Hello all 

Is there a presentation about the two new qmgr parameters? 

Thanks 

Hi Joao,

You can read about these attributes here: https://www.ibm.com/docs/en/ibm-mq/9.3?topic=wsalw-supplying-key-repository-password-queue-manager-aix-linux-windows

It is also mentioned in this Slideshare presentation: https://www.slideshare.net/RobertParker54/ibm-mq-whats-new-including-93-and-931#37

Cheers,

Morag

Hello all 

Is there a presentation about the two new qmgr parameters? 

Thanks 

Hi Morag 

Thanks for the links! After posting I found these other two:

Hi Joao,

You can read about these attributes here: https://www.ibm.com/docs/en/ibm-mq/9.3?topic=wsalw-supplying-key-repository-password-queue-manager-aix-linux-windows

It is also mentioned in this Slideshare presentation: https://www.slideshare.net/RobertParker54/ibm-mq-whats-new-including-93-and-931#37

Cheers,

Morag

Hello all 

Is there a presentation about the two new qmgr parameters? 

Thanks 

some results: 

I using a CMS key.kdb with stashed password. 

In this case I can delete stash file and change, with MQ Explorer, the qmgr atribute KEYRPWD to the stashed password (and I know the password) . The name in MQ Explorer for this atribute is "SSL Key repository password".

If I change qmgr KEYRPWD value from a runmqsc prompt the access to the key.kdb fails with invalid password:

"SSL key repository: password incorrect or, stash file absent or unusable."
 

I believe this happens because MQ Explorer default key to encrypt a stashed password is the same runmqckm uses. It makes some confusing, changing the KEYRPWD gives different results if MQ Explorer or runmqsc were used. I've to try MQ Console to see what happens. 

Hi Morag 

Thanks for the links! After posting I found these other two:

Hi Joao,

You can read about these attributes here: https://www.ibm.com/docs/en/ibm-mq/9.3?topic=wsalw-supplying-key-repository-password-queue-manager-aix-linux-windows

It is also mentioned in this Slideshare presentation: https://www.slideshare.net/RobertParker54/ibm-mq-whats-new-including-93-and-931#37

Cheers,

Morag

Hello all 

Is there a presentation about the two new qmgr parameters? 

Thanks 

Can we list the keystore (.p12) without knowing the password, like how we do it with CMS keystores with the help of stash file ? 

some results: 

I using a CMS key.kdb with stashed password. 

In this case I can delete stash file and change, with MQ Explorer, the qmgr atribute KEYRPWD to the stashed password (and I know the password) . The name in MQ Explorer for this atribute is "SSL Key repository password".

If I change qmgr KEYRPWD value from a runmqsc prompt the access to the key.kdb fails with invalid password:

"SSL key repository: password incorrect or, stash file absent or unusable."
 

I believe this happens because MQ Explorer default key to encrypt a stashed password is the same runmqckm uses. It makes some confusing, changing the KEYRPWD gives different results if MQ Explorer or runmqsc were used. I've to try MQ Console to see what happens. 

Hi Morag 

Thanks for the links! After posting I found these other two:

Hi Joao,

You can read about these attributes here: https://www.ibm.com/docs/en/ibm-mq/9.3?topic=wsalw-supplying-key-repository-password-queue-manager-aix-linux-windows

It is also mentioned in this Slideshare presentation: https://www.slideshare.net/RobertParker54/ibm-mq-whats-new-including-93-and-931#37

Cheers,

Morag

Hello all 

Is there a presentation about the two new qmgr parameters? 

Thanks 

Hi Anhilash,

It is not possible to use a PKCS#12 keystore (one with a .p12 extension) without supplying the password. There is no stash file concept with PKCS#12.

This is why the ability for a queue manager to use a PKCS#12 keystore was introduced at the same time as the keyword where you can supply the password, as they are needed together.

Cheers,
Morag

Can we list the keystore (.p12) without knowing the password, like how we do it with CMS keystores with the help of stash file ? 

some results: 

I using a CMS key.kdb with stashed password. 

In this case I can delete stash file and change, with MQ Explorer, the qmgr atribute KEYRPWD to the stashed password (and I know the password) . The name in MQ Explorer for this atribute is "SSL Key repository password".

If I change qmgr KEYRPWD value from a runmqsc prompt the access to the key.kdb fails with invalid password:

"SSL key repository: password incorrect or, stash file absent or unusable."
 

I believe this happens because MQ Explorer default key to encrypt a stashed password is the same runmqckm uses. It makes some confusing, changing the KEYRPWD gives different results if MQ Explorer or runmqsc were used. I've to try MQ Console to see what happens. 

