: AMQ8560I: IBM MQ security cache refreshed.) I would think this should work, see: https://www.ibm.com/docs/en/ibm-mq/9.1?topic=authorities-refreshing-tls-security
Refreshing TLS security
If you make a change to the key repository, you can refresh the copy of the key repository that is held in memory while a channel is running, without restarting the channel. When you refresh the cached copy of the key repository, the TLS channels that are currently running on the queue manager are updated with the new information.
About this task
When a channel is secured using TLS, the digital certificates and their associated private keys are stored in the key repository. A copy of the key repository is held in memory while a channel is running. If you make a change to the key repository, you can refresh the copy of the key repository that is held in memory without restarting the channel.
When you refresh the cached copy of the key repository, all TLS channels that are currently running are updated:
Sender, server, and cluster-sender channels that use TLS are allowed to complete the current batch of messages. The channels then run the SSL handshake again with the refreshed view of the key repository.
All other channel types that use TLS are stopped. If the partner end of the stopped channel has retry values defined, the channel retries and runs the SSL handshake again. The new SSL handshake uses the refreshed view of the contents of the key repository, the location of the LDAP server to be used for the Certificate Revocation Lists, and the location of the key repository. In the case of server-connection channel, the client application loses its connection to the queue manager and has to reconnect to continue.
However - when I replace the KDB with a keyrepository with different certificates and I refresh the security, my clients still reconnect after I purge them from the channel. When I restart the channel, the clients stay offline as expected.
Why doesn't refresh security work in this case (because its a telemetry channel?) and is there a way to solve this puzzle without stopping and starting the channel?
In IBM MQ, MQTT components are called MQXR. There are 3 log files you can check:
(1)
Windows: {MQ_DATA_PATH}\qmgrs\{qmgr_name}\mqxr.stdout
Windows: {MQ_DATA_PATH}\qmgrs\{qmgr_name}\mqxr.stderr
Unix: {MQ_DATA_PATH}/qmgrs/{qmgr_name}/mqxr.stdout
Unix: {MQ_DATA_PATH}/qmgrs/{qmgr_name}/mqxr.stderr
(2)
Windows: {MQ_DATA_PATH}\qmgrs\{qmgr_name}\errors\mqxr_0.log
Unix: {MQ_DATA_PATH}/qmgrs/{qmgr_name}/errors/mqxr_0.log
The log file mqxr_0.log should have any error messages related to refreshing security.
Here's an interesting note from the MQ Knowledge Center:
All other channel types using TLS are stopped with a STOP CHANNEL MODE(FORCE) STATUS(INACTIVE) command. If the partner end of the stopped message channel has retry values defined, the channel retries and the new TLS handshake uses the refreshed view of the contents of the TLS key repository, the location of the LDAP server to be used for Certification Revocation Lists, and the location of the key repository. In the case of a server-connection channel, the client application loses its connection to the queue manager and has to reconnect in order to continue.
So, you issuing the stop channel command is basically what the note said the refresh security command will do.
Finally, you should probably open a PMR (help ticket) with IBM to see what they say and possibly fix the issue if it is a bug.
Related
I have done an SSL configuration for my IBM MQ v9, created a Java client, and added the certificates both sides. A Put and Get messages works fine. My issue is I'm able to browse the message using the MQ Explorer in the server. Is it because the message is decrypted and shown? Can I keep this message encrypted to a MQ Admin user who has access to the MQ explorer.
Any advice is very much appreciated.
Thanks in advance,
Yasothar
Configuring encryption at the channel level only encrypts data in motion (on the network).
Messages on a queue are not encrypted unless you do this at the application layer or use the IBM MQ Advanced Message Security (AMS) extension of the product, this requires additional configuration with different certs to represent the putting and getting applications as well as policies to tell MQ AMS what to encrypt and who can receive.
Even with IBM MQ AMS configured, someone with MQ admin authority can still override configurations to allow viewing of messages sent, since the the MQ admin controls the policy, so can easily add themselfs as a new recipient so they can also view message that are sent.
I have a chat implementation working with CometD.
On front end I have a Client that has a clientId=123 and is talking to VirtualMachine-1
The longpolling connection between the VirtualMachine-1 and the Client is done through the clientId. When the connection is established during the handshake, VirtualMachine-1 registers the 123 clientId as it's own and accepts its data.
For some reason, if VM-1 is restarted or FAILS. The longpolling connection between Client and VM-1 is disconnected (since the VirtualMachine-1 is dead, the heartbeats would fail, thus it would become disconnected).
In which case, CometD loadBalancer will re-route the Client communication to a new VirtualMachine-2. However, since VirtualMachine-2 has different clientId it is not able to understand the "123" coming from the Client.
My question is - what is the cometD behavior in this case? How does it re-route the traffic from VM-1 to a new VM-2 to successfully go through handshaking process?
When a CometD client is redirected to the second server by the load balancer, the second server does not know about this client.
The client will send a /meta/connect message with clientId=123, and the second server will reply with a 402::unknown_session and advice: {reconnect: "handshake"}.
When receiving the advice to re-handshake, the client will send a /meta/handshake message and will get a new clientId=456 from the second server.
