
KEYRPWD and INITKEY qmgr attributes

  • 1.  KEYRPWD and INITKEY qmgr attributes

    Posted Thu September 05, 2024 01:28 PM

    Hello all 

    Is there a presentation about the two new qmgr parameters? 

    Thanks 



    ------------------------------
    Joao Ramires
    ------------------------------


  • 2.  RE: KEYRPWD and INITKEY qmgr attributes

    Posted Thu September 05, 2024 04:39 PM

    Hi Joao,

    You can read about these attributes here: https://www.ibm.com/docs/en/ibm-mq/9.3?topic=wsalw-supplying-key-repository-password-queue-manager-aix-linux-windows

    It is also mentioned in this Slideshare presentation: https://www.slideshare.net/RobertParker54/ibm-mq-whats-new-including-93-and-931#37

    Cheers,

    Morag



    ------------------------------
    Morag Hughson
    MQ Technical Education Specialist
    MQGem Software Limited
    Website: https://www.mqgem.com
    ------------------------------



  • 3.  RE: KEYRPWD and INITKEY qmgr attributes

    Posted Fri September 06, 2024 05:05 AM

    Hi Morag 

    Thanks for the links! After posting I found these other two:

    https://community.ibm.com/community/user/integration/blogs/robert-parker1/2024/08/13/did-you-know-ibm-mq-supports-pkcs12-keystores
    https://community.ibm.com/community/user/integration/blogs/neha-u-k/2024/06/21/introducing-to-cms-pkcs
    I'm doing some tests with this new SSL setup.
    Regards,
    Joao


    ------------------------------
    Joao Ramires
    ------------------------------



  • 4.  RE: KEYRPWD and INITKEY qmgr attributes

    Posted Fri September 06, 2024 07:36 AM

    some results: 

    I'm using a CMS key.kdb with a stashed password.

    In this case I can delete the stash file and change, with MQ Explorer, the qmgr attribute KEYRPWD to the stashed password (and I know the password). The name in MQ Explorer for this attribute is "SSL Key repository password".

    If I change the qmgr KEYRPWD value from a runmqsc prompt, access to the key.kdb fails with an invalid password:

    "SSL key repository: password incorrect or, stash file absent or unusable."
     

    I believe this happens because the default key MQ Explorer uses to encrypt a stashed password is the same one runmqckm uses. It is somewhat confusing that changing the KEYRPWD gives different results depending on whether MQ Explorer or runmqsc was used. I have to try MQ Console to see what happens.

     



    ------------------------------
    Joao Ramires
    ------------------------------



  • 5.  RE: KEYRPWD and INITKEY qmgr attributes

    Posted Mon September 09, 2024 12:30 PM

    Can we list the keystore (.p12) without knowing the password, like how we do it with CMS keystores with the help of a stash file?



    ------------------------------
    Abhilash Gadila
    ------------------------------



  • 6.  RE: KEYRPWD and INITKEY qmgr attributes

    Posted Tue September 10, 2024 12:41 AM

    Hi Abhilash,

    It is not possible to use a PKCS#12 keystore (one with a .p12 extension) without supplying the password. There is no stash file concept with PKCS#12.

    This is why the ability for a queue manager to use a PKCS#12 keystore was introduced at the same time as the keyword where you can supply the password, as they are needed together.

    Cheers,
    Morag



    ------------------------------
    Morag Hughson
    MQ Technical Education Specialist
    MQGem Software Limited
    Website: https://www.mqgem.com
    ------------------------------



  • 7.  RE: KEYRPWD and INITKEY qmgr attributes

    Posted Tue September 10, 2024 03:32 AM

    Sorry Morag, I'm going to have to contradict you here!

    Stash files are a GSKit concept and separate to the keystore. So you can use a PKCS#12 keystore and a stash file, so long as the underlying mechanism is GSKit. (C applications/QMGR and Windows, Linux platforms)



    ------------------------------
    Rob Parker
    Security Architect, IBM MQ Distributed
    IBM UK Ltd
    ------------------------------



  • 8.  RE: KEYRPWD and INITKEY qmgr attributes

    Posted Tue September 10, 2024 05:48 AM

    I stand corrected.

    I have learned something new today.

    Thanks Rob.



    ------------------------------
    Morag Hughson
    MQ Technical Education Specialist
    MQGem Software Limited
    Website: https://www.mqgem.com
    ------------------------------



  • 9.  RE: KEYRPWD and INITKEY qmgr attributes

    Posted Thu September 12, 2024 05:12 PM

    Hey Rob,

    Is there any other way we can list the pkcs12 keystore without having to provide the password explicitly, with no stash file available? The KEYRPWD is encrypted and let's say I don't remember the password.

    I am trying to understand how pkcs12 keystore is better than CMS in terms of external cert mgmt automation tools.



    ------------------------------
    Abhilash Gadila
    ------------------------------



  • 10.  RE: KEYRPWD and INITKEY qmgr attributes

    Posted Fri September 13, 2024 03:33 AM

    I'm not aware of a way of accessing a PKCS#12 keystore with a password/stash, but I'm also not aware of a way of doing it with CMS keystores.

    PKCS#12 keystores and CMS keystores operate the same, they are just different formats. The benefit that PKCS#12 has over CMS is that PKCS#12 is an industry standard open format while CMS is proprietary to IBM. So for a certificate management tool to be able to interact with a CMS keystore they need to have been provided access to the CMS specification by IBM, which commonly requires a license. PKCS#12 being open means that there are many libraries out there that can interact with them and so most, if not all, certificate management software can handle a PKCS#12 keystore.



    ------------------------------
    Rob Parker
    Security Architect, IBM MQ Distributed
    IBM UK Ltd
    ------------------------------



  • 11.  RE: KEYRPWD and INITKEY qmgr attributes

    Posted Tue September 10, 2024 12:48 AM

    Hi Joao,

    Is there any possibility that you have lower case letters in your password and that you forgot to quote the value in the KEYRPWD attribute when changing it using runmqsc?

    The key used to encrypt the password is in the INITKEY attribute on the queue manager.  I don't believe it is used by either MQ Explorer or runmqsc, but rather it is used by the queue manager when it stores the password supplied by either of those tools. I have not seen any suggestion that the INITKEY used by the queue manager bears any relation to the stash file technology used by runmqakm.

    Cheers,
    Morag



    ------------------------------
    Morag Hughson
    MQ Technical Education Specialist
    MQGem Software Limited
    Website: https://www.mqgem.com
    ------------------------------



  • 12.  RE: KEYRPWD and INITKEY qmgr attributes

    Posted Tue September 10, 2024 06:40 AM

    Hi Morag

    Yes, it can be the case: a lowercase password converted to upper (and the pw is "passw0rd"...). After some decades with MQ I forgot that detail...
    This week I don't have my test env available to verify; when I'm back to it I'll try and post the result.

    Thanks  



    ------------------------------
    Joao Ramires
    ------------------------------



  • 13.  RE: KEYRPWD and INITKEY qmgr attributes

    Posted Mon September 16, 2024 02:38 AM
    Edited by Joao Ramires Mon September 16, 2024 10:53 AM

    Yes, it was a problem with upper / lower case ...

    KEYRPWD(passw0rd) is different from KEYRPWD('passw0rd'), thanks for pointing that out, Morag.

    Regards. 



    ------------------------------
    Joao Ramires
    ------------------------------
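
Added example, not part of the thread and not IBM code: a small pre-deployment check for MQSC scripts that flags the mistake resolved above, an unquoted KEYRPWD value whose lower-case characters runmqsc folds to upper case. The function names, the sample script and the key repository path are constructed for illustration; findings never echo the password itself.

```python
import re

# KEYRPWD is the case-sensitive secret discussed in this thread.
SECRET_ATTR = re.compile(r"\bKEYRPWD\s*\(\s*('[^']*'|[^)]*?)\s*\)", re.IGNORECASE)

def effective_value(raw):
    """Value runmqsc passes on: quoted text verbatim, unquoted text folded to upper case."""
    if len(raw) >= 2 and raw[0] == raw[-1] == "'":
        return raw[1:-1]
    return raw.upper()

def mqsc_commands(script):
    """Yield (line_no, command), joining '+'/'-' continuations and skipping '*' comments."""
    buf, start, keep_indent = "", 0, False
    for n, line in enumerate(script.splitlines(), 1):
        if line.startswith("*") or not line.strip():
            continue
        text = line.rstrip()
        if buf and not keep_indent:
            text = text.lstrip()          # '+' resumes at the first non-blank character
        start = start or n
        if text.endswith(("+", "-")):
            keep_indent = text.endswith("-")   # '-' resumes at the start of the next line
            buf += text[:-1]
            continue
        yield start, buf + text
        buf, start, keep_indent = "", 0, False
    if buf:
        yield start, buf

def lint(script):
    """Return (line_no, problem) pairs for unquoted secrets that folding would change."""
    findings = []
    for line_no, cmd in mqsc_commands(script):
        for m in SECRET_ATTR.finditer(cmd):
            raw = m.group(1)
            if not raw.startswith("'") and effective_value(raw) != raw:
                findings.append((line_no, "KEYRPWD is unquoted and will be upper-cased"))
    return findings

# Constructed sample script (path and passwords are placeholders).
SAMPLE = """\
* rotate key repository password
ALTER QMGR KEYRPWD(passw0rd)
ALTER QMGR +
      KEYRPWD('passw0rd')
ALTER QMGR SSLKEYR('/var/mqm/qmgrs/QM1/ssl/key') -
KEYRPWD(Secret1)
"""

if __name__ == "__main__":
    for line_no, problem in lint(SAMPLE):
        print(f"line {line_no}: {problem}")
```
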



  • 14.  RE: KEYRPWD and INITKEY qmgr attributes

    Posted Mon September 16, 2024 02:40 AM

    Phew! Glad you're all sorted @Joao Ramires



    ------------------------------
    Morag Hughson
    MQ Technical Education Specialist
    MQGem Software Limited
    Website: https://www.mqgem.com
    ------------------------------