Hi Morag 

Thanks for the links! After posting I found these other two:

Hi Joao,

You can read about these attributes here: https://www.ibm.com/docs/en/ibm-mq/9.3?topic=wsalw-supplying-key-repository-password-queue-manager-aix-linux-windows

It is also mentioned in this Slideshare presentation: https://www.slideshare.net/RobertParker54/ibm-mq-whats-new-including-93-and-931#37

Cheers,

Morag

Hello all 

Is there a presentation about the two new qmgr parameters? 

Thanks 

Sorry Morag, I'm going to have to contradict you here!

Stash files are a GSKit concept and separate to the keystore. So you can use a PKCS#12 keystore and a stash file, so long as the underlying mechanism is GSKit. (C applications/QMGR and Windows, Linux platforms)

Hi Anhilash,

It is not possible to use a PKCS#12 keystore (one with a .p12 extension) without supplying the password. There is no stash file concept with PKCS#12.

This is why the ability for a queue manager to use a PKCS#12 keystore was introduced at the same time as the keyword where you can supply the password, as they are needed together.

Cheers,
Morag

Can we list the keystore (.p12) without knowing the password, like how we do it with CMS keystores with the help of stash file ? 

some results: 

I using a CMS key.kdb with stashed password. 

In this case I can delete stash file and change, with MQ Explorer, the qmgr atribute KEYRPWD to the stashed password (and I know the password) . The name in MQ Explorer for this atribute is "SSL Key repository password".

If I change qmgr KEYRPWD value from a runmqsc prompt the access to the key.kdb fails with invalid password:

"SSL key repository: password incorrect or, stash file absent or unusable."
 

I believe this happens because MQ Explorer default key to encrypt a stashed password is the same runmqckm uses. It makes some confusing, changing the KEYRPWD gives different results if MQ Explorer or runmqsc were used. I've to try MQ Console to see what happens. 

Hi Morag 

Thanks for the links! After posting I found these other two:

Hi Joao,

You can read about these attributes here: https://www.ibm.com/docs/en/ibm-mq/9.3?topic=wsalw-supplying-key-repository-password-queue-manager-aix-linux-windows

It is also mentioned in this Slideshare presentation: https://www.slideshare.net/RobertParker54/ibm-mq-whats-new-including-93-and-931#37

Cheers,

Morag

Hello all 

Is there a presentation about the two new qmgr parameters? 

Thanks 

Sorry Morag, I'm going to have to contradict you here!

Stash files are a GSKit concept and separate to the keystore. So you can use a PKCS#12 keystore and a stash file, so long as the underlying mechanism is GSKit. (C applications/QMGR and Windows, Linux platforms)

Hi Anhilash,

It is not possible to use a PKCS#12 keystore (one with a .p12 extension) without supplying the password. There is no stash file concept with PKCS#12.

This is why the ability for a queue manager to use a PKCS#12 keystore was introduced at the same time as the keyword where you can supply the password, as they are needed together.

Cheers,
Morag

Can we list the keystore (.p12) without knowing the password, like how we do it with CMS keystores with the help of stash file ? 

some results: 

I using a CMS key.kdb with stashed password. 

In this case I can delete stash file and change, with MQ Explorer, the qmgr atribute KEYRPWD to the stashed password (and I know the password) . The name in MQ Explorer for this atribute is "SSL Key repository password".

If I change qmgr KEYRPWD value from a runmqsc prompt the access to the key.kdb fails with invalid password:

"SSL key repository: password incorrect or, stash file absent or unusable."
 

I believe this happens because MQ Explorer default key to encrypt a stashed password is the same runmqckm uses. It makes some confusing, changing the KEYRPWD gives different results if MQ Explorer or runmqsc were used. I've to try MQ Console to see what happens. 

Hi Morag 

Thanks for the links! After posting I found these other two:

Hi Joao,

You can read about these attributes here: https://www.ibm.com/docs/en/ibm-mq/9.3?topic=wsalw-supplying-key-repository-password-queue-manager-aix-linux-windows

It is also mentioned in this Slideshare presentation: https://www.slideshare.net/RobertParker54/ibm-mq-whats-new-including-93-and-931#37

Cheers,

Morag

Hello all 

Is there a presentation about the two new qmgr parameters? 

Thanks 

Hey Rob,

Is there any other way can we list the pkcs12 keystore without having to provide the password explicitly and no stash file available. The KEYRPWD is encrypted and let's say I don't remember the password.

I am trying to understand how pkcs12 keystore is better than CMS in terms of external cert mgmt automation tools.

Sorry Morag, I'm going to have to contradict you here!

Stash files are a GSKit concept and separate to the keystore. So you can use a PKCS#12 keystore and a stash file, so long as the underlying mechanism is GSKit. (C applications/QMGR and Windows, Linux platforms)

Hi Anhilash,

It is not possible to use a PKCS#12 keystore (one with a .p12 extension) without supplying the password. There is no stash file concept with PKCS#12.