Upon handshake, a well written CometD application will subscribe (even for dynamic subscriptions) to all needed channels, and eventually be restored to function as before, almost transparently.
Messages published to the client during the switch from one server to the other are completely lost: CometD does not implement any persistent feature.
However, persisting messages until the client acknowledged them is possible: CometD offers a number of listeners that are invoked by the CometD implementation, and through these listeners an application can persist messages (or other information) into their own choice of persistent (and possibly distributed) store: Redis, RDBMS, etc.
CometD handles reconnection transparently for you - it just takes a few messages between client and the new server.
You also want to read about CometD's in-memory clustering features.
I am using mosquitto_pub to publish the data with TLS using a topic.
I am using mosquitto_sub to subscribe to the topic from mosquitto_pub..
Whenever I fire a mosquitto_pub , I noticed that the wireshark can detect a 3 way handshake each time.
My Question now is, is it possible for mosquitto to do only one time of a 3 way handshake? just to minimize the time of sending the data and receiving it to the other end.
I mean like keep the handshake alive on the first firing of mosquitto_pub, then on the succeeding publishing of message, it will send only the TLS data and not do a 3 way handshake over and over again each time.
What you are describing is SSL/TLS session resumption.
There is support in the mosquitto broker for session resumption, but not in the command line tools.
This is because they would need to store the session id key between each execution. This looks to have been discussed in this mosquitto-dev mailing list thread, but not implemented as there was no demand for it.
You can use TLS session resumption with the Paho C library by settings the Clean Session flag to false (I still think the concept of MQTT session and TLS session should have been kept separate) if the broker supports it.
I am trying to demonstrate to others that my queue is using SSL, however from the RabbitMQ web management tools there seems to be no distinction over which queues are using SSL and which are not.
Using RabbitMQ management on localhost, I am able to see all my queues. I have set up SSL on port 5671 successfully using the troubleshooting from RabbitMQ website.
Using MassTransit I have configured my incoming bus to use localhost:5671/my_queue_name with a client certificate and all is working successfully - I just can't confirm to others that the queue is secure. If I get a message from the queue using the web management tools, I can read the (JSON) message in plain text. Any ideas how I can prove my messages are secure?
I've attempted using BusDriver to peek the queues but get nothing back (independent of whether is SSL or not).
SSL is used to secure connections, not to encrypt queue contents.
What SSL gives you is that communication from clients to RabbitMQ will be encrypted, so you could theoretically be sure that nobody tampered with your messages.
Also if you need to validate that the sender of the message is a particular user, you could use this RabbitMQ extension: http://www.rabbitmq.com/validated-user-id.html
I am facing two issues when i try to connect to MQ which is deployed on a Remote Server from Weblogic Server(WLS) by creating a Foreign Server.
1. When I try to connect to MQ Queuemanager in Bindings mode(after importing the .Bindings file) i keep getting the below error in WLS console:
java.lang.UnsatisfiedLinkError: no mqjbnd05 in java.library.path
If i Switch the Transport to Client i keep getting:
JMSWMQ0018: Failed to connect to queue manager '' with connection mode 'Client' and host name 'localhost'. Check the queue manager is started and if running in client mode, check there is a listener running. Please see the linked exception for more information.
Has anyone seen this, and are there any performance implications which dictate the use of client over bindings and vice versa?
TIA
Finally i was able to resolve this, i had to recreate the .bindings file in the client mode, with changes to the IVTsetup.bat which is most likely present in
C:\Program Files\IBM\WebSphere MQ\java\bin, I had to run this
def qcf(psQCF) TRANSPORT(CLIENT) HOST(SMEKA) PORT(1415) CHANNEL(ps_SRV_CHANNEL) QMGR(psQM)
to generate the .bindings file.
Refer to this link for more details:
http://publib.boulder.ibm.com/infocenter/wbihelp/v6rxmx/index.jsp?topic=/com.ibm.wbia_adapters.doc/doc/peoplesoft/peopleso103.htm
Where the question states that I try to connect to MQ which is deployed on a Remote Server from Weblogic Server I assume this means that WLS and WMQ are on two different hosts. If that is the case, then a bindings mode connection (which relies on shared memory segments) won't work.
The client mode connection appears to be using a CF that is pointed to localhost rather than the IP or hostname of the WMQ server. This would work for an application on the same host as the queue manager but not when the app and QMgr are on separate servers.
As far as choosing between client and bindings mode, the answer is that if the QMgr is local use bindings. This provides highest reliability, best performance and XA transactionality. When using client mode, two-phase XA commit is not supported without the Extended Transactional Client. Per the JMS specification, there is an ambiguity that can exist if an app loses the connection during a COMMIT call. Depending on how the app handles this it's possible to end up with duplicate messages. (The JMS spec refers to these as "functionally duplicate.") This ambiguity is much less likely to occur with a bindings mode connection since there is no network latency and not even any traversal of the IP stack or interface. So use bindings mode where possible.
UPDATE:
Removed note about Extended Transactional Client being a chargeable component. As of April 24th, XTC is free of charge for all versions of WMQ on all platforms.