  • 1.  runmqakm password generator

    IBM Champion
    Posted Mon June 07, 2021 11:59 AM
    Would it be considered a defect that runmqakm's password generator doesn't consistently make passwords that runmqakm itself is happy with?



    Attempt 1
    >runmqakm -random -create -length 14 -strong -fips
    z#HW)j+(RAb/'c

    >runmqakm -keydb -create -db mykeystore.kdb -pw " z#HW)j+(RAb/'c" -type cms -stash -fips -strong
    /usr/bin/runmqakm: eval: line 111: unexpected EOF while looking for matching `''
    /usr/bin/runmqakm: eval: line 112: syntax error: unexpected end of file


    Attempt 2
    >runmqakm -random -create -length 14 -strong -fips
    U$uK^_Ll,vpi)c

    >runmqakm -keydb -create -db mykeystore.kdb -pw "U$uK^_Ll,vpi)c" -type cms -stash -fips -strong
    CTGSK3048W The password is weak.


    Attempt 3
    >runmqakm -random -create -length 14 -strong -fips
    hidden

    Finally! 3rd PW worked
    >runmqakm -keydb -create -db mykeystore.kdb -pw "hidden" -type cms -stash -fips -strong

    ------------------------------
    Peter Potkay
    ------------------------------


  • 2.  RE: runmqakm password generator

    IBM Champion
    Posted Tue June 08, 2021 01:43 AM

    Hi Peter,

    that's a good question. I always considered that the function was generating random bytes, rather than actual passphrases or passwords.

    When using it to generate something I'm going to use as a passphrase, I always generate something quite large (120 bytes or so) and then filter out the characters that tend to cause problems to a shell ($\/'"@![] and a few others). Then I truncate the result down to 60 characters or so.

    There's some sample (Linux shell) code for this in the Secure Messaging Scenarios using WebSphere MQ IBM Redbook publication in section 8.11. The command I used during the residency when writing the book was

    runmqakm -random -create -length 125 -strong | tr -d "'" | tr -d '\\\$\%\`\~\&\@\!\|\\[\]" ' | cut -c 2-65 > key.passwd

    These days I exclude a couple of other characters as well.

    Regards,



    ------------------------------
    Neil Casey
    Senior Consultant
    Syntegrity Solutions
    Melbourne, Victoria
    IBM Champion (Cloud) 2019-21
    ------------------------------



  • 3.  RE: runmqakm password generator

    IBM Champion
    Posted Tue June 08, 2021 07:41 AM
    We will shamelessly steal your little trick to trim known problematic characters.

    We are still left with the problem of generated value lacking certain characters. I think it did not like our second use case because it lacked a number.

    But, if we also up the length significantly (while trimming problems) the odds go up significantly that what we are left with will be something it's happy with.

    Thanks Neil!

    ------------------------------
    Peter Potkay
    ------------------------------



  • 4.  RE: runmqakm password generator

    IBM Champion
    Posted Tue June 08, 2021 08:56 AM
    Edited by FJ Brandelik Tue June 08, 2021 08:56 AM
    Hi Peter,
    You did not specify which OS you are using. My guess would be Linux because your attempt 2 works without a hitch in Windows and I would guess would work quite ok for you if you'd use single quotes instead of double quotes (avoid substituting $).

    We encountered the problem with MQ Appliances where giving back the generated password did not work. We ended up changing it, replacing spaces and other characters that did not work for scripting. Passing the password on the prompt to stash it seemed to work ok for us.

    Hope it helps a little

    ------------------------------
    FJ
    ------------------------------



  • 5.  RE: runmqakm password generator

    IBM Champion
    Posted Thu June 10, 2021 07:56 AM
    FJ,
    This use case happens to be on RHEL x86-64, but I omitted the O/S in my original question on purpose. I think the compiled version of runmqakm for a particular O/S should have the sense to not produce passwords with characters that particular O/S will not be happy with. (says the guy with no idea on the actual complexities involved in the source code)


    ------------------------------
    Peter Potkay
    ------------------------------



  • 6.  RE: runmqakm password generator

    Posted Thu June 10, 2021 07:18 AM
    I think you have a PMR that the use of eval in the /bin/runmqakm script needs to be removed/enhanced to not error with certain generated passwords.

    ------------------------------
    Tim Zielke
    ------------------------------
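
An added example, not part of any post in this thread: a POSIX shell sketch that combines the filter-and-retry approach from replies 2 and 3 with the quoting point from reply 4. The function names, the allowlist and the acceptance rule in `meets_policy` (length 14, one lowercase, one uppercase, one digit) are assumptions for illustration, not documented runmqakm behaviour.

```shell
#!/bin/sh
# Added example, not from the thread. Function names and policy are assumptions.
LC_ALL=C; export LC_ALL

# Attempt 2 from the thread, as the shell hands it to the command.
# Inside double quotes the shell expands $uK (normally unset; cleared here so
# the result is reproducible), so 14 characters shrink to 11.
attempt2_double_quoted() { uK=''; printf '%s' "U$uK^_Ll,vpi)c"; }
attempt2_single_quoted() { printf '%s' 'U$uK^_Ll,vpi)c'; }

# Allowlist filter: keep only characters that need no shell quoting and
# cannot break a wrapper script that passes its arguments through eval.
strip_unsafe() {
    printf '%s' "$1" | tr -cd 'A-Za-z0-9_+=,.:/-'
}

# Assumed acceptance rule: minimum length (default 14) plus at least one
# lowercase letter, one uppercase letter and one digit.
meets_policy() {
    [ "${#1}" -ge "${2:-14}" ] || return 1
    case $1 in *[a-z]*) ;; *) return 1 ;; esac
    case $1 in *[A-Z]*) ;; *) return 1 ;; esac
    case $1 in *[0-9]*) ;; *) return 1 ;; esac
}

# Read raw candidates (one per line) on stdin, filter each, cap it at 60
# characters and print the first that passes. Exit status 1 if none passes.
# Real use (flags as posted in the thread):
#   for i in 1 2 3 4 5; do runmqakm -random -create -length 125 -strong; done \
#       | first_usable > key.passwd
first_usable() {
    while IFS= read -r raw; do
        clean=$(strip_unsafe "$raw" | cut -c 1-60)
        if meets_policy "$clean"; then
            printf '%s\n' "$clean"
            return 0
        fi
    done
    return 1
}

# Demo on the attempt 2 value posted in the thread.
printf 'double-quoted: %s\nsingle-quoted: %s\n' \
    "$(attempt2_double_quoted)" "$(attempt2_single_quoted)"
```

Filtering shortens the value, so generate well above the target length, and restrict the permissions on the output file before writing to it.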