This is why the ability for a queue manager to use a PKCS#12 keystore was introduced at the same time as the keyword where you can supply the password, as they are needed together.

Cheers,
Morag

Can we list the keystore (.p12) without knowing the password, like how we do it with CMS keystores with the help of stash file ? 

some results: 

I using a CMS key.kdb with stashed password. 

In this case I can delete stash file and change, with MQ Explorer, the qmgr atribute KEYRPWD to the stashed password (and I know the password) . The name in MQ Explorer for this atribute is "SSL Key repository password".

If I change qmgr KEYRPWD value from a runmqsc prompt the access to the key.kdb fails with invalid password:

"SSL key repository: password incorrect or, stash file absent or unusable."
 

I believe this happens because MQ Explorer default key to encrypt a stashed password is the same runmqckm uses. It makes some confusing, changing the KEYRPWD gives different results if MQ Explorer or runmqsc were used. I've to try MQ Console to see what happens. 

Hi Morag 

Thanks for the links! After posting I found these other two:

Hi Joao,

You can read about these attributes here: https://www.ibm.com/docs/en/ibm-mq/9.3?topic=wsalw-supplying-key-repository-password-queue-manager-aix-linux-windows

It is also mentioned in this Slideshare presentation: https://www.slideshare.net/RobertParker54/ibm-mq-whats-new-including-93-and-931#37

Cheers,

Morag

Hello all 

Is there a presentation about the two new qmgr parameters? 

Thanks 

some results: 

I using a CMS key.kdb with stashed password. 

In this case I can delete stash file and change, with MQ Explorer, the qmgr atribute KEYRPWD to the stashed password (and I know the password) . The name in MQ Explorer for this atribute is "SSL Key repository password".

If I change qmgr KEYRPWD value from a runmqsc prompt the access to the key.kdb fails with invalid password:

"SSL key repository: password incorrect or, stash file absent or unusable."
 

I believe this happens because MQ Explorer default key to encrypt a stashed password is the same runmqckm uses. It makes some confusing, changing the KEYRPWD gives different results if MQ Explorer or runmqsc were used. I've to try MQ Console to see what happens. 

Hi Morag 

Thanks for the links! After posting I found these other two:

Hi Joao,

You can read about these attributes here: https://www.ibm.com/docs/en/ibm-mq/9.3?topic=wsalw-supplying-key-repository-password-queue-manager-aix-linux-windows

It is also mentioned in this Slideshare presentation: https://www.slideshare.net/RobertParker54/ibm-mq-whats-new-including-93-and-931#37

Cheers,

Morag

Hello all 

Is there a presentation about the two new qmgr parameters? 

Thanks 

Hi Joao,

Is there any possibility that you have lower case letters in your password and that you forgot to quote the value in the KEYRPWD attribute when changing it using runmqsc?

The key used to encrypt the password is in the INITKEY attribute on the queue manager.  I don't believe it is used by either MQ Explorer or runmqsc, but rather it is used by the queue manager when it stores the password supplied by either of those tools. I have not seen any suggestion that the INITKEY used by the queue manager bears any relation to the stash file technology used by runmqakm.

Cheers,
Morag

some results: 

I using a CMS key.kdb with stashed password. 

In this case I can delete stash file and change, with MQ Explorer, the qmgr atribute KEYRPWD to the stashed password (and I know the password) . The name in MQ Explorer for this atribute is "SSL Key repository password".

If I change qmgr KEYRPWD value from a runmqsc prompt the access to the key.kdb fails with invalid password:

"SSL key repository: password incorrect or, stash file absent or unusable."
 

I believe this happens because MQ Explorer default key to encrypt a stashed password is the same runmqckm uses. It makes some confusing, changing the KEYRPWD gives different results if MQ Explorer or runmqsc were used. I've to try MQ Console to see what happens. 

Hi Morag 

Thanks for the links! After posting I found these other two:

Hi Joao,

You can read about these attributes here: https://www.ibm.com/docs/en/ibm-mq/9.3?topic=wsalw-supplying-key-repository-password-queue-manager-aix-linux-windows

It is also mentioned in this Slideshare presentation: https://www.slideshare.net/RobertParker54/ibm-mq-whats-new-including-93-and-931#37

Cheers,

Morag

Hello all 

Is there a presentation about the two new qmgr parameters? 

Thanks 

Hi Morag

yes, it can be the case, a lowercase password converted to upper (and the pw is "passw0rd"....) after some decades with MQ I forgot that detail ... 
This week I don't have my test env available to verify, when back to it I'll try and post the result.

Thanks  

------------------------------
Joao Ramires

Original Message:
Sent: Tue September 10, 2024 12:47 AM
From: Morag Hughson
Subject: KEYRPWD and INITKEY qmgr attributes

Hi Joao,

Is there any possibility that you have lower case letters in your password and that you forgot to quote the value in the KEYRPWD attribute when changing it using runmqsc?

The key used to encrypt the password is in the INITKEY attribute on the queue manager.  I don't believe it is used by either MQ Explorer or runmqsc, but rather it is used by the queue manager when it stores the password supplied by either of those tools. I have not seen any suggestion that the INITKEY used by the queue manager bears any relation to the stash file technology used by runmqakm.

Cheers,
Morag

------------------------------
Morag Hughson
MQ Technical Education Specialist
MQGem Software Limited
Website: https://www.mqgem.com

Original Message:
Sent: Fri September 06, 2024 07:36 AM
From: Joao Ramires
Subject: KEYRPWD and INITKEY qmgr attributes

some results: 

I using a CMS key.kdb with stashed password. 

In this case I can delete stash file and change, with MQ Explorer, the qmgr atribute KEYRPWD to the stashed password (and I know the password) . The name in MQ Explorer for this atribute is "SSL Key repository password".

If I change qmgr KEYRPWD value from a runmqsc prompt the access to the key.kdb fails with invalid password:

"SSL key repository: password incorrect or, stash file absent or unusable."
 

I believe this happens because MQ Explorer default key to encrypt a stashed password is the same runmqckm uses. It makes some confusing, changing the KEYRPWD gives different results if MQ Explorer or runmqsc were used. I've to try MQ Console to see what happens. 

------------------------------
Joao Ramires

Original Message:
Sent: Fri September 06, 2024 05:04 AM
From: Joao Ramires
Subject: KEYRPWD and INITKEY qmgr attributes

Hi Morag 

Thanks for the links! After posting I found these other two:

------------------------------
Joao Ramires

Original Message:
Sent: Thu September 05, 2024 04:39 PM
From: Morag Hughson
Subject: KEYRPWD and INITKEY qmgr attributes

Hi Joao,

You can read about these attributes here: https://www.ibm.com/docs/en/ibm-mq/9.3?topic=wsalw-supplying-key-repository-password-queue-manager-aix-linux-windows

It is also mentioned in this Slideshare presentation: https://www.slideshare.net/RobertParker54/ibm-mq-whats-new-including-93-and-931#37

Cheers,

Morag

------------------------------
Morag Hughson
MQ Technical Education Specialist
MQGem Software Limited
Website: https://www.mqgem.com

Original Message:
Sent: Thu September 05, 2024 01:27 PM
From: Joao Ramires
Subject: KEYRPWD and INITKEY qmgr attributes

Hello all 

Is there a presentation about the two new qmgr parameters? 

Thanks 

------------------------------
Joao Ramires
------------------------------

Yes, it was a problem with upper / lower case ...

KEYRPWD(passe0rd) is different from KEYRPWD ('passw0rd') , thanks for pointing that, Morag.

Regards. 

Hi Morag

yes, it can be the case, a lowercase password converted to upper (and the pw is "passw0rd"....) after some decades with MQ I forgot that detail ... 
This week I don't have my test env available to verify, when back to it I'll try and post the result.

Thanks  

Hi Joao,

Is there any possibility that you have lower case letters in your password and that you forgot to quote the value in the KEYRPWD attribute when changing it using runmqsc?

The key used to encrypt the password is in the INITKEY attribute on the queue manager.  I don't believe it is used by either MQ Explorer or runmqsc, but rather it is used by the queue manager when it stores the password supplied by either of those tools. I have not seen any suggestion that the INITKEY used by the queue manager bears any relation to the stash file technology used by runmqakm.

Cheers,
Morag

some results: 

I using a CMS key.kdb with stashed password. 

In this case I can delete stash file and change, with MQ Explorer, the qmgr atribute KEYRPWD to the stashed password (and I know the password) . The name in MQ Explorer for this atribute is "SSL Key repository password".

If I change qmgr KEYRPWD value from a runmqsc prompt the access to the key.kdb fails with invalid password:

"SSL key repository: password incorrect or, stash file absent or unusable."
 

I believe this happens because MQ Explorer default key to encrypt a stashed password is the same runmqckm uses. It makes some confusing, changing the KEYRPWD gives different results if MQ Explorer or runmqsc were used. I've to try MQ Console to see what happens. 

Hi Morag 

Thanks for the links! After posting I found these other two:

Hi Joao,

You can read about these attributes here: https://www.ibm.com/docs/en/ibm-mq/9.3?topic=wsalw-supplying-key-repository-password-queue-manager-aix-linux-windows

It is also mentioned in this Slideshare presentation: https://www.slideshare.net/RobertParker54/ibm-mq-whats-new-including-93-and-931#37

Cheers,

Morag

Hello all 

Is there a presentation about the two new qmgr parameters? 

Thanks